Overview

overview

10

Static

static

10

The-MALWAR...ot.exe

windows10-2004-x64

10

The-MALWAR...ll.exe

windows10-2004-x64

10

The-MALWAR...BS.exe

windows10-2004-x64

10

The-MALWAR...in.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows10-2004-x64

10

The-MALWAR....A.dll

windows10-2004-x64

6

The-MALWAR...r.xlsm

windows10-2004-x64

10

The-MALWAR...36c859

windows10-2004-x64

1

The-MALWAR...caa742

windows10-2004-x64

1

The-MALWAR...c1a732

windows10-2004-x64

1

The-MALWAR...57c046

windows10-2004-x64

1

The-MALWAR...4cde86

windows10-2004-x64

1

The-MALWAR...460a01

windows10-2004-x64

1

The-MALWAR...ece0c5

windows10-2004-x64

1

The-MALWAR...257619

windows10-2004-x64

1

The-MALWAR...fbcc59

windows10-2004-x64

1

The-MALWAR...54f69c

windows10-2004-x64

1

The-MALWAR...d539a6

windows10-2004-x64

1

The-MALWAR...4996dd

windows10-2004-x64

1

The-MALWAR...8232d5

windows10-2004-x64

1

The-MALWAR...66b948

windows10-2004-x64

1

The-MALWAR...f9db86

windows10-2004-x64

1

The-MALWAR...ea2485

windows10-2004-x64

1

The-MALWAR...us.exe

windows10-2004-x64

6

The-MALWAR....a.exe

windows10-2004-x64

1

The-MALWAR....a.exe

windows10-2004-x64

7

The-MALWAR...ok.exe

windows10-2004-x64

1

The-MALWAR...y.html

windows10-2004-x64

1

The-MALWAR...ft.exe

windows10-2004-x64

4

The-MALWAR...en.exe

windows10-2004-x64

6

The-MALWAR...min.js

windows10-2004-x64

1

Resubmissions

29-04-2024 17:56

240429-wjgllsgg29 10

17-04-2024 14:59

240417-sc15wsef8y 10

16-04-2024 14:20

240416-rnxq6sdg3t 10

Analysis

  • max time kernel
    181s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2024 14:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll

  • Size

    628KB

  • MD5

    97a26d9e3598fea2e1715c6c77b645c2

  • SHA1

    c4bf3a00c9223201aa11178d0f0b53c761a551c4

  • SHA256

    e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f

  • SHA512

    acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c

  • SSDEEP

    12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1808
  • C:\Windows\system32\recdisc.exe
    C:\Windows\system32\recdisc.exe
    1⤵
      PID:4560
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\QOb.cmd
      1⤵
        PID:4992
      • C:\Windows\system32\tabcal.exe
        C:\Windows\system32\tabcal.exe
        1⤵
          PID:5032
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\GaK.cmd
          1⤵
          • Drops file in System32 directory
          PID:4076
        • C:\Windows\System32\fodhelper.exe
          "C:\Windows\System32\fodhelper.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:4608
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\2xH6XL.cmd
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2840
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Create /F /TN "Koogjfpcvfdf" /TR C:\Windows\system32\LkJu\tabcal.exe /SC minute /MO 60 /RL highest
              3⤵
              • Creates scheduled task(s)
              PID:4020
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Koogjfpcvfdf"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1452
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Query /TN "Koogjfpcvfdf"
            2⤵
              PID:4112
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Koogjfpcvfdf"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:1756
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Query /TN "Koogjfpcvfdf"
              2⤵
                PID:3400
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Koogjfpcvfdf"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2956
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Query /TN "Koogjfpcvfdf"
                2⤵
                  PID:3412
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Koogjfpcvfdf"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:1984
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Query /TN "Koogjfpcvfdf"
                  2⤵
                    PID:2720

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\2xH6XL.cmd
                  Filesize

                  127B

                  MD5

                  3b238c573cf6099a5d7b0faa6feeb80b

                  SHA1

                  8228cc81cfee523cf0e9ffa0cee5bb4b499a4385

                  SHA256

                  4caa66e1c93004858e6b0d74316f14000e0e0aebc5e5a019bb2020e89db00fd0

                  SHA512

                  b5964a68e40896e72a2677677fe70d55cf85249e8e9ae0efeb4b8f91b1961a34f8640e0dde318dfcec719c40c6f72da7b72312b29843096652e3dcf582d12d21

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\GaK.cmd
                  Filesize

                  188B

                  MD5

                  7bd9fb99e9ba172d419c64a8a7c6779b

                  SHA1

                  44b25b25100b3e66ec11b65cdda9152bbc3ceff0

                  SHA256

                  dcc7b5aad1d73f623e567e30ce3ab3349aa699a80ee4bd011828d3f7dd53c569

                  SHA512

                  d4ea13a0108f08c32e5bdc513ab95a0e4c29fcd8aed1a4ebcb523c2ef726e9bea01ba1f883b102e658767586bcce6c94bfe5a2c3c861edda19ff89374e628cc3

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\I2ABAD.tmp
                  Filesize

                  628KB

                  MD5

                  734a3efd90ca8c1380f52dbbb6abd905

                  SHA1

                  9c3fe3b1eee4d13986f384c4416975d90d793862

                  SHA256

                  6eb9be8589bd884e8bd50ad43f686a5a498c2d6e435924bd055317f28fcb3427

                  SHA512

                  43b0710e198945af03516edd8716cd27cacaeb236b5c90ed283e2e66ba624f43601b1d7d079737ca10b65e903a340ccbfdc514a6a789744ec54cf8e2eda32179

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\QOb.cmd
                  Filesize

                  230B

                  MD5

                  e5971b174d759e614015c2a81436389c

                  SHA1

                  3cbf45c1bf9f8e166390c601ded1c28773195ada

                  SHA256

                  de25891ba4e5e4306285419bd339a00d1e0e02c216acc42663315e7ead6683e7

                  SHA512

                  2003f0b4145f7b6bb1a829cabb678fb2ac29c3b1929d61df8b63c4c09ceca43477d89fbc9623cdcb607d14007b81e8a377a448a5e8fb24ece4ce162863b505d7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\mjD5C73.tmp
                  Filesize

                  628KB

                  MD5

                  c76276342b8dbc41cfba52361221b02a

                  SHA1

                  3b0e166e2e3f15340f5551da79a7f8a301306db1

                  SHA256

                  6f69845e12930bb26864ec2e0d236d53e7c5ad63d585d65c49030a924632a68a

                  SHA512

                  de71669bee8944b480cfa01d74ea4dc1df910b8ba82db943bd5a297a6da5cd1ff124154c1365ba74be579b71eacf5dbc0c6a16e85689e1570a54d4eedae475e1

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ftmqvfjd.lnk
                  Filesize

                  898B

                  MD5

                  0721eee2d16ef083612e7884f7bfd21d

                  SHA1

                  8084a127fd1fc30ee3a2bee25bd100945b112354

                  SHA256

                  c1a86757d8a146459c90fbd21a6ff2cea8f00cadff02d0226eff1b29ae211a4e

                  SHA512

                  4028a1a3d9d74e38642f4d06413f50ef6f07e104ec606d05947d648a6c797edb216a1d40e1cb88e4f01026eb499b6212dd2415f947a20901d917caf642a09528

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\VidIr\recdisc.exe
                  Filesize

                  193KB

                  MD5

                  18afee6824c84bf5115bada75ff0a3e7

                  SHA1

                  d10f287a7176f57b3b2b315a5310d25b449795aa

                  SHA256

                  0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e

                  SHA512

                  517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

                  Download Submit

                • memory/1808-15-0x00007FF909F30000-0x00007FF909FCD000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/1808-1-0x000001F935700000-0x000001F935707000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1808-0-0x00007FF909F30000-0x00007FF909FCD000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-8-0x0000000140000000-0x000000014009D000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-33-0x0000000140000000-0x000000014009D000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-14-0x0000000140000000-0x000000014009D000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-12-0x0000000001060000-0x0000000001067000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/3504-21-0x0000000140000000-0x000000014009D000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-22-0x00007FF918A20000-0x00007FF918A30000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3504-31-0x0000000140000000-0x000000014009D000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-13-0x0000000140000000-0x000000014009D000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-9-0x0000000140000000-0x000000014009D000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-11-0x0000000140000000-0x000000014009D000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-10-0x0000000140000000-0x000000014009D000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-6-0x0000000140000000-0x000000014009D000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-7-0x0000000140000000-0x000000014009D000-memory.dmp

                  Filesize

                  628KB

                  Download

                • memory/3504-5-0x00007FF9176DA000-0x00007FF9176DB000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/3504-3-0x0000000001120000-0x0000000001121000-memory.dmp

                  Filesize

                  4KB

                  Download