Overview

overview

10

Static

static

3

096c523389...a0.dll

windows7-x64

10

096c523389...a0.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2024 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    096c5233892113f80a9ade6545c751fd5c7e049e3357f0be6a0dc8debd18f5a0.dll

  • Size

    1.1MB

  • MD5

    29b4a43d6fa90c2c28824982c991da5d

  • SHA1

    f4693227a98c1b9a031bb6ad182c5f20b83de5f1

  • SHA256

    096c5233892113f80a9ade6545c751fd5c7e049e3357f0be6a0dc8debd18f5a0

  • SHA512

    88fa077dc53d0bef81cdfc3d6da7f44ffc77ca3bdd5fd1818c37c0e9327fdd5b1749945393289b87f7aa2f0a2ddb11b924cea0861e83960bd858f7e353f43f2c

  • SSDEEP

    12288:LkMZ+g4TyilMqFvPIV93i/S0hzmOBt5nihfSxI/mhjEvqJ0D/eAQsroXAkH64C:LkMZ+gf4ltGd8H1fYO0q2G1Ah

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 8 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\096c5233892113f80a9ade6545c751fd5c7e049e3357f0be6a0dc8debd18f5a0.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:1300
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
      PID:548
    • C:\Users\Admin\AppData\Local\6py\AgentService.exe
      C:\Users\Admin\AppData\Local\6py\AgentService.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:3188
    • C:\Windows\system32\Netplwiz.exe
      C:\Windows\system32\Netplwiz.exe
      1⤵
        PID:4336
      • C:\Users\Admin\AppData\Local\G9pVhx\Netplwiz.exe
        C:\Users\Admin\AppData\Local\G9pVhx\Netplwiz.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2864
      • C:\Windows\system32\SystemPropertiesRemote.exe
        C:\Windows\system32\SystemPropertiesRemote.exe
        1⤵
          PID:3392
        • C:\Users\Admin\AppData\Local\thGh3oyC4\SystemPropertiesRemote.exe
          C:\Users\Admin\AppData\Local\thGh3oyC4\SystemPropertiesRemote.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:4172

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\6py\AgentService.exe
          Filesize

          1.2MB

          MD5

          f8bac206def3e87ceb8ef3cb0fb5a194

          SHA1

          a28ea816e7b5ca511da4576262a5887a75171276

          SHA256

          c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

          SHA512

          8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

          Download Submit

        • C:\Users\Admin\AppData\Local\6py\VERSION.dll
          Filesize

          1.1MB

          MD5

          3a4ae92c58b5ee0f5a96c4e4b5d34fd5

          SHA1

          b2956e2eecd16768dda038a5771d0c8f3c0d3c67

          SHA256

          1e953f0902ecaf17d8053d4b54daa7fa6c5114b6195c8a99dd2befd91a32f6b7

          SHA512

          adcc18a2633c475c2da1a8a60d40e87ada1c4bfe9827bef9b49adad67ca00b248e50096f841b2e1746003724935867c6869db05b732060ddbb3aba41ebf05cc3

          Download Submit

        • C:\Users\Admin\AppData\Local\G9pVhx\NETPLWIZ.dll
          Filesize

          1.1MB

          MD5

          0ee91bfdfa7c77441e4292fe2c6c5c86

          SHA1

          d7edb87e80ee46850fbfe7c974b71c2189dbadcf

          SHA256

          6e618d7477eba873d25dca7832acf04b2f77c5a1e2932902bab1d58a689e951a

          SHA512

          10ff91a790eae25a53c9298ca1efcab8a8ada48cb98b412177811f9bef7b8c28a4b4e0d23b899382184b6a495fef1b45a52bdebb00fd8227c7e32fc9baad4bf0

          Download Submit

        • C:\Users\Admin\AppData\Local\G9pVhx\Netplwiz.exe
          Filesize

          40KB

          MD5

          520a7b7065dcb406d7eca847b81fd4ec

          SHA1

          d1b3b046a456630f65d482ff856c71dfd2f335c8

          SHA256

          8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d

          SHA512

          7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

          Download Submit

        • C:\Users\Admin\AppData\Local\thGh3oyC4\SYSDM.CPL
          Filesize

          1.1MB

          MD5

          95e0f89cbd047a4c494071aa3fe28448

          SHA1

          51ce52863403876cacbf83690a1535563eb58bf9

          SHA256

          475589030d52d77b5c2c4a1928db8eefb0bc5ccd33bc2bcb94ae0ce3468aec90

          SHA512

          a75e3bdc5697e251bee9265e0cf52542967af2573caebb1c574d2a9c11f70d716fb0430000095657bb9edcc76a61c9709eb9a9767df13bf0cfae553ee0709db3

          Download Submit

        • C:\Users\Admin\AppData\Local\thGh3oyC4\SystemPropertiesRemote.exe
          Filesize

          82KB

          MD5

          cdce1ee7f316f249a3c20cc7a0197da9

          SHA1

          dadb23af07827758005ec0235ac1573ffcea0da6

          SHA256

          7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932

          SHA512

          f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Rasxaa.lnk
          Filesize

          1KB

          MD5

          51946e09fe6f5c4a6fc0a3ed99900d36

          SHA1

          d780a037d95f305056050271a713ed0b5f33bf5c

          SHA256

          93bb8c7b9b19f8e1a0aeb911dc24778913d3bf027073faa7a691f117ef43b37d

          SHA512

          b63155bc0ba184ce5ced411ba4d99b9664f0102e9b142c7a4310c5524b63a355197d5e3a04b27bcc74ab7a713a5212f4dcd67763bfd9a9b31d8784f8f7b7fdc7

          Download Submit

        • memory/1300-0-0x00000171D4C10000-0x00000171D4C17000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1300-38-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1300-1-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2864-66-0x0000000140000000-0x000000014011F000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2864-63-0x000001B3FD910000-0x000001B3FD917000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3188-50-0x0000000140000000-0x000000014011F000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3188-47-0x0000000140000000-0x000000014011F000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3188-45-0x000002768E350000-0x000002768E357000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3428-13-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-11-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-25-0x00007FFA7C920000-0x00007FFA7C930000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3428-35-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-24-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-6-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-7-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-8-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-9-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-26-0x00007FFA7C910000-0x00007FFA7C920000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3428-12-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-15-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-23-0x0000000000AD0000-0x0000000000AD7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3428-14-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-10-0x0000000140000000-0x000000014011E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3428-3-0x0000000002A70000-0x0000000002A71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3428-5-0x00007FFA7AAAA000-0x00007FFA7AAAB000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4172-81-0x0000000140000000-0x000000014011F000-memory.dmp

          Filesize

          1.1MB

          Download