Analysis
max time kernel: 144s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-03-2024 00:28
Static task
static1
  signatures: 1
Behavioral task
behavioral1
  Sample: afdae9d9181e38dfae7f6b25d94e19ce.dll
  Resource: win7-20240221-en
  signatures: 4
  150 seconds
Behavioral task
behavioral2
  Sample: afdae9d9181e38dfae7f6b25d94e19ce.dll
  Resource: win10v2004-20240226-en
  signatures: 1
  150 seconds
General
Target: afdae9d9181e38dfae7f6b25d94e19ce.dll
Size: 188KB
MD5: afdae9d9181e38dfae7f6b25d94e19ce
SHA1: 25b707e537d404edd075dca68714302d6f30e185
SHA256: a8513a6ad49d3d2af677dc5a4e3d485999b2de4a8f0cac96dbbde28eea9b2b2d
SHA512: c6c78263cf97709c810cfdcfd52e7e321ef21621699a72a946ca7b3906285110c62d07ee3c8bc1d0e942635ff40fad1568d6bda65a058f6ddf5449ebe87cdd2b
SSDEEP: 3072:bA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoSo:bzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

yara_rule matches
resource                                                                    yara_rule
behavioral1/memory/1652-0-0x0000000075270000-0x00000000752A0000-memory.dmp  dridex_ldr
behavioral1/memory/1652-2-0x0000000075270000-0x00000000752A0000-memory.dmp  dridex_ldr

Program crash (1 IoC)
pid   pid_target  Process       procid_target
2504  1652        WerFault.exe  28

Suspicious use of WriteProcessMemory (11 IoCs)
description                       pid   Process       procid_target
PID 1428 wrote to memory of 1652  1428  rundll32.exe  28
PID 1428 wrote to memory of 1652  1428  rundll32.exe  28
PID 1428 wrote to memory of 1652  1428  rundll32.exe  28
PID 1428 wrote to memory of 1652  1428  rundll32.exe  28
PID 1428 wrote to memory of 1652  1428  rundll32.exe  28
PID 1428 wrote to memory of 1652  1428  rundll32.exe  28
PID 1428 wrote to memory of 1652  1428  rundll32.exe  28
PID 1652 wrote to memory of 2504  1652  rundll32.exe  29
PID 1652 wrote to memory of 2504  1652  rundll32.exe  29
PID 1652 wrote to memory of 2504  1652  rundll32.exe  29
PID 1652 wrote to memory of 2504  1652  rundll32.exe  29
Processes
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\afdae9d9181e38dfae7f6b25d94e19ce.dll,#1
  PID: 1428
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\afdae9d9181e38dfae7f6b25d94e19ce.dll,#1
    PID: 1652
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      command: C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 308
      PID: 2504
      - Program crash