Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-12-2021 10:43
- Static task: static1
General
- Target: 6dd192a20689a44dbff16ea81223d710fe342c05a8530b8bdd1d84771ca32699.dll
- Size: 552KB
- MD5: 3e7d095ad538d8c095d8009df9f688c5
- SHA1: ae102343271f19472f262df1e26e16e2b8b7f26d
- SHA256: 6dd192a20689a44dbff16ea81223d710fe342c05a8530b8bdd1d84771ca32699
- SHA512: 7a7b33dd102b49b3561899d2b503a14a4e17c6a7df62e7883ddcafb173c0e9aa934e23fd5dfb3de6a4555d200f7a67473ff86ec3737d0f4fc76ec10a9b82d417
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 144.91.122.102:443
  - 85.10.248.28:593
  - 185.4.135.27:5228
  - 80.211.3.13:8116
- rc4.plain
- rc4.plain
Signatures

Processes:
- resource: behavioral1/memory/3764-116-0x0000000074240000-0x00000000742CC000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoCs)
Processes:
- process: WerFault.exe (pid 3888), target process: rundll32.exe (pid_target 3764)

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
- process: WerFault.exe (pid 3888), listed 12 times

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- description: Token: SeRestorePrivilege, pid 3888, process WerFault.exe
- description: Token: SeBackupPrivilege, pid 3888, process WerFault.exe
- description: Token: SeDebugPrivilege, pid 3888, process WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
- description: PID 3488 wrote to memory of 3764, pid 3488, process rundll32.exe, target process rundll32.exe
- description: PID 3488 wrote to memory of 3764, pid 3488, process rundll32.exe, target process rundll32.exe
- description: PID 3488 wrote to memory of 3764, pid 3488, process rundll32.exe, target process rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dd192a20689a44dbff16ea81223d710fe342c05a8530b8bdd1d84771ca32699.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6dd192a20689a44dbff16ea81223d710fe342c05a8530b8bdd1d84771ca32699.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 628
      signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken