b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Analysis

max time kernel
150s
max time network
155s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250218-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250218-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05/03/2025, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
Size

628KB
MD5

97a26d9e3598fea2e1715c6c77b645c2
SHA1

c4bf3a00c9223201aa11178d0f0b53c761a551c4
SHA256

e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
SHA512

acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c
SSDEEP

12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lfoniegvg = "\"C:\\Users\\Admin\\AppData\\Roaming\\fo0u\\wlrmdr.exe\""	Process not Found

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\ZKbMr\quickassist.exe	cmd.exe
File opened for modification	C:\Windows\system32\ZKbMr\quickassist.exe	cmd.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\ms-settings\shell\open\command	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\ms-settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\ms-settings\shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\ms-settings\shell\open	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\JgNahPc.cmd"	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\ms-settings\shell	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\ms-settings\shell\open\command\DelegateExecute	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\ms-settings\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\ms-settings\shell\open	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-556327730-4249790997-552795783-1000_Classes\ms-settings	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2336	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4164	rundll32.exe
4164	rundll32.exe
4164	rundll32.exe
4164	rundll32.exe
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found
3568	Process not Found

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found
Token: SeShutdownPrivilege	3568	Process not Found
Token: SeCreatePagefilePrivilege	3568	Process not Found

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 980	3568	Process not Found	88
PID 3568 wrote to memory of 980	3568	Process not Found	88
PID 3568 wrote to memory of 1684	3568	Process not Found	90
PID 3568 wrote to memory of 1684	3568	Process not Found	90
PID 3568 wrote to memory of 884	3568	Process not Found	92
PID 3568 wrote to memory of 884	3568	Process not Found	92
PID 3568 wrote to memory of 948	3568	Process not Found	93
PID 3568 wrote to memory of 948	3568	Process not Found	93
PID 3568 wrote to memory of 2996	3568	Process not Found	95
PID 3568 wrote to memory of 2996	3568	Process not Found	95
PID 2996 wrote to memory of 2300	2996	fodhelper.exe	96
PID 2996 wrote to memory of 2300	2996	fodhelper.exe	96
PID 2300 wrote to memory of 2336	2300	cmd.exe	99
PID 2300 wrote to memory of 2336	2300	cmd.exe	99
PID 3568 wrote to memory of 4288	3568	Process not Found	100
PID 3568 wrote to memory of 4288	3568	Process not Found	100
PID 4288 wrote to memory of 4188	4288	cmd.exe	102
PID 4288 wrote to memory of 4188	4288	cmd.exe	102
PID 3568 wrote to memory of 1108	3568	Process not Found	103
PID 3568 wrote to memory of 1108	3568	Process not Found	103
PID 1108 wrote to memory of 1752	1108	cmd.exe	105
PID 1108 wrote to memory of 1752	1108	cmd.exe	105
PID 3568 wrote to memory of 3992	3568	Process not Found	106
PID 3568 wrote to memory of 3992	3568	Process not Found	106
PID 3992 wrote to memory of 4388	3992	cmd.exe	108
PID 3992 wrote to memory of 4388	3992	cmd.exe	108
PID 3568 wrote to memory of 332	3568	Process not Found	109
PID 3568 wrote to memory of 332	3568	Process not Found	109
PID 332 wrote to memory of 4412	332	cmd.exe	111
PID 332 wrote to memory of 4412	332	cmd.exe	111
PID 3568 wrote to memory of 956	3568	Process not Found	112
PID 3568 wrote to memory of 956	3568	Process not Found	112
PID 956 wrote to memory of 3184	956	cmd.exe	114
PID 956 wrote to memory of 3184	956	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4164

C:\Windows\system32\wlrmdr.exe
C:\Windows\system32\wlrmdr.exe
1⤵
PID:980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\XB4Xp.cmd
1⤵
PID:1684

C:\Windows\system32\quickassist.exe
C:\Windows\system32\quickassist.exe
1⤵
PID:884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\ecdHdH.cmd
1⤵
- Drops file in System32 directory
PID:948

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\JgNahPc.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Mrlaauv" /TR C:\Windows\system32\ZKbMr\quickassist.exe /SC minute /MO 60 /RL highest
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2336

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Mrlaauv"
1⤵
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Mrlaauv"
  2⤵
  PID:4188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Mrlaauv"
1⤵
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Mrlaauv"
  2⤵
  PID:1752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Mrlaauv"
1⤵
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Mrlaauv"
  2⤵
  PID:4388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Mrlaauv"
1⤵
- Suspicious use of WriteProcessMemory
PID:332
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Mrlaauv"
  2⤵
  PID:4412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Mrlaauv"
1⤵
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Mrlaauv"
  2⤵
  PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JgNahPc.cmd

Filesize
128B

MD5
8d37892b468886083feb91bda3aed536

SHA1
671d9a3f0643928d940acfc625f759752a2bbd78

SHA256
017c1f752d3c00bcf1e73a405797020d54455f4dccd1dd672f67ba4dc3412794

SHA512
8038bd9d471d3768a09ddb85990c22a1c3d7dc1beee2d84e388ce9b36b3a1d3a05736de28d0257047b729bdabbcb6a8e1fffa111ddf3401dd802c2e4cdaf82a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\T994293.tmp

Filesize
632KB

MD5
65795b7f2d043c27520f97ddb211e900

SHA1
2c76702822f789624fa7d3275e0550be5b8b9883

SHA256
362a9458b691042cd6ba3febdb5d2af0b21b101d98fa35371ba8767a15f9960b

SHA512
d655b8231895f8fba2a66d31d53f47cd1f5cb305c62d19ecf7646d3162699b775851d4d38e3430db39fd5ef6d1efbae898404e1fcee3d2f53a9ecf7c468ff570

Download Submit
C:\Users\Admin\AppData\Local\Temp\XB4Xp.cmd

Filesize
224B

MD5
05f24295663398b241058df61cfdbd73

SHA1
939c606c1b2859fce1be9c2a4069c593c19acdb7

SHA256
677ce7dc658da9adcd7ececa6ceae5d4f5e55624e0254d5d6295ba09568f6736

SHA512
4fc6e18be978ad5752e1271fd69c772314c4f7acf1e09f4a75772e09fbf596b74beec69211ca7c2a3341b68c04a03433ce328926a854e4a359219a5649116623

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecdHdH.cmd

Filesize
201B

MD5
50c9019dfea56bc09d96276e705460a3

SHA1
5150df374d41ba51a1f67f709699d730b064ab98

SHA256
bc914fa18b9c44a276147d7a03d7fab2f9a199b342d4a0595e6e7c99eadbfbdb

SHA512
9b321e839d692e9ec2ba0b5cbc78fb5d3330ad4f287d8d509d1a16f94249d0898ab3beff56a29d31ce113749d6d09895d319ebd3ce72a7521f0299f15a1cefbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rQZ18B3.tmp

Filesize
908KB

MD5
d70956b318c78f7567501bd5a79635fe

SHA1
57ab1f1837363b1180ab4356bcad8a493f8201d7

SHA256
6f48ec08d6951cf298432431b738c877f345f25579afe378de4bf54fe68ab915

SHA512
dec4bde2cc03b797452c549f3239dc0799e211b4aea3e66ee4fe09c73fea82f62847cf102dd878be62f589f33ecece761308c92ab0e4468f188c1470eac11368

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Lfoniegvg.lnk

Filesize
890B

MD5
64f08117acf8845411cbc15fbdd2c5b1

SHA1
2848098d42290dbb90ca9f6c4af773859b54df52

SHA256
a5844d15113ae6d085c65f5278191e47cac3ddf76438324d5c993a4110ec97f4

SHA512
76b0b840bdb4101aa5e303af02bcddaceba1f26a2bc26e6a9216d41e7e84713f6873219cada76e9fd9500bf4d2a8fafe8b0e66ca8b4832c7f0a7b23055aaf790

Download Submit
memory/3568-13-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3568-9-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3568-23-0x00007FFBAE020000-0x00007FFBAE030000-memory.dmp

Filesize
64KB

Download
memory/3568-22-0x00007FFBAE0CD000-0x00007FFBAE0CE000-memory.dmp

Filesize
4KB

Download
memory/3568-20-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3568-14-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3568-3-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

Filesize
4KB

Download
memory/3568-11-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3568-10-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3568-21-0x0000000002F80000-0x0000000002F87000-memory.dmp

Filesize
28KB

Download
memory/3568-8-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3568-34-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3568-33-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3568-12-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3568-7-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3568-5-0x00007FFBAC369000-0x00007FFBAC36A000-memory.dmp

Filesize
4KB

Download
memory/4164-6-0x00007FFB9E950000-0x00007FFB9E9ED000-memory.dmp

Filesize
628KB

Download
memory/4164-0-0x00007FFB9E950000-0x00007FFB9E9ED000-memory.dmp

Filesize
628KB

Download
memory/4164-2-0x000001EDF2220000-0x000001EDF2227000-memory.dmp

Filesize
28KB

Download