Overview

overview

10

Static

static

3

12165e6cc5...08.dll

windows7-x64

10

12165e6cc5...08.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-10-2024 05:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12165e6cc5aa936770832b61eada40b38d30dc9ec123117868d795165810d108.dll

  • Size

    668KB

  • MD5

    53f22cec29ddc10f57ffe3e4348d5d8c

  • SHA1

    9d3c7d20606c1b9fe7f302b7d62eb9fbfd66a5c8

  • SHA256

    12165e6cc5aa936770832b61eada40b38d30dc9ec123117868d795165810d108

  • SHA512

    6ee3f97e5e536b31ebfcc422eb5fcfdf995bb49ac79335bb1e9e36cc61da9a7899cb72e31147e44a50dbd247231caa700c27aa26388792c422e256920c955e84

  • SSDEEP

    6144:D34xznfAp4x+NWMqW/KZ1vCDTEpc2bysCZR6iwAtUnWKT5WK8Rpv1llfFfCRAuT9:DIKp/UWCZdCDh2IZDwAFRpR6Au

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Dridex payload 9 IoCs

    Detects Dridex x64 core DLL in memory.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\12165e6cc5aa936770832b61eada40b38d30dc9ec123117868d795165810d108.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:4984
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
      PID:2244
    • C:\Users\Admin\AppData\Local\MX9IqR0\AgentService.exe
      C:\Users\Admin\AppData\Local\MX9IqR0\AgentService.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:1020
    • C:\Windows\system32\ApplySettingsTemplateCatalog.exe
      C:\Windows\system32\ApplySettingsTemplateCatalog.exe
      1⤵
        PID:1352
      • C:\Users\Admin\AppData\Local\9TNC7qp\ApplySettingsTemplateCatalog.exe
        C:\Users\Admin\AppData\Local\9TNC7qp\ApplySettingsTemplateCatalog.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2848
      • C:\Windows\system32\DeviceEnroller.exe
        C:\Windows\system32\DeviceEnroller.exe
        1⤵
          PID:2552
        • C:\Users\Admin\AppData\Local\4188I1A\DeviceEnroller.exe
          C:\Users\Admin\AppData\Local\4188I1A\DeviceEnroller.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:468

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\4188I1A\DeviceEnroller.exe
          Filesize

          448KB

          MD5

          946d9474533f58d2613078fd14ca7473

          SHA1

          c2620ac9522fa3702a6a03299b930d6044aa5e49

          SHA256

          cf5f5fe084f172e9c435615c1dc6ae7d3bd8c5ec8ea290caa0627c2f392760cb

          SHA512

          3653d41a0553ee63a43490f682c9b528651a6336f28adafc333d4d148577351122db8279ff83ee59bb0a9c17bb384e9f6c9c78677c8c5ed671a42036dec1f8c1

          Download Submit

        • C:\Users\Admin\AppData\Local\4188I1A\XmlLite.dll
          Filesize

          672KB

          MD5

          0db1d7d267d323fd864ae972af2ab3f8

          SHA1

          e4b8e54eed55307cd86d54facfb7b6fa81c25add

          SHA256

          35eb34495555f0ac66736894b5af1516ef653c61607a0bac2abbd6a39b4f9c68

          SHA512

          6edd88ee9cc4ca196ac289c9928f4aeb3d400686eb119e7551524a55ac52e74d44dc5394b15e8fb7281de6e26cc584eca86829ba408f3e364733550e943809dc

          Download Submit

        • C:\Users\Admin\AppData\Local\9TNC7qp\ACTIVEDS.dll
          Filesize

          672KB

          MD5

          4a9aac86a16557797a3e7bfac81e15c7

          SHA1

          b99c8d017bf731e84c3847f3cc9f0a8537ce1d96

          SHA256

          b4dea5a4cbd8ea13e1453039531348eb73e8d1b04e3b512357c9f707d727dde5

          SHA512

          c92dc7c571339a65a435c0d38e947ba23791bcafe1e9582f64f3c81a7acdc87854f54ef47e11a038b7976edcb1be7d7bf670efcf596a016d79c440121cd0b17d

          Download Submit

        • C:\Users\Admin\AppData\Local\9TNC7qp\ApplySettingsTemplateCatalog.exe
          Filesize

          1.1MB

          MD5

          13af41b1c1c53c7360cd582a82ec2093

          SHA1

          7425f893d1245e351483ab4a20a5f59d114df4e1

          SHA256

          a462f29efaaa3c30411e76f32608a2ba5b7d21af3b9804e5dda99e342ba8c429

          SHA512

          c7c82acef623d964c520f1a458dbfe34099981de0b781fb56e14b1f82632e3a8437db6434e7c20988aa3b39efde47aab8d188e80845e841a13e74b079285706a

          Download Submit

        • C:\Users\Admin\AppData\Local\MX9IqR0\AgentService.exe
          Filesize

          1.2MB

          MD5

          f8bac206def3e87ceb8ef3cb0fb5a194

          SHA1

          a28ea816e7b5ca511da4576262a5887a75171276

          SHA256

          c69e4520d5dd84a409c2df1825ba30ec367400e4f7b001c8e971da8bef1a2268

          SHA512

          8df9a814c738e79492a3b72ba359bf3aedfb89fe02215ef58e743c541a2194ba47e227969d76c55387eee6eb367ca68e4b3cdf054022cb86e62376cc2fdef909

          Download Submit

        • C:\Users\Admin\AppData\Local\MX9IqR0\VERSION.dll
          Filesize

          672KB

          MD5

          f9a5bfeb8a17bac78925614e5ffb38e9

          SHA1

          771ee6f94fde081a9c5e4a353d66d74107a5be5d

          SHA256

          3f14951bf73bf8e773d2c3dc568eb922bbe502cd367cee29b0133cd6e987a1f0

          SHA512

          ac934ed9e2ce9bf0826fd26aa967f97f42974f639af67ca65e0792952a5d847f06b8c74ab5981b586147dc0c16b5d4e887476fe29200d60d89b3288c6eeda8d9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Updjljcn.lnk
          Filesize

          980B

          MD5

          01dabd19e8712ece96841e8e32209fc6

          SHA1

          7a7ae73d36e2f7ff52fdf58d58771eb360b9b532

          SHA256

          9c1e20ef3447a4ab1ec2bcc41ca44f628953a96db8915a48c1b2a48b894bacf7

          SHA512

          3228155857f2cb64d9e8ab7da5729003acf4588324dd6c2091adc09f4c8a239a2c6b5245088cbfbab940e7139ab3782cafe4311058863eebda5ce30f8cb8fe9f

          Download Submit

        • memory/468-81-0x00007FFA21B10000-0x00007FFA21BB8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1020-50-0x00007FFA21B10000-0x00007FFA21BB8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/1020-47-0x000001722CF40000-0x000001722CF47000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1020-45-0x00007FFA21B10000-0x00007FFA21BB8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2848-61-0x000001BF18F30000-0x000001BF18F37000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2848-66-0x00007FFA21B10000-0x00007FFA21BB8000-memory.dmp

          Filesize

          672KB

          Download

        • memory/3444-15-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-35-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-10-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-9-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-8-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-7-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-6-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-3-0x00000000024F0000-0x00000000024F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-13-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-24-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-25-0x00007FFA3F4E0000-0x00007FFA3F4F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-12-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-26-0x00007FFA3F4D0000-0x00007FFA3F4E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3444-4-0x00007FFA3D99A000-0x00007FFA3D99B000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3444-16-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-23-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/3444-14-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/3444-11-0x0000000140000000-0x00000001400A7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4984-0-0x00007FFA31010000-0x00007FFA310B7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4984-38-0x00007FFA31010000-0x00007FFA310B7000-memory.dmp

          Filesize

          668KB

          Download

        • memory/4984-2-0x00000234439A0000-0x00000234439A7000-memory.dmp

          Filesize

          28KB

          Download