Analysis

max time kernel: 141s
max time network: 126s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 05-03-2024 01:26

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: b36d3e6810ca49ac83ff8ac03e86944e.dll
  Resource: win7-20240220-en
  4 signatures, 150 seconds
General

Target: b36d3e6810ca49ac83ff8ac03e86944e.dll
Size: 188KB
MD5: b36d3e6810ca49ac83ff8ac03e86944e
SHA1: 5d4e932a673ac8ac915a76f35deb4fa6889d9089
SHA256: 8c6a797b103fed118c9b478e27a814da8fb5f7950f3d3526da6b48a6b8a218f3
SHA512: 685a0aff80796a679b868a0962ab2aa55899963b7ea678c7d28287771aaae6595116508b6858782e0d02adda113e47a2d31f8622b865c7b06ae2c860cf40bb69
SSDEEP: 3072:2A8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoBo:2zIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

resource                                                                    yara_rule
behavioral1/memory/1120-0-0x0000000074900000-0x0000000074930000-memory.dmp  dridex_ldr
behavioral1/memory/1120-2-0x0000000074900000-0x0000000074930000-memory.dmp  dridex_ldr

Program crash (1 IoCs)
pid   pid_target  Process       procid_target
2172  1120        WerFault.exe  28

Suspicious use of WriteProcessMemory (11 IoCs)
description                       pid   Process       procid_target
PID 1640 wrote to memory of 1120  1640  rundll32.exe  28
PID 1640 wrote to memory of 1120  1640  rundll32.exe  28
PID 1640 wrote to memory of 1120  1640  rundll32.exe  28
PID 1640 wrote to memory of 1120  1640  rundll32.exe  28
PID 1640 wrote to memory of 1120  1640  rundll32.exe  28
PID 1640 wrote to memory of 1120  1640  rundll32.exe  28
PID 1640 wrote to memory of 1120  1640  rundll32.exe  28
PID 1120 wrote to memory of 2172  1120  rundll32.exe  29
PID 1120 wrote to memory of 2172  1120  rundll32.exe  29
PID 1120 wrote to memory of 2172  1120  rundll32.exe  29
PID 1120 wrote to memory of 2172  1120  rundll32.exe  29
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b36d3e6810ca49ac83ff8ac03e86944e.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1640
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b36d3e6810ca49ac83ff8ac03e86944e.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 1120
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 300
      - Program crash
      PID: 2172