Analysis
max time kernel: 72s
max time network: 13s
platform: windows7_x64
resource: win7-en-20210920
submitted: 13-10-2021 15:08
Static task: static1

Behavioral task: behavioral1
  Sample: 2_kbd101c.dll
  Resource: win7-en-20210920
  Platform: windows7_x64
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 5_WfHC.dll
  Resource: win7v20210408
  Platform: windows7_x64
  0 signatures, 0 seconds
General
Target: 9_shlwapi.dll
Size: 180KB
MD5: 4e883f7247e1ef95ab0cfc974a5d3b88
SHA1: 99049f145d976731e946f70adc70cb243ca93fc9
SHA256: 653aa17fbf6949e5bdba2599a9a3df4bb8ec259a5cf0eb7c3b08b6813c4283e7
SHA512: fe9adaa182a3823b79fabfda0f1530c8147b04af39fd0f9e4974033393b8689c506ce75d2fc3b6add28f09c78b9b0873cd0755ba353ffe38760eeadc4bb00660
Malware Config
Extracted
  Family: dridex
  Botnet: 22202
  C2:
    178.62.205.130:443
    45.90.108.123:13786
    198.199.98.78:9217
  rc4.plain
  rc4.plain
Signatures

Yara rule match
  resource                                                                        yara_rule
  behavioral3/memory/2024-56-0x0000000074B30000-0x0000000074B5F000-memory.dmp     dridex_ldr

Program crash (1 IoC)
  Processes:
  pid   pid_target   process        target process
  672   2024         WerFault.exe   rundll32.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  672   WerFault.exe
  672   WerFault.exe
  672   WerFault.exe
  672   WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   672   WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description                          pid    process        target process
  PID 1120 wrote to memory of 2024     1120   rundll32.exe   rundll32.exe    (7 entries)
  PID 2024 wrote to memory of 672      2024   rundll32.exe   WerFault.exe    (4 entries)
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_shlwapi.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_shlwapi.dll,#1
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 252
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/672-59-0x0000000000000000-mapping.dmp
memory/672-60-0x0000000000290000-0x0000000000291000-memory.dmp (Filesize: 4KB)
memory/2024-54-0x0000000000000000-mapping.dmp
memory/2024-55-0x0000000075C11000-0x0000000075C13000-memory.dmp (Filesize: 8KB)
memory/2024-56-0x0000000074B30000-0x0000000074B5F000-memory.dmp (Filesize: 188KB)
memory/2024-58-0x0000000000260000-0x0000000000266000-memory.dmp (Filesize: 24KB)