Overview

overview

8

Static

static

dridex

windows10-1703-x64

8

Analysis

  • max time kernel
    137s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-01-2023 10:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bfc83919bff11c630a90c559ddc1deb8316453c0cd492e8f1251d9e5e262700c.exe

  • Size

    1.0MB

  • MD5

    7d0ec78a9495cea56b5b5716d28f2590

  • SHA1

    6367a468e35540e1480b744e99ba864e972e6c35

  • SHA256

    bfc83919bff11c630a90c559ddc1deb8316453c0cd492e8f1251d9e5e262700c

  • SHA512

    c94fce36d141f00b1dd807804e8099fb88d2bacc21f8f88b48d0ef7d4eeab165a9e0098d69f66515d4f20731fa01735ff19101c445d7e66358dc3163f38d84c5

  • SSDEEP

    24576:pj/qbiEMYfjf2rdgvJUu9wCf3LsM/b2Axh6+PT:pj/6ffQEXwCD7/b2AxnL

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Blocklisted process makes network request 3 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 24 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfc83919bff11c630a90c559ddc1deb8316453c0cd492e8f1251d9e5e262700c.exe
    "C:\Users\Admin\AppData\Local\Temp\bfc83919bff11c630a90c559ddc1deb8316453c0cd492e8f1251d9e5e262700c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp",Iyidwoiowsw
      2⤵
      • Blocklisted process makes network request
      • Sets DLL path for service in the registry
      • Sets service image path in registry
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 15599
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2224
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        3⤵
          PID:3828
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
          3⤵
            PID:4880
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:5100
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\SysWOW64\svchost.exe -k LocalService
          1⤵
            PID:2768
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adobexmp.dll",Qgo4WWdTNkk=
              2⤵
                PID:4840

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\{B7E8E476-349D-60AA-651B-798B40E3CAEC}\102__Connections_Cellular_Claro (Dominican Republic)_i1$(__MVID)@WAP.provxml
              Filesize

              670B

              MD5

              e138d12df07a17d5c6430f164d346e9f

              SHA1

              737b9f72f21706882009bdc9dd4480652a424494

              SHA256

              a291b07ef66ac7d269030117060c2a271f22590f5a9dd056ba522841663b30ed

              SHA512

              9dde92da0b7e408369cc0d826c933a3f32dea4f9b6d76e8690e365bd3bf2e4a8b9432a0c9dc279fa2a5e354c39f5bbeb0e90dfc082b0e7d84cbfdecd960bf48a

              Download Submit

            • C:\ProgramData\{B7E8E476-349D-60AA-651B-798B40E3CAEC}\MasterDatastore.xml
              Filesize

              271B

              MD5

              d6650e3886f3c95fb42d4f0762b04173

              SHA1

              1da4b8bb6bb45d576616ad843cf6e4c2e9d4784b

              SHA256

              9101f028c2288850be393281297500902b297c8b6ecf793292678b04a72709c9

              SHA512

              1f82db4bd6ea401bb5610c21ed48848b9b61c55aabb4efada31dc677835b8e4451045006c4067e9cc51267a1c861765b49c3b3ab4c568be1dca0c0109fd8ceaa

              Download Submit

            • C:\ProgramData\{B7E8E476-349D-60AA-651B-798B40E3CAEC}\Microsoft_Office_OfficeTelemetryAgentLogOn2016.xml
              Filesize

              3KB

              MD5

              2dd9bafcbda61d5d509e48086cd0a986

              SHA1

              821e66af11451535cdc249ec1493e5bca4d2cad2

              SHA256

              2da208b3e33831803c1b830244636ca3d6cbc54fdd7e4add03059795c169002e

              SHA512

              6f79656269570b309a5697b007245dff4983e6c20b9c3857ba1cc088ad4f7aec3b465e5fafc4f97b584cca88f6984ef90bbbdc499c20440f0f15da04ea79d528

              Download Submit

            • C:\ProgramData\{B7E8E476-349D-60AA-651B-798B40E3CAEC}\RunTime.xml
              Filesize

              575B

              MD5

              0dccb4a744fba717d59b35ea33679620

              SHA1

              2f3733a32560c424c0e7c627f016d872bf30f212

              SHA256

              2c71a1524274d23cf66d3cee24a74592a2b9d0b9bd4a14999d8a6e53ebd33afc

              SHA512

              bdda2d98fdd488594ecdb0b2552da2f4f25a3eb5a5a1aecf8cc17e32126ac9d878928425cbece7fd5ab601f4e182a3c150c852c3f0b0e0f0dca9a676c4cb5b8e

              Download Submit

            • C:\ProgramData\{B7E8E476-349D-60AA-651B-798B40E3CAEC}\Rwdfud.tmp
              Filesize

              3.5MB

              MD5

              9d04cf0ff7e95ad4b363c4a7da79d41e

              SHA1

              9e0a07252102ca1103c80e4295962b2ad38449ef

              SHA256

              029d8ea6985c43ae05b04c017b1dea297abda245219cb74afcb61910ebb5e5d7

              SHA512

              3fe0de997f771668a88c8cef2d62e22b34b6c5196504eea10b0cca38e87de7f6fdcc1312b81fcef4b60ed1badf5b73c6c696480f01bc8608913e88d367bec61e

              Download Submit

            • C:\ProgramData\{B7E8E476-349D-60AA-651B-798B40E3CAEC}\stream.x64.x-none.hash
              Filesize

              128B

              MD5

              2b4d6d3b95916f9810449019372fbbde

              SHA1

              2c9f59c51fc6b290f758aed25a899dba37459fc6

              SHA256

              cea19b915390806a9677165794194c66b19e3198a342d51e5a880e7b55768ac7

              SHA512

              5cbb012b89989d53a7814dcb9f0391a761ebea6a7c9d1dcaae0efb476e61b30ce678387c4ff6fcebea0643f96d2f3bf126cff9511a75c1780ec89b51ba79c8db

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\Wtfoiq.tmp
              Filesize

              714KB

              MD5

              9dd70d24b2657a9254b9fd536a4d06d5

              SHA1

              348a1d210d7c4daef8ecdb692eadf3975971e8ee

              SHA256

              d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd

              SHA512

              dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6

              Download Submit

            • \??\c:\program files (x86)\windowspowershell\modules\adobexmp.dll
              Filesize

              714KB

              MD5

              8915e2f468e54fb9a02fa9fc54fb7363

              SHA1

              a279e025182846415139269b2922ef17dea5b062

              SHA256

              26e056839c14f2bdbe6f847913146ac29a6d83a429b470395699d32b70aef3cd

              SHA512

              872ab7039c1ca93fd76e3dbc211564fab0638cc888d07c1506ae1ed6cc09b17a6936144f2f6fe3d3019b81e9fa8624c050b6be6317f1f9f9b63bea70fcc964d0

              Download Submit

            • \Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dll
              Filesize

              714KB

              MD5

              8915e2f468e54fb9a02fa9fc54fb7363

              SHA1

              a279e025182846415139269b2922ef17dea5b062

              SHA256

              26e056839c14f2bdbe6f847913146ac29a6d83a429b470395699d32b70aef3cd

              SHA512

              872ab7039c1ca93fd76e3dbc211564fab0638cc888d07c1506ae1ed6cc09b17a6936144f2f6fe3d3019b81e9fa8624c050b6be6317f1f9f9b63bea70fcc964d0

              Download Submit

            • \Program Files (x86)\WindowsPowerShell\Modules\AdobeXMP.dll
              Filesize

              714KB

              MD5

              8915e2f468e54fb9a02fa9fc54fb7363

              SHA1

              a279e025182846415139269b2922ef17dea5b062

              SHA256

              26e056839c14f2bdbe6f847913146ac29a6d83a429b470395699d32b70aef3cd

              SHA512

              872ab7039c1ca93fd76e3dbc211564fab0638cc888d07c1506ae1ed6cc09b17a6936144f2f6fe3d3019b81e9fa8624c050b6be6317f1f9f9b63bea70fcc964d0

              Download Submit

            • \Users\Admin\AppData\Local\Temp\Wtfoiq.tmp
              Filesize

              714KB

              MD5

              9dd70d24b2657a9254b9fd536a4d06d5

              SHA1

              348a1d210d7c4daef8ecdb692eadf3975971e8ee

              SHA256

              d0ac0e9021c6e231c60256198309b7f72ce4c5e772cf343b5456c2ce0664b9bd

              SHA512

              dee5bfe83fdf196c78ee255e50a25994220ce9ecac22eb24323df70e668714d7a810b67ddace7809d9d7e2160a35c4603deedb64b1660d82dde58586c34d2ab6

              Download Submit

            • memory/2224-281-0x0000000000E90000-0x0000000001131000-memory.dmp

              Filesize

              2.6MB

              Download

            • memory/2224-282-0x00000190C8300000-0x00000190C85B2000-memory.dmp

              Filesize

              2.7MB

              Download

            • memory/2692-161-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-154-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-132-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-133-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-134-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-135-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-136-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-137-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-138-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-139-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-140-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-141-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-143-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-144-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-145-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-147-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-148-0x0000000004E30000-0x0000000004F45000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2692-146-0x0000000004D50000-0x0000000004E2D000-memory.dmp

              Filesize

              884KB

              Download

            • memory/2692-149-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-150-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-151-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-152-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-153-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-129-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-156-0x0000000000400000-0x00000000030C7000-memory.dmp

              Filesize

              44.8MB

              Download

            • memory/2692-157-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-158-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-155-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-159-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-160-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-130-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-162-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-163-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-164-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-174-0x0000000000400000-0x00000000030C7000-memory.dmp

              Filesize

              44.8MB

              Download

            • memory/2692-120-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-121-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-122-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-123-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-131-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-124-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-125-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-128-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-126-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2692-127-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2768-357-0x0000000006130000-0x0000000006C71000-memory.dmp

              Filesize

              11.3MB

              Download

            • memory/3480-280-0x0000000006179000-0x000000000617B000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3480-179-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-180-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-181-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-182-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-183-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-184-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-185-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-186-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-187-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-188-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-189-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-263-0x0000000006740000-0x0000000007281000-memory.dmp

              Filesize

              11.3MB

              Download

            • memory/3480-177-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-178-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-283-0x0000000006740000-0x0000000007281000-memory.dmp

              Filesize

              11.3MB

              Download

            • memory/3480-176-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-175-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-173-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-170-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-172-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-171-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-169-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-168-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-167-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3480-166-0x0000000077890000-0x0000000077A1E000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/4840-455-0x0000000006AC0000-0x0000000007601000-memory.dmp

              Filesize

              11.3MB

              Download