Overview

overview

8

Static

static

3

dridex

windows10-2004-x64

8

Analysis

  • max time kernel
    142s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230831-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-09-2023 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fda8cd3cfc7e0067e5f5323399038f3304ade670b2e1b327c1430dc615ec2062.exe

  • Size

    349KB

  • MD5

    d932fd367c2d603dc3b11aabd8a62546

  • SHA1

    42960fe85a9c6be9819d43984582e0e13f684506

  • SHA256

    fda8cd3cfc7e0067e5f5323399038f3304ade670b2e1b327c1430dc615ec2062

  • SHA512

    03c39fdd97708070dc6923eb282d12d81b4224e4cb3c5897fc00d8190dcf087bbe8ba21ede12717ec30e0f115a1997e00ae04d30b25947ad4986db62d5a890c2

  • SSDEEP

    3072:AZ7Il8gafR3KsOhtQs4+M/SKx2TA9PFCWpZM/eWrsNLs+OQsa37KNFn/6731ryPP:M7cgRasOjA+bebbrL3OYeFy7qC0shTy

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\fda8cd3cfc7e0067e5f5323399038f3304ade670b2e1b327c1430dc615ec2062.exe
    "C:\Users\Admin\AppData\Local\Temp\fda8cd3cfc7e0067e5f5323399038f3304ade670b2e1b327c1430dc615ec2062.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9380393321.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Users\Admin\AppData\Local\Temp\9380393321.exe
        "C:\Users\Admin\AppData\Local\Temp\9380393321.exe"
        3⤵
        • Executes dropped EXE
        PID:2240
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "fda8cd3cfc7e0067e5f5323399038f3304ade670b2e1b327c1430dc615ec2062.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fda8cd3cfc7e0067e5f5323399038f3304ade670b2e1b327c1430dc615ec2062.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /im "fda8cd3cfc7e0067e5f5323399038f3304ade670b2e1b327c1430dc615ec2062.exe" /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3476
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 1648
      2⤵
      • Program crash
      PID:4528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2268 -ip 2268
    1⤵
      PID:3416
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p
      1⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:4928

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\9380393321.exe
      Filesize

      500KB

      MD5

      523ad6be6bc5ab3a05ff3727e5cc2d4e

      SHA1

      0f2747fb399c6ec4890e7ab05d995de6457fca0f

      SHA256

      15609411e286631dabd4916a34067b3f9a3bbb7b121150ae06d824efbabc2e2f

      SHA512

      fce703523d38590007b3057dff77aa55989ea1fa1e54fb7683d1c3a9d2612cce2d58fb50f7c5e85c0ce6584f11f84d02f08f8cf7914fd464aca314d674f20062

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\9380393321.exe
      Filesize

      500KB

      MD5

      523ad6be6bc5ab3a05ff3727e5cc2d4e

      SHA1

      0f2747fb399c6ec4890e7ab05d995de6457fca0f

      SHA256

      15609411e286631dabd4916a34067b3f9a3bbb7b121150ae06d824efbabc2e2f

      SHA512

      fce703523d38590007b3057dff77aa55989ea1fa1e54fb7683d1c3a9d2612cce2d58fb50f7c5e85c0ce6584f11f84d02f08f8cf7914fd464aca314d674f20062

      Download Submit

    • memory/2268-0-0x00000000026F0000-0x0000000002714000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2268-1-0x00000000001C0000-0x00000000001FE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2268-2-0x0000000000400000-0x0000000002446000-memory.dmp

      Filesize

      32.3MB

      Download

    • memory/2268-12-0x0000000000400000-0x0000000002446000-memory.dmp

      Filesize

      32.3MB

      Download

    • memory/2268-14-0x00000000026F0000-0x0000000002714000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2268-15-0x00000000001C0000-0x00000000001FE000-memory.dmp

      Filesize

      248KB

      Download