Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-03-2023 06:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc936222af5841e0e16687624cfedf2743c9285119fe0c97786f6ae174f825c5.exe

  • Size

    328KB

  • MD5

    243bdb269b59f604ad9bc109758aeb2c

  • SHA1

    a7bb9fa52e09477f654cb7db70411e072224e51c

  • SHA256

    bc936222af5841e0e16687624cfedf2743c9285119fe0c97786f6ae174f825c5

  • SHA512

    36d35dfbe6b516be8f2f2f9dbc0770e727750553cae5db3a30cba40a71c1c777fb4b89684afbdf166869acce6b2b314b6b0dd6c4a954aae1d9d1fea359ee9034

  • SSDEEP

    6144:evSBanJK/5kPas8N0HEAAf1vbViarAWbd33sEPT:evjas8uHEAAtvBpkJEPT

Score
10/10
pseudomanuscryptloader

Malware Config

Signatures

  • Detects PseudoManuscrypt payload 28 IoCs
    loader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • PseudoManuscrypt

    PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    loaderpseudomanuscrypt
  • Loads dropped DLL 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1180
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s SENS
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1420
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2232
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2472
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2556
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k WspService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:3728
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2480
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2240
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1844
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s UserManager
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1404
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1248
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1028
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:336
  • C:\Users\Admin\AppData\Local\Temp\bc936222af5841e0e16687624cfedf2743c9285119fe0c97786f6ae174f825c5.exe
    "C:\Users\Admin\AppData\Local\Temp\bc936222af5841e0e16687624cfedf2743c9285119fe0c97786f6ae174f825c5.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\bc936222af5841e0e16687624cfedf2743c9285119fe0c97786f6ae174f825c5.exe
      "C:\Users\Admin\AppData\Local\Temp\bc936222af5841e0e16687624cfedf2743c9285119fe0c97786f6ae174f825c5.exe" -h
      2⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2508
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\db.dat
    Filesize

    557KB

    MD5

    df7b932ab62e929e3da95470914c10f3

    SHA1

    a63097f937fbe5cde36ab3b1530d5df0fb250fb5

    SHA256

    655a93928167bd8c84bc8dd6810c96cdd2e66a800197065ddb77bd30b2afef45

    SHA512

    7f24316896ce45ee7d3544c1920967ff9e3bb31020100a333b96b19d3ef421f9d6496b87248812ca7be288febf8fe7f7272652893df6f8756ac53d49d40b3d92

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\db.dll
    Filesize

    52KB

    MD5

    1b20e998d058e813dfc515867d31124f

    SHA1

    c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

    SHA256

    24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

    SHA512

    79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\db.dll
    Filesize

    52KB

    MD5

    1b20e998d058e813dfc515867d31124f

    SHA1

    c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

    SHA256

    24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

    SHA512

    79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

    Download Submit
  • memory/336-137-0x0000013741780000-0x00000137417F2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/336-146-0x0000013741780000-0x00000137417F2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1028-170-0x000001A76AA40000-0x000001A76AAB2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1028-195-0x000001A76AA40000-0x000001A76AAB2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1180-194-0x00000255336A0000-0x0000025533712000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1180-164-0x00000255336A0000-0x0000025533712000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1248-224-0x0000022899F70000-0x0000022899FE2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1248-192-0x0000022899F70000-0x0000022899FE2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1404-204-0x0000020860150000-0x00000208601C2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1404-225-0x0000020860150000-0x00000208601C2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1420-176-0x0000027BEA030000-0x0000027BEA0A2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1420-199-0x0000027BEA030000-0x0000027BEA0A2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1844-200-0x0000020E96640000-0x0000020E966B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1844-183-0x0000020E96640000-0x0000020E966B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2088-141-0x0000000001170000-0x00000000011CE000-memory.dmp
    Filesize

    376KB

    Download
  • memory/2088-138-0x00000000046E0000-0x00000000047E6000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2088-222-0x0000000001170000-0x00000000011CE000-memory.dmp
    Filesize

    376KB

    Download
  • memory/2232-189-0x0000015E88740000-0x0000015E887B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2232-151-0x0000015E88740000-0x0000015E887B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2240-157-0x0000020EAB440000-0x0000020EAB4B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2240-191-0x0000020EAB440000-0x0000020EAB4B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2472-211-0x0000023CCA940000-0x0000023CCA9B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2472-226-0x0000023CCA940000-0x0000023CCA9B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2480-227-0x000001F8EC870000-0x000001F8EC8E2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2480-218-0x000001F8EC870000-0x000001F8EC8E2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2556-129-0x0000010D7E520000-0x0000010D7E592000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2556-131-0x0000010D7DCA0000-0x0000010D7DCED000-memory.dmp
    Filesize

    308KB

    Download
  • memory/2556-143-0x0000010D7E520000-0x0000010D7E592000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2556-126-0x0000010D7DCA0000-0x0000010D7DCED000-memory.dmp
    Filesize

    308KB

    Download
  • memory/3728-139-0x000001F229C00000-0x000001F229C72000-memory.dmp
    Filesize

    456KB

    Download
  • memory/3728-148-0x000001F229C00000-0x000001F229C72000-memory.dmp
    Filesize

    456KB

    Download
  • memory/3728-188-0x000001F229C00000-0x000001F229C72000-memory.dmp
    Filesize

    456KB

    Download
  • memory/3728-231-0x000001F229C00000-0x000001F229C72000-memory.dmp
    Filesize

    456KB

    Download
  • memory/3728-248-0x000001F22C100000-0x000001F22C20B000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3728-247-0x000001F22B420000-0x000001F22B43B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3728-250-0x000001F22B4C0000-0x000001F22B4DB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3728-249-0x000001F22B480000-0x000001F22B4A0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/3728-260-0x000001F22C100000-0x000001F22C20B000-memory.dmp
    Filesize

    1.0MB

    Download