Analysis
- max time kernel: 140s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20-03-2024 23:19
Static task: static1
- 1 signature
Behavioral task: behavioral1
- Sample: da1632e35963bff1eee60264a64ca39a.dll
- Resource: win7-20240221-en
- 4 signatures
- 150 seconds
General
- Target: da1632e35963bff1eee60264a64ca39a.dll
- Size: 188KB
- MD5: da1632e35963bff1eee60264a64ca39a
- SHA1: 61a584443565d3b00fec14a6a550e3dfa5270655
- SHA256: 260882766b6bbb6ce21025de7362ed0eb9873c23d78aa9bb9043a674ba51a6c1
- SHA512: 3d2650c62090ddd122e8ed80b271661d071efec16f40f9f02f0b875881b336e2b78576e6cf49f5a1566c6d9b47c57375d5da42ffeada951be41270786ac681e7
- SSDEEP: 3072:XA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAo9o:XzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config
Extracted
- Family: dridex
- Botnet: 22201
- C2:
  - 103.82.248.59:443
  - 54.39.98.141:6602
  - 103.109.247.8:10443
- rc4.plain
- rc4.plain
Signatures
-
  Processes:
  resource | yara_rule
  behavioral1/memory/2852-0-0x0000000074C50000-0x0000000074C80000-memory.dmp | dridex_ldr
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2528 | 2852 | WerFault.exe | rundll32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2856 wrote to memory of 2852 | 2856 | rundll32.exe | rundll32.exe (7 entries)
  PID 2852 wrote to memory of 2528 | 2852 | rundll32.exe | WerFault.exe (4 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da1632e35963bff1eee60264a64ca39a.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\da1632e35963bff1eee60264a64ca39a.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 300
      - Program crash