Overview

overview

9

Static

static

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    68s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-09-2022 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    933c1d35469f45c6a77fbc723826381f746a251f911337f62496fbf314a5e2dd.exe

  • Size

    1.8MB

  • MD5

    2bae3953e0a75b8a24b51d065815f205

  • SHA1

    ad0bf7ff1a9fc281cdf2b3d551968cef2104d8ca

  • SHA256

    933c1d35469f45c6a77fbc723826381f746a251f911337f62496fbf314a5e2dd

  • SHA512

    c1ac299c6c0ea97d5c1503eb97412f3b3c8eef9d76697dd1517a3d3048ca6e71016f621b0f5e787285cee968cd9ac8e2eec88dc34bcce1d0baf423a2fa54c8dc

  • SSDEEP

    49152:AiSzCD+K95aLs7zeqLTVtXtHFIDP8EehiM8qZA:AiSzCD+K95aUeqFtXtHwEEehig

Score
9/10
evasiontrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\933c1d35469f45c6a77fbc723826381f746a251f911337f62496fbf314a5e2dd.exe
    "C:\Users\Admin\AppData\Local\Temp\933c1d35469f45c6a77fbc723826381f746a251f911337f62496fbf314a5e2dd.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      2⤵
      • Creates scheduled task(s)
      PID:432
  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4988
    • C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4856

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Filesize

    1.8MB

    MD5

    2bae3953e0a75b8a24b51d065815f205

    SHA1

    ad0bf7ff1a9fc281cdf2b3d551968cef2104d8ca

    SHA256

    933c1d35469f45c6a77fbc723826381f746a251f911337f62496fbf314a5e2dd

    SHA512

    c1ac299c6c0ea97d5c1503eb97412f3b3c8eef9d76697dd1517a3d3048ca6e71016f621b0f5e787285cee968cd9ac8e2eec88dc34bcce1d0baf423a2fa54c8dc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
    Filesize

    1.8MB

    MD5

    2bae3953e0a75b8a24b51d065815f205

    SHA1

    ad0bf7ff1a9fc281cdf2b3d551968cef2104d8ca

    SHA256

    933c1d35469f45c6a77fbc723826381f746a251f911337f62496fbf314a5e2dd

    SHA512

    c1ac299c6c0ea97d5c1503eb97412f3b3c8eef9d76697dd1517a3d3048ca6e71016f621b0f5e787285cee968cd9ac8e2eec88dc34bcce1d0baf423a2fa54c8dc

    Download Submit

  • memory/432-140-0x0000000000000000-mapping.dmp

    Download

  • memory/4496-142-0x00000000025E0000-0x0000000002624000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4496-134-0x00000000025E0000-0x0000000002624000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4496-137-0x0000000000B71000-0x0000000000B73000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4496-138-0x0000000000B70000-0x0000000000E8F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4496-135-0x0000000000B70000-0x0000000000E8F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4496-139-0x0000000077440000-0x00000000775E3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4496-141-0x0000000000B70000-0x0000000000E8F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4496-132-0x0000000000B70000-0x0000000000E8F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4496-143-0x0000000077440000-0x00000000775E3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4496-136-0x0000000000B71000-0x0000000000B73000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4496-133-0x0000000000B70000-0x0000000000E8F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4856-149-0x0000000000000000-mapping.dmp

    Download

  • memory/4988-146-0x0000000000520000-0x000000000083F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4988-148-0x0000000000521000-0x0000000000523000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4988-150-0x0000000000520000-0x000000000083F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4988-151-0x00000000011D0000-0x0000000001214000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4988-152-0x0000000077440000-0x00000000775E3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4988-153-0x0000000000520000-0x000000000083F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4988-154-0x00000000011D0000-0x0000000001214000-memory.dmp

    Filesize

    272KB

    Download