Analysis

- max time kernel: 122s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 20-10-2021 16:04

- Static task: static1
- Behavioral task: behavioral1
  - Sample: 9_FDResPub.dll
  - Resource: win7-en-20210920
  - Platform: windows7_x64
- 0 signatures, 0 seconds
General

- Target: 9_FDResPub.dll
- Size: 180KB
- MD5: 6ac256a1d85a3aaf1ef844019fa0f6e1
- SHA1: a77c09e019b83bca9f0a8eeb9d0a7b7c623b65b4
- SHA256: 230b5356406c0d2477d3048b82c31f451326332834177c15bcc30ac7418c1067
- SHA512: 7446256888933ed9beada1a5773891588c4c252d2bd1ce458064c21e5dc1834a434690829438e6043cb4821cc8c0b291d3fe7a516aca5472ae8517b85135c3ac
Malware Config

Extracted
- Family: dridex
- Botnet: 22202
- C2:
  - 155.138.203.91:443
  - 207.180.220.242:8116
  - 46.101.142.214:6891
- rc4.plain (two entries; the key values are not included on this page)
Signatures

Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1524-55-0x0000000074C40000-0x0000000074C6F000-memory.dmp   dridex_ldr
  behavioral1/memory/1620-59-0x0000000000210000-0x0000000000270000-memory.dmp   dridex_ldr

Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  1620  1524        WerFault.exe  rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid   process
  1620  WerFault.exe  (4 events)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  1620  WerFault.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1620  WerFault.exe

Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  description                        pid   process       target process
  PID 2008 wrote to memory of 1524   2008  rundll32.exe  rundll32.exe   (7 events)
  PID 1524 wrote to memory of 1620   1524  rundll32.exe  WerFault.exe   (4 events)

Note that every one of the 11 writes goes from a parent into a child it has just created: 2008 -> 1524 is the 64-bit system32\rundll32.exe relaunching SysWOW64\rundll32.exe, which Windows does when the DLL passed to it is 32-bit, and 1524 -> 1620 is the faulting rundll32 starting WerFault.exe (-p 1524). A parent writing into a child during CreateProcess is expected, so this signature on its own is not evidence of code injection here; the dridex_ldr YARA matches and the extracted configuration are what identify the sample.
Processes

- C:\Windows\system32\rundll32.exe (PID 2008)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_FDResPub.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1524)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_FDResPub.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe (PID 1620)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 252
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
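The following is an added example, not part of the Tria.ge report and not code from the sample or from Tria.ge: it replays constructed Sysmon-style events modelled on the process tree above (PIDs 2008 -> 1524 -> 1620) against the IOCs in this report, and shows how a detection should treat the WriteProcessMemory signature. The event schema, field names, the parent PID 1900 and the network event are assumptions for illustration; the hashes, C2 endpoints, paths and command lines are copied from the report.

```python
"""Added example, not part of the Tria.ge report or of the sample: replay
constructed Sysmon-style events against the IOCs and process behaviour listed
in this report. Event field names and the sample events are assumptions."""
import re

# Copied from the report: Malware Config -> C2, General -> SHA256.
C2_ENDPOINTS = {("155.138.203.91", 443), ("207.180.220.242", 8116), ("46.101.142.214", 6891)}
SAMPLE_SHA256 = "230b5356406c0d2477d3048b82c31f451326332834177c15bcc30ac7418c1067"

SYS32_RUNDLL32 = r"c:\windows\system32\rundll32.exe"
WOW64_RUNDLL32 = r"c:\windows\syswow64\rundll32.exe"
# 'rundll32 <dll>,#<ordinal>': the report calls the export as ',#1'.
ORDINAL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*#(?P<ord>\d+)', re.I)
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
WERFAULT_RE = re.compile(r"werfault\.exe\b.*?-p\s+(?P<pid>\d+)", re.I)


def parse_c2(entry):
    """'ip:port' as printed under Malware Config -> (ip, int(port))."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def triage(events):
    """Return (findings, suppressed) as lists of strings.

    Two passes: the first builds the process tree so the verdict does not depend
    on whether a WriteProcessMemory event is logged before or after the child's
    ProcessCreate; the second scores each event.
    """
    parent_of, image_of = {}, {}
    for ev in events:
        if ev["type"] == "process_create":
            parent_of[ev["pid"]] = ev["ppid"]
            image_of[ev["pid"]] = ev["image"].lower()

    findings, suppressed = [], []
    hosting_pids = set()  # rundll32 instances that loaded a DLL from the user's temp dir

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            pid, image, cmd = ev["pid"], image_of[ev["pid"]], ev.get("cmdline", "")
            m = ORDINAL_RE.search(cmd)
            if image in (SYS32_RUNDLL32, WOW64_RUNDLL32) and m and USER_TEMP_RE.search(m["dll"]):
                hosting_pids.add(pid)
                findings.append(f"pid {pid}: rundll32 calls export #{m['ord']} of {m['dll']} from user temp")
            wf = WERFAULT_RE.search(cmd)
            if wf and int(wf["pid"]) in hosting_pids:
                findings.append(f"pid {pid}: WerFault for crashed rundll32 pid {wf['pid']} (rundll32 hosting the DLL crashed)")
        elif kind == "write_process_memory":
            src, dst = ev["pid"], ev["target_pid"]
            if parent_of.get(dst) == src:
                # A parent writes into the child it is creating (CreateProcess sets up
                # the PEB and process parameters). The 64-bit rundll32 relaunching its
                # SysWOW64 copy for a 32-bit DLL is the case seen in this report.
                why = ("64-bit rundll32 relaunching its SysWOW64 copy"
                       if image_of.get(src) == SYS32_RUNDLL32 and image_of.get(dst) == WOW64_RUNDLL32
                       else "parent writing into its newly created child")
                suppressed.append(f"pid {src} -> {dst}: WriteProcessMemory, {why}")
            else:
                findings.append(f"pid {src} -> {dst}: WriteProcessMemory into an unrelated process")
        elif kind == "network_connect":
            if (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
                findings.append(f"pid {ev['pid']}: connection to Dridex botnet 22202 C2 {ev['dst_ip']}:{ev['dst_port']}")
        elif kind == "file_hash":
            if ev["sha256"].lower() == SAMPLE_SHA256:
                findings.append(f"{ev['path']}: SHA256 matches 9_FDResPub.dll")
    return findings, suppressed


# Constructed events modelled on the report's process tree (PIDs 2008 -> 1524 -> 1620).
# The parent PID 1900 and the network event are invented to exercise the checks.
SAMPLE_EVENTS = [
    {"type": "file_hash", "path": r"C:\Users\Admin\AppData\Local\Temp\9_FDResPub.dll", "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 2008, "ppid": 1900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_FDResPub.dll,#1"},
    {"type": "write_process_memory", "pid": 2008, "target_pid": 1524},
    {"type": "process_create", "pid": 1524, "ppid": 2008, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_FDResPub.dll,#1"},
    {"type": "write_process_memory", "pid": 1524, "target_pid": 1620},
    {"type": "process_create", "pid": 1620, "ppid": 1524, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 252"},
    {"type": "network_connect", "pid": 1524, "dst_ip": "155.138.203.91", "dst_port": 443},
]

if __name__ == "__main__":
    f, s = triage(SAMPLE_EVENTS)
    print("\n".join(["FINDINGS:"] + f + ["SUPPRESSED:"] + s))
```

Run on the constructed events, the two rundll32 launches of the DLL by export ordinal from the user's temp directory, the WerFault crash of the hosting rundll32, the hash match and the C2 connection are reported as findings, while both WriteProcessMemory pairs are suppressed as parent-to-child writes during process creation. Any cross-process write that is not parent-to-child would still be reported.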
Network
MITRE ATT&CK Matrix
Downloads

- memory/1524-53-0x0000000000000000-mapping.dmp
- memory/1524-54-0x0000000076581000-0x0000000076583000-memory.dmp (8KB)
- memory/1524-55-0x0000000074C40000-0x0000000074C6F000-memory.dmp (188KB)
- memory/1524-58-0x0000000000190000-0x0000000000196000-memory.dmp (24KB)
- memory/1620-57-0x0000000000000000-mapping.dmp
- memory/1620-59-0x0000000000210000-0x0000000000270000-memory.dmp (384KB)

The 188KB region at 0x74C40000 in the SysWOW64 rundll32 (PID 1524) is the one that matched dridex_ldr; its size and 32-bit address range are consistent with the 180KB DLL mapped as an image, and it is the dump to start with for unpacking. The second dridex_ldr match, in WerFault.exe (PID 1620), is consistent with WerFault reading the crashed process's memory while building the error report rather than with a second process being infected.