Overview

overview

9

Static

static

1

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    145s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-03-2023 18:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d62392ceee673d7627d338aef4b07a51bf975641b38e3aec5f06eb4b824df2cb.exe

  • Size

    3.4MB

  • MD5

    c20fb723bdd082115e7c23b333a55ba8

  • SHA1

    775c58af059bfd8e0c9d5cfc167b9ab65ae3d2c0

  • SHA256

    d62392ceee673d7627d338aef4b07a51bf975641b38e3aec5f06eb4b824df2cb

  • SHA512

    bd8d2bbb629cad2154ce42a64651615469c0569ea2d80e9294d99dd238f79022ba36e06b54a887cbd574cb62730dd7d68ca41a2d1ace5fdae73fb9b998ad6507

  • SSDEEP

    98304:5na5Gkonx+t5bHJmSwD2jCgQIr/84IVuTPYy:5a5InxsjmTK+gQIjCwP

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d62392ceee673d7627d338aef4b07a51bf975641b38e3aec5f06eb4b824df2cb.exe
    "C:\Users\Admin\AppData\Local\Temp\d62392ceee673d7627d338aef4b07a51bf975641b38e3aec5f06eb4b824df2cb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3728
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftPackages-type5.1.9.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1504
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftPackages-type5.1.9.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4120
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftPackages-type5.1.9.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1740
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftPackages-type5.1.9.0\MicrosoftPackages-type5.1.9.0" /TR "C:\ProgramData\MicrosoftPackages-type5.1.9.0\MicrosoftPackages-type5.1.9.0.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:1324
      • C:\ProgramData\MicrosoftPackages-type5.1.9.0\MicrosoftPackages-type5.1.9.0.exe
        "C:\ProgramData\MicrosoftPackages-type5.1.9.0\MicrosoftPackages-type5.1.9.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:1652
  • C:\ProgramData\MicrosoftPackages-type5.1.9.0\MicrosoftPackages-type5.1.9.0.exe
    C:\ProgramData\MicrosoftPackages-type5.1.9.0\MicrosoftPackages-type5.1.9.0.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:1500

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\MicrosoftPackages-type5.1.9.0\MicrosoftPackages-type5.1.9.0.exe
    Filesize

    604.8MB

    MD5

    dfd819bc9ef509d8361e673a8d7e98b4

    SHA1

    7cf78ccc1491268eb1fd46c216a42c023caa2cfb

    SHA256

    c4233572c5441b14002b7dbf91d4836df637d679fa4f4eeb4c55e89e003aef11

    SHA512

    032eb8ae02dbf16e9dc9b75034a96530a704274f1f9a6f10a1166170990867a513d1e1c3abd6093f9d30e557ced59a2bc6842462c62a62ae485139806f6f6d54

    Download Submit

  • C:\ProgramData\MicrosoftPackages-type5.1.9.0\MicrosoftPackages-type5.1.9.0.exe
    Filesize

    655.6MB

    MD5

    60501c3dcf7a13e44a452aa69bc9e2f2

    SHA1

    d9b5591ed04d15eae2045db1475d7c606e01011b

    SHA256

    0510c4cb097c48e6c81f5b18130bda5142ff1dedf9f7b435b31ad5b9ed1d105f

    SHA512

    24e07451d3db997c9628d003c3bc4b41a949e0d5dcf262ca9870fbb9a64943755fb781377a93b7c0f037da7034a5517ffaa03b15a1f834317bffa0a4c6d98846

    Download Submit

  • C:\ProgramData\MicrosoftPackages-type5.1.9.0\MicrosoftPackages-type5.1.9.0.exe
    Filesize

    612.2MB

    MD5

    7837dec42eb6ed1e3994eb56b4eb1e68

    SHA1

    15c8c181fa1e0070e6790b9a3c617a93b9118fd2

    SHA256

    36cd40b1c32484ba47b77105d3cd1c9f6ecc2a1a6853d5aa9fd96af654070e3b

    SHA512

    538bbd89e3a72bde1ec0ae6e623dfd7b62598d14b281923ee87a30d8026008fcafa4d0977e917b4bb7b5a5838172102cf27fb310af056eb47deba2a5f3d82de6

    Download Submit

  • C:\ProgramData\MicrosoftPackages-type5.1.9.0\MicrosoftPackages-type5.1.9.0.exe
    Filesize

    252.1MB

    MD5

    2f3460f84def921fdf9d7f7dabc490af

    SHA1

    65503dabf0c104457089023eddad5830c8df135a

    SHA256

    b26dd0007c357070e3fce7946fafbbbc4d6f5848633a2d1f14f64bdeae08b27e

    SHA512

    f58986baae86f2f08d227830ffe09d014a581766c9e29119fd83feaed1076b6ae7aab416b36452d65b8ad348e76604a5a06ef2f6d636b7c5b8c2dbbe353d804c

    Download Submit

  • memory/1500-158-0x00007FF619890000-0x00007FF619DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1500-162-0x00007FF619890000-0x00007FF619DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1500-160-0x00007FF619890000-0x00007FF619DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1500-159-0x00007FF619890000-0x00007FF619DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1652-154-0x00007FF619890000-0x00007FF619DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1652-152-0x00007FF619890000-0x00007FF619DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1652-155-0x00007FF619890000-0x00007FF619DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1652-156-0x00007FF619890000-0x00007FF619DAF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3728-139-0x00000000051F0000-0x0000000005282000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3728-138-0x0000000005850000-0x0000000005DF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3728-141-0x00000000053F0000-0x0000000005400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3728-133-0x0000000000400000-0x000000000075C000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3728-140-0x00000000051A0000-0x00000000051AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3728-144-0x00000000053F0000-0x0000000005400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3728-143-0x00000000053F0000-0x0000000005400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3728-142-0x00000000053F0000-0x0000000005400000-memory.dmp

    Filesize

    64KB

    Download