Analysis
max time kernel: 143s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 27-03-2024 05:03

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: e0d6378566342a725b5ec723f85b5084.dll
  Resource: win7-20240221-en (windows7-x64)
  4 signatures, 150 seconds
General
Target: e0d6378566342a725b5ec723f85b5084.dll
Size: 188KB
MD5: e0d6378566342a725b5ec723f85b5084
SHA1: ea32588f2e222aed82b11ab9547c8ca52a3118f8
SHA256: c1ce670b7ef5fa9a7de5a0009f618fe8aa66f4ce4dfe71b43557a8b1f0b73e16
SHA512: 4d80b7c136b1175e7ac2665e3deec13f5403aef02b404f3461d16b5bd5b8d3ecb77916560257bb9e6de8afc3bd824b9f21b9bf6899194704f62c0ad1ce988706
SSDEEP: 3072:FA8JmK7ATVfQeVqNFZa/9KzMXJ6jTFDlAwqWut5KZMzfeAAAoBo:FzIqATVfQeV2FZalKq6jtGJWuTmd
Malware Config
Extracted
Family: dridex
Botnet: 22201
C2:
  103.82.248.59:443
  54.39.98.141:6602
  103.109.247.8:10443
rc4.plain
rc4.plain
Signatures

YARA rule match
  resource: behavioral1/memory/848-0-0x0000000074DF0000-0x0000000074E20000-memory.dmp
  yara_rule: dridex_ldr

Program crash (1 IoC)
  pid 2192 WerFault.exe, target pid 848 rundll32.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1408 (rundll32.exe) wrote to memory of 848 (rundll32.exe): 7 events
  PID 848 (rundll32.exe) wrote to memory of 2192 (WerFault.exe): 4 events
Processes

1. C:\Windows\system32\rundll32.exe (PID 1408)
   rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0d6378566342a725b5ec723f85b5084.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 848)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0d6378566342a725b5ec723f85b5084.dll,#1
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe (PID 2192)
         C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 308
         - Program crash
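The process tree above is the chain a detection engineer would want to recognise in endpoint telemetry: a 64-bit rundll32 given a 32-bit DLL from %Temp% re-executes the SysWOW64 rundll32 for the same DLL (which is why the dridex_ldr YARA hit sits in the 32-bit address range of PID 848), the parent writes into the child during that hand-off, and the child then crashes into WerFault. The script below is an added example, not part of the sandbox report or any tooling it used; the process records are constructed from the PIDs and command lines in this report, and the field names (pid, ppid, image, cmdline) are assumptions rather than the sandbox's export schema.

```python
import re
from collections import Counter

# Constructed records modelled on the report's process tree (PIDs 1408, 848, 2192).
# Field names are assumed, not the sandbox's export format.
PROCESSES = [
    {"pid": 1408, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0d6378566342a725b5ec723f85b5084.dll,#1"},
    {"pid": 848, "ppid": 1408, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\e0d6378566342a725b5ec723f85b5084.dll,#1"},
    {"pid": 2192, "ppid": 848, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 308"},
]
# (writer pid, target pid), one tuple per WriteProcessMemory IoC listed in the report.
WRITES = [(1408, 848)] * 7 + [(848, 2192)] * 4

RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>.+?\.dll)\s*,\s*(?P<export>\S+)", re.I)
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?-p\s+(?P<pid>\d+)", re.I)
# Directories an unprivileged user can write to; a DLL loaded from here by rundll32 is worth a look.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_rundll32(cmdline):
    """Return (dll_path, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip(), m.group("export")


def triage(processes, writes):
    """Flag the rundll32 -> rundll32 -> WerFault pattern and summarise cross-process writes."""
    by_pid = {p["pid"]: p for p in processes}
    hosts = {}      # pid -> DLL path, for rundll32 processes hosting a DLL from a user-writable dir
    findings = []

    for p in processes:
        parsed = parse_rundll32(p["cmdline"])
        if parsed:
            dll, export = parsed
            if any(tok in dll.lower() for tok in USER_WRITABLE):
                hosts[p["pid"]] = dll
                findings.append(f"pid {p['pid']}: rundll32 loads DLL from user-writable path {dll} (export {export})")
            if export.startswith("#"):
                findings.append(f"pid {p['pid']}: entry point called by ordinal ({export}), export name not visible")
            parent = by_pid.get(p["ppid"])
            parent_parsed = parse_rundll32(parent["cmdline"]) if parent else None
            # 64-bit rundll32 (System32) re-executing the 32-bit rundll32 (SysWOW64) for the same DLL
            # means the payload is a 32-bit image; the child is where the DLL actually runs.
            if (parent_parsed and parent_parsed[0].lower() == dll.lower()
                    and "\\system32\\" in parent["image"].lower()
                    and "\\syswow64\\" in p["image"].lower()):
                findings.append(f"pid {p['pid']}: 64-bit rundll32 (pid {parent['pid']}) relaunched 32-bit rundll32 "
                                f"for the same DLL; payload is 32-bit")
        m = WERFAULT_RE.search(p["cmdline"])
        if m and int(m.group("pid")) in hosts:
            findings.append(f"pid {p['pid']}: WerFault reports crash of payload host pid {m.group('pid')}")

    # Collapse the per-event WriteProcessMemory IoCs into writer -> target counts with image names.
    for (src, dst), n in Counter(writes).items():
        s = by_pid.get(src, {}).get("image", "?").rsplit("\\", 1)[-1]
        d = by_pid.get(dst, {}).get("image", "?").rsplit("\\", 1)[-1]
        findings.append(f"pid {src} ({s}) wrote to memory of pid {dst} ({d}) x{n}")
    return findings


if __name__ == "__main__":
    for line in triage(PROCESSES, WRITES):
        print(line)
```

Two caveats when turning this into a production rule. The parent-to-child writes are what any process creation looks like from a WriteProcessMemory hook, so the count on its own is not evidence of injection; the signal here is the combination of a Temp-path DLL, an ordinal export, the bitness hop, and the crash of the hosting process. And the WerFault `-s 308` argument is an event/handle value, not the crash's exit code, so do not key a rule on it.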