Analysis

max time kernel: 117s
max time network: 123s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-12-2021 10:07

Static task: static1
General

Target: fd321dd675720bb14806eb4a24630461bc00c86e8fd240151dee42899081c9ff.dll
Size: 552KB
MD5: 6389beefa606ecdf6dde97aa07adf91f
SHA1: e20eec6c39eecf9bbeb09fd4efaac98e8de0c2fb
SHA256: fd321dd675720bb14806eb4a24630461bc00c86e8fd240151dee42899081c9ff
SHA512: 6d48db12e8fc7c7adb0ca69ef8e01d705d7f3aa135b740b8b6fc96922ec8150f09b7531c335890a328b1b453752469a12fc6b71df4913f106661a4e0fd387994
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  144.91.122.102:443
  85.10.248.28:593
  185.4.135.27:5228
  80.211.3.13:8116
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2720-116-0x0000000073880000-0x000000007390C000-memory.dmp  dridex_ldr

Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  3684  2720        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
  pid   process
  3684  WerFault.exe  (same entry repeated 12 times)

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description                pid   process
  Token: SeRestorePrivilege  3684  WerFault.exe
  Token: SeBackupPrivilege   3684  WerFault.exe
  Token: SeDebugPrivilege    3684  WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs
Processes:
  description                       pid   process       target process
  PID 2728 wrote to memory of 2720  2728  rundll32.exe  rundll32.exe
  PID 2728 wrote to memory of 2720  2728  rundll32.exe  rundll32.exe
  PID 2728 wrote to memory of 2720  2728  rundll32.exe  rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd321dd675720bb14806eb4a24630461bc00c86e8fd240151dee42899081c9ff.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\fd321dd675720bb14806eb4a24630461bc00c86e8fd240151dee42899081c9ff.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 628
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken