Overview

overview

10

Static

static

3

8dd40365e8...cs.dll

windows7-x64

10

8dd40365e8...cs.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 04:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8dd40365e845f07a0b429e634a4090c0_NeikiAnalytics.dll

  • Size

    896KB

  • MD5

    8dd40365e845f07a0b429e634a4090c0

  • SHA1

    9687bf0672114bf599cfb01e76cf88aa9c80a8e1

  • SHA256

    5afb1c3c0f4be11c4901a5654cace6795baf1cee126a154ebdd1d5729a6ee33e

  • SHA512

    0ac6c8b04acf4023b85aebd7018336904c6fbf93d565d60c21a3aee32d56a55b4f693eda3df0643cb2301ef5b08b4a92639a8a1a5831dfc40d6261889051e6de

  • SSDEEP

    12288:dGVNJAvuPFUl/faxGVlBLXKCgFfEK7JRLeHlX//ve7:g3JAvRl/fKwKCgFfx4P/va

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dd40365e845f07a0b429e634a4090c0_NeikiAnalytics.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1368
  • C:\Windows\system32\notepad.exe
    C:\Windows\system32\notepad.exe
    1⤵
      PID:2496
    • C:\Users\Admin\AppData\Local\SMK7P7\notepad.exe
      C:\Users\Admin\AppData\Local\SMK7P7\notepad.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2232
    • C:\Windows\system32\SystemPropertiesAdvanced.exe
      C:\Windows\system32\SystemPropertiesAdvanced.exe
      1⤵
        PID:2964
      • C:\Users\Admin\AppData\Local\A4i\SystemPropertiesAdvanced.exe
        C:\Users\Admin\AppData\Local\A4i\SystemPropertiesAdvanced.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2420
      • C:\Windows\system32\sigverif.exe
        C:\Windows\system32\sigverif.exe
        1⤵
          PID:2404
        • C:\Users\Admin\AppData\Local\ewn2LpQez\sigverif.exe
          C:\Users\Admin\AppData\Local\ewn2LpQez\sigverif.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious behavior: GetForegroundWindowSpam
          PID:760

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Query Registry

        1
        T1012

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\A4i\SYSDM.CPL
          Filesize

          900KB

          MD5

          164b905b83d258b1e67bc60851a86d48

          SHA1

          d1ccaa86035d8809de29fe1720b9f94e35262a15

          SHA256

          042c4b72e1872522173b7fb7d984396ff1820efe4e0884eee1e1901cf6498c6e

          SHA512

          efc0ac178798b762e8c53ec46451d7953b450e036e43c6547e8ac12425ae79a83c92dc947710ef0b4dc7187dc7cb9e276dae57529635e5eb227290c200ca4bd3

          Download Submit
        • C:\Users\Admin\AppData\Local\SMK7P7\VERSION.dll
          Filesize

          900KB

          MD5

          0279ac99f2efa827b76c93e224081587

          SHA1

          b8ecaab9d0af12b7d43e0d38677b70600120e143

          SHA256

          e234c34c2bfc12f5339bb4c636eebe5e536f3419640ce696f608dd27ae63a7b9

          SHA512

          cbdccb18f91f52a2a429d597dab1155b3ad2b4012b52fa5d771518ec398459f6b4c7917ab3b5511af09e1475dad4c5106a6d18f3f96f2152214ef1a4308206e5

          Download Submit
        • C:\Users\Admin\AppData\Local\SMK7P7\notepad.exe
          Filesize

          189KB

          MD5

          f2c7bb8acc97f92e987a2d4087d021b1

          SHA1

          7eb0139d2175739b3ccb0d1110067820be6abd29

          SHA256

          142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2

          SHA512

          2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

          Download Submit
        • C:\Users\Admin\AppData\Local\ewn2LpQez\VERSION.dll
          Filesize

          900KB

          MD5

          476265d9f798d8a911fe9a3b469b5589

          SHA1

          2b33cb89f1aa349c20db48c86ba47aa8bc78314a

          SHA256

          e42266e1cc1b5b73041c9de5b4fbc126dca49f4ccf6fb76c801863998fc1aaa2

          SHA512

          6a610de13646435a8430b47ca78bfc3a94d99a80a2d785c4fa4c6b3d96f15a008769bc7886c9a53f781f01d4b647e47a9f2fac312d1e4191b5481d83643aeeab

          Download Submit
        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mewsro.lnk
          Filesize

          1KB

          MD5

          b97a033d04bb2f857cd01142d9a9b1ad

          SHA1

          691cfe2516363dba0457028c06df99eb11cd1243

          SHA256

          21b300096635435b90af4d3287282a02889f92ad548f8ae6443540e8749e9cae

          SHA512

          333815f61b0ec42348a55e2d98d2193db0eeaea1a8311bee20812136e406264b848c99efef79b4c727f28b1332dc08d6aba37a11f3d685d3fc6d82fb75bf7f43

          Download Submit
        • \Users\Admin\AppData\Local\A4i\SystemPropertiesAdvanced.exe
          Filesize

          80KB

          MD5

          25dc1e599591871c074a68708206e734

          SHA1

          27a9dffa92d979d39c07d889fada536c062dac77

          SHA256

          a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef

          SHA512

          f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

          Download Submit
        • \Users\Admin\AppData\Local\ewn2LpQez\sigverif.exe
          Filesize

          73KB

          MD5

          e8e95ae5534553fc055051cee99a7f55

          SHA1

          4e0f668849fd546edd083d5981ed685d02a68df4

          SHA256

          9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec

          SHA512

          5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

          Download Submit
        • memory/760-107-0x0000000000100000-0x0000000000107000-memory.dmp
          Filesize

          28KB

          Download
        • memory/760-108-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/1148-15-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-26-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-29-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-28-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-27-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-25-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-24-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-23-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-22-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-21-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-20-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-19-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-18-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-17-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-16-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-127-0x0000000077486000-0x0000000077487000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1148-14-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-13-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-12-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-37-0x0000000002100000-0x0000000002107000-memory.dmp
          Filesize

          28KB

          Download
        • memory/1148-42-0x00000000776F0000-0x00000000776F2000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1148-41-0x0000000077591000-0x0000000077592000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1148-48-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-52-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-54-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-36-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-4-0x0000000077486000-0x0000000077487000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1148-5-0x0000000002D90000-0x0000000002D91000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1148-9-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-8-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-10-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1148-7-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1368-11-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1368-0-0x0000000140000000-0x00000001400E0000-memory.dmp
          Filesize

          896KB

          Download
        • memory/1368-2-0x0000000000190000-0x0000000000197000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2232-71-0x0000000000090000-0x0000000000097000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2232-72-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/2232-66-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download
        • memory/2420-84-0x0000000000280000-0x0000000000287000-memory.dmp
          Filesize

          28KB

          Download
        • memory/2420-90-0x0000000140000000-0x00000001400E1000-memory.dmp
          Filesize

          900KB

          Download