Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    11-01-2022 10:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42e4e66240e60f5a0fcd4a7883b339f082522ce1bc63843c2ffb36a67bcf1415.exe

  • Size

    2.6MB

  • MD5

    6d146e3ddad2f5eff0479a9596c9b4ef

  • SHA1

    f7f5a96f3d72580acd6e15e32a899f7e39e83cf6

  • SHA256

    42e4e66240e60f5a0fcd4a7883b339f082522ce1bc63843c2ffb36a67bcf1415

  • SHA512

    ab467e0c509f821167b7bd1b9bade0a69e5811ee2e4447abadcb37447abec8ef52308419217b13d227a46ad9ce0198eec607037ca29fb15f20f60d6ea2e40b9a

Score
10/10
evasionpersistencetrojan

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 4 IoCs
    persistence
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs
    evasiontrojan
  • Disables Task Manager via registry modification
    evasion
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • System policy modification 1 TTPs 6 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\42e4e66240e60f5a0fcd4a7883b339f082522ce1bc63843c2ffb36a67bcf1415.exe
    "C:\Users\Admin\AppData\Local\Temp\42e4e66240e60f5a0fcd4a7883b339f082522ce1bc63843c2ffb36a67bcf1415.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\DriverintoSessiondllnet\h2YjT9qrkwkVWBPNB7hGt2.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4100
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\DriverintoSessiondllnet\IjEEoD6RrJAQi8mazuJy.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3456
        • C:\DriverintoSessiondllnet\DriverintoSessiondllnetreviewsaves.exe
          "C:\DriverintoSessiondllnet\DriverintoSessiondllnetreviewsaves.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2020
          • C:\Windows\System32\ntlanman\audiodg.exe
            "C:\Windows\System32\ntlanman\audiodg.exe"
            5⤵
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious use of AdjustPrivilegeToken
            • System policy modification
            PID:4244
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\System32\ntlanman\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\fr-FR\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\DeviceProperties\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3212
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\SysWOW64\NotificationObjFactory\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3776

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\DriverintoSessiondllnet\DriverintoSessiondllnetreviewsaves.exe
    MD5

    9373e0a3254a88132b1be02996d8557c

    SHA1

    9ffff5c96df7af813945efd265b6c764e45fc4d6

    SHA256

    5818445d37fb7945c127dec0a8df0a253c200c0b5846ba1a39dedfee4cbb147c

    SHA512

    c628c87429dfae629109c15955d81c680f6994f213b27d08350e77975a2d27640423daa9ad65e33e514b2f39812fca0187be3ec3b40b06f450695b7f7bf7578c

    Download Submit

  • C:\DriverintoSessiondllnet\DriverintoSessiondllnetreviewsaves.exe
    MD5

    9373e0a3254a88132b1be02996d8557c

    SHA1

    9ffff5c96df7af813945efd265b6c764e45fc4d6

    SHA256

    5818445d37fb7945c127dec0a8df0a253c200c0b5846ba1a39dedfee4cbb147c

    SHA512

    c628c87429dfae629109c15955d81c680f6994f213b27d08350e77975a2d27640423daa9ad65e33e514b2f39812fca0187be3ec3b40b06f450695b7f7bf7578c

    Download Submit

  • C:\DriverintoSessiondllnet\IjEEoD6RrJAQi8mazuJy.bat
    MD5

    b9dd300b621f20c69a4ff3d618f1ac71

    SHA1

    b0a8ce76b94f8989c268701b1bf262ebc6f1c385

    SHA256

    4bd543300a28e4d10e3204cc7b59ec6b4494f0d719ca15d7e8252ede2485694b

    SHA512

    c037757c2d34fe96792726a69a34cdee436ff4826957253c90782dcb87b23c3fb0dd2d6095b1f1bbef864bde9e0830a02569bfccb1fd15dbdae3fd6a27263323

    Download Submit

  • C:\DriverintoSessiondllnet\h2YjT9qrkwkVWBPNB7hGt2.vbe
    MD5

    dee061d2e195b3e6d23521afbdd6e67f

    SHA1

    00174d878f75f803a4e5d33c694c26ef74659ccc

    SHA256

    ab080c5cae3e0292cf40c6ef8150da8941e68d242423e83c08e18c709179ed15

    SHA512

    39b6c4f0b4d9478910b6b7552a779a07b9775039cbc5760a84e0dc66f215576abfcb7cb6d0993ed3e7d11f4e8406a101b6f8baa98997433bb730098edec53e57

    Download Submit

  • C:\Windows\System32\ntlanman\audiodg.exe
    MD5

    9373e0a3254a88132b1be02996d8557c

    SHA1

    9ffff5c96df7af813945efd265b6c764e45fc4d6

    SHA256

    5818445d37fb7945c127dec0a8df0a253c200c0b5846ba1a39dedfee4cbb147c

    SHA512

    c628c87429dfae629109c15955d81c680f6994f213b27d08350e77975a2d27640423daa9ad65e33e514b2f39812fca0187be3ec3b40b06f450695b7f7bf7578c

    Download Submit

  • C:\Windows\System32\ntlanman\audiodg.exe
    MD5

    9373e0a3254a88132b1be02996d8557c

    SHA1

    9ffff5c96df7af813945efd265b6c764e45fc4d6

    SHA256

    5818445d37fb7945c127dec0a8df0a253c200c0b5846ba1a39dedfee4cbb147c

    SHA512

    c628c87429dfae629109c15955d81c680f6994f213b27d08350e77975a2d27640423daa9ad65e33e514b2f39812fca0187be3ec3b40b06f450695b7f7bf7578c

    Download Submit

  • memory/444-142-0x0000000000000000-mapping.dmp

    Download

  • memory/2020-135-0x000000001AFE0000-0x000000001AFE8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2020-131-0x000000001AF80000-0x000000001AFD6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/2020-124-0x0000000000340000-0x0000000000588000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2020-125-0x0000000000340000-0x0000000000588000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2020-126-0x000000001B1D0000-0x000000001B1D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2020-127-0x0000000002530000-0x000000000253C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2020-128-0x0000000002540000-0x0000000002548000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2020-129-0x0000000002550000-0x0000000002560000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2020-130-0x0000000002580000-0x000000000258A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2020-121-0x0000000000000000-mapping.dmp

    Download

  • memory/2020-132-0x0000000002570000-0x000000000257A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2020-133-0x0000000002590000-0x0000000002598000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2020-134-0x000000001AFD0000-0x000000001AFD8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2020-138-0x000000001B120000-0x000000001B12C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2020-136-0x000000001B100000-0x000000001B108000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2020-137-0x000000001B110000-0x000000001B11C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/3364-116-0x0000000000040000-0x0000000000041000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3364-115-0x0000000000040000-0x0000000000041000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3456-120-0x0000000000000000-mapping.dmp

    Download

  • memory/4100-117-0x0000000000000000-mapping.dmp

    Download

  • memory/4244-139-0x0000000000000000-mapping.dmp

    Download

  • memory/4244-144-0x0000000000C20000-0x0000000000E68000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4244-143-0x0000000000C20000-0x0000000000E68000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4244-145-0x0000000001550000-0x000000000155C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4244-146-0x0000000001560000-0x0000000001568000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4244-147-0x0000000001570000-0x0000000001580000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-148-0x00000000015A0000-0x00000000015AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4244-149-0x0000000002FC0000-0x0000000003016000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4244-150-0x0000000001580000-0x000000000158A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4244-151-0x0000000001590000-0x0000000001598000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4244-152-0x00000000015B0000-0x00000000015B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4244-153-0x00000000015C0000-0x00000000015C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4244-154-0x0000000001780000-0x0000000001788000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4244-155-0x0000000001790000-0x000000000179C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4244-156-0x0000000001770000-0x000000000177C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4244-157-0x000000001BBA0000-0x000000001BBA2000-memory.dmp

    Filesize

    8KB

    Download