Overview

overview

9

Static

static

dridex

windows10_x64

9

Analysis

  • max time kernel
    62s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    21-10-2021 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6521c647241a2d90eed590f30a671bb59d0502474591d85c9b47da44f9ed9aa.exe

  • Size

    68KB

  • MD5

    80ee15eec2f947f29af93c199c6a5062

  • SHA1

    60df9a563d7ebc4f265f7aacc8f20ec2ea62643d

  • SHA256

    b6521c647241a2d90eed590f30a671bb59d0502474591d85c9b47da44f9ed9aa

  • SHA512

    25ea6e80266556be35685f48070a3eddfc8d9fb839ca782044eb4bd892881fffbdbb78499b1a9be356ab9770eca0e932cf748c22cc5f50eed9a6e0c89472fb72

Score
9/10
discoveryevasionpersistencespywarestealerthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 5 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6521c647241a2d90eed590f30a671bb59d0502474591d85c9b47da44f9ed9aa.exe
    "C:\Users\Admin\AppData\Local\Temp\b6521c647241a2d90eed590f30a671bb59d0502474591d85c9b47da44f9ed9aa.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Roaming\2930351.exe
      "C:\Users\Admin\AppData\Roaming\2930351.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1188
    • C:\Users\Admin\AppData\Roaming\3528269.exe
      "C:\Users\Admin\AppData\Roaming\3528269.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:444
    • C:\Users\Admin\AppData\Roaming\6881318.exe
      "C:\Users\Admin\AppData\Roaming\6881318.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3548
    • C:\Users\Admin\AppData\Roaming\3499288.exe
      "C:\Users\Admin\AppData\Roaming\3499288.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3592
      • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        3⤵
        • Executes dropped EXE
        PID:3864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\2930351.exe
    MD5

    4df98a640f478d4214aaf1b61853300b

    SHA1

    e9d52f289e35c594b7471e218eaeb2d914a55955

    SHA256

    de06a7e08701d5a924151a0dc90455fc7226e6a7e0d571a1ae7c28b34f3c8bb8

    SHA512

    ecce6683f22689b1934a81e20609718c3e356410faa9c983303669e326cbf86f1ece9c7a121a1ddc842680f6fd5fefe98f01caa48326ec2989bbe7f98fdc82b7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\2930351.exe
    MD5

    4df98a640f478d4214aaf1b61853300b

    SHA1

    e9d52f289e35c594b7471e218eaeb2d914a55955

    SHA256

    de06a7e08701d5a924151a0dc90455fc7226e6a7e0d571a1ae7c28b34f3c8bb8

    SHA512

    ecce6683f22689b1934a81e20609718c3e356410faa9c983303669e326cbf86f1ece9c7a121a1ddc842680f6fd5fefe98f01caa48326ec2989bbe7f98fdc82b7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3499288.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3499288.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3528269.exe
    MD5

    a8db1bf1f4246c4e715f93f2a18fbe59

    SHA1

    5486db0d84862e68c4b9f24160bdc895bf3a45aa

    SHA256

    3f6143b5b4286cedcc3c8adcb25b1a971e1657dde65cca796e117971c2ac58bd

    SHA512

    905652518f08a3b0dba61706389c29eb91f4e9eab2071c550b6b0eb4092451c5f5b1abf992536efc723aaa4f335f027aecde5342465487547043d7842c0602e8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\3528269.exe
    MD5

    a8db1bf1f4246c4e715f93f2a18fbe59

    SHA1

    5486db0d84862e68c4b9f24160bdc895bf3a45aa

    SHA256

    3f6143b5b4286cedcc3c8adcb25b1a971e1657dde65cca796e117971c2ac58bd

    SHA512

    905652518f08a3b0dba61706389c29eb91f4e9eab2071c550b6b0eb4092451c5f5b1abf992536efc723aaa4f335f027aecde5342465487547043d7842c0602e8

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6881318.exe
    MD5

    a983f21830995c68472ebfa937acf4ca

    SHA1

    37b652cdf432a14d658ace5447c51d6954fc8fdb

    SHA256

    8ad9e5bb76241b55016fcc32dfed84d2fe80d64463f781d408e2eb51c8beb3c0

    SHA512

    cd2c0c4b833d85a0e7cd1627d9a3fc9332b2c65821ea5f1982fde85568d4f008b263826210c6912222b98e6207268cde467f1010f775b77fa9633b51280494e3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\6881318.exe
    MD5

    a983f21830995c68472ebfa937acf4ca

    SHA1

    37b652cdf432a14d658ace5447c51d6954fc8fdb

    SHA256

    8ad9e5bb76241b55016fcc32dfed84d2fe80d64463f781d408e2eb51c8beb3c0

    SHA512

    cd2c0c4b833d85a0e7cd1627d9a3fc9332b2c65821ea5f1982fde85568d4f008b263826210c6912222b98e6207268cde467f1010f775b77fa9633b51280494e3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    MD5

    a20e32791806c7b29070b95226b0e480

    SHA1

    8f2bac75ffabbe45770076047ded99f243622e5f

    SHA256

    df24005d51e393ed322bbf354c31485dab121ae0a445a754e08bb7912d9cd146

    SHA512

    6cf6b6aa3d4d82e7f202c5a0d3fd9a1085e05dd136e0532702e61de6e9a09b76eb5ec2add7f3a3e926e304aab928bbc639661cf6380133c8e00c387d4e9f2ca0

    Download Submit
  • memory/444-159-0x0000000005500000-0x0000000005501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/444-182-0x0000000006A60000-0x0000000006A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/444-127-0x0000000000000000-mapping.dmp
    Download
  • memory/444-185-0x0000000006BA0000-0x0000000006BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/444-142-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/444-153-0x00000000053F0000-0x00000000053F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/444-154-0x00000000054C0000-0x00000000054C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/444-152-0x0000000077590000-0x000000007771E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/444-151-0x0000000005590000-0x0000000005591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/444-150-0x0000000005460000-0x0000000005461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/444-148-0x0000000005A10000-0x0000000005A11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-119-0x0000000000000000-mapping.dmp
    Download
  • memory/1188-132-0x000000000DC20000-0x000000000DC21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-140-0x0000000005050000-0x0000000005051000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-126-0x0000000002960000-0x0000000002961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-124-0x0000000002940000-0x0000000002941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-122-0x00000000004D0000-0x00000000004D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-130-0x000000000D990000-0x000000000D991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-138-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-136-0x00000000053B0000-0x00000000053B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-125-0x0000000004CD0000-0x0000000004D16000-memory.dmp
    Filesize

    280KB

    Download
  • memory/1188-131-0x000000000E090000-0x000000000E091000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1188-133-0x0000000004D90000-0x0000000004D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-115-0x0000000000D70000-0x0000000000D71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-118-0x0000000005590000-0x0000000005591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1680-117-0x0000000005500000-0x0000000005501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3548-177-0x0000000005C20000-0x0000000005C21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3548-194-0x00000000087F0000-0x00000000087F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3548-134-0x0000000000000000-mapping.dmp
    Download
  • memory/3548-160-0x00000000000C0000-0x00000000000C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3548-155-0x0000000077590000-0x000000007771E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3592-147-0x0000000000040000-0x0000000000041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3592-176-0x00000000021B0000-0x00000000021B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3592-156-0x00000000008A0000-0x00000000008A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3592-143-0x0000000000000000-mapping.dmp
    Download
  • memory/3864-178-0x0000000004B10000-0x0000000004B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3864-179-0x000000000ACA0000-0x000000000ACA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3864-166-0x0000000000000000-mapping.dmp
    Download