Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    94s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    20-04-2023 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ece5032d62e954b56af6f1c4530d93449d845aaa52b44d939c1329c7673162cf.exe

  • Size

    919KB

  • MD5

    9f8a0cf772670710b171b340ba02ea04

  • SHA1

    d22799681a55e56160be775a0a75450110436589

  • SHA256

    ece5032d62e954b56af6f1c4530d93449d845aaa52b44d939c1329c7673162cf

  • SHA512

    1d04a31e875df77e96226cf5e9989cd3ec10b186a8b75aa748bba45e846c2aaf6122161ae388d72519e26eb10f9f6d61457716001b627b407de1304c55381e2e

  • SSDEEP

    24576:TySGbbTN1iKSr6z2a/Kw2IPmhziJ78DbE08p:mS4ziKSWChG6E08

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ece5032d62e954b56af6f1c4530d93449d845aaa52b44d939c1329c7673162cf.exe
    "C:\Users\Admin\AppData\Local\Temp\ece5032d62e954b56af6f1c4530d93449d845aaa52b44d939c1329c7673162cf.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2544
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDV6999.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDV6999.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziRb5329.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziRb5329.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5092
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it555927.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it555927.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4596
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr516909.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr516909.exe
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4148
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp486739.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp486739.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr656679.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr656679.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      PID:4936
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 616
        3⤵
        • Program crash
        PID:4016
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 696
        3⤵
        • Program crash
        PID:4220
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 836
        3⤵
        • Program crash
        PID:1456
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 816
        3⤵
        • Program crash
        PID:3684
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 872
        3⤵
        • Program crash
        PID:4876
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 860
        3⤵
        • Program crash
        PID:3756
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1116
        3⤵
        • Program crash
        PID:3760
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1148
        3⤵
        • Program crash
        PID:2724
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1124
        3⤵
        • Program crash
        PID:1068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr656679.exe
    Filesize

    367KB

    MD5

    b3b924bc1e4ae918cc67c3c5ab6ad03a

    SHA1

    0a34e2347aa616a61aca5a8f96cff2dad58a3fcc

    SHA256

    c8d23073564e37c211205363bf832a3127766095f8cdca28225adccd2c6085d0

    SHA512

    92cc0e283c266dbabdad7002b46a94c81a5a74bc8a51d9e9e64d2b8f12f0aa19d348728b77f4e2488eb4ebf72103c610cfa00e64cc890bb2a3a6579bd4d855f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr656679.exe
    Filesize

    367KB

    MD5

    b3b924bc1e4ae918cc67c3c5ab6ad03a

    SHA1

    0a34e2347aa616a61aca5a8f96cff2dad58a3fcc

    SHA256

    c8d23073564e37c211205363bf832a3127766095f8cdca28225adccd2c6085d0

    SHA512

    92cc0e283c266dbabdad7002b46a94c81a5a74bc8a51d9e9e64d2b8f12f0aa19d348728b77f4e2488eb4ebf72103c610cfa00e64cc890bb2a3a6579bd4d855f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDV6999.exe
    Filesize

    614KB

    MD5

    99a5fc613be18bbae4b66040169a92b7

    SHA1

    30263127106f7aca7f333c600c90965e33a870b1

    SHA256

    da936377b51e73e054b7235893634fa0f3611a5e9f2407dd7632ff4f9ead6d34

    SHA512

    ad6e2a8cbc0782c81b6c13b01ea47c3a9fb59fb6cb2734b48b70677c8db396ba925120357d87bc464ccec2c3635018701081cd127ec4b0926a6496c025bb79e1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDV6999.exe
    Filesize

    614KB

    MD5

    99a5fc613be18bbae4b66040169a92b7

    SHA1

    30263127106f7aca7f333c600c90965e33a870b1

    SHA256

    da936377b51e73e054b7235893634fa0f3611a5e9f2407dd7632ff4f9ead6d34

    SHA512

    ad6e2a8cbc0782c81b6c13b01ea47c3a9fb59fb6cb2734b48b70677c8db396ba925120357d87bc464ccec2c3635018701081cd127ec4b0926a6496c025bb79e1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp486739.exe
    Filesize

    136KB

    MD5

    86810f340795831f3c2bd147981be929

    SHA1

    573345e2c322720fa43f74d761ff1d48028f36c9

    SHA256

    d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

    SHA512

    c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp486739.exe
    Filesize

    136KB

    MD5

    86810f340795831f3c2bd147981be929

    SHA1

    573345e2c322720fa43f74d761ff1d48028f36c9

    SHA256

    d122c80c89eb529d8edb82af16a9ffd8bb187f391758fe80ac2e25db159a9139

    SHA512

    c50b8b6a424fc20c6a3009560cffc277c8dd99792c97f72bfb57d924efdc07341e87a96cb2556e90955fbab6bd59df2a8fc23f89866096658dc7530499becd9f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziRb5329.exe
    Filesize

    460KB

    MD5

    1c4d29d492d1d967a67440e2f0e6e52e

    SHA1

    4116559d606a40d505af4fd6f0f2a4321ce1c6ce

    SHA256

    84fef87fa3b4e12ce9c858820c422e1e49160feb48ed0fabec6e762b95e76772

    SHA512

    23bd150552976362275e6c0a26ccf916c89dbee35c8346d6ef7e2fcb010ace12ea9350184f0cc4c35c96e4bad214aaf2effc2fb34690b3106c1b9f2b41c138eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziRb5329.exe
    Filesize

    460KB

    MD5

    1c4d29d492d1d967a67440e2f0e6e52e

    SHA1

    4116559d606a40d505af4fd6f0f2a4321ce1c6ce

    SHA256

    84fef87fa3b4e12ce9c858820c422e1e49160feb48ed0fabec6e762b95e76772

    SHA512

    23bd150552976362275e6c0a26ccf916c89dbee35c8346d6ef7e2fcb010ace12ea9350184f0cc4c35c96e4bad214aaf2effc2fb34690b3106c1b9f2b41c138eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it555927.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it555927.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr516909.exe
    Filesize

    472KB

    MD5

    f427fdaa1889f4778fb46c4bfe81d0a2

    SHA1

    71f5800ebf5e2735a43315466bb538386e80aaa6

    SHA256

    f2ebc5b662b4cf19397130d183e870db6e0c3bbb2081c7f2e83cfafa9f8f9ddc

    SHA512

    a8dc3a3987e60213ca431985b5be0513180f590a1933c406b31688439b72c32ec3ee29fe5505ba3981bcdadebf80f15cd2cc85080df340ca69e256bb831b6015

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr516909.exe
    Filesize

    472KB

    MD5

    f427fdaa1889f4778fb46c4bfe81d0a2

    SHA1

    71f5800ebf5e2735a43315466bb538386e80aaa6

    SHA256

    f2ebc5b662b4cf19397130d183e870db6e0c3bbb2081c7f2e83cfafa9f8f9ddc

    SHA512

    a8dc3a3987e60213ca431985b5be0513180f590a1933c406b31688439b72c32ec3ee29fe5505ba3981bcdadebf80f15cd2cc85080df340ca69e256bb831b6015

    Download Submit

  • memory/2268-966-0x0000000000A40000-0x0000000000A68000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2268-968-0x0000000007770000-0x0000000007780000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2268-967-0x0000000007800000-0x000000000784B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4148-183-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-203-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-155-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4148-156-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-157-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-159-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-161-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-163-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-165-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-167-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-171-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-169-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-175-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-177-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-173-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-179-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-187-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-185-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-189-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-153-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4148-181-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-191-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-197-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-199-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-201-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-207-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-205-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-154-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4148-195-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-193-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-209-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-213-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-217-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-215-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-211-0x0000000004DE0000-0x0000000004E15000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4148-948-0x0000000007E00000-0x0000000008406000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4148-949-0x0000000007850000-0x0000000007862000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4148-950-0x0000000007880000-0x000000000798A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4148-951-0x0000000004E60000-0x0000000004E70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4148-952-0x00000000079A0000-0x00000000079DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4148-953-0x0000000007B20000-0x0000000007B6B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4148-954-0x0000000007CB0000-0x0000000007D16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4148-955-0x0000000008970000-0x0000000008A02000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4148-956-0x0000000008A40000-0x0000000008AB6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4148-957-0x0000000008B00000-0x0000000008CC2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4148-152-0x0000000002210000-0x0000000002256000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4148-151-0x0000000004DE0000-0x0000000004E1A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4148-150-0x0000000004E70000-0x000000000536E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/4148-149-0x0000000004D60000-0x0000000004D9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4148-958-0x0000000008CE0000-0x000000000920C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/4148-959-0x0000000009330000-0x000000000934E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4148-960-0x0000000002840000-0x0000000002890000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4596-142-0x0000000000780000-0x000000000078A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4596-144-0x0000000000D40000-0x0000000000DC9000-memory.dmp

    Filesize

    548KB

    Download

  • memory/4936-974-0x0000000000800000-0x0000000000835000-memory.dmp

    Filesize

    212KB

    Download