Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-en-20211208
submitted: 23-12-2021 14:49
Static task: static1
Behavioral task: behavioral1
Sample: triage_dropped_file.dll
Resource: win7-en-20211208 (windows7_x64)
0 signatures
0 seconds
General
Target: triage_dropped_file.dll
Size: 552KB
MD5: 7d424a845f21f905b17fb1e4ece26bc4
SHA1: 129162c17505204008b8c6345f78d8bd8e9d9548
SHA256: 7f62e9d0e2cb7358202052b4b20f43cec7eed7db11c57cfb372f8fddfb9307a3
SHA512: abc7141739ffb23ba3e982796e697e33a5c3108fa7910cf97ca4fc6a1e9dbdadbd10b27665da4829f753794df3f0d2a79adfc9aee91863d60ec70042309bc6a6
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  144.91.122.102:443
  85.10.248.28:593
  185.4.135.27:5228
  80.211.3.13:8116
rc4.plain
rc4.plain
Signatures
-
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/956-55-0x0000000075480000-0x000000007550C000-memory.dmp   dridex_ldr
-
Program crash 1 IoCs
Processes:
  pid    pid_target   process        target process
  1608   956          WerFault.exe   rundll32.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid    process
  1608   WerFault.exe
  1608   WerFault.exe
  1608   WerFault.exe
  1608   WerFault.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid    process
  1608   WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description               pid    process
  Token: SeDebugPrivilege   1608   WerFault.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  description                    pid   process        target process
  PID 804 wrote to memory of 956 804   rundll32.exe   rundll32.exe
  PID 804 wrote to memory of 956 804   rundll32.exe   rundll32.exe
  PID 804 wrote to memory of 956 804   rundll32.exe   rundll32.exe
  PID 804 wrote to memory of 956 804   rundll32.exe   rundll32.exe
  PID 804 wrote to memory of 956 804   rundll32.exe   rundll32.exe
  PID 804 wrote to memory of 956 804   rundll32.exe   rundll32.exe
  PID 804 wrote to memory of 956 804   rundll32.exe   rundll32.exe
  PID 956 wrote to memory of 1608 956  rundll32.exe   WerFault.exe
  PID 956 wrote to memory of 1608 956  rundll32.exe   WerFault.exe
  PID 956 wrote to memory of 1608 956  rundll32.exe   WerFault.exe
  PID 956 wrote to memory of 1608 956  rundll32.exe   WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 224
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/956-53-0x0000000000000000-mapping.dmp
- memory/956-54-0x0000000075D11000-0x0000000075D13000-memory.dmp (Filesize 8KB)
- memory/956-55-0x0000000075480000-0x000000007550C000-memory.dmp (Filesize 560KB)
- memory/956-59-0x00000000000F0000-0x00000000000F6000-memory.dmp (Filesize 24KB)
- memory/1608-57-0x0000000000000000-mapping.dmp
- memory/1608-60-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize 4KB)