Overview

overview

9

Static

static

1

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-03-2023 02:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    40e88b99a6b03c16111987fa7aaf98cbb564055f2d822aa213b497ec70232c18.exe

  • Size

    3.4MB

  • MD5

    a4156d3baec30f5866d6a2403b9341d5

  • SHA1

    62820b126f3c67487904729897e17ef7bd4e3417

  • SHA256

    40e88b99a6b03c16111987fa7aaf98cbb564055f2d822aa213b497ec70232c18

  • SHA512

    3a4e5cac114ed6d9a9fa10ccc1165322e7bfebae19794da69f65f1b9479ef7d74e4bffb2ad1e1aa173a7fc8a04b97a2f1cf465f73d6e3593dcf3c3d9c2cd3ac8

  • SSDEEP

    98304:lmwMi6hqm+mXHkTiGDsAsQJEwky5CXjcM0Jhv8jYhz:lmRhfv3DG4+vsXjcM0zv8jS

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\40e88b99a6b03c16111987fa7aaf98cbb564055f2d822aa213b497ec70232c18.exe
    "C:\Users\Admin\AppData\Local\Temp\40e88b99a6b03c16111987fa7aaf98cbb564055f2d822aa213b497ec70232c18.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:60
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1752
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4396
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4748
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0" /TR "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:2552
      • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0.exe
        "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:1892
  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0.exe
    C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:3436

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0.exe
    Filesize

    677.8MB

    MD5

    9bb9bc01b5b7adcdc53232e48ad388c6

    SHA1

    7586666c7136940365ac235c5d34d4c0b1a31e03

    SHA256

    d63dbcf2d631f58391a790249a86e04fee30f3d94eb8a373df0c4d6cf88e2010

    SHA512

    11fa6bfc048a2012d754ba0b570547d40773bbd04356649d55ee38b2b3b5dcb7e96980a81bfed286680de06013bcb1d3b8586cd17ade6e8913b70853c2d25374

    Download Submit

  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0.exe
    Filesize

    674.9MB

    MD5

    3d19075bbcbe687b76f1c16fb8435d58

    SHA1

    477a788dda699e879ffc2fe4627330bfeff11eb8

    SHA256

    d38a07d92422a1039dfcf9b625c13ee43f399145aca2540d162c2cd1955e66a6

    SHA512

    58aff754ef6039e47db5f37302653005e678f4252b9922700176f62e9794434ccb360de34c123af977c9f1d310da8f55ae2bace13f19c901f93c5a7ac5fab33c

    Download Submit

  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0.exe
    Filesize

    661.8MB

    MD5

    a7eb1f751e475c4b1d6b1327ebdd259c

    SHA1

    e109d65fc7f9e4bb098fd7c6706170196758a585

    SHA256

    d709363a1b222afa64011c5f551cd013e8bf1a270b1baa7c6e52e879c798a221

    SHA512

    8053bc2704762cae154e0859e09dd9f516120def9a218a77b1aa38beba9a83a1c0b75ee6056b0fb657967bf6e5a48fa0355624c03480ee952d17424dc7e7f434

    Download Submit

  • C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type1.0.8.0.exe
    Filesize

    19.2MB

    MD5

    636d37abe357e406b8a999b50edca68d

    SHA1

    47f58146eabfab0cffd2d76c3ac373d2c86954c1

    SHA256

    90784f71e827597be5f63cccdc0a63db0a728aef6c1dc542a9620489087ee2ab

    SHA512

    6faa3d940303d7344af9ca933939ad1ded581f208d28fd90f46274495fa5125082d92be67dfa822b0fd12d3a4482f825927135af0247a3c469733c243865cb6e

    Download Submit

  • memory/60-142-0x0000000005380000-0x0000000005390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-139-0x0000000005730000-0x0000000005CD4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/60-144-0x0000000005380000-0x0000000005390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-145-0x0000000005380000-0x0000000005390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/60-134-0x0000000000800000-0x0000000000B5C000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/60-141-0x0000000005130000-0x000000000513A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/60-140-0x0000000005180000-0x0000000005212000-memory.dmp

    Filesize

    584KB

    Download

  • memory/60-143-0x0000000005380000-0x0000000005390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1892-154-0x00007FF62D4F0000-0x00007FF62DA0F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1892-156-0x00007FF62D4F0000-0x00007FF62DA0F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1892-157-0x00007FF62D4F0000-0x00007FF62DA0F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1892-155-0x00007FF62D4F0000-0x00007FF62DA0F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3436-159-0x00007FF62D4F0000-0x00007FF62DA0F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3436-160-0x00007FF62D4F0000-0x00007FF62DA0F000-memory.dmp

    Filesize

    5.1MB

    Download