Analysis
  max time kernel: 145s
  max time network: 130s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 20-03-2024 19:16

Static task
  static1
  1 signatures

Behavioral task
  behavioral1
  Sample: d999440094ce13be07389638d82c745a.dll
  Resource: win7-20240221-en (windows7-x64)
  4 signatures
  150 seconds
General
  Target: d999440094ce13be07389638d82c745a.dll
  Size: 188KB
  MD5: d999440094ce13be07389638d82c745a
  SHA1: a030b1074b2739dadcb2cc43174fca3e16dad8f8
  SHA256: 8aec65ccb76854cbadc8c0fe77dda563a1a5f3eff7c99aba766a931814a6c795
  SHA512: 886a66bc0fb50917411b6389153ffa48071bc27696ec28b0fe14201fd5ff220b5f3e737cec6e99940c55db5a332632edaf1d53b7ce02308f85c8f7d6ac2d99f1
  SSDEEP: 3072:CA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoFo:CzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config
  Extracted
  Family: dridex
  Botnet: 22201
  C2:
    103.82.248.59:443
    54.39.98.141:6602
    103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2376-0-0x0000000074860000-0x0000000074890000-memory.dmp   dridex_ldr

Program crash (1 IoCs)
Processes:
  pid    pid_target   process        target process
  2372   2376         WerFault.exe   rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                        pid    process        target process
  PID 1224 wrote to memory of 2376   1224   rundll32.exe   rundll32.exe
  PID 1224 wrote to memory of 2376   1224   rundll32.exe   rundll32.exe
  PID 1224 wrote to memory of 2376   1224   rundll32.exe   rundll32.exe
  PID 1224 wrote to memory of 2376   1224   rundll32.exe   rundll32.exe
  PID 1224 wrote to memory of 2376   1224   rundll32.exe   rundll32.exe
  PID 1224 wrote to memory of 2376   1224   rundll32.exe   rundll32.exe
  PID 1224 wrote to memory of 2376   1224   rundll32.exe   rundll32.exe
  PID 2376 wrote to memory of 2372   2376   rundll32.exe   WerFault.exe
  PID 2376 wrote to memory of 2372   2376   rundll32.exe   WerFault.exe
  PID 2376 wrote to memory of 2372   2376   rundll32.exe   WerFault.exe
  PID 2376 wrote to memory of 2372   2376   rundll32.exe   WerFault.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d999440094ce13be07389638d82c745a.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\d999440094ce13be07389638d82c745a.dll,#1
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 308
        - Program crash