Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 23-12-2021 15:33

Static task: static1
Behavioral task: behavioral1
- Sample: 5.exe.dll
- Resource: win7-en-20211208
- Platform: windows7_x64
0 signatures
0 seconds
General
- Target: 5.exe.dll
- Size: 552KB
- MD5: bb880b1799d137def2d94a7eda6d36a1
- SHA1: 63f3b460bcf945995a028326ffd28be470ab21e0
- SHA256: 6b62c3906edaed2be8993b6013a50ab123cd85d5cd55d4580d324b2b5c3264e9
- SHA512: eaedf5ec87afb73372280c29fe1ee58842f8400fab85ab335cf0c68750bdd022297e9cf02ae9c6e77cb1135cb76c229049c34d831dcc681decb66fc01771a707
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 144.91.122.102:443
  - 85.10.248.28:593
  - 185.4.135.27:5228
  - 80.211.3.13:8116
- rc4.plain
- rc4.plain
Signatures
- Processes:
  resource | yara_rule
  behavioral1/memory/1744-56-0x0000000074BB0000-0x0000000074C3C000-memory.dmp | dridex_ldr
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  628 | 1744 | WerFault.exe | rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid | process
  628 | WerFault.exe
  628 | WerFault.exe
  628 | WerFault.exe
  628 | WerFault.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  pid | process
  628 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 628 | WerFault.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 796 wrote to memory of 1744 | 796 | rundll32.exe | rundll32.exe
  PID 796 wrote to memory of 1744 | 796 | rundll32.exe | rundll32.exe
  PID 796 wrote to memory of 1744 | 796 | rundll32.exe | rundll32.exe
  PID 796 wrote to memory of 1744 | 796 | rundll32.exe | rundll32.exe
  PID 796 wrote to memory of 1744 | 796 | rundll32.exe | rundll32.exe
  PID 796 wrote to memory of 1744 | 796 | rundll32.exe | rundll32.exe
  PID 796 wrote to memory of 1744 | 796 | rundll32.exe | rundll32.exe
  PID 1744 wrote to memory of 628 | 1744 | rundll32.exe | WerFault.exe
  PID 1744 wrote to memory of 628 | 1744 | rundll32.exe | WerFault.exe
  PID 1744 wrote to memory of 628 | 1744 | rundll32.exe | WerFault.exe
  PID 1744 wrote to memory of 628 | 1744 | rundll32.exe | WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5.exe.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5.exe.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 224
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/628-58-0x0000000000000000-mapping.dmp
- memory/628-61-0x0000000001C10000-0x0000000001C11000-memory.dmp (Filesize: 4KB)
- memory/1744-54-0x0000000000000000-mapping.dmp
- memory/1744-55-0x0000000075761000-0x0000000075763000-memory.dmp (Filesize: 8KB)
- memory/1744-56-0x0000000074BB0000-0x0000000074C3C000-memory.dmp (Filesize: 560KB)
- memory/1744-60-0x00000000000B0000-0x00000000000B6000-memory.dmp (Filesize: 24KB)