Overview

overview

7

Static

static

1

dridex

windows10-1703-x64

7

Analysis

  • max time kernel
    134s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04-03-2023 20:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d911e065b08602864bff2e45b714ff89d293a85d36aacc35979b5771999025aa.exe

  • Size

    4.2MB

  • MD5

    5b3ece16b03dc1d46acfb9fe7771b642

  • SHA1

    4ab4cb84421f9caaf97f3130f850aeae6b3a74a0

  • SHA256

    d911e065b08602864bff2e45b714ff89d293a85d36aacc35979b5771999025aa

  • SHA512

    19f6e2bc0c20d1e9d5d5ba21fb13b8d86549eaf99fc53ce88bdb8226f6a98f72c331cf2698082bdc6e437f5b1150df6a6a4769f6b08592d3e74de98f4313f60a

  • SSDEEP

    49152:HZx28PbFFbDmcVY9yIsI/qaQjI6DpiRp5ZtCaMRka7eQxh+KDQy8YTc7cN6oe4CY:HGutKcm9yB4iIEiB2+a7eUkub

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d911e065b08602864bff2e45b714ff89d293a85d36aacc35979b5771999025aa.exe
    "C:\Users\Admin\AppData\Local\Temp\d911e065b08602864bff2e45b714ff89d293a85d36aacc35979b5771999025aa.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3532
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDocuments-type6.8.7.5" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1820
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDocuments-type6.8.7.5" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1020
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDocuments-type6.8.7.5" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3980
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "DocumentsDocuments-type6.8.7.5\DocumentsDocuments-type6.8.7.5" /TR "C:\ProgramData\DocumentsDocuments-type6.8.7.5\DocumentsDocuments-type6.8.7.5.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4696
      • C:\ProgramData\DocumentsDocuments-type6.8.7.5\DocumentsDocuments-type6.8.7.5.exe
        "C:\ProgramData\DocumentsDocuments-type6.8.7.5\DocumentsDocuments-type6.8.7.5.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Executes dropped EXE
        PID:4412
  • C:\ProgramData\DocumentsDocuments-type6.8.7.5\DocumentsDocuments-type6.8.7.5.exe
    C:\ProgramData\DocumentsDocuments-type6.8.7.5\DocumentsDocuments-type6.8.7.5.exe
    1⤵
    • Executes dropped EXE
    PID:2872

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\DocumentsDocuments-type6.8.7.5\DocumentsDocuments-type6.8.7.5.exe
    Filesize

    824.7MB

    MD5

    0f9cd021b6f6a3a0b14c69df5f7f69e4

    SHA1

    8026d016e0a849a3be3bb09a5e7c6c6219c9711f

    SHA256

    8581e922320e275792f0780b888315286016cd98131833144a8ff32d5b3364f9

    SHA512

    ef5c404c6f2ffe38ded1ba2331551489424871d65da274a5d30a6eba285d32eebf26db6f77243600951bb9b3ff1f206b9a7206a22e8dd0f29c3cbae73edfdb86

    Download Submit

  • C:\ProgramData\DocumentsDocuments-type6.8.7.5\DocumentsDocuments-type6.8.7.5.exe
    Filesize

    824.7MB

    MD5

    0f9cd021b6f6a3a0b14c69df5f7f69e4

    SHA1

    8026d016e0a849a3be3bb09a5e7c6c6219c9711f

    SHA256

    8581e922320e275792f0780b888315286016cd98131833144a8ff32d5b3364f9

    SHA512

    ef5c404c6f2ffe38ded1ba2331551489424871d65da274a5d30a6eba285d32eebf26db6f77243600951bb9b3ff1f206b9a7206a22e8dd0f29c3cbae73edfdb86

    Download Submit

  • C:\ProgramData\DocumentsDocuments-type6.8.7.5\DocumentsDocuments-type6.8.7.5.exe
    Filesize

    243.6MB

    MD5

    c7f689fe4815b92b6dd21f6558af0f08

    SHA1

    781f926aa815dfe71c8bdd3f9447f8bf4521ef53

    SHA256

    17e1d186a68c546fb18b10627769d529cdb6496a5263b97ad96eb7b46c118d7b

    SHA512

    beea68562b3052e09a214f6d374e52d23db480387a84c5ede30dbd6d4046e965d60abe9ca75518134cc375bcc77a9fd594aadf94e8916ae38886f0b2bb1ae242

    Download Submit

  • memory/3532-121-0x0000000000C00000-0x0000000001028000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/3532-126-0x00000000059A0000-0x0000000005E9E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3532-127-0x0000000005540000-0x00000000055D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3532-128-0x0000000005720000-0x0000000005730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3532-129-0x0000000003030000-0x000000000303A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3532-130-0x0000000005720000-0x0000000005730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3532-131-0x0000000005720000-0x0000000005730000-memory.dmp

    Filesize

    64KB

    Download