Overview

overview

9

Static

static

dridex

windows10_x64

9

Analysis

  • max time kernel
    78s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    21-10-2021 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a70e20df0e0f4af3e365c7f00587f5b31f0048a9fd3091c4fcfc90000920749.exe

  • Size

    74KB

  • MD5

    40eeb8d964bc5f76d2eb5868e12f51b6

  • SHA1

    efe79b2057496d2106a4388e8f4b8a0150548da9

  • SHA256

    0a70e20df0e0f4af3e365c7f00587f5b31f0048a9fd3091c4fcfc90000920749

  • SHA512

    eb207df11812857949e56e00624f5655b40b60470a48b54c76100bc92d158e6e1687cb260ccef3e1c7c7d97fd18061d741c698c82683aff7a964f37982275d30

Score
9/10
discoveryevasionpersistencespywarestealerthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 6 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a70e20df0e0f4af3e365c7f00587f5b31f0048a9fd3091c4fcfc90000920749.exe
    "C:\Users\Admin\AppData\Local\Temp\0a70e20df0e0f4af3e365c7f00587f5b31f0048a9fd3091c4fcfc90000920749.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Users\Admin\AppData\Roaming\6094735.exe
      "C:\Users\Admin\AppData\Roaming\6094735.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3012
    • C:\Users\Admin\AppData\Roaming\928310.exe
      "C:\Users\Admin\AppData\Roaming\928310.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4428
    • C:\Users\Admin\AppData\Roaming\7006806.exe
      "C:\Users\Admin\AppData\Roaming\7006806.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4520
    • C:\Users\Admin\AppData\Roaming\6977121.exe
      "C:\Users\Admin\AppData\Roaming\6977121.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:1172
    • C:\Users\Admin\AppData\Roaming\1683304.exe
      "C:\Users\Admin\AppData\Roaming\1683304.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\1683304.exe
    MD5

    eca5a9ac4b5c0bd9735e66d1773b52fd

    SHA1

    af27bb06fe437c54d6e74f4642ae270af7581f85

    SHA256

    2d577b77b05b95f7264eb4d9c423fcea1ad781fde027f40a26931fce42d3842c

    SHA512

    24eeda96573421755d85d2e0adaa8b97ebef03eb1942b20051258d72b04d0cd2a14274a1ca0106d1ea6d3157e559008d86605885784e2bcba36ab4ad6749167c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\1683304.exe
    MD5

    eca5a9ac4b5c0bd9735e66d1773b52fd

    SHA1

    af27bb06fe437c54d6e74f4642ae270af7581f85

    SHA256

    2d577b77b05b95f7264eb4d9c423fcea1ad781fde027f40a26931fce42d3842c

    SHA512

    24eeda96573421755d85d2e0adaa8b97ebef03eb1942b20051258d72b04d0cd2a14274a1ca0106d1ea6d3157e559008d86605885784e2bcba36ab4ad6749167c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6094735.exe
    MD5

    4f7d10b92d12da0ff18665d97b47e41c

    SHA1

    1d33798862043bce4f32945defc409be9d8b4c1f

    SHA256

    a4fcdedd5c2776be6ef383379ceb3c035a0521c8550b208cd0d46b833afe738e

    SHA512

    eefdff04e48db768b0f7c3ae45c7f6c7c93689ea707d3fe4bb8ed20421d406aba9877920f532f9fe2c33aea78628ad14199d95431628c5f54f9606d48f09b612

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6094735.exe
    MD5

    4f7d10b92d12da0ff18665d97b47e41c

    SHA1

    1d33798862043bce4f32945defc409be9d8b4c1f

    SHA256

    a4fcdedd5c2776be6ef383379ceb3c035a0521c8550b208cd0d46b833afe738e

    SHA512

    eefdff04e48db768b0f7c3ae45c7f6c7c93689ea707d3fe4bb8ed20421d406aba9877920f532f9fe2c33aea78628ad14199d95431628c5f54f9606d48f09b612

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6977121.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6977121.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7006806.exe
    MD5

    a983f21830995c68472ebfa937acf4ca

    SHA1

    37b652cdf432a14d658ace5447c51d6954fc8fdb

    SHA256

    8ad9e5bb76241b55016fcc32dfed84d2fe80d64463f781d408e2eb51c8beb3c0

    SHA512

    cd2c0c4b833d85a0e7cd1627d9a3fc9332b2c65821ea5f1982fde85568d4f008b263826210c6912222b98e6207268cde467f1010f775b77fa9633b51280494e3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\7006806.exe
    MD5

    a983f21830995c68472ebfa937acf4ca

    SHA1

    37b652cdf432a14d658ace5447c51d6954fc8fdb

    SHA256

    8ad9e5bb76241b55016fcc32dfed84d2fe80d64463f781d408e2eb51c8beb3c0

    SHA512

    cd2c0c4b833d85a0e7cd1627d9a3fc9332b2c65821ea5f1982fde85568d4f008b263826210c6912222b98e6207268cde467f1010f775b77fa9633b51280494e3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\928310.exe
    MD5

    afb53e37a817304cb9ebd143418159c1

    SHA1

    eb5db5e0a6755c0aed544d2a037ac22928bcdc8b

    SHA256

    17849797ee055a10567c6ca129583db58386385a978f74cd19c9c662f1dc1726

    SHA512

    475466219bc1b7d9451478969385997656a5cc367a9bc1e6d5b26f0e6559b529ba7452e6825a9de4587278af9c52c80bb1dbdca35ebf35d68a2ed7a98b2e261a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\928310.exe
    MD5

    afb53e37a817304cb9ebd143418159c1

    SHA1

    eb5db5e0a6755c0aed544d2a037ac22928bcdc8b

    SHA256

    17849797ee055a10567c6ca129583db58386385a978f74cd19c9c662f1dc1726

    SHA512

    475466219bc1b7d9451478969385997656a5cc367a9bc1e6d5b26f0e6559b529ba7452e6825a9de4587278af9c52c80bb1dbdca35ebf35d68a2ed7a98b2e261a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • memory/1172-180-0x0000000005940000-0x0000000005941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-156-0x0000000000000000-mapping.dmp
    Download
  • memory/1172-175-0x00000000054B0000-0x00000000054B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3012-122-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3012-132-0x0000000008740000-0x0000000008741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3012-148-0x00000000083B0000-0x00000000083B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3012-153-0x0000000008450000-0x0000000008451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3012-131-0x0000000008040000-0x0000000008041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3012-130-0x0000000005B10000-0x0000000005B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3012-126-0x00000000031C0000-0x00000000031C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3012-125-0x0000000005310000-0x0000000005359000-memory.dmp
    Filesize

    292KB

    Download
  • memory/3012-139-0x0000000008210000-0x0000000008211000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3012-124-0x0000000003150000-0x0000000003151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3012-119-0x0000000000000000-mapping.dmp
    Download
  • memory/3716-115-0x0000000000630000-0x0000000000631000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3716-118-0x0000000004F10000-0x0000000004F11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3716-117-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3764-164-0x0000000002700000-0x0000000002748000-memory.dmp
    Filesize

    288KB

    Download
  • memory/3764-142-0x0000000000000000-mapping.dmp
    Download
  • memory/3764-150-0x00000000005D0000-0x00000000005D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3764-172-0x0000000000F40000-0x0000000000F41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3764-157-0x0000000000F30000-0x0000000000F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3764-168-0x0000000002760000-0x0000000002761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4428-186-0x00000000009D0000-0x00000000009D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4428-193-0x00000000776F0000-0x000000007787E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4428-194-0x0000000005390000-0x0000000005391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4428-127-0x0000000000000000-mapping.dmp
    Download
  • memory/4504-145-0x000000000AC10000-0x000000000AC11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4504-149-0x00000000010B0000-0x00000000010B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4504-135-0x0000000000000000-mapping.dmp
    Download
  • memory/4504-140-0x0000000000970000-0x0000000000971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4504-144-0x0000000005110000-0x0000000005111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4520-178-0x0000000005700000-0x0000000005701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4520-171-0x00000000056C0000-0x00000000056C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4520-151-0x00000000776F0000-0x000000007787E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/4520-177-0x0000000005870000-0x0000000005871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4520-165-0x0000000005E90000-0x0000000005E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4520-169-0x0000000005880000-0x0000000005881000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4520-167-0x00000000033B0000-0x00000000033B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4520-159-0x00000000012C0000-0x00000000012C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4520-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4520-197-0x0000000006E30000-0x0000000006E31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4520-200-0x00000000071F0000-0x00000000071F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4520-209-0x0000000007DB0000-0x0000000007DB1000-memory.dmp
    Filesize

    4KB

    Download