Analysis

- max time kernel: 141s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2023 12:46

Static task
- static1 (1 signatures)

Behavioral task
- behavioral1
- Sample: WPetkPdickpenis.dll
- Resource: win7-20230621-en (windows7-x64)
- 4 signatures
- 150 seconds
General

- Target: WPetkPdickpenis.dll
- Size: 524KB
- MD5: e141d2e1c89da0b36625a8b610ebc4a4
- SHA1: f1da1edba0f5a4a574192e165f4f0be35839f4ee
- SHA256: 3aab8f6eca123b1fc8184caa6ad3320ac6c9f58cd73835fac41feef05053abff
- SHA512: 824b848c15988f38e59becd16366d384f2545a1d560596a08dbb0a60d1a4df47cc5a817b4ac99ba3d26b5b9a2712571278e7ac806e7f26394611da934da333c4
- SSDEEP: 6144:EKMImhktm7mnmvetmzK/kxwv4Zm7mREqZzdazdULd54f3X0kdVtL8faGAPlX:E9hXAg5aX0CL8fI
Malware Config

Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 104.36.167.47:443
  - 188.40.48.93:4664
  - 162.241.33.132:9217
  - 217.160.5.104:593
- rc4.plain
- rc4.plain
Signatures

yara_rule match in process memory
  resource:  behavioral1/memory/2024-55-0x0000000075100000-0x0000000075185000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoCs)
  pid  pid_target  process       target process
  268  2024        WerFault.exe  rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   process       target process
  PID 1720 wrote to memory of 2024  1720  rundll32.exe  rundll32.exe   (7 events)
  PID 2024 wrote to memory of 268   2024  rundll32.exe  WerFault.exe   (4 events)
Processes

1. C:\Windows\system32\rundll32.exe (PID 1720)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\WPetkPdickpenis.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2024)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\WPetkPdickpenis.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WerFault.exe (PID 268)
         C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 324
         - Program crash
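The tree above is the whole behavioral story of this run: a 64-bit rundll32.exe was handed a 32-bit DLL from the user's Temp directory and called by export ordinal (,#1), so it re-launched itself through the SysWOW64 copy (the yara hit dridex_ldr sits in PID 2024's memory), and that 32-bit process then crashed into WerFault before the report recorded any network activity. The following is an added example, not part of the sandbox report or any sandbox vendor's code: a small detector that runs the same three checks over Sysmon-style process-creation records and looks up connections against the extracted C2 list. The events are constructed from the report's process tree (PIDs, images and command lines are the report's; the explorer.exe parent, the event field layout and the regular expressions are assumptions).

```python
"""Flag the rundll32 loader chain seen in the report over process-creation events.

Added example; not code from the report or from the sandbox that produced it.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's process tree. The explorer.exe
# parent (PID 1000) is an assumption; the report does not name the parent.
EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1720, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\WPetkPdickpenis.dll,#1"),
    ProcEvent(2024, 1720, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\WPetkPdickpenis.dll,#1"),
    ProcEvent(268, 2024, r"C:\Windows\SysWOW64\WerFault.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 324"),
]

# C2 endpoints from the extracted config (botnet 22201).
DRIDEX_C2 = {
    ("104.36.167.47", 443), ("188.40.48.93", 4664),
    ("162.241.33.132", 9217), ("217.160.5.104", 593),
}

# "rundll32[.exe] <path>.dll,#<ordinal>", optionally with a quoted path.
RUNDLL_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*#(?P<ordinal>\d+)', re.I)
# DLL loaded from a per-user Temp directory (the staging location in the report).
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# WerFault's "-p <pid>" names the crashed process.
WERFAULT_PID = re.compile(r"-p\s+(\d+)")


def parse_rundll32(cmdline):
    """Return (dll_path, ordinal) for an ordinal-export rundll32 launch, else None."""
    m = RUNDLL_ORDINAL.search(cmdline)
    return (m.group("dll"), int(m.group("ordinal"))) if m else None


def is_dridex_c2(ip, port):
    """True when (ip, port) is one of the C2 endpoints from the extracted config."""
    return (ip, int(port)) in DRIDEX_C2


def find_loader_chain(events):
    """Return (kind, ...) findings for the three behaviours in the report:
    rundll32 running a DLL from Temp by ordinal, the 64-bit rundll32
    re-launching via SysWOW64 with the same DLL (a 32-bit payload), and
    WerFault reporting a crash of an already-flagged process."""
    by_pid = {e.pid: e for e in events}
    findings, flagged = [], set()
    for e in events:
        parsed = parse_rundll32(e.cmdline)
        if parsed and USER_TEMP.search(parsed[0]):
            findings.append(("rundll32_temp_dll_ordinal", e.pid, parsed))
            flagged.add(e.pid)
        parent = by_pid.get(e.ppid)
        if (parsed and parent
                and e.image.lower().endswith(r"\syswow64\rundll32.exe")
                and parent.image.lower().endswith(r"\system32\rundll32.exe")
                and parse_rundll32(parent.cmdline) == parsed):
            findings.append(("wow64_rundll32_relaunch", e.pid, e.ppid))
            flagged.add(e.pid)
    for e in events:  # second pass: the crash may refer to any flagged pid
        if e.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID.search(e.cmdline)
            if m and int(m.group(1)) in flagged:
                findings.append(("flagged_process_crashed", int(m.group(1)), e.pid))
    return findings


if __name__ == "__main__":
    for finding in find_loader_chain(EVENTS):
        print(finding)
    print("C2 hit:", is_dridex_c2("104.36.167.47", 443))
```

The crash check is deliberately tied to a previously flagged PID so that ordinary WerFault noise on a host is not alerted on; on its own, WerFault -p is just an application crash. The C2 lookup is exact on ip and port because Dridex config entries bind both, and port 443 here is not a reason to whitelist the address.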