Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
28-09-2021 08:47
General
-
Target
eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d.dll
-
Size
2.1MB
-
MD5
5edd6ba336c4de29f55cadfd2167a67e
-
SHA1
af181a8f3fe25a515a8fe2a02559e5daceecf976
-
SHA256
eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d
-
SHA512
01b133fad6f564e6736d5f7297284da9aa8cc67a1c28a57b7b7eb1989ee049318377df85fbbeda9f777c0d955f07706743dc2becc3994bf9727a8d040067f5d5
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\eda8c025e5f5f67ae92bee0ed77113e18f60e9465f43fc43e00664f5bea7c32d.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
-
C:\Users\Admin\AppData\Local\jqFX\AgentService.exeC:\Users\Admin\AppData\Local\jqFX\AgentService.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\sigverif.exeC:\Windows\system32\sigverif.exe1⤵
-
C:\Users\Admin\AppData\Local\KL6lddaE\sigverif.exeC:\Users\Admin\AppData\Local\KL6lddaE\sigverif.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\PresentationSettings.exeC:\Windows\system32\PresentationSettings.exe1⤵
-
C:\Users\Admin\AppData\Local\2qa\PresentationSettings.exeC:\Users\Admin\AppData\Local\2qa\PresentationSettings.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\2qa\PresentationSettings.exeMD5
bd73d1773092998a116df978b49860b7
SHA1c69255098b8528b88e12a4051fd4e880e8ebe0e7
SHA256cebf396bdf405225c55ce25b6cac39165fa9cb26ddd52e73392df6ea4ce178ec
SHA512dc932ddc9e512776ec5e3a09aa136e2a7a9209ab6f5168c5bcf9756f33b4007a88a332d246a1cc96f0097c0c758e03997dad10907e4be1bf2183fa3e049b5611
-
C:\Users\Admin\AppData\Local\2qa\WINMM.dllMD5
a0e63ca02a3aab8e53af9674ed037f8d
SHA1fb458b82d5730f34b543015385a57bcea6caa543
SHA25628099f181502c7ba867c8325e146947e5e07a89695c9a364c1f376ac131f9590
SHA512527a60c2154753a56e11386767fbda3d9e1423a46329d2128dc54f5efb00747927766d9229ef5caad945df84e277a53304060d74aa64b5aad475f56a2b2f1acd
-
C:\Users\Admin\AppData\Local\KL6lddaE\VERSION.dllMD5
bb14e3236481a46f59dd67c86b7dbb7e
SHA16df0160e9c39bc04477c92b4463679bb8f681c32
SHA2562de03936a16017ffa2476af98cb4da2011811687945da82f52b326666f79eed9
SHA5125c3d56db696767d1072cdb3596f25c524a168f7582e6de2ebeb5d6b6c74553438f1e8cdbad0c95bd2eec8f9420894f6d34478e3aff505d3ba40f033c892c1581
-
C:\Users\Admin\AppData\Local\KL6lddaE\sigverif.exeMD5
92f7917624a4349f7b6041d08ae29714
SHA1eac68bc72ed4d8634a59a1a37faefa4f8327bd2f
SHA256a57403e41c7178403981cd384f6096f12092dee68d3dfbd92f94661f613dfcab
SHA51220eb8366a8285a7d19a8d860038364a625b9b7de5e9d87ed59d2580ab4d5658b6d09d9220f6b0a6291151145373f3e0ff8ac46609c6b4a4aafecc8f2670ac56d
-
C:\Users\Admin\AppData\Local\jqFX\ACTIVEDS.dllMD5
6d664285c3ba1c27c5d975d155278747
SHA14d749ff51d490b694891c6b877c4f4bd030c9c42
SHA25664736d80a5578618f76f00d0a6dc7803a7515fef562661018aa4f57d928265d4
SHA512a567560defa5b02444e8c01645af79e738b23dd5aeb65fc47123fa37d61537b561d33b6b54c414cd07fd5dda9e337dbfad90bfe400d08ec21d8ca407d97478f0
-
C:\Users\Admin\AppData\Local\jqFX\AgentService.exeMD5
5f1da3635c2f6b74ebfdebfc747b63b5
SHA18c26309d2bad1b97195a408d9a742c61942a09d1
SHA2561b456b777c5099a67e405fef20b5cbcb24c6fce9ed7a5a421c6574618364fd47
SHA5129d122a0388484844a6646a27d359532b437e10fa412b075597183b7bc8cbb4e3593eb193c25e0b81dc62b3098d340d6bdc53733e08ee6657c82d11ba32fe2d32
-
\Users\Admin\AppData\Local\2qa\WINMM.dllMD5
a0e63ca02a3aab8e53af9674ed037f8d
SHA1fb458b82d5730f34b543015385a57bcea6caa543
SHA25628099f181502c7ba867c8325e146947e5e07a89695c9a364c1f376ac131f9590
SHA512527a60c2154753a56e11386767fbda3d9e1423a46329d2128dc54f5efb00747927766d9229ef5caad945df84e277a53304060d74aa64b5aad475f56a2b2f1acd
-
\Users\Admin\AppData\Local\KL6lddaE\VERSION.dllMD5
bb14e3236481a46f59dd67c86b7dbb7e
SHA16df0160e9c39bc04477c92b4463679bb8f681c32
SHA2562de03936a16017ffa2476af98cb4da2011811687945da82f52b326666f79eed9
SHA5125c3d56db696767d1072cdb3596f25c524a168f7582e6de2ebeb5d6b6c74553438f1e8cdbad0c95bd2eec8f9420894f6d34478e3aff505d3ba40f033c892c1581
-
\Users\Admin\AppData\Local\jqFX\ACTIVEDS.dllMD5
6d664285c3ba1c27c5d975d155278747
SHA14d749ff51d490b694891c6b877c4f4bd030c9c42
SHA25664736d80a5578618f76f00d0a6dc7803a7515fef562661018aa4f57d928265d4
SHA512a567560defa5b02444e8c01645af79e738b23dd5aeb65fc47123fa37d61537b561d33b6b54c414cd07fd5dda9e337dbfad90bfe400d08ec21d8ca407d97478f0
-
memory/752-176-0x0000000000000000-mapping.dmp
-
memory/752-180-0x0000000140000000-0x0000000140212000-memory.dmpFilesize
2.1MB
-
memory/3028-149-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-155-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-130-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-131-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-132-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-133-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-134-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-135-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-136-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-137-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-138-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-139-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-140-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-141-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-142-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-143-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-144-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-145-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-146-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-147-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-148-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-128-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-150-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-151-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-152-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-153-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-154-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-129-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-156-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-157-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-158-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-159-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-160-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-161-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-163-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-162-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-164-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-127-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-126-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-165-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-173-0x00007FFDD8914560-0x00007FFDD8915560-memory.dmpFilesize
4KB
-
memory/3028-175-0x00007FFDD8860000-0x00007FFDD8870000-memory.dmpFilesize
64KB
-
memory/3028-120-0x0000000000840000-0x0000000000841000-memory.dmpFilesize
4KB
-
memory/3028-121-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-122-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-125-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-123-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/3028-124-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/4084-119-0x0000028196CB0000-0x0000028196CB7000-memory.dmpFilesize
28KB
-
memory/4084-115-0x0000000140000000-0x0000000140211000-memory.dmpFilesize
2.1MB
-
memory/4220-185-0x0000000000000000-mapping.dmp
-
memory/4408-194-0x0000000000000000-mapping.dmp
-
memory/4408-198-0x0000000140000000-0x0000000140213000-memory.dmpFilesize
2.1MB