Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    24-01-2022 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09c6f8070ebacdee9e649748922e5a5b100ac8723b6bf46467ea7a6ca7443523.dll

  • Size

    328KB

  • MD5

    c29dc151fcd638fe2ddc814b869b39b7

  • SHA1

    949974b10b64eaf21f88dfee55070ae65e1825a1

  • SHA256

    09c6f8070ebacdee9e649748922e5a5b100ac8723b6bf46467ea7a6ca7443523

  • SHA512

    011fb6ade8c7641a73830b32571c66f07b103f9cf9e4a615e912016c6784ee8a33e487de26d71d0ce36c21a585ea4292fd448f9a51685a8bf542cec59c2464aa

Score
10/10
bazarloaderdropperloaderpersistence

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Bazar/Team9 Loader payload 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Modifies data under HKEY_USERS 41 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\09c6f8070ebacdee9e649748922e5a5b100ac8723b6bf46467ea7a6ca7443523.dll,#1
    1⤵
    • Blocklisted process makes network request
    PID:3492
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
      PID:4020
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe fa58bc57968cd7623569d2a957fb8dfb 3qbQ+MGDok21LjTds90Ghg.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:1780
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\09c6f8070ebacdee9e649748922e5a5b100ac8723b6bf46467ea7a6ca7443523.dll,#1 {29469E41-4D18-450E-80B5-ADC3C32B1A89}
      1⤵
        PID:1528
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k wusvcs -p
        1⤵
          PID:3680

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1528-131-0x000001DFD9FA0000-0x000001DFDA16E000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3492-130-0x000002156D850000-0x000002156DA1E000-memory.dmp

          Filesize

          1.8MB

          Download