Overview

overview

10

Static

static

10

The-MALWAR...ot.exe

windows7-x64

10

The-MALWAR...ot.exe

windows10-2004-x64

10

The-MALWAR...ll.exe

windows7-x64

10

The-MALWAR...ll.exe

windows10-2004-x64

10

The-MALWAR...BS.exe

windows7-x64

10

The-MALWAR...BS.exe

windows10-2004-x64

10

The-MALWAR...in.exe

windows7-x64

7

The-MALWAR...in.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

7

The-MALWAR....A.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

10

The-MALWAR....A.exe

windows10-2004-x64

10

The-MALWAR....A.dll

windows7-x64

7

The-MALWAR....A.dll

windows10-2004-x64

6

The-MALWAR...r.xlsm

windows7-x64

10

The-MALWAR...r.xlsm

windows10-2004-x64

10

The-MALWAR...36c859

ubuntu-20.04-amd64

8

The-MALWAR...caa742

ubuntu-20.04-amd64

8

The-MALWAR...c1a732

ubuntu-20.04-amd64

8

The-MALWAR...57c046

ubuntu-20.04-amd64

8

The-MALWAR...4cde86

ubuntu-20.04-amd64

8

The-MALWAR...460a01

ubuntu-20.04-amd64

8

The-MALWAR...ece0c5

ubuntu-20.04-amd64

8

The-MALWAR...257619

ubuntu-20.04-amd64

8

The-MALWAR...fbcc59

ubuntu-20.04-amd64

8

The-MALWAR...54f69c

ubuntu-20.04-amd64

8

The-MALWAR...d539a6

ubuntu-18.04-amd64

8

The-MALWAR...4996dd

ubuntu-20.04-amd64

8

The-MALWAR...8232d5

ubuntu-18.04-amd64

8

The-MALWAR...66b948

ubuntu-20.04-amd64

8

The-MALWAR...f9db86

ubuntu-20.04-amd64

8

The-MALWAR...ea2485

ubuntu-20.04-amd64

8

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-03-2024 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll

  • Size

    628KB

  • MD5

    97a26d9e3598fea2e1715c6c77b645c2

  • SHA1

    c4bf3a00c9223201aa11178d0f0b53c761a551c4

  • SHA256

    e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f

  • SHA512

    acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c

  • SSDEEP

    12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4700
  • C:\Windows\system32\bdechangepin.exe
    C:\Windows\system32\bdechangepin.exe
    1⤵
      PID:3084
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\6yO.cmd
      1⤵
        PID:2828
      • C:\Windows\system32\rdpinput.exe
        C:\Windows\system32\rdpinput.exe
        1⤵
          PID:4984
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\LrN.cmd
          1⤵
          • Drops file in System32 directory
          PID:1936
        • C:\Windows\System32\fodhelper.exe
          "C:\Windows\System32\fodhelper.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:684
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\n4l.cmd
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4624
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Create /F /TN "Uhljwyxbarwpt" /TR C:\Windows\system32\uyDTf\rdpinput.exe /SC minute /MO 60 /RL highest
              3⤵
              • Creates scheduled task(s)
              PID:372
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uhljwyxbarwpt"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Query /TN "Uhljwyxbarwpt"
            2⤵
              PID:1344
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uhljwyxbarwpt"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:4356
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Query /TN "Uhljwyxbarwpt"
              2⤵
                PID:3600
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uhljwyxbarwpt"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:1532
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Query /TN "Uhljwyxbarwpt"
                2⤵
                  PID:2896
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uhljwyxbarwpt"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:3868
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Query /TN "Uhljwyxbarwpt"
                  2⤵
                    PID:2824
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uhljwyxbarwpt"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2308
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Query /TN "Uhljwyxbarwpt"
                    2⤵
                      PID:3888

                  Network

                  MITRE ATT&CK Matrix ATT&CK v13

                  Initial Access

                  Execution

                  Scheduled Task/Job

                  1
                  T1053

                  Persistence

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Scheduled Task/Job

                  1
                  T1053

                  Privilege Escalation

                  Boot or Logon Autostart Execution

                  1
                  T1547

                  Registry Run Keys / Startup Folder

                  1
                  T1547.001

                  Scheduled Task/Job

                  1
                  T1053

                  Defense Evasion

                  Modify Registry

                  1
                  T1112

                  Credential Access

                  Discovery

                  Query Registry

                  1
                  T1012

                  Lateral Movement

                  Collection

                  Exfiltration

                  Command and Control

                  Impact

                  Resource Development

                  Reconnaissance

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\6yO.cmd
                    Filesize

                    229B

                    MD5

                    13afe7a1443f53c6bd5c42cb077382ac

                    SHA1

                    d72b7870a31acb50ad88741fc606369c882369dd

                    SHA256

                    939dffdf106afa895e2895bc38aaaa7105c9e1a3b81fa44bd8c306f18041475d

                    SHA512

                    9ff5f1fc87302ba88274da883a0bea24b230afb32c2c75867ca810ed28e7d6a43887c54adbad0ff7821cc40517c5d693a531e78b7c782d09ca870eaf02261d6f

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\CeB093.tmp
                    Filesize

                    908KB

                    MD5

                    4262b676894c5b59e9c86b514a79ba85

                    SHA1

                    cc6b83eff755a2fc96569bccb1cc503399fbd308

                    SHA256

                    7f01d87601561c20977c21fb8ab9fb97a2e9789c7720cbc2d6d6e456d4150fc8

                    SHA512

                    f6eab35d15e5e6793de1706995034e9a9fba37ec3a118baa35557848d92d94fffb5dab02470cdb5f627fdae2a9b0b354489a40136d94b090c3c4fe29d50b87d4

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\LrN.cmd
                    Filesize

                    199B

                    MD5

                    42ca6bb649c7acdfb01ade2f0846057c

                    SHA1

                    4f41e4c3721472b56f7843e8e35f5819548a7e65

                    SHA256

                    5da151391c96c1f556dc512322a4fc2f097adf40d6edf7baf9808315e8bb4a0e

                    SHA512

                    af128096d318f24b56f5fde2a245afde59475ad08542a065e1c7719493ef9a9c63ab8734bfef831be0ef6cbd039cb83de2062fcc000fcd008c4e86d8523dd212

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\jeKDA53.tmp
                    Filesize

                    632KB

                    MD5

                    a6f2e9a1d7779f952aa30c6c6e06bd7b

                    SHA1

                    0e63389af13506ead52b6609c3166605f2e23ee9

                    SHA256

                    2f7504c82ca2e97b73af982975f7ca02a5f4c03549954dddd49f97fab81cc3a7

                    SHA512

                    1b1ff390896656862cc2487a417642adc006b781e38a5d3de40336dcb53364cd71e1eb5b08cf65fbd588b3c63f72c97b1689e55f80c2f170e9340d8e7e439819

                    Download Submit
                  • C:\Users\Admin\AppData\Local\Temp\n4l.cmd
                    Filesize

                    131B

                    MD5

                    0694f605aedb5cae16cde7219f066d0b

                    SHA1

                    16cc0107ebdc3ecf1642b7ad1501386bc73dbf9a

                    SHA256

                    fbc318b4f044dabefaca2fae460eba196702e1b0d1a5f9fbcb75246c93ee1fb5

                    SHA512

                    d62ac90476f8d72abfe20aed542854386b0ba1f857053f5380be34b41e1715243210d8e41fc08bc9dfa898b78d1abf5d88282b1c3e3cb60d2d8b9153925a9aab

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\IUSt\bdechangepin.exe
                    Filesize

                    373KB

                    MD5

                    601a28eb2d845d729ddd7330cbae6fd6

                    SHA1

                    5cf9f6f9135c903d42a7756c638333db8621e642

                    SHA256

                    4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6

                    SHA512

                    1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

                    Download Submit
                  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iqmkzginatp.lnk
                    Filesize

                    920B

                    MD5

                    89e0f5133601960ccf1e5f0e142762d6

                    SHA1

                    9de67fb151344866b134a9d16e97b8b473fe1ad0

                    SHA256

                    802ccb553aaef30ee8ef1ae227f576cd69c3b448b7cb475960195d2ce53e8deb

                    SHA512

                    a9cd6bfc129c10682440a0f7d48b1cb7c7291685cccce7e1c157c0a99c906bf317a51b4bbcbe651f45987fec905f5814ae214d7872f18118c1d9c10551517130

                    Download Submit
                  • memory/3404-9-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/3404-31-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/3404-12-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/3404-11-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/3404-13-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/3404-15-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/3404-14-0x0000000001020000-0x0000000001027000-memory.dmp
                    Filesize

                    28KB

                    Download
                  • memory/3404-21-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/3404-25-0x00007FFF10740000-0x00007FFF10750000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/3404-7-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/3404-33-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/3404-10-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/3404-4-0x00007FFF0E80A000-0x00007FFF0E80B000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/3404-8-0x0000000140000000-0x000000014009D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/3404-3-0x0000000002FE0000-0x0000000002FE1000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/4700-6-0x00007FFEF22B0000-0x00007FFEF234D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/4700-0-0x00007FFEF22B0000-0x00007FFEF234D000-memory.dmp
                    Filesize

                    628KB

                    Download
                  • memory/4700-1-0x000002582EAE0000-0x000002582EAE7000-memory.dmp
                    Filesize

                    28KB

                    Download