Analysis
- max time kernel: 64s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-12-2021 10:07
- static task: static1
General
- Target: e91ef291cf1abe85ece3bfba657823c7c6b731a2e7c78768be54c8917e45b7ba.dll
- Size: 552KB
- MD5: 9abb796b97292578b1337f8179154fe5
- SHA1: d238558b4400f3eb92f3f3295dc98a009c6b0807
- SHA256: e91ef291cf1abe85ece3bfba657823c7c6b731a2e7c78768be54c8917e45b7ba
- SHA512: 5acad1e43c981eaab3948a5c39b068a147bcaf6f3f3c7ad866c1e6634fa2b7b438e66ce268c59859abdd169883ed3456b5898e137b1bb5d30704eceb75fde7a0
Malware Config (extracted)
- Family: dridex
- Botnet: 22201
- C2:
  - 144.91.122.102:443
  - 85.10.248.28:593
  - 185.4.135.27:5228
  - 80.211.3.13:8116
- rc4.plain
- rc4.plain
Signatures
- YARA rule match: dridex_ldr
  resource: behavioral1/memory/756-116-0x00000000735C0000-0x000000007364C000-memory.dmp
- Program crash (1 IoC)
  WerFault.exe (pid 532) handled the crash of rundll32.exe (pid 756)
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  WerFault.exe (pid 532), 12 occurrences
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  WerFault.exe (pid 532) adjusted token privileges: SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
- Suspicious use of WriteProcessMemory (3 IoCs)
  rundll32.exe (pid 3468) wrote to the memory of rundll32.exe (pid 756), 3 occurrences
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e91ef291cf1abe85ece3bfba657823c7c6b731a2e7c78768be54c8917e45b7ba.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e91ef291cf1abe85ece3bfba657823c7c6b731a2e7c78768be54c8917e45b7ba.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 628
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken