Analysis
- max time kernel: 119s
- max time network: 135s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 21-10-2021 20:21
Static task
static1
General
- Target: 0f805102c77684494cffc5df1e75e97990f83f58e6845d16f02888db03b2159e.dll
- Size: 180KB
- MD5: 74e4a2208c91735a96bfbbba392b221a
- SHA1: 38855ddf26cc33d307132386c20cff6bf7846aaf
- SHA256: 0f805102c77684494cffc5df1e75e97990f83f58e6845d16f02888db03b2159e
- SHA512: 9fc2b724b63c75b3ea7e44a95d9e9cdfa181a5d81ab7a0b445b727101e93592f9ea4b5f2e57f83f0f3f5934f628b31e1f38d724cb4b7fdaf03a21b29843f65d8
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 212.237.17.99:443
  - 176.28.17.160:6602
  - 51.254.140.238:8333
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                      | yara_rule
  behavioral1/memory/688-116-0x00000000736B0000-0x00000000736DF000-memory.dmp   | dridex_ldr

Program crash (1 IoC)
Processes:
  pid  | pid_target | process      | target process
  4000 | 688        | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid  | process
  4000 | WerFault.exe  (12 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description               | pid  | process
  Token: SeRestorePrivilege | 4000 | WerFault.exe
  Token: SeBackupPrivilege  | 4000 | WerFault.exe
  Token: SeDebugPrivilege   | 4000 | WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                     | pid  | process      | target process
  PID 2192 wrote to memory of 688 | 2192 | rundll32.exe | rundll32.exe
  PID 2192 wrote to memory of 688 | 2192 | rundll32.exe | rundll32.exe
  PID 2192 wrote to memory of 688 | 2192 | rundll32.exe | rundll32.exe
Processes (process tree, depth shown by indentation)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f805102c77684494cffc5df1e75e97990f83f58e6845d16f02888db03b2159e.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f805102c77684494cffc5df1e75e97990f83f58e6845d16f02888db03b2159e.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 620
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken