Analysis
max time kernel: 140s
max time network: 118s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 26-03-2024 18:13

Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: dfca69fe1e634e92696b13032383eac6.dll
Resource: win7-20240220-en (windows7-x64)
4 signatures, 150 seconds
General
Target: dfca69fe1e634e92696b13032383eac6.dll
Size: 188KB
MD5: dfca69fe1e634e92696b13032383eac6
SHA1: 389b1dfdd56714d4e23145775e424f085e9b8b33
SHA256: e84da0c917c8406ad24610577a6b1884aa71aa090062f68b0ef5f28b2ee7a01b
SHA512: c4cc132ce3bca4c99d231847109a1c81b72d9f2000d2b7b6cb60676a19ab505d8cfc126d5414441ae52968835d8487329d2bacf587fb1d2a0a7969fdc9c4a84b
SSDEEP: 3072:9A8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoto:9zIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

Processes:
  resource                                                                   yara_rule
  behavioral1/memory/1956-0-0x00000000748F0000-0x0000000074920000-memory.dmp  dridex_ldr
  behavioral1/memory/1956-2-0x00000000748F0000-0x0000000074920000-memory.dmp  dridex_ldr

Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  2604  1956        WerFault.exe  rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description                       pid   process       target process
  PID 2080 wrote to memory of 1956  2080  rundll32.exe  rundll32.exe   (7 entries)
  PID 1956 wrote to memory of 2604  1956  rundll32.exe  WerFault.exe   (4 entries)
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfca69fe1e634e92696b13032383eac6.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\dfca69fe1e634e92696b13032383eac6.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 300
      - Program crash