Overview

overview

8

Static

static

dridex

windows10_x64

8

Analysis

  • max time kernel
    119s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 12:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8.exe

  • Size

    135KB

  • MD5

    13d6542b23dfe0a254885ad5b6986141

  • SHA1

    893cd4ab98575b0e54f9d053fa0fa50b4f17cb33

  • SHA256

    2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8

  • SHA512

    e5e4229b0310eaa0b1aad3c2456a1b225aa472db73d146a01cf09dfef7ca7112eeaa904fb937deafe697f6894aa86b722b657b6b9b99ac8157d578d65957b681

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8.exe
    "C:\Users\Admin\AppData\Local\Temp\2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2264
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2624
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
    MD5

    13d6542b23dfe0a254885ad5b6986141

    SHA1

    893cd4ab98575b0e54f9d053fa0fa50b4f17cb33

    SHA256

    2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8

    SHA512

    e5e4229b0310eaa0b1aad3c2456a1b225aa472db73d146a01cf09dfef7ca7112eeaa904fb937deafe697f6894aa86b722b657b6b9b99ac8157d578d65957b681

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
    MD5

    13d6542b23dfe0a254885ad5b6986141

    SHA1

    893cd4ab98575b0e54f9d053fa0fa50b4f17cb33

    SHA256

    2d20a87aba63086438499e34bbc08de31f42162deb4800cd6fc780d2c35da4c8

    SHA512

    e5e4229b0310eaa0b1aad3c2456a1b225aa472db73d146a01cf09dfef7ca7112eeaa904fb937deafe697f6894aa86b722b657b6b9b99ac8157d578d65957b681

    Download Submit
  • memory/2064-115-0x00000000005D0000-0x000000000071A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2064-117-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/2264-116-0x0000000000000000-mapping.dmp
    Download
  • memory/2624-122-0x0000000000400000-0x00000000004A8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/2624-121-0x0000000000590000-0x00000000006DA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2812-120-0x0000000000000000-mapping.dmp
    Download