Analysis
-
max time kernel
149s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
07-05-2024 23:03
General
-
Target
5ce626cc979bced4df80a332aa794800_NEIKI.dll
-
Size
1.8MB
-
MD5
5ce626cc979bced4df80a332aa794800
-
SHA1
31f289af6916a9e20780333e928710df52da459d
-
SHA256
445accea40bee73a661f478c9bfd5c9129b49ad86971a3cb25dae06f1a572a14
-
SHA512
40473c862c21c3cd44aabdc8ee4b232be2ffb20973049f7deebe792816d43b7e27788d89197a50ff5a9d5f282374a1fd830c0f8f2fdf6663864c853b06cd5090
-
SSDEEP
12288:m38uea4w46+K1FZPfxyMs2SRXTajPomqkpyrJXy6mfvHELWUbxdewWRa7Ckhkgjj:M8uea4w467D5/0ypyFYELW8xFZmMXJZ
Malware Config
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
Dridex Shellcode 1 IoCs
Detects Dridex Payload shellcode injected in Explorer process.
-
Dridex payload 8 IoCs
Detects Dridex x64 core DLL in memory.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5ce626cc979bced4df80a332aa794800_NEIKI.dll,#11⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\slui.exeC:\Windows\system32\slui.exe1⤵
-
C:\Users\Admin\AppData\Local\34fLLx\slui.exeC:\Users\Admin\AppData\Local\34fLLx\slui.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\wextract.exeC:\Windows\system32\wextract.exe1⤵
-
C:\Users\Admin\AppData\Local\BvhF9Ov\wextract.exeC:\Users\Admin\AppData\Local\BvhF9Ov\wextract.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
-
C:\Windows\system32\sethc.exeC:\Windows\system32\sethc.exe1⤵
-
C:\Users\Admin\AppData\Local\Y9RLgl\sethc.exeC:\Users\Admin\AppData\Local\Y9RLgl\sethc.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\34fLLx\SLC.dllFilesize
1.9MB
MD523366eb85df1dc3f6d028ae02af7a579
SHA1774f717f581bcd9f640e8d5f938133cdc339bbee
SHA25672f7f63b4844cae7e8b29c2610eb780f3afa3e2fc86df33f6832a398c03c2758
SHA51251070cc7340c787e989bf6ad41f6c48f5795881dd76098f25ba465c9cbdf3fd1757133ace5e7bfc68e44c5d00a1de534c20ce108930f6da612e77e55f1bea4c2
-
C:\Users\Admin\AppData\Local\34fLLx\slui.exeFilesize
534KB
MD5eb725ea35a13dc18eac46aa81e7f2841
SHA1c0b3304c970324952e18c4a51073e3bdec73440b
SHA25625e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff
SHA51239192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26
-
C:\Users\Admin\AppData\Local\BvhF9Ov\VERSION.dllFilesize
1.9MB
MD5ade97477402549bbe72b24d53f7ac331
SHA137542a2cf2882c7153c0fe6e98ff7df7043be348
SHA256039d73df02053334c88335e2bc7ac613ed1ea545cc341dd63b88e55c0e2ef787
SHA5120c1eeab82dea4542a2baf4ee881c63c300fc265fa7b103a41f0d4e8c376b5ac753c0da516ece8239c7e46747f70b2eb41cad064eb67f0a59c81627a7c4da861e
-
C:\Users\Admin\AppData\Local\BvhF9Ov\wextract.exeFilesize
143KB
MD556e501e3e49cfde55eb1caabe6913e45
SHA1ab2399cbf17dbee7b302bea49e40d4cee7caea76
SHA256fbb6dc62abeeb222b49a63f43dc6eea96f3d7e9a8da55381c15d57a5d099f3e0
SHA5122b536e86cbd8ab026529ba2c72c0fda97e9b6f0bc4fd96777024155852670cb41d17937cde372a44cdbad3e53b8cd3ef1a4a3ee9b34dfb3c2069822095f7a172
-
C:\Users\Admin\AppData\Local\Y9RLgl\WTSAPI32.dllFilesize
1.9MB
MD52eee7d9b52b6f4b0b9fc072aa5a40dc9
SHA192c71761d808371bfdd962be063363f971e992d7
SHA2568d1ae730edcfcc51c42d4b7859ad9b122c4c0fb267ae9554b3c68a6e2052d761
SHA512a19c26f95a422f2203abc17a47c22092e7dfdda6662c71281b055bedb06d3f0ab0bafdc4bcc7645bffd51adb5c55f57bb4621c162a668ea4bcbf08c4f306a7e7
-
C:\Users\Admin\AppData\Local\Y9RLgl\sethc.exeFilesize
104KB
MD58ba3a9702a3f1799431cad6a290223a6
SHA19c7dc9b6830297c8f759d1f46c8b36664e26c031
SHA256615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8
SHA512680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746
-
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ehesgegqlj.lnkFilesize
1KB
MD5015640e0ae74f31a3924e802c0f5db08
SHA18d4f16cbf5f79b0029bea320da024ae0fed18a1f
SHA256984e31b0c3133cb0aa7876bb815320af8dde6c6ebe674278922e1a1555acd454
SHA512defb5ab25af5319a43e9e7caecec6d2e390b43587bc9fb7072c6fb8b07331154fa4f4cc794859c6f395bea866d927c87d560a71a8724b13815c9f3e77c215038
-
memory/1484-51-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/1484-1-0x0000022A955C0000-0x0000022A955C7000-memory.dmpFilesize
28KB
-
memory/1484-0-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/2216-95-0x0000000140000000-0x00000001401DA000-memory.dmpFilesize
1.9MB
-
memory/2216-92-0x0000024D45140000-0x0000024D45147000-memory.dmpFilesize
28KB
-
memory/3324-37-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-7-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-25-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-24-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-22-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-20-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-18-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-17-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-14-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-13-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-12-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-11-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-10-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-23-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-21-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-8-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-19-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-26-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-15-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-9-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-27-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-38-0x00007FFA2EA00000-0x00007FFA2EA10000-memory.dmpFilesize
64KB
-
memory/3324-48-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-5-0x00007FFA2E77A000-0x00007FFA2E77B000-memory.dmpFilesize
4KB
-
memory/3324-3-0x0000000008510000-0x0000000008511000-memory.dmpFilesize
4KB
-
memory/3324-6-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-39-0x00007FFA2E9F0000-0x00007FFA2EA00000-memory.dmpFilesize
64KB
-
memory/3324-36-0x00000000084F0000-0x00000000084F7000-memory.dmpFilesize
28KB
-
memory/3324-16-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/3324-28-0x0000000140000000-0x00000001401D9000-memory.dmpFilesize
1.8MB
-
memory/4084-79-0x0000000140000000-0x00000001401DA000-memory.dmpFilesize
1.9MB
-
memory/4084-76-0x00000179B3900000-0x00000179B3907000-memory.dmpFilesize
28KB
-
memory/4344-63-0x0000000140000000-0x00000001401DA000-memory.dmpFilesize
1.9MB
-
memory/4344-58-0x0000000140000000-0x00000001401DA000-memory.dmpFilesize
1.9MB
-
memory/4344-60-0x0000028FA0B30000-0x0000028FA0B37000-memory.dmpFilesize
28KB