Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/04/2023, 06:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe

  • Size

    569KB

  • MD5

    e16aa9c33b0b8bd510d86d8747a0e82f

  • SHA1

    133bd312f8e1e3eaf246254c912b2d9fbfb978b4

  • SHA256

    2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7

  • SHA512

    f3e00ba5a7f331847ae4a712f874d8a8650283e09fcbc944a3111a4dfc0dc0607397fc3800263af3243bdfe4a2ddf95359ada4f5be0793471c6a4c3d2955e114

  • SSDEEP

    12288:cy90+BBqBMbIU8w3hbrTyedSn0Y8405kpymxHNrYbGksfK:cyfBBqBZU8w3hf+ISns4aCYxj

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe
    "C:\Users\Admin\AppData\Local\Temp\2008044eca9a7de9a8b090746d2d000daf61b8a305450ab32d0c8eecc57a54f7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimv9509.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimv9509.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4064
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it372024.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it372024.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3240
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp219351.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp219351.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:116
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1956
          4⤵
          • Program crash
          PID:1308
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr947039.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr947039.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4972
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 116 -ip 116
    1⤵
      PID:1300

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr947039.exe
      Filesize

      136KB

      MD5

      9c75a048f066d01b19ed80dc6e7a7101

      SHA1

      7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

      SHA256

      c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

      SHA512

      b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr947039.exe
      Filesize

      136KB

      MD5

      9c75a048f066d01b19ed80dc6e7a7101

      SHA1

      7d37c8ef50e8b83fcdd44032fb082f226ab3d8c3

      SHA256

      c816d0c862e5001569f4454d0a12c7ee85a7d5afbf3abd896546bba1816d1625

      SHA512

      b70e03a3fcfd29276b36d42ae1b2fedda5de020f0279d798f9fbd1d7f4ac1f10e60cf623e173a55dc42f87d99a83fe9a8db8f6b02a349257d8a2665f84f99e33

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimv9509.exe
      Filesize

      415KB

      MD5

      8b261921f93827eea0e9b29b524baf24

      SHA1

      66924f135a98a1848bffba58ec9fb990f6181b36

      SHA256

      48982a27952fbebbf7b9bb1cc56a55dfcb5b40a0770cfcef5235482768ba536d

      SHA512

      2d79b5354023533b540963d5457feaf090c671325684f5b7d53b6804efc7668f9814dd277953f9da676e1afdb9b88831a4110015a43925359715c8ba972c74a4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zimv9509.exe
      Filesize

      415KB

      MD5

      8b261921f93827eea0e9b29b524baf24

      SHA1

      66924f135a98a1848bffba58ec9fb990f6181b36

      SHA256

      48982a27952fbebbf7b9bb1cc56a55dfcb5b40a0770cfcef5235482768ba536d

      SHA512

      2d79b5354023533b540963d5457feaf090c671325684f5b7d53b6804efc7668f9814dd277953f9da676e1afdb9b88831a4110015a43925359715c8ba972c74a4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it372024.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it372024.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp219351.exe
      Filesize

      382KB

      MD5

      959353ae66c54a41d5d1c9dcef11209e

      SHA1

      e8c3ab3e7de97a577044b2e00bcca6a0b69a82dd

      SHA256

      c98de88bceedbf050f5250ae91cb8b8ed14a91916c7db4fc76a8a95018510491

      SHA512

      a0d7e73985c6261840bdda03eb4dbacc8cd07990335ca48fb96aff203eee63d7a58fbd3c9d6258dd27ba430309a04344b945d450824d2c2402aa802235711a63

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp219351.exe
      Filesize

      382KB

      MD5

      959353ae66c54a41d5d1c9dcef11209e

      SHA1

      e8c3ab3e7de97a577044b2e00bcca6a0b69a82dd

      SHA256

      c98de88bceedbf050f5250ae91cb8b8ed14a91916c7db4fc76a8a95018510491

      SHA512

      a0d7e73985c6261840bdda03eb4dbacc8cd07990335ca48fb96aff203eee63d7a58fbd3c9d6258dd27ba430309a04344b945d450824d2c2402aa802235711a63

      Download Submit

    • memory/116-153-0x0000000007340000-0x00000000078E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/116-154-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-155-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-157-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-159-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-161-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-163-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-165-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-167-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-169-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/116-171-0x0000000007330000-0x0000000007340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/116-173-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-175-0x0000000007330000-0x0000000007340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/116-174-0x0000000007330000-0x0000000007340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/116-170-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-177-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-179-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-181-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-183-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-185-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-187-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-189-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-191-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-193-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-195-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-197-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-199-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-201-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-203-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-205-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-207-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-211-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-213-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-209-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-215-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-217-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-219-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-221-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/116-950-0x0000000009DB0000-0x000000000A3C8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/116-951-0x000000000A460000-0x000000000A472000-memory.dmp

      Filesize

      72KB

      Download

    • memory/116-952-0x000000000A480000-0x000000000A58A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/116-953-0x000000000A5B0000-0x000000000A5EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/116-954-0x0000000007330000-0x0000000007340000-memory.dmp

      Filesize

      64KB

      Download

    • memory/116-955-0x000000000A8A0000-0x000000000A906000-memory.dmp

      Filesize

      408KB

      Download

    • memory/116-956-0x000000000AF70000-0x000000000B002000-memory.dmp

      Filesize

      584KB

      Download

    • memory/116-957-0x000000000B130000-0x000000000B1A6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/116-958-0x000000000B200000-0x000000000B3C2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/116-959-0x000000000B420000-0x000000000B94C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/116-960-0x000000000BA20000-0x000000000BA3E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/116-961-0x00000000049D0000-0x0000000004A20000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3240-147-0x0000000000990000-0x000000000099A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4972-967-0x0000000000CC0000-0x0000000000CE8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/4972-968-0x0000000007A50000-0x0000000007A60000-memory.dmp

      Filesize

      64KB

      Download