Overview

overview

9

Static

static

dridex

windows10_x64

9

Analysis

  • max time kernel
    66s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    21-10-2021 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0171e9e9eeeb770d96f761afc719ec455f1798fa81f7a0bf99854ea08a11b5b9.exe

  • Size

    75KB

  • MD5

    30386b3f9d7964ad395d9853be17ddc1

  • SHA1

    f442060c820565873539183465a2f5784fee1b63

  • SHA256

    0171e9e9eeeb770d96f761afc719ec455f1798fa81f7a0bf99854ea08a11b5b9

  • SHA512

    aa55e95107d504a7cae31ed7dff9202e3cce145ab4df3d4ba2cc873350d718921c16a25accc693bd5c696e3eccdd53729d7e67cee74e8155f6ced7c4612248c4

Score
9/10
discoveryevasionpersistencespywarestealerthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 6 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0171e9e9eeeb770d96f761afc719ec455f1798fa81f7a0bf99854ea08a11b5b9.exe
    "C:\Users\Admin\AppData\Local\Temp\0171e9e9eeeb770d96f761afc719ec455f1798fa81f7a0bf99854ea08a11b5b9.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Users\Admin\AppData\Roaming\7027630.exe
      "C:\Users\Admin\AppData\Roaming\7027630.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:752
    • C:\Users\Admin\AppData\Roaming\4086441.exe
      "C:\Users\Admin\AppData\Roaming\4086441.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4224
    • C:\Users\Admin\AppData\Roaming\2459122.exe
      "C:\Users\Admin\AppData\Roaming\2459122.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4364
    • C:\Users\Admin\AppData\Roaming\6625830.exe
      "C:\Users\Admin\AppData\Roaming\6625830.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:1220
    • C:\Users\Admin\AppData\Roaming\6312381.exe
      "C:\Users\Admin\AppData\Roaming\6312381.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\2459122.exe
    MD5

    a983f21830995c68472ebfa937acf4ca

    SHA1

    37b652cdf432a14d658ace5447c51d6954fc8fdb

    SHA256

    8ad9e5bb76241b55016fcc32dfed84d2fe80d64463f781d408e2eb51c8beb3c0

    SHA512

    cd2c0c4b833d85a0e7cd1627d9a3fc9332b2c65821ea5f1982fde85568d4f008b263826210c6912222b98e6207268cde467f1010f775b77fa9633b51280494e3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2459122.exe
    MD5

    a983f21830995c68472ebfa937acf4ca

    SHA1

    37b652cdf432a14d658ace5447c51d6954fc8fdb

    SHA256

    8ad9e5bb76241b55016fcc32dfed84d2fe80d64463f781d408e2eb51c8beb3c0

    SHA512

    cd2c0c4b833d85a0e7cd1627d9a3fc9332b2c65821ea5f1982fde85568d4f008b263826210c6912222b98e6207268cde467f1010f775b77fa9633b51280494e3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\4086441.exe
    MD5

    a8db1bf1f4246c4e715f93f2a18fbe59

    SHA1

    5486db0d84862e68c4b9f24160bdc895bf3a45aa

    SHA256

    3f6143b5b4286cedcc3c8adcb25b1a971e1657dde65cca796e117971c2ac58bd

    SHA512

    905652518f08a3b0dba61706389c29eb91f4e9eab2071c550b6b0eb4092451c5f5b1abf992536efc723aaa4f335f027aecde5342465487547043d7842c0602e8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\4086441.exe
    MD5

    a8db1bf1f4246c4e715f93f2a18fbe59

    SHA1

    5486db0d84862e68c4b9f24160bdc895bf3a45aa

    SHA256

    3f6143b5b4286cedcc3c8adcb25b1a971e1657dde65cca796e117971c2ac58bd

    SHA512

    905652518f08a3b0dba61706389c29eb91f4e9eab2071c550b6b0eb4092451c5f5b1abf992536efc723aaa4f335f027aecde5342465487547043d7842c0602e8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6312381.exe
    MD5

    eca5a9ac4b5c0bd9735e66d1773b52fd

    SHA1

    af27bb06fe437c54d6e74f4642ae270af7581f85

    SHA256

    2d577b77b05b95f7264eb4d9c423fcea1ad781fde027f40a26931fce42d3842c

    SHA512

    24eeda96573421755d85d2e0adaa8b97ebef03eb1942b20051258d72b04d0cd2a14274a1ca0106d1ea6d3157e559008d86605885784e2bcba36ab4ad6749167c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6312381.exe
    MD5

    eca5a9ac4b5c0bd9735e66d1773b52fd

    SHA1

    af27bb06fe437c54d6e74f4642ae270af7581f85

    SHA256

    2d577b77b05b95f7264eb4d9c423fcea1ad781fde027f40a26931fce42d3842c

    SHA512

    24eeda96573421755d85d2e0adaa8b97ebef03eb1942b20051258d72b04d0cd2a14274a1ca0106d1ea6d3157e559008d86605885784e2bcba36ab4ad6749167c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6625830.exe
    MD5

    9ec6ecf38cb040515dd99edc3e964c10

    SHA1

    96013003c9055983f9e9411613364d6c29169738

    SHA256

    80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

    SHA512

    1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6625830.exe
    MD5

    9ec6ecf38cb040515dd99edc3e964c10

    SHA1

    96013003c9055983f9e9411613364d6c29169738

    SHA256

    80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

    SHA512

    1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7027630.exe
    MD5

    55c4b78d0f180c8bb04f211614233373

    SHA1

    5a75c18fe18834f6e6c7a2f47a1b3d37d962755b

    SHA256

    970c933e53e4c8a0427cf5bd08f98fd38d387cb39720cd2f2be92b504eb1b6d0

    SHA512

    9316bf25813b5f78883da82827e89253fbd71b7616f6254638929be5f6e8c5d20b31b9af6852399c0a3e483353792db37d3cf40413f4ecbd44732d41363cce4a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7027630.exe
    MD5

    55c4b78d0f180c8bb04f211614233373

    SHA1

    5a75c18fe18834f6e6c7a2f47a1b3d37d962755b

    SHA256

    970c933e53e4c8a0427cf5bd08f98fd38d387cb39720cd2f2be92b504eb1b6d0

    SHA512

    9316bf25813b5f78883da82827e89253fbd71b7616f6254638929be5f6e8c5d20b31b9af6852399c0a3e483353792db37d3cf40413f4ecbd44732d41363cce4a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    9ec6ecf38cb040515dd99edc3e964c10

    SHA1

    96013003c9055983f9e9411613364d6c29169738

    SHA256

    80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

    SHA512

    1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    9ec6ecf38cb040515dd99edc3e964c10

    SHA1

    96013003c9055983f9e9411613364d6c29169738

    SHA256

    80db68b4b0216a5371497f59d688d88108efe0bbf3d3fea1b969cde9ce8d4168

    SHA512

    1a7746ddf8f0a660fe4fa6b7fce03c922f2c027550388dd50910d2969ca6390b5b792644dcfd6562ef2ac44b74940547c6281806b30772cfa41415722f7eb323

    Download Submit
  • memory/752-133-0x0000000004E20000-0x0000000004E21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-125-0x0000000004BF0000-0x0000000004C36000-memory.dmp
    Filesize

    280KB

    Download
  • memory/752-148-0x0000000005440000-0x0000000005441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-122-0x0000000000310000-0x0000000000311000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-126-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-127-0x000000000D7E0000-0x000000000D7E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-152-0x0000000005030000-0x0000000005031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-155-0x00000000050D0000-0x00000000050D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-132-0x000000000D9B0000-0x000000000D9B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-119-0x0000000000000000-mapping.dmp
    Download
  • memory/752-130-0x000000000DEE0000-0x000000000DEE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/752-124-0x00000000025A0000-0x00000000025A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1220-160-0x0000000000000000-mapping.dmp
    Download
  • memory/1220-178-0x00000000048C0000-0x00000000048C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1220-177-0x00000000009F0000-0x00000000009F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2240-162-0x00000000027D0000-0x00000000027D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2240-176-0x0000000005030000-0x0000000005031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2240-143-0x0000000000000000-mapping.dmp
    Download
  • memory/2240-170-0x0000000004950000-0x0000000004951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2240-157-0x0000000000740000-0x0000000000741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2240-169-0x00000000048F0000-0x0000000004938000-memory.dmp
    Filesize

    288KB

    Download
  • memory/3212-137-0x0000000000000000-mapping.dmp
    Download
  • memory/3212-150-0x00000000016A0000-0x00000000016A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3212-144-0x0000000000E40000-0x0000000000E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4068-118-0x00000000014F0000-0x00000000014F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4068-115-0x0000000000A00000-0x0000000000A01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4068-117-0x0000000001490000-0x0000000001491000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4224-142-0x0000000077790000-0x000000007791E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4224-156-0x00000000055B0000-0x00000000055B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4224-166-0x0000000005670000-0x0000000005671000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4224-128-0x0000000000000000-mapping.dmp
    Download
  • memory/4224-161-0x0000000005620000-0x0000000005621000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4224-158-0x0000000005740000-0x0000000005741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4224-151-0x0000000005C40000-0x0000000005C41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4224-199-0x0000000006CE0000-0x0000000006CE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4224-146-0x0000000000820000-0x0000000000821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4224-163-0x0000000005630000-0x0000000005631000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4224-197-0x0000000006C20000-0x0000000006C21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4364-193-0x00000000058C0000-0x00000000058C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4364-192-0x0000000077790000-0x000000007791E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4364-185-0x0000000001150000-0x0000000001151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4364-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4364-208-0x0000000007E50000-0x0000000007E51000-memory.dmp
    Filesize

    4KB

    Download