Analysis
- max time kernel: 133s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 19-05-2022 02:18
Static task: static1
Behavioral task: behavioral1
Sample: u5nmsr.dll
Resource: win7-20220414-en
0 signatures
0 seconds
General
- Target: u5nmsr.dll
- Size: 717KB
- MD5: 59d4c719403b793876d65395f5a2d0bd
- SHA1: 0b224d9b94af60a8fec79416d4b1bcab8cf9308c
- SHA256: b6cf019dca618ebc676b84c40846e0a9a2050689b35845af2f12a93442fb25e8
- SHA512: d395272ad4169d8de1f660b239d3dfc9937abb29aec05ba7527c5307cf90825058f3107e85acf8f5f4afe3b64c24e226edca3f84c678043469674292ade3f8b5
Malware Config
Extracted
- Family: dridex
- Botnet: 10444
- C2:
  - 97.107.127.161:443
  - 45.33.94.33:5037
  - 159.89.91.92:5037
  - 158.69.118.130:1443
- rc4.plain
- rc4.plain
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes: rundll32.exe
  flow | pid | process
  95 | 4512 | rundll32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  Processes: rundll32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: rundll32.exe
  description | pid | process | target process
  PID 2352 wrote to memory of 4512 | 2352 | rundll32.exe | rundll32.exe
  PID 2352 wrote to memory of 4512 | 2352 | rundll32.exe | rundll32.exe
  PID 2352 wrote to memory of 4512 | 2352 | rundll32.exe | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\u5nmsr.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\u5nmsr.dll,#1
    - Blocklisted process makes network request
    - Checks whether UAC is enabled
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/4512-130-0x0000000000000000-mapping.dmp
- memory/4512-132-0x00000000751F0000-0x00000000752B6000-memory.dmp (Filesize: 792KB)
- memory/4512-131-0x00000000751F0000-0x000000007522D000-memory.dmp (Filesize: 244KB)
- memory/4512-134-0x00000000751F0000-0x00000000752B6000-memory.dmp (Filesize: 792KB)