Overview

overview

10

Static

static

10

The-MALWAR...ot.exe

windows7-x64

10

The-MALWAR...ll.exe

windows7-x64

10

The-MALWAR...BS.exe

windows7-x64

10

The-MALWAR...in.exe

windows7-x64

7

The-MALWAR....A.exe

windows7-x64

7

The-MALWAR....A.exe

windows7-x64

10

The-MALWAR....A.dll

windows7-x64

7

The-MALWAR...r.xlsm

windows7-x64

10

The-MALWAR...36c859

windows7-x64

1

The-MALWAR...caa742

windows7-x64

1

The-MALWAR...c1a732

windows7-x64

1

The-MALWAR...57c046

windows7-x64

1

The-MALWAR...4cde86

windows7-x64

1

The-MALWAR...460a01

windows7-x64

1

The-MALWAR...ece0c5

windows7-x64

1

The-MALWAR...257619

windows7-x64

1

The-MALWAR...fbcc59

windows7-x64

1

The-MALWAR...54f69c

windows7-x64

1

The-MALWAR...d539a6

windows7-x64

1

The-MALWAR...4996dd

windows7-x64

1

The-MALWAR...8232d5

windows7-x64

1

The-MALWAR...66b948

windows7-x64

1

The-MALWAR...f9db86

windows7-x64

1

The-MALWAR...ea2485

windows7-x64

1

The-MALWAR...us.exe

windows7-x64

6

The-MALWAR....a.exe

windows7-x64

3

The-MALWAR....a.exe

windows7-x64

7

The-MALWAR...ok.exe

windows7-x64

10

The-MALWAR...y.html

windows7-x64

3

The-MALWAR...ft.exe

windows7-x64

4

The-MALWAR...en.exe

windows7-x64

6

The-MALWAR...min.js

windows7-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    25/02/2025, 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll

  • Size

    628KB

  • MD5

    97a26d9e3598fea2e1715c6c77b645c2

  • SHA1

    c4bf3a00c9223201aa11178d0f0b53c761a551c4

  • SHA256

    e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f

  • SHA512

    acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c

  • SSDEEP

    12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies registry class 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:2268
  • C:\Windows\system32\ddodiag.exe
    C:\Windows\system32\ddodiag.exe
    1⤵
      PID:2704
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\NuFWqB.cmd
      1⤵
        PID:2840
      • C:\Windows\system32\SnippingTool.exe
        C:\Windows\system32\SnippingTool.exe
        1⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        PID:2604
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\vDj.cmd
        1⤵
        • Drops file in System32 directory
        PID:2708
      • C:\Windows\System32\eventvwr.exe
        "C:\Windows\System32\eventvwr.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\fYOY.cmd
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1620
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Create /F /TN "Uofpoxfgtb" /TR C:\Windows\system32\7gMH\SnippingTool.exe /SC minute /MO 60 /RL highest
            3⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1528
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /Query /TN "Uofpoxfgtb"
          2⤵
            PID:2032
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:2868
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /Query /TN "Uofpoxfgtb"
            2⤵
              PID:1144
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
            1⤵
            • Suspicious use of WriteProcessMemory
            PID:2100
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /Query /TN "Uofpoxfgtb"
              2⤵
                PID:2188
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:836
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /Query /TN "Uofpoxfgtb"
                2⤵
                  PID:760
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:1856
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /Query /TN "Uofpoxfgtb"
                  2⤵
                    PID:1724
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Uofpoxfgtb"
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:344
                  • C:\Windows\system32\schtasks.exe
                    schtasks.exe /Query /TN "Uofpoxfgtb"
                    2⤵
                      PID:2324

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\NuFWqB.cmd
                    Filesize

                    233B

                    MD5

                    cad7747e80e0adaa152d525cd76a2f07

                    SHA1

                    fd881e8e2677431789a0468d58b16a4cb7157c61

                    SHA256

                    d6efcee0af7eb583c3a0a2a1b900d89bb0186047030a6d57cbb189890b4de96c

                    SHA512

                    bc82b457920c2b1c32d4a8729bc29506bb6a76287a29dba2f7af6423fbcc2a86e1167229fda8088ec9d3de1aa73d5c62637fe702b2cfd07a12d3c46003b01dd4

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\V34B.tmp
                    Filesize

                    628KB

                    MD5

                    ff46eb690fe76fde08ac27de82330e78

                    SHA1

                    0a6e01c08c676fd0c9b1eb6b058b5dacb8b1dc32

                    SHA256

                    ed3ec7ce9b1fd0a54d091289dfb7c897775b1c715a924fe88442fd1e1c5d9cee

                    SHA512

                    57255c988aab446b8ae138da0d5e97de3f04421ab61fc0d916b75a13ea8889e5f44b6fe449598a69c49d830f37ce6889daa24252c3055235e674de80b8f364c3

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\fYOY.cmd
                    Filesize

                    131B

                    MD5

                    6869bb67d2e145b09575925dcc3b2ed4

                    SHA1

                    d91c2d88c29dc5705863de5f45adcf5882cc8da5

                    SHA256

                    93dabebfe21549320b7b9ba9d4e5cd8e0df8211487c4ac93314c165f6c83f13d

                    SHA512

                    1f9f21a3511c1bec1362d7d3c7addcf9a8704de6949a5989fab32b16a00b85e32d48bce6486cf3d9258916bc152797ddc50f517fa01b3f954dd88375e24f9144

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\v2B46.tmp
                    Filesize

                    628KB

                    MD5

                    61accd5890280f912056abceed54d446

                    SHA1

                    df3df5c837adf54154ef25342fcd101916840081

                    SHA256

                    669ebcc899e4f1d31d51db6d7fa6b31d746a013a75e2da9423b6a7b17e6ad982

                    SHA512

                    05cf4c1d7d66c06d8b17ac51fac46e9c9bb35e5c195d55f83b93dcbf70b08e785aec9e1b3151dc8da03046d1571333dcc3b6d6fc7e82a9336a375c04d67ab137

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\vDj.cmd
                    Filesize

                    196B

                    MD5

                    77695ce944f76aa9e1f57454132d4012

                    SHA1

                    5656c392f721b31dfcdd6d9c7ccf68bf9f65eda3

                    SHA256

                    67ef504a14a10ecb1896479f34c58a8ac40eebdc68dc01fde7da100a26063762

                    SHA512

                    3e4e963dd1ff63ff4156a1eb427793222b78436bfedb7fe21bee70970522cd5baf71f2d4d7fcfd7be2bdc37f10f97aff3107599e876f31a8407eb6b10e2e8726

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kccgsbu.lnk
                    Filesize

                    884B

                    MD5

                    b2a09303ff362453c2ef7e987b4aeb4d

                    SHA1

                    23f23299a5a2b7dba687a496cbf6b7b95c2a4f7a

                    SHA256

                    a29235b80fda829a6b766963eb03bc7f19c473d1bf2e762033c894e8211f01bb

                    SHA512

                    405cd3e7653a65df9af00bc9c37f73291e8ed095b2b9a3d5dc969cb7a4a920199bb89c831a9f73891e11c0536db852ddb91927758981cecb6debaab49c0c76a2

                    Download Submit

                  • \Users\Admin\AppData\Roaming\NQmXr7z\ddodiag.exe
                    Filesize

                    42KB

                    MD5

                    509f9513ca16ba2f2047f5227a05d1a8

                    SHA1

                    fe8d63259cb9afa17da7b7b8ede4e75081071b1a

                    SHA256

                    ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e

                    SHA512

                    ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

                    Download Submit

                  • memory/1216-8-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-33-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-10-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-20-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-22-0x00000000775D1000-0x00000000775D2000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1216-21-0x0000000002640000-0x0000000002647000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/1216-14-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-13-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-11-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-23-0x0000000077730000-0x0000000077732000-memory.dmp

                    Filesize

                    8KB

                    Download

                  • memory/1216-36-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-9-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-32-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-43-0x00000000773C6000-0x00000000773C7000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1216-3-0x00000000773C6000-0x00000000773C7000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1216-7-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-12-0x0000000140000000-0x000000014009D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/1216-4-0x0000000002E10000-0x0000000002E11000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2268-6-0x000007FEF6CE0000-0x000007FEF6D7D000-memory.dmp

                    Filesize

                    628KB

                    Download

                  • memory/2268-2-0x0000000000110000-0x0000000000117000-memory.dmp

                    Filesize

                    28KB

                    Download

                  • memory/2268-0-0x000007FEF6CE0000-0x000007FEF6D7D000-memory.dmp

                    Filesize

                    628KB

                    Download