Overview

overview

10

Static

static

10

The-MALWAR...ot.exe

windows7-x64

10

The-MALWAR...ot.exe

windows10-2004-x64

10

The-MALWAR...ll.exe

windows7-x64

10

The-MALWAR...ll.exe

windows10-2004-x64

10

The-MALWAR...BS.exe

windows7-x64

10

The-MALWAR...BS.exe

windows10-2004-x64

10

The-MALWAR...in.exe

windows7-x64

7

The-MALWAR...in.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

7

The-MALWAR....A.exe

windows10-2004-x64

7

The-MALWAR....A.exe

windows7-x64

10

The-MALWAR....A.exe

windows10-2004-x64

10

The-MALWAR....A.dll

windows7-x64

7

The-MALWAR....A.dll

windows10-2004-x64

6

The-MALWAR...r.xlsm

windows7-x64

10

The-MALWAR...r.xlsm

windows10-2004-x64

10

The-MALWAR...36c859

ubuntu-22.04-amd64

8

The-MALWAR...caa742

ubuntu-22.04-amd64

8

The-MALWAR...c1a732

ubuntu-24.04-amd64

8

The-MALWAR...57c046

ubuntu-24.04-amd64

8

The-MALWAR...4cde86

ubuntu-24.04-amd64

8

The-MALWAR...460a01

ubuntu-24.04-amd64

8

The-MALWAR...ece0c5

ubuntu-20.04-amd64

8

The-MALWAR...257619

ubuntu-24.04-amd64

8

The-MALWAR...fbcc59

ubuntu-22.04-amd64

8

The-MALWAR...54f69c

ubuntu-24.04-amd64

8

The-MALWAR...d539a6

ubuntu-22.04-amd64

8

The-MALWAR...4996dd

ubuntu-24.04-amd64

8

The-MALWAR...8232d5

ubuntu-18.04-amd64

8

The-MALWAR...66b948

ubuntu-24.04-amd64

8

The-MALWAR...f9db86

ubuntu-24.04-amd64

8

The-MALWAR...ea2485

ubuntu-24.04-amd64

8

Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-01-2025 04:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll

  • Size

    628KB

  • MD5

    97a26d9e3598fea2e1715c6c77b645c2

  • SHA1

    c4bf3a00c9223201aa11178d0f0b53c761a551c4

  • SHA256

    e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f

  • SHA512

    acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c

  • SSDEEP

    12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Modifies registry class 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:4576
  • C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe
    1⤵
      PID:3948
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Pln.cmd
      1⤵
        PID:2208
      • C:\Windows\system32\rstrui.exe
        C:\Windows\system32\rstrui.exe
        1⤵
          PID:1240
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\sVr9k.cmd
          1⤵
          • Drops file in System32 directory
          PID:1236
        • C:\Windows\System32\fodhelper.exe
          "C:\Windows\System32\fodhelper.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:4940
          • C:\Windows\system32\cmd.exe
            "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\9m3F.cmd
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3668
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Create /F /TN "Kmcxh" /TR C:\Windows\system32\xo8xkeM\rstrui.exe /SC minute /MO 60 /RL highest
              3⤵
              • Scheduled Task/Job: Scheduled Task
              PID:3648
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kmcxh"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1792
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Query /TN "Kmcxh"
            2⤵
              PID:1588
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kmcxh"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:4960
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Query /TN "Kmcxh"
              2⤵
                PID:2824
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kmcxh"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:3504
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Query /TN "Kmcxh"
                2⤵
                  PID:3880
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kmcxh"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:1992
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Query /TN "Kmcxh"
                  2⤵
                    PID:3772
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kmcxh"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3552
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Query /TN "Kmcxh"
                    2⤵
                      PID:4492
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Kmcxh"
                    1⤵
                    • Suspicious use of WriteProcessMemory
                    PID:860
                    • C:\Windows\system32\schtasks.exe
                      schtasks.exe /Query /TN "Kmcxh"
                      2⤵
                        PID:4100

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\1503E.tmp
                      Filesize

                      628KB

                      MD5

                      762ebd271bc7d29e57bbb459a872b168

                      SHA1

                      361631efe1dfd5d16edea922255ab60ae13d05f8

                      SHA256

                      20bdf9a95cec144102f0bf6eacf3a11b7c864db3b7cee77f3d54791bdaef0f7b

                      SHA512

                      e591e606bc1e4202cf6060d0053839ef9d18e62102cf40227228c517ea967464ef9dc8c1643ed356eb930da421aa5cab52945d8bba75c5d41852fac66bcbd5b5

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\1zm7849.tmp
                      Filesize

                      628KB

                      MD5

                      ff19c44e063d4fb2c6af48056ba63811

                      SHA1

                      a959bccc17a5c36419199c42a30737c6684f43ab

                      SHA256

                      4aefae14a73d00ad8f61b54fd92ee6c96cdf8f92929fb4c152da390244c09d0d

                      SHA512

                      09916014f3d4661048ca2f4d1df15c487acca39598b08c1a44d958da63163d82e31b800ee8e1c1a0dbbbcd683db857efc8f83c2b82657d2c1d7a5f358f6caab6

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\9m3F.cmd
                      Filesize

                      123B

                      MD5

                      71d1752a68b2bd235b1ceb13948d6ea8

                      SHA1

                      d26f289d6f97cc47bd4dbd53c8b5b9bdd1641e34

                      SHA256

                      fd5195c9027f653ae470dac25b5abe913c9d3091d374a00a0027dc76bf48fbf0

                      SHA512

                      a352e88d40fc78680465f613c135151570fe5c32c5b90bc9bf65547d7baf4dea32af9624cc148fe44906a70245daae2b7be09baefa77387aed3547865b64ed36

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Pln.cmd
                      Filesize

                      243B

                      MD5

                      94eb02c4f8b77bd61d87e4cc22965b9e

                      SHA1

                      92cf6ee02fb11e33a135d40daf7f35864105e17c

                      SHA256

                      00289bc3d21b0fbf44d56512bf44f133ace9c7e71131123a6bdfcf15655c47d4

                      SHA512

                      3a3ffcb4f9e48736d0da9a3409c673ac3f13e1899ece3ec11da437a1a4cc94ae696da151fc4504a04ec23cc95951c424e91db192b5bb81bd517ab5874c4d9104

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\sVr9k.cmd
                      Filesize

                      198B

                      MD5

                      e086b267060efb6683b80b1a880318b3

                      SHA1

                      05d18ba23934f8f98c395de8ab29900645ea03a6

                      SHA256

                      492506d633182e0db7d85fe7fa48f505093d085f9c9e995734de2856b40b7aa5

                      SHA512

                      d318e248ae873dcb92d8a7f508ffc9003bd1a434565b0a7b591b063f8b949d8c469f6da5608e6b0163398b5d5d7ac01128286c46a18b1538849854705e44dae7

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\Lo5h\SystemPropertiesPerformance.exe
                      Filesize

                      82KB

                      MD5

                      e4fbf7cab8669c7c9cef92205d2f2ffc

                      SHA1

                      adbfa782b7998720fa85678cc85863b961975e28

                      SHA256

                      b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30

                      SHA512

                      c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

                      Download Submit

                    • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Fzrdqelbmr.lnk
                      Filesize

                      994B

                      MD5

                      e9b11177c012a717896559f0ebe826a0

                      SHA1

                      13b007d1f1050162b2ec140acb378e0f7f590475

                      SHA256

                      1f6eec6be38c6afea7d1c5576175a6452a4ff4f7edba327843ed7d5905f3946d

                      SHA512

                      28711ebbe8271f660678561e7c328255ec5b072b36af39519a2300af269199cccf0a59fc8f955d554359e2f393b1b099ac6fe4dd35ea58474eba97579654a15c

                      Download Submit

                    • memory/3448-14-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3448-8-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3448-20-0x00000000027C0000-0x00000000027C7000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/3448-13-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3448-11-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3448-33-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3448-31-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3448-10-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3448-9-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3448-24-0x00007FFBDBA00000-0x00007FFBDBA10000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/3448-7-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3448-21-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3448-4-0x00007FFBDA85A000-0x00007FFBDA85B000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3448-12-0x0000000140000000-0x000000014009D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/3448-3-0x00000000027E0000-0x00000000027E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4576-6-0x00007FFBCC800000-0x00007FFBCC89D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/4576-0-0x00007FFBCC800000-0x00007FFBCC89D000-memory.dmp

                      Filesize

                      628KB

                      Download

                    • memory/4576-2-0x0000019730860000-0x0000019730867000-memory.dmp

                      Filesize

                      28KB

                      Download