Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    182s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    12/06/2022, 11:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    90203596e5a4c28eec4a53453233479d4f46aa122c28cac6c08c2b0baca95875.exe

  • Size

    2.8MB

  • MD5

    d984a914514f03b8c85625f49cee892d

  • SHA1

    b3153ce0066527585f42f5f0ccdaef4a8cafbf0b

  • SHA256

    90203596e5a4c28eec4a53453233479d4f46aa122c28cac6c08c2b0baca95875

  • SHA512

    3399018b7f9eee1c1eb599ddf9b62aa0bc633c8c1c260cca9a8f19454fad181d42f11462f46b870a4b4d5de0d0dbf79bcb8e0e13c5c5107bbd01388c939bf2ed

Score
10/10
blackguardcollectionpersistencespywarestealersuricata

Malware Config

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • suricata: ET MALWARE BlackGuard_v2 Data Exfiltration Observed

    suricata: ET MALWARE BlackGuard_v2 Data Exfiltration Observed

    suricata
  • suricata: ET MALWARE MSIL/BlackGuard Stealer Exfil Activity

    suricata: ET MALWARE MSIL/BlackGuard Stealer Exfil Activity

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 13 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90203596e5a4c28eec4a53453233479d4f46aa122c28cac6c08c2b0baca95875.exe
    "C:\Users\Admin\AppData\Local\Temp\90203596e5a4c28eec4a53453233479d4f46aa122c28cac6c08c2b0baca95875.exe"
    1⤵
    • Loads dropped DLL
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • outlook_office_path
    • outlook_win_path
    PID:2488
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
      • Modifies Internet Explorer settings
      PID:2604
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://127.0.0.1:12702
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2472 CREDAT:82945 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3832
    • C:\Users\Admin\AppData\Local\Temp\tmpAB76.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpAB76.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1196
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp52ED.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:32
        • C:\Windows\system32\timeout.exe
          timeout 6
          4⤵
          • Delays execution with timeout.exe
          PID:164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /f /sc MINUTE /mo 5 /tn "Infrastructure protection v3.39" /tr "'C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe"'
          4⤵
          • Creates scheduled task(s)
          PID:2724
        • C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe
          "C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2412

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe
          Filesize

          201.3MB

          MD5

          0f65866bf4b16c324164dc01f98edb8c

          SHA1

          be64a237e47e1db2a0938161b7d373a6ca9278e9

          SHA256

          aa7c0be8d0498962fe58c0cba21a2abf573933704e28affb2d6cc4b1060ce328

          SHA512

          c30d8360d2462b34b835678d9149476b3e052216f1e7c333076b3e50deff01963bbd6b7a5fe0e1a0cc4f616b11a701067b52df45318e25123725b815022a9e07

          Download Submit

        • C:\Users\Admin\AppData\Local\Infrastructure protection v3.39\Infrastructureprotection.exe
          Filesize

          217.4MB

          MD5

          736c72536c5f3dab5b60f53667f5ac96

          SHA1

          5d26a4e41e1b4d6c1ec0b1105634097e3ab3dee5

          SHA256

          6ae45700768a077fbfed2a0e3247205563fa519203112f3dbdafca7f402a3c5a

          SHA512

          1140f30be52b0ba56a4a58d574fece550a80a622ed391ed724e00bd13bc410b01d37cf6a2884bd3df73aefb4fbf7037c688e824de62db00f6c74235dae64e6cd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmp52ED.tmp.bat
          Filesize

          439B

          MD5

          e3708cd9ce491e1ec1eebbb9389c169a

          SHA1

          7b931f5e206c28ad9483be63966cd56301e21d5e

          SHA256

          59ad2b8116929042e5ccf40056d16c19feac29f429016079094a6064ad733e23

          SHA512

          f8f8aedc48524028584e80676a189627e9edcaeb310faf664ff0cee5add45dbb4234ffa3335a65024b1313540ec1135c0757bd871112106401fff63d7af64c06

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpAB76.tmp.exe
          Filesize

          202KB

          MD5

          06068dab89c0f8c8a25f738ef05249e1

          SHA1

          b0c853f73f32b0dd3733c2193185eabfa50014a9

          SHA256

          e31bf9a8289456a919dd8956bf6be04ff99943649cee6d4f57a92cd47791a34d

          SHA512

          432ef3fa26ebf04a6f75b797d9e19a3c6061b135b12b0a0ca7df4fcdb0bbaec846e7a2f420cf1bb90baf4878d0fbc3e7d157f349a1e699894ed3bac22c439ed3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpAB76.tmp.exe
          Filesize

          202KB

          MD5

          06068dab89c0f8c8a25f738ef05249e1

          SHA1

          b0c853f73f32b0dd3733c2193185eabfa50014a9

          SHA256

          e31bf9a8289456a919dd8956bf6be04ff99943649cee6d4f57a92cd47791a34d

          SHA512

          432ef3fa26ebf04a6f75b797d9e19a3c6061b135b12b0a0ca7df4fcdb0bbaec846e7a2f420cf1bb90baf4878d0fbc3e7d157f349a1e699894ed3bac22c439ed3

          Download Submit

        • \Users\Admin\AppData\Local\Temp\x64\SQLite.Interop.dll
          Filesize

          1.6MB

          MD5

          616827a61d7a49ce5389c5d96443e35d

          SHA1

          d522ee5607e122e775d77641dba09711146db739

          SHA256

          54d4025bc175de5367d0ace1a78fec7edf06b642892691cf85afb02b8ab166d5

          SHA512

          fd6a53cb9851e56b8dc6a40627058852f2949688b73dacf6f3e0fcf932453b8c52a3bfefb12c80c38397a89f1038ad8fad329ea2798b86457ce5d8fe7ba87312

          Download Submit

        • memory/1196-131-0x0000027B5CF70000-0x0000027B5CFA8000-memory.dmp

          Filesize

          224KB

          Download

        • memory/2488-121-0x000001FF3DBC0000-0x000001FF3DBDE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2488-127-0x000001FF58790000-0x000001FF58806000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2488-126-0x000001FF3DC90000-0x000001FF3DCB5000-memory.dmp

          Filesize

          148KB

          Download

        • memory/2488-125-0x000001FF58010000-0x000001FF5804A000-memory.dmp

          Filesize

          232KB

          Download

        • memory/2488-123-0x000001FF57FB0000-0x000001FF58010000-memory.dmp

          Filesize

          384KB

          Download

        • memory/2488-122-0x000001FF584E0000-0x000001FF586F0000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/2488-116-0x000001FF3D560000-0x000001FF3D828000-memory.dmp

          Filesize

          2.8MB

          Download

        • memory/2488-120-0x000001FF58810000-0x000001FF58D36000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/2488-119-0x000001FF3DC40000-0x000001FF3DC90000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2488-118-0x000001FF57C50000-0x000001FF57CC6000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2488-117-0x000001FF58110000-0x000001FF582D2000-memory.dmp

          Filesize

          1.8MB

          Download