Resubmissions

08-02-2024 01:32

240208-bx7pqsbg96 10

27-01-2024 14:19

240127-rmwgqadhc4 10

Analysis

  • max time kernel
    111s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-01-2024 14:19

General

  • Target
    The-MALWARE-Repo-master/The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe
  • Size
    132KB
  • MD5
    dbf96ab40b728c12951d317642fbd9da
  • SHA1
    38687e06f4f66a6a661b94aaf4e73d0012dfb8e3
  • SHA256
    daab430bb5771eaa7af0fbd3417604e8af5f4693099a6393a4dc3b440863bced
  • SHA512
    a49cc96651d01da5d6cbb833df36b7987eafb4f09cc9c516c10d0d812002d06ae8edee4e7256c84e300dc2eadad90f7bb37c797bccdee4bad16fcaf88277b381
  • SSDEEP
    3072:uItv1YJOQnVc2pEANuoUeyCx9CC5O86BJaoqsf:xrr2pEANuXCx9Jd6c

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Discovers systems in the same network 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe
    "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3268
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
      2⤵
      • Deletes itself
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Windows\SysWOW64\whoami.exe
        C:\Windows\system32\whoami.exe /all
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1260
      • C:\Windows\SysWOW64\net.exe
        C:\Windows\system32\net.exe view
        3⤵
        • Discovers systems in the same network
        PID:1392

Network

  • DNS (US) 114.110.16.96.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 114.110.16.96.in-addr.arpa IN PTR
    Response: 114.110.16.96.in-addr.arpa IN PTR a96-16-110-114.deploy.static.akamaitechnologies.com
  • DNS (US) 58.55.71.13.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 58.55.71.13.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 176.178.17.96.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 176.178.17.96.in-addr.arpa IN PTR
    Response: 176.178.17.96.in-addr.arpa IN PTR a96-17-178-176.deploy.static.akamaitechnologies.com
  • DNS (US) 50.23.12.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 50.23.12.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 56.126.166.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 56.126.166.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 18.134.221.88.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 18.134.221.88.in-addr.arpa IN PTR
    Response: 18.134.221.88.in-addr.arpa IN PTR a88-221-134-18.deploy.static.akamaitechnologies.com
  • DNS (US) 67.31.126.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 67.31.126.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 228.249.119.40.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 228.249.119.40.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 183.142.211.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 183.142.211.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 23.236.111.52.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 23.236.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS (US) 180.178.17.96.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 180.178.17.96.in-addr.arpa IN PTR
    Response: 180.178.17.96.in-addr.arpa IN PTR a96-17-178-180.deploy.static.akamaitechnologies.com
  • DNS (US) 2.173.189.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 2.173.189.20.in-addr.arpa IN PTR
    Response: (empty)
  • 91.92.136.107:443
    svchost.exe
    260 B
    5
  • 8.8.8.8:53
    114.110.16.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    114.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    176.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    176.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    18.134.221.88.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    18.134.221.88.in-addr.arpa

  • 8.8.8.8:53
    67.31.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    67.31.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    183.142.211.20.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    183.142.211.20.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    180.178.17.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    180.178.17.96.in-addr.arpa

  • 8.8.8.8:53
    2.173.189.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • memory/1524-9-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/1524-7-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/1524-31-0x0000000077510000-0x0000000077600000-memory.dmp
    Filesize: 960KB
  • memory/1524-3-0x0000000002D40000-0x0000000002D41000-memory.dmp
    Filesize: 4KB
  • memory/1524-5-0x0000000077510000-0x0000000077600000-memory.dmp
    Filesize: 960KB
  • memory/1524-8-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/1524-14-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/1524-10-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/1524-15-0x0000000002D20000-0x0000000002D26000-memory.dmp
    Filesize: 24KB
  • memory/1524-12-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/1524-11-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/1524-13-0x0000000000400000-0x0000000000422000-memory.dmp
    Filesize: 136KB
  • memory/3268-0-0x00000000006E0000-0x0000000000702000-memory.dmp
    Filesize: 136KB
  • memory/3268-1-0x00000000017C0000-0x00000000017C6000-memory.dmp
    Filesize: 24KB
  • memory/3268-2-0x00000000006E0000-0x0000000000702000-memory.dmp
    Filesize: 136KB
