Analysis

max time kernel: 141s
max time network: 118s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 06-05-2024 17:28

Static task
  static1: 1 signatures

Behavioral task
  behavioral1
    Sample: e64v7wm.jpg.dll
    Resource: win7-20240215-en (windows7-x64)
    5 signatures
    150 seconds
General

Target: e64v7wm.jpg.dll
Size: 664KB
MD5: 5fe7063f0ff776925933f7eacb7c6548
SHA1: 73be6bb3a402c2d0af577e70309e38e0a96989e5
SHA256: 50deeef45a40410096418b06a0a33ada0d821a3af6ddf6abb13df2b2e27ea177
SHA512: c7c41aa0a17a23b0ca4a3b261c36f72bb033940dd6e37210c8403f322d4388dd1418d7e8f9a9499380ffb658a3479f58dada7192ad3074885226858c99edd546
SSDEEP: 12288:Z/0Qzqf0eei48vM+6TFKywVt6PbEYU0eyJTT/Mu9oV01u3oaEP:J0zheAn6TFKywvCbEOxDMu9oyZaEP
Malware Config

Extracted
  Family: dridex
  Botnet: 10222
  C2:
    174.128.245.202:443
    51.83.3.52:13786
    69.64.50.41:6602
  rc4.plain
Signatures

Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
    flow  pid   process
    3     1468  rundll32.exe
    5     1468  rundll32.exe

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes: rundll32.exe
    description        ioc                                                                                     process
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
    description                     pid   process       target process
    PID 2832 wrote to memory of 1468  2832  rundll32.exe  rundll32.exe
    (the same entry is recorded 7 times)
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\e64v7wm.jpg.dll,#1
  PID: 2832
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e64v7wm.jpg.dll,#1
      PID: 1468
      - Blocklisted process makes network request
      - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v15
Downloads
memory/1468-1-0x0000000000400000-0x000000000053C000-memory.dmp  Filesize: 1.2MB
memory/1468-0-0x0000000000400000-0x000000000053C000-memory.dmp  Filesize: 1.2MB
memory/1468-4-0x0000000000400000-0x000000000053C000-memory.dmp  Filesize: 1.2MB
memory/1468-3-0x00000000004A2000-0x00000000004A8000-memory.dmp  Filesize: 24KB
memory/1468-5-0x0000000000400000-0x000000000053C000-memory.dmp  Filesize: 1.2MB