Analysis
- max time kernel: 141s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-08-2024 09:13

Static task: static1
Behavioral task: behavioral1
Sample: a43b7c1fff94a3a2c9cda875dc21e5bc57819537d1f6b9f9b91271e895201638.dll
Resource: win7-20240708-en
General
- Target: a43b7c1fff94a3a2c9cda875dc21e5bc57819537d1f6b9f9b91271e895201638.dll
- Size: 604KB
- MD5: 2901a3d99aeb6d2231f77ed1787a6a44
- SHA1: d5b8701ce4f615d0c9c427b060edfa398dd1df62
- SHA256: a43b7c1fff94a3a2c9cda875dc21e5bc57819537d1f6b9f9b91271e895201638
- SHA512: c3dd61e13fd28cf03400bccac710c4a3aa05e71fadaa9bb1e381a86c761f90c33a0c5c5ca8f6393c50e60b379c818d54c93cac384e5a2ee95ab6fefb9c52c578
- SSDEEP: 12288:9uIB/bwMtjp4CqwqyaXPLAfx38TW9DiWUT2tq017JGoLbqW/I:I6b4wqyaDA5sTWiXT2tq07G2v/I
Malware Config
Extracted: dridex
- 10444
- 174.128.245.202:443
- 51.83.3.52:13786
- 69.64.50.41:6602
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes:
    flow 33, pid 3620, process rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes:
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process rundll32.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process rundll32.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 536 wrote to memory of 3620 (536 rundll32.exe, target procid 83)
    PID 536 wrote to memory of 3620 (536 rundll32.exe, target procid 83)
    PID 536 wrote to memory of 3620 (536 rundll32.exe, target procid 83)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a43b7c1fff94a3a2c9cda875dc21e5bc57819537d1f6b9f9b91271e895201638.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 536
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a43b7c1fff94a3a2c9cda875dc21e5bc57819537d1f6b9f9b91271e895201638.dll,#1
      - Blocklisted process makes network request
      - Checks whether UAC is enabled
      - System Location Discovery: System Language Discovery
      PID: 3620