Overview

overview

8

Static

static

dridex

windows10_x64

8

Analysis

  • max time kernel
    68s
  • max time network
    71s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    26-09-2021 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348.exe

  • Size

    134KB

  • MD5

    2cd9ee84b4da1a802e9f5082a5ffeb6d

  • SHA1

    f6cd9b6b5561456c8a0d8880e2a468bd2256618a

  • SHA256

    0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348

  • SHA512

    e64ed4bd1cf7974cb0392f1fe37c81372035808db2b6fa34d80daa3af20ef588b536a9242dba7f9e6c9a52ab6f588defbb9020674dcd2b8f559311169241713f

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348.exe
    "C:\Users\Admin\AppData\Local\Temp\0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:788
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3792
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:3936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
    MD5

    2cd9ee84b4da1a802e9f5082a5ffeb6d

    SHA1

    f6cd9b6b5561456c8a0d8880e2a468bd2256618a

    SHA256

    0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348

    SHA512

    e64ed4bd1cf7974cb0392f1fe37c81372035808db2b6fa34d80daa3af20ef588b536a9242dba7f9e6c9a52ab6f588defbb9020674dcd2b8f559311169241713f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
    MD5

    2cd9ee84b4da1a802e9f5082a5ffeb6d

    SHA1

    f6cd9b6b5561456c8a0d8880e2a468bd2256618a

    SHA256

    0e0024c2ca6388bf69ef07a39a6bd45e88e739e6bcd0cb09aff9f0f85ff88348

    SHA512

    e64ed4bd1cf7974cb0392f1fe37c81372035808db2b6fa34d80daa3af20ef588b536a9242dba7f9e6c9a52ab6f588defbb9020674dcd2b8f559311169241713f

    Download Submit
  • memory/620-114-0x00000000001E0000-0x00000000001E4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/620-115-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/788-116-0x0000000000000000-mapping.dmp
    Download
  • memory/3792-121-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/3792-120-0x00000000005D0000-0x000000000071A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/3936-119-0x0000000000000000-mapping.dmp
    Download