Overview

overview

9

Static

static

1

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    146s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-03-2023 23:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a3be46b36f7dc57b878b4cc2e2a293a33f1f35ebc331e7e865de598ab9c5d7e.exe

  • Size

    3.4MB

  • MD5

    3681f3c785e7073fa692dcf16a1f993c

  • SHA1

    bb128e0a650488a940bcb40c164b03b4ceebc74a

  • SHA256

    9a3be46b36f7dc57b878b4cc2e2a293a33f1f35ebc331e7e865de598ab9c5d7e

  • SHA512

    52ed42c9dc8837c68d4319948065e6ad1a3dce1611aac7d88eb4652cc776101cf06e60ecf8b5e11ce68c79dcb3eba9fdd4fda0f4266f49be058a7ee2ae169900

  • SSDEEP

    98304:ana5Gkonx+t5bHJmSwD2jCgQIr/84IVuTPYFw:Ea5InxsjmTK+gQIjCw3

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a3be46b36f7dc57b878b4cc2e2a293a33f1f35ebc331e7e865de598ab9c5d7e.exe
    "C:\Users\Admin\AppData\Local\Temp\9a3be46b36f7dc57b878b4cc2e2a293a33f1f35ebc331e7e865de598ab9c5d7e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3804
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\Oraclessh-type4.6.0.2" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4752
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\Oraclessh-type4.6.0.2" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2188
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\Oraclessh-type4.6.0.2" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:924
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "Oraclessh-type4.6.0.2\Oraclessh-type4.6.0.2" /TR "C:\ProgramData\Oraclessh-type4.6.0.2\Oraclessh-type4.6.0.2.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4764
      • C:\ProgramData\Oraclessh-type4.6.0.2\Oraclessh-type4.6.0.2.exe
        "C:\ProgramData\Oraclessh-type4.6.0.2\Oraclessh-type4.6.0.2.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:3148
  • C:\ProgramData\Oraclessh-type4.6.0.2\Oraclessh-type4.6.0.2.exe
    C:\ProgramData\Oraclessh-type4.6.0.2\Oraclessh-type4.6.0.2.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:3712

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oraclessh-type4.6.0.2\Oraclessh-type4.6.0.2.exe
    Filesize

    788.7MB

    MD5

    3c6de774922e880a30b0dff5719557ac

    SHA1

    1393d079af8babc6ea75453936459b9808bbaf64

    SHA256

    45b4e26dbba84465aba25763591b90f85266c510ec9e28c6e3015219adc002e0

    SHA512

    3c4949725a0c7ff01e7b7d7d09b7bc5fbfd52a102a9eba58fe8e2d6f356b5d74bcf354837b5d72c9b1f1e9702a5ccd0f3724e5e3a07a2cccce7ba7538fec40dd

    Download Submit

  • C:\ProgramData\Oraclessh-type4.6.0.2\Oraclessh-type4.6.0.2.exe
    Filesize

    788.7MB

    MD5

    3c6de774922e880a30b0dff5719557ac

    SHA1

    1393d079af8babc6ea75453936459b9808bbaf64

    SHA256

    45b4e26dbba84465aba25763591b90f85266c510ec9e28c6e3015219adc002e0

    SHA512

    3c4949725a0c7ff01e7b7d7d09b7bc5fbfd52a102a9eba58fe8e2d6f356b5d74bcf354837b5d72c9b1f1e9702a5ccd0f3724e5e3a07a2cccce7ba7538fec40dd

    Download Submit

  • C:\ProgramData\Oraclessh-type4.6.0.2\Oraclessh-type4.6.0.2.exe
    Filesize

    210.8MB

    MD5

    8fb07ca1fcf02f16cfb95fb0fc920dfe

    SHA1

    69335a16522d8a93cdf3c5a4046be666f3c749c1

    SHA256

    ce6fa7aef5ce6bab1f41274ebde81656786264358dc92f465399e0e93c7b1908

    SHA512

    526fac639adca9ebd253ffb173eb193d9b2b18db2acb35d908558254589bc7b0f530e820865fbe61ea032075046e52ef9e2caab9529f0c81f200d3a1b149010c

    Download Submit

  • memory/3148-152-0x00007FF612D70000-0x00007FF61328F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3148-149-0x00007FF612D70000-0x00007FF61328F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3148-151-0x00007FF612D70000-0x00007FF61328F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3712-156-0x00007FF612D70000-0x00007FF61328F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3712-155-0x00007FF612D70000-0x00007FF61328F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3712-154-0x00007FF612D70000-0x00007FF61328F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3804-144-0x00000000058A0000-0x00000000058B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3804-139-0x00000000056D0000-0x0000000005762000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3804-140-0x00000000057A0000-0x00000000057AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3804-133-0x0000000000DB0000-0x000000000110C000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3804-138-0x0000000005D70000-0x0000000006314000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3804-141-0x00000000058A0000-0x00000000058B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3804-143-0x00000000058A0000-0x00000000058B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3804-142-0x00000000058A0000-0x00000000058B0000-memory.dmp

    Filesize

    64KB

    Download