Analysis
  max time kernel: 124s
  max time network: 124s
  platform: windows10_x64
  resource: win10-en-20211014
  submitted: 20-10-2021 16:30
Static task: static1
Behavioral task: behavioral1
  Sample: 9_FDResPub.dll
  Resource: win7-en-20210920 (windows7_x64)
  0 signatures, 0 seconds
General
  Target: 9_FDResPub.dll
  Size: 180KB
  MD5: 6ac256a1d85a3aaf1ef844019fa0f6e1
  SHA1: a77c09e019b83bca9f0a8eeb9d0a7b7c623b65b4
  SHA256: 230b5356406c0d2477d3048b82c31f451326332834177c15bcc30ac7418c1067
  SHA512: 7446256888933ed9beada1a5773891588c4c252d2bd1ce458064c21e5dc1834a434690829438e6043cb4821cc8c0b291d3fe7a516aca5472ae8517b85135c3ac
Malware Config
  Extracted
    Family: dridex
    Botnet: 22202
    C2:
      155.138.203.91:443
      207.180.220.242:8116
      46.101.142.214:6891
    rc4.plain
    rc4.plain
Signatures
  -
    Processes:
      resource                                                                   yara_rule
      behavioral2/memory/2720-116-0x00000000742A0000-0x00000000742CF000-memory.dmp  dridex_ldr
  - Program crash 1 IoCs
    Processes:
      pid  pid_target  process       target process
      584  2720        WerFault.exe  rundll32.exe
  - Suspicious behavior: EnumeratesProcesses 12 IoCs
    Processes:
      pid  process
      584  WerFault.exe  (12 identical entries)
  - Suspicious use of AdjustPrivilegeToken 3 IoCs
    Processes:
      description                pid  process
      Token: SeRestorePrivilege  584  WerFault.exe
      Token: SeBackupPrivilege   584  WerFault.exe
      Token: SeDebugPrivilege    584  WerFault.exe
  - Suspicious use of WriteProcessMemory 3 IoCs
    Processes:
      description                       pid   process       target process
      PID 1792 wrote to memory of 2720  1792  rundll32.exe  rundll32.exe  (3 identical entries)
Processes
  - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_FDResPub.dll,#1
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9_FDResPub.dll,#1
      - C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 620
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken