Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    41s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-03-2023 18:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7177160e81c4ed90b8e6551d1dcb1877f697cbc9faa6b66f85976e2a4179154f.exe

  • Size

    702KB

  • MD5

    ab8f0580cc0d74e0215e7de19515c8a6

  • SHA1

    acbbba95fc6982f63bcc1981d7d33df26a8d439d

  • SHA256

    7177160e81c4ed90b8e6551d1dcb1877f697cbc9faa6b66f85976e2a4179154f

  • SHA512

    dfe6b8194dcd56599dba09be3b5746350dee3572f34a4661c42a4597e5938c4a3d82300b7eacb116c68ec0c974c10abf3ad51aa36bbcf4ce043754aca73fce96

  • SSDEEP

    12288:U4LGLJtHUGH3HV3y9dsrlHMg2i6lqHIAkIdV2:YxHV3g2HmlPM

Score
10/10
ransomware

Malware Config

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ClickToRun\ReadMe.txt

Ransom Note
Attention! All your files, documents, photos, databases and other important files are encrypted The only method of recovering files is to purchase an unique decryptor. Only we can give you this decryptor and only we can recover your files. The server with your decryptor is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in TOR browser: http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?501GYZBDEGH 5. and open ticket ---------------------------------------------------------------------------------------- Alternate communication channel here: https://yip.su/2QstD5
URLs

http://34vm2smykaqtzzzm4bgycfzg5fwyhhksrkpahdbiswmmuwuu7hmvuvqd.onion/?501GYZBDEGH

https://yip.su/2QstD5

Signatures

  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7177160e81c4ed90b8e6551d1dcb1877f697cbc9faa6b66f85976e2a4179154f.exe
    "C:\Users\Admin\AppData\Local\Temp\7177160e81c4ed90b8e6551d1dcb1877f697cbc9faa6b66f85976e2a4179154f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Users\Admin\AppData\Local\Temp\7177160e81c4ed90b8e6551d1dcb1877f697cbc9faa6b66f85976e2a4179154f.exe
      "{path}"
      2⤵
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2156
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
      PID:5888
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
        PID:9540
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:11204
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:21076
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
              PID:21120
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
                PID:36932
              • C:\Windows\system32\werfault.exe
                werfault.exe /hc /shared Global\2d1762768c0d4926bd07329887adc7b4 /t 21156 /p 21120
                1⤵
                  PID:1468
                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                  1⤵
                    PID:5072

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Program Files\Common Files\microsoft shared\ClickToRun\ReadMe.txt
                    Filesize

                    850B

                    MD5

                    7f3438f64524b57c48330a1a53391c9f

                    SHA1

                    3b50696a990efce545152d98cc8ea3f08ea70a4e

                    SHA256

                    2e680bb7b91b37c8612d95be766330bb422bfd490dd2cc093df2365c47cea750

                    SHA512

                    c29874c923a49173b88706b04e40bd23d4def7f91e1dfd11dce54ff955f629f7e76a33225eb774510d7c853a30e8fe3c82ce4d32e8fc3f16d9c6a22fc9a150d8

                    Download Submit

                  • C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml
                    Filesize

                    3.3MB

                    MD5

                    073ab92bcf0efa9798965c7c0faed41b

                    SHA1

                    ac17e266e9a1870fa3fa4d98a2434109f327cec9

                    SHA256

                    48a5999cf81e81c1c1c495a6a9b10a9ab4176994cc760633e8f6b14d2f8e58c1

                    SHA512

                    5f3d587a79ff9a5cb4e1b47e1870379ddbc9cfb87820bdc591bcd70be7c48e52b9e4b34210ad11564780fa2136a7dc9160fcdf6f4bb28817b41320d48f0da014

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
                    Filesize

                    1KB

                    MD5

                    e9fdfe236ec13581f7ab002a6fc96598

                    SHA1

                    57664871e73e018b7d191a8033a49967d402a54a

                    SHA256

                    10264c4093f59d64102b1f2d8d887834f9bd053fe97bac2d3997ac58f7abaceb

                    SHA512

                    4338121b6aea1622d0db4de40fb55ac613de8040c0f1b61db8cad27d8cff54ae3c38293c3e4cbfdfe54deec90993c1129301c3a4d812d424ee0964a6fbacafc2

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
                    Filesize

                    434B

                    MD5

                    c2e27ef8f01717f2d21984d90919eb5a

                    SHA1

                    c0a73c1cc0597df6aff21ec267a9381f204b2ecb

                    SHA256

                    c664b0be13a2217296481665be55660615ada9eef5f80062d48fe9b9cad697cd

                    SHA512

                    366592ef0a9cb7465a82a05524f49ab702b12388ea3ae07cd69a9792d65199fb0f59e9c37e35dfd26508f4de2d300d45a038eda846df7239199c8285fd6d0abc

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7177160e81c4ed90b8e6551d1dcb1877f697cbc9faa6b66f85976e2a4179154f.exe.log
                    Filesize

                    1KB

                    MD5

                    16d8e25807e9da7f68124aefcc815546

                    SHA1

                    ad3907f6d1ec27fc197ba21df6caa607dc588a59

                    SHA256

                    1693bc4731965496deb1eaa92e6aa7209f87cbb985322f5e0203d8e3d9f2a25f

                    SHA512

                    7033d6be40dd684ae62cf8edcb74ef4dfe4a6ad68768083b259304b631461f2e73acfea686a4295ee22050569d4f61728be12e9fe006fc290cfd3fa5ad04d66c

                    Download Submit

                  • memory/2156-143-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-26946-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-140-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-141-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-244-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-144-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-145-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-27389-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-27388-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-9466-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-726-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-159-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/2156-9467-0x0000000000400000-0x000000000041E000-memory.dmp

                    Filesize

                    120KB

                    Download

                  • memory/4024-134-0x0000000005E90000-0x0000000006434000-memory.dmp

                    Filesize

                    5.6MB

                    Download

                  • memory/4024-133-0x0000000000D60000-0x0000000000E16000-memory.dmp

                    Filesize

                    728KB

                    Download

                  • memory/4024-136-0x0000000005980000-0x0000000005A1C000-memory.dmp

                    Filesize

                    624KB

                    Download

                  • memory/4024-139-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4024-138-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4024-137-0x0000000005860000-0x000000000586A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/4024-135-0x00000000057C0000-0x0000000005852000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/9540-16632-0x0000000004080000-0x0000000004081000-memory.dmp

                    Filesize

                    4KB

                    Download