Analysis

max time kernel: 144s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 12-06-2022 09:11

Static task: static1
Behavioral task: behavioral1
Sample: 213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe
Resource: win7-20220414-en
0 signatures, 0 seconds
General

Target: 213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe
Size: 136KB
MD5: ade38b776e42062ba169c3b4597918a7
SHA1: be1638fc2d88e00524321e03f24adeb49a9211c3
SHA256: 213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59
SHA512: ccfb2216e517db191e1f9660307b9842b2b2d5ea3b4265b9e35092a92b590e44e3c8c70b29821c06ee7da717b18e8cc5224b055c71b985fc56c6224903f49d27
Malware Config

Extracted
Family: dridex
C2:
- 64.87.26.17:443
- 192.241.220.155:1801
- 142.4.198.252:3389
- 216.98.148.156:1801
Signatures

Checks whether UAC is enabled 1 IoCs
Processes:
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
  pid   process
  4156  213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe
  4156  213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe
  4156  213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe
  4156  213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description               pid   process
  Token: SeRestorePrivilege  4156  213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe

Suspicious use of WriteProcessMemory 4 IoCs
Processes:
  description                         pid   process                                                                 target process
  PID 4156 wrote to memory of 4804    4156  213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe  raserver.exe
  PID 4156 wrote to memory of 4804    4156  213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe  raserver.exe
  PID 4156 wrote to memory of 4804    4156  213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe  raserver.exe
  PID 4156 wrote to memory of 4804    4156  213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe  raserver.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe (PID 4156)
   Command line: "C:\Users\Admin\AppData\Local\Temp\213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe"
   - Checks whether UAC is enabled
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\raserver.exe (PID 4804, child of 4156)
      Command line: C:\Windows\SysWOW64\raserver.exe "C:\Users\Admin\AppData\Local\Temp\213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59.exe"
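The two things this report gives a defender to act on are the extracted Dridex C2 list and the process tree above, in which the sample writes into a freshly started copy of raserver.exe (a Windows binary) and passes its own Temp-directory path as the argument. The block below, an added example that is not part of the sandbox report or of any tool it was produced by, turns both into checks that run over constructed data: the firewall log format, the process-event fields, the parent PIDs, the 203.0.113.10 destination and the third (control) raserver.exe event are assumptions made for the example; the C2 endpoints, the sample name and PIDs 4156/4804 are taken from the report.

```python
import re

# Indicators copied from the report above (extracted Dridex config and sample hash).
C2_ENDPOINTS = {
    ("64.87.26.17", 443),
    ("192.241.220.155", 1801),
    ("142.4.198.252", 3389),
    ("216.98.148.156", 1801),
}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}
SAMPLE_SHA256 = "213fe9b9265c740c5a2392f38f2c7f9b9471fffff53e58c7eabcbc4a7beedb59"
SAMPLE_NAME = SAMPLE_SHA256 + ".exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed firewall log lines in a hypothetical key=value format (not from the report).
# 203.0.113.10 is an RFC 5737 documentation address standing in for benign traffic.
FIREWALL_LOG = """\
ts=2022-06-12T09:12:01Z src=10.0.0.23 dst=64.87.26.17 dport=443 proto=tcp action=allow
ts=2022-06-12T09:12:03Z src=10.0.0.23 dst=203.0.113.10 dport=443 proto=tcp action=allow
ts=2022-06-12T09:12:07Z src=10.0.0.23 dst=192.241.220.155 dport=1801 proto=tcp action=allow
ts=2022-06-12T09:12:09Z src=10.0.0.23 dst=192.241.220.155 dport=443 proto=tcp action=allow
"""

C2_LINE = re.compile(r"\bdst=(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+dport=(?P<dport>\d+)")


def scan_firewall(log):
    """Return (line_no, dst, dport, kind) for every line touching the C2 set.
    kind is 'exact' for an ip:port pair from the config and 'ip-only' when the
    host matches on a port the config does not list (worth a look, lower confidence)."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        m = C2_LINE.search(line)
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        if (dst, dport) in C2_ENDPOINTS:
            hits.append((n, dst, dport, "exact"))
        elif dst in C2_IPS:
            hits.append((n, dst, dport, "ip-only"))
    return hits


# Constructed process-creation events (Sysmon Event ID 1 style) mirroring the
# report's process tree. PIDs 4156 and 4804 are the report's; parent PIDs and
# the third, benign-looking control event are made up for the example.
PROCESS_EVENTS = [
    {"pid": 4156, "ppid": 1234,
     "image": TEMP_DIR + "\\" + SAMPLE_NAME,
     "cmdline": '"' + TEMP_DIR + "\\" + SAMPLE_NAME + '"'},
    {"pid": 4804, "ppid": 4156,
     "image": r"C:\Windows\SysWOW64\raserver.exe",
     "cmdline": r"C:\Windows\SysWOW64\raserver.exe " + '"' + TEMP_DIR + "\\" + SAMPLE_NAME + '"'},
    {"pid": 5100, "ppid": 900,
     "image": r"C:\Windows\System32\raserver.exe",
     "cmdline": r"C:\Windows\System32\raserver.exe"},
]

# An executable sitting under a user's AppData\Local\Temp directory.
TEMP_EXE = re.compile(r'\\AppData\\Local\\Temp\\[^"]+?\.exe', re.IGNORECASE)


def suspicious_raserver(events):
    """Flag raserver.exe instances that (a) receive a user-Temp executable as a
    command-line argument or (b) are spawned by an image living in user Temp,
    the two traits visible in the report's process tree. Returns {pid: [reasons]}."""
    by_pid = {e["pid"]: e for e in events}
    flagged = {}
    for e in events:
        if not e["image"].lower().endswith("\\raserver.exe"):
            continue
        reasons = []
        # raserver.exe's own image path never contains \Temp\, so a match on the
        # command line can only come from its arguments.
        if TEMP_EXE.search(e["cmdline"]):
            reasons.append("temp-exe-argument")
        parent = by_pid.get(e["ppid"])
        if parent and TEMP_EXE.search(parent["image"]):
            reasons.append("parent-in-temp")
        if reasons:
            flagged[e["pid"]] = reasons
    return flagged


if __name__ == "__main__":
    for hit in scan_firewall(FIREWALL_LOG):
        print("C2 hit:", hit)
    for pid, why in suspicious_raserver(PROCESS_EVENTS).items():
        print("raserver.exe pid", pid, "flagged:", ", ".join(why))
```

The process check deliberately keys on the argument and the parent rather than on raserver.exe alone, because the binary itself is a legitimate Windows component; the control event shows that a plain launch is not flagged. Treat the 'ip-only' firewall matches as leads rather than verdicts, since the config only attests to the listed ports.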
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Memory dumps (file, size):
memory/4156-130-0x0000000000830000-0x0000000000852000-memory.dmp  136KB
memory/4156-132-0x0000000002DB0000-0x0000000002DB6000-memory.dmp  24KB
memory/4804-133-0x0000000000000000-mapping.dmp  (mapping)
memory/4804-134-0x0000000000DC0000-0x0000000000DE2000-memory.dmp  136KB
memory/4804-136-0x0000000000DC0000-0x0000000000DE2000-memory.dmp  136KB
memory/4804-135-0x0000000000DC0000-0x0000000000DE2000-memory.dmp  136KB
memory/4804-137-0x0000000000DC0000-0x0000000000DE2000-memory.dmp  136KB
memory/4804-138-0x0000000000DC0000-0x0000000000DE2000-memory.dmp  136KB
memory/4804-139-0x0000000000DC0000-0x0000000000DE2000-memory.dmp  136KB
memory/4804-140-0x0000000000DC0000-0x0000000000DE2000-memory.dmp  136KB
memory/4804-145-0x0000000000D90000-0x0000000000D96000-memory.dmp  24KB