Analysis
- max time kernel: 168s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-07-2022 06:19

Static task: static1
Behavioral task: behavioral1

Sample: 41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds
General
- Target: 41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe
- Size: 204KB
- MD5: 4e361b5e51f51240dcc1ae69d50580f9
- SHA1: 870908b1bdf3537682282256afc522b25e059e50
- SHA256: 41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001
- SHA512: 65afc72a3ee2fc3a37d1f5638c0b2da12ba1912ac5c7afae147999d0e58494c84c386f6eafa09484e3a0986efc52362cf9811dd4245ff9e05cb2ca197bdfb5c2
Malware Config
Extracted
- Family: dridex
- C2:
  - 5.196.15.119:443
  - 46.105.131.72:443
  - 157.7.163.144:3389
  - 199.119.78.9:4143
Signatures
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  pid   process
  4388  41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe
  4388  41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe
  4388  41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe
  4388  41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description                 pid   process
  Token: SeRestorePrivilege   4388  41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                          pid   process                                                                   target process
  PID 4388 wrote to memory of 4772     4388  41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe     raserver.exe
  PID 4388 wrote to memory of 4772     4388  41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe     raserver.exe
  PID 4388 wrote to memory of 4772     4388  41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe     raserver.exe
  PID 4388 wrote to memory of 4772     4388  41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe     raserver.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\raserver.exe
    Command line: C:\Windows\SysWOW64\raserver.exe "C:\Users\Admin\AppData\Local\Temp\41409384fc3c2397c4a759245a8269a8f84c40391c9ffb94884986a1a1d33001.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/4388-130-0x0000000003000000-0x0000000003033000-memory.dmp (Filesize: 204KB)
- memory/4388-132-0x0000000000770000-0x0000000000776000-memory.dmp (Filesize: 24KB)
- memory/4772-133-0x0000000000000000-mapping.dmp
- memory/4772-135-0x0000000003000000-0x0000000003033000-memory.dmp (Filesize: 204KB)
- memory/4772-136-0x0000000003000000-0x0000000003033000-memory.dmp (Filesize: 204KB)
- memory/4772-134-0x0000000003000000-0x0000000003033000-memory.dmp (Filesize: 204KB)
- memory/4772-137-0x0000000003000000-0x0000000003033000-memory.dmp (Filesize: 204KB)
- memory/4772-138-0x0000000003000000-0x0000000003033000-memory.dmp (Filesize: 204KB)
- memory/4772-139-0x0000000003000000-0x0000000003033000-memory.dmp (Filesize: 204KB)
- memory/4772-145-0x0000000001170000-0x0000000001176000-memory.dmp (Filesize: 24KB)