Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-12-2021 02:23
- Static task: static1
General
- Target: 8a9bcb64e46267636419e039a75a27a3a025d36a1b7cc4abfcd8a035b12b99a6.dll
- Size: 552KB
- MD5: 1a72e330d0ebca06e1986d9b611d5312
- SHA1: f031fd1bb33d390fb347355845b82102ea81a41e
- SHA256: 8a9bcb64e46267636419e039a75a27a3a025d36a1b7cc4abfcd8a035b12b99a6
- SHA512: a7d8d841cb1365766e871e94afcafef8d9b91b08d4617844b63e201e6ce0533494669ed2c2f5c4c4442f57cd54e618398c7540eea62d2b5576ae7f78b45a191a
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  144.91.122.102:443
  85.10.248.28:593
  185.4.135.27:5228
  80.211.3.13:8116
- rc4.plain
- rc4.plain
Signatures
- Processes:
  resource | yara_rule
  behavioral1/memory/3828-116-0x0000000073640000-0x00000000736CC000-memory.dmp | dridex_ldr
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  744 | 3828 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid | process
  744 | WerFault.exe (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 744 | WerFault.exe
  Token: SeBackupPrivilege | 744 | WerFault.exe
  Token: SeDebugPrivilege | 744 | WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 3656 wrote to memory of 3828 | 3656 | rundll32.exe | rundll32.exe (3 identical entries)
Processes
1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a9bcb64e46267636419e039a75a27a3a025d36a1b7cc4abfcd8a035b12b99a6.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a9bcb64e46267636419e039a75a27a3a025d36a1b7cc4abfcd8a035b12b99a6.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 632
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken