Overview

overview

9

Static

static

dridex

windows10-1703-x64

9

Analysis

  • max time kernel
    69s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25-01-2023 10:39

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe

  • Size

    8MB

  • MD5

    f205470fd1cbe293434397547ea08085

  • SHA1

    fef100258be04cfc8004b1e0827f7e7a78db8bae

  • SHA256

    f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2

  • SHA512

    f1c856c6b606f857d715dc19359456ff4464885b2783979b201c1b089a76ad78eccaf2ebb95bd188c5a944fb286dc1f7f24e74573d1306e954503243b2d885c7

  • SSDEEP

    196608:LJTx4XeiMijsL8e4O7mBEHwkSbgnVzTJUy392wJIlbgEc3Hs2V:tmiiwR4O7rw/bgVz973ttZHFV

Score
9/10
discoveryevasionpersistencetrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) ⋅ 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE ⋅ 1 IoCs
  • Checks BIOS information in registry ⋅ 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Modifies file permissions ⋅ 1 TTPs 3 IoCs
    discovery
  • Adds Run key to start application ⋅ 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled ⋅ 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices ⋅ 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) ⋅ 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses ⋅ 18 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
    "C:\Users\Admin\AppData\Local\Temp\f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe"
    Identifies VirtualBox via ACPI registry values (likely anti-VM)
    Checks BIOS information in registry
    Adds Run key to start application
    Checks whether UAC is enabled
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "8.3.7.Microsoft.NET\AgentActivationRuntime8.3.7.\IntelPalnt8.3.7." /TR "C:\ProgramData\5QP8WC5O\WlndowsDraiver-Ver8.3.7.2.exe" /SC MINUTE
      Creates scheduled task(s)
      PID:3364
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\5QP8WC5O" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      Modifies file permissions
      PID:4788
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\5QP8WC5O" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      Modifies file permissions
      PID:300
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\5QP8WC5O" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      Modifies file permissions
      PID:2072
  • C:\ProgramData\5QP8WC5O\WlndowsDraiver-Ver8.3.7.2.exe
    C:\ProgramData\5QP8WC5O\WlndowsDraiver-Ver8.3.7.2.exe
    Identifies VirtualBox via ACPI registry values (likely anti-VM)
    Executes dropped EXE
    Checks BIOS information in registry
    Checks whether UAC is enabled
    PID:4252

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Discovery

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Persistence

                  Privilege Escalation

                    Replay Monitor

                    00:00 00:00

                    Downloads

                    • C:\ProgramData\5QP8WC5O\WlndowsDraiver-Ver8.3.7.2.exe
                      MD5

                      fd1d33f24186fc488ec1dc023922320d

                      SHA1

                      6e666b1208eb252fbad96c2a6812b2eb841cdac6

                      SHA256

                      786510ffa18676e7df771a3b5771d90c0a65d5cadd5c81762ffbf18d9e4b90d8

                      SHA512

                      8a1009c95a763e16efe35defd955b2ff59dd89d4df661e9ccc1617520c01fa59d8633c894de6bd61d7968124a7b28a4d821ffdc51c5a55ef95c383b42683a4c7

                      Download Submit
                    • C:\ProgramData\5QP8WC5O\WlndowsDraiver-Ver8.3.7.2.exe
                      MD5

                      fd1d33f24186fc488ec1dc023922320d

                      SHA1

                      6e666b1208eb252fbad96c2a6812b2eb841cdac6

                      SHA256

                      786510ffa18676e7df771a3b5771d90c0a65d5cadd5c81762ffbf18d9e4b90d8

                      SHA512

                      8a1009c95a763e16efe35defd955b2ff59dd89d4df661e9ccc1617520c01fa59d8633c894de6bd61d7968124a7b28a4d821ffdc51c5a55ef95c383b42683a4c7

                      Download Submit
                    • memory/300-126-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2072-127-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3364-124-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3812-123-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp
                      Download
                    • memory/3812-132-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp
                      Download
                    • memory/3812-116-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp
                      Download
                    • memory/3812-122-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp
                      Download
                    • memory/3812-121-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp
                      Download
                    • memory/3812-129-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp
                      Download
                    • memory/3812-117-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp
                      Download
                    • memory/4252-131-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp
                      Download
                    • memory/4252-133-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp
                      Download
                    • memory/4252-137-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp
                      Download
                    • memory/4252-138-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp
                      Download
                    • memory/4252-139-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp
                      Download
                    • memory/4252-140-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp
                      Download
                    • memory/4788-125-0x0000000000000000-mapping.dmp
                      Download