Overview

overview

10

Static

static

10

The-MALWAR...er.zip

windows7-x64

1

The-MALWAR...er.zip

windows10-2004-x64

1

The-MALWAR...ot.exe

windows7-x64

10

The-MALWAR...ot.exe

windows10-2004-x64

10

The-MALWAR...ll.exe

windows7-x64

10

The-MALWAR...ll.exe

windows10-2004-x64

10

The-MALWAR...BS.exe

windows7-x64

10

The-MALWAR...BS.exe

windows10-2004-x64

10

The-MALWAR...in.exe

windows7-x64

7

The-MALWAR...in.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

7

The-MALWAR....A.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

10

The-MALWAR....A.exe

windows10-2004-x64

10

The-MALWAR....A.dll

windows7-x64

7

The-MALWAR....A.dll

windows10-2004-x64

6

The-MALWAR...et.zip

windows7-x64

1

The-MALWAR...et.zip

windows10-2004-x64

1

The-MALWAR...r.xlsm

windows7-x64

10

The-MALWAR...r.xlsm

windows10-2004-x64

10

The-MALWAR...36c859

ubuntu-24.04-amd64

8

The-MALWAR...caa742

ubuntu-22.04-amd64

8

The-MALWAR...c1a732

ubuntu-22.04-amd64

8

The-MALWAR...57c046

ubuntu-24.04-amd64

8

The-MALWAR...4cde86

ubuntu-24.04-amd64

8

The-MALWAR...460a01

ubuntu-24.04-amd64

8

The-MALWAR...ece0c5

ubuntu-24.04-amd64

8

The-MALWAR...257619

ubuntu-22.04-amd64

8

The-MALWAR...fbcc59

ubuntu-22.04-amd64

8

The-MALWAR...54f69c

ubuntu-22.04-amd64

8

The-MALWAR...d539a6

ubuntu-22.04-amd64

8

The-MALWAR...4996dd

ubuntu-24.04-amd64

8

Analysis

  • max time kernel
    150s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-09-2024 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll

  • Size

    628KB

  • MD5

    97a26d9e3598fea2e1715c6c77b645c2

  • SHA1

    c4bf3a00c9223201aa11178d0f0b53c761a551c4

  • SHA256

    e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f

  • SHA512

    acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c

  • SSDEEP

    12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score
7/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2712
  • C:\Windows\system32\perfmon.exe
    C:\Windows\system32\perfmon.exe
    1⤵
      PID:1976
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\l5hL.cmd
      1⤵
        PID:3024
      • C:\Windows\system32\Magnify.exe
        C:\Windows\system32\Magnify.exe
        1⤵
          PID:2276
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\1ab5MJK.cmd
          1⤵
          • Drops file in System32 directory
          PID:2252
        • C:\Windows\System32\eventvwr.exe
          "C:\Windows\System32\eventvwr.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2260
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\4QFxKr.cmd
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2184
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Create /F /TN "Gugio" /TR C:\Windows\system32\4QmF\Magnify.exe /SC minute /MO 60 /RL highest
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1732
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2532
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Query /TN "Gugio"
            2⤵
              PID:1972
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:580
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Query /TN "Gugio"
              2⤵
                PID:2288
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2352
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Query /TN "Gugio"
                2⤵
                  PID:1984
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:944
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Query /TN "Gugio"
                  2⤵
                    PID:1800
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2536
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Query /TN "Gugio"
                    2⤵
                      PID:1108
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Gugio"
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:328
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Query /TN "Gugio"
                      2⤵
                        PID:1056

                    Network

                    MITRE ATT&CK Matrix ATT&CK v13

                    Initial Access

                    Execution

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    Persistence

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Event Triggered Execution

                    1
                    T1546

                    Accessibility Features

                    1
                    T1546.008

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    Privilege Escalation

                    Boot or Logon Autostart Execution

                    1
                    T1547

                    Registry Run Keys / Startup Folder

                    1
                    T1547.001

                    Event Triggered Execution

                    1
                    T1546

                    Accessibility Features

                    1
                    T1546.008

                    Scheduled Task/Job

                    1
                    T1053

                    Scheduled Task

                    1
                    T1053.005

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Discovery

                    Query Registry

                    1
                    T1012

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Resource Development

                    Reconnaissance

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\1ab5MJK.cmd
                      Filesize

                      192B

                      MD5

                      9818458013aa957cfae58ec744e8fb5a

                      SHA1

                      d68981dc9b8ffb7acd27e40214057bbd95000d53

                      SHA256

                      cb6ef21e54cde404e4d88f1f36262e133fae6da2d0eb8c0d515edd53c5c6603b

                      SHA512

                      b0a4215d76cb93a7d3ea5b2a58ff8cc7772eb791ee3d391bc282eb352a270bc57b40f735f85835341d3d60ec5e36c41c455ed214483b9273b04aaaf88f70598a

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\4QFxKr.cmd
                      Filesize

                      121B

                      MD5

                      819e3a2901d6e1c85bd5dad94758ce17

                      SHA1

                      31a02a71fcd19400b0c75bc04d4dcebf3a9148ec

                      SHA256

                      40bdf3586e0b23cf8654ffff3f74f6c4be324ea90d594a8a4768c30c09098cdf

                      SHA512

                      d310ec18878c1c6f4260cb107b0832c95ccf237e4c87f5858a80cb48a2e570032b62dd6443ab777ff034e2a5a2fece8259f24448605c2a27765871409f14d85c

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\l5hL.cmd
                      Filesize

                      232B

                      MD5

                      346eaac10f27ee818583dab257c085f0

                      SHA1

                      2170d98a0c11859288af7ab61c93ef9e88996160

                      SHA256

                      2100d0a70eefe559dc0e1ae7a1b0b86ffa32ffbade1054c8c9d1bf5bd8ed197e

                      SHA512

                      b53839d68f8a6d02cb9ffccef84cf10482795d30790f9b01d9f0b1106592484d4259c29a29f1b7537d39c7e7a17b0c8d2609c54b8062bd0e36bb77df3069f308

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\lvA7E4.tmp
                      Filesize

                      628KB

                      MD5

                      e5a83a5c4fd6b3742cb1bdd4504e115d

                      SHA1

                      d538fddf3227eb990bb713ea251661d6c9b75938

                      SHA256

                      b90abdce3910b2be736a67db788444b0131e6116e8894258b52d0102cac65b18

                      SHA512

                      e24ab7578dd045451ff68400405e6361d28fb1a12175bd0c3afe2ffb3520559be3879cbafb955ed6916939b6023aed167d75a775567cfa152d2d64563543515a

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\m48047.tmp
                      Filesize

                      632KB

                      MD5

                      87301407b8c71c9c44acb0440fbffad5

                      SHA1

                      d8c52cadd229765f4c86e06185c813c34bbfcf8d

                      SHA256

                      4cad76f0400499a3c4d0d7ecdb6e3006e33501f490059751b46ca6e06383e685

                      SHA512

                      e5b83565267fa32081f2de632d68c9a1baab6af82107bded737d6e7bdd7e245a645e7e83a5e419afd80d8041bffc2b1f2222c0fcd43e757707e4df274279d51d

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zoekctxdbskyzr.lnk
                      Filesize

                      884B

                      MD5

                      686acba2c190cd0f636b355d21bf2745

                      SHA1

                      7a49dfe621466ec1dba5f023da8d7be2448581de

                      SHA256

                      d6bdeab505a66b9c5b11ceffab89a986287979571effd59846734a475358a8d4

                      SHA512

                      41e01b7cffa9c089d90df9b6e86b45f25925736f694ca39064830595eeca030b9010c1b429dbc8cf4062b73d6cf3bd182a1dc1e115928e2958005279c5b62bea

                      Download Submit
                    • \Users\Admin\AppData\Roaming\qAf0yl\perfmon.exe
                      Filesize

                      168KB

                      MD5

                      3eb98cff1c242167df5fdbc6441ce3c5

                      SHA1

                      730b27a1c92e8df1e60db5a6fc69ea1b24f68a69

                      SHA256

                      6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081

                      SHA512

                      f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

                      Download Submit
                    • memory/1244-8-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-37-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-20-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-21-0x00000000025C0000-0x00000000025C7000-memory.dmp
                      Filesize

                      28KB

                      Download
                    • memory/1244-14-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-13-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-12-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-11-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-23-0x0000000077C00000-0x0000000077C02000-memory.dmp
                      Filesize

                      8KB

                      Download
                    • memory/1244-22-0x0000000077AA1000-0x0000000077AA2000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1244-32-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-7-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-33-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-43-0x0000000077996000-0x0000000077997000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1244-3-0x0000000077996000-0x0000000077997000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1244-9-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-10-0x0000000140000000-0x000000014009D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/1244-4-0x00000000029B0000-0x00000000029B1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/2712-6-0x000007FEF7E80000-0x000007FEF7F1D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/2712-0-0x000007FEF7E80000-0x000007FEF7F1D000-memory.dmp
                      Filesize

                      628KB

                      Download
                    • memory/2712-2-0x0000000000180000-0x0000000000187000-memory.dmp
                      Filesize

                      28KB

                      Download