Analysis
- max time kernel: 121s
- max time network: 150s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 21-10-2021 20:21
Static task: static1

General
- Target: 51a6358624d0cc0ceb023e2931f10dc31a6a41bd46ce01397ee73fd6b74af933.dll
- Size: 180KB
- MD5: a3a5924e4c87c69d14c2502875416ba6
- SHA1: e013418472d02fd7b06b0acd0dceae6f864637f3
- SHA256: 51a6358624d0cc0ceb023e2931f10dc31a6a41bd46ce01397ee73fd6b74af933
- SHA512: 6f91c4d669945f8b6af48007fd26984b31533f7a59a4ac01d2982151731e82a00cf95d6750f9d5aa09a161cd4b91a34987df886e02a52f013f8b7f3699f7d297
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  212.237.17.99:443
  176.28.17.160:6602
  51.254.140.238:8333
- rc4.plain
Signatures

Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2828-116-0x0000000073530000-0x000000007355F000-memory.dmp  dridex_ldr

Program crash (1 IoC)
Processes: WerFault.exe
  pid   pid_target  process       target process
  2308  2828        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: WerFault.exe
  pid   process
  2308  WerFault.exe  (12 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
  description                 pid   process
  Token: SeRestorePrivilege   2308  WerFault.exe
  Token: SeBackupPrivilege    2308  WerFault.exe
  Token: SeDebugPrivilege     2308  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: rundll32.exe
  description                        pid   process       target process
  PID 2804 wrote to memory of 2828   2804  rundll32.exe  rundll32.exe  (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\51a6358624d0cc0ceb023e2931f10dc31a6a41bd46ce01397ee73fd6b74af933.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\51a6358624d0cc0ceb023e2931f10dc31a6a41bd46ce01397ee73fd6b74af933.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 620
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken