Overview

overview

9

Static

static

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/09/2022, 17:59

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    360d827690f49525cffa591e70660bf8112c6f5b5c3cea2a1776ceec464b23e8.exe

  • Size

    1.8MB

  • MD5

    82ce7de0da5627187fdc958f5240a93d

  • SHA1

    4bc7c7b6dc1d6cf1f52d4e79f09acd51ae49216f

  • SHA256

    360d827690f49525cffa591e70660bf8112c6f5b5c3cea2a1776ceec464b23e8

  • SHA512

    a8d34810bebbea539748dbb6298f42f2e0ade11e0c513919df97f7a2f041eaa82a7bf3e076c18723e4abb3792be3aa9ce274fa5ba9dd57019d22af9ca497f231

  • SSDEEP

    49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig

Score
9/10
evasiontrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\360d827690f49525cffa591e70660bf8112c6f5b5c3cea2a1776ceec464b23e8.exe
    "C:\Users\Admin\AppData\Local\Temp\360d827690f49525cffa591e70660bf8112c6f5b5c3cea2a1776ceec464b23e8.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      2⤵
      • Creates scheduled task(s)
      PID:5000
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4376

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
          Filesize

          1.8MB

          MD5

          82ce7de0da5627187fdc958f5240a93d

          SHA1

          4bc7c7b6dc1d6cf1f52d4e79f09acd51ae49216f

          SHA256

          360d827690f49525cffa591e70660bf8112c6f5b5c3cea2a1776ceec464b23e8

          SHA512

          a8d34810bebbea539748dbb6298f42f2e0ade11e0c513919df97f7a2f041eaa82a7bf3e076c18723e4abb3792be3aa9ce274fa5ba9dd57019d22af9ca497f231

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
          Filesize

          1.8MB

          MD5

          82ce7de0da5627187fdc958f5240a93d

          SHA1

          4bc7c7b6dc1d6cf1f52d4e79f09acd51ae49216f

          SHA256

          360d827690f49525cffa591e70660bf8112c6f5b5c3cea2a1776ceec464b23e8

          SHA512

          a8d34810bebbea539748dbb6298f42f2e0ade11e0c513919df97f7a2f041eaa82a7bf3e076c18723e4abb3792be3aa9ce274fa5ba9dd57019d22af9ca497f231

          Download Submit

        • memory/2448-153-0x0000000002CB0000-0x0000000002CF4000-memory.dmp

          Filesize

          272KB

          Download

        • memory/2448-152-0x00000000008A0000-0x0000000000BBF000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/2448-151-0x0000000077C10000-0x0000000077DB3000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/2448-150-0x0000000002CB0000-0x0000000002CF4000-memory.dmp

          Filesize

          272KB

          Download

        • memory/2448-149-0x00000000008A0000-0x0000000000BBF000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/2448-147-0x00000000008A1000-0x00000000008A3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2448-145-0x00000000008A0000-0x0000000000BBF000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/4824-137-0x0000000000651000-0x0000000000653000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4824-142-0x0000000077C10000-0x0000000077DB3000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4824-141-0x00000000031D0000-0x0000000003214000-memory.dmp

          Filesize

          272KB

          Download

        • memory/4824-140-0x0000000000650000-0x000000000096F000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/4824-138-0x0000000000651000-0x0000000000653000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4824-132-0x0000000000650000-0x000000000096F000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/4824-136-0x0000000000650000-0x000000000096F000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/4824-135-0x0000000000650000-0x000000000096F000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/4824-134-0x00000000031D0000-0x0000000003214000-memory.dmp

          Filesize

          272KB

          Download

        • memory/4824-133-0x0000000000650000-0x000000000096F000-memory.dmp

          Filesize

          3.1MB

          Download