Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-04-2023 09:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    46e6e163e3bc57ea482de4c30f4c74df76507b7dde9db089802bf28107be0410.exe

  • Size

    566KB

  • MD5

    4ab7a6452e1f696820d332abc96f09a2

  • SHA1

    62f41a35c831eefd2a3400606c63c6eb8b07c2b2

  • SHA256

    46e6e163e3bc57ea482de4c30f4c74df76507b7dde9db089802bf28107be0410

  • SHA512

    f62762995f597531dceea7ca6abacb881b680fc5a82ea8fc9fd2aa0a1a03e0fd772c1ab8b917249adf7db1cfc2c0769d6cda9620b4a6f555a301d7e44246d1f5

  • SSDEEP

    12288:xy90CkFVjZDjw9nRiRLKs+oY6m1XteBXwbaW:xycVjxanRiRLj+oY60X0JeaW

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\46e6e163e3bc57ea482de4c30f4c74df76507b7dde9db089802bf28107be0410.exe
    "C:\Users\Admin\AppData\Local\Temp\46e6e163e3bc57ea482de4c30f4c74df76507b7dde9db089802bf28107be0410.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSP2102.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSP2102.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it560434.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it560434.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3196
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp309594.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp309594.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4312
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 1144
          4⤵
          • Program crash
          PID:2876
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr926449.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr926449.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3712
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4312 -ip 4312
    1⤵
      PID:4280
    • C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start wuauserv
      1⤵
      • Launches sc.exe
      PID:1788

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr926449.exe
      Filesize

      136KB

      MD5

      8c80b06d843bd6a7599a5be2075d9a55

      SHA1

      caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

      SHA256

      e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

      SHA512

      cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr926449.exe
      Filesize

      136KB

      MD5

      8c80b06d843bd6a7599a5be2075d9a55

      SHA1

      caf86cf2f908f6ac64b8d4788bc61aaaf672f9f2

      SHA256

      e794f573618cef6be742a0f574f179aa1087b51c4ec23bcf7faa16415028850e

      SHA512

      cd902bd2607ee797a60f615c550304e45ff59f2313cbb596b50fae913eae481987a8bde0a83587b153192eeb97514f281864c5fb3db4dc128453d507c5aeeded

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSP2102.exe
      Filesize

      412KB

      MD5

      120e756bf931fb40501afcd0ff94d831

      SHA1

      1f25a7fa1151023f92976f9af192219ade6ecb7e

      SHA256

      689031141c37116cc4f332844182a6c43921278917d65ed3922a712e0328ad2b

      SHA512

      d27841e3a9d83ca79f21ffff1e178dff40cf6afd5c1464283b15c42fe94a811d2ff0ea7c54efb8cea1e755086b938f28b1965fe0fb0417f604cb4a1e0f555956

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziSP2102.exe
      Filesize

      412KB

      MD5

      120e756bf931fb40501afcd0ff94d831

      SHA1

      1f25a7fa1151023f92976f9af192219ade6ecb7e

      SHA256

      689031141c37116cc4f332844182a6c43921278917d65ed3922a712e0328ad2b

      SHA512

      d27841e3a9d83ca79f21ffff1e178dff40cf6afd5c1464283b15c42fe94a811d2ff0ea7c54efb8cea1e755086b938f28b1965fe0fb0417f604cb4a1e0f555956

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it560434.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it560434.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp309594.exe
      Filesize

      368KB

      MD5

      4ae1de73c3aa0f808d313beddc0c07e3

      SHA1

      e5357f7f219789efbb9586ed5da30449dc93e1c1

      SHA256

      4970812a5643ecb6176ffe63311bee6174d9374a83d7017341c11f41aa10f9c2

      SHA512

      f13588b70254edc73e54904e832a7453162e2ff4d9bb44ae2d8e0eab48d30f1bfef00958ee40518fc899ef971047531c67068526a4c0c72645f8bdd35ce25dcc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp309594.exe
      Filesize

      368KB

      MD5

      4ae1de73c3aa0f808d313beddc0c07e3

      SHA1

      e5357f7f219789efbb9586ed5da30449dc93e1c1

      SHA256

      4970812a5643ecb6176ffe63311bee6174d9374a83d7017341c11f41aa10f9c2

      SHA512

      f13588b70254edc73e54904e832a7453162e2ff4d9bb44ae2d8e0eab48d30f1bfef00958ee40518fc899ef971047531c67068526a4c0c72645f8bdd35ce25dcc

      Download Submit

    • memory/3196-147-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3712-967-0x0000000000970000-0x0000000000998000-memory.dmp

      Filesize

      160KB

      Download

    • memory/3712-968-0x00000000078E0000-0x00000000078F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4312-185-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-197-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-155-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-158-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-156-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-160-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-162-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-165-0x0000000007390000-0x00000000073A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4312-169-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-168-0x0000000007390000-0x00000000073A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4312-166-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-164-0x0000000007390000-0x00000000073A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4312-173-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-171-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-175-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-177-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-179-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-181-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-183-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-153-0x0000000002C20000-0x0000000002C66000-memory.dmp

      Filesize

      280KB

      Download

    • memory/4312-187-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-189-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-191-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-193-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-195-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-154-0x00000000073A0000-0x0000000007944000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4312-201-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-199-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-203-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-205-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-207-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-209-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-211-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-213-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-215-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-217-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-219-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-221-0x00000000072B0000-0x00000000072E5000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4312-950-0x0000000009DD0000-0x000000000A3E8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4312-951-0x000000000A460000-0x000000000A472000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4312-952-0x000000000A480000-0x000000000A58A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4312-953-0x000000000A5A0000-0x000000000A5DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4312-954-0x0000000007390000-0x00000000073A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4312-955-0x000000000A8A0000-0x000000000A906000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4312-956-0x000000000AF70000-0x000000000B002000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4312-957-0x000000000B010000-0x000000000B086000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4312-958-0x000000000B0D0000-0x000000000B0EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4312-959-0x000000000B160000-0x000000000B1B0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4312-960-0x000000000B430000-0x000000000B5F2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4312-961-0x000000000B610000-0x000000000BB3C000-memory.dmp

      Filesize

      5.2MB

      Download