Analysis
-
max time kernel
135s -
max time network
12s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
21-07-2021 20:05
Static task
static1
Behavioral task
behavioral1
Sample
3c2244956646acde36ff20732eb63071.dll
Resource
win7v20210408
windows7_x64
0 signatures
0 seconds
General
-
Target
3c2244956646acde36ff20732eb63071.dll
-
Size
176KB
-
MD5
3c2244956646acde36ff20732eb63071
-
SHA1
f218a9c08cb26388223600bf3691a90be4cdfb7b
-
SHA256
ff277a5e33ec98ad5f0945834f731e39fa2113ac0369ade14fc690a9d1a7cc31
-
SHA512
ae79358315583a248575d4471144c9c0441758502c5c4cba1dc92d68403912c3c6e6c3b109a607f0d9539892f5d4fa845c13a382c3c71d0b2d3335ecc1fd13e6
Malware Config
Extracted
Family
dridex
Botnet
22202
C2
178.238.236.59:443
104.245.52.73:5007
81.0.236.93:13786
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1852-62-0x00000000751E0000-0x0000000075211000-memory.dmp dridex_ldr -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1680 1852 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 1680 WerFault.exe 1680 WerFault.exe 1680 WerFault.exe 1680 WerFault.exe 1680 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1680 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1680 WerFault.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1080 wrote to memory of 1852 1080 rundll32.exe rundll32.exe PID 1080 wrote to memory of 1852 1080 rundll32.exe rundll32.exe PID 1080 wrote to memory of 1852 1080 rundll32.exe rundll32.exe PID 1080 wrote to memory of 1852 1080 rundll32.exe rundll32.exe PID 1080 wrote to memory of 1852 1080 rundll32.exe rundll32.exe PID 1080 wrote to memory of 1852 1080 rundll32.exe rundll32.exe PID 1080 wrote to memory of 1852 1080 rundll32.exe rundll32.exe PID 1852 wrote to memory of 1680 1852 rundll32.exe WerFault.exe PID 1852 wrote to memory of 1680 1852 rundll32.exe WerFault.exe PID 1852 wrote to memory of 1680 1852 rundll32.exe WerFault.exe PID 1852 wrote to memory of 1680 1852 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3c2244956646acde36ff20732eb63071.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3c2244956646acde36ff20732eb63071.dll,#12⤵
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 2243⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1680
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1680-64-0x0000000000000000-mapping.dmp
-
memory/1680-66-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/1852-60-0x0000000000000000-mapping.dmp
-
memory/1852-61-0x0000000075D11000-0x0000000075D13000-memory.dmpFilesize
8KB
-
memory/1852-62-0x00000000751E0000-0x0000000075211000-memory.dmpFilesize
196KB
-
memory/1852-65-0x0000000000140000-0x0000000000146000-memory.dmpFilesize
24KB