Analysis
-
max time kernel
9s -
max time network
66s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
18-11-2020 12:37
General
-
Target
cm5xssc78.dll
-
Size
539KB
-
MD5
cf9c14ef002b286cc5b6f40e24430857
-
SHA1
8ab38ccaf47cdfaf5bd48b05d7c094f28aa17b0d
-
SHA256
f4e65ecea469214769a863058823613437eb066a0baf40b5f9342958fce1e7a7
-
SHA512
1c3f18cf81ddc5fc7729e184e9021202bc395b11fc3273be25961de7713307a9d5eeb62c2870481410bafa0d68972050dd659882b2fc610dd465e4151d8b207a
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
162.241.44.26:9443
192.232.229.53:4443
77.220.64.34:443
193.90.12.121:3098
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Loader 1 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Blocklisted process makes network request 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cm5xssc78.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cm5xssc78.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1732-2-0x000007FEF7BD0000-0x000007FEF7E4A000-memory.dmpFilesize
2.5MB
-
memory/1960-0-0x0000000000000000-mapping.dmp
-
memory/1960-1-0x00000000009B0000-0x00000000009ED000-memory.dmpFilesize
244KB