Analysis

  • max time kernel
    141s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-03-2023 22:13

General

  • Target

    39d855232ce6e5a3afd70633b77ee7ff237fd719c787dc3e2e69f3f3fec48695.exe

  • Size

    3.4MB

  • MD5

    87cc771bc737365a5940738259947239

  • SHA1

    1bde835becb4eeef7557247de5ce4bf8b4d9c095

  • SHA256

    39d855232ce6e5a3afd70633b77ee7ff237fd719c787dc3e2e69f3f3fec48695

  • SHA512

    c99ec59916a23a5e5e076bcb661f4168a0bbc4fa8a21c2ed1e5a272d450bfa73c5aec4bbc9a178ccd4e2b126f53f7342a90b58b26f4fb51339444aadddd920d3

  • SSDEEP

    49152:5vNJEciXT1SMTEGUlayCd1XlOrUcwFY92eg6zBCYUFQumEeBAoCuYXMYo3js:ucmEZlaPfUwbYIelzBLU3vqCRs

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39d855232ce6e5a3afd70633b77ee7ff237fd719c787dc3e2e69f3f3fec48695.exe
    "C:\Users\Admin\AppData\Local\Temp\39d855232ce6e5a3afd70633b77ee7ff237fd719c787dc3e2e69f3f3fec48695.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\sshUSOPrivate-type0.0.2.5" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3664
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\sshUSOPrivate-type0.0.2.5" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4720
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\sshUSOPrivate-type0.0.2.5" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3264
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "sshUSOPrivate-type0.0.2.5\sshUSOPrivate-type0.0.2.5" /TR "C:\ProgramData\sshUSOPrivate-type0.0.2.5\sshUSOPrivate-type0.0.2.5.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4128
      • C:\ProgramData\sshUSOPrivate-type0.0.2.5\sshUSOPrivate-type0.0.2.5.exe
        "C:\ProgramData\sshUSOPrivate-type0.0.2.5\sshUSOPrivate-type0.0.2.5.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:4636
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 136
      2⤵
      • Program crash
      PID:3320
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1932 -ip 1932
    1⤵
    PID:4152
    • C:\ProgramData\sshUSOPrivate-type0.0.2.5\sshUSOPrivate-type0.0.2.5.exe
      C:\ProgramData\sshUSOPrivate-type0.0.2.5\sshUSOPrivate-type0.0.2.5.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:4456

Network

MITRE ATT&CK Enterprise v6


Downloads

    • C:\ProgramData\sshUSOPrivate-type0.0.2.5\sshUSOPrivate-type0.0.2.5.exe

      Filesize

      560.0MB

      MD5

      452d06d99722fbb659326b62b27faeba

      SHA1

      f8742011dd940bf177fb4c226161fc0294f17900

      SHA256

      b3b8883a22d1de5368fe10c5d9db7a9929def0c4de3b3c024391f7ace8c3a2e0

      SHA512

      2f7e2b8ffb59c902cb151a4a91e536cf187e66ebd7ef9f02783eebc29896aa0aa78bcdc5051a1da05870802875b2221688a2367d02830f4c3b134f512c9f7b18

    • C:\ProgramData\sshUSOPrivate-type0.0.2.5\sshUSOPrivate-type0.0.2.5.exe

      Filesize

      559.2MB

      MD5

      9acd3949e2bc5de2bf9f69be73c64597

      SHA1

      227471279e73a784204797016e3573680fc16e38

      SHA256

      3bab9adbf194263db05d8a57fce213dd05d744aae5de6b9beeea3bd93b0ded38

      SHA512

      62d7ab6675b79d60ae443fbdc87d1a2e9d495cdce6496b25be5cd3a2a4d8b50a495a6d173e79b0b79e8e09a2fd12bf1ac562da8dbcf91ab8356e219a011560a0

    • C:\ProgramData\sshUSOPrivate-type0.0.2.5\sshUSOPrivate-type0.0.2.5.exe

      Filesize

      507.2MB

      MD5

      f7457f0b88a1eaefac8af67a4870e0f0

      SHA1

      9dcb8e0b3843bad9aaea9b125b37a1371a935087

      SHA256

      c2cd94c0da121cf3c2bc7da3e24b445cb25e972e61492e63a19d97766c818453

      SHA512

      7366a430f3234ff0561d99802894bad3791d926b2ea5b4589a98eeca8732e15c3144e3864a419201930afc103aae0198f5fada664709379e2aafc43f58343a4a

    • C:\ProgramData\sshUSOPrivate-type0.0.2.5\sshUSOPrivate-type0.0.2.5.exe

      Filesize

      277.2MB

      MD5

      f9c0ff5a36dd5df2d74490435a1c71df

      SHA1

      4061f06eb02299b686fb55245587eb23d29a0f49

      SHA256

      e6b96ad163f0ba2297f0e4b7994bca906b82befe8e248c67120e1aed9f7376fe

      SHA512

      f7f18f396c67d64723edb78bd41dac4ad883a630cbd12dd22916ea1f66ade53431fd9c781805bf17e55b02e425da1c0a21c77b633035fa938cbd8f0593ece487

    • memory/1192-141-0x00000000059B0000-0x00000000059C0000-memory.dmp

      Filesize

      64KB

    • memory/1192-138-0x0000000005D40000-0x00000000062E4000-memory.dmp

      Filesize

      5.6MB

    • memory/1192-143-0x00000000059B0000-0x00000000059C0000-memory.dmp

      Filesize

      64KB

    • memory/1192-144-0x00000000059B0000-0x00000000059C0000-memory.dmp

      Filesize

      64KB

    • memory/1192-133-0x0000000000400000-0x000000000075C000-memory.dmp

      Filesize

      3.4MB

    • memory/1192-140-0x00000000031D0000-0x00000000031DA000-memory.dmp

      Filesize

      40KB

    • memory/1192-139-0x0000000005790000-0x0000000005822000-memory.dmp

      Filesize

      584KB

    • memory/1192-142-0x00000000059B0000-0x00000000059C0000-memory.dmp

      Filesize

      64KB

    • memory/4456-161-0x00007FF736650000-0x00007FF736B6F000-memory.dmp

      Filesize

      5.1MB

    • memory/4456-160-0x00007FF736650000-0x00007FF736B6F000-memory.dmp

      Filesize

      5.1MB

    • memory/4456-159-0x00007FF736650000-0x00007FF736B6F000-memory.dmp

      Filesize

      5.1MB

    • memory/4636-154-0x00007FF736650000-0x00007FF736B6F000-memory.dmp

      Filesize

      5.1MB

    • memory/4636-157-0x00007FF736650000-0x00007FF736B6F000-memory.dmp

      Filesize

      5.1MB

    • memory/4636-156-0x00007FF736650000-0x00007FF736B6F000-memory.dmp

      Filesize

      5.1MB

    • memory/4636-155-0x00007FF736650000-0x00007FF736B6F000-memory.dmp

      Filesize

      5.1MB