Overview

overview

9

Static

static

7

dridex

windows10_x64

9

Analysis

  • max time kernel
    120s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    04-01-2022 10:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    47fc82f745787ef02d2e51a15e7ce14ab2a1a278b82a49840a48cc337782aac1.exe

  • Size

    4.0MB

  • MD5

    897502356def468c85b24a68759bcc7e

  • SHA1

    582e2bc638a2674aad18f61f620f1523dc8c574f

  • SHA256

    47fc82f745787ef02d2e51a15e7ce14ab2a1a278b82a49840a48cc337782aac1

  • SHA512

    ee1f1ccc2dd5594a4ef3aff25bb9642f2b9c2baff093c571801f19876535354c1364c207919f1b9d519ce5adcc07913adf74e7682999f64205253b2c274f4edb

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\47fc82f745787ef02d2e51a15e7ce14ab2a1a278b82a49840a48cc337782aac1.exe
    "C:\Users\Admin\AppData\Local\Temp\47fc82f745787ef02d2e51a15e7ce14ab2a1a278b82a49840a48cc337782aac1.exe"
    1⤵
    • Checks BIOS information in registry
    • Drops startup file
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:3664
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3664 -s 1372
      2⤵
      • Program crash
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3664-115-0x00007FF65E810000-0x00007FF65EC10000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/3664-116-0x00007FF65E810000-0x00007FF65EC10000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/3664-117-0x0000000003380000-0x0000000003406000-memory.dmp
    Filesize

    536KB

    Download
  • memory/3664-118-0x00007FFE80000000-0x00007FFE80002000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3664-119-0x00007FFE80030000-0x00007FFE80031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3664-120-0x000000001CBC0000-0x000000001CBC2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3664-121-0x00000000032A0000-0x00000000032F0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3664-122-0x0000000003260000-0x000000000326C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3664-123-0x0000000003420000-0x0000000003474000-memory.dmp
    Filesize

    336KB

    Download
  • memory/3664-124-0x000000001CB50000-0x000000001CB9C000-memory.dmp
    Filesize

    304KB

    Download