Analysis
- max time kernel: 106s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 19-05-2022 02:18
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: u5nmsr.dll
  - Resource: win7-20220414-en
  - Platform: windows7_x64
- 0 signatures, 0 seconds
General
- Target: u5nmsr.dll
- Size: 717KB
- MD5: 59d4c719403b793876d65395f5a2d0bd
- SHA1: 0b224d9b94af60a8fec79416d4b1bcab8cf9308c
- SHA256: b6cf019dca618ebc676b84c40846e0a9a2050689b35845af2f12a93442fb25e8
- SHA512: d395272ad4169d8de1f660b239d3dfc9937abb29aec05ba7527c5307cf90825058f3107e85acf8f5f4afe3b64c24e226edca3f84c678043469674292ade3f8b5
Malware Config
Extracted
- Family: dridex
- Botnet: 10444
- C2:
  - 97.107.127.161:443
  - 45.33.94.33:5037
  - 159.89.91.92:5037
  - 158.69.118.130:1443
- rc4.plain
- rc4.plain
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes: rundll32.exe
  flow | pid  | process
  3    | 2024 | rundll32.exe
  5    | 2024 | rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes: rundll32.exe
  description       | ioc                                                                                   | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: rundll32.exe
  description                      | pid  | process      | target process
  PID 1972 wrote to memory of 2024 | 1972 | rundll32.exe | rundll32.exe
  (the same entry is recorded 7 times)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\u5nmsr.dll,#1
  PID: 1972
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\u5nmsr.dll,#1
    PID: 2024
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/2024-54-0x0000000000000000-mapping.dmp
- memory/2024-55-0x0000000075F21000-0x0000000075F23000-memory.dmp (Filesize: 8KB)
- memory/2024-57-0x0000000075170000-0x0000000075236000-memory.dmp (Filesize: 792KB)
- memory/2024-56-0x0000000075170000-0x00000000751AD000-memory.dmp (Filesize: 244KB)
- memory/2024-59-0x0000000075170000-0x0000000075236000-memory.dmp (Filesize: 792KB)