Overview

overview

8

Static

static

dridex

windows10-2004-x64

8

Analysis

  • max time kernel
    157s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/10/2022, 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    682283ef8fde1772be8f6da7a5ea6cb75c92f468900f4ad9a980d540e9ee71e4.exe

  • Size

    731KB

  • MD5

    f3654deae66c38b6de2d38d361e8ca3a

  • SHA1

    d43dbc24eeb90e8561bd16285c72e0b012b3cde8

  • SHA256

    682283ef8fde1772be8f6da7a5ea6cb75c92f468900f4ad9a980d540e9ee71e4

  • SHA512

    bb8c61531d91e497bbb458f11e27d581aaf42721dadb2bf06e2be7b5daa06e57fa7dab263b7254f4b3062c8963004f2c39a02208b3461453f72904e79a861d06

  • SSDEEP

    768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR

Score
8/10
persistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 11 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\682283ef8fde1772be8f6da7a5ea6cb75c92f468900f4ad9a980d540e9ee71e4.exe
    "C:\Users\Admin\AppData\Local\Temp\682283ef8fde1772be8f6da7a5ea6cb75c92f468900f4ad9a980d540e9ee71e4.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
          PID:4720
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1456
      • C:\ProgramData\Dllhost\dllhost.exe
        "C:\ProgramData\Dllhost\dllhost.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          3⤵
            PID:3784
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              4⤵
              • Creates scheduled task(s)
              PID:4476
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            3⤵
              PID:2072
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                4⤵
                • Creates scheduled task(s)
                PID:4352
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              3⤵
                PID:5044
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:4164
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3256
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:3076
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2196
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:2936
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                  PID:4876
                  • C:\Windows\SysWOW64\schtasks.exe
                    SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    4⤵
                    • Creates scheduled task(s)
                    PID:2160
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3280
                  • C:\Windows\SysWOW64\schtasks.exe
                    SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    4⤵
                    • Creates scheduled task(s)
                    PID:3700
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4524
                  • C:\Windows\SysWOW64\schtasks.exe
                    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    4⤵
                    • Creates scheduled task(s)
                    PID:3376
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2903" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  3⤵
                    PID:4240
                    • C:\Windows\SysWOW64\schtasks.exe
                      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2903" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                      4⤵
                      • Creates scheduled task(s)
                      PID:4048
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk9922" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    3⤵
                      PID:3724
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9957" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:4288
                      • C:\Windows\SysWOW64\schtasks.exe
                        SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9957" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                        4⤵
                        • Creates scheduled task(s)
                        PID:4888
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9626" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:3508
                      • C:\Windows\SysWOW64\schtasks.exe
                        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9626" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                        4⤵
                        • Creates scheduled task(s)
                        PID:3108
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
                      3⤵
                        PID:3960
                        • C:\Windows\SysWOW64\chcp.com
                          chcp 1251
                          4⤵
                            PID:3480
                        • C:\Windows\SysWOW64\cmd.exe
                          "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
                          3⤵
                            PID:1672
                            • C:\Windows\SysWOW64\chcp.com
                              chcp 1251
                              4⤵
                                PID:3908

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\ProgramData\Dllhost\dllhost.exe
                          Filesize

                          949KB

                          MD5

                          f0ee55e5d9aaabd946222739fdd60256

                          SHA1

                          86fcb9772d0f3b8c459cb9ee9bd157ca1c5ed278

                          SHA256

                          a07b944286cbb1128462f9364e24729211f2b7aa8cea049645b2bf2ba7703650

                          SHA512

                          38b319c13e33489943efabaa026beb8ba0480802f7733c42545eb8c4de608a3fe979087cac717bd18aff4b0a777900af4431fdd56a1a1bdcb39850a79f476aac

                          Download Submit

                        • C:\ProgramData\Dllhost\dllhost.exe
                          Filesize

                          949KB

                          MD5

                          f0ee55e5d9aaabd946222739fdd60256

                          SHA1

                          86fcb9772d0f3b8c459cb9ee9bd157ca1c5ed278

                          SHA256

                          a07b944286cbb1128462f9364e24729211f2b7aa8cea049645b2bf2ba7703650

                          SHA512

                          38b319c13e33489943efabaa026beb8ba0480802f7733c42545eb8c4de608a3fe979087cac717bd18aff4b0a777900af4431fdd56a1a1bdcb39850a79f476aac

                          Download Submit

                        • C:\ProgramData\HostData\logs.uce
                          Filesize

                          497B

                          MD5

                          13fda2ab01b83a5130842a5bab3892d3

                          SHA1

                          6e18e4b467cde054a63a95d4dfc030f156ecd215

                          SHA256

                          76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e

                          SHA512

                          c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc

                          Download Submit

                        • memory/228-153-0x0000000000C40000-0x0000000000CF0000-memory.dmp

                          Filesize

                          704KB

                          Download

                        • memory/1456-144-0x0000000005B20000-0x0000000005B3E000-memory.dmp

                          Filesize

                          120KB

                          Download

                        • memory/1456-166-0x0000000005F10000-0x0000000005F1A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/1456-140-0x0000000000BF0000-0x0000000000C26000-memory.dmp

                          Filesize

                          216KB

                          Download

                        • memory/1456-141-0x0000000004DE0000-0x0000000005408000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/1456-142-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/1456-143-0x0000000005580000-0x00000000055E6000-memory.dmp

                          Filesize

                          408KB

                          Download

                        • memory/1456-182-0x00000000070C0000-0x00000000070C8000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/1456-145-0x0000000006110000-0x0000000006142000-memory.dmp

                          Filesize

                          200KB

                          Download

                        • memory/1456-146-0x0000000070C80000-0x0000000070CCC000-memory.dmp

                          Filesize

                          304KB

                          Download

                        • memory/1456-178-0x00000000070F0000-0x0000000007186000-memory.dmp

                          Filesize

                          600KB

                          Download

                        • memory/1456-148-0x00000000074B0000-0x0000000007B2A000-memory.dmp

                          Filesize

                          6.5MB

                          Download

                        • memory/1456-149-0x0000000006E50000-0x0000000006E6A000-memory.dmp

                          Filesize

                          104KB

                          Download

                        • memory/1456-180-0x0000000006EB0000-0x0000000006EBE000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/1456-147-0x00000000060D0000-0x00000000060EE000-memory.dmp

                          Filesize

                          120KB

                          Download

                        • memory/1456-181-0x00000000070D0000-0x00000000070EA000-memory.dmp

                          Filesize

                          104KB

                          Download

                        • memory/4332-132-0x0000000000330000-0x00000000003D8000-memory.dmp

                          Filesize

                          672KB

                          Download

                        • memory/4332-133-0x0000000005260000-0x0000000005804000-memory.dmp

                          Filesize

                          5.6MB

                          Download

                        • memory/4332-134-0x0000000004D90000-0x0000000004E22000-memory.dmp

                          Filesize

                          584KB

                          Download

                        • memory/4332-135-0x0000000004F30000-0x0000000004F3A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/4332-136-0x0000000005010000-0x0000000005076000-memory.dmp

                          Filesize

                          408KB

                          Download