Analysis
- max time kernel: 14s
- max time network: 121s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 12-01-2021 14:35
Static task: static1
Behavioral task: behavioral1
- Sample: a804ed88ea8ab0b0136488a6302626ba.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: a804ed88ea8ab0b0136488a6302626ba.exe
- Resource: win10v20201028
General
- Target: a804ed88ea8ab0b0136488a6302626ba.exe
- Size: 637KB
- MD5: a804ed88ea8ab0b0136488a6302626ba
- SHA1: 27e4371f7c0892be905d63661ead63ea9683b95b
- SHA256: e64e3395c17e8de856a49a6c16eec63b95d876b957b8e2ff12946f8a93a6faad
- SHA512: a887836f6d277eba77f47e716b571c754dc33b19d237b2c182fc702bada6003801b55288953755ed766157a321bc64e14cc5ade9e9358068bcf5530b61cdaeb7
Malware Config
Extracted family: dridex
- Botnet: 10555
- C2: 77.220.64.37:443
- C2: 80.86.91.27:3308
- C2: 5.100.228.233:3389
- C2: 46.105.131.65:1512
Signatures
- YARA rule match
  Processes:
    resource: behavioral2/memory/3924-10-0x0000000000B80000-0x0000000000BBD000-memory.dmp
    yara_rule: dridex_ldr
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 3924, process: regsvr32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes:
    description: Key created
    ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings
    process: a804ed88ea8ab0b0136488a6302626ba.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 3932 wrote to memory of 1864 | 3932 | a804ed88ea8ab0b0136488a6302626ba.exe | WScript.exe
    PID 3932 wrote to memory of 1864 | 3932 | a804ed88ea8ab0b0136488a6302626ba.exe | WScript.exe
    PID 3932 wrote to memory of 1864 | 3932 | a804ed88ea8ab0b0136488a6302626ba.exe | WScript.exe
    PID 1864 wrote to memory of 2448 | 1864 | WScript.exe | cmd.exe
    PID 1864 wrote to memory of 2448 | 1864 | WScript.exe | cmd.exe
    PID 1864 wrote to memory of 2448 | 1864 | WScript.exe | cmd.exe
    PID 2448 wrote to memory of 3924 | 2448 | cmd.exe | regsvr32.exe
    PID 2448 wrote to memory of 3924 | 2448 | cmd.exe | regsvr32.exe
    PID 2448 wrote to memory of 3924 | 2448 | cmd.exe | regsvr32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a804ed88ea8ab0b0136488a6302626ba.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a804ed88ea8ab0b0136488a6302626ba.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\inst\117.vbs"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\inst\eps1.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32 -s pspvl.dll
        - Loads dropped DLL
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\inst\117.vbs
  MD5: 8de1f00c6064ce91fcb28f729a6f6371
  SHA1: 742e468c97d4cd5fe86d21f0e117e61c4da1ba4c
  SHA256: 3a2e68a8385fc5f85c2152e5bd55e2fc293955c1126f494fb778735dc92b65d1
  SHA512: 6bea0198d9ee1f9d4f7cb5a0baf659702f6c07b435d158fcbc0b8f9a1475208404a13b4e41926b0764f434d25ed83d2a615a93667fa8e41caf62be23ae10230a
- C:\inst\eps1.bat
  MD5: 9ae39daeea77ba3fbb1e51a6a0e4cabd
  SHA1: 4e2538e7b8adfa46db64cf99ab178bd92ad5b29d
  SHA256: 96458f375a5c1331f7b44d4f0402402f642889989b44db5817135871d842aa0d
  SHA512: b4648100d4b5c55cc8a3fac79fa0b827bd2e6213a63d433a616eca25678cc4816162add5f99bc6c9cf02a44d525035d3a69b63679d3e1b4012a114aa2dce1f42
- C:\inst\pspvl.dll
  MD5: 93b3d78c457ce029a383590d6d6f7c6e
  SHA1: 629a368dbf26925714172b616a08ee65ca839f5e
  SHA256: b3e57d1a48a868416c41809022790266f7fc0db89acc635e97d63428144c23a8
  SHA512: 6fbd1d52fac9348b5fd7ffe3943544026006198f683334e58a96de036f3c5c890e4037e0dfc1144b9523ca2b506e5aca985b6a9922a56eb96185394dd47b231b
- \inst\pspvl.dll
  MD5: 93b3d78c457ce029a383590d6d6f7c6e
  SHA1: 629a368dbf26925714172b616a08ee65ca839f5e
  SHA256: b3e57d1a48a868416c41809022790266f7fc0db89acc635e97d63428144c23a8
  SHA512: 6fbd1d52fac9348b5fd7ffe3943544026006198f683334e58a96de036f3c5c890e4037e0dfc1144b9523ca2b506e5aca985b6a9922a56eb96185394dd47b231b
- memory/1864-3-0x0000000000000000-mapping.dmp
- memory/2448-6-0x0000000000000000-mapping.dmp
- memory/3924-7-0x0000000000000000-mapping.dmp
- memory/3924-10-0x0000000000B80000-0x0000000000BBD000-memory.dmp
  Filesize: 244KB
- memory/3932-2-0x00000000027A0000-0x00000000027A1000-memory.dmp
  Filesize: 4KB