Resubmissions

08-02-2024 01:32

240208-bx7pqsbg96 10

27-01-2024 14:19

240127-rmwgqadhc4 10

Analysis

  • max time kernel
    138s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-01-2024 14:19

General

  • Target

    The-MALWARE-Repo-master/The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.exe

  • Size

    152KB

  • MD5

    6164228ed2cc0eceba9ce1828d87d827

  • SHA1

    cea5bc473c948a78ce565b6e195e6e25f029c0c6

  • SHA256

    7fa83f0588f0f50d0635313918137c05cb59aa672d842f864073aebb72c66195

  • SHA512

    b53ac27397ce5453fa008d1a2e98f9f66be7d7f08375b92c88007544c09ab844d6c8eeceb2221c988e0a0d6ffc2a8a290e49715e3062a74bcd2310d41bffcc37

  • SSDEEP

    3072:VqD/ri6AM4odK4J663POAQgG8rYKvh+5Nl:V0xlIBwPOA+8Zhu

Score
10/10

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Deletes itself 1 IoCs
  • Discovers systems in the same network 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe
    "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.exe"
      2⤵
      • Deletes itself
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Windows\SysWOW64\whoami.exe
        C:\Windows\system32\whoami.exe /all
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
      • C:\Windows\SysWOW64\net.exe
        C:\Windows\system32\net.exe view
        3⤵
        • Discovers systems in the same network
        PID:2360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1248-10-0x0000000003000000-0x000000000302F000-memory.dmp

    Filesize

    188KB

  • memory/1248-8-0x0000000003000000-0x000000000302F000-memory.dmp

    Filesize

    188KB

  • memory/1248-2-0x0000000000E60000-0x0000000000E61000-memory.dmp

    Filesize

    4KB

  • memory/1248-29-0x00000000766E0000-0x00000000767D0000-memory.dmp

    Filesize

    960KB

  • memory/1248-5-0x00000000766E0000-0x00000000767D0000-memory.dmp

    Filesize

    960KB

  • memory/1248-7-0x0000000003000000-0x000000000302F000-memory.dmp

    Filesize

    188KB

  • memory/1248-14-0x0000000000E40000-0x0000000000E46000-memory.dmp

    Filesize

    24KB

  • memory/1248-9-0x0000000003000000-0x000000000302F000-memory.dmp

    Filesize

    188KB

  • memory/1248-11-0x0000000003000000-0x000000000302F000-memory.dmp

    Filesize

    188KB

  • memory/1248-12-0x0000000003000000-0x000000000302F000-memory.dmp

    Filesize

    188KB

  • memory/1248-6-0x0000000003000000-0x000000000302F000-memory.dmp

    Filesize

    188KB

  • memory/2616-1-0x00000000009F0000-0x00000000009F6000-memory.dmp

    Filesize

    24KB

  • memory/2616-0-0x0000000002730000-0x000000000275F000-memory.dmp

    Filesize

    188KB

  • memory/2616-4-0x0000000002730000-0x000000000275F000-memory.dmp

    Filesize

    188KB