Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-12-2022 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe

  • Size

    65KB

  • MD5

    7e319c1315d5b97983fb7cb4d93ddf0c

  • SHA1

    fde2d21cb08b8d95ea2e4419e51aa43f8da348ac

  • SHA256

    311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c

  • SHA512

    02f59f8d2dd41e1e287c46a8bd3119c98d2f2500a95a7d980791f7f6f326cad43111385b30d3c8e6de912905a81527632dd9a7089f1aa6f1716eabe4608bcfad

  • SSDEEP

    1536:WIHebrEKfgYBUngABZvxZ/DOG8s8MkeNSzXzK1:Gb4KRapBZP/Dl8DMDSzX+1

Score
10/10
bitratxenarmorcollectionpasswordpersistencerecoveryspywarestealertrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

37.139.128.233:3569

Attributes
  • communication_password

    ce952068942604a6d6df06ed5002fad6

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • XenArmor Suite

    XenArmor is as suite of password recovery tools for various application.

    recoverypasswordxenarmor
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe
    "C:\Users\Admin\AppData\Local\Temp\311dc36ff1b1c092fe3c27ea3d7c699b77d092da4d5f1ccb5fc8e35b9a4adf5c.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-Date
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2348
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4584
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        -a "C:\Users\Admin\AppData\Local\707c9a17\plg\CwE6Xkaj.json"
        3⤵
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
          4⤵
          • Loads dropped DLL
          • Accesses Microsoft Outlook accounts
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3172

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\707c9a17\plg\CwE6Xkaj.json
    Filesize

    1KB

    MD5

    2839088c337f35edbce9721dddc514e3

    SHA1

    54e573718f2579b31d7fb8edd7b1e42f005e857f

    SHA256

    83086b306de7176597d26be3ffa5f8852b0238e5ed8880374512dc6c697a75ce

    SHA512

    4f47cc8de0c1bbf04c7a337bd4e52f33cf400f6a421908623806461b0a3b5488b57fb1bed8462e7e7f7037482f6ec451f8e6836867168b1f5c5d3d3ecadd2d48

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    4280e36a29fa31c01e4d8b2ba726a0d8

    SHA1

    c485c2c9ce0a99747b18d899b71dfa9a64dabe32

    SHA256

    e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

    SHA512

    494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    17KB

    MD5

    e57283afa46563c60c53dc103abd8e98

    SHA1

    1e1b5107870820c613e78cb6e74255dd048f63bd

    SHA256

    41a77c3e4d60ee39c69fd15cdb6f6e77ec95c6ac51bb10674be5f330498b3ae9

    SHA512

    ffdddc29857ddf461681412d9bec5c0d4231eb695d66fbfc8a61a02f71526473c56ea090f2aaf77bd6b2da8c04aa7ea07899555b738ddd02223d1426601e9696

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\unk.xml
    Filesize

    1KB

    MD5

    2839088c337f35edbce9721dddc514e3

    SHA1

    54e573718f2579b31d7fb8edd7b1e42f005e857f

    SHA256

    83086b306de7176597d26be3ffa5f8852b0238e5ed8880374512dc6c697a75ce

    SHA512

    4f47cc8de0c1bbf04c7a337bd4e52f33cf400f6a421908623806461b0a3b5488b57fb1bed8462e7e7f7037482f6ec451f8e6836867168b1f5c5d3d3ecadd2d48

    Download Submit

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor
    Filesize

    104B

    MD5

    4f3bde9212e17ef18226866d6ac739b6

    SHA1

    732733bec8314beb81437e60876ffa75e72ae6cd

    SHA256

    212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

    SHA512

    10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

    Download Submit

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\License.XenArmor
    Filesize

    104B

    MD5

    bf5da170f7c9a8eae88d1cb1a191ff80

    SHA1

    dd1b991a1b03587a5d1edc94e919a2070e325610

    SHA256

    e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

    SHA512

    9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

    Download Submit

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll
    Filesize

    793KB

    MD5

    86114faba7e1ec4a667d2bcb2e23f024

    SHA1

    670df6e1ba1dc6bece046e8b2e573dd36748245e

    SHA256

    568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

    SHA512

    d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

    Download Submit

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Unknown.dll
    Filesize

    793KB

    MD5

    86114faba7e1ec4a667d2bcb2e23f024

    SHA1

    670df6e1ba1dc6bece046e8b2e573dd36748245e

    SHA256

    568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

    SHA512

    d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

    Download Submit

  • memory/400-133-0x0000000005210000-0x00000000057B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/400-136-0x0000000005A20000-0x0000000005AB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/400-132-0x0000000000340000-0x0000000000356000-memory.dmp

    Filesize

    88KB

    Download

  • memory/400-141-0x0000000005A10000-0x0000000005A1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1104-168-0x0000000000400000-0x00000000008DC000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1104-159-0x0000000000400000-0x00000000008DC000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1104-160-0x0000000000400000-0x00000000008DC000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1104-176-0x0000000000400000-0x00000000008DC000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1104-157-0x0000000000400000-0x00000000008DC000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/1104-156-0x0000000000000000-mapping.dmp

    Download

  • memory/1944-154-0x0000000075460000-0x0000000075499000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1944-178-0x00000000750E0000-0x0000000075119000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1944-152-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1944-153-0x00000000750E0000-0x0000000075119000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1944-151-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1944-155-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1944-149-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1944-148-0x0000000000000000-mapping.dmp

    Download

  • memory/1944-179-0x0000000075460000-0x0000000075499000-memory.dmp

    Filesize

    228KB

    Download

  • memory/1944-150-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2348-144-0x0000000006A70000-0x0000000006A8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2348-134-0x0000000000000000-mapping.dmp

    Download

  • memory/2348-135-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2348-137-0x0000000005740000-0x0000000005D68000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2348-138-0x00000000055D0000-0x00000000055F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2348-143-0x0000000007CB0000-0x000000000832A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2348-142-0x0000000005340000-0x000000000535E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2348-140-0x0000000005E50000-0x0000000005EB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2348-139-0x0000000005DE0000-0x0000000005E46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3172-172-0x0000000010000000-0x0000000010227000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/3172-171-0x0000000010000000-0x0000000010227000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/3172-173-0x0000000000400000-0x00000000006FE000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3172-170-0x0000000000400000-0x00000000006FE000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3172-165-0x0000000000400000-0x00000000006FE000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3172-164-0x0000000000400000-0x00000000006FE000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3172-163-0x0000000000400000-0x00000000006FE000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3172-162-0x0000000000400000-0x00000000006FE000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/3172-161-0x0000000000000000-mapping.dmp

    Download

  • memory/4584-145-0x0000000000000000-mapping.dmp

    Download