b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Analysis

max time kernel
149s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
Size

628KB
MD5

97a26d9e3598fea2e1715c6c77b645c2
SHA1

c4bf3a00c9223201aa11178d0f0b53c761a551c4
SHA256

e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
SHA512

acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c
SSDEEP

12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vfaxdafbicozcso = "\"C:\\Users\\Admin\\AppData\\Roaming\\3TtfmAT\\RecoveryDrive.exe\""

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\system32\Iyx1\wbengine.exe	cmd.exe
File created	C:\Windows\system32\Iyx1\wbengine.exe	cmd.exe

Modifies registry class 10 IoCs

Processes:

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\OrMao4j.cmd"
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command\DelegateExecute
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open
Key deleted	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\ms-settings\shell\open\command

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4964 schtasks.exe

pid	process
4964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4184	rundll32.exe
4184	rundll32.exe
4184	rundll32.exe
4184	rundll32.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

fodhelper.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3436 wrote to memory of 4764	3436		RecoveryDrive.exe
PID 3436 wrote to memory of 4764	3436		RecoveryDrive.exe
PID 3436 wrote to memory of 1112	3436		cmd.exe
PID 3436 wrote to memory of 1112	3436		cmd.exe
PID 3436 wrote to memory of 3408	3436		wbengine.exe
PID 3436 wrote to memory of 3408	3436		wbengine.exe
PID 3436 wrote to memory of 4700	3436		cmd.exe
PID 3436 wrote to memory of 4700	3436		cmd.exe
PID 3436 wrote to memory of 2296	3436		fodhelper.exe
PID 3436 wrote to memory of 2296	3436		fodhelper.exe
PID 2296 wrote to memory of 4920	2296	fodhelper.exe	cmd.exe
PID 2296 wrote to memory of 4920	2296	fodhelper.exe	cmd.exe
PID 4920 wrote to memory of 4964	4920	cmd.exe	schtasks.exe
PID 4920 wrote to memory of 4964	4920	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 656	3436		cmd.exe
PID 3436 wrote to memory of 656	3436		cmd.exe
PID 656 wrote to memory of 1476	656	cmd.exe	schtasks.exe
PID 656 wrote to memory of 1476	656	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 4692	3436		cmd.exe
PID 3436 wrote to memory of 4692	3436		cmd.exe
PID 4692 wrote to memory of 4132	4692	cmd.exe	schtasks.exe
PID 4692 wrote to memory of 4132	4692	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 2728	3436		cmd.exe
PID 3436 wrote to memory of 2728	3436		cmd.exe
PID 2728 wrote to memory of 540	2728	cmd.exe	schtasks.exe
PID 2728 wrote to memory of 540	2728	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 740	3436		cmd.exe
PID 3436 wrote to memory of 740	3436		cmd.exe
PID 740 wrote to memory of 2736	740	cmd.exe	schtasks.exe
PID 740 wrote to memory of 2736	740	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 4628	3436		cmd.exe
PID 3436 wrote to memory of 4628	3436		cmd.exe
PID 4628 wrote to memory of 4836	4628	cmd.exe	schtasks.exe
PID 4628 wrote to memory of 4836	4628	cmd.exe	schtasks.exe
PID 3436 wrote to memory of 4964	3436		cmd.exe
PID 3436 wrote to memory of 4964	3436		cmd.exe
PID 4964 wrote to memory of 1968	4964	cmd.exe	schtasks.exe
PID 4964 wrote to memory of 1968	4964	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4184

C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
1⤵
PID:4764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Mczz4p.cmd
1⤵
PID:1112

C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
1⤵
PID:3408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\h7uFo2.cmd
1⤵
- Drops file in System32 directory
PID:4700

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2296

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\OrMao4j.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Qdvojli" /TR C:\Windows\system32\Iyx1\wbengine.exe /SC minute /MO 60 /RL highest
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
1⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
2⤵
PID:1476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
1⤵
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
2⤵
PID:4132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
1⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
2⤵
PID:540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
2⤵
PID:2736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
1⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
2⤵
PID:4836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Qdvojli"
1⤵
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Qdvojli"
2⤵
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E31CA.tmp
Filesize
628KB

MD5
45c99a94f559f9e4a93b6096043890bb

SHA1
f3e02bebfb0cdf6aac2a6782acce6931b4c6287c

SHA256
3efce7e77209052b0159588f3e94b41fd34d9199fceff08a0c88dc2d3e2e17e9

SHA512
94fad758b4ea970ba1e8b54e2d0748832009d0d9cff20516883a37e90927787f64b4970c4997a3266e9a820479bc004f19c0d6b696a706791f5ef371a02425e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mczz4p.cmd
Filesize
239B

MD5
a27a2a0effc1711a81c28371d74fa60b

SHA1
ab074ec19eac2c5a0b44df05ea92dd003c621155

SHA256
8be40d27ff168c9a0cd6927285139262e713778568e7e341c1a7556819d2bb89

SHA512
4d04bb6428f0b0e1614b96af2123a77ea1748f89cf388f18b2fe957539a1ef27c5c163b6706c868706bd4573fe8a2817a8ac93bf936bbf6357950aa0798f2825

Download Submit
C:\Users\Admin\AppData\Local\Temp\OrMao4j.cmd
Filesize
124B

MD5
6b80f661b41e8d91f465957eda7c0531

SHA1
9656d53bbb9ba2cadf3b573ef0b2e19e7a4a3230

SHA256
0a19c109cab4c5739512a668b7c613ec0d0ab8c40326653bbdec33dbc9bdb612

SHA512
90b8a22f33a22b26350399bf2f8e39eb1586ed857cc4632afbbeb33c0ccb0d19d575697b4359701096bc1228aef45d5c261fdb863a78213b9012ee7b2be35ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\h7uFo2.cmd
Filesize
193B

MD5
054700d42bbf1d1442986c38395e647e

SHA1
ad21a5350b20e54bf45971ed3f8db7c65859cbf6

SHA256
b0fc161ff520232624b2b6200302edf179ba6fdf1c21a25aa8da594b91c5ad15

SHA512
7183c226784fdcd74034b33d9139a644fcd079f6bbfda10aa21a1a691b5d9c01110da64f297665b4f44b62dd43c4b6a0b5d8200bc4eff3f29373ff3304dbb0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\j952.tmp
Filesize
632KB

MD5
639a8a082e6284fbc68dfdc77ea44427

SHA1
98aee8f25c24c16639dab573d9d3411e579c257e

SHA256
9c6bd4fd6cb4fb3958fd55434ad6fc93f16220fa934a424b8d4646bcb3ed72e0

SHA512
603a3ce9386d0e2d64c7b62bce6a980d21898ec915543f9444b69bcaf3ee1fc95b1fb24817dab99a3c5db916493dc06781e7f48ef1a2ccad080c473087c27178

Download Submit
C:\Users\Admin\AppData\Roaming\3TtfmAT\RecoveryDrive.exe
Filesize
911KB

MD5
b9b3dc6f2eb89e41ff27400952602c74

SHA1
24ae07e0db3ace0809d08bbd039db3a9d533e81b

SHA256
630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4

SHA512
7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Vfaxdafbicozcso.lnk
Filesize
942B

MD5
64f66e448f32bd08d6b7a307d13fcfea

SHA1
f532d318d4685258843f1cb303d54ab77d508821

SHA256
19829b251eb4d007f60442a1e40a4ec53425476eee35ebfaea814445fa643a8d

SHA512
c575d459759fa95cbcf5b0a9eed7bb0f65a6bab12910c24867f40d6371f1733330bd253112c9dd6aeab2da57e21d343fa4d41985fca3148fad6009260f1eb978

Download Submit
memory/3436-20-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3436-8-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3436-14-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3436-13-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3436-11-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3436-10-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3436-33-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3436-31-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3436-9-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3436-21-0x0000000001240000-0x0000000001247000-memory.dmp

Filesize
28KB

Download
memory/3436-7-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3436-22-0x00007FFE75000000-0x00007FFE75010000-memory.dmp

Filesize
64KB

Download
memory/3436-3-0x00007FFE7399A000-0x00007FFE7399B000-memory.dmp

Filesize
4KB

Download
memory/3436-12-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/3436-4-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/4184-6-0x00007FFE66420000-0x00007FFE664BD000-memory.dmp

Filesize
628KB

Download
memory/4184-0-0x00007FFE66420000-0x00007FFE664BD000-memory.dmp

Filesize
628KB

Download
memory/4184-2-0x00000210E82F0000-0x00000210E82F7000-memory.dmp

Filesize
28KB

Download