Overview

overview

9

Static

static

1

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/03/2023, 13:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0c20ded1d665938de180c8519a90254949af29f346cc763195ca9c41abadafa.exe

  • Size

    3.4MB

  • MD5

    3f062c179088905caa034b2b7581d160

  • SHA1

    da04dc55bae78506d62e61db03198b4c5e613ded

  • SHA256

    f0c20ded1d665938de180c8519a90254949af29f346cc763195ca9c41abadafa

  • SHA512

    e907627eab4121d040cfc40afedaf9239582f6ec5d1909ac84e3d39dfb11de720762ea5b7131677230b5695c08b6a1cb7c6d7ab43c479b8db8560613559b68e9

  • SSDEEP

    98304:+nB/hPovhl+YHt0DJSZtAzc/K9gMus7RfRwUIq8DuznQ6:ozQm6EJzxl7RJwk8DuznQ6

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0c20ded1d665938de180c8519a90254949af29f346cc763195ca9c41abadafa.exe
    "C:\Users\Admin\AppData\Local\Temp\f0c20ded1d665938de180c8519a90254949af29f346cc763195ca9c41abadafa.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1112
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2996
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedssh-type8.6.4.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2064
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedssh-type8.6.4.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1620
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedssh-type8.6.4.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:848
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "USOSharedssh-type8.6.4.0\USOSharedssh-type8.6.4.0" /TR "C:\ProgramData\USOSharedssh-type8.6.4.0\USOSharedssh-type8.6.4.0.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:3920
      • C:\ProgramData\USOSharedssh-type8.6.4.0\USOSharedssh-type8.6.4.0.exe
        "C:\ProgramData\USOSharedssh-type8.6.4.0\USOSharedssh-type8.6.4.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:4024
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 296
      2⤵
      • Program crash
      PID:2572
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1112 -ip 1112
    1⤵
      PID:1912
    • C:\ProgramData\USOSharedssh-type8.6.4.0\USOSharedssh-type8.6.4.0.exe
      C:\ProgramData\USOSharedssh-type8.6.4.0\USOSharedssh-type8.6.4.0.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:4464

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\USOSharedssh-type8.6.4.0\USOSharedssh-type8.6.4.0.exe
      Filesize

      804.1MB

      MD5

      3abd70f7d803665cfc5bef15d73cc400

      SHA1

      07c4b97fa5d3747740c2b8c0438287d22c49fd38

      SHA256

      78e8888c5fc6e23a1317eec3222292c481ac7de774d6e0297a48ceaf22af7124

      SHA512

      1637137cc144c72f50cb276a44843b45ae52f0e0bf10303d368a1fee7260c0fdc5aee8a307a66f9835da5827a5ee976b9661e05235912bcbbdd35b6240e8399a

      Download Submit

    • C:\ProgramData\USOSharedssh-type8.6.4.0\USOSharedssh-type8.6.4.0.exe
      Filesize

      805.2MB

      MD5

      5c6c2bb14b0c651448a38675f6637b98

      SHA1

      1c7904881b59633ba8c56782cbd44fc0a9d45636

      SHA256

      c8c5b45c1758d7f930f74e0c5c2c16136d9997054777126aea49c3fafd899d25

      SHA512

      c353ef0c6291b437ee75c0be4aa0ed3b453bef50019528b8e22e7aff52aedd7bc31f112310d2f59dc1ec4480f1a5161629c4be21324c160610fc5fc234404e60

      Download Submit

    • C:\ProgramData\USOSharedssh-type8.6.4.0\USOSharedssh-type8.6.4.0.exe
      Filesize

      141.7MB

      MD5

      105325a86ec6c46a2f9e33920b2c9a53

      SHA1

      1193ce0bf7fdae8e74734dc695566d47ed95ce90

      SHA256

      c5623db016eecfccaaaf9f3fc5c5ea50b8b6c6e97bd0662d719ece2179a69457

      SHA512

      f90889af16d75388de81ad9e8e1d689c37fdc5eaf8f0c7be41db936296e39bac73ac87f424c9dac2e79b6eca8c0dea7d0437187e5c7f8fc0c15bdce05712f94f

      Download Submit

    • memory/2996-141-0x0000000005550000-0x0000000005560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2996-138-0x0000000005B90000-0x0000000006134000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2996-142-0x0000000005550000-0x0000000005560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2996-143-0x0000000005550000-0x0000000005560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2996-144-0x0000000005550000-0x0000000005560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2996-140-0x0000000005770000-0x000000000577A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2996-139-0x00000000055E0000-0x0000000005672000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2996-133-0x0000000000400000-0x000000000075C000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/4024-153-0x00007FF7CFE40000-0x00007FF7D035F000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4024-154-0x00007FF7CFE40000-0x00007FF7D035F000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4024-155-0x00007FF7CFE40000-0x00007FF7D035F000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4024-152-0x00007FF7CFE40000-0x00007FF7D035F000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4464-157-0x00007FF7CFE40000-0x00007FF7D035F000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4464-159-0x00007FF7CFE40000-0x00007FF7D035F000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4464-160-0x00007FF7CFE40000-0x00007FF7D035F000-memory.dmp

      Filesize

      5.1MB

      Download