Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
25-09-2024 02:31
Static task
static1
Behavioral task
behavioral1
Sample
b55197fbb92cdffacdbbe96ffacae20f66477b09e1430b688a4f5e05a72d10c6N.dll
Resource
win7-20240708-en
General
-
Target
b55197fbb92cdffacdbbe96ffacae20f66477b09e1430b688a4f5e05a72d10c6N.dll
-
Size
184KB
-
MD5
8c63bc0d2a4eab2f8fb559fd45da5350
-
SHA1
c01afa558e5337e755da5aef10112a7cf2c4b8e9
-
SHA256
b55197fbb92cdffacdbbe96ffacae20f66477b09e1430b688a4f5e05a72d10c6
-
SHA512
595fd36e712b701ebced238806487fe3f96944ec1c7c4702946a0a8e2bddf90200832928ade29a2c313488b324c957b83dce3138d55f21d21888b62ea7231de9
-
SSDEEP
3072:VgkQz1PuOprc+kq6VNOe3qbarVEpZlcbBacS9nOdgWdA4l:0PFkq6zOe5ilSanOJd
Malware Config
Extracted
dridex
22201
103.75.201.2:443
158.223.1.108:6225
165.22.28.242:4664
Signatures
-
resource yara_rule behavioral1/memory/964-1-0x0000000075160000-0x0000000075190000-memory.dmp dridex_ldr -
Program crash 1 IoCs
pid pid_target Process procid_target 1668 964 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1756 wrote to memory of 964 1756 rundll32.exe 30 PID 1756 wrote to memory of 964 1756 rundll32.exe 30 PID 1756 wrote to memory of 964 1756 rundll32.exe 30 PID 1756 wrote to memory of 964 1756 rundll32.exe 30 PID 1756 wrote to memory of 964 1756 rundll32.exe 30 PID 1756 wrote to memory of 964 1756 rundll32.exe 30 PID 1756 wrote to memory of 964 1756 rundll32.exe 30 PID 964 wrote to memory of 1668 964 rundll32.exe 31 PID 964 wrote to memory of 1668 964 rundll32.exe 31 PID 964 wrote to memory of 1668 964 rundll32.exe 31 PID 964 wrote to memory of 1668 964 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b55197fbb92cdffacdbbe96ffacae20f66477b09e1430b688a4f5e05a72d10c6N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b55197fbb92cdffacdbbe96ffacae20f66477b09e1430b688a4f5e05a72d10c6N.dll,#12⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 2203⤵
- Program crash
PID:1668
-
-