Overview

overview

9

Static

static

1

dridex

windows10-1703-x64

9

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29/03/2023, 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe

  • Size

    3.5MB

  • MD5

    f73ff75729d6b75e6471e831de9da26c

  • SHA1

    d2ad907db9be23213a56841811bf3fdd40167e14

  • SHA256

    36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba

  • SHA512

    3fa2b19407fa423937a14777e50473f5783eeaafe901ac89525dcff84b2bbd076cbfa25bc5d8a0788520eee1ddfc439ce5a3b11828a55f49a3bd00c5028fac03

  • SSDEEP

    49152:lkygYIBuLxcnsis7wVFEIRmQJcCT7KZLDMGLRwHyp9lcOP7UuziMddsruFXKQnLw:aYdxcnsEcI4QJhOOHyuM4u+UdJAqERL

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe
    "C:\Users\Admin\AppData\Local\Temp\36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4156
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleTemplates-type3.1.4.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3952
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleTemplates-type3.1.4.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1012
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleTemplates-type3.1.4.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4572
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0" /TR "C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4760
      • C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe
        "C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:2528
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 508
      2⤵
      • Program crash
      PID:2100
  • C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe
    C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:3520

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe
    Filesize

    955.6MB

    MD5

    fe83ff2c94df77062bb5e12e06ebb0f3

    SHA1

    9c6e16e96654f62b461547aec7faa63e5d2ea604

    SHA256

    25dfc22eb572b78f65c246eac6b2f4a0227585fed5dece61dc232c4761dfa3d1

    SHA512

    a7a137d3b0a1a92cd52cfa8d206ef8503535141c9dfb489cf37664304e5ed234fffd19617962bcc36b41d98c7a31e4a5f02dc412f73bb756859b9d30e0785603

    Download Submit

  • C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe
    Filesize

    955.6MB

    MD5

    fe83ff2c94df77062bb5e12e06ebb0f3

    SHA1

    9c6e16e96654f62b461547aec7faa63e5d2ea604

    SHA256

    25dfc22eb572b78f65c246eac6b2f4a0227585fed5dece61dc232c4761dfa3d1

    SHA512

    a7a137d3b0a1a92cd52cfa8d206ef8503535141c9dfb489cf37664304e5ed234fffd19617962bcc36b41d98c7a31e4a5f02dc412f73bb756859b9d30e0785603

    Download Submit

  • C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe
    Filesize

    54.7MB

    MD5

    bfa1db0bb85805cabfc07ab23b81ae19

    SHA1

    fb87ee1400af198d747b80dae0d36e47dbe68190

    SHA256

    15754ec720dd1d3c7972f5aef388c6ff2d39e8c89722b39057719a130e0dd32c

    SHA512

    6e7403c35390a2f475e8cb5b82e32788cc9c8c1a06c6b2f29c087c50c8b67592b893846d099bc69d828053ada20fd269ff31e556fef809a6b2959c27ccd9f645

    Download Submit

  • memory/2528-154-0x00007FF718910000-0x00007FF718E2F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2528-155-0x00007FF718910000-0x00007FF718E2F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2528-157-0x00007FF718910000-0x00007FF718E2F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2528-156-0x00007FF718910000-0x00007FF718E2F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2528-153-0x00007FF718910000-0x00007FF718E2F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/2528-150-0x00007FF718910000-0x00007FF718E2F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3520-159-0x00007FF718910000-0x00007FF718E2F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/3520-160-0x00007FF718910000-0x00007FF718E2F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/4156-128-0x00000000092F0000-0x0000000009382000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4156-129-0x00000000092D0000-0x00000000092DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4156-133-0x00000000092A0000-0x00000000092B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4156-120-0x0000000000400000-0x000000000075C000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4156-130-0x00000000092A0000-0x00000000092B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4156-132-0x00000000092A0000-0x00000000092B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4156-131-0x00000000092A0000-0x00000000092B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4156-127-0x0000000009930000-0x0000000009E2E000-memory.dmp

    Filesize

    5.0MB

    Download