Overview

overview

7

Static

static

3

dridex

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2023, 19:57 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344.exe

  • Size

    4.0MB

  • MD5

    e0200372ab084cee7c02519fa32a5b0e

  • SHA1

    baf75851368121a6e0e2598b8cefea5a9023284a

  • SHA256

    02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344

  • SHA512

    8b78c779811119e5bca214cacc2e0607fa20da4c05fa82b7e897b64585b7d0684ee6d7a5b9cf6e489dd8662055a36093efd59d3f483238472e790c1743dfcc3d

  • SSDEEP

    98304:HdL9xWLs1Esvx3VRy2XOwnqoQyVHXoblgL74+7e:9zwM5S2X9qM3oqLU+7e

Score
7/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Unexpected DNS network traffic destination 4 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 28 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344.exe
    "C:\Users\Admin\AppData\Local\Temp\02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Users\Admin\AppData\Local\Temp\is-S4PDG.tmp\is-B8MBD.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-S4PDG.tmp\is-B8MBD.tmp" /SL4 $50116 "C:\Users\Admin\AppData\Local\Temp\02725234c6d7748c366690230cb7ee7bd4146cee3f730075bbefa19f01c89344.exe" 3876134 242176
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /Query
        3⤵
          PID:1672
        • C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe
          "C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe" -i
          3⤵
          • Executes dropped EXE
          PID:1712
        • C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe
          "C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe" -s
          3⤵
          • Executes dropped EXE
          PID:2036

    Network

    • flag-us
      DNS
      158.240.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      158.240.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      134.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      134.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      2.136.104.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.136.104.51.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      103.169.127.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      103.169.127.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      56.126.166.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      56.126.166.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      192.240.110.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      192.240.110.104.in-addr.arpa
      IN PTR
      Response
      192.240.110.104.in-addr.arpa
      IN PTR
      a104-110-240-192deploystaticakamaitechnologiescom
    • flag-us
      DNS
      31.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      169.255.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      169.255.221.88.in-addr.arpa
      IN PTR
      Response
      169.255.221.88.in-addr.arpa
      IN PTR
      a88-221-255-169deploystaticakamaitechnologiescom
    • flag-fr
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      51.159.66.125:53
      Request
      aaebjoh.ru
      IN A
    • flag-fr
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      51.159.66.125:53
      Request
      aaebjoh.ru
      IN A
    • flag-fr
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      51.159.66.125:53
      Request
      aaebjoh.ru
      IN A
    • flag-fr
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      51.159.66.125:53
      Request
      aaebjoh.ru
      IN A
    • flag-fr
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      51.159.66.125:53
      Request
      aaebjoh.ru
      IN A
    • flag-us
      DNS
      125.66.159.51.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      125.66.159.51.in-addr.arpa
      IN PTR
      Response
      125.66.159.51.in-addr.arpa
      IN PTR
      51-159-66-125rev poneytelecomeu
    • flag-nl
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      217.23.6.51:53
      Request
      aaebjoh.ru
      IN A
    • flag-nl
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      217.23.6.51:53
      Request
      aaebjoh.ru
      IN A
    • flag-nl
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      217.23.6.51:53
      Request
      aaebjoh.ru
      IN A
    • flag-nl
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      217.23.6.51:53
      Request
      aaebjoh.ru
      IN A
    • flag-nl
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      217.23.6.51:53
      Request
      aaebjoh.ru
      IN A
    • flag-us
      DNS
      51.6.23.217.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      51.6.23.217.in-addr.arpa
      IN PTR
      Response
      51.6.23.217.in-addr.arpa
      IN PTR
      217-23-6-51hosted-by-worldstreamnet
    • flag-us
      DNS
      90.16.208.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      90.16.208.104.in-addr.arpa
      IN PTR
      Response
    • flag-fr
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      151.80.38.159:53
      Request
      aaebjoh.ru
      IN A
    • flag-fr
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      151.80.38.159:53
      Request
      aaebjoh.ru
      IN A
    • flag-fr
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      151.80.38.159:53
      Request
      aaebjoh.ru
      IN A
    • flag-fr
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      151.80.38.159:53
      Request
      aaebjoh.ru
      IN A
    • flag-fr
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      151.80.38.159:53
      Request
      aaebjoh.ru
      IN A
    • flag-nl
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      217.23.9.168:53
      Request
      aaebjoh.ru
      IN A
    • flag-nl
      DNS
      aaebjoh.ru
      ZxingPDF.exe
      Remote address:
      217.23.9.168:53
      Request
      aaebjoh.ru
      IN A
    • flag-us
      DNS
      159.38.80.151.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      159.38.80.151.in-addr.arpa
      IN PTR
      Response
      159.38.80.151.in-addr.arpa
      IN PTR
      105gra1ovhabcdnetwork
    • flag-us
      DNS
      168.9.23.217.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      168.9.23.217.in-addr.arpa
      IN PTR
      Response
      168.9.23.217.in-addr.arpa
      IN PTR
      217-23-9-168hosted-by-worldstreamnet
    No results found
    • 8.8.8.8:53
      158.240.127.40.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      158.240.127.40.in-addr.arpa

    • 8.8.8.8:53
      134.32.126.40.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      134.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      2.136.104.51.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      2.136.104.51.in-addr.arpa

    • 8.8.8.8:53
      103.169.127.40.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      103.169.127.40.in-addr.arpa

    • 8.8.8.8:53
      56.126.166.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      56.126.166.20.in-addr.arpa

    • 8.8.8.8:53
      192.240.110.104.in-addr.arpa
      dns
      74 B
       141 B
       1
      1

      DNS Request

      192.240.110.104.in-addr.arpa

    • 8.8.8.8:53
      31.243.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      31.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      169.255.221.88.in-addr.arpa
      dns
      73 B
       139 B
       1
      1

      DNS Request

      169.255.221.88.in-addr.arpa

    • 51.159.66.125:53
      aaebjoh.ru
      dns
      ZxingPDF.exe
      280 B
       5

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

    • 8.8.8.8:53
      125.66.159.51.in-addr.arpa
      dns
      72 B
       119 B
       1
      1

      DNS Request

      125.66.159.51.in-addr.arpa

    • 217.23.6.51:53
      aaebjoh.ru
      dns
      ZxingPDF.exe
      280 B
       5

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

    • 8.8.8.8:53
      51.6.23.217.in-addr.arpa
      dns
      70 B
       121 B
       1
      1

      DNS Request

      51.6.23.217.in-addr.arpa

    • 8.8.8.8:53
      90.16.208.104.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      90.16.208.104.in-addr.arpa

    • 151.80.38.159:53
      aaebjoh.ru
      dns
      ZxingPDF.exe
      280 B
       5

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

    • 217.23.9.168:53
      aaebjoh.ru
      dns
      ZxingPDF.exe
      112 B
       2

      DNS Request

      aaebjoh.ru

      DNS Request

      aaebjoh.ru

    • 8.8.8.8:53
      159.38.80.151.in-addr.arpa
      dns
      72 B
       111 B
       1
      1

      DNS Request

      159.38.80.151.in-addr.arpa

    • 8.8.8.8:53
      168.9.23.217.in-addr.arpa
      dns
      71 B
       123 B
       1
      1

      DNS Request

      168.9.23.217.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe
      Filesize

      2.0MB

      MD5

      330c3f73c995dbc18c9211269fc579ee

      SHA1

      32596c55cfc47c80a8c21dbb28538836cecec40d

      SHA256

      c558e1a93895386068de911f2f92b9e7680b7e3b3649894ccae8f7b12d56849d

      SHA512

      13e095500ad5a57637a7d53ca88deae73921388a0959298fbb8a127f08bec7b108d00405063e6138d1b572b19da9a16ee48564a6ed43880f2a83bdb5428756ca

      Download Submit

    • C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe
      Filesize

      2.0MB

      MD5

      330c3f73c995dbc18c9211269fc579ee

      SHA1

      32596c55cfc47c80a8c21dbb28538836cecec40d

      SHA256

      c558e1a93895386068de911f2f92b9e7680b7e3b3649894ccae8f7b12d56849d

      SHA512

      13e095500ad5a57637a7d53ca88deae73921388a0959298fbb8a127f08bec7b108d00405063e6138d1b572b19da9a16ee48564a6ed43880f2a83bdb5428756ca

      Download Submit

    • C:\Program Files (x86)\ZxingPDF\ZxingPDF.exe
      Filesize

      2.0MB

      MD5

      330c3f73c995dbc18c9211269fc579ee

      SHA1

      32596c55cfc47c80a8c21dbb28538836cecec40d

      SHA256

      c558e1a93895386068de911f2f92b9e7680b7e3b3649894ccae8f7b12d56849d

      SHA512

      13e095500ad5a57637a7d53ca88deae73921388a0959298fbb8a127f08bec7b108d00405063e6138d1b572b19da9a16ee48564a6ed43880f2a83bdb5428756ca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-LE9RS.tmp\_iscrypt.dll
      Filesize

      2KB

      MD5

      a69559718ab506675e907fe49deb71e9

      SHA1

      bc8f404ffdb1960b50c12ff9413c893b56f2e36f

      SHA256

      2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

      SHA512

      e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-S4PDG.tmp\is-B8MBD.tmp
      Filesize

      643KB

      MD5

      a991510c12f20ccf8a5231a32a7958c3

      SHA1

      122724d1a4fdea39af3aa427e4941158d7e91dfa

      SHA256

      0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

      SHA512

      8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\is-S4PDG.tmp\is-B8MBD.tmp
      Filesize

      643KB

      MD5

      a991510c12f20ccf8a5231a32a7958c3

      SHA1

      122724d1a4fdea39af3aa427e4941158d7e91dfa

      SHA256

      0c3ab280e156e9ff6a325267bc5d721f71dcb12490a53a03a033d932272f9198

      SHA512

      8f387a6189f6fa51f84004706589ed1706dfd08dfc38c1f8ce3ce010f37efac085fd241396ab69bc25c86174a4637492163bf3cb26f88639551dc9fa0c52eafa

      Download Submit

    • memory/868-81-0x0000000000400000-0x00000000004CF000-memory.dmp

      Filesize

      828KB

      Download

    • memory/868-83-0x0000000002250000-0x0000000002251000-memory.dmp

      Filesize

      4KB

      Download

    • memory/868-7-0x0000000002250000-0x0000000002251000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1712-72-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1712-74-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1712-75-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1712-70-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-90-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-99-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-127-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-124-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-82-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-78-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-86-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-87-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-121-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-93-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-96-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-79-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-101-0x0000000000750000-0x00000000007FA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/2036-105-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-108-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-109-0x0000000000750000-0x00000000007FA000-memory.dmp

      Filesize

      680KB

      Download

    • memory/2036-112-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-115-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/2036-118-0x0000000000400000-0x0000000000609000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/5040-2-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

      Download

    • memory/5040-0-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

      Download

    • memory/5040-80-0x0000000000400000-0x0000000000441000-memory.dmp

      Filesize

      260KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.