Analysis

  • max time kernel
    153s
  • max time network
    141s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    28-03-2023 10:26

General

  • Target

    abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe

  • Size

    3.4MB

  • MD5

    6af5b2e6866ba28d18b951b63c4def4d

  • SHA1

    aa43b24fa0080621db487b91937cde636faba824

  • SHA256

    abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da

  • SHA512

    eb83cb73ef0c53b578a5b700deb95e1cc4bdc252cf39d0800bb12f2e107bda8c2f0bebca4ff37ff628cb856ddb7327fe494ddc2fecaa6f4d3fd8eb2fec298c9c

  • SSDEEP

    98304:XUwOIEK84WQsykAeYYkAeYUaMImg8C0QuNAJuR21C/yIq/dhl/O4i/TksjdFwvhW:XUwOIEK84WQsykAeYYkAeYUaMImg8C0l

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe
    "C:\Users\Admin\AppData\Local\Temp\abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopUSOPrivate-type4.5.8.9" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:944
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopUSOPrivate-type4.5.8.9" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1368
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopUSOPrivate-type4.5.8.9" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1940
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9" /TR "C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4984
      • C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe
        "C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:4324
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 128
      2⤵
      • Program crash
      PID:4724
  • C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe
    C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:3644

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Defense Evasion
    Virtualization/Sandbox Evasion (1) T1497
    File Permissions Modification (1) T1222
  • Discovery
    Query Registry (2) T1012
    Virtualization/Sandbox Evasion (1) T1497
    System Information Discovery (2) T1082

Downloads

  • C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe
    Filesize

    676.8MB

    MD5

    9f78fdc5d772920b3e6e6961d67397c7

    SHA1

    e6b6428fd0c48d3782ffb8386ef74b03c890b207

    SHA256

    96da6126cd5d4ec17caae05125b3c255340dee4694c4dbac636e7ac0f40356f3

    SHA512

    2cecb62618971ed95ef08040f6913ed87d8c145dde2122b42b49fc91336b4bfc725f5bde16a19875a9c5cf65a16b2389d9ae6622fb00be69757652d3ef2c459d

  • C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe
    Filesize

    651.5MB

    MD5

    dee5b843ab9dc0dfc5b1037f484d249c

    SHA1

    ae4dfd9161f19860855eff0ab8917667f500978c

    SHA256

    ca7c1f5bbfc43c31c8894fdf069517f2553caad4c4628422ca1f59eeb9ba3b08

    SHA512

    7410c1fb5b9e8960abca6c38a26a4336607906741733bc8f2f0d2dba3eba87174cde8ae6e334e514a5fc2b3a7d68508a1b841a2630937f5e1b3feb71a5a44a82

  • memory/2112-126-0x0000000009C10000-0x000000000A10E000-memory.dmp
    Filesize

    5.0MB

  • memory/2112-127-0x00000000095B0000-0x0000000009642000-memory.dmp
    Filesize

    584KB

  • memory/2112-128-0x0000000009880000-0x0000000009890000-memory.dmp
    Filesize

    64KB

  • memory/2112-129-0x0000000009590000-0x000000000959A000-memory.dmp
    Filesize

    40KB

  • memory/2112-119-0x0000000000400000-0x000000000075C000-memory.dmp
    Filesize

    3.4MB

  • memory/3644-153-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
    Filesize

    5.1MB

  • memory/3644-154-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
    Filesize

    5.1MB

  • memory/3644-155-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
    Filesize

    5.1MB

  • memory/3644-156-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
    Filesize

    5.1MB

  • memory/4324-150-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
    Filesize

    5.1MB

  • memory/4324-151-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
    Filesize

    5.1MB

  • memory/4324-147-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
    Filesize

    5.1MB

  • memory/4324-146-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
    Filesize

    5.1MB