Analysis

max time kernel: 166s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-03-2024 16:46
Static task: static1 (1 signatures)

Behavioral task: behavioral1
Sample: dc1eb56e51414e509958dda6dfd1f0f5.dll
Resource: win7-20240221-en (windows7-x64)
4 signatures, 150 seconds
General

Target: dc1eb56e51414e509958dda6dfd1f0f5.dll
Size: 188KB
MD5: dc1eb56e51414e509958dda6dfd1f0f5
SHA1: 741d1ff6fe5babb6b0b7fc408be6327d43abee23
SHA256: 281126712086225346c0867cf2587a785e3662254d109e844f723d0b30f0d80b
SHA512: a0aed0df9d69e47f27e0e97e84e7dc6b0fd061bd11d7a1a6c190da3e409c8c5a9c0b5acc8f96ae3278e8d38a6abb268ce02267bacc18a5faa2a9dd50d3538d1e
SSDEEP: 3072:6A8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoro:6zIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config (Extracted)

Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

YARA match
Processes:
  resource: behavioral2/memory/2812-0-0x00000000750C0000-0x00000000750F0000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoCs)
Processes:
  pid        pid_target  process        target process
  2388       2812        WerFault.exe   rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                     pid   process        target process
  PID 916 wrote to memory of 2812  916   rundll32.exe   rundll32.exe
  PID 916 wrote to memory of 2812  916   rundll32.exe   rundll32.exe
  PID 916 wrote to memory of 2812  916   rundll32.exe   rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc1eb56e51414e509958dda6dfd1f0f5.dll,#1
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\dc1eb56e51414e509958dda6dfd1f0f5.dll,#1

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 692
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 2812 -ip 2812