Overview

overview

7

Static

static

1

dridex

windows10-1703-x64

7

Analysis

  • max time kernel
    90s
  • max time network
    73s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05/03/2023, 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02393da102f8a8c5d76eee171cb10f619114d07680905b17fe48bf5479355d45.exe

  • Size

    4.2MB

  • MD5

    5323d8060be46872b2c0a81c9c4bc67e

  • SHA1

    71dd8df269585b21a7d0b7f2d1f7c0cf4195013f

  • SHA256

    02393da102f8a8c5d76eee171cb10f619114d07680905b17fe48bf5479355d45

  • SHA512

    5412d0a7e844c8980ca85a903157d5c1e77b767275ec518e533515d30f545952d77ff108933f3d968256153a4c21c74eafbe6267b102375ecc306eeb9a5b1f55

  • SSDEEP

    98304:uEhTEG4s2Rk5cs38shhSNjJe+i4sYeq69DedTV0VbTXF2RAvRthQ:uRG4sskf38s7MjJeVYT69id+VbaM8

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02393da102f8a8c5d76eee171cb10f619114d07680905b17fe48bf5479355d45.exe
    "C:\Users\Admin\AppData\Local\Temp\02393da102f8a8c5d76eee171cb10f619114d07680905b17fe48bf5479355d45.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5104
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4076
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4932
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1488
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "regid.1991-06.com.microsoftMicrosoft-type5.2.3.1\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1" /TR "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:2640
      • C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1.exe
        "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Executes dropped EXE
        PID:2308
  • C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1.exe
    C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1.exe
    1⤵
    • Executes dropped EXE
    PID:4896

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1.exe
    Filesize

    734.2MB

    MD5

    8c87370cf6ffd35393cf0b69e53f7bf5

    SHA1

    d20a81a283eb3c843d63e3486e47a08e9b51494b

    SHA256

    3f3fa0d4be5006768c84fe687b254ed2216d9605de5bd78f09241a64da3a0fd3

    SHA512

    9fb75f686a9026644358eeb22b94c2172afe56899daf62adecb3a407abcbd3cadbe4deb350db23511450a8b92b896960fede29fa50ede95b9b04361534e538f4

    Download Submit

  • C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1.exe
    Filesize

    734.2MB

    MD5

    8c87370cf6ffd35393cf0b69e53f7bf5

    SHA1

    d20a81a283eb3c843d63e3486e47a08e9b51494b

    SHA256

    3f3fa0d4be5006768c84fe687b254ed2216d9605de5bd78f09241a64da3a0fd3

    SHA512

    9fb75f686a9026644358eeb22b94c2172afe56899daf62adecb3a407abcbd3cadbe4deb350db23511450a8b92b896960fede29fa50ede95b9b04361534e538f4

    Download Submit

  • C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1\regid.1991-06.com.microsoftMicrosoft-type5.2.3.1.exe
    Filesize

    538.7MB

    MD5

    5c5aff67311e5fda3c4105ec1933336b

    SHA1

    00538662904fd9858a8e8abd3a9b2e706a628749

    SHA256

    2b2ea3a8ef5925af43eaabce2d782fe1397f55e37af59c014ceafb564a4d494d

    SHA512

    b4e82e38be34780d91467a0763a84daaf36cf03961a9b326f7ce42109eb5c798da123eb105a1a2eb86d70b0761a0f449031aeeee8af70a3ed8f202637b202c29

    Download Submit

  • memory/5104-121-0x0000000004600000-0x0000000004A28000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/5104-128-0x0000000009380000-0x000000000987E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/5104-129-0x0000000008F20000-0x0000000008FB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5104-130-0x0000000008EA0000-0x0000000008EAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5104-131-0x0000000008EE0000-0x0000000008EF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5104-132-0x0000000008EE0000-0x0000000008EF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5104-133-0x0000000008EE0000-0x0000000008EF0000-memory.dmp

    Filesize

    64KB

    Download