Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    161s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    10-03-2023 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe

  • Size

    328KB

  • MD5

    01373d57fe51a8c713ff58681b73b545

  • SHA1

    fdde9f7b9b943e8c618ea471ca3d59642530b7d8

  • SHA256

    66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e

  • SHA512

    29929961a67d31e5ee696a9b80326e6c1b28490d9e575f580467d11b7051ea94c88fe7a1590f54b44d33b41402b2428d43e06df6b2e9a574246e3af481583cd1

  • SSDEEP

    6144:evSBanJK/5kPas8N0HEAAf1vbViarAWbd33IEPT:evjas8uHEAAtvBpk9EPT

Score
10/10
pseudomanuscryptloader

Malware Config

Signatures

  • Detects PseudoManuscrypt payload 29 IoCs
    loader
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • PseudoManuscrypt

    PseudoManuscrypt is a malware Lazarus’s Manuscrypt targeting government organizations and ICS.

    loaderpseudomanuscrypt
  • Loads dropped DLL 1 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2676
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2664
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k WspService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      PID:4636
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2384
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2376
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1892
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s SENS
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1452
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s UserManager
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1412
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1200
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1180
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1064
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:60
  • C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
    "C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe
      "C:\Users\Admin\AppData\Local\Temp\66c50293737f9b121c162073ef894bff11906e8fad9b3c4d0f77f0e49f586d7e.exe" -h
      2⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4536
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4244

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\db.dat
    Filesize

    557KB

    MD5

    9dd748ec666aca6d3fee60839649fb02

    SHA1

    d09baa2751e2972fca1ded62d40823889ca8d41d

    SHA256

    555ced7986ad075033f84cf3b656143f7ca8194aa5824415d2d668123e59fac6

    SHA512

    1faff5e33104061a8479b4e03979e23c9814d14a19d780b5b6cdd81af5f371fcd6f96c8f08ba3760b7b660dcf9667e7e7e9f13284d119936bed046cc19c5fdb8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\db.dll
    Filesize

    52KB

    MD5

    1b20e998d058e813dfc515867d31124f

    SHA1

    c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

    SHA256

    24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

    SHA512

    79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

    Download Submit
  • \Users\Admin\AppData\Local\Temp\db.dll
    Filesize

    52KB

    MD5

    1b20e998d058e813dfc515867d31124f

    SHA1

    c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

    SHA256

    24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

    SHA512

    79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

    Download Submit
  • memory/60-150-0x0000018FE90D0000-0x0000018FE9142000-memory.dmp
    Filesize

    456KB

    Download
  • memory/60-132-0x0000018FE90D0000-0x0000018FE9142000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1064-208-0x00000267C6360000-0x00000267C63D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1064-167-0x00000267C6360000-0x00000267C63D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1180-206-0x00000204D2D30000-0x00000204D2DA2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1180-160-0x00000204D2D30000-0x00000204D2DA2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1200-214-0x0000011DDDD70000-0x0000011DDDDE2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1200-186-0x0000011DDDD70000-0x0000011DDDDE2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1412-216-0x0000017EFBD60000-0x0000017EFBDD2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1412-193-0x0000017EFBD60000-0x0000017EFBDD2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1452-173-0x000001E0CCB60000-0x000001E0CCBD2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1452-209-0x000001E0CCB60000-0x000001E0CCBD2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1892-211-0x000001620F340000-0x000001620F3B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/1892-180-0x000001620F340000-0x000001620F3B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2376-141-0x0000021C69D30000-0x0000021C69DA2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2376-153-0x0000021C69D30000-0x0000021C69DA2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2384-154-0x000001FBAB7B0000-0x000001FBAB822000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2384-202-0x000001FBAB7B0000-0x000001FBAB822000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2560-147-0x000002528DD80000-0x000002528DDF2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2560-121-0x000002528D990000-0x000002528D9DD000-memory.dmp
    Filesize

    308KB

    Download
  • memory/2560-126-0x000002528D990000-0x000002528D9DD000-memory.dmp
    Filesize

    308KB

    Download
  • memory/2560-124-0x000002528DD80000-0x000002528DDF2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2664-199-0x00000178BB740000-0x00000178BB7B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2664-217-0x00000178BB740000-0x00000178BB7B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2676-210-0x0000016FFDF70000-0x0000016FFDFE2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/2676-225-0x0000016FFDF70000-0x0000016FFDFE2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/4244-144-0x0000000000E40000-0x0000000000F45000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4244-218-0x0000000004400000-0x000000000445E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/4244-146-0x0000000004400000-0x000000000445E000-memory.dmp
    Filesize

    376KB

    Download
  • memory/4636-152-0x0000012695460000-0x00000126954D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/4636-142-0x0000012695460000-0x00000126954D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/4636-133-0x0000012695460000-0x00000126954D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/4636-226-0x0000012695460000-0x00000126954D2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/4636-236-0x0000012696DA0000-0x0000012696DBB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4636-237-0x0000012697C00000-0x0000012697D0B000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4636-238-0x0000012696DC0000-0x0000012696DE0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4636-239-0x0000012696E10000-0x0000012696E2B000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4636-253-0x0000012696DA0000-0x0000012696DBB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4636-254-0x0000012697C00000-0x0000012697D0B000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4636-255-0x0000012696DC0000-0x0000012696DE0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/4636-256-0x0000012696E10000-0x0000012696E2B000-memory.dmp
    Filesize

    108KB

    Download