Analysis
-
max time kernel
130s -
max time network
126s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
21-10-2021 19:07
Static task
static1
Behavioral task
behavioral1
Sample
2_api-ms-win-downlevel-normaliz-l1-1-0.dll
Resource
win7-en-20210920
windows7_x64
0 signatures
0 seconds
General
-
Target
2_api-ms-win-downlevel-normaliz-l1-1-0.dll
-
Size
180KB
-
MD5
00752a06db0eacfd3b09e36d3a3d29c6
-
SHA1
9afd6ace7a8b25a58450cf7ec16db38a480c32dc
-
SHA256
e8291c194029eedc2117c099b3089a252dfb940160530409df4b9ea85efc9033
-
SHA512
1895a988c678e30ceac1afb421dc29fc6531617b0a5497ec50ae90b2cf85bf62724ad830576e9394cecd6f334f864fa6630a763671b30a91dfe0aa052315ebfe
Malware Config
Extracted
Family
dridex
Botnet
22201
C2
212.237.17.99:443
176.28.17.160:6602
51.254.140.238:8333
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/772-56-0x0000000074730000-0x000000007475F000-memory.dmp dridex_ldr -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1576 772 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WerFault.exepid process 1576 WerFault.exe 1576 WerFault.exe 1576 WerFault.exe 1576 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1576 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1576 WerFault.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1888 wrote to memory of 772 1888 rundll32.exe rundll32.exe PID 1888 wrote to memory of 772 1888 rundll32.exe rundll32.exe PID 1888 wrote to memory of 772 1888 rundll32.exe rundll32.exe PID 1888 wrote to memory of 772 1888 rundll32.exe rundll32.exe PID 1888 wrote to memory of 772 1888 rundll32.exe rundll32.exe PID 1888 wrote to memory of 772 1888 rundll32.exe rundll32.exe PID 1888 wrote to memory of 772 1888 rundll32.exe rundll32.exe PID 772 wrote to memory of 1576 772 rundll32.exe WerFault.exe PID 772 wrote to memory of 1576 772 rundll32.exe WerFault.exe PID 772 wrote to memory of 1576 772 rundll32.exe WerFault.exe PID 772 wrote to memory of 1576 772 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2_api-ms-win-downlevel-normaliz-l1-1-0.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2_api-ms-win-downlevel-normaliz-l1-1-0.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 2523⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/772-54-0x0000000000000000-mapping.dmp
-
memory/772-55-0x0000000075FA1000-0x0000000075FA3000-memory.dmpFilesize
8KB
-
memory/772-56-0x0000000074730000-0x000000007475F000-memory.dmpFilesize
188KB
-
memory/772-59-0x0000000000150000-0x0000000000156000-memory.dmpFilesize
24KB
-
memory/1576-58-0x0000000000000000-mapping.dmp
-
memory/1576-60-0x0000000000330000-0x0000000000331000-memory.dmpFilesize
4KB