Overview

overview

8

Static

static

dridex

windows10-2004_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    171s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    31-01-2022 00:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    05ba36adc06b3ca377293860d2fc9663ef886d04f13b524f34d1d21bce10fb84.exe

  • Size

    830KB

  • MD5

    988ba4728db4c7fb5bbe34c07c298856

  • SHA1

    57192a3a61012f0eeb7afab21c97e3b23a08cbce

  • SHA256

    05ba36adc06b3ca377293860d2fc9663ef886d04f13b524f34d1d21bce10fb84

  • SHA512

    54cf9189d057aacdd2e5d989660a045590cbe361871c8f89d1af3c662b146cf6f6c9647b2e9d2507022ff73b9bdb85e3aa6735af7eb6914880d41375d415667b

Score
8/10
persistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Drops file in Windows directory 6 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\05ba36adc06b3ca377293860d2fc9663ef886d04f13b524f34d1d21bce10fb84.exe
    "C:\Users\Admin\AppData\Local\Temp\05ba36adc06b3ca377293860d2fc9663ef886d04f13b524f34d1d21bce10fb84.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Local\OpenBoxAddIn_2022131450\prerequisites\setup.exe
      C:\Users\Admin\AppData\Local\OpenBoxAddIn_2022131450\prerequisites\setup.exe
      2⤵
      • Executes dropped EXE
      PID:4916
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 19a3d3911e61f5fba7f04237b84676e1 Wf+mdQd1LUu2b7HNOycV8g.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:4676
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\OpenBoxAddIn_2022131450\prerequisites\setup.exe
    MD5

    242601e34bc56f41709f376706aad640

    SHA1

    0262974e437c644d891bc81ea16122b6b8cb37d2

    SHA256

    d43fee20211443a24dac895080137efabedf45e8b11aa98e552a9d2add734440

    SHA512

    5069f41d16c8b42b653e925937752fc8275cba23fd984949407518ba4d407e28954c0d9c4b2c2fbfafebaa7c29bd2bd253c06a534ba1b4e228ed86f6f2ee3bb8

    Download Submit
  • C:\Users\Admin\AppData\Local\OpenBoxAddIn_2022131450\prerequisites\setup.exe
    MD5

    242601e34bc56f41709f376706aad640

    SHA1

    0262974e437c644d891bc81ea16122b6b8cb37d2

    SHA256

    d43fee20211443a24dac895080137efabedf45e8b11aa98e552a9d2add734440

    SHA512

    5069f41d16c8b42b653e925937752fc8275cba23fd984949407518ba4d407e28954c0d9c4b2c2fbfafebaa7c29bd2bd253c06a534ba1b4e228ed86f6f2ee3bb8

    Download Submit
  • memory/232-154-0x00000227BA5C0000-0x00000227BA5C4000-memory.dmp
    Filesize

    16KB

    Download