Overview

overview

8

Static

static

dridex

windows10-2004-x64

8

Analysis

  • max time kernel
    101s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/11/2022, 07:27 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe

  • Size

    323KB

  • MD5

    9ea91ade8d040c71ee4e98ee8916cb08

  • SHA1

    90c5af76ec27c35a727cc64f422d2a01f305c930

  • SHA256

    51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

  • SHA512

    89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855

  • SSDEEP

    6144:eKlzr1sYCzek2ciDaP9Xk6Ln1W8W/9InBSkZZmLdGcAdgdY6RKpjS:eGhQ2ciDq9ZL1W8q9InBRqELdolRKpj

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe
    "C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe
      C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe
      2⤵
        PID:1488
      • C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe
        C:\Users\Admin\AppData\Local\Temp\51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Windows\SysWOW64\schtasks.exe
          /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
          3⤵
          • Creates scheduled task(s)
          PID:2172
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3536
        • C:\Windows\SysWOW64\schtasks.exe
          /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
          3⤵
          • Creates scheduled task(s)
          PID:1180
    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1452
      • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
        2⤵
        • Executes dropped EXE
        PID:2040

    Network

      No results found
    • 93.184.220.29:80
      322 B
       7
    • 52.168.112.66:443
      322 B
       7
    • 8.252.51.254:80
      322 B
       7
    • 104.80.225.205:443
      322 B
       7
    No results found

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oobeldr.exe.log
      Filesize

      789B

      MD5

      03d2df1e8834bc4ec1756735429b458c

      SHA1

      4ee6c0f5b04c8e0c5076219c5724032daab11d40

      SHA256

      745ab70552d9a0463b791fd8dc1942838ac3e34fb1a68f09ed3766c7e3b05631

      SHA512

      2482c3d4478125ccbc7f224f50e86b7bf925ed438b59f4dce57b9b6bcdb59df51417049096b131b6b911173550eed98bc92aba7050861de303a692f0681b197b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      Filesize

      323KB

      MD5

      9ea91ade8d040c71ee4e98ee8916cb08

      SHA1

      90c5af76ec27c35a727cc64f422d2a01f305c930

      SHA256

      51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

      SHA512

      89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      Filesize

      323KB

      MD5

      9ea91ade8d040c71ee4e98ee8916cb08

      SHA1

      90c5af76ec27c35a727cc64f422d2a01f305c930

      SHA256

      51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

      SHA512

      89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      Filesize

      323KB

      MD5

      9ea91ade8d040c71ee4e98ee8916cb08

      SHA1

      90c5af76ec27c35a727cc64f422d2a01f305c930

      SHA256

      51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

      SHA512

      89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      Filesize

      323KB

      MD5

      9ea91ade8d040c71ee4e98ee8916cb08

      SHA1

      90c5af76ec27c35a727cc64f422d2a01f305c930

      SHA256

      51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

      SHA512

      89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
      Filesize

      323KB

      MD5

      9ea91ade8d040c71ee4e98ee8916cb08

      SHA1

      90c5af76ec27c35a727cc64f422d2a01f305c930

      SHA256

      51193108fb352b0c1d77ffb0356aa2df89237859475ce608ecaaf7b73cdb7e18

      SHA512

      89915d96c2f23a043310e725fc2b315f8bb30743e5a8ad4238de3c285bb329446ae294dd2b85dd987d162ac72eced1a5ffa852a2983248a2dad0e9e07ad48855

      Download Submit

    • memory/1408-138-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1408-142-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download

    • memory/1408-140-0x0000000000400000-0x0000000000406000-memory.dmp

      Filesize

      24KB

      Download

    • memory/5072-132-0x0000000000AB0000-0x0000000000B06000-memory.dmp

      Filesize

      344KB

      Download

    • memory/5072-136-0x00000000054F0000-0x000000000550E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/5072-135-0x0000000007DE0000-0x0000000007E56000-memory.dmp

      Filesize

      472KB

      Download

    • memory/5072-134-0x0000000007B40000-0x0000000007BD2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/5072-133-0x0000000008050000-0x00000000085F4000-memory.dmp

      Filesize

      5.6MB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.