Analysis
Max time kernel: 4294178s
Max time network: 133s
Platform: windows7_x64
Resource: win7-20220310-en
Submitted: 24-03-2022 11:11
Static task: static1
Behavioral task: behavioral1
Sample: ceec2d7752b046d0e0119a794aae214e097ab074f728494bb6edab2fb5370b4b.dll
Resource: win7-20220310-en
General
Target: ceec2d7752b046d0e0119a794aae214e097ab074f728494bb6edab2fb5370b4b.dll
Size: 355KB
MD5: 821e56271da5d7ab18c6eb49cb14abf5
SHA1: be56ac4b532620d9b3ec88c9b2530de0a6499d6a
SHA256: ceec2d7752b046d0e0119a794aae214e097ab074f728494bb6edab2fb5370b4b
SHA512: 79b2325efe8ad9e24e0f22ede0d824367986caf3133df86be86b89d39c8d4cd3811bc3ee0cca8746ceeea5c3c790b192be0cab7b2d9b005444f6756df97111f5
Malware Config
Extracted family: dridex
Botnet ID: 10555
C2 endpoints:
  175.126.167.148:443
  173.249.20.233:8043
  162.241.204.233:4443
  138.122.143.40:8043
Signatures

Blocklisted process makes network request (2 IoCs)
Network flows attributed to rundll32.exe:
  flow 4  pid 1752  rundll32.exe
  flow 6  pid 1752  rundll32.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system. No Uninstall-key IoC row survives on this page; the only registry IoC shown is the EnableLUA query below, which belongs to the "Checks whether UAC is enabled" signature that the process tree attributes to the SysWOW64 rundll32.exe.

Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  (process: rundll32.exe)

Suspicious use of WriteProcessMemory (7 IoCs)
All seven entries are the same parent/child pair:
  PID 288 (rundll32.exe) wrote to memory of PID 1752 (rundll32.exe), recorded 7 times
Processes

C:\Windows\system32\rundll32.exe  (PID 288)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ceec2d7752b046d0e0119a794aae214e097ab074f728494bb6edab2fb5370b4b.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (PID 1752, child of PID 288)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ceec2d7752b046d0e0119a794aae214e097ab074f728494bb6edab2fb5370b4b.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled

The ",#1" argument makes rundll32 call the DLL export with ordinal 1 rather than a named export. The parent is the 64-bit rundll32 from system32 and the child is the 32-bit copy from SysWOW64: on a 64-bit host rundll32 hands a 32-bit DLL off to its SysWOW64 counterpart, so the PID 288 to PID 1752 hop is that WoW64 re-launch, and the network requests and the EnableLUA query are recorded against the child. The PIDs are taken from the signature tables above; the PID 288 WriteProcessMemory entries are the only parent-side behaviour the report records.
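The observables above (the extracted C2 list and botnet ID, the sample hash, the EnableLUA query, and the rundll32-to-rundll32 process chain) only become useful when they are matched against telemetry. The script below is an added example, not part of the sandbox report or of any vendor's tooling: it loads the report's indicators, parses a constructed "|"-separated key=value event format (an assumption, not a specific product's log format), and runs a few checks over constructed log lines that mirror the recorded behaviour plus two benign lines. The parent of PID 288 and the benign events are invented for the example; every hash, address, port and registry path comes from the report.

```python
"""Match constructed process/image-load/registry/network telemetry against the
observables in this sandbox report. Added example, not part of the report."""
import re

# Observables copied from the report.
SAMPLE_SHA256 = "ceec2d7752b046d0e0119a794aae214e097ab074f728494bb6edab2fb5370b4b"
DRIDEX_BOTNET = "10555"
DRIDEX_C2 = {
    ("175.126.167.148", 443),
    ("173.249.20.233", 8043),
    ("162.241.204.233", 4443),
    ("138.122.143.40", 8043),
}
UAC_KEY = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
           r"\Policies\System\EnableLUA")
SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\ceec2d7752b046d0e0119a794aae214e097ab074f728494bb6edab2fb5370b4b.dll")

# rundll32 loading a DLL out of a user's Temp directory and invoking it by
# export ordinal (",#1"): the shape of both command lines in the process tree.
RUNDLL32_TEMP_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\s,]+\.dll)"
    r",#(?P<ordinal>\d+)",
    re.IGNORECASE,
)

# Constructed telemetry (assumed '|'-separated key=value format). Events 1-6
# mirror what the report records; the parent of PID 288 and events 7-8 are
# constructed benign filler that must not match.
EVENTS = [
    r"type=process|pid=288|image=C:\Windows\system32\rundll32.exe|parent=C:\Windows\explorer.exe|cmd=rundll32.exe " + SAMPLE_DLL + ",#1",
    r"type=process|pid=1752|image=C:\Windows\SysWOW64\rundll32.exe|parent=C:\Windows\system32\rundll32.exe|cmd=rundll32.exe " + SAMPLE_DLL + ",#1",
    r"type=imageload|pid=1752|image=C:\Windows\SysWOW64\rundll32.exe|loaded=" + SAMPLE_DLL + "|sha256=" + SAMPLE_SHA256,
    r"type=registry|pid=1752|image=C:\Windows\SysWOW64\rundll32.exe|op=QueryValue|target=" + UAC_KEY,
    r"type=network|pid=1752|image=C:\Windows\SysWOW64\rundll32.exe|dst=175.126.167.148|dport=443|proto=tcp",
    r"type=network|pid=1752|image=C:\Windows\SysWOW64\rundll32.exe|dst=173.249.20.233|dport=8043|proto=tcp",
    r"type=process|pid=4100|image=C:\Windows\system32\rundll32.exe|parent=C:\Windows\explorer.exe|cmd=rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL",
    r"type=network|pid=4200|image=C:\Program Files\Google\Chrome\Application\chrome.exe|dst=8.8.8.8|dport=443|proto=tcp",
]


def parse_event(line):
    """Split one constructed 'k=v|k=v' line into a dict (first '=' wins)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_process(ev):
    reasons = []
    m = RUNDLL32_TEMP_ORDINAL.search(ev.get("cmd", ""))
    if m:
        reasons.append(f"rundll32 runs a DLL from Temp by ordinal #{m.group('ordinal')}")
    image, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
    # The WoW64 hop seen in the report: system32 rundll32 -> SysWOW64 rundll32.
    if image.endswith(r"\syswow64\rundll32.exe") and parent.endswith(r"\system32\rundll32.exe"):
        reasons.append("64-bit rundll32 re-launched the 32-bit (SysWOW64) rundll32")
    return reasons


def check_imageload(ev):
    if ev.get("sha256", "").lower() == SAMPLE_SHA256:
        return ["loaded module hash matches the sample SHA256"]
    return []


def check_registry(ev):
    if ev.get("target", "").lower() == UAC_KEY.lower():
        return ["queried EnableLUA (checks whether UAC is enabled)"]
    return []


def check_network(ev):
    reasons = []
    dst = (ev.get("dst", ""), int(ev.get("dport", "0")))
    if dst in DRIDEX_C2:
        reasons.append(f"connection to Dridex botnet {DRIDEX_BOTNET} C2 {dst[0]}:{dst[1]}")
    if "rundll32.exe" in ev.get("image", "").lower():
        reasons.append("rundll32.exe made an outbound connection (blocklisted process)")
    return reasons


CHECKS = {"process": check_process, "imageload": check_imageload,
          "registry": check_registry, "network": check_network}


def triage(lines):
    """Return [(pid, event type, reasons)] for every event that matched a check."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = CHECKS.get(ev.get("type"), lambda e: [])(ev)
        if reasons:
            hits.append((int(ev["pid"]), ev["type"], reasons))
    return hits


if __name__ == "__main__":
    for pid, kind, reasons in triage(EVENTS):
        print(pid, kind, "; ".join(reasons))
```

The C2 match and the "rundll32 made a network request" check are kept independent on purpose: the address list is specific to this sample and goes stale, while a rundll32 process talking to the internet is worth a look on its own, which is exactly why the sandbox keeps rundll32 on its blocklist. The parent/child check encodes the WoW64 re-launch rather than the PIDs, so it carries over to other hosts.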
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1752-54-0x0000000000000000-mapping.dmp
memory/1752-55-0x0000000074DE1000-0x0000000074DE3000-memory.dmp  (8KB)
memory/1752-56-0x0000000000130000-0x000000000016D000-memory.dmp  (244KB)
memory/1752-57-0x0000000000270000-0x00000000002AD000-memory.dmp  (244KB)

All four dumps come from PID 1752, the SysWOW64 child. The two 244KB regions at 0x130000 and 0x270000 are the same size and sit at low 32-bit user-mode addresses, so they are the ones to load first when looking for the unpacked payload.