Overview

overview

10

Static

static

10

The-MALWAR...ot.exe

windows7-x64

10

The-MALWAR...ot.exe

windows10-2004-x64

10

The-MALWAR...ll.exe

windows7-x64

10

The-MALWAR...ll.exe

windows10-2004-x64

10

The-MALWAR...BS.exe

windows7-x64

10

The-MALWAR...BS.exe

windows10-2004-x64

10

The-MALWAR...in.exe

windows7-x64

7

The-MALWAR...in.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

7

The-MALWAR....A.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

10

The-MALWAR....A.exe

windows10-2004-x64

10

The-MALWAR....A.dll

windows7-x64

7

The-MALWAR....A.dll

windows10-2004-x64

6

The-MALWAR...r.xlsm

windows7-x64

10

The-MALWAR...r.xlsm

windows10-2004-x64

10

The-MALWAR...36c859

ubuntu-18.04-amd64

8

The-MALWAR...caa742

ubuntu-18.04-amd64

1

The-MALWAR...c1a732

ubuntu-18.04-amd64

1

The-MALWAR...57c046

ubuntu-18.04-amd64

8

The-MALWAR...4cde86

ubuntu-18.04-amd64

1

The-MALWAR...460a01

ubuntu-18.04-amd64

1

The-MALWAR...ece0c5

ubuntu-18.04-amd64

8

The-MALWAR...257619

ubuntu-18.04-amd64

8

The-MALWAR...fbcc59

ubuntu-18.04-amd64

1

The-MALWAR...54f69c

ubuntu-18.04-amd64

8

The-MALWAR...d539a6

ubuntu-18.04-amd64

8

The-MALWAR...4996dd

ubuntu-18.04-amd64

1

The-MALWAR...8232d5

ubuntu-18.04-amd64

8

The-MALWAR...66b948

ubuntu-18.04-amd64

8

The-MALWAR...f9db86

ubuntu-18.04-amd64

8

The-MALWAR...ea2485

ubuntu-18.04-amd64

8

Analysis

  • max time kernel
    189s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    11-11-2023 13:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll

  • Size

    628KB

  • MD5

    97a26d9e3598fea2e1715c6c77b645c2

  • SHA1

    c4bf3a00c9223201aa11178d0f0b53c761a551c4

  • SHA256

    e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f

  • SHA512

    acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c

  • SSDEEP

    12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2436
  • C:\Windows\system32\DWWIN.EXE
    C:\Windows\system32\DWWIN.EXE
    1⤵
      PID:3008
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\JVcafZz.cmd
      1⤵
        PID:3012
      • C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
        C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
        1⤵
          PID:2816
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\EzPTSg9.cmd
          1⤵
          • Drops file in System32 directory
          PID:3024
        • C:\Windows\System32\eventvwr.exe
          "C:\Windows\System32\eventvwr.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1216
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\2G0GxB.cmd
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1516
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Create /F /TN "Znghtln" /TR C:\Windows\system32\usPZ\WindowsAnytimeUpgradeResults.exe /SC minute /MO 60 /RL highest
              3⤵
              • Creates scheduled task(s)
              PID:1228
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Znghtln"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Query /TN "Znghtln"
            2⤵
              PID:1656
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Znghtln"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1620
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Query /TN "Znghtln"
              2⤵
                PID:1584
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Znghtln"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:380
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Query /TN "Znghtln"
                2⤵
                  PID:696
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Znghtln"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:752
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Query /TN "Znghtln"
                  2⤵
                    PID:2616
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Znghtln"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1524
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Query /TN "Znghtln"
                    2⤵
                      PID:1376
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Znghtln"
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2072
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Query /TN "Znghtln"
                      2⤵
                        PID:1364

                    Network

                    MITRE ATT&CK Matrix ATT&CK v13

                    Initial Access

                    Execution

                    Scheduled Task/Job

                    1
                    T1053

                    Persistence

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Scheduled Task/Job

                    1
                    T1053

                    Privilege Escalation

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Scheduled Task/Job

                    1
                    T1053

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Discovery

                    Query Registry

                    1
                    T1012

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Resource Development

                    Reconnaissance

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\2G0GxB.cmd
                      Filesize

                      144B

                      MD5

                      e082e1905195e1ab3ef1919ec0e0501d

                      SHA1

                      c821c2c1dd58648aa4aaf2ae7685847fae7df92a

                      SHA256

                      a6f3be69730cea9da53433a94ae39de3aa2e5a9d41826f5d4184bc85e18087e8

                      SHA512

                      18673384b64fb4f621e4547a86179069f51e5545b171fd9798abb0ed6ac0c321b3a088bb2ad4892acfbd4b0c9d167977787734a866092528e32098254015b8d2

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\EzPTSg9.cmd
                      Filesize

                      215B

                      MD5

                      bf4983b95b229931a765296f1c1cd2eb

                      SHA1

                      449fa8dec2b6a7f37a23d33b691cdbee0ece119b

                      SHA256

                      0f4bcf64c17a4bbeb350479a5f8b6ffb8d8acac0ce034d7fc14f20a998162b75

                      SHA512

                      c8502207b81228f67ce44dd95ffa9af4d5eb5e924287cd6ae119e4feded2901ef7fc8c20c5f23daa12e152aa7073269e43bccdec862bb2a9e16bb7aa0857e3e7

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\JVcafZz.cmd
                      Filesize

                      226B

                      MD5

                      e149f8113bb76a871dee38f1286eed1d

                      SHA1

                      7eefddc11cd529994ae3963f3b458d6cc4aec87c

                      SHA256

                      2abc2b388f292d9bb40733b72cedccb9024dc54b50862edb47bf355b0d5e22a8

                      SHA512

                      ecb6bf0b655090e9ccdf79dbf960438fbf1042f82177b7c52cd350152f0cfa9120b5bcbf0ce7a5ed059085327d03504e5801e3646763f32f685e9ccbcde5fabd

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\Z066A0.tmp
                      Filesize

                      628KB

                      MD5

                      9cea0a970ed3dfa9f700da76067b719c

                      SHA1

                      68dcd2ec4138092cbadb1b22334572dab273cd19

                      SHA256

                      72f858e1ce0a21101818ba056d906d7eace217f0e2b3b1e1fe609dfb52b68eec

                      SHA512

                      8baad6da4084dfbd84c8ea6dc0c7f42531872b5d6df0cd321e244a0a4dcdb1c5b7b5dc7c93195343c19ae6a5caf0b04cd4c67cfc76070beabe79b99df74ed0e7

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\ps3EB5.tmp
                      Filesize

                      632KB

                      MD5

                      6b5f79665316736fb16fece07af87f42

                      SHA1

                      392edbdf199b62311a40d052cb8efbf206e5ae9d

                      SHA256

                      695714d553cb1d3310c47d4ea9a1d75d9248bfd76f064161a69057ea4508ee35

                      SHA512

                      603775781c55e5273600c26cdf9f0bc3b3ac4ba9d7a26c71f372d24de73b19091957d7e1c3e2fc7a259857b06b117f7fb99627ace7dfaa81584ffa3a4bfaca6e

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\IMfIUT\DWWIN.EXE
                      Filesize

                      149KB

                      MD5

                      25247e3c4e7a7a73baeea6c0008952b1

                      SHA1

                      8087adb7a71a696139ddc5c5abc1a84f817ab688

                      SHA256

                      c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

                      SHA512

                      bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Qggynungfkpkrm.lnk
                      Filesize

                      874B

                      MD5

                      b02f62c2b377301b0bb8e07a54616545

                      SHA1

                      d5b9e460be3c5f62e5bf65a1d0049a564d4e5039

                      SHA256

                      20ad56d083ba777a8768ec0c28c8d817a7edbb8cb8d094f355e4eea1ae9fa7b2

                      SHA512

                      71dcfbb7db7223533f9173188f8f27cb47610f4b4e6b0fb0d97e8ee76b4f9b73f317ec2e2cb2e87cc13d7f7c4466dc7452322f66f78b10128c53fbfd75efeb60

                      Download Submit
                    • \Users\Admin\AppData\Roaming\IMfIUT\DWWIN.EXE
                      Filesize

                      149KB

                      MD5

                      25247e3c4e7a7a73baeea6c0008952b1

                      SHA1

                      8087adb7a71a696139ddc5c5abc1a84f817ab688

                      SHA256

                      c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

                      SHA512

                      bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

                      Download Submit
                    • memory/1272-9-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-36-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-12-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-13-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-14-0x0000000002B10000-0x0000000002B17000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/1272-15-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-21-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-22-0x0000000077371000-0x0000000077372000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1272-23-0x00000000774D0000-0x00000000774D2000-memory.dmp
                      Filesize

                      8KB

                      Download
                    • memory/1272-32-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-33-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-10-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-11-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-3-0x0000000077166000-0x0000000077167000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1272-8-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-7-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1272-53-0x0000000077166000-0x0000000077167000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1272-4-0x0000000002B30000-0x0000000002B31000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/2436-6-0x000007FEF6A40000-0x000007FEF6ADD000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/2436-0-0x00000000003F0000-0x00000000003F7000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/2436-1-0x000007FEF6A40000-0x000007FEF6ADD000-memory.dmp
                      Filesize

                      628KB

                      Download