Overview

overview

10

Static

static

8

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2022 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe

  • Size

    72KB

  • MD5

    e0770f68d015a398c13d8918a6751aa3

  • SHA1

    7d7874784b9a2fe223531bac40d400e1d5bf8f8f

  • SHA256

    caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6

  • SHA512

    6555e264fd66f551f285a67e8383c4552e0be54442f619870fc79447a42cd4da4b9313811683a74c46d969bb2b668936045d68f16f4ed58cd7eba2106cb49b39

  • SSDEEP

    1536:qFiusdglLI8cH+9g0FDDZtFMfav7V5F5erqjzssdQLXKvhCj18n:qsusdBBH+9g4mC7V5F5/zssdhsJ8n

Score
10/10
persistenceupx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
      PID:1020
      • C:\123.exe
        C:\123.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1572
        • \??\c:\windows\SysWOW64\svchost.exe
          c:\windows\SysWOW64\svchost.exe
          3⤵
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:3460
    • C:\Users\Admin\AppData\Local\Temp\caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe
      "C:\Users\Admin\AppData\Local\Temp\caa701aea3a9754d8821d1639935df8574f63f9a80ec76691d064399c1543dc6.exe"
      1⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4800
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1296

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\123.exe
      Filesize

      1.6MB

      MD5

      5d8ab1d3b48afab34fab8930c3e56793

      SHA1

      64c4e251af2970abc2e24bc3c3de0448103afd6d

      SHA256

      86ba5195ceef7562b3baf057bdbcd40123fa5fea2cb4c95dc50ffdedfbe088c4

      SHA512

      f8b0372fd577424ef9d489de2ecdd32c1154ede0660f4ea0d1f589acc0df9689606a524387d16e51f4cb87759775678c0d7f32260b4bd4661e92486681b7f085

      Download Submit
    • C:\123.exe
      Filesize

      1.6MB

      MD5

      5d8ab1d3b48afab34fab8930c3e56793

      SHA1

      64c4e251af2970abc2e24bc3c3de0448103afd6d

      SHA256

      86ba5195ceef7562b3baf057bdbcd40123fa5fea2cb4c95dc50ffdedfbe088c4

      SHA512

      f8b0372fd577424ef9d489de2ecdd32c1154ede0660f4ea0d1f589acc0df9689606a524387d16e51f4cb87759775678c0d7f32260b4bd4661e92486681b7f085

      Download Submit
    • C:\libcef.dll
      Filesize

      90KB

      MD5

      12b71771467bb1d2d2f5f1a793836f7a

      SHA1

      8c86374aa8a4604be47dbe2b9cd84885f04a1cb4

      SHA256

      ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87

      SHA512

      59e80e81afd24abf102dde95bca8f07492c35c854b1744d51b4438be445449385d8865f4567010c20aeb042b2d39cf71e5e6e4d870073e4c500315721c62dac4

      Download Submit
    • C:\libcef.dll
      Filesize

      90KB

      MD5

      12b71771467bb1d2d2f5f1a793836f7a

      SHA1

      8c86374aa8a4604be47dbe2b9cd84885f04a1cb4

      SHA256

      ca3d79dbd07fe563bdab59e559fafede0199aff5e25c138c560277e8a4521a87

      SHA512

      59e80e81afd24abf102dde95bca8f07492c35c854b1744d51b4438be445449385d8865f4567010c20aeb042b2d39cf71e5e6e4d870073e4c500315721c62dac4

      Download Submit
    • memory/1572-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3460-139-0x0000000000000000-mapping.dmp
      Download
    • memory/3460-140-0x0000000010000000-0x0000000010026000-memory.dmp
      Filesize

      152KB

      Download
    • memory/3460-143-0x0000000001190000-0x00000000011DE000-memory.dmp
      Filesize

      312KB

      Download
    • memory/4800-132-0x00007FF75A030000-0x00007FF75A055000-memory.dmp
      Filesize

      148KB

      Download
    • memory/4800-135-0x00007FF75A030000-0x00007FF75A055000-memory.dmp
      Filesize

      148KB

      Download