2d9bb4e3fddfe5dc51c54cba74a1eb594c7be9d34774524d972350edd85e6499

Resubmissions

08-02-2024 01:32

240208-bx7pqsbg96 10

27-01-2024 14:19

240127-rmwgqadhc4 10

Analysis

max time kernel
150s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
Size

628KB
MD5

97a26d9e3598fea2e1715c6c77b645c2
SHA1

c4bf3a00c9223201aa11178d0f0b53c761a551c4
SHA256

e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
SHA512

acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c
SSDEEP

12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "\"C:\\Users\\Admin\\AppData\\Roaming\\YcJW1a\\SystemPropertiesPerformance.exe\""

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Windows\system32\3pmmn\ApplicationFrameHost.exe	cmd.exe
File opened for modification	C:\Windows\system32\3pmmn\ApplicationFrameHost.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1348 schtasks.exe

pid	process
1348	schtasks.exe

Modifies registry class 10 IoCs

Processes:

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\ms-settings\shell\open\command
Key deleted	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\ms-settings\shell\open
Key deleted	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\ms-settings\shell
Key deleted	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\ms-settings
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\ms-settings
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\ms-settings\shell\open
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\JBm8.cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\ms-settings\shell\open\command\DelegateExecute
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\ms-settings\shell\open\command
Key created	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\ms-settings\shell

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
1180	rundll32.exe
1180	rundll32.exe
1180	rundll32.exe
1180	rundll32.exe
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352
3352

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352
Token: SeShutdownPrivilege	3352
Token: SeCreatePagefilePrivilege	3352

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

fodhelper.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3352 wrote to memory of 4880	3352		SystemPropertiesPerformance.exe
PID 3352 wrote to memory of 4880	3352		SystemPropertiesPerformance.exe
PID 3352 wrote to memory of 1708	3352		cmd.exe
PID 3352 wrote to memory of 1708	3352		cmd.exe
PID 3352 wrote to memory of 4436	3352		ApplicationFrameHost.exe
PID 3352 wrote to memory of 4436	3352		ApplicationFrameHost.exe
PID 3352 wrote to memory of 4028	3352		cmd.exe
PID 3352 wrote to memory of 4028	3352		cmd.exe
PID 3352 wrote to memory of 2692	3352		fodhelper.exe
PID 3352 wrote to memory of 2692	3352		fodhelper.exe
PID 2692 wrote to memory of 3576	2692	fodhelper.exe	cmd.exe
PID 2692 wrote to memory of 3576	2692	fodhelper.exe	cmd.exe
PID 3576 wrote to memory of 1348	3576	cmd.exe	schtasks.exe
PID 3576 wrote to memory of 1348	3576	cmd.exe	schtasks.exe
PID 3352 wrote to memory of 4404	3352		cmd.exe
PID 3352 wrote to memory of 4404	3352		cmd.exe
PID 4404 wrote to memory of 4592	4404	cmd.exe	schtasks.exe
PID 4404 wrote to memory of 4592	4404	cmd.exe	schtasks.exe
PID 3352 wrote to memory of 4648	3352		cmd.exe
PID 3352 wrote to memory of 4648	3352		cmd.exe
PID 4648 wrote to memory of 4840	4648	cmd.exe	schtasks.exe
PID 4648 wrote to memory of 4840	4648	cmd.exe	schtasks.exe
PID 3352 wrote to memory of 4884	3352		cmd.exe
PID 3352 wrote to memory of 4884	3352		cmd.exe
PID 4884 wrote to memory of 3968	4884	cmd.exe	schtasks.exe
PID 4884 wrote to memory of 3968	4884	cmd.exe	schtasks.exe
PID 3352 wrote to memory of 4208	3352		cmd.exe
PID 3352 wrote to memory of 4208	3352		cmd.exe
PID 4208 wrote to memory of 4552	4208	cmd.exe	schtasks.exe
PID 4208 wrote to memory of 4552	4208	cmd.exe	schtasks.exe
PID 3352 wrote to memory of 1776	3352		cmd.exe
PID 3352 wrote to memory of 1776	3352		cmd.exe
PID 1776 wrote to memory of 3940	1776	cmd.exe	schtasks.exe
PID 1776 wrote to memory of 3940	1776	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
1⤵
PID:4880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\6WuD.cmd
1⤵
PID:1708

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
1⤵
PID:4436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\cWSCY2y.cmd
1⤵
- Drops file in System32 directory
PID:4028

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\JBm8.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Create /F /TN "Cuzuiwgsauymkw" /TR C:\Windows\system32\3pmmn\ApplicationFrameHost.exe /SC minute /MO 60 /RL highest
    3⤵
    - Creates scheduled task(s)
    PID:1348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Cuzuiwgsauymkw"
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Cuzuiwgsauymkw"
  2⤵
  PID:4592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Cuzuiwgsauymkw"
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Cuzuiwgsauymkw"
  2⤵
  PID:4840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Cuzuiwgsauymkw"
1⤵
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Cuzuiwgsauymkw"
  2⤵
  PID:3968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Cuzuiwgsauymkw"
1⤵
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Cuzuiwgsauymkw"
  2⤵
  PID:4552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Cuzuiwgsauymkw"
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\system32\schtasks.exe
  schtasks.exe /Query /TN "Cuzuiwgsauymkw"
  2⤵
  PID:3940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6WuD.cmd

Filesize
249B

MD5
5186f7abc858a45b6e7f79123fc2e996

SHA1
8d3b71e6cabcfc3688e8efeb7fef932cd72646cc

SHA256
2317f80a7f6df140378e98f4d1e83586b4e85aa2ac449bbd97b0e47bb2a8f875

SHA512
3f96c6f35eaf0b312e3ed84c291889e6650effb8a5aa1c2c760e4822be2a17747c812bf4b179683a98a2503dd1adb43707bd81249cf9604d7a75e20bb319e303

Download Submit
C:\Users\Admin\AppData\Local\Temp\JBm8.cmd

Filesize
144B

MD5
ee7520d3047a6487c624921395baa6a1

SHA1
b757ecbd5f61cf3289d9786b7d4d9c5b91a72c61

SHA256
4319acb4eb0c502d44346043be88643ae02fa5ca6476b4c87f57dc4200657139

SHA512
73600f8712dc6ac7e361a8d6a19c4c41fe18a8b5593e7b0b81c84a2204646743ec694f0523f0beb6ad590fd3f251c99249015ea26bcbcfa6233ff1a48102daa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\cD65B.tmp

Filesize
628KB

MD5
eafa287c3b54ac725edaf032413c9eb0

SHA1
0fff913b3edc74162c646eacc17bf90950c50f3c

SHA256
9b599b383d82e82202f03bd2016c50135d8f45c82163d4bbf7c1443c0e079582

SHA512
1e41e8d40f3ebada39460c5c09463da20d0f8b05dd99357f6733aa9266cb7f26da25d0a8f189394c96510d7f157214b35632cf49e7f676b5e6777e34a5646878

Download Submit
C:\Users\Admin\AppData\Local\Temp\cWSCY2y.cmd

Filesize
205B

MD5
d7db65e2946357e356c9fc19a37ecbcd

SHA1
c440b31a7272977343c60cf52a84304c6a538afb

SHA256
7a1f9158dbb0104d4c8786a7779edef2b05562036fa4b795ba99b430a317cefd

SHA512
a7bacfb5c401a6f77c9b0806d7eccdf2530f1c39fa95879a7ac74af2ff506396cfc3f8efdf7e219b1425d2ffbc4ea11e5fd26c8e690bf0d858cdc977498ed69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gFFAE.tmp

Filesize
628KB

MD5
47fbe88d6b8b29cf5050d1e519419397

SHA1
2a48e3083ee5f6b4777c19d7a89f0a41ae4800b7

SHA256
7bcc4b43a69ef80b88eddccea19eb477104aef9bbd40717caa948bd5f5bd1ed3

SHA512
2535ec5454181eec24f58551fa58bcf64a4dbdfc0254245bb63ba7122903aa2986e9732a39aeb0e5eb7a271086424a20e050a89b73cff5659d5b83190baf1987

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hcbfaqn.lnk

Filesize
1004B

MD5
4bd066679dd2062485999dd5731bc556

SHA1
4dd12b99e90f396c6bbb87cfd0817bf34b891edf

SHA256
cd1d3e1569d3d7a865378888db983ac5d1554c261bc041e18d9cddc29ebfcf02

SHA512
37e944a27851fa66a5b37b27535d86e1eeb3ad78574d8e5322fee5c3dc8645658d0793a649b945d27e3ccc0103c3e13e34a16d39f5b76b7ce5553446a6600440

Download Submit
C:\Users\Admin\AppData\Roaming\YcJW1a\SystemPropertiesPerformance.exe

Filesize
82KB

MD5
e4fbf7cab8669c7c9cef92205d2f2ffc

SHA1
adbfa782b7998720fa85678cc85863b961975e28

SHA256
b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

SHA512
c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

Download Submit
memory/1180-0-0x00007FFB945C0000-0x00007FFB9465D000-memory.dmp

Filesize
628KB

Download
memory/1180-6-0x00007FFB945C0000-0x00007FFB9465D000-memory.dmp

Filesize
628KB

Download
memory/1180-1-0x0000026C09DB0000-0x0000026C09DB7000-memory.dmp

Filesize
28KB

Download
memory/3352-8-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3352-33-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3352-15-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3352-14-0x0000000002B10000-0x0000000002B17000-memory.dmp

Filesize
28KB

Download
memory/3352-21-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3352-22-0x00007FFBA65A0000-0x00007FFBA65B0000-memory.dmp

Filesize
64KB

Download
memory/3352-31-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3352-13-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3352-12-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3352-10-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3352-11-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3352-9-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3352-7-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3352-5-0x00007FFBA55DA000-0x00007FFBA55DB000-memory.dmp

Filesize
4KB

Download
memory/3352-3-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download