Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/04/2023, 22:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9c47df617e481fcd2c55e92ef01763202fdbeb91dbcce1888f3ee64b00b15e2.exe

  • Size

    705KB

  • MD5

    59491743c4a100c454edb62985fbf778

  • SHA1

    74dccb256ac6f12fc8d0e91de0e0a40ab03dc9d9

  • SHA256

    e9c47df617e481fcd2c55e92ef01763202fdbeb91dbcce1888f3ee64b00b15e2

  • SHA512

    6b9da53a630d6b18bceb703cdc8322f462007571d48f244b93934b34c78e99a7dbe0017e3eae31838d28073dc43bed3502cda96d5cfdd2132de6d34faa0f2af4

  • SSDEEP

    12288:iy902oMFLccTf4y4AwiG3CS/Vi39pKVK6tkAI1wzC01IzEMGJ/K3WoS/Oy2:iyusbX47iDS/V7wR851IIBgWf/h2

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9c47df617e481fcd2c55e92ef01763202fdbeb91dbcce1888f3ee64b00b15e2.exe
    "C:\Users\Admin\AppData\Local\Temp\e9c47df617e481fcd2c55e92ef01763202fdbeb91dbcce1888f3ee64b00b15e2.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4280
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un224083.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un224083.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr061505.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr061505.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:928
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 1072
          4⤵
          • Program crash
          PID:4648
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu397342.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu397342.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1856
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 1320
          4⤵
          • Program crash
          PID:3760
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si848208.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si848208.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4340
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 928 -ip 928
    1⤵
      PID:2876
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1856 -ip 1856
      1⤵
        PID:5068
      • C:\Windows\system32\sc.exe
        C:\Windows\system32\sc.exe start wuauserv
        1⤵
        • Launches sc.exe
        PID:2016

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si848208.exe
        Filesize

        136KB

        MD5

        8c80b06d843bd6a7599a5be2075d9a55

        SHA1

        caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

        SHA256

        e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

        SHA512

        cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si848208.exe
        Filesize

        136KB

        MD5

        8c80b06d843bd6a7599a5be2075d9a55

        SHA1

        caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

        SHA256

        e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

        SHA512

        cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un224083.exe
        Filesize

        550KB

        MD5

        3fb4f841349d68b3b8f5d83b06cd8222

        SHA1

        a33cc3b928511cfecb58501282556c9739cb80d9

        SHA256

        62f2a2326bb4243edf298a0bfba00adfd9b22364e0d2ea5eb9f286b70bab6e54

        SHA512

        1c09620cc495848dc2a31ab9be6b94d6497b0a03969b1da26d625ee8437d73e8933c0547c7198ad0a4ff4d1280f6cc0adcf70009ccbdd4afa2ffddfcc378abf2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un224083.exe
        Filesize

        550KB

        MD5

        3fb4f841349d68b3b8f5d83b06cd8222

        SHA1

        a33cc3b928511cfecb58501282556c9739cb80d9

        SHA256

        62f2a2326bb4243edf298a0bfba00adfd9b22364e0d2ea5eb9f286b70bab6e54

        SHA512

        1c09620cc495848dc2a31ab9be6b94d6497b0a03969b1da26d625ee8437d73e8933c0547c7198ad0a4ff4d1280f6cc0adcf70009ccbdd4afa2ffddfcc378abf2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr061505.exe
        Filesize

        278KB

        MD5

        68cba3fc32aca719c0412bb99239543c

        SHA1

        ad6563b5dda5e6c1944c79cb8fccf0647ea82ac5

        SHA256

        7b28a705215cc5683a45ca18ac24dc9b73e6c3c8d6030b0893310e6e3821519c

        SHA512

        acc2db070e2926910676e3c2e3a480cb644a647bf08be487cdeefacbf2914480f158e570227d2db954d1fcbb1aaaec5835b1187ce1d7eaef4371f39f2432a560

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr061505.exe
        Filesize

        278KB

        MD5

        68cba3fc32aca719c0412bb99239543c

        SHA1

        ad6563b5dda5e6c1944c79cb8fccf0647ea82ac5

        SHA256

        7b28a705215cc5683a45ca18ac24dc9b73e6c3c8d6030b0893310e6e3821519c

        SHA512

        acc2db070e2926910676e3c2e3a480cb644a647bf08be487cdeefacbf2914480f158e570227d2db954d1fcbb1aaaec5835b1187ce1d7eaef4371f39f2432a560

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu397342.exe
        Filesize

        361KB

        MD5

        86a99833e769557caa39ecb10fd6bfcd

        SHA1

        f5507dada4002cbcd0092d4180584914ea6cfcb8

        SHA256

        f68613550063c7a0cd34ef7b16ae3f0b68ba7cf1041bbb374fcca776a5eed751

        SHA512

        5cd01bd1bf5c4634a85a86c9e722b54842e8c6b3f58693b20b7832b4942adf95e770fd452b59c9f411988dbbdaa319aa7802ef81a84fb98fc532c4747b3df4d7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu397342.exe
        Filesize

        361KB

        MD5

        86a99833e769557caa39ecb10fd6bfcd

        SHA1

        f5507dada4002cbcd0092d4180584914ea6cfcb8

        SHA256

        f68613550063c7a0cd34ef7b16ae3f0b68ba7cf1041bbb374fcca776a5eed751

        SHA512

        5cd01bd1bf5c4634a85a86c9e722b54842e8c6b3f58693b20b7832b4942adf95e770fd452b59c9f411988dbbdaa319aa7802ef81a84fb98fc532c4747b3df4d7

        Download Submit

      • memory/928-148-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/928-149-0x0000000007250000-0x00000000077F4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/928-150-0x0000000007240000-0x0000000007250000-memory.dmp

        Filesize

        64KB

        Download

      • memory/928-151-0x0000000007240000-0x0000000007250000-memory.dmp

        Filesize

        64KB

        Download

      • memory/928-152-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-155-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-153-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-157-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-159-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-161-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-163-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-165-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-167-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-169-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-171-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-173-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-175-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-177-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-179-0x0000000004AD0000-0x0000000004AE2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/928-180-0x0000000000400000-0x0000000002BAF000-memory.dmp

        Filesize

        39.7MB

        Download

      • memory/928-181-0x0000000002BB0000-0x0000000002BDD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/928-182-0x0000000007240000-0x0000000007250000-memory.dmp

        Filesize

        64KB

        Download

      • memory/928-183-0x0000000007240000-0x0000000007250000-memory.dmp

        Filesize

        64KB

        Download

      • memory/928-184-0x0000000007240000-0x0000000007250000-memory.dmp

        Filesize

        64KB

        Download

      • memory/928-186-0x0000000000400000-0x0000000002BAF000-memory.dmp

        Filesize

        39.7MB

        Download

      • memory/1856-193-0x00000000073A0000-0x00000000073B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1856-220-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-195-0x00000000073A0000-0x00000000073B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1856-194-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-192-0x00000000073A0000-0x00000000073B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1856-198-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-196-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-206-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-204-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-202-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-200-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-208-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-210-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-212-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-214-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-216-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-218-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-191-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

        Filesize

        280KB

        Download

      • memory/1856-222-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-224-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-226-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-228-0x0000000004E30000-0x0000000004E65000-memory.dmp

        Filesize

        212KB

        Download

      • memory/1856-987-0x0000000009CE0000-0x000000000A2F8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/1856-988-0x000000000A320000-0x000000000A332000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1856-989-0x000000000A340000-0x000000000A44A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/1856-990-0x000000000A460000-0x000000000A49C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/1856-991-0x00000000073A0000-0x00000000073B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1856-992-0x000000000A760000-0x000000000A7C6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1856-993-0x000000000AE20000-0x000000000AEB2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1856-994-0x000000000AFE0000-0x000000000B030000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1856-995-0x000000000B040000-0x000000000B0B6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1856-996-0x000000000B0F0000-0x000000000B10E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1856-997-0x000000000B1D0000-0x000000000B392000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/1856-998-0x000000000B3A0000-0x000000000B8CC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4340-1005-0x0000000000F80000-0x0000000000FA8000-memory.dmp

        Filesize

        160KB

        Download

      • memory/4340-1006-0x0000000008190000-0x00000000081A0000-memory.dmp

        Filesize

        64KB

        Download