Overview

overview

8

Static

static

dridex

windows10-2004-x64

8

Analysis

  • max time kernel
    194s
  • max time network
    196s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2022 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7f81afec495e740dd50e649324842a804d0cb14b2aaf725884ff2330ce5d3271.exe

  • Size

    730KB

  • MD5

    d2142ffe825f6ab66a876dc229954517

  • SHA1

    f5b3267f716fd2c101478c6910dad4e9b260db36

  • SHA256

    7f81afec495e740dd50e649324842a804d0cb14b2aaf725884ff2330ce5d3271

  • SHA512

    89fc8e230b1efb72fd6b9fb9218f62c375d95c7aa6bb65381c94d8d840dcbdbb7be83d526af6515ae53814ed8a75841f20f2f0d9f926d0329563c04d27ab80d5

  • SSDEEP

    768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR

Score
8/10
persistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Creates scheduled task(s) 1 TTPs 10 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7f81afec495e740dd50e649324842a804d0cb14b2aaf725884ff2330ce5d3271.exe
    "C:\Users\Admin\AppData\Local\Temp\7f81afec495e740dd50e649324842a804d0cb14b2aaf725884ff2330ce5d3271.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1296
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1216
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
          PID:1972
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:640
      • C:\ProgramData\Dllhost\dllhost.exe
        "C:\ProgramData\Dllhost\dllhost.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2696
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2472
          • C:\Windows\SysWOW64\schtasks.exe
            SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            4⤵
            • Creates scheduled task(s)
            PID:3076
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          3⤵
            PID:3456
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              4⤵
              • Creates scheduled task(s)
              PID:532
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2124
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              4⤵
              • Creates scheduled task(s)
              PID:5116
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            3⤵
              PID:4428
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                4⤵
                • Creates scheduled task(s)
                PID:1904
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              3⤵
                PID:3980
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:2844
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:768
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:3704
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2196
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:3700
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2816
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:4516
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk9723" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1848
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk9723" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:3440
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8442" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                  PID:2488
                  • C:\Windows\SysWOW64\schtasks.exe
                    SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8442" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    4⤵
                    • Creates scheduled task(s)
                    PID:3400
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk2227" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  3⤵
                    PID:3740
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9774" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    3⤵
                      PID:4312
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
                      3⤵
                        PID:2908
                        • C:\Windows\SysWOW64\chcp.com
                          chcp 1251
                          4⤵
                            PID:4540

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\ProgramData\Dllhost\dllhost.exe
                      Filesize

                      945KB

                      MD5

                      dc854e4d6ff263039aaf9763bdf89ac1

                      SHA1

                      2690e0d487e723daf19b3c6f81a371768529e06d

                      SHA256

                      f6a769bd4f43baf1ab9ed1c5b8b10ef561d8c519d6aa6158fe43a37d3f5356c4

                      SHA512

                      621a40b97de4ee8684c9f479bf60a5ddbdbaef23b13c701390714437d8236c09dc9bf922598e563ec7daa023dec7555a7a84edce1c6020a3cb5914a7bb494573

                      Download Submit

                    • C:\ProgramData\Dllhost\dllhost.exe
                      Filesize

                      945KB

                      MD5

                      dc854e4d6ff263039aaf9763bdf89ac1

                      SHA1

                      2690e0d487e723daf19b3c6f81a371768529e06d

                      SHA256

                      f6a769bd4f43baf1ab9ed1c5b8b10ef561d8c519d6aa6158fe43a37d3f5356c4

                      SHA512

                      621a40b97de4ee8684c9f479bf60a5ddbdbaef23b13c701390714437d8236c09dc9bf922598e563ec7daa023dec7555a7a84edce1c6020a3cb5914a7bb494573

                      Download Submit

                    • C:\ProgramData\HostData\logs.uce
                      Filesize

                      497B

                      MD5

                      13fda2ab01b83a5130842a5bab3892d3

                      SHA1

                      6e18e4b467cde054a63a95d4dfc030f156ecd215

                      SHA256

                      76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e

                      SHA512

                      c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc

                      Download Submit

                    • memory/532-170-0x0000000000000000-mapping.dmp

                      Download

                    • memory/640-171-0x0000000006A90000-0x0000000006AC2000-memory.dmp

                      Filesize

                      200KB

                      Download

                    • memory/640-180-0x0000000007D20000-0x0000000007D3A000-memory.dmp

                      Filesize

                      104KB

                      Download

                    • memory/640-181-0x0000000007C60000-0x0000000007C68000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/640-139-0x0000000000000000-mapping.dmp

                      Download

                    • memory/640-140-0x00000000030D0000-0x0000000003106000-memory.dmp

                      Filesize

                      216KB

                      Download

                    • memory/640-141-0x00000000057A0000-0x0000000005DC8000-memory.dmp

                      Filesize

                      6.2MB

                      Download

                    • memory/640-142-0x00000000056F0000-0x0000000005712000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/640-143-0x0000000005ED0000-0x0000000005F36000-memory.dmp

                      Filesize

                      408KB

                      Download

                    • memory/640-144-0x0000000005450000-0x000000000546E000-memory.dmp

                      Filesize

                      120KB

                      Download

                    • memory/640-178-0x0000000007C80000-0x0000000007D16000-memory.dmp

                      Filesize

                      600KB

                      Download

                    • memory/640-179-0x0000000007C20000-0x0000000007C2E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/640-177-0x0000000007A50000-0x0000000007A5A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/640-176-0x0000000007A00000-0x0000000007A1A000-memory.dmp

                      Filesize

                      104KB

                      Download

                    • memory/640-175-0x0000000008060000-0x00000000086DA000-memory.dmp

                      Filesize

                      6.5MB

                      Download

                    • memory/640-173-0x0000000006A70000-0x0000000006A8E000-memory.dmp

                      Filesize

                      120KB

                      Download

                    • memory/640-172-0x0000000070E70000-0x0000000070EBC000-memory.dmp

                      Filesize

                      304KB

                      Download

                    • memory/768-155-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1216-137-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1296-134-0x0000000004D20000-0x0000000004DB2000-memory.dmp

                      Filesize

                      584KB

                      Download

                    • memory/1296-136-0x0000000004F70000-0x0000000004FD6000-memory.dmp

                      Filesize

                      408KB

                      Download

                    • memory/1296-133-0x00000000052D0000-0x0000000005874000-memory.dmp

                      Filesize

                      5.6MB

                      Download

                    • memory/1296-132-0x0000000000010000-0x00000000000B8000-memory.dmp

                      Filesize

                      672KB

                      Download

                    • memory/1296-135-0x0000000004CF0000-0x0000000004CFA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/1848-157-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1904-169-0x0000000000000000-mapping.dmp

                      Download

                    • memory/1972-138-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2124-153-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2196-151-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2472-149-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2488-158-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2696-145-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2696-148-0x0000000000770000-0x0000000000820000-memory.dmp

                      Filesize

                      704KB

                      Download

                    • memory/2816-150-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2844-168-0x0000000000000000-mapping.dmp

                      Download

                    • memory/2908-182-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3076-161-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3400-167-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3440-166-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3456-152-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3700-162-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3704-164-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3740-159-0x0000000000000000-mapping.dmp

                      Download

                    • memory/3980-156-0x0000000000000000-mapping.dmp

                      Download

                    • memory/4312-160-0x0000000000000000-mapping.dmp

                      Download

                    • memory/4428-154-0x0000000000000000-mapping.dmp

                      Download

                    • memory/4516-163-0x0000000000000000-mapping.dmp

                      Download

                    • memory/4540-183-0x0000000000000000-mapping.dmp

                      Download

                    • memory/5116-165-0x0000000000000000-mapping.dmp

                      Download