Overview

overview

7

Static

static

1

dridex

windows10-2004-x64

7

Analysis

  • max time kernel
    134s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-03-2023 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f67397efbe737544ecc40af40d938c6635277220d48836ce0617b2dc9bba2960.exe

  • Size

    4.6MB

  • MD5

    3b03fce4671df646496d75488d16eaf8

  • SHA1

    13b8b37d36c5c3114718e20f96daef0d3575c5fa

  • SHA256

    f67397efbe737544ecc40af40d938c6635277220d48836ce0617b2dc9bba2960

  • SHA512

    8e279ba83f9547cc083fb965a9027428c6a977a34449cccd6f7971b6b95cbffe729ba1ba6fad681a6f5eb70324826746fc82edbe5ec37d7f7317a121d83e5b5b

  • SSDEEP

    98304:eFRP61hlce+gu3O+UHKZc+sRZvojwn6MTSrb:eFRPQzceZHOc3RxAwZG/

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f67397efbe737544ecc40af40d938c6635277220d48836ce0617b2dc9bba2960.exe
    "C:\Users\Admin\AppData\Local\Temp\f67397efbe737544ecc40af40d938c6635277220d48836ce0617b2dc9bba2960.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivateUSOShared-type6.3.1.4" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4120
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivateUSOShared-type6.3.1.4" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4684
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivateUSOShared-type6.3.1.4" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:984
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "USOPrivateUSOShared-type6.3.1.4\USOPrivateUSOShared-type6.3.1.4" /TR "C:\ProgramData\USOPrivateUSOShared-type6.3.1.4\USOPrivateUSOShared-type6.3.1.4.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4032
      • C:\ProgramData\USOPrivateUSOShared-type6.3.1.4\USOPrivateUSOShared-type6.3.1.4.exe
        "C:\ProgramData\USOPrivateUSOShared-type6.3.1.4\USOPrivateUSOShared-type6.3.1.4.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Executes dropped EXE
        PID:1652
  • C:\ProgramData\USOPrivateUSOShared-type6.3.1.4\USOPrivateUSOShared-type6.3.1.4.exe
    C:\ProgramData\USOPrivateUSOShared-type6.3.1.4\USOPrivateUSOShared-type6.3.1.4.exe
    1⤵
    • Executes dropped EXE
    PID:5020

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\USOPrivateUSOShared-type6.3.1.4\USOPrivateUSOShared-type6.3.1.4.exe
    Filesize

    716.9MB

    MD5

    bbff028a2e2ad1967116b2785faf9798

    SHA1

    678e6e5b2a80870622266e6d980958c1a53f8502

    SHA256

    8587992c820a4ec0295ca3b8e4fd64b43818df0ce3175d6f925d451a71be829a

    SHA512

    52afb69c982e925f0eccd255db9298684db4354c6ec26fa3b946e2758ea3a30387be6e37eb17f6ec23920750615e13c1af6f3c87b8f1cc9ad9e51e1368394edc

    Download Submit

  • C:\ProgramData\USOPrivateUSOShared-type6.3.1.4\USOPrivateUSOShared-type6.3.1.4.exe
    Filesize

    716.9MB

    MD5

    bbff028a2e2ad1967116b2785faf9798

    SHA1

    678e6e5b2a80870622266e6d980958c1a53f8502

    SHA256

    8587992c820a4ec0295ca3b8e4fd64b43818df0ce3175d6f925d451a71be829a

    SHA512

    52afb69c982e925f0eccd255db9298684db4354c6ec26fa3b946e2758ea3a30387be6e37eb17f6ec23920750615e13c1af6f3c87b8f1cc9ad9e51e1368394edc

    Download Submit

  • C:\ProgramData\USOPrivateUSOShared-type6.3.1.4\USOPrivateUSOShared-type6.3.1.4.exe
    Filesize

    614.0MB

    MD5

    efe1610979a190e862e3b41addda6a5d

    SHA1

    7cf15821ab545c0a453ae4d7dec9cf87de0e44e3

    SHA256

    72885d3bca36288586c427f0d2ba4ce2a576cfbaa98b0be88d28596fa328e67e

    SHA512

    3676e8bc717b759fb1649cdf9503e04cb776dd1080c1fc475895b21835c3d9284cfa37061698cf4c3cbd4e307b08b3e896223d836d2cac2ba9f89529965bfcc9

    Download Submit

  • memory/1116-134-0x0000000000400000-0x000000000088C000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1116-139-0x0000000005B30000-0x00000000060D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1116-140-0x0000000005660000-0x00000000056F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1116-141-0x00000000057B0000-0x00000000057C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1116-142-0x0000000005710000-0x000000000571A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1116-143-0x00000000057B0000-0x00000000057C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1116-144-0x00000000057B0000-0x00000000057C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1116-145-0x00000000057B0000-0x00000000057C0000-memory.dmp

    Filesize

    64KB

    Download