Analysis
-
max time kernel
12s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
26-12-2023 16:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7e7645b86e265b69aed08c4852fe6291.dll
Resource
win7-20231215-en
5 signatures
150 seconds
General
-
Target
7e7645b86e265b69aed08c4852fe6291.dll
-
Size
1.1MB
-
MD5
7e7645b86e265b69aed08c4852fe6291
-
SHA1
0e39986ca509db0826c81ca3693fecb375726dcb
-
SHA256
e0980b4994c3d61ec8c3ab1db13ef837487bd2e209e97a4ad4708211d9d4d712
-
SHA512
2f2f7e96591bf49bec9e3b56f7457ee00ca85bd7812c6de3a27097fdfda3beb9b42467b7e0f11b01036704c635e461bbf3a2f12877f672a7de1af462611b26ff
-
SSDEEP
12288:JkbQEkWqv+157EYfxarhwLNuR7ek1tHffB/HzTyNQ6NIeGYr/RUX/ShJ:JkbHkWfzZ5adwLNGeStHntqN7vaP
Malware Config
Signatures
-
Processes:
resource yara_rule behavioral1/memory/1316-4-0x0000000002B40000-0x0000000002B41000-memory.dmp dridex_stager_shellcode -
Processes:
resource yara_rule behavioral1/memory/3064-0-0x000007FEF6030000-0x000007FEF6149000-memory.dmp dridex_payload behavioral1/memory/1316-20-0x0000000140000000-0x0000000140119000-memory.dmp dridex_payload behavioral1/memory/1316-27-0x0000000140000000-0x0000000140119000-memory.dmp dridex_payload behavioral1/memory/1316-39-0x0000000140000000-0x0000000140119000-memory.dmp dridex_payload behavioral1/memory/1316-38-0x0000000140000000-0x0000000140119000-memory.dmp dridex_payload behavioral1/memory/3064-47-0x000007FEF6030000-0x000007FEF6149000-memory.dmp dridex_payload -
Processes:
rundll32.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
rundll32.exepid Process 3064 rundll32.exe 3064 rundll32.exe 3064 rundll32.exe 1316 1316 1316 1316
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7e7645b86e265b69aed08c4852fe6291.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:3064
-
C:\Windows\system32\slui.exeC:\Windows\system32\slui.exe1⤵PID:1904
-
C:\Users\Admin\AppData\Local\T8dJPz2\slui.exeC:\Users\Admin\AppData\Local\T8dJPz2\slui.exe1⤵PID:2912
-
C:\Users\Admin\AppData\Local\yoADsHxAC\wisptis.exeC:\Users\Admin\AppData\Local\yoADsHxAC\wisptis.exe1⤵PID:1996
-
C:\Windows\system32\wisptis.exeC:\Windows\system32\wisptis.exe1⤵PID:1224
-
C:\Users\Admin\AppData\Local\Nc2VO\msdtc.exeC:\Users\Admin\AppData\Local\Nc2VO\msdtc.exe1⤵PID:1556
-
C:\Windows\system32\msdtc.exeC:\Windows\system32\msdtc.exe1⤵PID:1076
-
C:\Users\Admin\AppData\Local\nKRz0o\vmicsvc.exeC:\Users\Admin\AppData\Local\nKRz0o\vmicsvc.exe1⤵PID:2272
-
C:\Windows\system32\vmicsvc.exeC:\Windows\system32\vmicsvc.exe1⤵PID:2152