Analysis
-
max time kernel
140s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
06-05-2024 17:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c78zdj.jpg.dll
Resource
win7-20240419-en
windows7-x64
5 signatures
150 seconds
General
-
Target
c78zdj.jpg.dll
-
Size
664KB
-
MD5
68f95809ba9b346ae75c82d10cb5bf62
-
SHA1
094d74fce8c00a7dcb1d92cae01dd91f1595b4e9
-
SHA256
d40041f60c6a9aae6ac0a04d1a9224f14fcf119cc41d5599941769146524f8ea
-
SHA512
d46f8e3a41dfb6b6487e6d65d2276d4d12b26ab64957fa806b09300e5e17eecbcc5d1a02c4a17b38c34d2816f8455d5845b362326e8e15666daca6de6fb47767
-
SSDEEP
12288:B/0Qzqf0eCi48wM+6TFKywVt6PbEYU0eyJTT/Mu9oV01ueoaEP:B0zhCjn6TFKywvCbEOxDMu9oySaEP
Malware Config
Extracted
Family
dridex
Botnet
10222
C2
174.128.245.202:443
51.83.3.52:13786
69.64.50.41:6602
rc4.plain
rc4.plain
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 3 2988 rundll32.exe 5 2988 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 2424 wrote to memory of 2988 2424 rundll32.exe rundll32.exe PID 2424 wrote to memory of 2988 2424 rundll32.exe rundll32.exe PID 2424 wrote to memory of 2988 2424 rundll32.exe rundll32.exe PID 2424 wrote to memory of 2988 2424 rundll32.exe rundll32.exe PID 2424 wrote to memory of 2988 2424 rundll32.exe rundll32.exe PID 2424 wrote to memory of 2988 2424 rundll32.exe rundll32.exe PID 2424 wrote to memory of 2988 2424 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c78zdj.jpg.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c78zdj.jpg.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2988-0-0x0000000000440000-0x000000000057C000-memory.dmpFilesize
1.2MB
-
memory/2988-3-0x0000000000440000-0x000000000057C000-memory.dmpFilesize
1.2MB
-
memory/2988-2-0x0000000000440000-0x000000000057C000-memory.dmpFilesize
1.2MB
-
memory/2988-5-0x00000000004E2000-0x00000000004E8000-memory.dmpFilesize
24KB
-
memory/2988-6-0x0000000000440000-0x000000000057C000-memory.dmpFilesize
1.2MB
-
memory/2988-7-0x0000000000440000-0x000000000057C000-memory.dmpFilesize
1.2MB
-
memory/2988-8-0x0000000000440000-0x000000000057C000-memory.dmpFilesize
1.2MB