Analysis
Max time kernel: 121s
Max time network: 145s
Platform: windows10_x64
Resource: win10-en-20211014
Submitted: 18-10-2021 19:21
Static task: static1
General
Target: b3dbdfe68df9ff59d5dbf2fe5cfa1af03af7b3aa88f300af63457947c1e515d0.dll
Size: 244KB
MD5: bad08e3e2cd605bb4143b859a0adb9f0
SHA1: 59386f864987dcfd1d74354e6fb98031a24829b4
SHA256: b3dbdfe68df9ff59d5dbf2fe5cfa1af03af7b3aa88f300af63457947c1e515d0
SHA512: a9870cd45e884160cded25607ec60b632cc73173ebe919bad1d67a6181956219fba504eb8f56002be8fd29da3ec89e4111753de6abb42719e448c33208dc4b44
Malware Config
Extracted:
  Family: dridex
  Botnet: 22201
  C2:
    195.154.146.84:443
    45.56.121.87:8116
    157.245.222.44:5723
  rc4.plain
  rc4.plain
Signatures

YARA rule matches on process memory
  resource                                                                       yara_rule
  behavioral1/memory/2332-121-0x0000000073F50000-0x0000000073F8E000-memory.dmp   dridex_ldr
  behavioral1/memory/2332-120-0x0000000073F50000-0x0000000073F7F000-memory.dmp   dridex_ldr

Program crash (1 IoC)
  pid    pid_target   process        target process
  3208   2332         WerFault.exe   rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid    process
  3208   WerFault.exe   (12 identical entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                  pid    process
  Token: SeRestorePrivilege    3208   WerFault.exe
  Token: SeBackupPrivilege     3208   WerFault.exe
  Token: SeDebugPrivilege      3208   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid    process        target process
  PID 2744 wrote to memory of 2332     2744   rundll32.exe   rundll32.exe   (3 identical entries)

Note: the EnumeratesProcesses and AdjustPrivilegeToken hits are all attributed to WerFault.exe (PID 3208), the Windows Error Reporting process started after the rundll32.exe host (PID 2332) crashed, so they describe the crash handler rather than the sample. The WriteProcessMemory entries are the 64-bit rundll32.exe (PID 2744) writing into the 32-bit SysWOW64 rundll32.exe child (PID 2332) it launched to host the DLL. The only signatures tied to the sample's own code are the two dridex_ldr YARA matches on dumps of PID 2332.
Processes

1. C:\Windows\system32\rundll32.exe (PID 2744, per the WriteProcessMemory signature)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3dbdfe68df9ff59d5dbf2fe5cfa1af03af7b3aa88f300af63457947c1e515d0.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2332)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b3dbdfe68df9ff59d5dbf2fe5cfa1af03af7b3aa88f300af63457947c1e515d0.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe (PID 3208)
         C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 620
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

The DLL is invoked by ordinal (export #1) from the user's Temp directory. The 64-bit rundll32.exe in system32 cannot host a 32-bit DLL, so it re-launches the same command line under the SysWOW64 rundll32.exe; that 32-bit host (PID 2332) is the process the memory dumps and the dridex_ldr matches come from, and it is the process WerFault.exe was started for (-p 2332).
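The chain above (system32 rundll32 re-hosting a Temp-resident DLL by ordinal in a SysWOW64 rundll32, then WerFault for that child) is the kind of pattern a detection engineer would encode from this report. The following is an added example, not code from the report or from Triage: it runs that logic over constructed process-creation events modelled on the tree above. The event fields (pid, ppid, image, cmdline), the decoy events and the user-writable path list are assumptions, not data from the page.

```python
# Added example (not part of the Triage report or the Dridex sample): detection
# logic for the process chain shown above, run over constructed process-creation
# events. The event fields (pid, ppid, image, cmdline) are an assumption modelled
# on Sysmon event ID 1 / Security event 4688; adapt the loader to your telemetry.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\b3dbdfe68df9ff59d5dbf2fe5cfa1af03af7b3aa88f300af63457947c1e515d0.dll")

# Constructed events reproducing the report's tree (2744 -> 2332 -> 3208) plus two
# benign decoys: rundll32 loading a system DLL by export name, and an unrelated WerFault.
EVENTS = [
    ProcEvent(2744, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2332, 2744, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(3208, 2332, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 620"),
    ProcEvent(4100, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"),
    ProcEvent(4200, 4100, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 9999 -s 100"),
]

# rundll32.exe <dll>,<export>  where export is an ordinal (#1) or a name
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<export>#\d+|\w+)', re.I)
WERFAULT_PID_RE = re.compile(r"-p\s+(?P<pid>\d+)")
# user-writable locations a signed system DLL would never be loaded from (assumed list)
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)


def parse_rundll32(ev):
    """Return (dll_path, export) for a rundll32 launch, else None."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    m = RUNDLL_RE.search(ev.cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def is_suspicious_rundll32(ev):
    """rundll32 calling an *ordinal* export of a DLL in a user-writable path."""
    parsed = parse_rundll32(ev)
    if parsed is None:
        return False
    dll, export = parsed
    return export.startswith("#") and USER_WRITABLE.search(dll) is not None


def werfault_target(ev):
    """PID named by WerFault's -p switch, or None if ev is not WerFault."""
    if not ev.image.lower().endswith("\\werfault.exe"):
        return None
    m = WERFAULT_PID_RE.search(ev.cmdline)
    return int(m.group("pid")) if m else None


def find_chains(events):
    """Report each DLL-hosting rundll32 with its 64-bit launcher and crash handler."""
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for host in events:
        if not is_suspicious_rundll32(host):
            continue
        target = parse_rundll32(host)
        # Skip the launcher when it re-hosted the same DLL in a child rundll32
        # (the report's system32 -> SysWOW64 hop); the child is the real host.
        if any(parse_rundll32(c) == target for c in children.get(host.pid, [])):
            continue
        parent = by_pid.get(host.ppid)
        loader = parent.pid if parent and parse_rundll32(parent) == target else None
        crash = [c.pid for c in children.get(host.pid, []) if werfault_target(c) == host.pid]
        findings.append({"host_pid": host.pid, "loader_pid": loader, "dll": target[0],
                         "export": target[1], "werfault_pid": crash[0] if crash else None})
    return findings


if __name__ == "__main__":
    for f in find_chains(EVENTS):
        print(f)
```

The strong signal is the combination of an ordinal export and a user-writable DLL path; the system32 to SysWOW64 hop and the WerFault with a matching -p are enrichment that tie the launcher, the host and the crash into one finding rather than three alerts.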
Network
MITRE ATT&CK Matrix
Downloads
memory/2332-115-0x0000000000000000-mapping.dmp
memory/2332-116-0x0000000073F50000-0x0000000073F8E000-memory.dmp   Filesize: 248KB
memory/2332-119-0x00000000032A0000-0x00000000032A6000-memory.dmp   Filesize: 24KB
memory/2332-121-0x0000000073F50000-0x0000000073F8E000-memory.dmp   Filesize: 248KB
memory/2332-120-0x0000000073F50000-0x0000000073F7F000-memory.dmp   Filesize: 188KB
memory/2332-122-0x00000000049D0000-0x00000000049D6000-memory.dmp   Filesize: 24KB
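The dump names encode the PID, a sequence number and the dumped address range, so the listed sizes can be checked and the dumps covering one region (here 0x73F50000, where both dridex_ldr matches sit) can be grouped. The following is an added example, not tooling from Triage or the report: it parses the names exactly as they appear above and recomputes each size from the range. The dump names and Filesize values are the ones listed on this page; the naming pattern and the helper names are assumptions made for this example. The 248KB range at 0x73F50000 is consistent with the 244KB on-disk DLL mapped with section alignment, but that is an inference from the sizes, not something the report states.

```python
# Added example (not part of the Triage report): a parser for the memory-dump names
# listed above, used to check the "Filesize" shown for each dump against the address
# range encoded in its name. The naming scheme memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
# and the sizes are taken from this page; nothing here reads the dumps themselves.
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-"
    r"(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp$"
)

# (dump name, Filesize as listed on the report page; None where the page lists no size)
DUMPS = [
    ("memory/2332-115-0x0000000000000000-mapping.dmp", None),
    ("memory/2332-116-0x0000000073F50000-0x0000000073F8E000-memory.dmp", "248KB"),
    ("memory/2332-119-0x00000000032A0000-0x00000000032A6000-memory.dmp", "24KB"),
    ("memory/2332-121-0x0000000073F50000-0x0000000073F8E000-memory.dmp", "248KB"),
    ("memory/2332-120-0x0000000073F50000-0x0000000073F7F000-memory.dmp", "188KB"),
    ("memory/2332-122-0x00000000049D0000-0x00000000049D6000-memory.dmp", "24KB"),
]


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, start/end address and byte size."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m.group("start"), 16)
    end = int(m.group("end"), 16) if m.group("end") else None   # mapping dumps carry no range
    return {
        "pid": int(m.group("pid")),
        "seq": int(m.group("seq")),
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else None,
    }


def check_sizes(dumps):
    """Return (name, size computed from the range, size listed, match?) per dump."""
    out = []
    for name, listed in dumps:
        d = parse_dump_name(name)
        computed = None if d["size"] is None else f"{d['size'] // 1024}KB"
        out.append((name, computed, listed, computed == listed))
    return out


def dumps_containing(dumps, address):
    """Dumps whose range covers `address`, e.g. every capture of the loaded DLL image."""
    hits = []
    for name, _ in dumps:
        d = parse_dump_name(name)
        if d["end"] is not None and d["start"] <= address < d["end"]:
            hits.append(d)
    return hits


if __name__ == "__main__":
    for name, computed, listed, ok in check_sizes(DUMPS):
        print(f"{'ok ' if ok else 'BAD'} {name}  computed={computed} listed={listed}")
    # every dump that captured the region at 0x73F50000 where dridex_ldr matched
    print(sorted(d["seq"] for d in dumps_containing(DUMPS, 0x73F50000)))
```

Running it confirms the listed sizes are exact page-rounded range lengths (0x3E000 bytes for the two 248KB dumps, 0x2F000 for the 188KB one) and that three dumps (116, 120, 121) capture the same base; dump 120 is a strict sub-range of 116 and 121, which is why it carries a different YARA-match resource name despite being the same module.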