Analysis
- max time kernel: 33s
- max time network: 92s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-02-2021 23:20
Static task: static1
Behavioral task: behavioral1
Sample: 5729bf7cc2a6566ba2a70c9324718cef806ee892914dfc422f9ff3dc2a420fcd.dll
Resource: win7v20201028
General
- Target: 5729bf7cc2a6566ba2a70c9324718cef806ee892914dfc422f9ff3dc2a420fcd.dll
- Size: 188KB
- MD5: 42c66afb604c668d5f3c7ab485a5dbc1
- SHA1: b166a127a52355323cda18e0a685fa03ccf5373f
- SHA256: 5729bf7cc2a6566ba2a70c9324718cef806ee892914dfc422f9ff3dc2a420fcd
- SHA512: 4156a423ae929398b65db0bdf49e3cdfe3aa7ca1d6892f14b1f32022b8b31c11fa4a6a4ce7ed2c6dee315f5ce14c9eb890c2c06ff0c95bc97fb2a82d3ef5afdc
Malware Config
Extracted
- Family: dridex
- Botnet: 111
- C2:
  - 209.151.236.42:443
  - 91.121.94.86:8172
  - 5.189.144.136:6516
Signatures
-
Processes:
  resource | yara_rule
  behavioral1/memory/2032-5-0x00000000750A0000-0x00000000750D1000-memory.dmp | dridex_ldr
  behavioral1/memory/2032-7-0x00000000750A0000-0x00000000750BF000-memory.dmp | dridex_ldr
Blocklisted process makes network request 2 IoCs
Processes:
  rundll32.exe
  flow | pid | process
  5 | 2032 | rundll32.exe
  8 | 2032 | rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
Processes:
  rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
  rundll32.exe
  description | pid | process | target process
  PID 1924 wrote to memory of 2032 | 1924 | rundll32.exe | rundll32.exe
  (the same entry is recorded 7 times)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5729bf7cc2a6566ba2a70c9324718cef806ee892914dfc422f9ff3dc2a420fcd.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5729bf7cc2a6566ba2a70c9324718cef806ee892914dfc422f9ff3dc2a420fcd.dll,#1
      - Blocklisted process makes network request
      - Checks whether UAC is enabled
Downloads
- memory/1664-8-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp (Filesize: 2.5MB)
- memory/2032-4-0x0000000074D30000-0x0000000074ED3000-memory.dmp (Filesize: 1.6MB)
- memory/2032-3-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize: 8KB)
- memory/2032-2-0x0000000000000000-mapping.dmp
- memory/2032-5-0x00000000750A0000-0x00000000750D1000-memory.dmp (Filesize: 196KB)
- memory/2032-6-0x00000000001D0000-0x00000000001D6000-memory.dmp (Filesize: 24KB)
- memory/2032-7-0x00000000750A0000-0x00000000750BF000-memory.dmp (Filesize: 124KB)