Analysis

Max time kernel: 113s
Max time network: 138s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 11-06-2022 16:51

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: oithak.dll
Resource: win7-20220414-en (windows7_x64)
Signatures: 0
Duration: 0 seconds
General

Target: oithak.dll
Size: 476KB
MD5: b0105f4cb8deb73bf813d0881781c2a9
SHA1: 3781d4a2fd04cfe91f063d064a46d14d9b2150c2
SHA256: 47ccaacdb3f46f8578825f19d50b5d93d8a0dc57f114fc329ee41c8a6f15b88a
SHA512: 3605c8e0782a5e841d9b2b1938fcbba2a226830eff86ef3d653c2f2a26a46763c1f8acb595d279164916feaf92e83695a7fa3658e4a0bc2e6717906ba2783eb5
Malware Config

Extracted
Family: dridex
Botnet: 10444
C2:
  23.246.204.126:443
  151.106.39.36:8116
  103.124.144.123:6891
  172.105.78.60:4664
rc4.plain (two entries; key values are not included in this extract)
Signatures

Note: the resource paths below reference behavioral2, the Windows 10 run described in the header; the behavioral1 (Windows 7) task listed above recorded 0 signatures.

YARA rule match, 1 IoC
  Resource: behavioral2/memory/540-131-0x00000000753F0000-0x0000000075469000-memory.dmp (memory of pid 540, the SysWOW64 rundll32.exe)
  Rule: dridex_ldr

Program crash, 1 IoC
  WerFault.exe (pid 740) handled a crash of rundll32.exe (pid 540)

Suspicious use of WriteProcessMemory, 3 IoCs
  rundll32.exe (pid 2380) wrote to the memory of rundll32.exe (pid 540), three separate writes
Processes

C:\Windows\system32\rundll32.exe (pid 2380)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\oithak.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  |
  +- C:\Windows\SysWOW64\rundll32.exe (pid 540)
       rundll32.exe C:\Users\Admin\AppData\Local\Temp\oithak.dll,#1
       |
       +- C:\Windows\SysWOW64\WerFault.exe (pid 740)
            C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 708
            Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 540 -ip 540
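The process tree and signatures above are what a hunter would turn into detection logic: rundll32.exe loading a DLL from a user-writable path by export ordinal (",#1"), a 64-bit rundll32.exe spawning the SysWOW64 copy (the normal relaunch path when the DLL is 32-bit, which is also where the Dridex loader was found in memory, pid 540), a WerFault.exe crash handler for that same pid, and any connection to the extracted C2 endpoints. The script below is an added example, not code from the sandbox or from this report; it applies those four rules to constructed Sysmon-style event records that mirror the tree above. The network event is constructed (the report's network log is not included here), and the benign rundll32/DNS events are there only to show the rules do not fire on them. The event field names (event, pid, image, cmdline, parent_pid, parent_image, dst_ip, dst_port) are assumptions for the example.

```python
"""Hunting rules for the Dridex rundll32 behaviour in this report, applied to
constructed Sysmon-style events. Added example; not the sandbox's own code."""
import re

# IoCs copied from the report above.
SAMPLE_SHA256 = "47ccaacdb3f46f8578825f19d50b5d93d8a0dc57f114fc329ee41c8a6f15b88a"
DRIDEX_C2 = {
    ("23.246.204.126", 443),
    ("151.106.39.36", 8116),
    ("103.124.144.123", 6891),
    ("172.105.78.60", 4664),
}

# Paths a standard user can write to; a DLL handed to rundll32 from here is suspect.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, or None.

    rundll32 takes '<dll>,<export>' (whitespace may replace the comma);
    '#N' selects export ordinal N, which is what this sample uses (',#1').
    """
    m = re.match(r'\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.*)$', cmdline, re.I)
    if not m:
        return None
    rest = m.group(1).lstrip()
    if rest.startswith('"'):                      # quoted DLL path (may contain spaces)
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, rest = rest[1:end], rest[end + 1:]
    else:                                         # bare path ends at comma or whitespace
        m2 = re.match(r"([^,\s]+)(.*)$", rest)
        if not m2:
            return None
        dll, rest = m2.group(1), m2.group(2)
    rest = rest.lstrip()
    if rest.startswith(","):
        rest = rest[1:].lstrip()
    if not rest:
        return None                               # no export given: not the pattern we hunt
    return dll, rest.split()[0]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply the four rules derived from the report; return a list of hits in event order."""
    hits = []
    flagged_rundll32 = set()   # pids of rundll32 instances that already fired a rule
    for ev in events:
        kind, pid = ev["event"], ev["pid"]
        if kind == "ProcessCreate":
            image = basename(ev["image"])
            if image == "rundll32.exe":
                parsed = parse_rundll32(ev["cmdline"])
                if parsed and USER_WRITABLE.search(parsed[0]):
                    hits.append({"rule": "rundll32_dll_from_user_path", "pid": pid,
                                 "detail": "%s,%s" % parsed})
                    flagged_rundll32.add(pid)
                # 64-bit rundll32 relaunching the SysWOW64 copy for a 32-bit DLL;
                # the child is where the loader was found in memory (pid 540 above).
                if basename(ev.get("parent_image", "")) == "rundll32.exe":
                    hits.append({"rule": "rundll32_spawns_rundll32", "pid": pid,
                                 "detail": "parent pid %d" % ev["parent_pid"]})
                    flagged_rundll32.add(pid)
            elif image == "werfault.exe":
                # WerFault '-p <pid>' names the crashing process; tie it to a flagged rundll32.
                m = re.search(r"-p\s+(\d+)", ev["cmdline"])
                if m and int(m.group(1)) in flagged_rundll32:
                    hits.append({"rule": "crash_in_flagged_rundll32", "pid": pid,
                                 "detail": "WerFault for pid " + m.group(1)})
        elif kind == "NetworkConnect":
            if (ev["dst_ip"], ev["dst_port"]) in DRIDEX_C2:
                hits.append({"rule": "c2_connection", "pid": pid,
                             "detail": "%s:%d" % (ev["dst_ip"], ev["dst_port"])})
    return hits


# Constructed events mirroring the process tree in this report (field names assumed).
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 2380, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\oithak.dll,#1"},
    {"event": "ProcessCreate", "pid": 540, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_pid": 2380, "parent_image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\oithak.dll,#1"},
    # Constructed: the report's network log is not reproduced above.
    {"event": "NetworkConnect", "pid": 540, "dst_ip": "23.246.204.126", "dst_port": 443},
    {"event": "ProcessCreate", "pid": 740, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "parent_pid": 540, "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 708"},
    # Constructed benign activity: ordinary DNS and a system DLL via rundll32.
    {"event": "NetworkConnect", "pid": 540, "dst_ip": "8.8.8.8", "dst_port": 53},
    {"event": "ProcessCreate", "pid": 3000, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_pid": 1000, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print("%-28s pid %-5d %s" % (h["rule"], h["pid"], h["detail"]))
```

The crash rule deliberately keys on a pid already flagged by another rule: WerFault.exe for a random process is noise, but a crash in a rundll32.exe that loaded a DLL by ordinal from %TEMP% and was itself spawned by rundll32.exe is the pattern this report shows.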