Overview

overview

9

Static

static

dridex

windows10_x64

9

Analysis

  • max time kernel
    144s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6d02ffc80658a75e14c93ff63b4704941124f1ab357c5ad1dc750205a38d823.exe

  • Size

    71KB

  • MD5

    b4479eaf03634d01b29504d10d756c2b

  • SHA1

    15117264212dd79ca5a7cb1a180c2f4cf8337fa4

  • SHA256

    c6d02ffc80658a75e14c93ff63b4704941124f1ab357c5ad1dc750205a38d823

  • SHA512

    856ce50c03f5fcc1ed8d9f01f9f436fe61950a85ec39e2e48db1e4a0206d7103b3e8f03b064859dfaabee8f04a0f977500283eaa493363a7bd32861febd3f05f

Score
9/10
discoveryevasionpersistencespywarestealerthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 7 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6d02ffc80658a75e14c93ff63b4704941124f1ab357c5ad1dc750205a38d823.exe
    "C:\Users\Admin\AppData\Local\Temp\c6d02ffc80658a75e14c93ff63b4704941124f1ab357c5ad1dc750205a38d823.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Users\Admin\AppData\Roaming\7639770.scr
      "C:\Users\Admin\AppData\Roaming\7639770.scr" /S
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2904
    • C:\Users\Admin\AppData\Roaming\6051877.scr
      "C:\Users\Admin\AppData\Roaming\6051877.scr" /S
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3772
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:1268
    • C:\Users\Admin\AppData\Roaming\2039295.scr
      "C:\Users\Admin\AppData\Roaming\2039295.scr" /S
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:532
    • C:\Users\Admin\AppData\Roaming\2432216.scr
      "C:\Users\Admin\AppData\Roaming\2432216.scr" /S
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3644
    • C:\Users\Admin\AppData\Roaming\4805325.scr
      "C:\Users\Admin\AppData\Roaming\4805325.scr" /S
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1792
    • C:\Users\Admin\AppData\Roaming\1210827.scr
      "C:\Users\Admin\AppData\Roaming\1210827.scr" /S
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\1210827.scr
    MD5

    f8448fbe34a9cfcae04bc6c9ec45755e

    SHA1

    b9d1f27e8cbc4527bd1b44dd589e714c3fc2474b

    SHA256

    8bdef052bb678168846735d11679997f6a0aaf58827fb0c419db0739c6f2e978

    SHA512

    ce1727e7fa79e6c5ed4a851fcbee56cd3c67a9273d795015554ed4bbe45bad318e67e2732564ad53e4a5890cded78cc38ba2700c93185fa5bd8ec38e2ad70d91

    Download Submit
  • C:\Users\Admin\AppData\Roaming\1210827.scr
    MD5

    f8448fbe34a9cfcae04bc6c9ec45755e

    SHA1

    b9d1f27e8cbc4527bd1b44dd589e714c3fc2474b

    SHA256

    8bdef052bb678168846735d11679997f6a0aaf58827fb0c419db0739c6f2e978

    SHA512

    ce1727e7fa79e6c5ed4a851fcbee56cd3c67a9273d795015554ed4bbe45bad318e67e2732564ad53e4a5890cded78cc38ba2700c93185fa5bd8ec38e2ad70d91

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2039295.scr
    MD5

    41b024c2772af7e0ee44f44d9c1b355b

    SHA1

    67d214ab1964fe2690ec66a855e5fdfab7aef927

    SHA256

    ec7b4d2dc1d89e112b3ecd49ff70df5098214e69d38536a2a24aee15e1991027

    SHA512

    79cce9684e259bdd42130e29f0264bdfa3868c76560cce12f3bb410fe768a78d842e2f054e057e546c860a6b71349c1b1647569ef5b3f26b1c66482a20d887d4

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2432216.scr
    MD5

    6023eac4d72969f9b0de8f828ea378ef

    SHA1

    1cb0d928e5edcc585eda6a268946c3ad00554e2f

    SHA256

    316816c6be1c77c09a93a5a27c780e7db33f6efd0459bbce3f796f63d3eba595

    SHA512

    053ebd616f45cd0878314ca4c110fca2ddd68cd935275d084e2b26026c7f14da0fc9f8903e5be6b9382559a95d4964769c7c70e9f6c78f6d6000598853019e36

    Download Submit
  • C:\Users\Admin\AppData\Roaming\4805325.scr
    MD5

    e4ba5731421dfa9fec766e7cb1927ae9

    SHA1

    93e17cfbdabb7f5eea14efb99516d5b6c45489d4

    SHA256

    c6a876f43adefb6be72ae43fbd4eb079301cbe7a052461b29bc87c2d5f98eca6

    SHA512

    bc9e16b1a5f75aea432816ea093b672c2b4dc46a29f2a45a7023bd4328c46e828be3efce1dc84bc6bd620a2d0f9eaba42c0f9d7767661f94cba0b23d9dbb23d6

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6051877.scr
    MD5

    189f317d17e76c9508138a99ba559789

    SHA1

    e7bb485fec167181daff91307695e9dcbbede996

    SHA256

    ceb9eb8c49009fd993ce1aacdf61464e9f091d4166816a2bd6a9ed19cdd5375a

    SHA512

    784b7c10e00b761d0c316b7ff96ac325f0bc29347b8824e482240d7df2e193517b99bf924c8a9d011e62f7d7a86405436d3ed4dfdf3a0165b82be95bd869af4b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6051877.scr
    MD5

    189f317d17e76c9508138a99ba559789

    SHA1

    e7bb485fec167181daff91307695e9dcbbede996

    SHA256

    ceb9eb8c49009fd993ce1aacdf61464e9f091d4166816a2bd6a9ed19cdd5375a

    SHA512

    784b7c10e00b761d0c316b7ff96ac325f0bc29347b8824e482240d7df2e193517b99bf924c8a9d011e62f7d7a86405436d3ed4dfdf3a0165b82be95bd869af4b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7639770.scr
    MD5

    2bffa3f9327a1bacdf6809219266e1e6

    SHA1

    9db7e9b73ab0f155080f212b7b9601e1f1d5361d

    SHA256

    4d0971ac3a17354f88ae34711f983d2b769f42fb886c70b00198617e791b63b0

    SHA512

    534e80e683ffafb0937b09b0493def0cb9d79e3b025da8689e2c7fbb4c983f1d5c7912d00661156ef7ea4607d97f4fa061d41310ae684a71fc043ccc62cf4442

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7639770.scr
    MD5

    2bffa3f9327a1bacdf6809219266e1e6

    SHA1

    9db7e9b73ab0f155080f212b7b9601e1f1d5361d

    SHA256

    4d0971ac3a17354f88ae34711f983d2b769f42fb886c70b00198617e791b63b0

    SHA512

    534e80e683ffafb0937b09b0493def0cb9d79e3b025da8689e2c7fbb4c983f1d5c7912d00661156ef7ea4607d97f4fa061d41310ae684a71fc043ccc62cf4442

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    189f317d17e76c9508138a99ba559789

    SHA1

    e7bb485fec167181daff91307695e9dcbbede996

    SHA256

    ceb9eb8c49009fd993ce1aacdf61464e9f091d4166816a2bd6a9ed19cdd5375a

    SHA512

    784b7c10e00b761d0c316b7ff96ac325f0bc29347b8824e482240d7df2e193517b99bf924c8a9d011e62f7d7a86405436d3ed4dfdf3a0165b82be95bd869af4b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    189f317d17e76c9508138a99ba559789

    SHA1

    e7bb485fec167181daff91307695e9dcbbede996

    SHA256

    ceb9eb8c49009fd993ce1aacdf61464e9f091d4166816a2bd6a9ed19cdd5375a

    SHA512

    784b7c10e00b761d0c316b7ff96ac325f0bc29347b8824e482240d7df2e193517b99bf924c8a9d011e62f7d7a86405436d3ed4dfdf3a0165b82be95bd869af4b

    Download Submit
  • memory/532-199-0x0000000007140000-0x0000000007141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/532-159-0x0000000005780000-0x0000000005781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/532-161-0x0000000005850000-0x0000000005851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/532-160-0x00000000057C0000-0x00000000057C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/532-158-0x0000000005860000-0x0000000005861000-memory.dmp
    Filesize

    4KB

    Download
  • memory/532-157-0x0000000005720000-0x0000000005721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/532-135-0x0000000000000000-mapping.dmp
    Download
  • memory/532-154-0x0000000005E70000-0x0000000005E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/532-153-0x0000000077000000-0x000000007718E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/532-151-0x0000000000170000-0x0000000000171000-memory.dmp
    Filesize

    4KB

    Download
  • memory/532-205-0x0000000007360000-0x0000000007361000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1268-148-0x0000000008740000-0x0000000008741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1268-137-0x0000000000000000-mapping.dmp
    Download
  • memory/1268-150-0x00000000056B0000-0x00000000056B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1268-145-0x0000000007C50000-0x0000000007C51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1696-186-0x00000000057E0000-0x00000000057E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1696-174-0x0000000000000000-mapping.dmp
    Download
  • memory/1696-177-0x0000000000EA0000-0x0000000000EA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1792-182-0x0000000000D60000-0x0000000000D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1792-188-0x0000000077000000-0x000000007718E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1792-171-0x0000000000000000-mapping.dmp
    Download
  • memory/1792-195-0x0000000006260000-0x0000000006261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2372-115-0x00000000002E0000-0x00000000002E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2372-118-0x000000001B0C0000-0x000000001B0C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2372-117-0x00000000007E0000-0x00000000007E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2904-132-0x0000000005B80000-0x0000000005B81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2904-131-0x00000000056C0000-0x00000000056C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2904-119-0x0000000000000000-mapping.dmp
    Download
  • memory/2904-133-0x0000000006280000-0x0000000006281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2904-134-0x0000000005DF0000-0x0000000005DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2904-126-0x0000000000E60000-0x0000000000E61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2904-147-0x0000000005E90000-0x0000000005E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3644-163-0x0000000077000000-0x000000007718E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3644-172-0x0000000005C60000-0x0000000005C61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3644-164-0x0000000000D40000-0x0000000000D41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3644-155-0x0000000000000000-mapping.dmp
    Download
  • memory/3772-130-0x0000000007860000-0x0000000007861000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3772-129-0x0000000004E40000-0x0000000004E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3772-125-0x00000000006F0000-0x00000000006F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3772-121-0x0000000000000000-mapping.dmp
    Download