Overview

overview

9

Static

static

1

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/03/2023, 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    180c4bb1fe34e235be1ddaac55f588886549dc53f766043f18b3d76b5a09e581.exe

  • Size

    3.4MB

  • MD5

    9cbb1cf4f73f842fb0aa6a9726c3c24e

  • SHA1

    4f68996a486b8e68f590ff7fec88536d7f77e3e3

  • SHA256

    180c4bb1fe34e235be1ddaac55f588886549dc53f766043f18b3d76b5a09e581

  • SHA512

    362835c2285e2415d29a6fb3d2a7aa2e33bc7fa0ab7b80d6444f996fae915f09793cd859f705627a1cc68685a45b7698972989a130c0b620083cb063e9f2476d

  • SSDEEP

    98304:eUwOIEK84WQsykAeYYkAeYUaMImg8C0Qu9MJuR21C/yIq/dhl/O4i/TksjdFwvhW:eUwOIEK84WQsykAeYYkAeYUaMImg8C0p

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\180c4bb1fe34e235be1ddaac55f588886549dc53f766043f18b3d76b5a09e581.exe
    "C:\Users\Admin\AppData\Local\Temp\180c4bb1fe34e235be1ddaac55f588886549dc53f766043f18b3d76b5a09e581.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivatePackages-type8.4.7.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3120
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivatePackages-type8.4.7.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:5012
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivatePackages-type8.4.7.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:548
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "USOPrivatePackages-type8.4.7.8\USOPrivatePackages-type8.4.7.8" /TR "C:\ProgramData\USOPrivatePackages-type8.4.7.8\USOPrivatePackages-type8.4.7.8.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:2268
      • C:\ProgramData\USOPrivatePackages-type8.4.7.8\USOPrivatePackages-type8.4.7.8.exe
        "C:\ProgramData\USOPrivatePackages-type8.4.7.8\USOPrivatePackages-type8.4.7.8.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:4296
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 276
      2⤵
      • Program crash
      PID:1824
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2764 -ip 2764
    1⤵
      PID:3248
    • C:\ProgramData\USOPrivatePackages-type8.4.7.8\USOPrivatePackages-type8.4.7.8.exe
      C:\ProgramData\USOPrivatePackages-type8.4.7.8\USOPrivatePackages-type8.4.7.8.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:2960

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\USOPrivatePackages-type8.4.7.8\USOPrivatePackages-type8.4.7.8.exe
      Filesize

      566.5MB

      MD5

      81104de6dc28eaaa5aa078d09653434f

      SHA1

      f2a5703d8d3a6b8b8b0095354b687fea2324f1ef

      SHA256

      a28908e129c42e2ed515eeb5758c6fb02b41f4c81f98e8b296dace448f731c3f

      SHA512

      5eef85e355513394cc4ae9e6828d7c4e32212608035ec1bbb7bcfd2328f3b86aefaead01745478e30bcc09a53c4e332b367508b9f6a03b10cf2e91b8e65d375b

      Download Submit

    • C:\ProgramData\USOPrivatePackages-type8.4.7.8\USOPrivatePackages-type8.4.7.8.exe
      Filesize

      620.5MB

      MD5

      d0d45b9dc48cc58db9e996aacb25b48e

      SHA1

      2e55b5e0c023b7ebcf64f12b661dc05baa33df32

      SHA256

      25a8e26c2e2ba1d84f324152c2f0ab0dd9a5bb6494459695a1b227585d2947c6

      SHA512

      5d180cb8567eacb351673cde00718f8a490af0d2013bd39f4624fe5ecfc5d3bc227ca154b9ee63f2d4f5ddb29b2c53f6d619c5bfe03c83382dcb49ba60444a73

      Download Submit

    • C:\ProgramData\USOPrivatePackages-type8.4.7.8\USOPrivatePackages-type8.4.7.8.exe
      Filesize

      610.1MB

      MD5

      e05faed90c3d27105908bbd914216407

      SHA1

      9c0169d394402927673120fefcec7fcca2014f98

      SHA256

      bb6f33c2d8b3f9841eb67160c3086e32b508efc4ab32f2b95400b7144e098ec5

      SHA512

      6f401d2df9b4cc7f72968da703b6588330c22d2d63ad6642dd09493104a3a697e4e785ac8a8ef785561c4a568ef6603784a7e4661c1a2a4614e3f589362933c4

      Download Submit

    • C:\ProgramData\USOPrivatePackages-type8.4.7.8\USOPrivatePackages-type8.4.7.8.exe
      Filesize

      343.2MB

      MD5

      30ef16908c3c7aec6e93b2d06ebbe4ef

      SHA1

      64f1d8dcdcc31ca21b9548c6b8d9ff0c2bd69584

      SHA256

      382a9262f37268890a348cfa76efd839dbf3bb3418816f792aaefbd460cf4612

      SHA512

      27f8e45ad99f758028a4957aa801e346435f4261564e311ee4f324941f07fd9d5acfe8ff85e277c936a3eee6e03f0fdeefdb37735a32cae30f2bf5f5d3218c11

      Download Submit

    • memory/812-141-0x0000000005C60000-0x0000000005C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/812-138-0x00000000061C0000-0x0000000006764000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/812-143-0x0000000005C60000-0x0000000005C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/812-144-0x0000000005C60000-0x0000000005C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/812-133-0x0000000001330000-0x000000000168C000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/812-140-0x0000000005CA0000-0x0000000005CAA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/812-139-0x0000000005CB0000-0x0000000005D42000-memory.dmp

      Filesize

      584KB

      Download

    • memory/812-142-0x0000000005C60000-0x0000000005C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2960-160-0x00007FF7B5BE0000-0x00007FF7B60FF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2960-159-0x00007FF7B5BE0000-0x00007FF7B60FF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2960-158-0x00007FF7B5BE0000-0x00007FF7B60FF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4296-153-0x00007FF7B5BE0000-0x00007FF7B60FF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4296-156-0x00007FF7B5BE0000-0x00007FF7B60FF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4296-155-0x00007FF7B5BE0000-0x00007FF7B60FF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/4296-154-0x00007FF7B5BE0000-0x00007FF7B60FF000-memory.dmp

      Filesize

      5.1MB

      Download