Analysis
max time kernel: 77s
max time network: 139s
platform: windows10_x64
resource: win10-en-20211014
submitted: 18-10-2021 20:02
Static task
static1
General
Target: c8344e4ee2de8d92eede0c6b97e003a0e277d6bee5b86181dc85d78ead98a66d.dll
Size: 244KB
MD5: a1818a3243826176732e5dc4a15a0ff5
SHA1: 590dca3c55f9b0e42a7b46ed1c42b19509f62c33
SHA256: c8344e4ee2de8d92eede0c6b97e003a0e277d6bee5b86181dc85d78ead98a66d
SHA512: 1025acb4b38b40c852a073350d3b597658d6a1d1896e5b7a9391d875fdd3c663ce67af43c42067525f4022007180c67fe1873f21f4198e51641f4647e4ab3243
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  195.154.146.84:443
  45.56.121.87:8116
  157.245.222.44:5723
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                      yara_rule
  behavioral1/memory/752-120-0x0000000073C20000-0x0000000073C4F000-memory.dmp   dridex_ldr
  behavioral1/memory/752-121-0x0000000073C20000-0x0000000073C5E000-memory.dmp   dridex_ldr

Program crash (1 IoC)
Processes:
  pid    pid_target   process        target process
  4520   752          WerFault.exe   rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
  pid    process
  4520   WerFault.exe   (12 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description                 pid    process
  Token: SeRestorePrivilege   4520   WerFault.exe
  Token: SeBackupPrivilege    4520   WerFault.exe
  Token: SeDebugPrivilege     4520   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                         pid    process        target process
  PID 3392 wrote to memory of 752     3392   rundll32.exe   rundll32.exe
  PID 3392 wrote to memory of 752     3392   rundll32.exe   rundll32.exe
  PID 3392 wrote to memory of 752     3392   rundll32.exe   rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c8344e4ee2de8d92eede0c6b97e003a0e277d6bee5b86181dc85d78ead98a66d.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c8344e4ee2de8d92eede0c6b97e003a0e277d6bee5b86181dc85d78ead98a66d.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 616
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
  file                                                                 Filesize
  memory/752-115-0x0000000000000000-mapping.dmp
  memory/752-116-0x0000000073C20000-0x0000000073C5E000-memory.dmp      248KB
  memory/752-119-0x0000000000500000-0x0000000000506000-memory.dmp      24KB
  memory/752-120-0x0000000073C20000-0x0000000073C4F000-memory.dmp      188KB
  memory/752-121-0x0000000073C20000-0x0000000073C5E000-memory.dmp      248KB
  memory/752-122-0x0000000000510000-0x0000000000516000-memory.dmp      24KB