Analysis
-
max time kernel
115s -
max time network
151s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
23-11-2020 13:37
General
-
Target
w5ossf6nf.exe
-
Size
360KB
-
MD5
c966ec47c0480c3a6be2a1231a83c8a1
-
SHA1
b15e12449be1ea174dfd224935fa6d78e1c58f5a
-
SHA256
4b1f2c18b149fd0e878c362ffba50bb553d7bea93a795b33e398d032dc0b7663
-
SHA512
35b3b6e9aebaa447f2cbf6a9fb7d24985475870285c6ea1bde7b8ccfd3ea956761691e44103d391ec89d8af6f43d73627a09c1c36b19f24caeab1453edd69f5e
Malware Config
Extracted
smokeloader
2020
http://penodux.com/xsmkld/index.php
http://tommusikirtyur.com/xsmkld/index.php
http://ploaernysannyer.com/xsmkld/index.php
http://dersmasfannyer.com/xsmkld/index.php
http://derdsgdannyer.com/xsmkld/index.php
Extracted
dridex
10444
175.126.167.148:443
173.249.20.233:8043
162.241.204.233:4443
138.122.143.40:8043
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
CryptOne packer 2 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Dridex Loader 2 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 13 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\w5ossf6nf.exe"C:\Users\Admin\AppData\Local\Temp\w5ossf6nf.exe"1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\CF18.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\CF18.dll2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\D728.exeC:\Users\Admin\AppData\Local\Temp\D728.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\CF18.dllMD5
0ca63fc69b7983bbecce6722abff8e86
SHA1f63b03836896bbb8a19baac85c05ca8a9e73054b
SHA2562f38ab60dc994e973ed1269a8d0c0e534235f2e39c29af52f899ecf089908dc1
SHA51234348595fa082d26961731c8fac19719c2a1998b308e8dc68be4435a23f61feb2f5131d660dce9f581ad6dd169a48ffe6c717a7212ec0d666fe08a3676e70e91
-
C:\Users\Admin\AppData\Local\Temp\D728.exeMD5
2f66e11030122a8e381f5806543f45a2
SHA18760dae8485027db5d36bfb634b438f1f433e842
SHA25630ce3fd6112a662fe576a70816ffab8f9c0b1cabe93ab14c1a5cd85d3a37b510
SHA512d9ee3eb3b21042a114b06fb3e949771662ae5e08a691336c8080f315640250e3f50f48127b5fab8ba8ad2298e9e97ff4bbe9dbea0022d48a9eb2ab566e726292
-
C:\Users\Admin\AppData\Local\Temp\D728.exeMD5
2f66e11030122a8e381f5806543f45a2
SHA18760dae8485027db5d36bfb634b438f1f433e842
SHA25630ce3fd6112a662fe576a70816ffab8f9c0b1cabe93ab14c1a5cd85d3a37b510
SHA512d9ee3eb3b21042a114b06fb3e949771662ae5e08a691336c8080f315640250e3f50f48127b5fab8ba8ad2298e9e97ff4bbe9dbea0022d48a9eb2ab566e726292
-
\Users\Admin\AppData\Local\Temp\45E1.tmpMD5
50741b3f2d7debf5d2bed63d88404029
SHA156210388a627b926162b36967045be06ffb1aad3
SHA256f2f8732ae464738372ff274b7e481366cecdd2337210d4a3cbcd089c958a730c
SHA512fac6bfe35b1ee08b3d42d330516a260d9cdb4a90bbb0491411a583029b92a59d20af3552372ea8fb3f59442b3945bf524ef284127f397ae7179467080be8e9b3
-
\Users\Admin\AppData\Local\Temp\CF18.dllMD5
0ca63fc69b7983bbecce6722abff8e86
SHA1f63b03836896bbb8a19baac85c05ca8a9e73054b
SHA2562f38ab60dc994e973ed1269a8d0c0e534235f2e39c29af52f899ecf089908dc1
SHA51234348595fa082d26961731c8fac19719c2a1998b308e8dc68be4435a23f61feb2f5131d660dce9f581ad6dd169a48ffe6c717a7212ec0d666fe08a3676e70e91
-
memory/192-26-0x0000000000770000-0x00000000007DB000-memory.dmpFilesize
428KB
-
memory/192-14-0x0000000000000000-mapping.dmp
-
memory/344-2-0x0000000000000000-mapping.dmp
-
memory/996-4-0x0000000000000000-mapping.dmp
-
memory/996-9-0x0000000004170000-0x00000000041AD000-memory.dmpFilesize
244KB
-
memory/1272-40-0x0000000000730000-0x0000000000737000-memory.dmpFilesize
28KB
-
memory/1272-38-0x0000000000720000-0x000000000072C000-memory.dmpFilesize
48KB
-
memory/1272-35-0x0000000000000000-mapping.dmp
-
memory/1732-273-0x0000000000E60000-0x0000000000E82000-memory.dmpFilesize
136KB
-
memory/1732-267-0x0000000000E30000-0x0000000000E57000-memory.dmpFilesize
156KB
-
memory/1732-255-0x0000000000000000-mapping.dmp
-
memory/1932-372-0x0000000000C90000-0x0000000000C9D000-memory.dmpFilesize
52KB
-
memory/1932-378-0x0000000000CA0000-0x0000000000CA7000-memory.dmpFilesize
28KB
-
memory/1932-360-0x0000000000000000-mapping.dmp
-
memory/2212-130-0x0000000000000000-mapping.dmp
-
memory/2212-137-0x0000000000BE0000-0x0000000000BEE000-memory.dmpFilesize
56KB
-
memory/2212-140-0x0000000000BF0000-0x0000000000BF9000-memory.dmpFilesize
36KB
-
memory/2752-210-0x0000000000000000-mapping.dmp
-
memory/2752-226-0x0000000000620000-0x0000000000626000-memory.dmpFilesize
24KB
-
memory/2752-220-0x0000000000610000-0x000000000061C000-memory.dmpFilesize
48KB
-
memory/2864-318-0x0000000000000000-mapping.dmp
-
memory/2864-330-0x0000000000AF0000-0x0000000000AFB000-memory.dmpFilesize
44KB
-
memory/2864-337-0x0000000000B00000-0x0000000000B06000-memory.dmpFilesize
24KB
-
memory/3024-11-0x0000000002B00000-0x0000000002B75000-memory.dmpFilesize
468KB
-
memory/3024-200-0x00000000012A0000-0x00000000012AC000-memory.dmpFilesize
48KB
-
memory/3024-242-0x00000000012A0000-0x00000000012AC000-memory.dmpFilesize
48KB
-
memory/3024-248-0x00000000012A0000-0x00000000012AC000-memory.dmpFilesize
48KB
-
memory/3024-1-0x0000000001030000-0x0000000001046000-memory.dmpFilesize
88KB
-
memory/3024-10-0x0000000001290000-0x00000000012FB000-memory.dmpFilesize
428KB
-
memory/3024-350-0x00000000012A0000-0x00000000012AC000-memory.dmpFilesize
48KB
-
memory/3464-183-0x00000000005A0000-0x00000000005A5000-memory.dmpFilesize
20KB
-
memory/3464-178-0x0000000000590000-0x0000000000599000-memory.dmpFilesize
36KB
-
memory/3464-167-0x0000000000000000-mapping.dmp
-
memory/3596-148-0x0000000010000000-0x000000001001D000-memory.dmpFilesize
116KB
-
memory/3596-6-0x0000000000000000-mapping.dmp
-
memory/3816-62-0x0000000000000000-mapping.dmp
-
memory/3816-67-0x00000000007F0000-0x00000000007FB000-memory.dmpFilesize
44KB
-
memory/3816-68-0x0000000000A00000-0x0000000000A0A000-memory.dmpFilesize
40KB
-
memory/4012-97-0x0000000000000000-mapping.dmp
-
memory/4012-105-0x0000000000EA0000-0x0000000000EA7000-memory.dmpFilesize
28KB
-
memory/4012-102-0x0000000000E90000-0x0000000000E9B000-memory.dmpFilesize
44KB