Analysis
- max time kernel: 123s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 18-10-2021 16:47
Static task: static1
Behavioral task: behavioral1; sample 1_FXSMON.dll; resource win7-en-20210920
Behavioral task: behavioral2; sample 1_FXSMON.dll; resource win10-en-20211014
Behavioral task: behavioral3; sample 2_System.Windows.Forms.DataVisualization.Design.ni.dll; resource win7-en-20210920
Behavioral task: behavioral4; sample 2_System.Windows.Forms.DataVisualization.Design.ni.dll; resource win10-en-20211014
Behavioral task: behavioral5; sample 5_System.dll; resource win7-en-20210920
General
- Target: 2_System.Windows.Forms.DataVisualization.Design.ni.dll
- Size: 180KB
- MD5: d08861f67ff78ce290400918bef9d6d3
- SHA1: 84fa96bab75c39763e98cae598d66bc2e0372cc5
- SHA256: 8321ba3134a0517c02ddf3b26163afa155aeb6aa606a2825618671372679c4a2
- SHA512: e502f2e8ed1c45a1de6d8a9fb3f610cf97adf71f2504284bbccd42dd436e08d483536ac031e022526c951a21b7521322cc5f78863e1cea40003e5c4b8c912bd5
Malware Config
Extracted: dridex
22203
C2 addresses (ip:port):
- 195.154.146.84:443
- 45.56.121.87:8116
- 157.245.222.44:5723
Signatures
- Yara rule match
  resource                                                                     yara_rule
  behavioral3/memory/1600-55-0x0000000074950000-0x000000007497F000-memory.dmp  dridex_ldr
- Program crash (1 IoC)
  pid  pid_target  process       target process
  268  1600        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 268 WerFault.exe (4 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 268 WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege; pid 268 WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1124 (rundll32.exe) wrote to memory of 1600 (rundll32.exe): 7 events
  PID 1600 (rundll32.exe) wrote to memory of 268 (WerFault.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2_System.Windows.Forms.DataVisualization.Design.ni.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2_System.Windows.Forms.DataVisualization.Design.ni.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 252
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/268-57-0x0000000000000000-mapping.dmp
- memory/268-59-0x0000000000290000-0x0000000000291000-memory.dmp (filesize 4KB)
- memory/1600-53-0x0000000000000000-mapping.dmp
- memory/1600-54-0x0000000076201000-0x0000000076203000-memory.dmp (filesize 8KB)
- memory/1600-55-0x0000000074950000-0x000000007497F000-memory.dmp (filesize 188KB)
- memory/1600-58-0x0000000000130000-0x0000000000136000-memory.dmp (filesize 24KB)