Analysis
-
max time kernel
125s -
max time network
123s -
platform
windows7_x64 -
resource
win7-en-20210920 -
submitted
21-10-2021 19:11
Static task
static1
Behavioral task
behavioral1
Sample
5_System.Numerics.dll
Resource
win7-en-20210920
windows7_x64
0 signatures
0 seconds
General
-
Target
5_System.Numerics.dll
-
Size
180KB
-
MD5
4aa41378b7c700010b1a3ec72a588306
-
SHA1
3d9ca1eb8a16c0350c233f291c399b177cccc980
-
SHA256
7bbe546e2f5367c00bb05a53f122756098df9c75019167455c3bffa73e11a7e1
-
SHA512
aa61fce6f9430580cd5c8f4a9b1d7d9781b96371cd4da00a4ed4bf6c16c872b6d20f291663bbd0a8ab84f1ed9e5bd8e2f4558395150f764e94648d9c05d94eee
Malware Config
Extracted
Family
dridex
Botnet
22201
C2
212.237.17.99:443
176.28.17.160:6602
51.254.140.238:8333
rc4.plain
rc4.plain
Signatures
-
Processes:
resource yara_rule behavioral1/memory/592-56-0x0000000074AB0000-0x0000000074ADF000-memory.dmp dridex_ldr -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 636 592 WerFault.exe rundll32.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WerFault.exepid process 636 WerFault.exe 636 WerFault.exe 636 WerFault.exe 636 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 636 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 636 WerFault.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 368 wrote to memory of 592 368 rundll32.exe rundll32.exe PID 368 wrote to memory of 592 368 rundll32.exe rundll32.exe PID 368 wrote to memory of 592 368 rundll32.exe rundll32.exe PID 368 wrote to memory of 592 368 rundll32.exe rundll32.exe PID 368 wrote to memory of 592 368 rundll32.exe rundll32.exe PID 368 wrote to memory of 592 368 rundll32.exe rundll32.exe PID 368 wrote to memory of 592 368 rundll32.exe rundll32.exe PID 592 wrote to memory of 636 592 rundll32.exe WerFault.exe PID 592 wrote to memory of 636 592 rundll32.exe WerFault.exe PID 592 wrote to memory of 636 592 rundll32.exe WerFault.exe PID 592 wrote to memory of 636 592 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5_System.Numerics.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5_System.Numerics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 2523⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/592-54-0x0000000000000000-mapping.dmp
-
memory/592-55-0x00000000751D1000-0x00000000751D3000-memory.dmpFilesize
8KB
-
memory/592-56-0x0000000074AB0000-0x0000000074ADF000-memory.dmpFilesize
188KB
-
memory/592-59-0x0000000000100000-0x0000000000106000-memory.dmpFilesize
24KB
-
memory/636-58-0x0000000000000000-mapping.dmp
-
memory/636-60-0x00000000002C0000-0x00000000002C1000-memory.dmpFilesize
4KB