Overview

overview

9

Static

static

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    91s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/09/2022, 04:39

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    72fd4a41dcf323f65c665d0366533d670505af554825572e42b9fdc349b0eeab.exe

  • Size

    1.8MB

  • MD5

    8d413fb39338458ca2be087f9935f48e

  • SHA1

    40cc8d78b26136db93d21a0c682167cddadd02fd

  • SHA256

    72fd4a41dcf323f65c665d0366533d670505af554825572e42b9fdc349b0eeab

  • SHA512

    8dba5e0bbfed950a397397f477f347d5da0380c9c519728263a683871c2d615d8d851abeba6d7d00f2fe6fd33d6f2077d74329b655b2efb9c77bd87e99bd9a2d

  • SSDEEP

    49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig

Score
9/10
evasiontrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\72fd4a41dcf323f65c665d0366533d670505af554825572e42b9fdc349b0eeab.exe
    "C:\Users\Admin\AppData\Local\Temp\72fd4a41dcf323f65c665d0366533d670505af554825572e42b9fdc349b0eeab.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3284
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      2⤵
      • Creates scheduled task(s)
      PID:204
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3112
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2120

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
          Filesize

          1.8MB

          MD5

          8d413fb39338458ca2be087f9935f48e

          SHA1

          40cc8d78b26136db93d21a0c682167cddadd02fd

          SHA256

          72fd4a41dcf323f65c665d0366533d670505af554825572e42b9fdc349b0eeab

          SHA512

          8dba5e0bbfed950a397397f477f347d5da0380c9c519728263a683871c2d615d8d851abeba6d7d00f2fe6fd33d6f2077d74329b655b2efb9c77bd87e99bd9a2d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
          Filesize

          1.8MB

          MD5

          8d413fb39338458ca2be087f9935f48e

          SHA1

          40cc8d78b26136db93d21a0c682167cddadd02fd

          SHA256

          72fd4a41dcf323f65c665d0366533d670505af554825572e42b9fdc349b0eeab

          SHA512

          8dba5e0bbfed950a397397f477f347d5da0380c9c519728263a683871c2d615d8d851abeba6d7d00f2fe6fd33d6f2077d74329b655b2efb9c77bd87e99bd9a2d

          Download Submit

        • memory/3112-152-0x0000000077C70000-0x0000000077E13000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3112-153-0x0000000000CF0000-0x000000000100F000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3112-157-0x0000000000CF0000-0x000000000100F000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3112-156-0x0000000000CF0000-0x000000000100F000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3112-155-0x0000000000CF0000-0x000000000100F000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3112-154-0x0000000001410000-0x0000000001454000-memory.dmp

          Filesize

          272KB

          Download

        • memory/3112-148-0x0000000000CF0000-0x000000000100F000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3112-150-0x0000000000CF1000-0x0000000000CF3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3112-146-0x0000000000CF0000-0x000000000100F000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3112-147-0x0000000001410000-0x0000000001454000-memory.dmp

          Filesize

          272KB

          Download

        • memory/3284-137-0x0000000077C70000-0x0000000077E13000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3284-133-0x0000000000FA0000-0x00000000012BF000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3284-134-0x0000000000750000-0x0000000000794000-memory.dmp

          Filesize

          272KB

          Download

        • memory/3284-143-0x0000000077C70000-0x0000000077E13000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3284-132-0x0000000000FA0000-0x00000000012BF000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3284-136-0x0000000000FA0000-0x00000000012BF000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3284-142-0x0000000000750000-0x0000000000794000-memory.dmp

          Filesize

          272KB

          Download

        • memory/3284-141-0x0000000000FA0000-0x00000000012BF000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3284-135-0x0000000000FA0000-0x00000000012BF000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/3284-139-0x0000000000FA1000-0x0000000000FA3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/3284-138-0x0000000000FA1000-0x0000000000FA3000-memory.dmp

          Filesize

          8KB

          Download