Overview

overview

10

Static

static

10

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    172s
  • max time network
    190s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-11-2023 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66c8e00f46e83d91c5920cf9638b03b8b9095d22ed58744f2abc9fdebc550c9f.exe

  • Size

    1.3MB

  • MD5

    5a8c19f0298f074877ae3f0fdcf4e40f

  • SHA1

    7bf4408ad28f32a1ec63840a8a2c59916e77df81

  • SHA256

    66c8e00f46e83d91c5920cf9638b03b8b9095d22ed58744f2abc9fdebc550c9f

  • SHA512

    00ffdde9b5d270b379ff10c6524aa2a1ba4e62d9a4de8ef931d41a4b3045e8cc079905edcef5e3fe927126b365b676b7b0e75c0c6d16d29e32f6a122f2e37625

  • SSDEEP

    24576:Og+tmm6ugk+8JujxZ2YPBzK5tUMxdEvYt2RnG:OgrjpvsuXK5BsSP

Score
10/10
purelogsxmrigzgratminerratstealer

Malware Config

Signatures

  • Detect PureLogs payload 4 IoCs
  • Detect ZGRat V1 1 IoCs
  • PureLogs

    PureLogs is an infostealer written in C#.

    stealerpurelogs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 12 IoCs
    miner
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\66c8e00f46e83d91c5920cf9638b03b8b9095d22ed58744f2abc9fdebc550c9f.exe
    "C:\Users\Admin\AppData\Local\Temp\66c8e00f46e83d91c5920cf9638b03b8b9095d22ed58744f2abc9fdebc550c9f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3792
    • C:\Users\Admin\AppData\Local\Temp\66c8e00f46e83d91c5920cf9638b03b8b9095d22ed58744f2abc9fdebc550c9f.exe
      C:\Users\Admin\AppData\Local\Temp\66c8e00f46e83d91c5920cf9638b03b8b9095d22ed58744f2abc9fdebc550c9f.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4800
  • C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
    C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
      C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:724
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4624
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 41ro9pm28wkFbbFCnmC78AfqpdFTw3fE56kajDNhw3naU9nXJQiqSvi7Vv71yAxLG3hXtP5Jne8utHn1oHsPXo1MQBhA5D6.miners -p x --algo rx/0 --cpu-max-threads-hint=50
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:4716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\66c8e00f46e83d91c5920cf9638b03b8b9095d22ed58744f2abc9fdebc550c9f.exe.log
    Filesize

    1KB

    MD5

    84a01db52ea5a878520e162c80acfcd3

    SHA1

    49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

    SHA256

    25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

    SHA512

    0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RegSvcs.exe.log
    Filesize

    1KB

    MD5

    84a01db52ea5a878520e162c80acfcd3

    SHA1

    49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

    SHA256

    25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

    SHA512

    0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TypeId.exe.log
    Filesize

    1KB

    MD5

    84a01db52ea5a878520e162c80acfcd3

    SHA1

    49b7c5c072f6c32e54cc97c1dcbee90de0dd4738

    SHA256

    25ff806b9c85928aee814fa3aebbf45fa9735a7f594a6261f0779e89eb8c3bfe

    SHA512

    0516cbe6b9b7842be7f00ba3159a4df31257fc4e9db8ccb8f9f720801174f3d49327b7881c59ea12a4767c6d3e7c99a3b707c10279dfb39f12f9792134e6248e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
    Filesize

    1.3MB

    MD5

    5a8c19f0298f074877ae3f0fdcf4e40f

    SHA1

    7bf4408ad28f32a1ec63840a8a2c59916e77df81

    SHA256

    66c8e00f46e83d91c5920cf9638b03b8b9095d22ed58744f2abc9fdebc550c9f

    SHA512

    00ffdde9b5d270b379ff10c6524aa2a1ba4e62d9a4de8ef931d41a4b3045e8cc079905edcef5e3fe927126b365b676b7b0e75c0c6d16d29e32f6a122f2e37625

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
    Filesize

    1.3MB

    MD5

    5a8c19f0298f074877ae3f0fdcf4e40f

    SHA1

    7bf4408ad28f32a1ec63840a8a2c59916e77df81

    SHA256

    66c8e00f46e83d91c5920cf9638b03b8b9095d22ed58744f2abc9fdebc550c9f

    SHA512

    00ffdde9b5d270b379ff10c6524aa2a1ba4e62d9a4de8ef931d41a4b3045e8cc079905edcef5e3fe927126b365b676b7b0e75c0c6d16d29e32f6a122f2e37625

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NextChannelSink\TypeId.exe
    Filesize

    1.3MB

    MD5

    5a8c19f0298f074877ae3f0fdcf4e40f

    SHA1

    7bf4408ad28f32a1ec63840a8a2c59916e77df81

    SHA256

    66c8e00f46e83d91c5920cf9638b03b8b9095d22ed58744f2abc9fdebc550c9f

    SHA512

    00ffdde9b5d270b379ff10c6524aa2a1ba4e62d9a4de8ef931d41a4b3045e8cc079905edcef5e3fe927126b365b676b7b0e75c0c6d16d29e32f6a122f2e37625

    Download Submit

  • memory/724-43-0x00007FFF2FA30000-0x00007FFF304F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/724-34-0x00007FFF2FA30000-0x00007FFF304F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2544-32-0x000001B04BFA0000-0x000001B04BFB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2544-35-0x00007FFF2FA30000-0x00007FFF304F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2544-31-0x000001B04BFA0000-0x000001B04BFB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2544-27-0x000001B04BFA0000-0x000001B04BFB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2544-26-0x00007FFF2FA30000-0x00007FFF304F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3792-11-0x00007FFF2FB60000-0x00007FFF30621000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3792-0-0x0000020173A80000-0x0000020173BCE000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3792-6-0x00000201757E0000-0x000002017582C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3792-5-0x00000201762C0000-0x0000020176390000-memory.dmp

    Filesize

    832KB

    Download

  • memory/3792-4-0x0000020176170000-0x0000020176240000-memory.dmp

    Filesize

    832KB

    Download

  • memory/3792-3-0x00000201762B0000-0x00000201762C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3792-2-0x00007FFF2FB60000-0x00007FFF30621000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3792-1-0x00000201758A0000-0x0000020175988000-memory.dmp

    Filesize

    928KB

    Download

  • memory/4060-29-0x00007FFF2FA30000-0x00007FFF304F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4060-23-0x00000187F3B60000-0x00000187F3B70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4060-22-0x00007FFF2FA30000-0x00007FFF304F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4624-40-0x000001FEF80D0000-0x000001FEF80E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4624-41-0x000001FEF80D0000-0x000001FEF80E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4624-42-0x000001FEF80D0000-0x000001FEF80E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4624-44-0x00007FFF2FA30000-0x00007FFF304F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4624-45-0x000001FEF80D0000-0x000001FEF80E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4624-56-0x000001FEF80D0000-0x000001FEF80E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4624-58-0x000001FEF80D0000-0x000001FEF80E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4624-39-0x00007FFF2FA30000-0x00007FFF304F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4716-50-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4716-51-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4716-63-0x00000262BF450000-0x00000262BF470000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4716-62-0x00000262BF450000-0x00000262BF470000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4716-61-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4716-60-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4716-46-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4716-47-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4716-48-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4716-49-0x00000262BD9D0000-0x00000262BD9F0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/4716-59-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4716-57-0x00000262BF410000-0x00000262BF450000-memory.dmp

    Filesize

    256KB

    Download

  • memory/4716-52-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4716-53-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4716-54-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4716-55-0x0000000140000000-0x00000001407CF000-memory.dmp

    Filesize

    7.8MB

    Download

  • memory/4800-10-0x000001855CBA0000-0x000001855CCA0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4800-19-0x00007FFF2FB60000-0x00007FFF30621000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4800-7-0x0000000000400000-0x00000000004B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4800-12-0x00007FFF2FB60000-0x00007FFF30621000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4800-13-0x00000185443F0000-0x0000018544400000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4800-14-0x0000018544470000-0x0000018544478000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4800-15-0x000001855CDA0000-0x000001855CDF6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/4800-16-0x000001855D6B0000-0x000001855D704000-memory.dmp

    Filesize

    336KB

    Download