Analysis
- max time kernel: 106s
- max time network: 147s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 20:21
Static task: static1
General
- Target: d4335a8401f73186b956495196d60de56083a6c633396358ab4f6ac61b61a520.dll
- Size: 180KB
- MD5: 493affe2d3fb24b9ef24a523292df0be
- SHA1: ccde112ce9717c826b578b41a8b1e62b8fa34f1f
- SHA256: d4335a8401f73186b956495196d60de56083a6c633396358ab4f6ac61b61a520
- SHA512: 1359269056aa43b898bd73fe6519cef435314cc3e54b9ab2c098b49591243c6c2d16592e62c17152cb72ea3e142a5efcc29708abe8abd5d4171c53a7f5b47358
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 212.237.17.99:443
  - 176.28.17.160:6602
  - 51.254.140.238:8333
- rc4.plain
- rc4.plain
Signatures
- Yara rule match
  Processes:
  - resource: behavioral1/memory/4392-116-0x00000000738F0000-0x000000007391F000-memory.dmp, yara_rule: dridex_ldr
- Program crash (1 IoC)
  Processes:
  - pid 4584 WerFault.exe, target pid 4392 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  - pid 4584 WerFault.exe (12 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - Token: SeRestorePrivilege, pid 4584 WerFault.exe
  - Token: SeBackupPrivilege, pid 4584 WerFault.exe
  - Token: SeDebugPrivilege, pid 4584 WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - PID 4372 rundll32.exe wrote to memory of 4392 rundll32.exe (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4335a8401f73186b956495196d60de56083a6c633396358ab4f6ac61b61a520.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d4335a8401f73186b956495196d60de56083a6c633396358ab4f6ac61b61a520.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 620
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken