Analysis
  max time kernel:  122s
  max time network: 125s
  platform:         windows10_x64
  resource:         win10-en-20210920
  submitted:        18-10-2021 20:37
  Static task:      static1
General
  Target: 87046bd22099a12e0bf795f5068d330af93f8d7cb9af27d4016dceb7b82c6a49.dll
  Size:   244KB
  MD5:    0ff2c4b04a4f31bb7ec8c88ad9c06c14
  SHA1:   330a37fdcafea1cacd10ad7393bc472bb2e03d9a
  SHA256: 87046bd22099a12e0bf795f5068d330af93f8d7cb9af27d4016dceb7b82c6a49
  SHA512: 1f5b3da0bb89ff654e79aa4134035b05b12fa7694d5a8464c3e2975f4abccadf953f7488b17634ab97201216533b61dd2fc359d18c24127e0f02268675aa73ef
Malware Config
Extracted
  Family: dridex
  Botnet: 22201
  C2:
    195.154.146.84:443
    45.56.121.87:8116
    157.245.222.44:5723
  rc4.plain
  rc4.plain
Signatures

YARA rule dridex_ldr matched in memory
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/2512-121-0x00000000744D0000-0x000000007450E000-memory.dmp  dridex_ldr
  behavioral1/memory/2512-120-0x00000000744D0000-0x00000000744FF000-memory.dmp  dridex_ldr

Program crash  1 IoCs
Processes:
  pid   process       pid_target  target process
  2688  WerFault.exe  2512        rundll32.exe

Suspicious behavior: EnumeratesProcesses  12 IoCs
Processes:
  pid   process
  2688  WerFault.exe  (12 events)

Suspicious use of AdjustPrivilegeToken  3 IoCs
Processes:
  description                pid   process
  Token: SeRestorePrivilege  2688  WerFault.exe
  Token: SeBackupPrivilege   2688  WerFault.exe
  Token: SeDebugPrivilege    2688  WerFault.exe

Suspicious use of WriteProcessMemory  3 IoCs
Processes:
  description                       pid   process       target process
  PID 2468 wrote to memory of 2512  2468  rundll32.exe  rundll32.exe  (3 events)
Processes
(PIDs are taken from the signature tables above: 2468 wrote to 2512, and WerFault was launched for 2512.)

C:\Windows\system32\rundll32.exe  (PID 2468)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\87046bd22099a12e0bf795f5068d330af93f8d7cb9af27d4016dceb7b82c6a49.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 2512)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\87046bd22099a12e0bf795f5068d330af93f8d7cb9af27d4016dceb7b82c6a49.dll,#1
    C:\Windows\SysWOW64\WerFault.exe  (PID 2688)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 616
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
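The tree above is the classic shape of a Dridex DLL run under a sandbox: a 64-bit rundll32.exe is handed a DLL in %LOCALAPPDATA%\Temp and an export by ordinal (#1), re-hosts the 32-bit DLL in the SysWOW64 rundll32.exe, and that process crashes, so WerFault.exe is launched with -p 2512 and ends up carrying most of the signature hits (privilege adjustment, process enumeration). The following is an added example of how a detection engineer would encode that chain over process-creation telemetry; it is not Triage's own detection logic. The events are constructed from the process tree and the WriteProcessMemory signature (PIDs 2468 -> 2512 -> 2688); the parent of the first rundll32.exe is not on the page, so ppid 0 is a placeholder, and the list of user-writable directories is an assumption of the example.

```python
import re

# Constructed process-creation events modelled on the report's process tree and its
# "wrote to memory" signature (PIDs 2468 -> 2512 -> 2688). The parent of the first
# rundll32.exe is not shown on the page, so ppid 0 stands in for it.
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\87046bd22099a12e0bf795f5068d330af93f8d7cb9af27d4016dceb7b82c6a49.dll")
EVENTS = [
    {"pid": 2468, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 2512, "ppid": 2468, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 2688, "ppid": 2512, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 616"},
]

# rundll32 <dll>,<export>  (export may be a name or an ordinal such as #1)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
# WerFault.exe ... -p <pid of the crashed process>
WERFAULT_PID_RE = re.compile(r"\s-p\s+(?P<pid>\d+)", re.I)
# Assumed list of directories an unprivileged user can write to; a DLL hosted
# from here by rundll32 deserves more scrutiny than one under %SystemRoot%.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def parse_rundll32(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def image_name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()


def analyse(events):
    """Return {pid: [reasons]} for processes matching the rundll32 -> WerFault chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    # Pass 1: rundll32 hosting a DLL from a user-writable path and/or by ordinal,
    # optionally re-hosted in SysWOW64 by a parent rundll32 (64-bit host, 32-bit DLL).
    for e in events:
        if image_name(e) != "rundll32.exe":
            continue
        parsed = parse_rundll32(e["cmdline"])
        if parsed is None:
            continue
        dll, export = parsed
        reasons = []
        if any(d in dll.lower() for d in USER_WRITABLE):
            reasons.append("rundll32 loads a DLL from a user-writable directory")
        if export.startswith("#"):
            reasons.append(f"export invoked by ordinal ({export})")
        parent = by_pid.get(e["ppid"])
        if (parent is not None and image_name(parent) == "rundll32.exe"
                and "\\syswow64\\" in e["image"].lower()):
            reasons.append("SysWOW64 rundll32 spawned by rundll32 (32-bit DLL re-hosted by 64-bit host)")
        if reasons:
            findings[e["pid"]] = reasons
    # Pass 2: WerFault reporting a crash of one of the flagged rundll32 processes.
    for e in events:
        if image_name(e) != "werfault.exe":
            continue
        m = WERFAULT_PID_RE.search(e["cmdline"])
        if m and int(m.group("pid")) in findings:
            findings[e["pid"]] = [
                f"WerFault.exe reported a crash of flagged rundll32 pid {m.group('pid')}"]
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(analyse(EVENTS).items()):
        for r in reasons:
            print(f"pid {pid}: {r}")
```

The WerFault correlation matters for triage rather than for alerting: a rundll32 that crashes immediately after loading a dropped DLL usually means the payload did not run to completion in that environment, so the config above was recovered from memory dumps rather than from observed behaviour, and the privilege-token and process-enumeration hits belong to the crash reporter, not to Dridex.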
Network
MITRE ATT&CK Matrix
Downloads
  file                                                              size
  memory/2512-115-0x0000000000000000-mapping.dmp                    -
  memory/2512-116-0x00000000744D0000-0x000000007450E000-memory.dmp  248KB
  memory/2512-119-0x00000000003F0000-0x00000000003F6000-memory.dmp  24KB
  memory/2512-121-0x00000000744D0000-0x000000007450E000-memory.dmp  248KB
  memory/2512-120-0x00000000744D0000-0x00000000744FF000-memory.dmp  188KB
  memory/2512-122-0x00000000003C0000-0x00000000003C6000-memory.dmp  24KB
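The dump names encode the process and the address range that was captured, so a reviewer can check the listing without downloading anything: both dumps the dridex_ldr rule matched (seq 120 and 121) start at 0x744D0000, seq 120 is a sub-range of the 0x744D0000-0x7450E000 region captured twice (116 and 121), and that 248KB region is the size one would expect for the 244KB DLL mapped into the process (the page does not state that this is the DLL's image, but the numbers are consistent with it). The following is an added example, not part of the report, that parses the names, checks the listed sizes against the address ranges, and groups the regions per PID. It assumes the naming convention memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (and memory/<pid>-<seq>-0x<addr>-mapping.dmp) inferred from the names on this page.

```python
import re

# Constructed from the "Downloads" listing of this report (dump names and the sizes
# shown beside them). The mapping dump has no size on the page, hence None.
DOWNLOADS = [
    ("memory/2512-115-0x0000000000000000-mapping.dmp", None),
    ("memory/2512-116-0x00000000744D0000-0x000000007450E000-memory.dmp", "248KB"),
    ("memory/2512-119-0x00000000003F0000-0x00000000003F6000-memory.dmp", "24KB"),
    ("memory/2512-121-0x00000000744D0000-0x000000007450E000-memory.dmp", "248KB"),
    ("memory/2512-120-0x00000000744D0000-0x00000000744FF000-memory.dmp", "188KB"),
    ("memory/2512-122-0x00000000003C0000-0x00000000003C6000-memory.dmp", "24KB"),
]

# Assumed convention, inferred from the names above:
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp   (a dumped memory region)
#   memory/<pid>-<seq>-0x<addr>-mapping.dmp           (a mapping record, no range)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-(?:0x(?P<end>[0-9A-Fa-f]+)-memory|mapping)\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, kind and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m.group("end")
    return {
        "pid": int(m.group("pid")),
        "seq": int(m.group("seq")),
        "start": int(m.group("start"), 16),
        "end": int(end, 16) if end is not None else None,
        "kind": "region" if end is not None else "mapping",
    }


def region_size_kb(entry):
    """Size implied by the address range, in whole KB (the unit the listing uses)."""
    return (entry["end"] - entry["start"]) // 1024


def check_listing(listing):
    """Return (name, implied_kb, listed_kb, matches) for every region dump."""
    out = []
    for name, listed in listing:
        entry = parse_dump_name(name)
        if entry["kind"] != "region":
            continue
        listed_kb = int(listed.rstrip("KB")) if listed else None
        implied_kb = region_size_kb(entry)
        out.append((name, implied_kb, listed_kb, implied_kb == listed_kb))
    return out


def regions_by_pid(listing):
    """Map pid -> sorted [(start, end, [seqs])] so repeated and nested ranges stand out."""
    table = {}
    for name, _ in listing:
        entry = parse_dump_name(name)
        if entry["kind"] != "region":
            continue
        key = (entry["start"], entry["end"])
        table.setdefault(entry["pid"], {}).setdefault(key, []).append(entry["seq"])
    return {pid: [(s, e, sorted(seqs)) for (s, e), seqs in sorted(regs.items())]
            for pid, regs in table.items()}


if __name__ == "__main__":
    for name, implied, listed, ok in check_listing(DOWNLOADS):
        print(f"{'OK ' if ok else 'BAD'} {name}: range implies {implied}KB, listed {listed}KB")
    for pid, regs in regions_by_pid(DOWNLOADS).items():
        for start, end, seqs in regs:
            print(f"pid {pid}: 0x{start:08X}-0x{end:08X} dumped as seq {seqs}")
```

When the implied and listed sizes disagree, the listing (or the naming convention assumed here) is wrong and the dump should be inspected before any offset from it is reused; here all five region dumps agree, and the grouping shows the two YARA hits are the same base address captured at two sizes.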