Analysis

max time kernel: 75s
max time network: 122s
platform: windows10_x64
resource: win10-en-20211014
submitted: 20-10-2021 19:47

Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: 5_SMSvcHost.resources.dll
  Resource: win7-en-20210920 (windows7_x64)
  Signatures: 0
  Runtime: 0 seconds
General

Target: 5_SMSvcHost.resources.dll
Size: 180KB
MD5: 49b0e4b2386c4c7f9b0d3f8748bd34e8
SHA1: 9450b46850cc52e1128e34e0639c57ed21034991
SHA256: 28ce2c4d838a1de5a8bbbd10fc8b7db21c82e306338ed40933f7e107bf2a5b06
SHA512: 501cc133f5c88f2fd450afd74f74c1d50d9da0ce9638e8c0894f7dc89057aacd41d4b3d0f8ebe798295d2cfad63ff5fea1499e4cdde0f523a82bf92e3a408b1e
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  155.138.203.91:443
  207.180.220.242:8116
  46.101.142.214:6891
rc4.plain
rc4.plain
Signatures

The signatures and process tree below come from the windows10_x64 run (the memory dump path is under behavioral2), not from the windows7_x64 task behavioral1 listed above, which produced no signatures.

YARA rule hit in process memory (1 IoC)
  resource: behavioral2/memory/3500-116-0x00000000739E0000-0x0000000073A0F000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
  pid   pid_target   process        target process
  1884  3500         WerFault.exe   rundll32.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 1884, WerFault.exe (12 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege   pid 1884   WerFault.exe
  Token: SeBackupPrivilege    pid 1884   WerFault.exe
  Token: SeDebugPrivilege     pid 1884   WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1244 (rundll32.exe) wrote to memory of 3500 (rundll32.exe), 3 occurrences

Reading the signatures together: the Dridex loader YARA rule matched inside the SysWOW64 rundll32.exe (PID 3500), which then crashed and was handled by WerFault.exe (PID 1884). The process enumeration and the SeRestore/SeBackup/SeDebug privilege adjustments are all attributed to WerFault.exe, i.e. to the crash handler rather than to the sample. The only cross-process memory writes are from the 64-bit rundll32.exe (PID 1244) into the SysWOW64 rundll32.exe it launched (PID 3500), which is the parent writing into its child at launch. No network-activity signature is listed for this run.
Processes

C:\Windows\system32\rundll32.exe (PID 1244)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_SMSvcHost.resources.dll,#1
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 3500)
       rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_SMSvcHost.resources.dll,#1
       └─ C:\Windows\SysWOW64\WerFault.exe (PID 1884)
            C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 624
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
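The execution chain in this report (rundll32.exe invoked with a DLL from the user's Temp folder by export ordinal, the 64-bit rundll32.exe spawning its SysWOW64 copy, WerFault.exe handling the crash of that child) and the extracted C2 list translate directly into host-based detection logic. The following is an added example, not part of the Triage report or of any vendor's detection content. It runs over constructed Sysmon-style events (field names follow Sysmon event ID 1 process-create and ID 3 network-connect records; the PIDs and command lines mirror the process tree above, while the parent explorer.exe, its PID 1000, the benign control-panel launch, and the outbound connection to a C2 are all made up; the report itself records no network connection):

```python
"""Detection logic for the rundll32 -> SysWOW64 rundll32 -> WerFault chain and the
Dridex C2 list from this report, run over constructed Sysmon-style events.
Added example: not the Triage report's own content and not vendor detection code."""
import re

# C2 endpoints (ip, port) from the report's extracted Dridex config.
DRIDEX_C2 = {
    ("155.138.203.91", 443),
    ("207.180.220.242", 8116),
    ("46.101.142.214", 6891),
}

# rundll32 handed a DLL under the user's AppData\Local\Temp and an export by ordinal (",#N").
RUNDLL32_ORDINAL_TEMP = re.compile(
    r"rundll32\.exe\s+.*?\\AppData\\Local\\Temp\\[^,]+\.dll,#\d+", re.IGNORECASE)
# WerFault started for a specific crashing process: "-p <pid>".
WERFAULT_TARGET = re.compile(r"WerFault\.exe.*?-p\s+(\d+)", re.IGNORECASE)


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def analyze(events):
    """Return (finding, pid) tuples for the four patterns visible in the report."""
    procs = {e["ProcessId"]: e for e in events if e["EventId"] == 1}
    findings = []
    for e in events:
        if e["EventId"] == 1:
            cmd, image = e["CommandLine"], e["Image"]
            if is_rundll32(image) and RUNDLL32_ORDINAL_TEMP.search(cmd):
                findings.append(("rundll32_ordinal_temp_dll", e["ProcessId"]))
            # 64-bit rundll32 spawning its SysWOW64 copy: what rundll32 does for a 32-bit DLL.
            parent = procs.get(e["ParentProcessId"])
            if (parent and is_rundll32(image) and is_rundll32(parent["Image"])
                    and "\\syswow64\\" in image.lower()
                    and "\\system32\\" in parent["Image"].lower()):
                findings.append(("rundll32_wow64_relaunch", e["ProcessId"]))
            # WerFault whose -p target is a rundll32 process: the loaded DLL crashed it.
            m = WERFAULT_TARGET.search(cmd)
            if m:
                target = int(m.group(1))
                if is_rundll32(procs.get(target, {"Image": ""})["Image"]):
                    findings.append(("werfault_for_rundll32", target))
        elif e["EventId"] == 3:
            if (e["DestinationIp"], e["DestinationPort"]) in DRIDEX_C2:
                findings.append(("dridex_c2_connection", e["ProcessId"]))
    return findings


DLL = r"C:\Users\Admin\AppData\Local\Temp\5_SMSvcHost.resources.dll"
# Constructed events. PIDs 1244/3500/1884 and command lines come from the report's
# process tree; explorer.exe as root parent (PID 1000), the benign control-panel
# launch and the C2 connection are made up for the example.
SAMPLE_EVENTS = [
    {"EventId": 1, "ProcessId": 1244, "ParentProcessId": 1000,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe " + DLL + ",#1"},
    {"EventId": 1, "ProcessId": 3500, "ParentProcessId": 1244,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": "rundll32.exe " + DLL + ",#1"},
    {"EventId": 1, "ProcessId": 1884, "ParentProcessId": 3500,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 624"},
    {"EventId": 1, "ProcessId": 4100, "ParentProcessId": 1000,  # benign, must not fire
     "Image": r"C:\Windows\system32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventId": 3, "ProcessId": 3500,  # hypothetical: the report records no connection
     "DestinationIp": "155.138.203.91", "DestinationPort": 443},
]

if __name__ == "__main__":
    for finding, pid in analyze(SAMPLE_EVENTS):
        print(f"{finding:28} pid={pid}")
```

The benign rundll32.exe shell32.dll,Control_RunDLL event produces no finding, so the ordinal-export rule keys on the combination of a per-user Temp path and a ",#N" export rather than on rundll32.exe alone. The C2 match is exact on (ip, port); in production this set would be fed from the extracted config rather than hard-coded.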