Overview

overview

10

Static

static

10

The-MALWAR...ot.exe

windows7-x64

10

The-MALWAR...ot.exe

windows10-2004-x64

10

The-MALWAR...ll.exe

windows7-x64

10

The-MALWAR...ll.exe

windows10-2004-x64

10

The-MALWAR...BS.exe

windows7-x64

10

The-MALWAR...BS.exe

windows10-2004-x64

10

The-MALWAR...in.exe

windows7-x64

7

The-MALWAR...in.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

7

The-MALWAR....A.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

10

The-MALWAR....A.exe

windows10-2004-x64

10

The-MALWAR....A.dll

windows7-x64

7

The-MALWAR....A.dll

windows10-2004-x64

6

The-MALWAR...r.xlsm

windows7-x64

10

The-MALWAR...r.xlsm

windows10-2004-x64

10

The-MALWAR...658754

ubuntu-18.04-amd64

8

The-MALWAR...e3c0f1

ubuntu-18.04-amd64

8

The-MALWAR...b16793

ubuntu-18.04-amd64

8

The-MALWAR...9fd013

ubuntu-18.04-amd64

8

The-MALWAR...17bf0d

ubuntu-18.04-amd64

8

The-MALWAR...11b2b2

ubuntu-18.04-amd64

8

The-MALWAR...18cd3a

ubuntu-18.04-amd64

8

The-MALWAR...c0b6aa

ubuntu-18.04-amd64

8

The-MALWAR...cec74a

ubuntu-18.04-amd64

8

The-MALWAR...5211bb

ubuntu-18.04-amd64

8

The-MALWAR...b7a014

ubuntu-18.04-amd64

8

The-MALWAR...dafcbf

ubuntu-18.04-amd64

8

The-MALWAR...ecdf6f

ubuntu-18.04-amd64

8

The-MALWAR...ace289

ubuntu-18.04-amd64

8

The-MALWAR...8ea4f5

ubuntu-18.04-amd64

8

The-MALWAR...c6d281

ubuntu-18.04-amd64

8

Resubmissions

08-02-2024 01:32

240208-bx7pqsbg96 10

27-01-2024 14:19

240127-rmwgqadhc4 10

Analysis

  • max time kernel
    153s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    27-01-2024 14:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll

  • Size

    628KB

  • MD5

    97a26d9e3598fea2e1715c6c77b645c2

  • SHA1

    c4bf3a00c9223201aa11178d0f0b53c761a551c4

  • SHA256

    e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f

  • SHA512

    acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c

  • SSDEEP

    12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score
7/10
persistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1740
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    1⤵
      PID:2464
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\sk7zmPQ.cmd
      1⤵
        PID:880
      • C:\Windows\system32\dccw.exe
        C:\Windows\system32\dccw.exe
        1⤵
          PID:2896
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\6TwGKQ.cmd
          1⤵
          • Drops file in System32 directory
          PID:2752
        • C:\Windows\System32\eventvwr.exe
          "C:\Windows\System32\eventvwr.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2988
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\VFy.cmd
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2136
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Create /F /TN "Hkckipfn" /TR C:\Windows\system32\2XSO\dccw.exe /SC minute /MO 60 /RL highest
              3⤵
              • Creates scheduled task(s)
              PID:2424
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Hkckipfn"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1008
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Query /TN "Hkckipfn"
            2⤵
              PID:1596
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Hkckipfn"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2472
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Query /TN "Hkckipfn"
              2⤵
                PID:2160
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Hkckipfn"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2092
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Query /TN "Hkckipfn"
                2⤵
                  PID:2668
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Hkckipfn"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:2448
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Query /TN "Hkckipfn"
                  2⤵
                    PID:1048
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Hkckipfn"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:684
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Query /TN "Hkckipfn"
                    2⤵
                      PID:1772

                  Network

                  MITRE ATT&CK Matrix ATT&CK v13

                  Initial Access

                  Execution

                  Scheduled Task/Job

                  1
                  T1053

                  Persistence

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Scheduled Task/Job

                  1
                  T1053

                  Privilege Escalation

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Scheduled Task/Job

                  1
                  T1053

                  Defense Evasion

                  Modify Registry

                  1
                  T1112

                  Credential Access

                  Discovery

                  Query Registry

                  1
                  T1012

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Resource Development

                  Reconnaissance

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\6TwGKQ.cmd
                    Filesize

                    187B

                    MD5

                    59ac6bf81144be63ada79e2df7b8da30

                    SHA1

                    576ccdad6820355b3d0eece8336dd03e45915259

                    SHA256

                    6812928ad675e829697d2afad6347841e6c8f7ef4528386d3f80f2ff1f3416c8

                    SHA512

                    a91d4d70523edb4adb4b884be9a6e5ac0ecc11b983ea6a6b8ce003b33e2b9438a6ff67b412188277b64a2af77f6db29b97c01c1b8cf3e7ed58d53ea78bbcb746

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\GnE34D.tmp
                    Filesize

                    628KB

                    MD5

                    868f6b71ef80c8329588655ca8264c7f

                    SHA1

                    1e6be8a0619087cbf56b0a6693048b9123ce09e6

                    SHA256

                    6c358509100a3f221e0f5cb72cc1268b9fc38e763ee8cf32bae592e871b4dc17

                    SHA512

                    cb9b395149f129f7d8b7c651b65f3eeebf0e2052d2b850002669690dd0048dd078c0a63fc870e681228d1143c1c23e003a7ebdcb9b6ee03d0efedae79b733a55

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\VFy.cmd
                    Filesize

                    121B

                    MD5

                    e011f466281b18a877a36b2eab23d0c9

                    SHA1

                    1220e33e938d29b25f6281075a189f93b830cb06

                    SHA256

                    b8a7e8b3ba40bff696cc8a9b9b831ee4d10ab47fe0393683aacf52bae0639825

                    SHA512

                    46ba2c889d89adee39600425f0a72fe7898adec0752ec01119595e47cb1743219d2ca82182f62565743bb44a8ea8cf3d7ad3d70743d1946437fcca437514a6e1

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\e9C80.tmp
                    Filesize

                    628KB

                    MD5

                    b0cca5eb15611095166a799637025bb9

                    SHA1

                    d4524e44b470059bff7d0c02e7f333d935186f56

                    SHA256

                    9f62e3032b29b22b64d9cb3c29bf21a34d932c738cf54e257531d4b1cbdf9d4e

                    SHA512

                    462e2f127e50dd4f19556e6b85874069b7f6aa27e5ccba7ecbfb8da32120e06d3f9b433113a8d0bb519762a2aefd8ac7947eb6c161bfdd043f2343cce6a2c910

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\sk7zmPQ.cmd
                    Filesize

                    232B

                    MD5

                    fa31ef0c555fe05b21e38849efa10c7d

                    SHA1

                    33341e7a18f97b5e92c8deb7e20dd03a6c73cfed

                    SHA256

                    797edec972df8a27282cc542899ee705259621c2a29c3e67ee74688d04b07e31

                    SHA512

                    c6fb35055bd631215378a423e774ee1cc96ef610cd090f17395873ee74112df7d23f5cacaab6e1bc74310b7e4034e2fae2ee4266a559362e02ce865158841f17

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\6XiyY0\recdisc.exe
                    Filesize

                    232KB

                    MD5

                    f3b306179f1840c0813dc6771b018358

                    SHA1

                    dec7ce3c13f7a684cb52ae6007c99cf03afef005

                    SHA256

                    dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0

                    SHA512

                    9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fskzoiv.lnk
                    Filesize

                    880B

                    MD5

                    95009c124a895a339d0a08ab1c2f14c9

                    SHA1

                    60281d8efc316540f540f378d59570b08ba4210b

                    SHA256

                    823448ea8654198c8378f7c4ab9d5677b88accc0895e8de4e2537e602d95d097

                    SHA512

                    4bb3a8c0e4e6011e8efb271580aad9c91cef14003572249d843a93b40ea5e8ee66b18ef2ad736e72f381d454b942052e075d111fe1d8d15039b58ce35a486dad

                    Download Submit
                  • memory/1196-8-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-33-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-12-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-11-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-14-0x0000000002AF0000-0x0000000002AF7000-memory.dmp
                    Filesize

                    28KB

                    Download
                  • memory/1196-13-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-15-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-21-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-22-0x00000000776F1000-0x00000000776F2000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1196-23-0x0000000077850000-0x0000000077852000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1196-32-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-7-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-37-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-3-0x00000000774E6000-0x00000000774E7000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1196-10-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-9-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1196-53-0x00000000774E6000-0x00000000774E7000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1196-4-0x0000000002B10000-0x0000000002B11000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/1740-6-0x000007FEF7A60000-0x000007FEF7AFD000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1740-0-0x000007FEF7A60000-0x000007FEF7AFD000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/1740-1-0x0000000000100000-0x0000000000107000-memory.dmp
                    Filesize

                    28KB

                    Download