Overview

overview

5

Static

static

dridex

windows10-1703-x64

5

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    11-09-2022 07:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34df9595fe07276e90d10a9b2c153002c54820f4ee4e0e9b522e4a5dceebdd5a.exe

  • Size

    31.0MB

  • MD5

    52bfa39dc9d72b0dac76ae9814af27ad

  • SHA1

    74a7effc3cde14000209722299df15ca56c99946

  • SHA256

    34df9595fe07276e90d10a9b2c153002c54820f4ee4e0e9b522e4a5dceebdd5a

  • SHA512

    bf48fd8e1edc3dc20d1545dd98826357f2472c6643258d5610921a002e73e71cb46edeb6a877f9560d943a5f05c1e58200278b430a8780282a7c7b1a6948befd

  • SSDEEP

    786432:vR39Z2nrKhSUfx1ibQH9XmYbdwlzBI9WTL+s3YyKLhS:vR3XArkXqQHgYbdOza90Lj3e1

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34df9595fe07276e90d10a9b2c153002c54820f4ee4e0e9b522e4a5dceebdd5a.exe
    "C:\Users\Admin\AppData\Local\Temp\34df9595fe07276e90d10a9b2c153002c54820f4ee4e0e9b522e4a5dceebdd5a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4328
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3600

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2132-129-0x000001A4FED40000-0x000001A4FEDB6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3600-137-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/3600-139-0x000002B947AD0000-0x000002B947B7A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/3600-140-0x000002B92F030000-0x000002B92F07E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3600-141-0x000002B9478C0000-0x000002B94790C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4328-118-0x00000000007A0000-0x00000000026A6000-memory.dmp

    Filesize

    31.0MB

    Download

  • memory/4328-119-0x000000001FAF0000-0x000000001FC1E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4328-120-0x00000000030D0000-0x0000000003162000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4328-121-0x0000000003160000-0x0000000003182000-memory.dmp

    Filesize

    136KB

    Download