Analysis
  max time kernel: 126s
  max time network: 120s
  platform: windows7_x64
  resource: win7-en-20211014
  submitted: 20-10-2021 20:34
Static task: static1
Behavioral task: behavioral1
  Sample: 5_SMSvcHost.resources.dll
  Resource: win7-en-20211014
  Platform: windows7_x64
  Signatures: 0
  Time: 0 seconds
General
  Target: 5_SMSvcHost.resources.dll
  Size: 180KB
  MD5: 49b0e4b2386c4c7f9b0d3f8748bd34e8
  SHA1: 9450b46850cc52e1128e34e0639c57ed21034991
  SHA256: 28ce2c4d838a1de5a8bbbd10fc8b7db21c82e306338ed40933f7e107bf2a5b06
  SHA512: 501cc133f5c88f2fd450afd74f74c1d50d9da0ce9638e8c0894f7dc89057aacd41d4b3d0f8ebe798295d2cfad63ff5fea1499e4cdde0f523a82bf92e3a408b1e
Malware Config
  Extracted
    Family: dridex
    Botnet: 22201
    C2:
      155.138.203.91:443
      207.180.220.242:8116
      46.101.142.214:6891
    rc4.plain
    rc4.plain
Signatures

YARA rule match
  resource: behavioral1/memory/1596-56-0x0000000074C10000-0x0000000074C3F000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoCs)
  pid: 324 (WerFault.exe)  pid_target: 1596 (rundll32.exe)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 324 WerFault.exe (4 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid 324 WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description: Token: SeDebugPrivilege  pid 324 WerFault.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2016 (rundll32.exe) wrote to memory of 1596 (rundll32.exe)  (7 events)
  PID 1596 (rundll32.exe) wrote to memory of 324 (WerFault.exe)   (4 events)
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_SMSvcHost.resources.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5_SMSvcHost.resources.dll,#1
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 252
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
  memory/324-58-0x0000000000000000-mapping.dmp
  memory/324-60-0x0000000000320000-0x0000000000321000-memory.dmp (Filesize: 4KB)
  memory/1596-54-0x0000000000000000-mapping.dmp
  memory/1596-55-0x00000000757A1000-0x00000000757A3000-memory.dmp (Filesize: 8KB)
  memory/1596-56-0x0000000074C10000-0x0000000074C3F000-memory.dmp (Filesize: 188KB)
  memory/1596-59-0x0000000000220000-0x0000000000226000-memory.dmp (Filesize: 24KB)