Analysis
max time kernel: 140s
max time network: 125s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20-12-2023 13:56
Static task: static1
Behavioral task: behavioral1
Sample: bea4379c47f02f88e77a690879a0d323.dll
Resource: win7-20231215-en
General
Target: bea4379c47f02f88e77a690879a0d323.dll
Size: 620KB
MD5: bea4379c47f02f88e77a690879a0d323
SHA1: d82c912a86a5ebedede1015cf0b814b2711e75a7
SHA256: b585a54184f3c933f4e0e38cadec4ada8950278bbdf69970b6f1539865772e36
SHA512: ca5841bab2f75ea13b1f8513cf9740cd7a2e60f401bd6425155711a2df0c697db4051298d9a51493011a65f3f6e4ca00ab82f51e3679424b0fbb0662a465af93
SSDEEP: 12288:4E6rSiY4Gbs3j09TMmonCh5atbz9+eoQoUZpDd7Da1nX9y1RO/zFZx:ee6z3j0dMZnCutz4zI5xDwXU3m
Malware Config
Extracted: dridex
  10222
  174.128.245.202:443
  51.83.3.52:13786
  69.64.50.41:6602
Signatures

Blocklisted process makes network request (2 IoCs)
Processes: rundll32.exe
  flow  pid  process
  3     760  rundll32.exe
  5     760  rundll32.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes: rundll32.exe
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: rundll32.exe
  description                       pid   process       target process
  PID 2660 wrote to memory of 760   2660  rundll32.exe  rundll32.exe
  PID 2660 wrote to memory of 760   2660  rundll32.exe  rundll32.exe
  PID 2660 wrote to memory of 760   2660  rundll32.exe  rundll32.exe
  PID 2660 wrote to memory of 760   2660  rundll32.exe  rundll32.exe
  PID 2660 wrote to memory of 760   2660  rundll32.exe  rundll32.exe
  PID 2660 wrote to memory of 760   2660  rundll32.exe  rundll32.exe
  PID 2660 wrote to memory of 760   2660  rundll32.exe  rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bea4379c47f02f88e77a690879a0d323.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 2660

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2660)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\bea4379c47f02f88e77a690879a0d323.dll,#1
      - Blocklisted process makes network request
      - Checks whether UAC is enabled
      PID: 760
Network
MITRE ATT&CK Enterprise v15
Downloads
  memory/760-0-0x0000000000830000-0x0000000000969000-memory.dmp   Filesize: 1.2MB
  memory/760-2-0x0000000000830000-0x0000000000969000-memory.dmp   Filesize: 1.2MB
  memory/760-4-0x0000000000830000-0x0000000000969000-memory.dmp   Filesize: 1.2MB
  memory/760-6-0x00000000000C0000-0x00000000000C1000-memory.dmp   Filesize: 4KB
  memory/760-3-0x0000000000830000-0x0000000000969000-memory.dmp   Filesize: 1.2MB
  memory/760-7-0x0000000000830000-0x0000000000969000-memory.dmp   Filesize: 1.2MB
  memory/760-8-0x0000000000830000-0x0000000000969000-memory.dmp   Filesize: 1.2MB
  memory/760-10-0x00000000000C0000-0x00000000000C1000-memory.dmp  Filesize: 4KB