Overview

overview

8

Static

static

dridex

windows10-2004-x64

8

Analysis

  • max time kernel
    157s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2022 00:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    520ac8a7c8963b64449f36f419ee414be34d80d6e017a5c2773bce2408b05d98.exe

  • Size

    734KB

  • MD5

    ac99947bfc16f54eb17f53e6e3fb786f

  • SHA1

    d36105fa1ed457b0678f4b497e781228e0ba9ddb

  • SHA256

    520ac8a7c8963b64449f36f419ee414be34d80d6e017a5c2773bce2408b05d98

  • SHA512

    353ed8fc05ed8987c87c9cc967b8ff87414baf2238e433dd92b137418eb9ec7930e4431c83a24f14abca2700bfee2b3df53ce7d056616ff6dd349f023f75b4c8

  • SSDEEP

    768:rZmchlXKGREW6VA6joSRhFH+C9Pe2auEqainmngYWxuv8Gwmwoe9R4ZstojtfcWv:schl6M+lpDCUoHid0bIrlyR

Score
8/10
persistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 9 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Creates scheduled task(s) 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\520ac8a7c8963b64449f36f419ee414be34d80d6e017a5c2773bce2408b05d98.exe
    "C:\Users\Admin\AppData\Local\Temp\520ac8a7c8963b64449f36f419ee414be34d80d6e017a5c2773bce2408b05d98.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\HostData"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\chcp.com
        chcp 1251
        3⤵
          PID:3708
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2524
      • C:\ProgramData\Dllhost\dllhost.exe
        "C:\ProgramData\Dllhost\dllhost.exe"
        2⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2400
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
          3⤵
            PID:2432
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1320
            • C:\Windows\SysWOW64\schtasks.exe
              SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              4⤵
              • Creates scheduled task(s)
              PID:3512
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
            3⤵
              PID:1836
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:848
              • C:\Windows\SysWOW64\schtasks.exe
                SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                4⤵
                • Creates scheduled task(s)
                PID:2668
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
              3⤵
                PID:4560
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:4840
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4600
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:3612
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1116
                • C:\Windows\SysWOW64\schtasks.exe
                  SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  4⤵
                  • Creates scheduled task(s)
                  PID:3208
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                3⤵
                  PID:4660
                  • C:\Windows\SysWOW64\schtasks.exe
                    SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    4⤵
                    • Creates scheduled task(s)
                    PID:448
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1220" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                  3⤵
                    PID:4248
                    • C:\Windows\SysWOW64\schtasks.exe
                      SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk1220" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                      4⤵
                      • Creates scheduled task(s)
                      PID:2460
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2478" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3564
                    • C:\Windows\SysWOW64\schtasks.exe
                      SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2478" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                      4⤵
                      • Creates scheduled task(s)
                      PID:1600
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6455" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:5044
                    • C:\Windows\SysWOW64\schtasks.exe
                      SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6455" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                      4⤵
                      • Creates scheduled task(s)
                      PID:3464
                  • C:\Windows\SysWOW64\cmd.exe
                    "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk417" /TR "C:\ProgramData\Dllhost\dllhost.exe"
                    3⤵
                      PID:2948
                    • C:\Windows\SysWOW64\cmd.exe
                      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
                      3⤵
                        PID:1260
                        • C:\Windows\SysWOW64\chcp.com
                          chcp 1251
                          4⤵
                            PID:3096
                        • C:\Windows\SysWOW64\cmd.exe
                          "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe --config msi.bin --log off
                          3⤵
                            PID:3352
                            • C:\Windows\SysWOW64\chcp.com
                              chcp 1251
                              4⤵
                                PID:4268

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\ProgramData\Dllhost\dllhost.exe
                          Filesize

                          966KB

                          MD5

                          c5d209b9ab7fcd3938bb22e5cfcb89ac

                          SHA1

                          d8c7dcee841e43d58d4348edbd79cb18b6170959

                          SHA256

                          5ed2462ecb33abedadaec35d6ca2152025544577f37195082a3e03861567f841

                          SHA512

                          529df27cbf5b710d453fd9525eb70e7e64ef961d37cf3d0e39b83b054b9c8d2a272d84bf1f35f5c7576e23e1631c108225b534edb36fdb0d3b7c61f781b18d46

                          Download Submit

                        • C:\ProgramData\Dllhost\dllhost.exe
                          Filesize

                          966KB

                          MD5

                          c5d209b9ab7fcd3938bb22e5cfcb89ac

                          SHA1

                          d8c7dcee841e43d58d4348edbd79cb18b6170959

                          SHA256

                          5ed2462ecb33abedadaec35d6ca2152025544577f37195082a3e03861567f841

                          SHA512

                          529df27cbf5b710d453fd9525eb70e7e64ef961d37cf3d0e39b83b054b9c8d2a272d84bf1f35f5c7576e23e1631c108225b534edb36fdb0d3b7c61f781b18d46

                          Download Submit

                        • C:\ProgramData\HostData\logs.uce
                          Filesize

                          497B

                          MD5

                          13fda2ab01b83a5130842a5bab3892d3

                          SHA1

                          6e18e4b467cde054a63a95d4dfc030f156ecd215

                          SHA256

                          76973d42c8fceceab7ec85b3d01b218db92564993e93a9bea31c52aa73aeee9e

                          SHA512

                          c51f9fd6e452fbeeedd4dfaba3c7c887e337f01e68abdd27d4032f8be85def7ef3cf0c77bf60e425b085b76c0539464c6b6e5e805a69397c5519e8ccf9fffccc

                          Download Submit

                        • memory/2400-147-0x0000000000DB0000-0x0000000000E60000-memory.dmp

                          Filesize

                          704KB

                          Download

                        • memory/2524-171-0x0000000006F70000-0x0000000006FA2000-memory.dmp

                          Filesize

                          200KB

                          Download

                        • memory/2524-176-0x0000000007D30000-0x0000000007D3A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/2524-142-0x0000000005A30000-0x0000000005A52000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/2524-141-0x0000000005A90000-0x00000000060B8000-memory.dmp

                          Filesize

                          6.2MB

                          Download

                        • memory/2524-151-0x00000000069A0000-0x00000000069BE000-memory.dmp

                          Filesize

                          120KB

                          Download

                        • memory/2524-140-0x0000000005410000-0x0000000005446000-memory.dmp

                          Filesize

                          216KB

                          Download

                        • memory/2524-177-0x0000000007F60000-0x0000000007FF6000-memory.dmp

                          Filesize

                          600KB

                          Download

                        • memory/2524-178-0x0000000007F00000-0x0000000007F0E000-memory.dmp

                          Filesize

                          56KB

                          Download

                        • memory/2524-179-0x0000000008000000-0x000000000801A000-memory.dmp

                          Filesize

                          104KB

                          Download

                        • memory/2524-143-0x0000000006230000-0x0000000006296000-memory.dmp

                          Filesize

                          408KB

                          Download

                        • memory/2524-175-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

                          Filesize

                          104KB

                          Download

                        • memory/2524-174-0x0000000008350000-0x00000000089CA000-memory.dmp

                          Filesize

                          6.5MB

                          Download

                        • memory/2524-180-0x0000000007F40000-0x0000000007F48000-memory.dmp

                          Filesize

                          32KB

                          Download

                        • memory/2524-172-0x0000000070B10000-0x0000000070B5C000-memory.dmp

                          Filesize

                          304KB

                          Download

                        • memory/2524-173-0x0000000006F50000-0x0000000006F6E000-memory.dmp

                          Filesize

                          120KB

                          Download

                        • memory/4012-136-0x0000000004F20000-0x0000000004F86000-memory.dmp

                          Filesize

                          408KB

                          Download

                        • memory/4012-135-0x0000000004D40000-0x0000000004D4A000-memory.dmp

                          Filesize

                          40KB

                          Download

                        • memory/4012-134-0x0000000004CA0000-0x0000000004D32000-memory.dmp

                          Filesize

                          584KB

                          Download

                        • memory/4012-132-0x0000000000230000-0x00000000002D8000-memory.dmp

                          Filesize

                          672KB

                          Download

                        • memory/4012-133-0x00000000051B0000-0x0000000005754000-memory.dmp

                          Filesize

                          5.6MB

                          Download