Analysis
- max time kernel: 121s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 21-10-2021 14:03
- static task: static1
General
- Target: e545b2a69c002dc3135f61f94a4e3a753fa1c366f5c34bf89926b7c1340fb762.dll
- Size: 180KB
- MD5: f5049f931e703e1c8d8d9b59312f3d27
- SHA1: f409706c7103042ae60cf9388cec235c48ef75ca
- SHA256: e545b2a69c002dc3135f61f94a4e3a753fa1c366f5c34bf89926b7c1340fb762
- SHA512: 4da3538765db19243774315bf645d29de6f9d98512749be91a56bb3fbaf0263fb2cb87fd0319d099531b62a5f76f10ff53e1fa93ff5f78ae923771596fd22acc
Malware Config
Extracted
- Family: dridex
- Botnet: 22202
- C2:
  - 155.138.203.91:443
  - 207.180.220.242:8116
  - 46.101.142.214:6891
- rc4.plain (value not shown)
- rc4.plain (value not shown)
Two RC4 keys are listed in the extracted config but their values are not rendered on this page. The three C2 endpoints are the actionable indicators here; note the non-standard ports 8116 and 6891 alongside 443.
Signatures
- YARA rule match
  resource | yara_rule
  behavioral1/memory/3744-116-0x00000000744E0000-0x000000007450F000-memory.dmp | dridex_ldr
  The rule fires on a memory dump of pid 3744 (the SysWOW64 rundll32.exe). The region 0x744E0000-0x7450F000 spans 0x2F000 bytes (188 KiB) in the 32-bit address space, consistent with the 180KB DLL being mapped into that process.
- Program crash (1 IoC)
  pid | pid_target | process | target process
  488 | 3744 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid | process
  488 | WerFault.exe (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | process
  Token: SeRestorePrivilege | 488 | WerFault.exe
  Token: SeBackupPrivilege | 488 | WerFault.exe
  Token: SeDebugPrivilege | 488 | WerFault.exe
  All EnumeratesProcesses and AdjustPrivilegeToken hits belong to WerFault.exe (pid 488), the crash handler for pid 3744, not to the rundll32 processes running the sample. Treat them as crash-handling noise rather than sample behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | process | target process
  PID 2856 wrote to memory of 3744 | 2856 | rundll32.exe | rundll32.exe (3 identical entries)
  The writes are from the 64-bit rundll32.exe (pid 2856, System32) into the 32-bit rundll32.exe it spawned (pid 3744, SysWOW64). On 64-bit Windows, rundll32 relaunches its SysWOW64 counterpart when asked to load a 32-bit DLL, so this parent/child pair is expected on its own; the DLL's code runs in the child, which is where the dridex_ldr rule matches and which subsequently crashes.
Processes
- C:\Windows\system32\rundll32.exe (pid 2856)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e545b2a69c002dc3135f61f94a4e3a753fa1c366f5c34bf89926b7c1340fb762.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (pid 3744)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e545b2a69c002dc3135f61f94a4e3a753fa1c366f5c34bf89926b7c1340fb762.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe (pid 488)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 616
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
The ",#1" suffix tells rundll32 to call the DLL's export by ordinal 1 rather than by name, which is common for loaders whose exports are unnamed. In the WerFault command line, "-u -p 3744" is a user-mode crash report for pid 3744 and "-s 616" is a handle value passed to WerFault, not a second process id.
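As an added detection example, not part of the sandbox report or its vendor's code: the Python below applies the pattern visible in this tree (rundll32 loading a DLL from the user's Temp directory by ordinal, the 64-bit to SysWOW64 rundll32 relaunch, WerFault reporting a crash of the followed pid, and any connection to the extracted C2 endpoints) to constructed Sysmon-style events. The event records, the parent pid 1704, the benign rundll32 call and the single C2 connection are assumptions for illustration; the report lists the C2 endpoints but shows no network traffic.

```python
import re
from dataclasses import dataclass

# C2 endpoints from the extracted config in the report (Dridex, botnet 22202).
DRIDEX_C2 = {
    ("155.138.203.91", 443),
    ("207.180.220.242", 8116),
    ("46.101.142.214", 6891),
}


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record (the fields a Sysmon EID 1 or 4688 event carries)."""
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str


@dataclass(frozen=True)
class NetEvent:
    """Outbound-connection record (Sysmon EID 3 style), keyed by source pid."""
    pid: int
    dst_ip: str
    dst_port: int


# rundll32 called with "<dll>,#<n>": an export by ordinal, as in the report's command line
RUNDLL_ORDINAL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^\s",]+\.dll)"?,#\d+', re.I)
# the user-writable staging directory the sample was run from
USER_TEMP = re.compile(r'\\Users\\[^\\]+\\AppData\\Local\\Temp\\', re.I)
# WerFault's "-p <pid>" names the process that crashed
WERFAULT_PID = re.compile(r'-p\s+(?P<pid>\d+)', re.I)


def _is_rundll32(ev: ProcEvent) -> bool:
    return ev.image.lower().endswith("\\rundll32.exe")


def analyse(procs, nets):
    """Return (rule, pid) findings in a stable order over process and network events."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    suspicious = set()   # pids whose rundll32 command line is worth following

    # 1. rundll32 loading a DLL from %TEMP% through an ordinal export
    for ev in procs:
        if not _is_rundll32(ev):
            continue
        m = RUNDLL_ORDINAL.search(ev.cmdline)
        if m and USER_TEMP.search(m.group("dll")):
            findings.append(("rundll32_temp_dll_by_ordinal", ev.pid))
            suspicious.add(ev.pid)

    # 2. 64-bit rundll32 relaunching its SysWOW64 copy: expected for a 32-bit DLL,
    #    but it tells you the DLL's code runs in the child, so follow that pid
    for ev in procs:
        parent = by_pid.get(ev.ppid)
        if (parent and parent.pid in suspicious and _is_rundll32(ev)
                and "\\syswow64\\" in ev.image.lower()
                and "\\system32\\" in parent.image.lower()):
            findings.append(("wow64_rundll32_relaunch", ev.pid))
            suspicious.add(ev.pid)

    # 3. WerFault handling a crash of one of the followed pids
    for ev in procs:
        if ev.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID.search(ev.cmdline)
            if m and int(m.group("pid")) in suspicious:
                findings.append(("followed_process_crashed", int(m.group("pid"))))

    # 4. any connection to a known C2 endpoint
    for n in nets:
        if (n.dst_ip, n.dst_port) in DRIDEX_C2:
            findings.append(("dridex_c2_contact", n.pid))

    return findings


# Constructed sample telemetry mirroring the report's process tree (pids 2856, 3744, 488)
# plus one benign rundll32 call and one connection event. The connection is an assumption
# (the report lists the C2s but shows no traffic) and the parent pid 1704 is made up.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\e545b2a69c002dc3135f61f94a4e3a753fa1c366f5c34bf89926b7c1340fb762.dll")
PROCS = [
    ProcEvent(2856, 1704, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(3744, 2856, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(488, 3744, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 616"),
    ProcEvent(5100, 1704, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),   # benign: named export, system DLL
]
NETS = [NetEvent(3744, "155.138.203.91", 443)]

if __name__ == "__main__":
    for rule, pid in analyse(PROCS, NETS):
        print(f"{rule:32} pid {pid}")
```

Rule 2 is deliberately a context finding rather than an alert on its own: the System32 to SysWOW64 rundll32 hop happens for any 32-bit DLL, so what matters is that it moves the pid being followed to the child, which is the process the YARA hit and the crash in this report belong to.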