Analysis
-
max time kernel
106s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
19-05-2022 02:18
General
-
Target
u5nmsr.dll
-
Size
717KB
-
MD5
59d4c719403b793876d65395f5a2d0bd
-
SHA1
0b224d9b94af60a8fec79416d4b1bcab8cf9308c
-
SHA256
b6cf019dca618ebc676b84c40846e0a9a2050689b35845af2f12a93442fb25e8
-
SHA512
d395272ad4169d8de1f660b239d3dfc9937abb29aec05ba7527c5307cf90825058f3107e85acf8f5f4afe3b64c24e226edca3f84c678043469674292ade3f8b5
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
97.107.127.161:443
45.33.94.33:5037
159.89.91.92:5037
158.69.118.130:1443
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Blocklisted process makes network request 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\u5nmsr.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\u5nmsr.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2024-54-0x0000000000000000-mapping.dmp
-
memory/2024-55-0x0000000075F21000-0x0000000075F23000-memory.dmpFilesize
8KB
-
memory/2024-57-0x0000000075170000-0x0000000075236000-memory.dmpFilesize
792KB
-
memory/2024-56-0x0000000075170000-0x00000000751AD000-memory.dmpFilesize
244KB
-
memory/2024-59-0x0000000075170000-0x0000000075236000-memory.dmpFilesize
792KB