b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Analysis

max time kernel
150s
max time network
162s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-01-2025 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
Size

628KB
MD5

97a26d9e3598fea2e1715c6c77b645c2
SHA1

c4bf3a00c9223201aa11178d0f0b53c761a551c4
SHA256

e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
SHA512

acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c
SSDEEP

12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Xjxddytacc = "\"C:\\Users\\Admin\\AppData\\Roaming\\YzQgFar\\SystemPropertiesComputerName.exe\""	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\aUzYO\PresentationSettings.exe	cmd.exe
File opened for modification	C:\Windows\system32\aUzYO\PresentationSettings.exe	cmd.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\8HP.cmd"	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\ms-settings\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\ms-settings	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\ms-settings\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1006597246-3150276181-3318461161-1000_Classes\ms-settings\shell\open	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found
3636	Process not Found

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found
Token: SeShutdownPrivilege	3636	Process not Found
Token: SeCreatePagefilePrivilege	3636	Process not Found

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 2872	3636	Process not Found	88
PID 3636 wrote to memory of 2872	3636	Process not Found	88
PID 3636 wrote to memory of 3280	3636	Process not Found	90
PID 3636 wrote to memory of 3280	3636	Process not Found	90
PID 3636 wrote to memory of 2488	3636	Process not Found	93
PID 3636 wrote to memory of 2488	3636	Process not Found	93
PID 3636 wrote to memory of 2460	3636	Process not Found	94
PID 3636 wrote to memory of 2460	3636	Process not Found	94
PID 3636 wrote to memory of 3296	3636	Process not Found	96
PID 3636 wrote to memory of 3296	3636	Process not Found	96
PID 3296 wrote to memory of 1252	3296	fodhelper.exe	97
PID 3296 wrote to memory of 1252	3296	fodhelper.exe	97
PID 1252 wrote to memory of 4912	1252	cmd.exe	99
PID 1252 wrote to memory of 4912	1252	cmd.exe	99
PID 3636 wrote to memory of 3696	3636	Process not Found	101
PID 3636 wrote to memory of 3696	3636	Process not Found	101
PID 3696 wrote to memory of 1828	3696	cmd.exe	103
PID 3696 wrote to memory of 1828	3696	cmd.exe	103
PID 3636 wrote to memory of 3328	3636	Process not Found	104
PID 3636 wrote to memory of 3328	3636	Process not Found	104
PID 3328 wrote to memory of 2888	3328	cmd.exe	106
PID 3328 wrote to memory of 2888	3328	cmd.exe	106
PID 3636 wrote to memory of 4724	3636	Process not Found	107
PID 3636 wrote to memory of 4724	3636	Process not Found	107
PID 4724 wrote to memory of 2228	4724	cmd.exe	109
PID 4724 wrote to memory of 2228	4724	cmd.exe	109
PID 3636 wrote to memory of 4668	3636	Process not Found	110
PID 3636 wrote to memory of 4668	3636	Process not Found	110
PID 4668 wrote to memory of 2776	4668	cmd.exe	112
PID 4668 wrote to memory of 2776	4668	cmd.exe	112
PID 3636 wrote to memory of 1416	3636	Process not Found	113
PID 3636 wrote to memory of 1416	3636	Process not Found	113
PID 1416 wrote to memory of 4872	1416	cmd.exe	115
PID 1416 wrote to memory of 4872	1416	cmd.exe	115
PID 3636 wrote to memory of 952	3636	Process not Found	116
PID 3636 wrote to memory of 952	3636	Process not Found	116
PID 952 wrote to memory of 1844	952	cmd.exe	118
PID 952 wrote to memory of 1844	952	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3052

C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
1⤵
PID:2872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\LbirA.cmd
1⤵
PID:3280

C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
1⤵
PID:2488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\yel.cmd
1⤵
- Drops file in System32 directory
PID:2460

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3296
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\8HP.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Oklhuijy" /TR C:\Windows\system32\aUzYO\PresentationSettings.exe /SC minute /MO 60 /RL highest
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Oklhuijy"
1⤵
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Oklhuijy"
  2⤵
  PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Oklhuijy"
1⤵
- Suspicious use of WriteProcessMemory
PID:3328
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Oklhuijy"
  2⤵
  PID:2888

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Oklhuijy"
1⤵
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Oklhuijy"
  2⤵
  PID:2228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Oklhuijy"
1⤵
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Oklhuijy"
  2⤵
  PID:2776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Oklhuijy"
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Oklhuijy"
  2⤵
  PID:4872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Oklhuijy"
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Oklhuijy"
  2⤵
  PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8HP.cmd

Filesize
138B

MD5
bb091c304126255cb84c7d310ed1c89a

SHA1
06c55c73f94d216b9ef73f0d51be07b4438b4758

SHA256
46e55fcf75be2bc10099b111e60ca65fe8674f3031fb51d7dc826f3248bb9739

SHA512
b18d3d5b7171730f7c885d2c00b1cd1b90acb85cf5b991bc9140e498faa5051486bc400c28472ff991c861d1d62586364d321a1871d6ebe754257f2c66acb9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF26E.tmp

Filesize
628KB

MD5
113f346fdca196ec0e51f8e1cf983a33

SHA1
499c30b2ac814c469550721a267b66f06e63539f

SHA256
da60117736d000cc4a41d20f7c1775643a60e0b28a35e0ffd556df84f8d381c1

SHA512
a86ebfd29c8b975679e22689078ac6eff041b6de19c98902007580d488733a1ef6eeb17d55aeccd894b056c2ae7ebb92bde268b096de816a2c6669a1aabf2831

Download Submit
C:\Users\Admin\AppData\Local\Temp\LbirA.cmd

Filesize
253B

MD5
90f2b9a130eaa7788d9026ff2d2d01f0

SHA1
2de7be50d9af2f1d26709f4d8572e18e1c2c1cc8

SHA256
113582ffa2fdded385fbc7e1433f978b19c628900292423ef2dde832ac97d49b

SHA512
b4d0bdbe2cbbe5bbcf6bf3aa92e8ac7f261140f662dcaad560eee1faacf662a6975441fcc6448215c688ec9980fbd0c3e84011cc9c50101dad256677cc5d8134

Download Submit
C:\Users\Admin\AppData\Local\Temp\ObT1A3B.tmp

Filesize
636KB

MD5
0f6de14cad3fae79a05e7e7f1432df2e

SHA1
1098c2bfb54efc40d3da3e3d7c40d1316596d36a

SHA256
1936fa477226eb41ea85111d1b3aac323933d4847ebc9749381e9e60aa89b6db

SHA512
a6612f6473774efb461bfe4d6c4b7397fd4b9364952754647872a8e75ee01291696a3b891044e6b18fbbe4fb46e22ff60c85abe75ece0572f9feb85086ac94af

Download Submit
C:\Users\Admin\AppData\Local\Temp\yel.cmd

Filesize
208B

MD5
1def8134d1743bd36b7f58a8dee38cf4

SHA1
e3d59cab01eda2fd433930438f531676cd2e1ca4

SHA256
9c1499d407b7ce980435520231816e627f9d867005f4bccddbca3a05c1f44f03

SHA512
571842510df0c8d81badd155081aa886192664a5775cad29723e22c4f4a81b12ca09a7752160e74c52c7d3408be80c24395510271f531453e8fee1dd74248be7

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Xjxddytacc.lnk

Filesize
1018B

MD5
a44f9a623688efeba6bf0303509ddcbd

SHA1
e5956f8e425e3e49df7ae0f8063f7ab8a2b1c409

SHA256
00a7475664c9860db56a3ffacc7f27a1b1d792303b8c2fd2640a3e8b056b3dd4

SHA512
80f6583271024d5f1a0a5951e4658cbb280b84f39bc053b932299179fe4f5db5490460f89f1e3dec9922ee44f2e03aae637422c26a539834cf1f201840ae62b0

Download Submit
memory/3052-0-0x000001A00D360000-0x000001A00D367000-memory.dmp

Filesize
28KB

Download
memory/3052-1-0x00007FF9F4D10000-0x00007FF9F4DAD000-memory.dmp

Filesize
628KB

Download
memory/3052-6-0x00007FF9F4D10000-0x00007FF9F4DAD000-memory.dmp

Filesize
628KB

Download
memory/3636-13-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3636-7-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3636-14-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3636-23-0x00007FFA054E0000-0x00007FFA054F0000-memory.dmp

Filesize
64KB

Download
memory/3636-10-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3636-9-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3636-8-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3636-20-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3636-32-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3636-34-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3636-22-0x00007FFA0558D000-0x00007FFA0558E000-memory.dmp

Filesize
4KB

Download
memory/3636-21-0x0000000000FA0000-0x0000000000FA7000-memory.dmp

Filesize
28KB

Download
memory/3636-11-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3636-12-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3636-4-0x00007FFA03EE9000-0x00007FFA03EEA000-memory.dmp

Filesize
4KB

Download
memory/3636-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download