Analysis
-
max time kernel
134s -
max time network
125s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
21-10-2021 19:07
Static task
static1
Behavioral task
behavioral1
Sample
6_System.Data.Services.Client.dll
Resource
win7-en-20211014
windows7_x64
0 signatures
0 seconds
General
-
Target
6_System.Data.Services.Client.dll
-
Size
180KB
-
MD5
c3c91aab11ef219ec03c45850a793306
-
SHA1
6b86858e92932f11debd8b0e969ac31e140f5abb
-
SHA256
eea8515a729717bea0a995407687a829e0bd3daa3115032946b76e7071db7580
-
SHA512
8da9972693467d4d180a489fdf0a014d161b70e630845816fd4a4c5e435b59657dd5966c4e7428b5796d38a54234d1900b037074985ac69878bb0a2c65ca4e2c
Malware Config
Extracted
Family
dridex
Botnet
22201
C2
212.237.17.99:443
176.28.17.160:6602
51.254.140.238:8333
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/772-57-0x0000000074960000-0x000000007498F000-memory.dmp dridex_ldr -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1496 772 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WerFault.exepid process 1496 WerFault.exe 1496 WerFault.exe 1496 WerFault.exe 1496 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1496 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1496 WerFault.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 908 wrote to memory of 772 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 772 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 772 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 772 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 772 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 772 908 rundll32.exe rundll32.exe PID 908 wrote to memory of 772 908 rundll32.exe rundll32.exe PID 772 wrote to memory of 1496 772 rundll32.exe WerFault.exe PID 772 wrote to memory of 1496 772 rundll32.exe WerFault.exe PID 772 wrote to memory of 1496 772 rundll32.exe WerFault.exe PID 772 wrote to memory of 1496 772 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6_System.Data.Services.Client.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\6_System.Data.Services.Client.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 2523⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/772-55-0x0000000000000000-mapping.dmp
-
memory/772-56-0x0000000075B71000-0x0000000075B73000-memory.dmpFilesize
8KB
-
memory/772-57-0x0000000074960000-0x000000007498F000-memory.dmpFilesize
188KB
-
memory/772-60-0x0000000000190000-0x0000000000196000-memory.dmpFilesize
24KB
-
memory/1496-59-0x0000000000000000-mapping.dmp
-
memory/1496-61-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB