Analysis

max time kernel: 3s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2023 09:01

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: 61f2627485987b4054ff97050f0dfe2b.dll
  Resource: win7-20231215-en
  5 signatures, 150 seconds

General
Target: 61f2627485987b4054ff97050f0dfe2b.dll
Size: 964KB
MD5: 61f2627485987b4054ff97050f0dfe2b
SHA1: 8ba24c683a74e29248653e465d46c5b244adb246
SHA256: 771e168408b17e5f7ae16bd3a878820d0e0a844f25d549507b6d2b9c8ed0c9e2
SHA512: 4caa9fd59cc8a9cca7edf9e9174ecde4b6cd5c235ab0d141c9ed7c933850526a3c6a443c5fee0a505154d47780badab326da15a86f65b49758c671ac292c1e0c
SSDEEP: 12288:3tCtvNv+h26xiWZu8xDPtgPuSYAuXIPY2wKg7oGviTVp7OC0aO1/ixB:3tChNv+ceiWjDVgyAurCg7osJ1
Malware Config
Signatures

dridex_stager_shellcode (yara, memory)
  resource                                                                     yara_rule
  behavioral1/memory/1220-4-0x0000000002E80000-0x0000000002E81000-memory.dmp   dridex_stager_shellcode

dridex_payload (yara, memory)
  resource                                                                     yara_rule
  behavioral1/memory/1880-0-0x000007FEF61E0000-0x000007FEF62D1000-memory.dmp   dridex_payload
  behavioral1/memory/1220-15-0x0000000140000000-0x00000001400F1000-memory.dmp  dridex_payload
  behavioral1/memory/1220-34-0x0000000140000000-0x00000001400F1000-memory.dmp  dridex_payload
  behavioral1/memory/1220-33-0x0000000140000000-0x00000001400F1000-memory.dmp  dridex_payload
  behavioral1/memory/1220-22-0x0000000140000000-0x00000001400F1000-memory.dmp  dridex_payload
  behavioral1/memory/1880-42-0x000007FEF61E0000-0x000007FEF62D1000-memory.dmp  dridex_payload
  behavioral1/memory/1236-50-0x000007FEF6EA0000-0x000007FEF6F92000-memory.dmp  dridex_payload
  behavioral1/memory/1236-54-0x000007FEF6EA0000-0x000007FEF6F92000-memory.dmp  dridex_payload
  behavioral1/memory/2512-71-0x000007FEF61E0000-0x000007FEF62D2000-memory.dmp  dridex_payload
  behavioral1/memory/2512-67-0x000007FEF61E0000-0x000007FEF62D2000-memory.dmp  dridex_payload
  behavioral1/memory/2844-184-0x000007FEF61E0000-0x000007FEF62D2000-memory.dmp dridex_payload

Checks whether UAC is enabled
  description        ioc                                                                                  Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1880  rundll32.exe
  1880  rundll32.exe
  1880  rundll32.exe

Reading the memory hits: the dridex_payload region in rundll32.exe (PID 1880) spans 0x000007FEF61E0000-0x000007FEF62D1000, i.e. 0xF1000 bytes, which is exactly the 964KB of the submitted DLL, so that hit is the sample's own loaded image. The same-sized region at 0x0000000140000000 in PID 1220 sits at the default image base that MSVC assigns to 64-bit executables; PID 1220 does not appear in the process list below, so the report does not identify that process. The hits in PIDs 1236, 2512 and 2844 correspond to the three executables started from AppData\Local. The family name rests entirely on these two yara rules; the report carries no extracted configuration (the Malware Config section is empty).
Processes

All seven entries sit at the top level of the tree; the report shows no parent/child relationship between them.

C:\Windows\system32\rundll32.exe (PID 1880)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\61f2627485987b4054ff97050f0dfe2b.dll,#1
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Local\v30v\SystemPropertiesHardware.exe (PID 1236)
  command line: C:\Users\Admin\AppData\Local\v30v\SystemPropertiesHardware.exe

C:\Windows\system32\SystemPropertiesHardware.exe (PID 2704)
  command line: C:\Windows\system32\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\DeV6irs\osk.exe (PID 2512)
  command line: C:\Users\Admin\AppData\Local\DeV6irs\osk.exe

C:\Windows\system32\osk.exe (PID 2768)
  command line: C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\nEke\notepad.exe (PID 2844)
  command line: C:\Users\Admin\AppData\Local\nEke\notepad.exe

C:\Windows\system32\notepad.exe (PID 2832)
  command line: C:\Windows\system32\notepad.exe

Two points worth noting for triage. First, the DLL was invoked through rundll32.exe by export ordinal (",#1") rather than by name, so a hunt on the export name alone would miss it. Second, three Windows system binaries (SystemPropertiesHardware.exe, osk.exe, notepad.exe) were each run twice: once from a short random-looking directory under C:\Users\Admin\AppData\Local and once from C:\Windows\system32, and only the AppData\Local copies carry a dridex_payload hit in memory (PIDs 1236, 2512, 2844). That pattern is consistent with a benign executable being copied next to a malicious DLL so that it side-loads it, but the report lists no file-write or module-load events, so the DLL drop itself is an inference rather than something this page shows.
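The checks described above, as an added example that is not part of the report or of the sandbox's own tooling. It parses the report's yara memory-hit tokens and process tree (both constructed below verbatim from the page), then cross-references them: which payload regions are exactly the sample's size, which hit PIDs have no process entry, which system binaries run from outside C:\Windows under a system32 name, and which rundll32 invocations call a DLL by ordinal. The 964KB-to-bytes conversion and the "outside C:\Windows" heuristic are this example's assumptions, not the sandbox's logic.

```python
import ntpath
import re

# Constructed from the report's dridex_stager_shellcode / dridex_payload blocks.
YARA_HITS = """
behavioral1/memory/1220-4-0x0000000002E80000-0x0000000002E81000-memory.dmp dridex_stager_shellcode
behavioral1/memory/1880-0-0x000007FEF61E0000-0x000007FEF62D1000-memory.dmp dridex_payload
behavioral1/memory/1220-15-0x0000000140000000-0x00000001400F1000-memory.dmp dridex_payload
behavioral1/memory/1220-34-0x0000000140000000-0x00000001400F1000-memory.dmp dridex_payload
behavioral1/memory/1220-33-0x0000000140000000-0x00000001400F1000-memory.dmp dridex_payload
behavioral1/memory/1220-22-0x0000000140000000-0x00000001400F1000-memory.dmp dridex_payload
behavioral1/memory/1880-42-0x000007FEF61E0000-0x000007FEF62D1000-memory.dmp dridex_payload
behavioral1/memory/1236-50-0x000007FEF6EA0000-0x000007FEF6F92000-memory.dmp dridex_payload
behavioral1/memory/1236-54-0x000007FEF6EA0000-0x000007FEF6F92000-memory.dmp dridex_payload
behavioral1/memory/2512-71-0x000007FEF61E0000-0x000007FEF62D2000-memory.dmp dridex_payload
behavioral1/memory/2512-67-0x000007FEF61E0000-0x000007FEF62D2000-memory.dmp dridex_payload
behavioral1/memory/2844-184-0x000007FEF61E0000-0x000007FEF62D2000-memory.dmp dridex_payload
"""

# Constructed from the report's process tree: (pid, image path, command line).
PROCESSES = [
    (1880, r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\61f2627485987b4054ff97050f0dfe2b.dll,#1"),
    (1236, r"C:\Users\Admin\AppData\Local\v30v\SystemPropertiesHardware.exe",
     r"C:\Users\Admin\AppData\Local\v30v\SystemPropertiesHardware.exe"),
    (2704, r"C:\Windows\system32\SystemPropertiesHardware.exe",
     r"C:\Windows\system32\SystemPropertiesHardware.exe"),
    (2512, r"C:\Users\Admin\AppData\Local\DeV6irs\osk.exe",
     r"C:\Users\Admin\AppData\Local\DeV6irs\osk.exe"),
    (2768, r"C:\Windows\system32\osk.exe", r"C:\Windows\system32\osk.exe"),
    (2844, r"C:\Users\Admin\AppData\Local\nEke\notepad.exe",
     r"C:\Users\Admin\AppData\Local\nEke\notepad.exe"),
    (2832, r"C:\Windows\system32\notepad.exe", r"C:\Windows\system32\notepad.exe"),
]

SAMPLE_SIZE = 964 * 1024  # assumption: the report's "964KB" taken as exact bytes

HIT_RE = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)
ORDINAL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>\S+\.dll),#(?P<ordinal>\d+)", re.I)


def parse_hits(text):
    """Turn 'pid-index-start-end-memory.dmp rule' tokens into dicts with sizes."""
    hits = []
    for line in text.strip().splitlines():
        m = HIT_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised hit line: {line!r}")
        start, end = int(m["start"], 16), int(m["end"], 16)
        hits.append({"pid": int(m["pid"]), "index": int(m["idx"]),
                     "start": start, "size": end - start, "rule": m["rule"]})
    return hits


def payload_regions(hits):
    """Distinct (pid, start, size) regions matched by dridex_payload."""
    return sorted({(h["pid"], h["start"], h["size"])
                   for h in hits if h["rule"] == "dridex_payload"})


def regions_of_sample_size(hits):
    """Payload regions whose size equals the submitted DLL: the sample's own image."""
    return [(pid, start) for pid, start, size in payload_regions(hits)
            if size == SAMPLE_SIZE]


def pids_without_process(hits, processes):
    """PIDs with memory hits that never appear in the process tree."""
    known = {pid for pid, _, _ in processes}
    return sorted({h["pid"] for h in hits} - known)


def relocated_system_binaries(processes):
    """Processes sharing an image name with a C:\\Windows\\system32 process in the
    same tree but running from outside C:\\Windows (e.g. AppData\\Local)."""
    system_names = {ntpath.basename(p).lower() for _, p, _ in processes
                    if ntpath.dirname(p).lower() == r"c:\windows\system32"}
    return [(pid, p) for pid, p, _ in processes
            if ntpath.basename(p).lower() in system_names
            and not ntpath.dirname(p).lower().startswith(r"c:\windows")]


def rundll32_ordinal_loads(processes):
    """rundll32 invocations calling a DLL export by ordinal (',#N')."""
    out = []
    for pid, _, cmdline in processes:
        m = ORDINAL_RE.search(cmdline)
        if m:
            out.append((pid, m["dll"], int(m["ordinal"])))
    return out


if __name__ == "__main__":
    hits = parse_hits(YARA_HITS)
    print("sample-sized payload regions:", regions_of_sample_size(hits))
    print("hit PIDs missing from tree:", pids_without_process(hits, PROCESSES))
    print("relocated system binaries:", relocated_system_binaries(PROCESSES))
    print("rundll32 ordinal loads:", rundll32_ordinal_loads(PROCESSES))
```

Run against the report's data this flags PIDs 1220 and 1880 as holding a region of exactly the sample's size, reports 1220 as absent from the tree, and lists the three AppData\Local copies (1236, 2512, 2844) as relocated system binaries. On a real host the same logic would take process and module data from EDR telemetry instead of the constructed lists.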