Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    06-03-2023 05:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f7682f7dedc2a1ae89e8fef584aeafc44f7742919deb6b839d58fd800fceb16d.exe

  • Size

    308KB

  • MD5

    9ee78f83577be2793a35ee683ccee5fc

  • SHA1

    8baed5c17e0e45219946bcdafa6f0eea9d33c0d8

  • SHA256

    f7682f7dedc2a1ae89e8fef584aeafc44f7742919deb6b839d58fd800fceb16d

  • SHA512

    d521231236bdc0bdeb1c2b4ca66281e0b82c126b36dd3e45b6c4927ca4f2485f4eadd6db6831fcb00a0fb271ee1ea42d3d8cba918d6e080924e0f45a9cff1576

  • SSDEEP

    6144:bOsY+HgEiTA14Xn0Ti8v1bbFgXIQdjrfzNt1fEP3:i814Xn0Ti8tbJyIQdjrfzNEP3

Score
10/10
pseudomanuscryptloader

Malware Config

Signatures

  • Detects PseudoManuscrypt payload 29 IoCs
    loader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • PseudoManuscrypt

    PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    loaderpseudomanuscrypt
  • Loads dropped DLL 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 22 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:296
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:912
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1100
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1196
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s UserManager
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1376
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s SENS
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1412
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1832
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2248
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k WspService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4732
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2412
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2324
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2212
  • C:\Users\Admin\AppData\Local\Temp\f7682f7dedc2a1ae89e8fef584aeafc44f7742919deb6b839d58fd800fceb16d.exe
    "C:\Users\Admin\AppData\Local\Temp\f7682f7dedc2a1ae89e8fef584aeafc44f7742919deb6b839d58fd800fceb16d.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Users\Admin\AppData\Local\Temp\f7682f7dedc2a1ae89e8fef584aeafc44f7742919deb6b839d58fd800fceb16d.exe
      "C:\Users\Admin\AppData\Local\Temp\f7682f7dedc2a1ae89e8fef584aeafc44f7742919deb6b839d58fd800fceb16d.exe" -h
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:4480
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\db.dat
    Filesize

    557KB

    MD5

    9ac15413299558174055dc5601e114c2

    SHA1

    5f9507e6689fb18c1d9de33b550b412b18d6682f

    SHA256

    56e8a703e9cc3e3d46f72f387bd8e3bb40011715bde0cbbf12468deaea33e5d4

    SHA512

    fb30f39883db7071e014008c3d1c068ba89fee5c3d58efd4e72dd3e4d4f3172928f94d421f6ea17f4bf16521347a0ceac632e7733077c76128ae751175361e65

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\db.dll
    Filesize

    52KB

    MD5

    1b20e998d058e813dfc515867d31124f

    SHA1

    c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

    SHA256

    24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

    SHA512

    79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\db.dll
    Filesize

    52KB

    MD5

    1b20e998d058e813dfc515867d31124f

    SHA1

    c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

    SHA256

    24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

    SHA512

    79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

    Download Submit
  • memory/296-153-0x000001FA7EEA0000-0x000001FA7EF12000-memory.dmp
    Filesize

    456KB

    Download
  • memory/296-136-0x000001FA7EEA0000-0x000001FA7EF12000-memory.dmp
    Filesize

    456KB

    Download
  • memory/912-170-0x000001E240940000-0x000001E2409B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/912-215-0x000001E240940000-0x000001E2409B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1100-214-0x0000016BD2330000-0x0000016BD23A2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1100-164-0x0000016BD2330000-0x0000016BD23A2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1196-220-0x000001D30E760000-0x000001D30E7D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1196-190-0x000001D30E760000-0x000001D30E7D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1376-196-0x0000024E7C760000-0x0000024E7C7D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1376-222-0x0000024E7C760000-0x0000024E7C7D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1412-217-0x0000020EEED30000-0x0000020EEEDA2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1412-177-0x0000020EEED30000-0x0000020EEEDA2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1832-183-0x0000014F623D0000-0x0000014F62442000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1832-218-0x0000014F623D0000-0x0000014F62442000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2212-158-0x0000026D1CF10000-0x0000026D1CF82000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2212-145-0x0000026D1CF10000-0x0000026D1CF82000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2248-213-0x000002A691B40000-0x000002A691BB2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2248-157-0x000002A691B40000-0x000002A691BB2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2324-203-0x00000266B0600000-0x00000266B0672000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2324-223-0x00000266B0600000-0x00000266B0672000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2412-209-0x0000018D68A00000-0x0000018D68A72000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2412-225-0x0000018D68A00000-0x0000018D68A72000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2712-152-0x000001FC06600000-0x000001FC06672000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2712-125-0x000001FC05B50000-0x000001FC05B9D000-memory.dmp
    Filesize

    308KB

    Download
  • memory/2712-128-0x000001FC06600000-0x000001FC06672000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2712-130-0x000001FC05B50000-0x000001FC05B9D000-memory.dmp
    Filesize

    308KB

    Download
  • memory/4304-148-0x0000000004450000-0x0000000004558000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4304-216-0x0000000004320000-0x000000000437E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/4304-150-0x0000000004320000-0x000000000437E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/4732-137-0x00000234D1270000-0x00000234D12E2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/4732-149-0x00000234D1270000-0x00000234D12E2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/4732-155-0x00000234D1270000-0x00000234D12E2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/4732-231-0x00000234D1270000-0x00000234D12E2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/4732-244-0x00000234D10D0000-0x00000234D10EB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4732-248-0x00000234D3800000-0x00000234D390A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4732-249-0x00000234D2A90000-0x00000234D2AB0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4732-250-0x00000234D2AE0000-0x00000234D2AFB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4732-263-0x00000234D3800000-0x00000234D390A000-memory.dmp
    Filesize

    1.0MB

    Download