Analysis
-
max time kernel
104s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15-08-2024 22:29
Static task
static1
Behavioral task
behavioral1
Sample
327074efb47343ad7570ca2ac5a4ca50N.dll
Resource
win7-20240729-en
General
-
Target
327074efb47343ad7570ca2ac5a4ca50N.dll
-
Size
184KB
-
MD5
327074efb47343ad7570ca2ac5a4ca50
-
SHA1
a3aecdec672dab53420b709b0b3513e9008d12f1
-
SHA256
f7951e7902d40db690203a808c2f1da49a9e9b44dbf68d38f420b9781811dd4c
-
SHA512
d018fe50268fea896fc75e6df35a60f7c445f379f9c6f8bc40709f51c65c6dd94c117f939dc1e823b56bf397476309bfa4944cb4132b7a021b0a06ac82df8db2
-
SSDEEP
3072:7iLVj+luuUXoPOK2z1WPRgg5YbW+d0Ojk1bSA5q/eaoYlzoxss7:7iLVCIT4WK2z1W+CUHZj4Skq/eaoGoC
Malware Config
Extracted
dridex
22202
80.241.218.90:443
103.161.172.109:13786
87.98.128.76:5723
Signatures
-
resource yara_rule behavioral2/memory/4464-0-0x0000000075380000-0x00000000753AF000-memory.dmp dridex_ldr -
Program crash 1 IoCs
pid pid_target Process procid_target 932 4464 WerFault.exe 84 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4140 wrote to memory of 4464 4140 rundll32.exe 84 PID 4140 wrote to memory of 4464 4140 rundll32.exe 84 PID 4140 wrote to memory of 4464 4140 rundll32.exe 84
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\327074efb47343ad7570ca2ac5a4ca50N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\327074efb47343ad7570ca2ac5a4ca50N.dll,#12⤵
- System Location Discovery: System Language Discovery
PID:4464 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 6163⤵
- Program crash
PID:932
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4464 -ip 44641⤵PID:3008
Network
-
Remote address:8.8.8.8:53Request8.8.8.8.in-addr.arpaIN PTRResponse8.8.8.8.in-addr.arpaIN PTRdnsgoogle
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request22.160.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.143.123.92.in-addr.arpaIN PTRResponse240.143.123.92.in-addr.arpaIN PTRa92-123-143-240deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request43.58.199.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request228.249.119.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request103.169.127.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request39.58.20.217.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request23.58.20.217.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request29.243.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN AResponsetse1.mm.bing.netIN CNAMEmm-mm.bing.net.trafficmanager.netmm-mm.bing.net.trafficmanager.netIN CNAMEax-0001.ax-msedge.netax-0001.ax-msedge.netIN A150.171.28.10ax-0001.ax-msedge.netIN A150.171.27.10
-
Remote address:8.8.8.8:53Requesttse1.mm.bing.netIN A
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388116_1HBZ24TGK6VST5MLJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239339388116_1HBZ24TGK6VST5MLJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 474395
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: B80F1598F4564F64897D54F000C34033 Ref B: LON04EDGE1211 Ref C: 2024-08-15T22:31:02Z
date: Thu, 15 Aug 2024 22:31:01 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239339388115_1OIS3ERNXZ6FC49JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239339388115_1OIS3ERNXZ6FC49JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 504006
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 48137AC7ECE04426A10322543C2188DF Ref B: LON04EDGE1211 Ref C: 2024-08-15T22:31:02Z
date: Thu, 15 Aug 2024 22:31:01 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317300929_14U14WCS4159DH3B0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239317300929_14U14WCS4159DH3B0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
ResponseHTTP/2.0 200
content-length: 836390
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A1EF38640EBF46A7A815A61BE0770454 Ref B: LON04EDGE1211 Ref C: 2024-08-15T22:31:02Z
date: Thu, 15 Aug 2024 22:31:01 GMT
-
GEThttps://tse1.mm.bing.net/th?id=OADD2.10239317301362_1O9HVN7VX0LX9G6S2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90Remote address:150.171.28.10:443RequestGET /th?id=OADD2.10239317301362_1O9HVN7VX0LX9G6S2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
-
1.7kB 6.8kB 17 11
-
150.171.28.10:443https://tse1.mm.bing.net/th?id=OADD2.10239317301362_1O9HVN7VX0LX9G6S2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90tls, http226.5kB 635.4kB 474 468
HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388116_1HBZ24TGK6VST5MLJ&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239339388115_1OIS3ERNXZ6FC49JX&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317300929_14U14WCS4159DH3B0&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90HTTP Response
200HTTP Request
GET https://tse1.mm.bing.net/th?id=OADD2.10239317301362_1O9HVN7VX0LX9G6S2&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90HTTP Response
200HTTP Response
200 -
1.4kB 6.8kB 15 12
-
1.4kB 6.8kB 15 12
-
66 B 90 B 1 1
DNS Request
8.8.8.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
209.205.72.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
22.160.190.20.in-addr.arpa
-
73 B 139 B 1 1
DNS Request
240.143.123.92.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
43.58.199.20.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
228.249.119.40.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
103.169.127.40.in-addr.arpa
-
71 B 131 B 1 1
DNS Request
39.58.20.217.in-addr.arpa
-
71 B 131 B 1 1
DNS Request
23.58.20.217.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
29.243.111.52.in-addr.arpa
-
124 B 170 B 2 1
DNS Request
tse1.mm.bing.net
DNS Request
tse1.mm.bing.net
DNS Response
150.171.28.10150.171.27.10