Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    82s
  • max time network
    104s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/04/2023, 21:35 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe

  • Size

    695KB

  • MD5

    b41df39c86e8bbff6deb15b02db488f1

  • SHA1

    1be27cca3d1d33bc4ec2e8cc1ccb016702490ed5

  • SHA256

    7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664

  • SHA512

    5283465d5c49bc3acf412b2762478138225dce348c4335038c75dd128c885454466a9ec0ae9fdb5ac4cd1a9c7f0d8963f4eaf846b6a381d09459c9d54d81670e

  • SSDEEP

    12288:Py90G/sP6Wie07Z8o8UbIK9BiCDzax8IkqLSbZeNA2s6:PylfZ79tIK9ECk8fbZaAd6

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe
    "C:\Users\Admin\AppData\Local\Temp\7a329b0b93590a9eec42518af702296df1ef3f95dceb2fd5106f0cc578301664.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3376
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un370216.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un370216.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3972
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11789496.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11789496.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:396
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1088
          4⤵
          • Program crash
          PID:1256
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk720685.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk720685.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:436
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1620
          4⤵
          • Program crash
          PID:4868
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si036499.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si036499.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3356
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 396 -ip 396
    1⤵
      PID:3356
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 436 -ip 436
      1⤵
        PID:4392

      Network

      • flag-us
        DNS
        176.122.125.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        176.122.125.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        97.97.242.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.97.242.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        13.86.106.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        13.86.106.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        72.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        72.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        208.194.73.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        208.194.73.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        15.164.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        15.164.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        143.248.161.185.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        143.248.161.185.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        2.36.159.162.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        2.36.159.162.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        183.59.114.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        183.59.114.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        8.3.197.209.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        8.3.197.209.in-addr.arpa
        IN PTR
        Response
        8.3.197.209.in-addr.arpa
        IN PTR
        vip0x008map2sslhwcdnnet
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        26.165.165.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        26.165.165.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        44.8.109.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        44.8.109.52.in-addr.arpa
        IN PTR
        Response
      • 185.161.248.143:38452
        rk720685.exe
        7.5kB
         7.8kB
         18
        14
      • 185.161.248.143:38452
        si036499.exe
        5.7kB
         7.6kB
         15
        11
      • 104.46.162.224:443
        322 B
         7
      • 8.238.22.254:80
        322 B
         7
      • 8.238.22.254:80
        322 B
         7
      • 8.238.22.254:80
        322 B
         7
      • 173.223.113.164:443
        322 B
         7
      • 173.223.113.131:80
        322 B
         7
      • 131.253.33.203:80
        322 B
         7
      • 8.8.8.8:53
        176.122.125.40.in-addr.arpa
        dns
        73 B
         159 B
         1
        1

        DNS Request

        176.122.125.40.in-addr.arpa

      • 8.8.8.8:53
        97.97.242.52.in-addr.arpa
        dns
        71 B
         145 B
         1
        1

        DNS Request

        97.97.242.52.in-addr.arpa

      • 8.8.8.8:53
        13.86.106.20.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        13.86.106.20.in-addr.arpa

      • 8.8.8.8:53
        72.32.126.40.in-addr.arpa
        dns
        71 B
         157 B
         1
        1

        DNS Request

        72.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        208.194.73.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        208.194.73.20.in-addr.arpa

      • 8.8.8.8:53
        15.164.165.52.in-addr.arpa
        dns
        72 B
         146 B
         1
        1

        DNS Request

        15.164.165.52.in-addr.arpa

      • 8.8.8.8:53
        143.248.161.185.in-addr.arpa
        dns
        74 B
         134 B
         1
        1

        DNS Request

        143.248.161.185.in-addr.arpa

      • 8.8.8.8:53
        2.36.159.162.in-addr.arpa
        dns
        71 B
         133 B
         1
        1

        DNS Request

        2.36.159.162.in-addr.arpa

      • 8.8.8.8:53
        183.59.114.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        183.59.114.20.in-addr.arpa

      • 8.8.8.8:53
        8.3.197.209.in-addr.arpa
        dns
        70 B
         111 B
         1
        1

        DNS Request

        8.3.197.209.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        26.165.165.52.in-addr.arpa
        dns
        72 B
         146 B
         1
        1

        DNS Request

        26.165.165.52.in-addr.arpa

      • 8.8.8.8:53
        44.8.109.52.in-addr.arpa
        dns
        70 B
         144 B
         1
        1

        DNS Request

        44.8.109.52.in-addr.arpa

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si036499.exe
        Filesize

        136KB

        MD5

        73cae2858379cab7e68b9e5bf751c372

        SHA1

        38c375354bda6e5c8fb2579f1ef0416a6c65929a

        SHA256

        e423b9b79b441e48fd15c0980c78bf87ddaab308fa1c5d5ecdfbd85e1da73f1c

        SHA512

        343c2e4470d42c5078a7e4025509779bfd4b92b5c8b71a9e270acb2b98b6b6fcfa04f8158d9c10c468d0984daac5c8f316424df5e4def7db13e8768eb0d7c7d8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si036499.exe
        Filesize

        136KB

        MD5

        73cae2858379cab7e68b9e5bf751c372

        SHA1

        38c375354bda6e5c8fb2579f1ef0416a6c65929a

        SHA256

        e423b9b79b441e48fd15c0980c78bf87ddaab308fa1c5d5ecdfbd85e1da73f1c

        SHA512

        343c2e4470d42c5078a7e4025509779bfd4b92b5c8b71a9e270acb2b98b6b6fcfa04f8158d9c10c468d0984daac5c8f316424df5e4def7db13e8768eb0d7c7d8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un370216.exe
        Filesize

        541KB

        MD5

        6057ef77379a0a454b5f77253efde380

        SHA1

        1e1eef08edd657282a35aad5edf54102515fbab2

        SHA256

        bd388398e7331607568318f2e7680e8febcd65597686696c87c9ac174b41c4de

        SHA512

        9fc233573d24031b93061405fda77cb1d7f82b0e38b09dfadbd039ec9e6c2b73aebc607c096d2a50db3bdd6ccd0db029932c34c05c95f3e87f7a1c340c7f296d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un370216.exe
        Filesize

        541KB

        MD5

        6057ef77379a0a454b5f77253efde380

        SHA1

        1e1eef08edd657282a35aad5edf54102515fbab2

        SHA256

        bd388398e7331607568318f2e7680e8febcd65597686696c87c9ac174b41c4de

        SHA512

        9fc233573d24031b93061405fda77cb1d7f82b0e38b09dfadbd039ec9e6c2b73aebc607c096d2a50db3bdd6ccd0db029932c34c05c95f3e87f7a1c340c7f296d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11789496.exe
        Filesize

        257KB

        MD5

        4097446966a1f8e5bc5e5dc449d594fb

        SHA1

        21b5ade485267fbc111fd46ca9aa10458251a520

        SHA256

        aa03b1948bd7bf8ee8048959a27386f6d631b2d4873588befeededa192ce7cd3

        SHA512

        3f50b5cd6c26f5ab255dddb69e02f5dbcc7d5f1d3e66474a5c262ef3c085a8dd4bb3545a0a8faa5ddc530a89aaf4c981c57de631c035fc39a2c25838e2b567fa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\11789496.exe
        Filesize

        257KB

        MD5

        4097446966a1f8e5bc5e5dc449d594fb

        SHA1

        21b5ade485267fbc111fd46ca9aa10458251a520

        SHA256

        aa03b1948bd7bf8ee8048959a27386f6d631b2d4873588befeededa192ce7cd3

        SHA512

        3f50b5cd6c26f5ab255dddb69e02f5dbcc7d5f1d3e66474a5c262ef3c085a8dd4bb3545a0a8faa5ddc530a89aaf4c981c57de631c035fc39a2c25838e2b567fa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk720685.exe
        Filesize

        340KB

        MD5

        80af2c67431e948091ff0701e3810329

        SHA1

        71e5e57e3d12541d86a87fd87e9bf43cd6f7f748

        SHA256

        9b0ce8368ca835ccd188ebb819ee56a259c806b2b488388a54b73ee9e592652a

        SHA512

        0ab3035a29c36907855ab80560b6cef54dd337af0e42df23f635eea7eedce42516f1fe17fa168679fd6f0da96693444220650d0864e578d67a6f07a676e6b508

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk720685.exe
        Filesize

        340KB

        MD5

        80af2c67431e948091ff0701e3810329

        SHA1

        71e5e57e3d12541d86a87fd87e9bf43cd6f7f748

        SHA256

        9b0ce8368ca835ccd188ebb819ee56a259c806b2b488388a54b73ee9e592652a

        SHA512

        0ab3035a29c36907855ab80560b6cef54dd337af0e42df23f635eea7eedce42516f1fe17fa168679fd6f0da96693444220650d0864e578d67a6f07a676e6b508

        Download Submit

      • memory/396-148-0x0000000007310000-0x00000000078B4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/396-149-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/396-150-0x0000000007300000-0x0000000007310000-memory.dmp

        Filesize

        64KB

        Download

      • memory/396-151-0x0000000007300000-0x0000000007310000-memory.dmp

        Filesize

        64KB

        Download

      • memory/396-152-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-153-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-155-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-157-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-159-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-161-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-163-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-165-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-167-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-169-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-171-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-173-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-175-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-177-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-179-0x00000000049F0000-0x0000000004A03000-memory.dmp

        Filesize

        76KB

        Download

      • memory/396-180-0x0000000000400000-0x0000000002B9B000-memory.dmp

        Filesize

        39.6MB

        Download

      • memory/396-182-0x0000000007300000-0x0000000007310000-memory.dmp

        Filesize

        64KB

        Download

      • memory/396-184-0x0000000007300000-0x0000000007310000-memory.dmp

        Filesize

        64KB

        Download

      • memory/396-183-0x0000000007300000-0x0000000007310000-memory.dmp

        Filesize

        64KB

        Download

      • memory/396-185-0x0000000000400000-0x0000000002B9B000-memory.dmp

        Filesize

        39.6MB

        Download

      • memory/436-190-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-191-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-193-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-195-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-197-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-199-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-201-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-203-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-205-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-207-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-209-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-211-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-213-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-215-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-217-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-219-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-221-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-223-0x0000000002CE0000-0x0000000002D26000-memory.dmp

        Filesize

        280KB

        Download

      • memory/436-224-0x0000000004940000-0x0000000004950000-memory.dmp

        Filesize

        64KB

        Download

      • memory/436-225-0x0000000007730000-0x0000000007765000-memory.dmp

        Filesize

        212KB

        Download

      • memory/436-227-0x0000000004940000-0x0000000004950000-memory.dmp

        Filesize

        64KB

        Download

      • memory/436-229-0x0000000004940000-0x0000000004950000-memory.dmp

        Filesize

        64KB

        Download

      • memory/436-986-0x0000000009C40000-0x000000000A258000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/436-987-0x000000000A300000-0x000000000A312000-memory.dmp

        Filesize

        72KB

        Download

      • memory/436-988-0x000000000A320000-0x000000000A42A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/436-989-0x0000000004940000-0x0000000004950000-memory.dmp

        Filesize

        64KB

        Download

      • memory/436-990-0x000000000A440000-0x000000000A47C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/436-991-0x000000000A740000-0x000000000A7A6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/436-992-0x000000000AE10000-0x000000000AEA2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/436-993-0x000000000AFD0000-0x000000000B046000-memory.dmp

        Filesize

        472KB

        Download

      • memory/436-994-0x000000000B0A0000-0x000000000B262000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/436-995-0x000000000B280000-0x000000000B7AC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/436-996-0x000000000B830000-0x000000000B84E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/436-998-0x000000000B930000-0x000000000B980000-memory.dmp

        Filesize

        320KB

        Download

      • memory/436-1000-0x0000000004940000-0x0000000004950000-memory.dmp

        Filesize

        64KB

        Download

      • memory/436-1001-0x0000000004940000-0x0000000004950000-memory.dmp

        Filesize

        64KB

        Download

      • memory/436-1002-0x0000000004940000-0x0000000004950000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3356-1007-0x0000000000240000-0x0000000000268000-memory.dmp

        Filesize

        160KB

        Download

      • memory/3356-1008-0x0000000006FC0000-0x0000000006FD0000-memory.dmp

        Filesize

        64KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.