Analysis
- Max time kernel: 4294183s
- Max time network: 134s
- Platform: windows7_x64
- Resource: win7-20220311-en
- Submitted: 26-03-2022 01:51
- Static task: static1
- Behavioral task: behavioral1
  - Sample: d94bbc62b2f345d98c2b69c6173a51e59e6e6d9581e5e6d51f46d35d8f3998c3.dll
  - Resource: win7-20220311-en
General
- Target: d94bbc62b2f345d98c2b69c6173a51e59e6e6d9581e5e6d51f46d35d8f3998c3.dll
- Size: 355KB
- MD5: f45d3e9f068eed28b41490774a7857e7
- SHA1: d071a9ff48a7172081c3f89d0d5ae4016a523cf9
- SHA256: d94bbc62b2f345d98c2b69c6173a51e59e6e6d9581e5e6d51f46d35d8f3998c3
- SHA512: 3f005cada6a051500688164ff1f5c5b6043b5e402fbb969d7993f75b89ac26a55fa7bc0c9c60f0a077b9d7bade38b8d12e77529566acb3267cc69b64880d0f19
Malware Config
Extracted
- dridex
- 10555
- 175.126.167.148:443
- 173.249.20.233:8043
- 162.241.204.233:4443
- 138.122.143.40:8043
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow / pid / process):
    3   2016   rundll32.exe
    6   2016   rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes (description / ioc / process):
    Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description / pid / process / target process):
    PID 1836 wrote to memory of 2016   1836   rundll32.exe   rundll32.exe
    PID 1836 wrote to memory of 2016   1836   rundll32.exe   rundll32.exe
    PID 1836 wrote to memory of 2016   1836   rundll32.exe   rundll32.exe
    PID 1836 wrote to memory of 2016   1836   rundll32.exe   rundll32.exe
    PID 1836 wrote to memory of 2016   1836   rundll32.exe   rundll32.exe
    PID 1836 wrote to memory of 2016   1836   rundll32.exe   rundll32.exe
    PID 1836 wrote to memory of 2016   1836   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d94bbc62b2f345d98c2b69c6173a51e59e6e6d9581e5e6d51f46d35d8f3998c3.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d94bbc62b2f345d98c2b69c6173a51e59e6e6d9581e5e6d51f46d35d8f3998c3.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/2016-54-0x0000000000000000-mapping.dmp
- memory/2016-55-0x0000000075801000-0x0000000075803000-memory.dmp (Filesize: 8KB)
- memory/2016-56-0x00000000001E0000-0x000000000021D000-memory.dmp (Filesize: 244KB)
- memory/2016-57-0x00000000007B0000-0x00000000007ED000-memory.dmp (Filesize: 244KB)