Overview

overview

9

Static

static

7

dridex

windows10-2004-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2023 08:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c193974cba2761aff38a848a4e9f31b5c8fcdff40595c8db24be95af7af6f7a.exe

  • Size

    5.8MB

  • MD5

    f638388e90b248c8289fe001cd81c259

  • SHA1

    974e3496f915fa1ecc8dcaf97faaf3c9c3da099a

  • SHA256

    3c193974cba2761aff38a848a4e9f31b5c8fcdff40595c8db24be95af7af6f7a

  • SHA512

    1aa39336199b5362818cfc4a59e8bf0c957bd30b66b420af3593fa36d02e49571dd35c74ea92dabd14599ae7324e4ccfdb04f9b5ad4effec1e079c893d75cf2d

  • SSDEEP

    98304:rUnbzxgNgqVpbTYVgZoj47MZ5FV0ZIvY4mQj1zvJmCwz6GFqknoYv6bBDF1c7jdN:rUnbtgNvpbXZ778hsIvY6j1cfuGFqiou

Score
9/10
evasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Themida packer 19 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c193974cba2761aff38a848a4e9f31b5c8fcdff40595c8db24be95af7af6f7a.exe
    "C:\Users\Admin\AppData\Local\Temp\3c193974cba2761aff38a848a4e9f31b5c8fcdff40595c8db24be95af7af6f7a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s1to.0.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3232
      • C:\Windows\SysWOW64\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:4324
      • C:\ProgramData\pinterests\XRJNZC.exe
        "C:\ProgramData\pinterests\XRJNZC.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3600
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 512
          4⤵
          • Program crash
          PID:5072
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3600 -ip 3600
    1⤵
      PID:3216

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\pinterests\XRJNZC.exe
      Filesize

      5.8MB

      MD5

      f638388e90b248c8289fe001cd81c259

      SHA1

      974e3496f915fa1ecc8dcaf97faaf3c9c3da099a

      SHA256

      3c193974cba2761aff38a848a4e9f31b5c8fcdff40595c8db24be95af7af6f7a

      SHA512

      1aa39336199b5362818cfc4a59e8bf0c957bd30b66b420af3593fa36d02e49571dd35c74ea92dabd14599ae7324e4ccfdb04f9b5ad4effec1e079c893d75cf2d

      Download Submit

    • C:\ProgramData\pinterests\XRJNZC.exe
      Filesize

      5.8MB

      MD5

      f638388e90b248c8289fe001cd81c259

      SHA1

      974e3496f915fa1ecc8dcaf97faaf3c9c3da099a

      SHA256

      3c193974cba2761aff38a848a4e9f31b5c8fcdff40595c8db24be95af7af6f7a

      SHA512

      1aa39336199b5362818cfc4a59e8bf0c957bd30b66b420af3593fa36d02e49571dd35c74ea92dabd14599ae7324e4ccfdb04f9b5ad4effec1e079c893d75cf2d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\s1to.0.bat
      Filesize

      176B

      MD5

      40331eceb249f153e95e58f711084123

      SHA1

      e1b71a7d3b140a5d770de616a564547b4cd19c43

      SHA256

      ada91eba82667656112e76aa43c7ea3af4b1f290d44fe24fa6b5fa359a8b4e7b

      SHA512

      90cacd7f2fc49867d76dd9578a07861c71eeac1b9d728cde22964cc88e4549728a1be949e790bff6b0f7bd57cf3daa955e33e64f69432f91e958b3e93ffb52a6

      Download Submit

    • memory/2364-12-0x0000000077744000-0x0000000077746000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2364-2-0x0000000003F60000-0x0000000003F61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2364-1-0x0000000003E50000-0x0000000003E51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2364-6-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2364-7-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2364-0-0x0000000000F10000-0x0000000001D0E000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/2364-13-0x0000000000F10000-0x0000000001D0E000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/2364-14-0x0000000000F10000-0x0000000001D0E000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/2364-15-0x0000000000F10000-0x0000000001D0E000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/2364-16-0x0000000000F10000-0x0000000001D0E000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/2364-17-0x0000000000F10000-0x0000000001D0E000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/2364-23-0x0000000000F10000-0x0000000001D0E000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/2364-5-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2364-3-0x0000000003F90000-0x0000000003F91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2364-4-0x0000000000F10000-0x0000000001D0E000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/3600-34-0x0000000003760000-0x0000000003761000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3600-39-0x00000000008E0000-0x00000000016DE000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/3600-29-0x00000000036F0000-0x00000000036F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3600-35-0x00000000008E0000-0x00000000016DE000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/3600-31-0x0000000003730000-0x0000000003731000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3600-45-0x00000000008E0000-0x00000000016DE000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/3600-30-0x0000000003720000-0x0000000003721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3600-32-0x00000000008E0000-0x00000000016DE000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/3600-33-0x0000000003740000-0x0000000003741000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3600-40-0x00000000008E0000-0x00000000016DE000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/3600-41-0x00000000008E0000-0x00000000016DE000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/3600-42-0x00000000008E0000-0x00000000016DE000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/3600-43-0x00000000008E0000-0x00000000016DE000-memory.dmp

      Filesize

      14.0MB

      Download

    • memory/3600-28-0x00000000036E0000-0x00000000036E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3600-27-0x00000000008E0000-0x00000000016DE000-memory.dmp

      Filesize

      14.0MB

      Download