dridex | 7af038d2f4f41c0d130aaa1e4557d821e2b7f4c6bda2be44300e229cd5c721df

Analysis

max time kernel
132s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
23-11-2020 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inv_112020_65098.pif.exe
Size

656KB
MD5

6e5017e2d0407e74578d1121233da979
SHA1

be9ad4ab667f1e8be4ad4848ad852d5a72aa4234
SHA256

7af038d2f4f41c0d130aaa1e4557d821e2b7f4c6bda2be44300e229cd5c721df
SHA512

b1f8e67c5373aef0e7997d2c4392078aa7f7f28b975fad0e06319a524a59ec98d328fd60438b00f05b6c16b6142065d995e1b88512fdd9e02839990407b15e61

Score

10^/10

dridex smokeloader 10444 backdoor botnet cryptone loader packer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://penodux.com/xsmkld/index.php

http://tommusikirtyur.com/xsmkld/index.php

http://ploaernysannyer.com/xsmkld/index.php

http://dersmasfannyer.com/xsmkld/index.php

http://derdsgdannyer.com/xsmkld/index.php

rc4.i32

Extracted

Family

dridex

Botnet

10444

175.126.167.148:443

173.249.20.233:8043

162.241.204.233:4443

138.122.143.40:8043

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

CryptOne packer 2 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\EA20.dll	cryptone
\Users\Admin\AppData\Local\Temp\EA20.dll	cryptone

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/436-8-0x0000000000980000-0x00000000009BD000-memory.dmp	dridex_ldr
behavioral1/memory/336-14-0x0000000010000000-0x000000001001D000-memory.dmp	dridex_ldr

Executes dropped EXE 1 IoCs

Processes:

F1FE.exe

pid process

336 F1FE.exe
Deletes itself 1 IoCs

Processes:

pid process

1268
Loads dropped DLL 2 IoCs

Processes:

inv_112020_65098.pif.exeregsvr32.exe

pid process

884 inv_112020_65098.pif.exe
436 regsvr32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

inv_112020_65098.pif.exe

description pid process target process

PID 2028 set thread context of 884 2028 inv_112020_65098.pif.exe inv_112020_65098.pif.exe

pid	process
336	F1FE.exe

pid	process
1268

description	pid	process	target process
PID 2028 set thread context of 884	2028	inv_112020_65098.pif.exe	inv_112020_65098.pif.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

inv_112020_65098.pif.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	inv_112020_65098.pif.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	inv_112020_65098.pif.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	inv_112020_65098.pif.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

inv_112020_65098.pif.exe

pid	process
884	inv_112020_65098.pif.exe
884	inv_112020_65098.pif.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268

Suspicious behavior: MapViewOfSection 11 IoCs

Processes:

inv_112020_65098.pif.exe

pid process

884 inv_112020_65098.pif.exe
1268
1268
1268
1268
1268
1268
1268
1268
1268
1268
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

pid process

1268
1268
1268
1268
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

pid process

1268
1268
1268
1268

pid	process
1268
1268
1268
1268

pid	process
1268
1268
1268
1268

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

inv_112020_65098.pif.exeregsvr32.exe

description	pid	process	target process
PID 2028 wrote to memory of 884	2028	inv_112020_65098.pif.exe	inv_112020_65098.pif.exe
PID 2028 wrote to memory of 884	2028	inv_112020_65098.pif.exe	inv_112020_65098.pif.exe
PID 2028 wrote to memory of 884	2028	inv_112020_65098.pif.exe	inv_112020_65098.pif.exe
PID 2028 wrote to memory of 884	2028	inv_112020_65098.pif.exe	inv_112020_65098.pif.exe
PID 2028 wrote to memory of 884	2028	inv_112020_65098.pif.exe	inv_112020_65098.pif.exe
PID 2028 wrote to memory of 884	2028	inv_112020_65098.pif.exe	inv_112020_65098.pif.exe
PID 1268 wrote to memory of 1996	1268		regsvr32.exe
PID 1268 wrote to memory of 1996	1268		regsvr32.exe
PID 1268 wrote to memory of 1996	1268		regsvr32.exe
PID 1268 wrote to memory of 1996	1268		regsvr32.exe
PID 1268 wrote to memory of 1996	1268		regsvr32.exe
PID 1996 wrote to memory of 436	1996	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 436	1996	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 436	1996	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 436	1996	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 436	1996	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 436	1996	regsvr32.exe	regsvr32.exe
PID 1996 wrote to memory of 436	1996	regsvr32.exe	regsvr32.exe
PID 1268 wrote to memory of 336	1268		F1FE.exe
PID 1268 wrote to memory of 336	1268		F1FE.exe
PID 1268 wrote to memory of 336	1268		F1FE.exe
PID 1268 wrote to memory of 336	1268		F1FE.exe
PID 1268 wrote to memory of 628	1268		explorer.exe
PID 1268 wrote to memory of 628	1268		explorer.exe
PID 1268 wrote to memory of 628	1268		explorer.exe
PID 1268 wrote to memory of 628	1268		explorer.exe
PID 1268 wrote to memory of 628	1268		explorer.exe
PID 1268 wrote to memory of 1312	1268		explorer.exe
PID 1268 wrote to memory of 1312	1268		explorer.exe
PID 1268 wrote to memory of 1312	1268		explorer.exe
PID 1268 wrote to memory of 1312	1268		explorer.exe
PID 1268 wrote to memory of 1988	1268		explorer.exe
PID 1268 wrote to memory of 1988	1268		explorer.exe
PID 1268 wrote to memory of 1988	1268		explorer.exe
PID 1268 wrote to memory of 1988	1268		explorer.exe
PID 1268 wrote to memory of 1988	1268		explorer.exe
PID 1268 wrote to memory of 1692	1268		explorer.exe
PID 1268 wrote to memory of 1692	1268		explorer.exe
PID 1268 wrote to memory of 1692	1268		explorer.exe
PID 1268 wrote to memory of 1692	1268		explorer.exe
PID 1268 wrote to memory of 1692	1268		explorer.exe
PID 1268 wrote to memory of 1244	1268		explorer.exe
PID 1268 wrote to memory of 1244	1268		explorer.exe
PID 1268 wrote to memory of 1244	1268		explorer.exe
PID 1268 wrote to memory of 1244	1268		explorer.exe

C:\Users\Admin\AppData\Local\Temp\inv_112020_65098.pif.exe
"C:\Users\Admin\AppData\Local\Temp\inv_112020_65098.pif.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\inv_112020_65098.pif.exe
  "C:\Users\Admin\AppData\Local\Temp\inv_112020_65098.pif.exe"
  2⤵
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:884

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EA20.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\EA20.dll
  2⤵
  - Loads dropped DLL
  PID:436

C:\Users\Admin\AppData\Local\Temp\F1FE.exe
C:\Users\Admin\AppData\Local\Temp\F1FE.exe
1⤵
- Executes dropped EXE
PID:336

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:628

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1312

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1988

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1692

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EA20.dll

MD5
e9468e28d01bad99d0cb9ad8a4bfe60a

SHA1
4b91dec1d0ad55372d11eb084a7e91ed3cc7dfa7

SHA256
8bf0ee8a7e68a8e7b41ec6a54c7a0ef80ab28bcd55b27bffba99f2991950741a

SHA512
9d5b5f6ad74e0cb3c041b28fcf3cc31beb67e57e883a1625c4c1261737ccd9d9bd12ab9367ffebda9e808c105dd16add85071d32be80b14ab3ff75fcae67474a

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1FE.exe

MD5
2f66e11030122a8e381f5806543f45a2

SHA1
8760dae8485027db5d36bfb634b438f1f433e842

SHA256
30ce3fd6112a662fe576a70816ffab8f9c0b1cabe93ab14c1a5cd85d3a37b510

SHA512
d9ee3eb3b21042a114b06fb3e949771662ae5e08a691336c8080f315640250e3f50f48127b5fab8ba8ad2298e9e97ff4bbe9dbea0022d48a9eb2ab566e726292

Download Submit
\Users\Admin\AppData\Local\Temp\45E1.tmp

MD5
d124f55b9393c976963407dff51ffa79

SHA1
2c7bbedd79791bfb866898c85b504186db610b5d

SHA256
ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef

SHA512
278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Download Submit
\Users\Admin\AppData\Local\Temp\EA20.dll

MD5
e9468e28d01bad99d0cb9ad8a4bfe60a

SHA1
4b91dec1d0ad55372d11eb084a7e91ed3cc7dfa7

SHA256
8bf0ee8a7e68a8e7b41ec6a54c7a0ef80ab28bcd55b27bffba99f2991950741a

SHA512
9d5b5f6ad74e0cb3c041b28fcf3cc31beb67e57e883a1625c4c1261737ccd9d9bd12ab9367ffebda9e808c105dd16add85071d32be80b14ab3ff75fcae67474a

Download Submit
memory/336-14-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/336-11-0x0000000074670000-0x0000000074813000-memory.dmp

Filesize
1.6MB

Download
memory/336-9-0x0000000000000000-mapping.dmp

Download
memory/436-6-0x0000000000000000-mapping.dmp

Download
memory/436-8-0x0000000000980000-0x00000000009BD000-memory.dmp

Filesize
244KB

Download
memory/628-13-0x0000000000000000-mapping.dmp

Download
memory/628-15-0x00000000000D0000-0x000000000013B000-memory.dmp

Filesize
428KB

Download
memory/628-16-0x0000000000140000-0x00000000001B5000-memory.dmp

Filesize
468KB

Download
memory/884-0-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/884-1-0x0000000000402DA2-mapping.dmp

Download
memory/1184-317-0x00000000000F0000-0x00000000000F6000-memory.dmp

Filesize
24KB

Download
memory/1184-313-0x00000000000E0000-0x00000000000EC000-memory.dmp

Filesize
48KB

Download
memory/1184-307-0x0000000000000000-mapping.dmp

Download
memory/1244-217-0x0000000000000000-mapping.dmp

Download
memory/1244-221-0x0000000000060000-0x000000000006E000-memory.dmp

Filesize
56KB

Download
memory/1268-628-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-639-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-58-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

Filesize
28KB

Download
memory/1268-605-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-606-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-607-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-183-0x0000000002AF0000-0x0000000002AFA000-memory.dmp

Filesize
40KB

Download
memory/1268-608-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-609-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-610-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-215-0x0000000002B00000-0x0000000002B09000-memory.dmp

Filesize
36KB

Download
memory/1268-611-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-612-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-241-0x0000000002B00000-0x0000000002B09000-memory.dmp

Filesize
36KB

Download
memory/1268-613-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-614-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-615-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-300-0x0000000002B00000-0x0000000002B09000-memory.dmp

Filesize
36KB

Download
memory/1268-21-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

Filesize
28KB

Download
memory/1268-616-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-617-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-337-0x0000000002B00000-0x0000000002B09000-memory.dmp

Filesize
36KB

Download
memory/1268-618-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-619-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-621-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-622-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-623-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-624-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-625-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-626-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-627-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-620-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-640-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-57-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

Filesize
28KB

Download
memory/1268-638-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-637-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-636-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-635-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-634-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-633-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-632-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-631-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-630-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-629-0x0000000002AF0000-0x0000000002AF6000-memory.dmp

Filesize
24KB

Download
memory/1268-3-0x0000000002BA0000-0x0000000002BB6000-memory.dmp

Filesize
88KB

Download
memory/1312-23-0x0000000000060000-0x000000000006C000-memory.dmp

Filesize
48KB

Download
memory/1312-22-0x0000000000000000-mapping.dmp

Download
memory/1692-185-0x0000000000000000-mapping.dmp

Download
memory/1692-186-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1692-187-0x00000000000D0000-0x00000000000D7000-memory.dmp

Filesize
28KB

Download
memory/1744-350-0x00000000000C0000-0x00000000000E7000-memory.dmp

Filesize
156KB

Download
memory/1744-353-0x00000000000F0000-0x0000000000112000-memory.dmp

Filesize
136KB

Download
memory/1744-342-0x0000000000000000-mapping.dmp

Download
memory/1848-259-0x00000000000D0000-0x00000000000D5000-memory.dmp

Filesize
20KB

Download
memory/1848-249-0x0000000000000000-mapping.dmp

Download
memory/1848-256-0x00000000000C0000-0x00000000000C9000-memory.dmp

Filesize
36KB

Download
memory/1904-482-0x0000000000000000-mapping.dmp

Download
memory/1904-483-0x0000000000080000-0x000000000008B000-memory.dmp

Filesize
44KB

Download
memory/1904-484-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/1908-12-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

Filesize
2.5MB

Download
memory/1988-535-0x0000000000000000-mapping.dmp

Download
memory/1988-539-0x0000000000060000-0x000000000006D000-memory.dmp

Filesize
52KB

Download
memory/1988-541-0x0000000000070000-0x0000000000077000-memory.dmp

Filesize
28KB

Download
memory/1988-60-0x00000000000C0000-0x00000000000CB000-memory.dmp

Filesize
44KB

Download
memory/1988-61-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/1988-59-0x0000000000000000-mapping.dmp

Download
memory/1996-4-0x0000000000000000-mapping.dmp

Download