Overview

overview

8

Static

static

1

dridex

windows10-1703-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-03-2023 02:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03f493282e5511772602c3aca8ce29f9475e70e00d7f4c041e7ae58719a7f00c.exe

  • Size

    2.7MB

  • MD5

    a38ac5c9a2cef88d3c68be534d76d2a6

  • SHA1

    baf8a2757b8788e3a8251b35d94a15a884ed226b

  • SHA256

    03f493282e5511772602c3aca8ce29f9475e70e00d7f4c041e7ae58719a7f00c

  • SHA512

    030e60e5680f6d2406bfd8d7b7e7617053b19b7a727b4cdc4292e9b8646a8e296c4134e358bf86e3adbd445439b534ec6559f578ad6fcf4bdc330695c4100a9d

  • SSDEEP

    49152:38Hf8sEzurvvPywc2HaDG5N4J7FAutD7HKYwEWHdI7vFgdH:38/8SKwIDG5N4JWkDmYsHdEtQ

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 18 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 17 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03f493282e5511772602c3aca8ce29f9475e70e00d7f4c041e7ae58719a7f00c.exe
    "C:\Users\Admin\AppData\Local\Temp\03f493282e5511772602c3aca8ce29f9475e70e00d7f4c041e7ae58719a7f00c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Wtoahoepfise.dll,start
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5116
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1136
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4816
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3200
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3924
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:5000
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:748
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1040
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1676
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2172
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4156
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Suspicious use of FindShellTrayWindow
        PID:2740
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4544
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4552
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4476
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4384
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3580
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:912
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 24110
        3⤵
          PID:972
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3644

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
        Filesize

        403KB

        MD5

        b4d3016a1cccde90a62b685149c832f9

        SHA1

        5d6c4ba3474e6544bd24343da564e90bba89f6f7

        SHA256

        df6afa046a72bb55e8984cf9e2870dc62112e4b81d4fef5a94c98e1c4386e373

        SHA512

        abf5e15b40fa03eb9390854199b9feaf0132aac756c5f07d45c81f58c8b4d909833a996a19ccfef7abb905ddb9206591b1eda49a4674bc75a7c5a9c6372590e7

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Wtoahoepfise.dll
        Filesize

        3.2MB

        MD5

        29224ed15526a0f120750624beb96b8c

        SHA1

        410eb9dfdc70a631ffb7c1288be1336d6d454fc4

        SHA256

        4b2743b3351080c4dfed086c5b18ffcb2efd47df7faad1a390fd82afe6c0a486

        SHA512

        b9e790513c0a340c959d72fc8ecab08d61f5913f03792c86868575c4844bf3e2d40cf3481aa5a997c2a587731e6d4780cfaab6a25a38d25faa9434613df299b3

        Download Submit
      • \Users\Admin\AppData\Local\Temp\Wtoahoepfise.dll
        Filesize

        3.2MB

        MD5

        29224ed15526a0f120750624beb96b8c

        SHA1

        410eb9dfdc70a631ffb7c1288be1336d6d454fc4

        SHA256

        4b2743b3351080c4dfed086c5b18ffcb2efd47df7faad1a390fd82afe6c0a486

        SHA512

        b9e790513c0a340c959d72fc8ecab08d61f5913f03792c86868575c4844bf3e2d40cf3481aa5a997c2a587731e6d4780cfaab6a25a38d25faa9434613df299b3

        Download Submit
      • memory/748-310-0x0000022AAD520000-0x0000022AAD7C8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/748-314-0x0000022AAD520000-0x0000022AAD7C8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/912-563-0x000002AB05720000-0x000002AB059C8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/912-559-0x000002AB05720000-0x000002AB059C8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/1040-332-0x0000023FB06E0000-0x0000023FB0988000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/1040-337-0x0000023FB06E0000-0x0000023FB0988000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/1136-199-0x000002024B4B0000-0x000002024B758000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/1136-191-0x000002024CF00000-0x000002024D040000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1136-192-0x000002024CF00000-0x000002024D040000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1136-190-0x00007FFFC1C30000-0x00007FFFC1C31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1136-196-0x000002024B4B0000-0x000002024B758000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/1136-195-0x0000000000170000-0x0000000000406000-memory.dmp
        Filesize

        2.6MB

        Download
      • memory/1136-193-0x000002024B4B0000-0x000002024B758000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/1676-359-0x000002BC1A2C0000-0x000002BC1A568000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/1676-355-0x000002BC1A2C0000-0x000002BC1A568000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/2172-382-0x00000233F4E80000-0x00000233F5128000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/2172-378-0x00000233F4E80000-0x00000233F5128000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/2740-421-0x00000140970F0000-0x0000014097398000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/2740-427-0x00000140970F0000-0x0000014097398000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/3200-246-0x000001F53E030000-0x000001F53E2D8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/3200-242-0x000001F53E030000-0x000001F53E2D8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/3580-536-0x00000135BAEF0000-0x00000135BB198000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/3580-540-0x00000135BAEF0000-0x00000135BB198000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/3924-269-0x000001EBB3700000-0x000001EBB39A8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/3924-265-0x000001EBB3700000-0x000001EBB39A8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4156-400-0x0000014BDC160000-0x0000014BDC408000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4156-405-0x0000014BDC160000-0x0000014BDC408000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4384-513-0x00000177C3170000-0x00000177C3418000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4384-518-0x00000177C3170000-0x00000177C3418000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4476-491-0x000001B898F40000-0x000001B8991E8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4476-495-0x000001B898F40000-0x000001B8991E8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4544-445-0x0000023E3BB80000-0x0000023E3BE28000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4544-450-0x0000023E3BB80000-0x0000023E3BE28000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4552-468-0x000001A05D010000-0x000001A05D2B8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4552-472-0x000001A05D010000-0x000001A05D2B8000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4604-120-0x0000000004FB0000-0x00000000052EF000-memory.dmp
        Filesize

        3.2MB

        Download
      • memory/4604-123-0x0000000004FB0000-0x00000000052EF000-memory.dmp
        Filesize

        3.2MB

        Download
      • memory/4604-122-0x0000000000400000-0x0000000002D60000-memory.dmp
        Filesize

        41.4MB

        Download
      • memory/4816-217-0x0000025CE4520000-0x0000025CE4660000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4816-220-0x0000025CE2AD0000-0x0000025CE2D78000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4816-214-0x00007FFFC1C30000-0x00007FFFC1C31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4816-216-0x0000025CE4520000-0x0000025CE4660000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4816-222-0x0000025CE2AD0000-0x0000025CE2D78000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4816-218-0x0000025CE2AD0000-0x0000025CE2D78000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/4816-219-0x0000025CE2AD0000-0x0000025CE2D78000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/5000-291-0x000001EA127D0000-0x000001EA12A78000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/5000-287-0x000001EA127D0000-0x000001EA12A78000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/5116-204-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-187-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-209-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-224-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-226-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-227-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-228-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-230-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-233-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-232-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5116-234-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-231-0x0000000000400000-0x0000000000749000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/5116-235-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-207-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-205-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-210-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-203-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-215-0x0000000000400000-0x0000000000749000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/5116-211-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-201-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-194-0x0000000000400000-0x0000000000749000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/5116-208-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5116-184-0x0000000004CD0000-0x0000000004CD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5116-186-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-185-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-183-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-182-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-180-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-179-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-177-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-173-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-176-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-175-0x00000000060A0000-0x00000000061E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/5116-174-0x0000000004E20000-0x0000000004E21000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5116-172-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-171-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-162-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-161-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-160-0x0000000006200000-0x0000000006201000-memory.dmp
        Filesize

        4KB

        Download
      • memory/5116-159-0x0000000000400000-0x0000000000749000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/5116-158-0x0000000005470000-0x0000000005FD6000-memory.dmp
        Filesize

        11.4MB

        Download
      • memory/5116-131-0x0000000000400000-0x0000000000749000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/5116-126-0x0000000000760000-0x0000000000761000-memory.dmp
        Filesize

        4KB

        Download