Analysis
- max time kernel: 124s
- max time network: 126s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 18-10-2021 17:53
- Static task: static1
- Behavioral task: behavioral1 (resource win7-en-20211014, windows7_x64, 0 signatures, 0 seconds)
- Sample: 9_dsauth.dll
General
- Target: 9_dsauth.dll
- Size: 244KB
- MD5: bad08e3e2cd605bb4143b859a0adb9f0
- SHA1: 59386f864987dcfd1d74354e6fb98031a24829b4
- SHA256: b3dbdfe68df9ff59d5dbf2fe5cfa1af03af7b3aa88f300af63457947c1e515d0
- SHA512: a9870cd45e884160cded25607ec60b632cc73173ebe919bad1d67a6181956219fba504eb8f56002be8fd29da3ec89e4111753de6abb42719e448c33208dc4b44
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  195.154.146.84:443
  45.56.121.87:8116
  157.245.222.44:5723
- rc4.plain
- rc4.plain
Signatures
-
YARA rule dridex_ldr 2 IoCs
Processes:
resource                                                                        yara_rule
behavioral2/memory/2756-120-0x0000000073870000-0x000000007389F000-memory.dmp    dridex_ldr
behavioral2/memory/2756-121-0x0000000073870000-0x00000000738AE000-memory.dmp    dridex_ldr
-
Program crash 1 IoCs
Processes:
pid     pid_target    process         target process
2280    2756          WerFault.exe    rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
pid     process
2280    WerFault.exe    (12 occurrences)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description                   pid     process
Token: SeRestorePrivilege     2280    WerFault.exe
Token: SeBackupPrivilege      2280    WerFault.exe
Token: SeDebugPrivilege       2280    WerFault.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                         pid     process         target process
PID 1828 wrote to memory of 2756    1828    rundll32.exe    rundll32.exe    (3 occurrences)
Processes
-
C:\Windows\system32\rundll32.exe (PID 1828)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_dsauth.dll,#1
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe (PID 2756)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_dsauth.dll,#1
      └ C:\Windows\SysWOW64\WerFault.exe (PID 2280)
          C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 616
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
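The process tree above is the part of this report worth turning into a detection: the 64-bit rundll32.exe from system32 loads a DLL from the user's Temp directory by ordinal (#1), re-launches the 32-bit rundll32.exe from SysWOW64 with the same arguments (consistent with a 32-bit DLL handed to the 64-bit host), and WerFault.exe is then started to handle the crash of PID 2756 (`-p 2756`). The EnumeratesProcesses and AdjustPrivilegeToken signatures are raised by WerFault.exe, which is Windows Error Reporting reading the crashed process, not by the sample, so they should be read as a consequence of the crash rather than as sample behaviour. The block below is an added example, not part of the report or of any sandbox tooling: it runs a small detector over constructed, Sysmon-style process-creation records modelled on this tree. The record fields (pid, ppid, image, cmdline), the parent PID 1200, the benign shell32.dll control event and the list of user-writable directories are assumptions of the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal Sysmon-style process-creation record (field names assumed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events modelled on the report's process tree; PID 1200 and
# the shell32.dll control event are made up for the example.
SAMPLE_EVENTS = [
    ProcEvent(1828, 1200, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_dsauth.dll,#1"),
    ProcEvent(2756, 1828, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_dsauth.dll,#1"),
    ProcEvent(2280, 2756, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 616"),
    ProcEvent(3100, 1200, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
]

# rundll32 <dll>,<export>  where <export> is a name or an ordinal (#N)
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^,"]+)"?,(?P<export>#?\S+)', re.I)
# WerFault.exe ... -p <pid of the crashed process>
WERFAULT_RE = re.compile(r"werfault\.exe\b.*?-p\s+(?P<target>\d+)", re.I)
# Directories an unprivileged user can write to (assumed list; extend as needed).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def rundll32_user_dll(ev):
    """Return (dll, export) if ev is rundll32 loading a DLL from a user-writable path."""
    m = RUNDLL32_RE.search(ev.cmdline)
    if not m:
        return None
    dll = m.group("dll").strip().lower()
    if not any(seg in dll for seg in USER_WRITABLE):
        return None
    return dll, m.group("export")


def analyze(events):
    """Return (finding, pid, detail) tuples for the rundll32/WerFault chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        hit = rundll32_user_dll(ev)
        if hit:
            dll, export = hit
            note = " by ordinal" if export.startswith("#") else ""
            findings.append(("rundll32_user_writable_dll", ev.pid, f"{dll} export {export}{note}"))
            parent = by_pid.get(ev.ppid)
            # 64-bit rundll32 (system32) re-launching the 32-bit one (SysWOW64)
            if (parent and "\\system32\\rundll32.exe" in parent.image.lower()
                    and "\\syswow64\\rundll32.exe" in ev.image.lower()):
                findings.append(("rundll32_wow64_relaunch", ev.pid, f"parent {parent.pid}"))
        wm = WERFAULT_RE.search(ev.cmdline)
        if wm:
            # Tie the WerFault crash handler back to the process it is reporting on.
            target = by_pid.get(int(wm.group("target")))
            if target and rundll32_user_dll(target):
                findings.append(("crash_of_flagged_rundll32", target.pid, f"WerFault pid {ev.pid}"))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{kind:32} pid={pid} {detail}")
```

The control event (rundll32 loading shell32.dll from system32 by export name) produces no finding, which is the point of keying on the DLL's directory rather than on rundll32 itself; in a real pipeline the WerFault correlation is what distinguishes a loader that crashed from one that ran to completion, since the report's crash signature is the only trace of that here.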
Network
MITRE ATT&CK Matrix
Downloads
file                                                                Filesize
memory/2756-115-0x0000000000000000-mapping.dmp                      -
memory/2756-116-0x0000000073870000-0x00000000738AE000-memory.dmp    248KB
memory/2756-119-0x00000000023B0000-0x00000000023B6000-memory.dmp    24KB
memory/2756-120-0x0000000073870000-0x000000007389F000-memory.dmp    188KB
memory/2756-121-0x0000000073870000-0x00000000738AE000-memory.dmp    248KB
memory/2756-122-0x0000000002600000-0x000000000274A000-memory.dmp    1.3MB
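The dump names in the Downloads list encode the PID, a sequence number and the dumped address range (or `-mapping` for a mapping record), so the listed sizes can be cross-checked against the ranges, and the two YARA hits from the Signatures section (2756-120 and 2756-121, both dridex_ldr) can be located relative to the 248KB region at 0x73870000 that dumps 116 and 121 cover. The block below is an added example, not part of the report; the naming pattern it parses is inferred from the names on this page, the size table is copied from the Downloads list, and the choice of dump 116 as the reference region is an assumption of the example.

```python
import re

# Copied from the report's Downloads list (name -> size as listed; None = not shown).
DUMPS = {
    "memory/2756-115-0x0000000000000000-mapping.dmp": None,
    "memory/2756-116-0x0000000073870000-0x00000000738AE000-memory.dmp": "248KB",
    "memory/2756-119-0x00000000023B0000-0x00000000023B6000-memory.dmp": "24KB",
    "memory/2756-120-0x0000000073870000-0x000000007389F000-memory.dmp": "188KB",
    "memory/2756-121-0x0000000073870000-0x00000000738AE000-memory.dmp": "248KB",
    "memory/2756-122-0x0000000002600000-0x000000000274A000-memory.dmp": "1.3MB",
}
# Copied from the report's Signatures section.
YARA_HITS = {
    "behavioral2/memory/2756-120-0x0000000073870000-0x000000007389F000-memory.dmp": "dridex_ldr",
    "behavioral2/memory/2756-121-0x0000000073870000-0x00000000738AE000-memory.dmp": "dridex_ldr",
}
# Reference region (assumed): the 248KB dump at the loader's base address.
MODULE_DUMP = "memory/2756-116-0x0000000073870000-0x00000000738AE000-memory.dmp"

# [<task>/]memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp  or  ...-0x<addr>-mapping.dmp
DUMP_RE = re.compile(
    r"(?:\w+/)*memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-f]+)"
    r"(?:-0x(?P<end>[0-9a-f]+)-memory|-mapping)\.dmp$", re.I)


def parse_dump(name):
    """Split a dump name into pid, sequence number, address range and kind."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
            "size": end - start if end is not None else None,
            "kind": "region" if end is not None else "mapping"}


def human_size(n):
    """Match the report's display: whole KB below 1 MB, one decimal MB above."""
    return f"{n / (1 << 20):.1f}MB" if n >= (1 << 20) else f"{n // 1024}KB"


def check_sizes(dumps):
    """{name: (computed_size, listed_size, matches)} for every region dump."""
    result = {}
    for name, listed in dumps.items():
        d = parse_dump(name)
        if d["kind"] != "region":
            continue
        computed = human_size(d["size"])
        result[name] = (computed, listed, computed == listed)
    return result


def hits_within(yara_hits, module_dump):
    """Is each YARA-flagged range contained in the reference region (same pid)?"""
    mod = parse_dump(module_dump)
    out = {}
    for name in yara_hits:
        d = parse_dump(name)
        out[name] = (d["pid"] == mod["pid"] and mod["start"] <= d["start"]
                     and d["end"] <= mod["end"])
    return out


if __name__ == "__main__":
    for name, (computed, listed, ok) in check_sizes(DUMPS).items():
        print(f"{'ok ' if ok else 'BAD'} {name}: computed {computed}, listed {listed}")
    for name, inside in hits_within(YARA_HITS, MODULE_DUMP).items():
        print(f"{'inside ' if inside else 'outside'} reference region: {name}")
```

All five region sizes reproduce the listed values, and both YARA-flagged ranges sit inside the 0x73870000-0x738AE000 region, with dump 120 covering the first 188KB of it and dump 121 the whole 248KB; the page does not say what changed between those two captures, so the check only establishes where the rule matched, not why.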