Analysis
- max time kernel: 121s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 31-12-2021 17:14
Static task: static1
General
- Target: 019e4a2eaa89bbc5dd4dd542baa34e32fde1bd36038b3761aad409dec278e528.dll
- Size: 512KB
- MD5: e21ad7f48cf6448cb847a955b511374e
- SHA1: 046cae3fb14e2c40d13fba3c03a0e71c52b1ff4c
- SHA256: 019e4a2eaa89bbc5dd4dd542baa34e32fde1bd36038b3761aad409dec278e528
- SHA512: 4775e1dc2de8d00407ba010a21d51bda9a96a988978710350993ba0d480d91d0d066c8a42ead823fd7f7e45b758b9f197a394018965f0f159bb662d408c4408b
Malware Config (extracted)
- Family: dridex
- Botnet: 22203
- C2:
  51.159.52.196:443
  134.209.247.135:6602
  194.233.68.48:5228
  89.31.56.58:593
- rc4.plain
- rc4.plain
Signatures
- YARA rule match
  Processes:
  resource                                                                              yara_rule
  behavioral1/memory/2776-116-0x0000000073C30000-0x0000000073CB1000-memory.dmp          dridex_ldr
- Program crash (1 IoC)
  Processes:
  pid    pid_target   process        target process
  3340   2776         WerFault.exe   rundll32.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid    process
  3340   WerFault.exe   (12 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                  pid    process
  Token: SeRestorePrivilege    3340   WerFault.exe
  Token: SeBackupPrivilege     3340   WerFault.exe
  Token: SeDebugPrivilege      3340   WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                          pid    process        target process
  PID 2728 wrote to memory of 2776     2728   rundll32.exe   rundll32.exe   (3 identical entries)
Processes (tree; the trailing digit on each command line in the original is the nesting level)
1. C:\Windows\system32\rundll32.exe
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\019e4a2eaa89bbc5dd4dd542baa34e32fde1bd36038b3761aad409dec278e528.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\019e4a2eaa89bbc5dd4dd542baa34e32fde1bd36038b3761aad409dec278e528.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 684
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken