Analysis
- max time kernel: 67s
- max time network: 97s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 24-02-2021 23:21
- Static task: static1
- Behavioral task: behavioral1
- Sample: aa68e997626373a297e4a8411d6574aa2cb5bb1f93b7e1d4a12739a998f0275c.dll
- Resource: win7v20201028
General
- Target: aa68e997626373a297e4a8411d6574aa2cb5bb1f93b7e1d4a12739a998f0275c.dll
- Size: 188KB
- MD5: 615d8f5e434db4542fa8acf87dcfa850
- SHA1: 6ac9470b452c5d082c61a02228d7eafc79175162
- SHA256: aa68e997626373a297e4a8411d6574aa2cb5bb1f93b7e1d4a12739a998f0275c
- SHA512: 8237033399330bee8c51e4ff6a2633445353eed12f6c80462b32c56033968376c4626e508796210cc2b38c187d36d4b83758e72d416aca5ac0c831dae129beaa
Malware Config
Extracted
- Family: dridex
- Botnet: 111
- C2:
  - 209.151.236.42:443
  - 91.121.94.86:8172
  - 5.189.144.136:6516
Signatures
-
YARA rule matches (in-memory)
Processes:
  resource | yara_rule
  behavioral1/memory/1956-5-0x0000000074680000-0x00000000746B1000-memory.dmp | dridex_ldr
  behavioral1/memory/1956-7-0x0000000074680000-0x000000007469F000-memory.dmp | dridex_ldr
-
Blocklisted process makes network request (2 IoCs)
Processes:
  flow | pid | process
  6 | 1956 | rundll32.exe
  8 | 1956 | rundll32.exe
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description | pid | process | target process
  PID 532 wrote to memory of 1956 | 532 | rundll32.exe | rundll32.exe
  PID 532 wrote to memory of 1956 | 532 | rundll32.exe | rundll32.exe
  PID 532 wrote to memory of 1956 | 532 | rundll32.exe | rundll32.exe
  PID 532 wrote to memory of 1956 | 532 | rundll32.exe | rundll32.exe
  PID 532 wrote to memory of 1956 | 532 | rundll32.exe | rundll32.exe
  PID 532 wrote to memory of 1956 | 532 | rundll32.exe | rundll32.exe
  PID 532 wrote to memory of 1956 | 532 | rundll32.exe | rundll32.exe
Processes
-
1. C:\Windows\system32\rundll32.exe (PID 532)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa68e997626373a297e4a8411d6574aa2cb5bb1f93b7e1d4a12739a998f0275c.dll,#1
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1956, child of 1)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa68e997626373a297e4a8411d6574aa2cb5bb1f93b7e1d4a12739a998f0275c.dll,#1
      - Blocklisted process makes network request
      - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1416-8-0x000007FEF7040000-0x000007FEF72BA000-memory.dmp (Filesize: 2.5MB)
- memory/1956-2-0x0000000000000000-mapping.dmp
- memory/1956-3-0x0000000075C61000-0x0000000075C63000-memory.dmp (Filesize: 8KB)
- memory/1956-4-0x0000000074310000-0x00000000744B3000-memory.dmp (Filesize: 1.6MB)
- memory/1956-5-0x0000000074680000-0x00000000746B1000-memory.dmp (Filesize: 196KB)
- memory/1956-6-0x00000000001A0000-0x00000000001A6000-memory.dmp (Filesize: 24KB)
- memory/1956-7-0x0000000074680000-0x000000007469F000-memory.dmp (Filesize: 124KB)