Analysis
-
max time kernel
162s -
max time network
177s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
19-05-2022 02:27
General
-
Target
xs05ehhb9.dll
-
Size
504KB
-
MD5
d47db68452d9fbd3e11f93f10355243e
-
SHA1
3f3268520315502224b9e09f47a65b7fecb8c8b8
-
SHA256
b03b501c074694ee05545263c92c18aba7f75b2a51221ff6fda744a73cf2af84
-
SHA512
7e0b44af8e01e5353ce0b714675bb1df22f1fd91bac4dc59a0485adae264720343c2490eb85a1ef5a8f6ba03b8b797b3641cfaa3bc512fa82ad74c3a9a1cb24c
Score
10/10
Malware Config
Extracted
Family
dridex
Botnet
10444
C2
210.65.244.166:443
178.33.183.53:7443
157.7.139.198:6601
rc4.plain
rc4.plain
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Blocklisted process makes network request 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\xs05ehhb9.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\xs05ehhb9.dll,#12⤵
- Blocklisted process makes network request
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/904-54-0x0000000000000000-mapping.dmp
-
memory/904-55-0x00000000752B1000-0x00000000752B3000-memory.dmpFilesize
8KB
-
memory/904-56-0x0000000000300000-0x0000000000391000-memory.dmpFilesize
580KB
-
memory/904-57-0x0000000000300000-0x000000000033D000-memory.dmpFilesize
244KB
-
memory/904-58-0x0000000000300000-0x0000000000391000-memory.dmpFilesize
580KB
-
memory/904-60-0x0000000000300000-0x0000000000391000-memory.dmpFilesize
580KB