Overview

overview

9

Static

static

1

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2023 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1416248e000b693192f5664eb083e6bdcf63395dc06d7de8919f7849f3917850.exe

  • Size

    3.4MB

  • MD5

    84c227e60924c9391b72c7dc88777255

  • SHA1

    9e2d04f661332204f7d34e2ceee6b49e37cccac7

  • SHA256

    1416248e000b693192f5664eb083e6bdcf63395dc06d7de8919f7849f3917850

  • SHA512

    c915452a9c9cafe64db00231876e5141c7aab056e08095fd4af6fe0d27ab74650ec5c3c7ab197db1d0f946e0e3035bcecf73ed8cd2072a8cf170351e9ad3cc4e

  • SSDEEP

    49152:w/c+EciXT1SMTEGUlayCd1XlOrUcwFY92eg6zBCYUFQumEeBAoCuYXMYo3js:PcmEZlaPfUwbYIelzBLU3vqCRs

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1416248e000b693192f5664eb083e6bdcf63395dc06d7de8919f7849f3917850.exe
    "C:\Users\Admin\AppData\Local\Temp\1416248e000b693192f5664eb083e6bdcf63395dc06d7de8919f7849f3917850.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3612
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsUSOPrivate-type0.2.5.7" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4816
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsUSOPrivate-type0.2.5.7" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3956
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsUSOPrivate-type0.2.5.7" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:5064
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "DocumentsUSOPrivate-type0.2.5.7\DocumentsUSOPrivate-type0.2.5.7" /TR "C:\ProgramData\DocumentsUSOPrivate-type0.2.5.7\DocumentsUSOPrivate-type0.2.5.7.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:2208
      • C:\ProgramData\DocumentsUSOPrivate-type0.2.5.7\DocumentsUSOPrivate-type0.2.5.7.exe
        "C:\ProgramData\DocumentsUSOPrivate-type0.2.5.7\DocumentsUSOPrivate-type0.2.5.7.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:2064
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 352
      2⤵
      • Program crash
      PID:4260
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 748 -ip 748
    1⤵
      PID:4380
    • C:\ProgramData\DocumentsUSOPrivate-type0.2.5.7\DocumentsUSOPrivate-type0.2.5.7.exe
      C:\ProgramData\DocumentsUSOPrivate-type0.2.5.7\DocumentsUSOPrivate-type0.2.5.7.exe
      1⤵
        PID:1112

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\DocumentsUSOPrivate-type0.2.5.7\DocumentsUSOPrivate-type0.2.5.7.exe
        Filesize

        653.9MB

        MD5

        d029b859c85025bcdfcf4c1fcc28086f

        SHA1

        25b745fc95e0ade1f1499024f0e2924d081b95d4

        SHA256

        48adac7433627d1d12308418c1501fe858e058120181b5901c822f6bd336b1e7

        SHA512

        5458686c71678ac904a89f174a487f293eba4cff61879d15ffc72958a76db2d327b16d81b62a50768216c8f4049f1e90e806d33ca46ae94fecdf15b58c5e516a

        Download Submit

      • C:\ProgramData\DocumentsUSOPrivate-type0.2.5.7\DocumentsUSOPrivate-type0.2.5.7.exe
        Filesize

        713.0MB

        MD5

        58e7c403f224f02ec204cfbe5b326ea2

        SHA1

        4c6edebc27b49642439815c2dd83861d8d827bdd

        SHA256

        661d117c242a0766a563ce17caa260e07f529c986e584a8a00e5ed6f80b5d2fc

        SHA512

        d3e74cad99e3388de223d1679314a8f24a121ada1cd4f99d26bbe44ee7a88deb41df41678eeb6b8267993b2d4889b706ce5cb12bba69dd7e3a5c3e49dd4010e4

        Download Submit

      • C:\ProgramData\DocumentsUSOPrivate-type0.2.5.7\DocumentsUSOPrivate-type0.2.5.7.exe
        Filesize

        650.9MB

        MD5

        bdc44a7166ad528c819720f8f4518960

        SHA1

        fb090f9129e62520a54365fc05234e6e8c3590e9

        SHA256

        1984574f6c15b60ab5711ea4fb33148d3c5eb77e57aee07fa58469e31446bfb7

        SHA512

        417320e1fd877b34d9f0d4fca1a16cf7c9440cfba06fd80395aec506b2d428055b6fab57ab0d0a7417a9831cf9bae5882e5801e06393631b037325b2701366fc

        Download Submit

      • memory/2064-155-0x00007FF721510000-0x00007FF721A2F000-memory.dmp

        Filesize

        5.1MB

        Download

      • memory/2064-154-0x00007FF721510000-0x00007FF721A2F000-memory.dmp

        Filesize

        5.1MB

        Download

      • memory/2064-156-0x00007FF721510000-0x00007FF721A2F000-memory.dmp

        Filesize

        5.1MB

        Download

      • memory/2064-157-0x00007FF721510000-0x00007FF721A2F000-memory.dmp

        Filesize

        5.1MB

        Download

      • memory/2064-158-0x00007FF721510000-0x00007FF721A2F000-memory.dmp

        Filesize

        5.1MB

        Download

      • memory/3612-141-0x00000000051F0000-0x00000000051FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3612-142-0x00000000054C0000-0x00000000054D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3612-143-0x00000000054C0000-0x00000000054D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3612-144-0x00000000054C0000-0x00000000054D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3612-140-0x00000000054C0000-0x00000000054D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3612-139-0x0000000005250000-0x00000000052E2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3612-138-0x0000000005800000-0x0000000005DA4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3612-133-0x0000000000400000-0x000000000075C000-memory.dmp

        Filesize

        3.4MB

        Download