Overview

overview

10

Static

static

3

0e0d449478...xe.dll

windows7-x64

10

0e0d449478...xe.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2025 23:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e0d4494780c9010ece88f39f65bfbfcb13236e1652f7fe41e9c84a5b16583a5N.exe.dll

  • Size

    640KB

  • MD5

    808f8aa2eb9c746712dd4793ba90da70

  • SHA1

    7175856d3d473772c5e3fbb2af0ee72f9424f59d

  • SHA256

    0e0d4494780c9010ece88f39f65bfbfcb13236e1652f7fe41e9c84a5b16583a5

  • SHA512

    44d6b3891a7c0fec9a2a20d036113d273754433af8a0bb2b630be5a051fd087f0d4a3c2afe2304f27299457e4a946e9dac3bdb213ae13d6b77378982601b2ddb

  • SSDEEP

    6144:Gg12AzW5HsiScvtNybiR8g0ISTFCRVe9/JE+++sKS1JGWWsca65eu9K2zqc4CWAZ:G82AK5HOEksJ1YW7DwzqyQ

Score
10/10
dridexbotnetdefense_evasiondiscoveryloaderpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Loader 'dmod' strings 2 IoCs

    Detects 'dmod' strings in Dridex loader.

    botnetloader
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 5 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    defense_evasiontrojan
  • Enumerates connected drives 3 TTPs 8 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 58 IoCs
  • Suspicious use of FindShellTrayWindow 58 IoCs
  • Suspicious use of SendNotifyMessage 52 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e0d4494780c9010ece88f39f65bfbfcb13236e1652f7fe41e9c84a5b16583a5N.exe.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e0d4494780c9010ece88f39f65bfbfcb13236e1652f7fe41e9c84a5b16583a5N.exe.dll,#1
      2⤵
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:224
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3240
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3096
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3508
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2220
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3720
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/224-1-0x0000000074A40000-0x0000000074AE0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/224-0-0x00000000013C0000-0x00000000013C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/224-4-0x00000000013C0000-0x00000000013C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/224-3-0x0000000074A40000-0x0000000074AE0000-memory.dmp

    Filesize

    640KB

    Download