Overview

overview

9

Static

static

1

dridex

windows10-1703-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    83s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27/03/2023, 01:01

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    29789b76036401899f2207526ca5fb29ae1bcb4b22d8c0da37deba8af67fb836.exe

  • Size

    3.4MB

  • MD5

    f38ac57b6cf644a68b88617241f62dce

  • SHA1

    686b0ad66446af1351ab885d0b8216018536316f

  • SHA256

    29789b76036401899f2207526ca5fb29ae1bcb4b22d8c0da37deba8af67fb836

  • SHA512

    41f71133a2bfb7e808dbe34fd0e47e1c3b2baff71c73f27e3c31f436b05d993ad4956b7613326f8148a4827f47ad2b39c6abae48e63cda08c871530ee36dfc86

  • SSDEEP

    49152:ZvNJEciXT1SMTEGUlayCd1XlOrUcwFY92eg6zBCYUFQumEeBAoCuYXMYo3js:OcmEZlaPfUwbYIelzBLU3vqCRs

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29789b76036401899f2207526ca5fb29ae1bcb4b22d8c0da37deba8af67fb836.exe
    "C:\Users\Admin\AppData\Local\Temp\29789b76036401899f2207526ca5fb29ae1bcb4b22d8c0da37deba8af67fb836.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesWindowsHolographicDevices-type5.3.1.9" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:948
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesWindowsHolographicDevices-type5.3.1.9" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1248
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesWindowsHolographicDevices-type5.3.1.9" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1472
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "TemplatesWindowsHolographicDevices-type5.3.1.9\TemplatesWindowsHolographicDevices-type5.3.1.9" /TR "C:\ProgramData\TemplatesWindowsHolographicDevices-type5.3.1.9\TemplatesWindowsHolographicDevices-type5.3.1.9.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4668
      • C:\ProgramData\TemplatesWindowsHolographicDevices-type5.3.1.9\TemplatesWindowsHolographicDevices-type5.3.1.9.exe
        "C:\ProgramData\TemplatesWindowsHolographicDevices-type5.3.1.9\TemplatesWindowsHolographicDevices-type5.3.1.9.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:3544
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 508
      2⤵
      • Program crash
      PID:440
  • C:\ProgramData\TemplatesWindowsHolographicDevices-type5.3.1.9\TemplatesWindowsHolographicDevices-type5.3.1.9.exe
    C:\ProgramData\TemplatesWindowsHolographicDevices-type5.3.1.9\TemplatesWindowsHolographicDevices-type5.3.1.9.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:4740

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\TemplatesWindowsHolographicDevices-type5.3.1.9\TemplatesWindowsHolographicDevices-type5.3.1.9.exe
          Filesize

          695.9MB

          MD5

          7ba8a835b4271255deae9fcb1f84a82c

          SHA1

          7f40600a09efb157bf29816b3a92d2726b28ab62

          SHA256

          1b52a7809f5d712bb1d77a8d0cb9786fa64a3379c909630ee9cff7d3cf9458a3

          SHA512

          47adf2fc7ba9ed9c09c142a5feb2b2ae491b634577b98e3ea87824fa50a8949222d3f7425e61337e82024981c57ae319c77d527516936c4671f6e7a9330defa2

          Download Submit

        • C:\ProgramData\TemplatesWindowsHolographicDevices-type5.3.1.9\TemplatesWindowsHolographicDevices-type5.3.1.9.exe
          Filesize

          725.5MB

          MD5

          0ef814376b6a52c678099807d5005aae

          SHA1

          7e0dc2373433302b867b24f44a5902a129dc6df2

          SHA256

          e2dad435045d2b7f5da5440211bd40701c472d25267e44e03d03bb120ac42136

          SHA512

          2c6de8c0aee85fef4b4643f24701e4481006999cceda55857bf29b906fecade042f10e7c9b5f79fe5bf1a67e7c74938b71533112913198ec95cb082ef1b54269

          Download Submit

        • C:\ProgramData\TemplatesWindowsHolographicDevices-type5.3.1.9\TemplatesWindowsHolographicDevices-type5.3.1.9.exe
          Filesize

          375.9MB

          MD5

          dbd7079738322de3b95893012451b65d

          SHA1

          8421188687f52711c2f8aa41efe0734c2074c87c

          SHA256

          7f8c40fba123b811b08cc7505a0d68d1f433073ad53715db8a391a314dd92f6b

          SHA512

          819b1df0f57588debf5eec636c57139c12cfe52787261fa6c6bba599e7b1ec84a64618c7c29f8c52ac9c4175565fcb91b1d587f1e82801214c166be1b2f8c624

          Download Submit

        • memory/3544-154-0x00007FF7626E0000-0x00007FF762BFF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/3544-151-0x00007FF7626E0000-0x00007FF762BFF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/3544-153-0x00007FF7626E0000-0x00007FF762BFF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/3544-152-0x00007FF7626E0000-0x00007FF762BFF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/3544-149-0x00007FF7626E0000-0x00007FF762BFF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/3544-150-0x00007FF7626E0000-0x00007FF762BFF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/4740-158-0x00007FF7626E0000-0x00007FF762BFF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/4740-157-0x00007FF7626E0000-0x00007FF762BFF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/4740-156-0x00007FF7626E0000-0x00007FF762BFF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/4908-126-0x0000000008EB0000-0x0000000008EBA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4908-125-0x0000000008EE0000-0x0000000008F72000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4908-127-0x0000000009130000-0x0000000009140000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4908-117-0x0000000000700000-0x0000000000A5C000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/4908-124-0x00000000094D0000-0x00000000099CE000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/4908-130-0x0000000009130000-0x0000000009140000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4908-129-0x0000000009130000-0x0000000009140000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4908-128-0x0000000009130000-0x0000000009140000-memory.dmp

          Filesize

          64KB

          Download