Overview

overview

8

Static

static

dridex

windows10-2004-x64

8

Analysis

  • max time kernel
    156s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 00:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1762277978acc108cd28b0ae35b447710ccf75408af9db257dcd77e8a802f95c.exe

  • Size

    721KB

  • MD5

    30757631e873c1fff3de4870ec5648ae

  • SHA1

    32036879fcbb65021d34136300142b2041394279

  • SHA256

    1762277978acc108cd28b0ae35b447710ccf75408af9db257dcd77e8a802f95c

  • SHA512

    551701c4121add38ccf9c3f98e07b5e3660e099e96596a1b8b7f01d41a4d6a0c0016550368f610535e8732c99ce548da4e5d194996c140492e783c0958713d6a

  • SSDEEP

    768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR

Score
8/10
persistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1762277978acc108cd28b0ae35b447710ccf75408af9db257dcd77e8a802f95c.exe
    "C:\Users\Admin\AppData\Local\Temp\1762277978acc108cd28b0ae35b447710ccf75408af9db257dcd77e8a802f95c.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3400
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
          PID:4496
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1852
      • C:\ProgramData\Dllhost\dllhost.exe
        "C:\ProgramData\Dllhost\dllhost.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:964
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          3⤵
            PID:1892
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              4⤵
              • Creates scheduled task(s)
              PID:1964
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1700
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              4⤵
              • Creates scheduled task(s)
              PID:2972
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            3⤵
              PID:5092
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                4⤵
                • Creates scheduled task(s)
                PID:1960
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1768
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                4⤵
                • Creates scheduled task(s)
                PID:2376
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4840
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                4⤵
                • Creates scheduled task(s)
                PID:4356
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              3⤵
                PID:4064
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:1956
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3532
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:4492
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1307" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1404
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1307" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:3224
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1575" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:492
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1575" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:1412
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk8199" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                  PID:2168
                  • C:\Windows\SysWOW64\schtasks.exe
                    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk8199" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    4⤵
                    • Creates scheduled task(s)
                    PID:776
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  3⤵
                    PID:5084
                    • C:\Windows\SysWOW64\schtasks.exe
                      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                      4⤵
                      • Creates scheduled task(s)
                      PID:4964
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2422" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    3⤵
                      PID:1116
                      • C:\Windows\SysWOW64\schtasks.exe
                        SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2422" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                        4⤵
                        • Creates scheduled task(s)
                        PID:2372
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
                      3⤵
                        PID:1080
                        • C:\Windows\SysWOW64\chcp.com
                          chcp 1251
                          4⤵
                            PID:4824
                        • C:\Windows\SysWOW64\cmd.exe
                          "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
                          3⤵
                            PID:4408
                            • C:\Windows\SysWOW64\chcp.com
                              chcp 1251
                              4⤵
                                PID:3736

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\ProgramData\Dllhost\dllhost.exe
                          Filesize

                          907KB

                          MD5

                          4d868a222d7123e9e3e5ab9ab26ad5e5

                          SHA1

                          7fda8aba29fcfc749dca986eb8883b96a5ff612c

                          SHA256

                          92532fed585ffb25d81fddbf4b32b0a3b8949555fe16488ad93316f2a72cef15

                          SHA512

                          7d51c6bc1449097f19f7621fabcb502bb7baea66d7eb65d4867995c0f4fe1ac54fa376b278e249512dbca717b57c2887ee47aacdb024fad2a65f3b31a0fc0f55

                          Download Submit

                        • C:\ProgramData\Dllhost\dllhost.exe
                          Filesize

                          907KB

                          MD5

                          4d868a222d7123e9e3e5ab9ab26ad5e5

                          SHA1

                          7fda8aba29fcfc749dca986eb8883b96a5ff612c

                          SHA256

                          92532fed585ffb25d81fddbf4b32b0a3b8949555fe16488ad93316f2a72cef15

                          SHA512

                          7d51c6bc1449097f19f7621fabcb502bb7baea66d7eb65d4867995c0f4fe1ac54fa376b278e249512dbca717b57c2887ee47aacdb024fad2a65f3b31a0fc0f55

                          Download Submit

                        • C:\ProgramData\HostData\logs.uce
                          Filesize

                          497B

                          MD5

                          13fda2ab01b83a5130842a5bab3892d3

                          SHA1

                          6e18e4b467cde054a63a95d4dfc030f156ecd215

                          SHA256

                          76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e

                          SHA512

                          c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc

                          Download Submit

                        • memory/964-148-0x00000000007A0000-0x0000000000850000-memory.dmp

                          Filesize

                          704KB

                          Download

                        • memory/1852-179-0x0000000007E60000-0x0000000007E6A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/1852-178-0x0000000007CD0000-0x0000000007CEA000-memory.dmp

                          Filesize

                          104KB

                          Download

                        • memory/1852-141-0x0000000005A30000-0x0000000006058000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/1852-140-0x0000000005380000-0x00000000053B6000-memory.dmp

                          Filesize

                          216KB

                          Download

                        • memory/1852-149-0x0000000006F60000-0x0000000006F92000-memory.dmp

                          Filesize

                          200KB

                          Download

                        • memory/1852-150-0x0000000070600000-0x000000007064C000-memory.dmp

                          Filesize

                          304KB

                          Download

                        • memory/1852-151-0x0000000006CE0000-0x0000000006CFE000-memory.dmp

                          Filesize

                          120KB

                          Download

                        • memory/1852-183-0x0000000007FC0000-0x0000000007FC8000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/1852-142-0x0000000005950000-0x0000000005972000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/1852-177-0x0000000008330000-0x00000000089AA000-memory.dmp

                          Filesize

                          6.5MB

                          Download

                        • memory/1852-144-0x0000000006360000-0x000000000637E000-memory.dmp

                          Filesize

                          120KB

                          Download

                        • memory/1852-180-0x0000000007F20000-0x0000000007FB6000-memory.dmp

                          Filesize

                          600KB

                          Download

                        • memory/1852-181-0x0000000007EE0000-0x0000000007EEE000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/1852-182-0x0000000007FE0000-0x0000000007FFA000-memory.dmp

                          Filesize

                          104KB

                          Download

                        • memory/1852-143-0x0000000006060000-0x00000000060C6000-memory.dmp

                          Filesize

                          408KB

                          Download

                        • memory/3136-132-0x0000000000910000-0x00000000009B8000-memory.dmp

                          Filesize

                          672KB

                          Download

                        • memory/3136-133-0x00000000058F0000-0x0000000005E94000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/3136-134-0x00000000053E0000-0x0000000005472000-memory.dmp

                          Filesize

                          584KB

                          Download

                        • memory/3136-135-0x0000000005370000-0x000000000537A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/3136-136-0x0000000005550000-0x00000000055B6000-memory.dmp

                          Filesize

                          408KB

                          Download