Analysis

max time kernel: 96s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-07-2022 07:56

Static task: static1
Behavioral task: behavioral1
Sample: 23abf856dde299bc0106195a33847d9fe9ccaeee741c3a5a9a59cd384d52d475.dll
Resource: win7-20220414-en (windows7_x64)
Result: 0 signatures, 0 seconds

The Windows 7 task (behavioral1) recorded no signatures; the memory hit and process IoCs listed under Signatures below come from the Windows 10 run (behavioral2).
General

Target: 23abf856dde299bc0106195a33847d9fe9ccaeee741c3a5a9a59cd384d52d475.dll
Size: 164KB
MD5: d01fc57d0ff5db44b36d8de0e123958c
SHA1: c991315a43449aa16acc1cf767a29fc81dbb12b3
SHA256: 23abf856dde299bc0106195a33847d9fe9ccaeee741c3a5a9a59cd384d52d475
SHA512: bf74c326c9a6bb04a0b2713ad9acd8c0cb957fe0d15f8b22df8876668362bc9381d14607c41227c5f5ccc55b8e76e037a9f573b082ad34b396214bcb4174c66d
Malware Config

Extracted
Family: dridex
Botnet: 111
C2:
  192.175.111.220:443
  188.40.34.210:4643
  190.114.254.163:33443
  69.163.34.145:9443
rc4.plain
rc4.plain
(two RC4 key entries were extracted; the key values are not reproduced on this page)
Signatures

YARA memory hit (behavioral2)
  resource: behavioral2/memory/3804-131-0x0000000075680000-0x00000000756AB000-memory.dmp
  yara_rule: dridex_ldr

Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   process       target process
  PID 3824 wrote to memory of 3804   3824  rundll32.exe  rundll32.exe
  PID 3824 wrote to memory of 3804   3824  rundll32.exe  rundll32.exe
  PID 3824 wrote to memory of 3804   3824  rundll32.exe  rundll32.exe
Processes

1. C:\Windows\system32\rundll32.exe
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23abf856dde299bc0106195a33847d9fe9ccaeee741c3a5a9a59cd384d52d475.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (child of 1)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\23abf856dde299bc0106195a33847d9fe9ccaeee741c3a5a9a59cd384d52d475.dll,#1

The DLL is invoked by ordinal (#1) from the user's Temp directory. The 64-bit rundll32.exe re-launches its SysWOW64 counterpart with the same command line, which is what happens when a 32-bit DLL is handed to the 64-bit loader; the parent-to-child WriteProcessMemory events occur during that spawn. The dridex_ldr YARA hit is on the memory of the SysWOW64 child (PID 3804), in a 32-bit address range, which is the finding that ties this run to Dridex.
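The following script is an added example and is not part of the sandbox report or its tooling. It takes the report's own data (the C2 list, the flattened WriteProcessMemory IoC line, the YARA dump file name and the two process-tree entries, all copied from above and embedded as constants) and turns it into structured, checkable results: validated C2 endpoints with non-443 ports flagged, deduplicated injection pairs with their counts, the dumped memory region decoded, and a hunting heuristic for rundll32 loading a Temp DLL by ordinal. Thresholds and field names are the example's own choices.

```python
"""Added example: structure the IoCs from a Dridex sandbox report.
All inputs below are copied verbatim from the report; nothing is fetched."""
import ipaddress
import re
from collections import Counter

# Extracted C2 list from the "Malware Config" section.
C2_RAW = [
    "192.175.111.220:443",
    "188.40.34.210:4643",
    "190.114.254.163:33443",
    "69.163.34.145:9443",
]

# The three WriteProcessMemory IoCs as the report flattens them onto one line.
WPM_RAW = ("PID 3824 wrote to memory of 3804 3824 rundll32.exe rundll32.exe "
           "PID 3824 wrote to memory of 3804 3824 rundll32.exe rundll32.exe "
           "PID 3824 wrote to memory of 3804 3824 rundll32.exe rundll32.exe")

# The two process-tree entries: (image path, command line).
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\23abf856dde299bc0106195a33847d9fe9ccaeee741c3a5a9a59cd384d52d475.dll")
PROC_TREE = [
    (r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
]

YARA_DUMP = "behavioral2/memory/3804-131-0x0000000075680000-0x00000000756AB000-memory.dmp"


def parse_c2(entries):
    """Parse 'ip:port' strings, rejecting malformed ones, and flag ports other
    than 443 so the unusual-port TLS endpoints stand out for blocking."""
    out = []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        ip = ipaddress.ip_address(host)  # raises ValueError on garbage
        port = int(port)
        if not 0 < port < 65536:
            raise ValueError(f"bad port in {entry!r}")
        out.append({"ip": str(ip), "port": port, "nonstandard_port": port != 443})
    return out


# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_wpm(blob):
    """Deduplicate (src_pid, dst_pid, src_image, dst_image) and count repeats;
    the report counts 3 IoCs for what is a single parent->child pair."""
    return dict(Counter((int(a), int(b), c, d) for a, b, c, d in WPM_RE.findall(blob)))


# "<pid>-<index>-0x<start>-0x<end>-memory.dmp"
DUMP_RE = re.compile(r"(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    """Decode the dumped region; a range below 2 GiB is consistent with a
    32-bit (WoW64) process, matching the SysWOW64 rundll32 child."""
    pid, idx, start, end = DUMP_RE.search(name).groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(idx), "start": start, "end": end,
            "size": end - start, "wow64_range": end <= 0x80000000}


RUNDLL_RE = re.compile(r"^rundll32\.exe\s+(?P<dll>\S+?\.dll),(?P<export>\S+)$", re.I)


def rundll32_findings(tree):
    """Hunting heuristic: rundll32 loading a DLL from a user-writable Temp
    directory by ordinal export. The system32 -> SysWOW64 re-launch is also
    reported, but only as context: it is normal for any 32-bit DLL."""
    findings = []
    for image, cmdline in tree:
        m = RUNDLL_RE.match(cmdline)
        if m and "\\AppData\\Local\\Temp\\" in m["dll"] and m["export"].startswith("#"):
            findings.append(f"{image}: ordinal export {m['export']} from Temp DLL")
    images = [i.lower() for i, _ in tree]
    if any("system32\\rundll32" in i for i in images) and any("syswow64\\rundll32" in i for i in images):
        findings.append("64-bit rundll32 re-launched as SysWOW64 rundll32 (32-bit DLL)")
    return findings


if __name__ == "__main__":
    for c2 in parse_c2(C2_RAW):
        print("C2", c2)
    print("WriteProcessMemory pairs:", parse_wpm(WPM_RAW))
    print("YARA dump region:", parse_dump_name(YARA_DUMP))
    for line in rundll32_findings(PROC_TREE):
        print("finding:", line)
```

Three of the four C2 endpoints use non-443 ports, which is useful when writing egress rules; the dumped region is 0x2B000 bytes in the 32-bit address range of PID 3804, consistent with the 164KB DLL mapped in the WoW64 child.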