Analysis
max time kernel: 121s
max time network: 122s
platform: windows10_x64
resource: win10-en-20211014
submitted: 21-10-2021 05:20
Static task: static1
General
Target: 781eb8553b3ca720f4d2e13808c349663937d49a4e735b9c7cd792e4343f7df9.dll
Size: 180KB
MD5: 3db9494ba19459c1c47680286771d913
SHA1: 6f0f8c56a83388bb50699187bc2c85b0389c6bc5
SHA256: 781eb8553b3ca720f4d2e13808c349663937d49a4e735b9c7cd792e4343f7df9
SHA512: 98cb65afc4e9d88a1fe5b1bccfb271ab01d6769c4a4f05be3ed419ee3984ab436972ce6f93a4d366e56abe166ebc4334adba05cc7eb1b4de94b7c3ac8c675879
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  155.138.203.91:443
  207.180.220.242:8116
  46.101.142.214:6891
rc4.plain
rc4.plain
Signatures

YARA rule match
  resource: behavioral1/memory/3488-116-0x0000000073930000-0x000000007395F000-memory.dmp
  yara_rule: dridex_ldr
  (the rule fired on a memory region of the SysWOW64 rundll32.exe process, PID 3488, that loaded the DLL)

Program crash (1 IoC)
  pid 752 WerFault.exe, target pid 3488 rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 752 WerFault.exe (12 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  pid 752 WerFault.exe: Token: SeRestorePrivilege
  pid 752 WerFault.exe: Token: SeBackupPrivilege
  pid 752 WerFault.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1524 rundll32.exe wrote to memory of 3488 rundll32.exe (three events)

Note that the EnumeratesProcesses and AdjustPrivilegeToken hits are attributed to WerFault.exe, the Windows Error Reporting handler that ran after PID 3488 crashed, not to the sample itself; the sample-attributable evidence in this run is the dridex_ldr memory match in PID 3488, the WriteProcessMemory events from the parent rundll32.exe, and the extracted C2 configuration.
Processes
C:\Windows\system32\rundll32.exe (PID 1524)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\781eb8553b3ca720f4d2e13808c349663937d49a4e735b9c7cd792e4343f7df9.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe (PID 3488)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\781eb8553b3ca720f4d2e13808c349663937d49a4e735b9c7cd792e4343f7df9.dll,#1
      └ C:\Windows\SysWOW64\WerFault.exe (PID 752)
          C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 620
          Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

The sample was invoked through its ordinal export #1. The 64-bit rundll32.exe (system32) re-launched the DLL under the 32-bit SysWOW64 rundll32.exe, which is what happens when the DLL is 32-bit; the three WriteProcessMemory events from 1524 to 3488 are that handoff. PID 3488 is also where the dridex_ldr YARA rule matched in memory, and it is the process that crashed (WerFault.exe -p 3488), so the loader ran and then faulted during the 121s kernel window.
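As an added example, not code from the sandbox report or from the Dridex sample, the following Python turns the two analyst-facing parts of this report into detection logic: the extracted C2 endpoints (Malware Config) matched against flow records, and the rundll32 process chain above matched against process-creation events. The flow lines, the process events, the record layouts, the regexes and the helper names are all assumptions constructed for the example; the C2 entries, PIDs, image paths and command lines are taken from the report.

```python
import ipaddress
import re
from dataclasses import dataclass

# C2 endpoints from the report's extracted Dridex config (botnet 22201).
# The rc4.plain key values are not shown on the page, so they are not used.
DRIDEX_C2 = [
    "155.138.203.91:443",
    "207.180.220.242:8116",
    "46.101.142.214:6891",
]


def parse_c2(entries):
    """Turn 'ip:port' strings into a set of (IPv4Address, port); rejects malformed entries."""
    c2 = set()
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed C2 entry: {entry!r}")
        c2.add((ipaddress.ip_address(host), int(port)))
    return c2


# Constructed flow records (not from the report) in an assumed "src -> dst proto" layout.
SAMPLE_FLOWS = [
    "2021-10-21T05:21:03Z 10.0.0.15:49712 -> 155.138.203.91:443 tcp",
    "2021-10-21T05:21:04Z 10.0.0.15:49713 -> 8.8.8.8:53 udp",
    "2021-10-21T05:21:09Z 10.0.0.15:49720 -> 46.101.142.214:6891 tcp",
    "2021-10-21T05:21:10Z 10.0.0.15:49721 -> 46.101.142.214:443 tcp",  # right host, wrong port
]
FLOW_DST = re.compile(r"->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def match_c2(flows, c2):
    """Return flow lines whose destination (ip, port) pair is exactly in the C2 set."""
    hits = []
    for line in flows:
        m = FLOW_DST.search(line)
        if m and (ipaddress.ip_address(m.group(1)), int(m.group(2))) in c2:
            hits.append(line)
    return hits


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\781eb8553b3ca720f4d2e13808c349663937d49a4e735b9c7cd792e4343f7df9.dll"

# Constructed process-creation events modelled on the report's process tree.
# Parent PID 900 and the benign shell32 control event are assumptions.
SAMPLE_PROCS = [
    ProcEvent(1524, 900, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3488, 1524, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(752, 3488, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 620"),
    ProcEvent(4100, 900, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
]

USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
RUNDLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>#?\w+)', re.I)
WERFAULT_RE = re.compile(r"WerFault\.exe\s.*?-p\s+(\d+)", re.I)


def crashed_pids(events):
    """PIDs whose crash WerFault handled (-p <pid>), i.e. the report's Program crash IoC."""
    crashed = set()
    for e in events:
        m = WERFAULT_RE.search(e.cmdline)
        if m:
            crashed.add(int(m.group(1)))
    return crashed


def suspicious_rundll32(events):
    """Flag rundll32 launches that look like this report's chain; returns [(pid, [reasons])]."""
    by_pid = {e.pid: e for e in events}
    crashed = crashed_pids(events)
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\rundll32.exe"):
            continue
        m = RUNDLL_ARG.search(e.cmdline)
        if not m:
            continue
        reasons = []
        if USER_WRITABLE.search(m.group("dll")):
            reasons.append("DLL loaded from a user-writable path")
        if m.group("export").startswith("#"):
            reasons.append("export invoked by ordinal")
        parent = by_pid.get(e.ppid)
        if parent and parent.image.lower().endswith("\\rundll32.exe") and "\\syswow64\\" in e.image.lower():
            reasons.append("64-bit rundll32 re-launched a 32-bit rundll32 (WOW64 handoff)")
        if e.pid in crashed:
            reasons.append("process crashed while hosting the DLL")
        if reasons:
            findings.append((e.pid, reasons))
    return findings


if __name__ == "__main__":
    for hit in match_c2(SAMPLE_FLOWS, parse_c2(DRIDEX_C2)):
        print("C2 contact:", hit)
    for pid, reasons in suspicious_rundll32(SAMPLE_PROCS):
        print(f"PID {pid}:", "; ".join(reasons))
```

Matching is on the exact (ip, port) pair because a Dridex C2 list mixes a standard port (443) with non-standard ones (8116, 6891) per host, so a host-only or port-only match over-fires; the fourth constructed flow (same host, port 443) is deliberately not a hit. The process check keeps the benign control (shell32.dll loaded from system32 by name) unflagged while scoring both rundll32 instances from the report, with the SysWOW64 child scoring highest.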