Overview

overview

8

Static

static

dridex

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 11:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602.exe

  • Size

    8KB

  • MD5

    af944ff6ede6e544bd6910aa9b9180b3

  • SHA1

    2274336ac45c75b32db66c9a8ca41013b5f76548

  • SHA256

    1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602

  • SHA512

    6142995db90d6811bf961ec2db4f8b13cc8f01d77b5f4edd4354287d3b813a97bd46bba891b2d3a21a44e2009b6b374af9a433a741fcc55818e1ce21638b308d

  • SSDEEP

    96:7Z83yfYaodPyaH1EWo0UYDQGAhNdcMu4cybu8xOL3yfXYPznlV73AFRvaf2sP0M:7ZtPWyavUSAlRR3fYL37AFxaZ

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602.exe
    "C:\Users\Admin\AppData\Local\Temp\1dc67eb129e32b976031eb223e549092154d84d9d936ec55fab5667ee3e8f602.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4888
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C schtasks /create /tn \kLfNdhbScV /tr "C:\Users\Admin\AppData\Roaming\kLfNdhbScV\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn \kLfNdhbScV /tr "C:\Users\Admin\AppData\Roaming\kLfNdhbScV\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        3⤵
        • Creates scheduled task(s)
        PID:4824
  • C:\Users\Admin\AppData\Roaming\kLfNdhbScV\svcupdater.exe
    C:\Users\Admin\AppData\Roaming\kLfNdhbScV\svcupdater.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1028

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\kLfNdhbScV\svcupdater.exe
    Filesize

    535.1MB

    MD5

    c5210e983b00e51f3c03704275387d0e

    SHA1

    107aa766e0b0fffc90e4f51f5062b8efc86d907b

    SHA256

    ed982e12987e6371c6e2f76a4942dbf16e180d22415fe741890f8b9ef0a32088

    SHA512

    c0863fb18cfb0165a0bc1d90c49db3c9696b6441e433468b42750112debc9c35345bb3dc725bff4501db9faf062c88683cae0cf8133bdb171dd5b387a0176c5c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\kLfNdhbScV\svcupdater.exe
    Filesize

    535.0MB

    MD5

    61e6318d3ab3619dd1a96f4e69e16ddb

    SHA1

    02d267fe07754f42346125c07caa10db450cf517

    SHA256

    0cf305c4fa5bd7166a4383a2318e693dcede0e918710431f86e5223645e42110

    SHA512

    31686beeb5e6ecc4c40debd20ff8bb333c061ac9a6c5e79b2910c405e46cb902cd01c0eb0793a6861d476dabd0b64f7a19dfd9342fe80bd99cefbed2d5073618

    Download Submit

  • memory/1028-140-0x00007FFAA3370000-0x00007FFAA3E31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1028-141-0x00007FFAA3370000-0x00007FFAA3E31000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3716-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4824-136-0x0000000000000000-mapping.dmp

    Download

  • memory/4888-132-0x00000000006E0000-0x00000000006E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4888-133-0x00007FFAA2D50000-0x00007FFAA3811000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4888-134-0x00007FFAA2D50000-0x00007FFAA3811000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4888-137-0x00007FFAA2D50000-0x00007FFAA3811000-memory.dmp

    Filesize

    10.8MB

    Download