Analysis
max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-03-2024 04:27
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: b1383298eee8f1ec7aea11638b1ef081.dll
  Resource: win7-20240221-en
  4 signatures, 150 seconds
General
Target: b1383298eee8f1ec7aea11638b1ef081.dll
Size: 188KB
MD5: b1383298eee8f1ec7aea11638b1ef081
SHA1: fa9c638d9589941c22e0bae134e23f5688a2a308
SHA256: 73af5f2718ca2946a052bb9b27a2373b29b1094ae7caeba9612c5a8a9095afd0
SHA512: 6c292c8e75f01c758c8d4e6d11e0594663ff646b5a08655bfa53f38f520e5c4c848946094c642c5a09f7a0df5ee410598480b30e4fc7fc2396c465c9ebac8342
SSDEEP: 3072:vH0uyjZqEpAK+Gf78TBdrXkTM5vhRg9Esf0DwvtyMpVnpA+z6tX8sxKViWW7dU:vUua/Pv7YNhRIEZDeXVpAxtMsxK
Malware Config (extracted)
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

dridex_ldr (yara_rule)
  resource: behavioral2/memory/3036-0-0x0000000074A00000-0x0000000074A30000-memory.dmp

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1608  3036        WerFault.exe  87

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 4752 wrote to memory of 3036  4752  rundll32.exe  87
  PID 4752 wrote to memory of 3036  4752  rundll32.exe  87
  PID 4752 wrote to memory of 3036  4752  rundll32.exe  87
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1383298eee8f1ec7aea11638b1ef081.dll,#1
  PID: 4752
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1383298eee8f1ec7aea11638b1ef081.dll,#1
    PID: 3036

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 692
      PID: 1608
      signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3036 -ip 3036
  PID: 5044