Overview

overview

10

Static

static

7

dridex

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    29-12-2021 20:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe

  • Size

    2.7MB

  • MD5

    99b6ee52d0dc5a07bff09373a8dda2fe

  • SHA1

    616c52af96614c86623829b604b0eda3cf29af28

  • SHA256

    7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067

  • SHA512

    338babef8e40c74ab6957b226e90457d9a0db9f4007235a2df699d4ba6797f571c957b743c1324acad579fd50fd128af47550e5680f92fa7ce276f5cc9d3c12e

Score
10/10
cryptbotdiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

cryptbot

C2

hevahu32.top

morypd03.top
Attributes
  • payload_url

    http://kyrpbr04.top/download.php?file=orrery.exe

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

    spywarestealercryptbot
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 16 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe
    "C:\Users\Admin\AppData\Local\Temp\7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Admin\AppData\Local\Temp\File.exe
      "C:\Users\Admin\AppData\Local\Temp\File.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
        "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        PID:2868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7b3296a5492a8b01ab3bb33164a1bb269630b396d6dd8234accce8e4c4d84067.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2908
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4
        3⤵
        • Delays execution with timeout.exe
        PID:3396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\File.exe
    MD5

    6f4c94326104917216f67d8511b58e76

    SHA1

    2cece96508040c197e778832ff4df1768b87479f

    SHA256

    5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf

    SHA512

    c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\File.exe
    MD5

    6f4c94326104917216f67d8511b58e76

    SHA1

    2cece96508040c197e778832ff4df1768b87479f

    SHA256

    5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf

    SHA512

    c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\CRUTBG~1.ZIP
    MD5

    00023c0ba717929107a5445b3cfe554b

    SHA1

    2cf3bfcadd6935fa180d266f2268bc5a643f3152

    SHA256

    20333027306eecf4201b20b6280897f63710276a8e00226bb7fa6b3857fa6fbc

    SHA512

    2def93a8a7b1b7e7410dee9d14c9afca934c76ab0fe0f41fca8350f1cb575776e20aff563b606d3835846085a447927cb9b8b511dc769985f3432bdd2306f0c2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\HLPUHN~1.ZIP
    MD5

    14b4c3020451a5337e20c34eac179af8

    SHA1

    7cacad89f5cbbd42d520f89d5bcded5c149f35f8

    SHA256

    2a8d93fdab021fc663a2cbe0b621c83333210209d65f82f2bb8d61c11cbf7ca4

    SHA512

    eb1dbfc757a7effdcbbc9be635b38725f0293e3e1492f42c1ad8c35dcddf6d1786735cf387442817129afa91edbfa74757f62280c73b9541310fb688dce47e87

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_Chrome\DEFAUL~1.BIN
    MD5

    f4b8e6e7ca32ed5ab1653cc327475cc0

    SHA1

    e7c30740b8cc28534d398ff4036e0cc6649619ce

    SHA256

    34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2

    SHA512

    edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_Chrome\DEFAUL~1.DB
    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_Chrome\DEFAUL~2.DB
    MD5

    055c8c5c47424f3c2e7a6fc2ee904032

    SHA1

    5952781d22cff35d94861fac25d89a39af6d0a87

    SHA256

    531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

    SHA512

    c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_Chrome\DEFAUL~3.DB
    MD5

    8ee018331e95a610680a789192a9d362

    SHA1

    e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

    SHA256

    94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

    SHA512

    4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_Files\RENAME~1.TXT
    MD5

    ccc1e1636bc273489df0f99e7847c1bd

    SHA1

    47c283cd8878a8f7b87ed975d1de192b86f43b27

    SHA256

    04b1907dc161d6de96f7d4f0159b6d573535a0d3e3841b2a7bb436ea62cbfa5a

    SHA512

    991e3f5663fc9bb76531b960587dd8fb18e538b07dbad6055abbdb89621412734e38975d496fe55531e4519214d82e9493d1044393ee18482dd094b8d327b9a5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_INFOR~1.TXT
    MD5

    b8ca58b7256a180415e81c2c8f09dbe0

    SHA1

    3c12b6d826babd7d74a029b7c0f6c05c288ae809

    SHA256

    8cfbb57b94be9704b7d47af0aaca3c796ec0cd2cedcf2fd1d656156ab1412cc7

    SHA512

    3e8b29d1f3564088901af8e3ecfb0084c8d8ba73d2c01c37735a235d516a318b98ffd51b63aef2c40567ff65f0022a0301efc5fed96650f0cdb1400829e64984

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\_Files\_SCREE~1.JPE
    MD5

    98a585429a98dba130734a729bc4bd63

    SHA1

    66535f3ade886bcfc3adf7f0c590e6713039bb47

    SHA256

    9d43f94d13c4e78b40a7f405dbd6702d0171298556ac40a2f350ffd90f14daf0

    SHA512

    7d648560c0dacd121876210d5360487838503419d91db89dd274343bd29f2922ea64535dd40bb2f8f0ca8ec21243ab5008361eff51ca47b56f82baaa17ac2b01

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\SCREEN~1.JPG
    MD5

    98a585429a98dba130734a729bc4bd63

    SHA1

    66535f3ade886bcfc3adf7f0c590e6713039bb47

    SHA256

    9d43f94d13c4e78b40a7f405dbd6702d0171298556ac40a2f350ffd90f14daf0

    SHA512

    7d648560c0dacd121876210d5360487838503419d91db89dd274343bd29f2922ea64535dd40bb2f8f0ca8ec21243ab5008361eff51ca47b56f82baaa17ac2b01

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\SYSTEM~1.TXT
    MD5

    b8ca58b7256a180415e81c2c8f09dbe0

    SHA1

    3c12b6d826babd7d74a029b7c0f6c05c288ae809

    SHA256

    8cfbb57b94be9704b7d47af0aaca3c796ec0cd2cedcf2fd1d656156ab1412cc7

    SHA512

    3e8b29d1f3564088901af8e3ecfb0084c8d8ba73d2c01c37735a235d516a318b98ffd51b63aef2c40567ff65f0022a0301efc5fed96650f0cdb1400829e64984

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\_Chrome\DEFAUL~1.BIN
    MD5

    f4b8e6e7ca32ed5ab1653cc327475cc0

    SHA1

    e7c30740b8cc28534d398ff4036e0cc6649619ce

    SHA256

    34abcff7dd7e3157dc78b58d9fc7ce57be556a550bcc6a2b2257c9b08107cbe2

    SHA512

    edc72a374b28b984d8d3ced5a27ddb1a91e843ab873f7b700eecea87c0dfea961359f7931ea127ee2b8edc2602968795c6b9f121622dffca23241736c44d8ae2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\_Chrome\DEFAUL~1.DB
    MD5

    b608d407fc15adea97c26936bc6f03f6

    SHA1

    953e7420801c76393902c0d6bb56148947e41571

    SHA256

    b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

    SHA512

    cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\_Chrome\DEFAUL~2.DB
    MD5

    055c8c5c47424f3c2e7a6fc2ee904032

    SHA1

    5952781d22cff35d94861fac25d89a39af6d0a87

    SHA256

    531b3121bd59938df4933972344d936a67e75d8b1741807a8a51c898d185dd2a

    SHA512

    c2772893695f49cb185add62c35284779b20d45adc01184f1912613fa8b2d70c8e785f0d7cfa3bfaf1d2d58e7cdc74f4304fd973a956601927719d6d370dd57a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\_Chrome\DEFAUL~3.DB
    MD5

    8ee018331e95a610680a789192a9d362

    SHA1

    e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9

    SHA256

    94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575

    SHA512

    4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\oppgenpglVdV\files_\files\RENAME~1.TXT
    MD5

    ccc1e1636bc273489df0f99e7847c1bd

    SHA1

    47c283cd8878a8f7b87ed975d1de192b86f43b27

    SHA256

    04b1907dc161d6de96f7d4f0159b6d573535a0d3e3841b2a7bb436ea62cbfa5a

    SHA512

    991e3f5663fc9bb76531b960587dd8fb18e538b07dbad6055abbdb89621412734e38975d496fe55531e4519214d82e9493d1044393ee18482dd094b8d327b9a5

    Download Submit
  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    MD5

    6f4c94326104917216f67d8511b58e76

    SHA1

    2cece96508040c197e778832ff4df1768b87479f

    SHA256

    5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf

    SHA512

    c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969

    Download Submit
  • C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
    MD5

    6f4c94326104917216f67d8511b58e76

    SHA1

    2cece96508040c197e778832ff4df1768b87479f

    SHA256

    5d78b8a09809b8d1b9974a27b55c9c71ce2aa8cc6846ba5cb9115b8ce44a14cf

    SHA512

    c51bf945e1435c6aab82544fb80854f00823bbc57d78b045da6ec70a9c44e9269f9080f85465fe6a10f69052c2a17f126dd75efd376c7ee169f5d9af4a9e9969

    Download Submit
  • memory/1752-143-0x0000000000E20000-0x0000000001510000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1752-140-0x0000000000E20000-0x0000000001510000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1752-120-0x0000000000000000-mapping.dmp
    Download
  • memory/1752-145-0x00000000774B0000-0x000000007763E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1752-144-0x0000000000E20000-0x0000000001510000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1752-141-0x0000000000E20000-0x0000000001510000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2732-115-0x0000000000B60000-0x000000000124F000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2732-117-0x00000000774B0000-0x000000007763E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2732-118-0x0000000000B60000-0x000000000124F000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2732-119-0x0000000000B60000-0x000000000124F000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2732-116-0x0000000000B60000-0x000000000124F000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2868-146-0x0000000000000000-mapping.dmp
    Download
  • memory/2868-149-0x0000000001060000-0x0000000001750000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2868-150-0x0000000001060000-0x0000000001750000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2868-151-0x0000000001060000-0x0000000001750000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2868-152-0x0000000001060000-0x0000000001750000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2868-153-0x00000000774B0000-0x000000007763E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/2908-123-0x0000000000000000-mapping.dmp
    Download
  • memory/3396-142-0x0000000000000000-mapping.dmp
    Download