Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    314s
  • max time network
    340s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/02/2023, 13:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58cabc470935be409c60f06e2b70339d88288e3e8aa4900ada4246599bd0012f.exe

  • Size

    4.1MB

  • MD5

    5fa9970a72578a9747da980f36501cd4

  • SHA1

    6a7567ee7ff5b95894d347b1251f8c43923ba625

  • SHA256

    58cabc470935be409c60f06e2b70339d88288e3e8aa4900ada4246599bd0012f

  • SHA512

    2d6ec24555c31f0fe94050ae8f90bbbaa9ece756031b5c1f944586b59911beef3239a61e61891afbcb16ac2f20284f535f31bea6ea4a1c55b880530890980831

  • SSDEEP

    98304:vJVdvQZGhmIGw3dA+KbLfN2LuJQ6V/Zpk/azmB7:vdH3dA+QfVQ65k/j7

Score
10/10
evasion

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58cabc470935be409c60f06e2b70339d88288e3e8aa4900ada4246599bd0012f.exe
    "C:\Users\Admin\AppData\Local\Temp\58cabc470935be409c60f06e2b70339d88288e3e8aa4900ada4246599bd0012f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:552
    • C:\Users\Admin\AppData\Local\Temp\58cabc470935be409c60f06e2b70339d88288e3e8aa4900ada4246599bd0012f.exe
      "C:\Users\Admin\AppData\Local\Temp\58cabc470935be409c60f06e2b70339d88288e3e8aa4900ada4246599bd0012f.exe"
      2⤵
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\system32\cmd.exe
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4168
        • C:\Windows\system32\netsh.exe
          netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
          4⤵
          • Modifies Windows Firewall
          PID:1084
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4960

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/552-132-0x0000000002B9B000-0x0000000002F84000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/552-133-0x0000000002F90000-0x0000000003807000-memory.dmp

    Filesize

    8.5MB

    Download

  • memory/552-134-0x0000000002B9B000-0x0000000002F84000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/552-135-0x0000000000400000-0x0000000000C91000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/552-137-0x0000000002F90000-0x0000000003807000-memory.dmp

    Filesize

    8.5MB

    Download

  • memory/552-138-0x0000000000400000-0x0000000000C91000-memory.dmp

    Filesize

    8.6MB

    Download

  • memory/2660-139-0x000000000299B000-0x0000000002D84000-memory.dmp

    Filesize

    3.9MB

    Download

  • memory/2660-140-0x0000000000400000-0x0000000000C91000-memory.dmp

    Filesize

    8.6MB

    Download