Overview

overview

10

Static

static

10

The-MALWAR...ot.exe

windows7-x64

10

The-MALWAR...ot.exe

windows10-2004-x64

10

The-MALWAR...ll.exe

windows7-x64

10

The-MALWAR...ll.exe

windows10-2004-x64

10

The-MALWAR...BS.exe

windows7-x64

10

The-MALWAR...BS.exe

windows10-2004-x64

10

The-MALWAR...in.exe

windows7-x64

7

The-MALWAR...in.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

7

The-MALWAR....A.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

10

The-MALWAR....A.exe

windows10-2004-x64

10

The-MALWAR....A.dll

windows7-x64

7

The-MALWAR....A.dll

windows10-2004-x64

6

The-MALWAR...r.xlsm

windows7-x64

10

The-MALWAR...r.xlsm

windows10-2004-x64

10

The-MALWAR...36c859

ubuntu-24.04-amd64

8

The-MALWAR...caa742

ubuntu-24.04-amd64

8

The-MALWAR...c1a732

ubuntu-22.04-amd64

8

The-MALWAR...57c046

ubuntu-22.04-amd64

8

The-MALWAR...4cde86

ubuntu-24.04-amd64

8

The-MALWAR...460a01

ubuntu-22.04-amd64

8

The-MALWAR...ece0c5

ubuntu-22.04-amd64

8

The-MALWAR...257619

ubuntu-22.04-amd64

8

The-MALWAR...fbcc59

ubuntu-24.04-amd64

8

The-MALWAR...54f69c

ubuntu-24.04-amd64

8

The-MALWAR...d539a6

ubuntu-22.04-amd64

8

The-MALWAR...4996dd

ubuntu-18.04-amd64

8

The-MALWAR...8232d5

ubuntu-22.04-amd64

8

The-MALWAR...66b948

ubuntu-24.04-amd64

8

The-MALWAR...f9db86

ubuntu-24.04-amd64

8

The-MALWAR...ea2485

ubuntu-22.04-amd64

8

Resubmissions

22-10-2024 02:07

241022-cka1nssfkj 10

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-10-2024 02:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll

  • Size

    628KB

  • MD5

    97a26d9e3598fea2e1715c6c77b645c2

  • SHA1

    c4bf3a00c9223201aa11178d0f0b53c761a551c4

  • SHA256

    e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f

  • SHA512

    acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c

  • SSDEEP

    12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score
7/10
persistenceprivilege_escalation

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

    persistenceprivilege_escalation
  • Modifies registry class 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2920
  • C:\Windows\system32\sethc.exe
    C:\Windows\system32\sethc.exe
    1⤵
      PID:2480
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\lVcrbZY.cmd
      1⤵
        PID:2536
      • C:\Windows\system32\xpsrchvw.exe
        C:\Windows\system32\xpsrchvw.exe
        1⤵
          PID:2664
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\bfWn9.cmd
          1⤵
          • Drops file in System32 directory
          PID:2704
        • C:\Windows\System32\eventvwr.exe
          "C:\Windows\System32\eventvwr.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:676
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\JEwUiFJ.cmd
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2932
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Create /F /TN "Uofpoxfgtb" /TR C:\Windows\system32\FhbQFdJ\xpsrchvw.exe /SC minute /MO 60 /RL highest
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2520
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1720
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Query /TN "Uofpoxfgtb"
            2⤵
              PID:816
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Query /TN "Uofpoxfgtb"
              2⤵
                PID:1872
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:2344
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Query /TN "Uofpoxfgtb"
                2⤵
                  PID:2292
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:1484
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Query /TN "Uofpoxfgtb"
                  2⤵
                    PID:596
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1436
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Query /TN "Uofpoxfgtb"
                    2⤵
                      PID:1448
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1368
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Query /TN "Uofpoxfgtb"
                      2⤵
                        PID:896

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\8LZD3A5.tmp
                      Filesize

                      636KB

                      MD5

                      a732bcefdcf1a55a58db058721940ebc

                      SHA1

                      baded904300940321c33fbcf20ac58d28617be20

                      SHA256

                      740ff3508fe807dee531e2a26de4ba668054b22dfd190c36f68879ffbc5983c1

                      SHA512

                      9183b4cdbbd3a83dd449a159ed4226915bc437ac4602378ff0ba6e7cb4b16030b0c8ea434c848e5605ced6920babfde0a3b2228fb4803be6952689ca02947cc7

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\JEwUiFJ.cmd
                      Filesize

                      130B

                      MD5

                      8d8898d6a10a0383b267ca94805ff7c8

                      SHA1

                      3125a6d62d725626d5467a62b4039d1a97a111e1

                      SHA256

                      7eb411e9a698baadcb0eb149efb0998a7d10be5ee4048156ddd1b8f37f5bd842

                      SHA512

                      c91a9bfc236883c571624e6f3c6356e5f8f8da0a7dac9f9bae033d0c1b16bf0f6fefe3188026edae842f09bf0487e268c09cca04337025bb6e4b34382f9aee55

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\bfWn9.cmd
                      Filesize

                      202B

                      MD5

                      8b580888728fe205a4727a4d88e4a968

                      SHA1

                      16f4c2ebd03618b88f244af5494312d36262bc63

                      SHA256

                      61f619f4ebf4e30636ee3647032655716f77514cd0d20376d9006f1ff7ff903b

                      SHA512

                      961e2a39437a4a192665d3d31c509a40fd2c8d84f07590af4fb2fae0fe06d72b7c32af840a34e81ca66a62ebe99954aba055176479e65ae1fa052a5307cb7c57

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\lVcrbZY.cmd
                      Filesize

                      222B

                      MD5

                      b564179c62c5fd48fa3581777e8486f8

                      SHA1

                      64318c50ff47ae1cd6e1d887c1cd1e95471d2a7b

                      SHA256

                      41fb9db9f1b01dca407d4bb39fa13bfc222c7f72855376e12a3ce60ef403a199

                      SHA512

                      b29c7b2d98ff71951ca703fe08e6f9ea094d022811695c4d9003683c7ff0aa96c93bd3ceba381ee32343f779348ad7701e04e801d252520fb45307dc26baa782

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\rABE9.tmp
                      Filesize

                      628KB

                      MD5

                      e223d5afc8c8d885f37bfefb00c923eb

                      SHA1

                      62578be2a9a3b3375023ef7ac1025830359ad982

                      SHA256

                      804e1b93bea5c2cce53de1ca2ef6e329b4508e7f6ac05b45aefc108b04dc82a3

                      SHA512

                      c6a0c3e9f25375d8b11307d96e4ee4aa21a84f2cdab31be32c35a831aafd6438b0ffd8481b3bc9f116a10296c07c4241ff82d2917e11b5656c4f7d5f2aaa4bf8

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kccgsbu.lnk
                      Filesize

                      860B

                      MD5

                      535f0ba336cceca8a7850a63b2552119

                      SHA1

                      1bf0d13b25a0f14f4e69ed923b64f9f095ec7ee9

                      SHA256

                      2cfd9ab8efe723b4b0cb8885d3f5d9686ba9ebb64ea1d7e6ad0d016df19c0363

                      SHA512

                      78f117bcdea47b51d0f98b43d2a29495299cdcee14686ef247cefd2089bbc0a9e32a06c618f16c56c267806a4fd8cee0474e8bc3022cd4977d8a1f73189c9886

                      Download Submit

                    • \Users\Admin\AppData\Roaming\Iw6s\sethc.exe
                      Filesize

                      272KB

                      MD5

                      3bcb70da9b5a2011e01e35ed29a3f3f3

                      SHA1

                      9daecb1ee5d7cbcf46ee154dd642fcd993723a9b

                      SHA256

                      dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5

                      SHA512

                      69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

                      Download Submit

                    • memory/1176-11-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-34-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-21-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-25-0x0000000077E30000-0x0000000077E32000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/1176-24-0x0000000077CD1000-0x0000000077CD2000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1176-15-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-13-0x0000000002ED0000-0x0000000002ED7000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/1176-12-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-10-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-7-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-32-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-14-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-35-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-43-0x0000000077BC6000-0x0000000077BC7000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1176-3-0x0000000077BC6000-0x0000000077BC7000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1176-9-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-8-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/1176-4-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2920-6-0x000007FEF7B70000-0x000007FEF7C0D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/2920-0-0x000007FEF7B70000-0x000007FEF7C0D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/2920-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

                      Filesize

                      28KB

                      Download