Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 05-03-2024 01:26
Static task: static1
  1 signature

Behavioral task: behavioral1
  Sample: b36d3e6810ca49ac83ff8ac03e86944e.dll
  Resource: win7-20240220-en
  4 signatures
  150 seconds
General

Target: b36d3e6810ca49ac83ff8ac03e86944e.dll
Size: 188KB
MD5: b36d3e6810ca49ac83ff8ac03e86944e
SHA1: 5d4e932a673ac8ac915a76f35deb4fa6889d9089
SHA256: 8c6a797b103fed118c9b478e27a814da8fb5f7950f3d3526da6b48a6b8a218f3
SHA512: 685a0aff80796a679b868a0962ab2aa55899963b7ea678c7d28287771aaae6595116508b6858782e0d02adda113e47a2d31f8622b865c7b06ae2c860cf40bb69
SSDEEP: 3072:2A8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoBo:2zIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config

Extracted
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

resource                                                                     yara_rule
behavioral2/memory/2996-0-0x0000000074E90000-0x0000000074EC0000-memory.dmp   dridex_ldr

Program crash (1 IoC)
pid   pid_target   Process        procid_target
544   2996         WerFault.exe   88

Suspicious use of WriteProcessMemory (3 IoCs)
description                        pid    Process        procid_target
PID 1592 wrote to memory of 2996   1592   rundll32.exe   88
PID 1592 wrote to memory of 2996   1592   rundll32.exe   88
PID 1592 wrote to memory of 2996   1592   rundll32.exe   88
Processes

Path: C:\Windows\system32\rundll32.exe
Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b36d3e6810ca49ac83ff8ac03e86944e.dll,#1
PID: 1592
Signatures: Suspicious use of WriteProcessMemory

  Path: C:\Windows\SysWOW64\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b36d3e6810ca49ac83ff8ac03e86944e.dll,#1
  PID: 2996

    Path: C:\Windows\SysWOW64\WerFault.exe
    Command: C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 692
    PID: 544
    Signatures: Program crash

Path: C:\Windows\SysWOW64\WerFault.exe
Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2996 -ip 2996
PID: 4868