Overview

overview

6

Static

static

dridex

windows10-1703-x64

6

Analysis

  • max time kernel
    109s
  • max time network
    117s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    26/09/2022, 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe

  • Size

    927KB

  • MD5

    84b47858205c7c5c980babe75ac7fea0

  • SHA1

    41ddba8c41789bdf4d9286298b4819a5d7317c15

  • SHA256

    c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf

  • SHA512

    852e59c20a3a0603b2ba0ccd3c88a31194e4d0972bddec168615453a780a46cbaf72e80aa0737e024a22ac65b4c6695ba6818caba0b31e2f87424ec2ce5ffd00

  • SSDEEP

    768:5RdutBr/u3GduUrRTj8ObyVUBMfSDFTh0lrpcxNq3ey16HMV1Iu3MCBo6qstNpzJ:5R4HmK3Tj8J4FPHMV1tNRLbwCX

Score
6/10
persistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe
    "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5072
      • C:\Windows\SysWOW64\schtasks.exe
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3476
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
      2⤵
        PID:5108
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Windows\SysWOW64\schtasks.exe
          SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
          3⤵
          • Creates scheduled task(s)
          PID:4752
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
        2⤵
          PID:3068
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
          2⤵
            PID:1944
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
            2⤵
              PID:3312
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1412
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
                3⤵
                • Creates scheduled task(s)
                PID:4236
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3743" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4112
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3743" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
                3⤵
                • Creates scheduled task(s)
                PID:4224
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9825" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1660
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9825" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
                3⤵
                • Creates scheduled task(s)
                PID:3972
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6712" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4140
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6712" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
                3⤵
                • Creates scheduled task(s)
                PID:4748
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk379" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1012
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk379" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
                3⤵
                • Creates scheduled task(s)
                PID:4784
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\Users\Admin\AppData\Local\Temp\c9df20f58e7826e18179170361502b4edf66ebc3057604ee2e3994e5983062cf.exe"
              2⤵
                PID:3360
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1396
                2⤵
                • Program crash
                PID:856

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1412-192-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/1412-188-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/1412-185-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-141-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-156-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-130-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-131-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-133-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-132-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-134-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-135-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-136-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-137-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-138-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-139-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-140-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-120-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-142-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-143-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-144-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-145-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-146-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-147-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-148-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-149-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-150-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-151-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-152-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-153-0x00000000003D0000-0x0000000000480000-memory.dmp

              Filesize

              704KB

              Download

            • memory/2300-154-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-155-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-167-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-157-0x0000000005360000-0x000000000585E000-memory.dmp

              Filesize

              5.0MB

              Download

            • memory/2300-158-0x00000000029C0000-0x0000000002A52000-memory.dmp

              Filesize

              584KB

              Download

            • memory/2300-159-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-160-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-161-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-162-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-163-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-164-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-165-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-129-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-166-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-121-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-169-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-170-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-171-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-172-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-173-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-174-0x0000000002950000-0x000000000295A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2300-122-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-168-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-123-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-124-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-128-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-125-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-127-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2300-126-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3312-189-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3312-193-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5072-182-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5072-177-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5072-180-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5072-178-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5108-181-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5108-191-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5108-187-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5108-184-0x0000000077A00000-0x0000000077B8E000-memory.dmp

              Filesize

              1.6MB

              Download