Overview

overview

8

Static

static

dridex

windows10-2004-x64

8

Analysis

  • max time kernel
    45s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/09/2022, 10:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    b1b5b5b3c3f9517c5ba58c5b1fe5cbac3898e2ed31289926ebe21da8cb7ee5e4.exe

  • Size

    724KB

  • MD5

    fd906ea2583a4cf3c3e0025bee3f9582

  • SHA1

    6dd57b70a2ee53d5bd4d58c23dcc25159be3ff1d

  • SHA256

    b1b5b5b3c3f9517c5ba58c5b1fe5cbac3898e2ed31289926ebe21da8cb7ee5e4

  • SHA512

    c6169978e89e32b0627d59077e44f8edfb036d92b4fde464b4860e99dc9d7a99fac8d7d257de296b8fc5bb35317428d1afc6cd8c98e255143424d7e910ad8992

  • SSDEEP

    768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR

Score
8/10
persistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1b5b5b3c3f9517c5ba58c5b1fe5cbac3898e2ed31289926ebe21da8cb7ee5e4.exe
    "C:\Users\Admin\AppData\Local\Temp\b1b5b5b3c3f9517c5ba58c5b1fe5cbac3898e2ed31289926ebe21da8cb7ee5e4.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
          PID:4388
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4696
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:392
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4900
      • C:\ProgramData\Dllhost\dllhost.exe
        "C:\ProgramData\Dllhost\dllhost.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2604
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3508
          • C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            4⤵
            • Creates scheduled task(s)
            PID:4848
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          3⤵
            PID:3572
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              4⤵
              • Creates scheduled task(s)
              PID:1940
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            3⤵
              PID:3368
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                4⤵
                • Creates scheduled task(s)
                PID:1748
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4728
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                4⤵
                • Creates scheduled task(s)
                PID:4216
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              3⤵
                PID:2864
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:1432
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2840
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:4256
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:952
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:1632
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                  PID:1408
                  • C:\Windows\SysWOW64\schtasks.exe
                    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    4⤵
                    • Creates scheduled task(s)
                    PID:3764
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8457" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  3⤵
                    PID:1056
                    • C:\Windows\SysWOW64\schtasks.exe
                      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8457" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                      4⤵
                      • Creates scheduled task(s)
                      PID:2416
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk888" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    3⤵
                      PID:4716
                      • C:\Windows\SysWOW64\schtasks.exe
                        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk888" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                        4⤵
                        • Creates scheduled task(s)
                        PID:676
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk177" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                      3⤵
                        PID:2356
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk862" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                        3⤵
                          PID:740
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 1044
                          3⤵
                          • Program crash
                          PID:1140
                    • C:\Windows\system32\dwm.exe
                      "dwm.exe"
                      1⤵
                        PID:3532
                      • C:\Windows\system32\dwm.exe
                        "dwm.exe"
                        1⤵
                          PID:1060
                        • C:\Windows\system32\dwm.exe
                          "dwm.exe"
                          1⤵
                            PID:2768
                          • C:\Windows\system32\dwm.exe
                            "dwm.exe"
                            1⤵
                              PID:1348

                            Network

                                  MITRE ATT&CK Enterprise v6

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\ProgramData\Dllhost\dllhost.exe
                                    Filesize

                                    918KB

                                    MD5

                                    152d3ed13eb2bd7a1c10b1f1a7210190

                                    SHA1

                                    efb47b630b9c3a47a4d2b5d94fb0f6552142803c

                                    SHA256

                                    393d04b3ff58fdee4666d225c5360eaef10d1c1b98323ef337fb21a5d2641bcc

                                    SHA512

                                    8f53160a61a2135aa6029b346a4a5cbd1047d34ad15e3d4df6e59ce630fa2909efc7e7648bddfd4d768393bf3c663dd4a0428c59605a253ac9a4036a3d721bb1

                                    Download Submit

                                  • C:\ProgramData\Dllhost\dllhost.exe
                                    Filesize

                                    918KB

                                    MD5

                                    152d3ed13eb2bd7a1c10b1f1a7210190

                                    SHA1

                                    efb47b630b9c3a47a4d2b5d94fb0f6552142803c

                                    SHA256

                                    393d04b3ff58fdee4666d225c5360eaef10d1c1b98323ef337fb21a5d2641bcc

                                    SHA512

                                    8f53160a61a2135aa6029b346a4a5cbd1047d34ad15e3d4df6e59ce630fa2909efc7e7648bddfd4d768393bf3c663dd4a0428c59605a253ac9a4036a3d721bb1

                                    Download Submit

                                  • C:\ProgramData\HostData\logs.uce
                                    Filesize

                                    497B

                                    MD5

                                    13fda2ab01b83a5130842a5bab3892d3

                                    SHA1

                                    6e18e4b467cde054a63a95d4dfc030f156ecd215

                                    SHA256

                                    76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e

                                    SHA512

                                    c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
                                    Filesize

                                    2KB

                                    MD5

                                    968cb9309758126772781b83adb8a28f

                                    SHA1

                                    8da30e71accf186b2ba11da1797cf67f8f78b47c

                                    SHA256

                                    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

                                    SHA512

                                    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    18KB

                                    MD5

                                    cc3030eb0cbdc2d3af7ace2d0ecd7d50

                                    SHA1

                                    a899276275a45f09520a36f938e4c7a80a768cc5

                                    SHA256

                                    179aba871b45ef6c7576eee018e9ec8efb052e803452e20839dbbfa18adddd0a

                                    SHA512

                                    d7cc56d8e424038e81a70785baed7943ef1eae1f0239cd58f0dbf8f750c8fa0c03492327a656a8a79d5fcdd78e571745fa4ccdda80d6163218f719efc5ce8097

                                    Download Submit

                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                    Filesize

                                    18KB

                                    MD5

                                    7fbea66b39196ee01feaf905e83bff67

                                    SHA1

                                    cf8a43771b683edb7682ebcb6df5d2c246961d68

                                    SHA256

                                    7267c82892b6ca2d57a78333678c7385d923024a79c1bb2d0574306d1a698a87

                                    SHA512

                                    26f1432b7dab6f00201e7d63798dcd637404c97ee215a43ce0fc24ce01855ae9dbe54645d1d2456e166ebab2088cf803c4a4e8cbb9dc39a6b91add75e96c1ea7

                                    Download Submit

                                  • memory/392-158-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

                                    Filesize

                                    304KB

                                    Download

                                  • memory/2604-165-0x00000000001C0000-0x0000000000270000-memory.dmp

                                    Filesize

                                    704KB

                                    Download

                                  • memory/4028-135-0x0000000005550000-0x000000000555A000-memory.dmp

                                    Filesize

                                    40KB

                                    Download

                                  • memory/4028-136-0x0000000005770000-0x00000000057D6000-memory.dmp

                                    Filesize

                                    408KB

                                    Download

                                  • memory/4028-134-0x00000000054B0000-0x0000000005542000-memory.dmp

                                    Filesize

                                    584KB

                                    Download

                                  • memory/4028-133-0x0000000005B50000-0x00000000060F4000-memory.dmp

                                    Filesize

                                    5.6MB

                                    Download

                                  • memory/4028-132-0x0000000000A50000-0x0000000000AF8000-memory.dmp

                                    Filesize

                                    672KB

                                    Download

                                  • memory/4696-146-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

                                    Filesize

                                    304KB

                                    Download

                                  • memory/4696-143-0x00000000056E0000-0x0000000005746000-memory.dmp

                                    Filesize

                                    408KB

                                    Download

                                  • memory/4696-140-0x0000000002840000-0x0000000002876000-memory.dmp

                                    Filesize

                                    216KB

                                    Download

                                  • memory/4696-154-0x00000000073C0000-0x00000000073C8000-memory.dmp

                                    Filesize

                                    32KB

                                    Download

                                  • memory/4696-153-0x0000000007480000-0x000000000749A000-memory.dmp

                                    Filesize

                                    104KB

                                    Download

                                  • memory/4696-152-0x0000000007380000-0x000000000738E000-memory.dmp

                                    Filesize

                                    56KB

                                    Download

                                  • memory/4696-151-0x00000000073E0000-0x0000000007476000-memory.dmp

                                    Filesize

                                    600KB

                                    Download

                                  • memory/4696-150-0x00000000071B0000-0x00000000071BA000-memory.dmp

                                    Filesize

                                    40KB

                                    Download

                                  • memory/4696-141-0x0000000004F40000-0x0000000005568000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/4696-149-0x0000000007160000-0x000000000717A000-memory.dmp

                                    Filesize

                                    104KB

                                    Download

                                  • memory/4696-142-0x0000000004E60000-0x0000000004E82000-memory.dmp

                                    Filesize

                                    136KB

                                    Download

                                  • memory/4696-148-0x00000000077C0000-0x0000000007E3A000-memory.dmp

                                    Filesize

                                    6.5MB

                                    Download

                                  • memory/4696-147-0x00000000063C0000-0x00000000063DE000-memory.dmp

                                    Filesize

                                    120KB

                                    Download

                                  • memory/4696-145-0x00000000063E0000-0x0000000006412000-memory.dmp

                                    Filesize

                                    200KB

                                    Download

                                  • memory/4696-144-0x0000000005E30000-0x0000000005E4E000-memory.dmp

                                    Filesize

                                    120KB

                                    Download

                                  • memory/4900-161-0x0000000070CC0000-0x0000000070D0C000-memory.dmp

                                    Filesize

                                    304KB

                                    Download