Analysis
max time kernel: 98s
max time network: 12s
platform: windows7_x64
resource: win7-en-20210920
submitted: 13-10-2021 15:08
Static task: static1

Behavioral task: behavioral1
  Sample: 2_kbd101c.dll
  Resource: win7-en-20210920
  Platform: windows7_x64
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 5_WfHC.dll
  Resource: win7v20210408
  Platform: windows7_x64
  0 signatures, 0 seconds
General
Target: 2_kbd101c.dll
Size: 180KB
MD5: 13607671c64e6859be1f83fb324344f9
SHA1: 6ef50dbb7dff8dd9e860fd1c5b36a4f3df1c2863
SHA256: b8e4c68f8843fe8f2f12d5cc636c824a338ddaa24feee9e9e5e380169b07b231
SHA512: 4f466b28d492ef583c2a35998eeaf8645b4afe50fc47aa93de6e8b5a504f420b4ba90e2c0be47469135031f43f79aeb3cbd7662eb5b096385be903724bae4bd7
Malware Config
Extracted
Family: dridex
Botnet: 22202
C2:
  178.62.205.130:443
  45.90.108.123:13786
  198.199.98.78:9217
rc4.plain
rc4.plain
Signatures

YARA rule matches
Processes:
  resource | yara_rule
  behavioral1/memory/1620-56-0x0000000075330000-0x000000007535F000-memory.dmp | dridex_ldr
  behavioral1/memory/864-60-0x00000000002A0000-0x0000000000300000-memory.dmp | dridex_ldr

Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  864 | 1620 | WerFault.exe | rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | process
  864 | WerFault.exe (4 events)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 864 | WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description | pid | process | target process
  PID 1520 wrote to memory of 1620 | 1520 | rundll32.exe | rundll32.exe (7 events)
  PID 1620 wrote to memory of 864 | 1620 | rundll32.exe | WerFault.exe (4 events)
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2_kbd101c.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2_kbd101c.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 252
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/864-59-0x0000000000000000-mapping.dmp
memory/864-60-0x00000000002A0000-0x0000000000300000-memory.dmp (Filesize: 384KB)
memory/1620-54-0x0000000000000000-mapping.dmp
memory/1620-55-0x0000000075A71000-0x0000000075A73000-memory.dmp (Filesize: 8KB)
memory/1620-56-0x0000000075330000-0x000000007535F000-memory.dmp (Filesize: 188KB)
memory/1620-58-0x0000000000130000-0x0000000000136000-memory.dmp (Filesize: 24KB)