Overview

overview

10

Static

static

10

The-MALWAR...ot.exe

windows7-x64

10

The-MALWAR...ot.exe

windows10-2004-x64

10

The-MALWAR...ll.exe

windows7-x64

10

The-MALWAR...ll.exe

windows10-2004-x64

10

The-MALWAR...BS.exe

windows7-x64

10

The-MALWAR...BS.exe

windows10-2004-x64

10

The-MALWAR...in.exe

windows7-x64

7

The-MALWAR...in.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

7

The-MALWAR....A.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

10

The-MALWAR....A.exe

windows10-2004-x64

10

The-MALWAR....A.dll

windows7-x64

7

The-MALWAR....A.dll

windows10-2004-x64

6

TheG0df2th...t.docm

windows7-x64

10

TheG0df2th...t.docm

windows10-2004-x64

10

The-MALWAR...r.xlsm

windows7-x64

10

The-MALWAR...r.xlsm

windows10-2004-x64

10

The-MALWAR...36c859

ubuntu-20.04-amd64

8

The-MALWAR...caa742

ubuntu-20.04-amd64

8

The-MALWAR...c1a732

ubuntu-20.04-amd64

8

The-MALWAR...57c046

ubuntu-20.04-amd64

8

The-MALWAR...4cde86

ubuntu-20.04-amd64

8

The-MALWAR...460a01

ubuntu-20.04-amd64

8

The-MALWAR...ece0c5

ubuntu-18.04-amd64

8

The-MALWAR...257619

ubuntu-18.04-amd64

8

The-MALWAR...fbcc59

ubuntu-18.04-amd64

8

The-MALWAR...54f69c

ubuntu-18.04-amd64

8

The-MALWAR...d539a6

ubuntu-20.04-amd64

8

The-MALWAR...4996dd

ubuntu-20.04-amd64

8

The-MALWAR...8232d5

ubuntu-20.04-amd64

8

The-MALWAR...66b948

ubuntu-18.04-amd64

8

Analysis

  • max time kernel
    150s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-03-2024 03:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll

  • Size

    628KB

  • MD5

    97a26d9e3598fea2e1715c6c77b645c2

  • SHA1

    c4bf3a00c9223201aa11178d0f0b53c761a551c4

  • SHA256

    e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f

  • SHA512

    acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c

  • SSDEEP

    12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2760
  • C:\Windows\system32\psr.exe
    C:\Windows\system32\psr.exe
    1⤵
      PID:1412
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\aZu.cmd
      1⤵
        PID:1480
      • C:\Windows\system32\sigverif.exe
        C:\Windows\system32\sigverif.exe
        1⤵
          PID:900
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\jwbzE.cmd
          1⤵
          • Drops file in System32 directory
          PID:5072
        • C:\Windows\System32\fodhelper.exe
          "C:\Windows\System32\fodhelper.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:4604
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\rj5eeeU.cmd
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:572
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Create /F /TN "Evifhzprwd" /TR C:\Windows\system32\DE44Ec\sigverif.exe /SC minute /MO 60 /RL highest
              3⤵
              • Creates scheduled task(s)
              PID:2204
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3820 --field-trial-handle=2232,i,11267738607351977302,107266978269557304,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:4864
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Evifhzprwd"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:4952
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Query /TN "Evifhzprwd"
              2⤵
                PID:4224
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Evifhzprwd"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:1800
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Query /TN "Evifhzprwd"
                2⤵
                  PID:2396
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Evifhzprwd"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:4936
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Query /TN "Evifhzprwd"
                  2⤵
                    PID:3596
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Evifhzprwd"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4616
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Query /TN "Evifhzprwd"
                    2⤵
                      PID:1288
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Evifhzprwd"
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4436
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Query /TN "Evifhzprwd"
                      2⤵
                        PID:1548

                    Network

                    MITRE ATT&CK Matrix ATT&CK v13

                    Initial Access

                    Execution

                    Scheduled Task/Job

                    1
                    T1053

                    Persistence

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Scheduled Task/Job

                    1
                    T1053

                    Privilege Escalation

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Scheduled Task/Job

                    1
                    T1053

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Discovery

                    Query Registry

                    1
                    T1012

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Resource Development

                    Reconnaissance

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\28f1634.tmp
                      Filesize

                      628KB

                      MD5

                      8430fb1652c13701e7a44ce0663dc189

                      SHA1

                      5ae78ae0e50ba370a71f7f5957b1d68da0bd5544

                      SHA256

                      469353bf6814219ef1def0df9e6a53219c1c53962dc3a40881ce74c7c8c0ee78

                      SHA512

                      f5d46cf49bbc3a4026529a8a663c1f37bda0404780b8ab5dc3b6577268287df28280b41d42656de89e1fac39813238aab67b24139ad020a072d619e5f7baa6e0

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\aZu.cmd
                      Filesize

                      221B

                      MD5

                      8aedbaf5461d7fe1cdc496745b48bafe

                      SHA1

                      c3647034fc74f6249dcb0027d5b8bec9d831e1e0

                      SHA256

                      4367a89e6d4f3cf3ccaa9e8be53dbc53758558a17c93d0edae20a44343a5fd66

                      SHA512

                      af41a0f2552d9b01995813b90694fb9eb3f97034242bbe3b2f749854b4bb95d7978e753713c21cec953b6c4eb7fcaa006174284bdff94d3435ccf31fffb02422

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\jwbzE.cmd
                      Filesize

                      201B

                      MD5

                      96cd6ca5c681f6885234dbda051158dc

                      SHA1

                      4a1c29f3884f889280055bace4b0782335fb5959

                      SHA256

                      dd3cfe8d2ff730f8d5abe51eaab38d217a0b1f12998eef26274e70c94b977e05

                      SHA512

                      315d93ff605e91fe62332056a9c49776273312effb9521814a64c1d14882b02af170b9562c0e0715ac0f6041c98ba1d74032e687476677c632f6475d7066ccf9

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\kED0F.tmp
                      Filesize

                      576KB

                      MD5

                      448994754bac2c17c23dcd927d25321a

                      SHA1

                      6beb564f129dd0f7283044dc18a68088374f82f2

                      SHA256

                      7ffd4eee7397a65d24a13a249f6e497b4a8ea30850cdc97db65f71686bf79f8a

                      SHA512

                      9ca28c866ff090bcdd4da0da51aa11bbeec994c3935cd659947219e7699661a4098c08795c88fb073e843b498465a5ed8252eeac63f97fb66573c394368de95d

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\rj5eeeU.cmd
                      Filesize

                      129B

                      MD5

                      6a471e6acc06f505ad1a6211f82d49a9

                      SHA1

                      149a373098d09164c5392cf8593d9e73c112b3cb

                      SHA256

                      fa039a3c38224225c597ad0188ea26db480013a8f75837f86d1a7767616a88b4

                      SHA512

                      cc813bef5f7b8f330496f781f1bc61078896c596c924aadcdf2bfb1354531d1a2349ddc35a8eb993e05bc0e6a6f546db47cfb73a97e7bfb35316f80d92e11896

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wwzeokxwnoh.lnk
                      Filesize

                      874B

                      MD5

                      05a5931ce233a39fa4eab871b8469a44

                      SHA1

                      e4295af4ec9b46d29b5e7be941e03253d192825b

                      SHA256

                      d061f3e441de2d345981864b924f1d2425c6dde1de4b77a72db7afdb7f7199f8

                      SHA512

                      2988a9c284bd40c2698fed838ebf93f6a10d02784c5ca26f802bb65795ba686af2bf45bfefe6f5ed104fabd80412d92f00943c476e6200fa5f051a7f4272aef2

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\uI0t\psr.exe
                      Filesize

                      192KB

                      MD5

                      2e908463234937567aea03268daad010

                      SHA1

                      7355d9b50ae789486b2d89b1becee9ebf4756509

                      SHA256

                      fe6a77232dfe200e56681f354376468de951934b3d3ff09e1d4de20ff558aaba

                      SHA512

                      590f3a9da9a75c5d777df7e65f3350ded1b88d167759e93a768bffc4f098400265726475183ec16982ded34a2f055e13f373295122b131c69bdedc92d7f8df4f

                      Download Submit
                    • memory/2760-2-0x0000025C7BAC0000-0x0000025C7BAC7000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/2760-6-0x00007FFCD4AB0000-0x00007FFCD4B4D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/2760-0-0x00007FFCD4AB0000-0x00007FFCD4B4D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-8-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-33-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-13-0x00000000006B0000-0x00000000006B7000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/3412-15-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-21-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-24-0x00007FFCF4240000-0x00007FFCF4250000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/3412-31-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-14-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-12-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-11-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-10-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-9-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-7-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/3412-5-0x00007FFCF3B3A000-0x00007FFCF3B3B000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/3412-3-0x00000000024F0000-0x00000000024F1000-memory.dmp
                      Filesize

                      4KB

                      Download