Analysis
-
max time kernel
141s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
06-05-2024 17:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
zpvym0qxg.rar.dll
Resource
win7-20240221-en
5 signatures
150 seconds
General
-
Target
zpvym0qxg.rar.dll
-
Size
664KB
-
MD5
e52f2b2eba6f9de5bb58585c61c559dd
-
SHA1
edc72dfc76457d2c03bfa6fecebd6c33acb31374
-
SHA256
1d0bd1afd44aa2b4a91ffc0dbc014cc6f64a057d71e9c6682997f041e118fedc
-
SHA512
99cf420af46c4a250938b8b67672b7df838b055a15846161630cf4b26013ffccd0b0f22cc6de0925d102c93819081436c8faa8f0671b18533649650e1656276d
-
SSDEEP
12288:J/0Qzqf0eIi48nM+6TFKywVt6PbEYU0eyJTT/Mu9oV01uLoaEP:Z0zhIUn6TFKywvCbEOxDMu9oypaEP
Malware Config
Extracted
Family
dridex
Botnet
10222
C2
174.128.245.202:443
51.83.3.52:13786
69.64.50.41:6602
rc4.plain
rc4.plain
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes:
rundll32.exeflow pid process 3 1660 rundll32.exe 5 1660 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
rundll32.exedescription pid process target process PID 1940 wrote to memory of 1660 1940 rundll32.exe rundll32.exe PID 1940 wrote to memory of 1660 1940 rundll32.exe rundll32.exe PID 1940 wrote to memory of 1660 1940 rundll32.exe rundll32.exe PID 1940 wrote to memory of 1660 1940 rundll32.exe rundll32.exe PID 1940 wrote to memory of 1660 1940 rundll32.exe rundll32.exe PID 1940 wrote to memory of 1660 1940 rundll32.exe rundll32.exe PID 1940 wrote to memory of 1660 1940 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\zpvym0qxg.rar.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\zpvym0qxg.rar.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1660-0-0x0000000001FC0000-0x00000000020FC000-memory.dmpFilesize
1.2MB
-
memory/1660-2-0x0000000001FC0000-0x00000000020FC000-memory.dmpFilesize
1.2MB
-
memory/1660-3-0x0000000001FC0000-0x00000000020FC000-memory.dmpFilesize
1.2MB
-
memory/1660-7-0x0000000001FC0000-0x00000000020FC000-memory.dmpFilesize
1.2MB
-
memory/1660-6-0x0000000002062000-0x0000000002068000-memory.dmpFilesize
24KB
-
memory/1660-8-0x0000000001FC0000-0x00000000020FC000-memory.dmpFilesize
1.2MB