Analysis
-
max time kernel
7s -
max time network
63s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-11-2020 12:10
General
-
Target
ugm5wtx2gif.dll
-
Size
539KB
-
MD5
6972a8146a738570e6443ba8b75af1bb
-
SHA1
480043a771ac2bdde19b0177a0f7ce5db428e8c7
-
SHA256
ae9628344dfef9e22d8bb19fd5001329640ec5573c5503e3ae99788ef7b58f1c
-
SHA512
4120227d0fd105d3e7a28a39f151036121ce84ed78cd7a846f133c7ea4e47fc58cf0f102d1e6ba1dc97fcff318597e3d77548822384c4c2603680dacac809f35
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
162.241.44.26:9443
192.232.229.53:4443
77.220.64.34:443
193.90.12.121:3098
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Blocklisted process makes network request 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ugm5wtx2gif.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ugm5wtx2gif.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1360-2-0x000007FEF7EB0000-0x000007FEF812A000-memory.dmpFilesize
2.5MB
-
memory/2016-0-0x0000000000000000-mapping.dmp
-
memory/2016-1-0x0000000000200000-0x000000000023D000-memory.dmpFilesize
244KB