Overview

overview

9

Static

static

7

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-03-2023 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dedeceb8284ebc184f1a02840c36140986defef77be965f8e5fd78b8e47a25a5.exe

  • Size

    6.9MB

  • MD5

    9468ee14458c641df58cc7cee92e7719

  • SHA1

    d2586659aebfbe2d873bba54ba29bd7920c72994

  • SHA256

    dedeceb8284ebc184f1a02840c36140986defef77be965f8e5fd78b8e47a25a5

  • SHA512

    bab5a67ffe9b133f0f84c1082193ada89873463d6aac5f001d303edfb0c58a4cf9207c24e8594ac18a843003d49164ded57413b2acc5640192f651650f7d3ccf

  • SSDEEP

    196608:WDlnTW4qWp/q4O6bTLICybW/RiuDIuUf7EhLTrF6f6:2dTFqWpd7LXJzDHU/6

Score
9/10
agilenetevasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 32 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dedeceb8284ebc184f1a02840c36140986defef77be965f8e5fd78b8e47a25a5.exe
    "C:\Users\Admin\AppData\Local\Temp\dedeceb8284ebc184f1a02840c36140986defef77be965f8e5fd78b8e47a25a5.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ScintillaNET\3.6.3\x86\SciLexer.dll
    Filesize

    943KB

    MD5

    2ff7acfa80647ee46cc3c0e446327108

    SHA1

    c994820d03af722c244b046d1ee0967f1b5bc478

    SHA256

    08f0cbbc5162f236c37166772be2c9b8ffd465d32df17ea9d45626c4ed2c911d

    SHA512

    50a9e20c5851d3a50f69651bc770885672ff4f97de32dfda55bf7488abd39a11e990525ec9152d250072acaad0c12a484155c31083d751668eb01addea5570cd

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\fe18e516-f12f-4073-bf13-52a839118bfb\GunaDotNetRT.dll
    Filesize

    136KB

    MD5

    9af5eb006bb0bab7f226272d82c896c7

    SHA1

    c2a5bb42a5f08f4dc821be374b700652262308f0

    SHA256

    77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

    SHA512

    7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\fe18e516-f12f-4073-bf13-52a839118bfb\GunaDotNetRT.dll
    Filesize

    136KB

    MD5

    9af5eb006bb0bab7f226272d82c896c7

    SHA1

    c2a5bb42a5f08f4dc821be374b700652262308f0

    SHA256

    77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db

    SHA512

    7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

    Download Submit
  • memory/1852-133-0x0000000000C70000-0x00000000018A2000-memory.dmp
    Filesize

    12.2MB

    Download
  • memory/1852-137-0x0000000000C70000-0x00000000018A2000-memory.dmp
    Filesize

    12.2MB

    Download
  • memory/1852-138-0x0000000000C70000-0x00000000018A2000-memory.dmp
    Filesize

    12.2MB

    Download
  • memory/1852-139-0x00000000063C0000-0x0000000006964000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1852-140-0x0000000005C90000-0x0000000005D22000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1852-141-0x0000000005D30000-0x0000000005D3A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1852-143-0x0000000003A80000-0x0000000003A90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1852-154-0x0000000073CC0000-0x0000000073D49000-memory.dmp
    Filesize

    548KB

    Download
  • memory/1852-155-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-156-0x0000000003A80000-0x0000000003A90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1852-158-0x0000000070640000-0x0000000070677000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1852-157-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-160-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-162-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-164-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-166-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-168-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-170-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-172-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-174-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-176-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-178-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-180-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-182-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-184-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-186-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-188-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-190-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-192-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-194-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-196-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-199-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-201-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-203-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-205-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-207-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-209-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-211-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-213-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-215-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-217-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-219-0x0000000000C70000-0x00000000018A2000-memory.dmp
    Filesize

    12.2MB

    Download
  • memory/1852-220-0x000000000A310000-0x000000000A4E8000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/1852-633-0x0000000003A80000-0x0000000003A90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1852-728-0x0000000070640000-0x0000000070677000-memory.dmp
    Filesize

    220KB

    Download
  • memory/1852-726-0x0000000003A80000-0x0000000003A90000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1852-11093-0x0000000001C90000-0x0000000001D2C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1852-11098-0x0000000000C70000-0x00000000018A2000-memory.dmp
    Filesize

    12.2MB

    Download
  • memory/1852-11099-0x0000000070640000-0x0000000070677000-memory.dmp
    Filesize

    220KB

    Download