Overview

overview

7

Static

static

3

dridex

windows10-2004-x64

7

Analysis

  • max time kernel
    135s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/05/2023, 21:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe

  • Size

    438KB

  • MD5

    6e556d49fbf0274dc4e806399e742733

  • SHA1

    77cfe6cc7956083a4479896073b05741534b8e7c

  • SHA256

    b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45

  • SHA512

    6c4c4438c1b44dce28567a7b2cfa4fd3c3972eba835ab600be3c6304692c8a73f9c75268fa02fc119938bbb1620a9fb9f3aae911c3d9b85cc07b6cd11071c4d7

  • SSDEEP

    6144:sYpMkLXBVVz9OodL7+kTFsKAF4KJffL9VUjnSnL1gPoQQl:sYL7B30ogKH4XL9ujnEL1E

Score
7/10
discoveryspywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe
    "C:\Users\Admin\AppData\Local\Temp\b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4892
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1308
      2⤵
      • Program crash
      PID:4760
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4892 -ip 4892
    1⤵
      PID:760

    Network

    • flag-us
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      janjackfrs.com
      b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe
      Remote address:
      8.8.8.8:53
      Request
      janjackfrs.com
      IN A
      Response
      janjackfrs.com
      IN A
      176.124.192.196
    • flag-us
      DNS
      196.192.124.176.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.192.124.176.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      api.ip.sb
      b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe
      Remote address:
      8.8.8.8:53
      Request
      api.ip.sb
      IN A
      Response
      api.ip.sb
      IN CNAME
      api.ip.sb.cdn.cloudflare.net
      api.ip.sb.cdn.cloudflare.net
      IN A
      104.26.13.31
      api.ip.sb.cdn.cloudflare.net
      IN A
      104.26.12.31
      api.ip.sb.cdn.cloudflare.net
      IN A
      172.67.75.172
    • flag-us
      GET
      https://api.ip.sb/ip
      b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe
      Remote address:
      104.26.13.31:443
      Request
      GET /ip HTTP/1.1
      Host: api.ip.sb
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sun, 07 May 2023 21:10:35 GMT
      Content-Type: text/plain
      Transfer-Encoding: chunked
      Connection: keep-alive
      vary: Accept-Encoding
      Cache-Control: no-cache
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=yir13o75DCAgTkzmlKcA4IZR8TDVwZXlRQ24aGShMPAZSt9uaUM7BIhCOstugyZG1YI2fUCOFkUMeTiFGvgc25gkiTcPN%2Bh35%2BJjKQIMhUx0Hv7bXskAYgIBZA%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
      Server: cloudflare
      CF-RAY: 7c3c73570f4928a1-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    • flag-us
      DNS
      31.13.26.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.13.26.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      123.108.74.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      123.108.74.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      64.13.109.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      64.13.109.52.in-addr.arpa
      IN PTR
      Response
    • 176.124.192.196:80
      janjackfrs.com
      http
      b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe
      759.5kB
       15.5kB
       518
      219
    • 104.26.13.31:443
      https://api.ip.sb/ip
      tls, http
      b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe
      756 B
       3.9kB
       9
      8

      HTTP Request

      GET https://api.ip.sb/ip

      HTTP Response

      200
    • 52.152.110.14:443
      260 B
       5
    • 52.168.112.66:443
      322 B
       7
    • 52.152.110.14:443
      260 B
       5
    • 173.223.113.164:443
      322 B
       7
    • 173.223.113.131:80
      322 B
       7
    • 204.79.197.203:80
      322 B
       7
    • 209.197.3.8:80
      322 B
       7
    • 52.152.110.14:443
      260 B
       5
    • 52.152.110.14:443
      260 B
       5
    • 52.152.110.14:443
      260 B
       5
    • 52.152.110.14:443
      260 B
       5
    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      janjackfrs.com
      dns
      b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe
      60 B
       76 B
       1
      1

      DNS Request

      janjackfrs.com

      DNS Response

      176.124.192.196

    • 8.8.8.8:53
      196.192.124.176.in-addr.arpa
      dns
      74 B
       134 B
       1
      1

      DNS Request

      196.192.124.176.in-addr.arpa

    • 8.8.8.8:53
      api.ip.sb
      dns
      b3e0abcc4da87e90dee64295814e432ad46be9ae67cfac687044457283e07a45.exe
      55 B
       145 B
       1
      1

      DNS Request

      api.ip.sb

      DNS Response

      104.26.13.31
      104.26.12.31
      172.67.75.172

    • 8.8.8.8:53
      31.13.26.104.in-addr.arpa
      dns
      71 B
       133 B
       1
      1

      DNS Request

      31.13.26.104.in-addr.arpa

    • 8.8.8.8:53
      123.108.74.40.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      123.108.74.40.in-addr.arpa

    • 8.8.8.8:53
      64.13.109.52.in-addr.arpa
      dns
      71 B
       145 B
       1
      1

      DNS Request

      64.13.109.52.in-addr.arpa

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4892-134-0x0000000002460000-0x00000000024A6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/4892-135-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-136-0x0000000004FB0000-0x0000000005554000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4892-138-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-137-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-139-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-140-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-142-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-144-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-148-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-146-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-152-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-150-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-154-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-156-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-158-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-160-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-162-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-164-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-166-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-168-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-170-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-172-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-174-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-176-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-178-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-180-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-182-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-184-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-186-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-188-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-190-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-192-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-194-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-196-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-198-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-202-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-200-0x0000000004E00000-0x0000000004E35000-memory.dmp

      Filesize

      212KB

      Download

    • memory/4892-931-0x00000000078E0000-0x0000000007EF8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4892-932-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4892-933-0x0000000007FC0000-0x00000000080CA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4892-934-0x00000000080E0000-0x000000000811C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4892-935-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-936-0x00000000083F0000-0x0000000008456000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4892-937-0x00000000093A0000-0x0000000009432000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4892-938-0x0000000009460000-0x00000000094D6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/4892-940-0x0000000009530000-0x00000000096F2000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4892-941-0x0000000009750000-0x0000000009C7C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4892-942-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-943-0x0000000009D50000-0x0000000009D6E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4892-944-0x00000000048F0000-0x0000000004940000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4892-945-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-947-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

      Filesize

      64KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.