Analysis
max time kernel: 123s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2024 10:11
Static task: static1
1 signatures
Behavioral task: behavioral1
Sample: db5cccbba844600fa27354ebb360589d.dll
Resource: win7-20240215-en (windows7-x64)
4 signatures
150 seconds
General
Target: db5cccbba844600fa27354ebb360589d.dll
Size: 188KB
MD5: db5cccbba844600fa27354ebb360589d
SHA1: 6fb1d6769c625c5ed72f819e9e2c7a9b1eb6a6a0
SHA256: a1ebfce9633f10bf9992e7e220d63e1cc8ac35befc9bef20fbb81abbcfad3bb2
SHA512: 1ea2c32b61f3e46db248342ebde45b018c0621d057ade80b9e949b5faf5a45665f62ccaa48b0c46187f3bc2642f54035259065d22c121d2d318d4c145ec920bf
SSDEEP: 3072:BA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoSo:BzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
103.82.248.59:443
54.39.98.141:6602
103.109.247.8:10443
rc4.plain
rc4.plain
Signatures
-
Processes:
resource                                                                          yara_rule
behavioral2/memory/5056-0-0x00000000757A0000-0x00000000757D0000-memory.dmp        dridex_ldr
Program crash 1 IoCs
Processes:
WerFault.exe
pid   pid_target   process        target process
3688  5056         WerFault.exe   rundll32.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exe
description                        pid   process        target process
PID 232 wrote to memory of 5056    232   rundll32.exe   rundll32.exe
PID 232 wrote to memory of 5056    232   rundll32.exe   rundll32.exe
PID 232 wrote to memory of 5056    232   rundll32.exe   rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\db5cccbba844600fa27354ebb360589d.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\db5cccbba844600fa27354ebb360589d.dll,#1
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 692
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5056 -ip 5056