Overview

overview

10

Static

static

7

dridex

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

  • Size

    1.1MB

  • Sample

    220130-edre7afba2

  • MD5

    488bf62441ff75040d50da4c2bec376b

  • SHA1

    29931ab97f4cb72be955fd51994a895732da871e

  • SHA256

    afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

  • SHA512

    ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

Score
10/10
evasionpersistencethemidatrojan

Malware Config

Targets

    • Target

      afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

    • Size

      1.1MB

    • MD5

      488bf62441ff75040d50da4c2bec376b

    • SHA1

      29931ab97f4cb72be955fd51994a895732da871e

    • SHA256

      afaa0c0a07bab46b47bb11c43f4f9d7d53f9bcd7be742f8b350c19e13d70fdf9

    • SHA512

      ea5d8003f438fd0f220e0d0db76c47fc4ada982e65755e13e0fea8069da063075ef7a6930bf84ed7e2a4b6ccea5edab3ac03be51bbe888f522bbad183dde3047

    Score
    10/10
    evasionpersistencethemidatrojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Suspicious use of NtCreateProcessExOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Disabling Security Tools

1
T1089

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks