Overview

overview

10

Static

static

3

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04/05/2023, 15:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    36f8583ffa056f168fda300a479f5050c8f2abcc2db39c3d3c8aeab6fdbdc862.exe

  • Size

    599KB

  • MD5

    6e7e832224324817f46a5984867c06fe

  • SHA1

    f7298ce86995830fa5e52c5de06bb5ccd47477be

  • SHA256

    36f8583ffa056f168fda300a479f5050c8f2abcc2db39c3d3c8aeab6fdbdc862

  • SHA512

    92bf58802aadd4dc8fbbb15f176d606cb3cd77a883d609970b11d2ec38ade9b1109960f25fed94c6b3db9d2a92365f815c664226d7e9f92c1a87b4152067384c

  • SSDEEP

    12288:uMrqy90Dc7pqF8oX1Ig+Vh3qpME3EDKs7OciJggA3XHX:oyFsygag+VRCBhsLiugUXX

Score
10/10
discoveryevasionpersistencespywarestealertrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36f8583ffa056f168fda300a479f5050c8f2abcc2db39c3d3c8aeab6fdbdc862.exe
    "C:\Users\Admin\AppData\Local\Temp\36f8583ffa056f168fda300a479f5050c8f2abcc2db39c3d3c8aeab6fdbdc862.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4148
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9669166.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9669166.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3596
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1865473.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1865473.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2344
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4280008.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4280008.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4304
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m3713255.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m3713255.exe
      2⤵
      • Executes dropped EXE
      PID:3984
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 620
        3⤵
        • Program crash
        PID:1120
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 700
        3⤵
        • Program crash
        PID:1728
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 844
        3⤵
        • Program crash
        PID:3532
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 872
        3⤵
        • Program crash
        PID:3528
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 880
        3⤵
        • Program crash
        PID:3488
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 888
        3⤵
        • Program crash
        PID:1740
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1120
        3⤵
        • Program crash
        PID:2964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1152
        3⤵
        • Program crash
        PID:3100
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1080
        3⤵
        • Program crash
        PID:4692

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m3713255.exe
          Filesize

          340KB

          MD5

          f92c51a33c9c4b05b5519738663925e0

          SHA1

          002041315d552bddfa3e5458b8eb51e50cd07626

          SHA256

          abc38dd4ba2e868e99ab4dc3a68a0baaed70c6d6171cac33f88ea9e257cc2a80

          SHA512

          615d045672a3049a830e9e23df35adb2961c4b21c5daa60413ea703a029dedaa186e3ad5c90e250307712c3aa0a2f1be4466ac5eedb8657369ef6099bb1f5e48

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m3713255.exe
          Filesize

          340KB

          MD5

          f92c51a33c9c4b05b5519738663925e0

          SHA1

          002041315d552bddfa3e5458b8eb51e50cd07626

          SHA256

          abc38dd4ba2e868e99ab4dc3a68a0baaed70c6d6171cac33f88ea9e257cc2a80

          SHA512

          615d045672a3049a830e9e23df35adb2961c4b21c5daa60413ea703a029dedaa186e3ad5c90e250307712c3aa0a2f1be4466ac5eedb8657369ef6099bb1f5e48

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9669166.exe
          Filesize

          307KB

          MD5

          f9bb081ac23b509752ac3de4099bb1d2

          SHA1

          17f89f6b73823f2f129b43f3f9d065d95b19a95e

          SHA256

          516a5a94cc2d8bb83dd7c0364f46d32c6abce93821c05a3f58fd1b69e651f8db

          SHA512

          078475dccd624abaa1282bd5380d5dada74dced403417cdcc64051fdaf3f28f1895d2cdbe09a1a55f8c1c5e8f0187674ed4a592f0dfe8a16260d9fab964b8ca4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9669166.exe
          Filesize

          307KB

          MD5

          f9bb081ac23b509752ac3de4099bb1d2

          SHA1

          17f89f6b73823f2f129b43f3f9d065d95b19a95e

          SHA256

          516a5a94cc2d8bb83dd7c0364f46d32c6abce93821c05a3f58fd1b69e651f8db

          SHA512

          078475dccd624abaa1282bd5380d5dada74dced403417cdcc64051fdaf3f28f1895d2cdbe09a1a55f8c1c5e8f0187674ed4a592f0dfe8a16260d9fab964b8ca4

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1865473.exe
          Filesize

          136KB

          MD5

          59eb250f23b2e7dc6fb3dd077347bc0b

          SHA1

          054b8eb0a3502da81fcfdf51dca1edc5def42731

          SHA256

          6c703116f4c6bb46d803b79c09d968a7dc450e605ee9a01a608ca24b1d558c67

          SHA512

          99a6feb06786cc549646c327cdce374651dc20d8c10c82a4219b699c4ec6725649adf0d48fd4565e4e8a48bb005ad27709d3b7eca627c327682c3dd0500e294e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1865473.exe
          Filesize

          136KB

          MD5

          59eb250f23b2e7dc6fb3dd077347bc0b

          SHA1

          054b8eb0a3502da81fcfdf51dca1edc5def42731

          SHA256

          6c703116f4c6bb46d803b79c09d968a7dc450e605ee9a01a608ca24b1d558c67

          SHA512

          99a6feb06786cc549646c327cdce374651dc20d8c10c82a4219b699c4ec6725649adf0d48fd4565e4e8a48bb005ad27709d3b7eca627c327682c3dd0500e294e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4280008.exe
          Filesize

          175KB

          MD5

          86a275972779ee0d661bb5721986b940

          SHA1

          a59ac617d8b5fde1c4ebdf907c10fba4e1bdbf60

          SHA256

          20907d8f2e1838cedd8f9559a5841a22a74f31676da3d194a03ca0d1de14a126

          SHA512

          edf7a3701b7e2bfb19fb727a0fa0c795e256316d674c433a9eff043539a249233cc3977c5fbbc4732bab27baa296f50139e7ad2dd6f33fb8881acd935a2fe15e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4280008.exe
          Filesize

          175KB

          MD5

          86a275972779ee0d661bb5721986b940

          SHA1

          a59ac617d8b5fde1c4ebdf907c10fba4e1bdbf60

          SHA256

          20907d8f2e1838cedd8f9559a5841a22a74f31676da3d194a03ca0d1de14a126

          SHA512

          edf7a3701b7e2bfb19fb727a0fa0c795e256316d674c433a9eff043539a249233cc3977c5fbbc4732bab27baa296f50139e7ad2dd6f33fb8881acd935a2fe15e

          Download Submit

        • memory/2344-138-0x00000000084B0000-0x0000000008542000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2344-143-0x0000000009120000-0x00000000092E2000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/2344-136-0x00000000079D0000-0x00000000079E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2344-137-0x0000000007A50000-0x0000000007AB6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2344-134-0x00000000076C0000-0x00000000076FE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2344-139-0x0000000008A50000-0x0000000008F4E000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/2344-140-0x0000000008800000-0x0000000008876000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2344-141-0x0000000008490000-0x00000000084AE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2344-142-0x0000000008920000-0x0000000008970000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2344-135-0x0000000007700000-0x000000000774B000-memory.dmp

          Filesize

          300KB

          Download

        • memory/2344-144-0x0000000009820000-0x0000000009D4C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/2344-133-0x0000000007790000-0x000000000789A000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/2344-132-0x0000000007660000-0x0000000007672000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2344-130-0x0000000000980000-0x00000000009A8000-memory.dmp

          Filesize

          160KB

          Download

        • memory/2344-131-0x0000000007BC0000-0x00000000081C6000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/3984-187-0x00000000006F0000-0x0000000000725000-memory.dmp

          Filesize

          212KB

          Download

        • memory/3984-188-0x0000000000400000-0x00000000006EF000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/4304-150-0x00000000023D0000-0x00000000023E8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4304-156-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-158-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-160-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-162-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-164-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-166-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-168-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-170-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-172-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-174-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-176-0x0000000004B10000-0x0000000004B20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4304-178-0x0000000004B10000-0x0000000004B20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4304-181-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-180-0x0000000004B10000-0x0000000004B20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4304-177-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-154-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-152-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-151-0x00000000023D0000-0x00000000023E2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4304-149-0x00000000006D0000-0x00000000006EA000-memory.dmp

          Filesize

          104KB

          Download