Analysis
- max time kernel: 117s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 23-12-2021 14:49

Static task: static1
Behavioral task: behavioral1
Sample: triage_dropped_file.dll
Resource: win7-en-20211208 (windows7_x64), 0 signatures, 0 seconds
General
- Target: triage_dropped_file.dll
- Size: 552KB
- MD5: 7d424a845f21f905b17fb1e4ece26bc4
- SHA1: 129162c17505204008b8c6345f78d8bd8e9d9548
- SHA256: 7f62e9d0e2cb7358202052b4b20f43cec7eed7db11c57cfb372f8fddfb9307a3
- SHA512: abc7141739ffb23ba3e982796e697e33a5c3108fa7910cf97ca4fc6a1e9dbdadbd10b27665da4829f753794df3f0d2a79adfc9aee91863d60ec70042309bc6a6
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 144.91.122.102:443
  - 85.10.248.28:593
  - 185.4.135.27:5228
  - 80.211.3.13:8116
- rc4.plain
- rc4.plain
Signatures
- Processes:
  resource | yara_rule
  behavioral2/memory/3120-116-0x0000000073BD0000-0x0000000073C5C000-memory.dmp | dridex_ldr

- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  4084 | 3120 | WerFault.exe | rundll32.exe

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
  pid | process
  4084 | WerFault.exe (12 occurrences)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 4084 | WerFault.exe
  Token: SeBackupPrivilege | 4084 | WerFault.exe
  Token: SeDebugPrivilege | 4084 | WerFault.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 3608 wrote to memory of 3120 | 3608 | rundll32.exe | rundll32.exe
  PID 3608 wrote to memory of 3120 | 3608 | rundll32.exe | rundll32.exe
  PID 3608 wrote to memory of 3120 | 3608 | rundll32.exe | rundll32.exe
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\triage_dropped_file.dll,#1
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 628
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken