Analysis

  • max time kernel: 148s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14-05-2023 01:18

General

  • Target: b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exe
  • Size: 541KB
  • MD5: c159fc653a86ef3eab80e5d06b9cfa2c
  • SHA1: f95b35bcd8528dafda2b8fd53bed2bab150676e3
  • SHA256: b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b
  • SHA512: 78ee8d1c957f21e6023f4c9096f63c9bc697620cfc7584bb937b4cffb792f312c8fd0cb586c0aa4f43ddf8e622042f2c85852f10018e0c5799d6dd02903ab9f2
  • SSDEEP: 12288:lBXSh9d55EWf6bkHXgtQZDsfDfWXWBt9ExkUp8ZbcoahOOufKlgc+ABeaESJAzEM:7QZQz8Du4

Malware Config

Signatures

  • Vjw0rm

    Vjw0rm is a remote access trojan written in JavaScript.

  • WSHRAT

    WSHRAT is a variant of the Houdini worm and exists in both VBS and JS variants.

  • WSHRAT payload 3 IoCs
  • Blocklisted process makes network request 10 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 3 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exe (PID 4400, depth 1)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b6e0c17a224fe0df6f58add122e0420aad76a697c1d7634aa0cfe2f5dc84dc2b.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\wscript.exe (PID 4148, depth 2)
      Command line: "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\lRDdN.vbs"
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\wscript.exe (PID 4152, depth 3)
        Command line: "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\lRDdN.vbs"
        • Blocklisted process makes network request
        • Checks computer location settings
        • Drops startup file
        • Adds Run key to start application
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        • C:\Windows\SysWOW64\WScript.exe (PID 1580, depth 4)
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\windows.js"
          • Blocklisted process makes network request
          • Drops startup file
          • Adds Run key to start application

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1
  • Defense Evasion: Modify Registry (T1112), 1
  • Discovery: Query Registry (T1012), 1; System Information Discovery (T1082), 2
  • Command and Control: Web Service (T1102), 1


Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs (no filesize recorded; the hashes below are those of an empty file)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRDdN.vbs
    Filesize: 185KB
    MD5: 43fca5129026c9b6b49ce26c27759df2
    SHA1: 46a4acdd5faae42e04ba753f69e6e777324ae8e9
    SHA256: a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e
    SHA512: c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.js
    Filesize: 3KB
    MD5: 14d1d9d3dc5e8d0eac04d5b78645a2ea
    SHA1: aa14b5a613919e41c4d97fef48ff1a24ff06fd2b
    SHA256: 92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36
    SHA512: e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c

  • C:\Users\Admin\AppData\Roaming\lRDdN.vbs
    Filesize: 185KB
    MD5: 43fca5129026c9b6b49ce26c27759df2
    SHA1: 46a4acdd5faae42e04ba753f69e6e777324ae8e9
    SHA256: a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e
    SHA512: c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

  • C:\Users\Admin\lRDdN.vbs
    Filesize: 185KB
    MD5: 43fca5129026c9b6b49ce26c27759df2
    SHA1: 46a4acdd5faae42e04ba753f69e6e777324ae8e9
    SHA256: a6772f8687d81d92138a6cfa10ead2b3c409a0884053a1600c640ae65eea517e
    SHA512: c465b24ebba4ce399e7e8605b8b93993e92916b653c42c470e9168a8a9573bfc42bb1dc730674e1fc7656453820fc3a19240514c1bd2b8acf32d87ffa09cf228

  • C:\Users\Admin\windows.js
    Filesize: 3KB
    MD5: 14d1d9d3dc5e8d0eac04d5b78645a2ea
    SHA1: aa14b5a613919e41c4d97fef48ff1a24ff06fd2b
    SHA256: 92d5609974d3d52dc028185e819111679f0ff052c1e3b951e2eee9b18e361f36
    SHA512: e13cc2ca8b4dc4564a2176e4bc06d2a3271a957918cb84589402462ea2fe33782eb92ab1575187ab07ac3e270e8301607bff6b7ccb1dd688666be940716f092c

  • memory/4400-133-0x0000000001510000-0x0000000001520000-memory.dmp
    Filesize: 64KB