Analysis

- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-02-2024 00:15

Tasks

- Static task: static1 (1 signatures)
- Behavioral task: behavioral1
  - Sample: aa83426bcc82c33e0fbc1ce96e0dfe95.dll
  - Resource: win7-20240221-en (windows7-x64)
  - 4 signatures
  - 150 seconds
General

- Target: aa83426bcc82c33e0fbc1ce96e0dfe95.dll
- Size: 171KB
- MD5: aa83426bcc82c33e0fbc1ce96e0dfe95
- SHA1: 42178099287beffe1c632f52e1e6391b6cb75bca
- SHA256: 48d267f875bca7301f079a283305cba11ec8106e9ed76758c780ddb2cf847a59
- SHA512: 4edc5fdb8c01d94ba1252f7ba95d0d4f28c7ac9499a2cd9223f6230ef4005269db17c6e5d2287a7f1feaf5638afc178cd932c3bebb2a178e3726da5310496d99
- SSDEEP: 3072:9DZDVVA+DQ5JTOfEb18qFafjqvTwQJeWLq9NxbKejWGEjh:9zVAfqfER8qFOqv8eeWLqRb3dE
Malware Config

Extracted

- Family: dridex
- Botnet: 22203
- C2:
  - 137.74.112.43:443
  - 216.108.227.55:6225
  - 94.177.176.51:5723
- rc4.plain
- rc4.plain
Signatures

Processes (resource | yara_rule):
- behavioral2/memory/1028-0-0x0000000075550000-0x0000000075580000-memory.dmp | dridex_ldr

Program crash (1 IoCs)

Processes (pid | pid_target | process | target process):
- 2076 | 1028 | WerFault.exe | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)

Processes (description | pid | process | target process):
- PID 4896 wrote to memory of 1028 | 4896 | rundll32.exe | rundll32.exe
- PID 4896 wrote to memory of 1028 | 4896 | rundll32.exe | rundll32.exe
- PID 4896 wrote to memory of 1028 | 4896 | rundll32.exe | rundll32.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa83426bcc82c33e0fbc1ce96e0dfe95.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aa83426bcc82c33e0fbc1ce96e0dfe95.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 612
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 1028 -ip 1028