Analysis
-
max time kernel
132s -
max time network
145s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
23-11-2020 18:36
General
-
Target
inv_112020_65098.pif.exe
-
Size
656KB
-
MD5
6e5017e2d0407e74578d1121233da979
-
SHA1
be9ad4ab667f1e8be4ad4848ad852d5a72aa4234
-
SHA256
7af038d2f4f41c0d130aaa1e4557d821e2b7f4c6bda2be44300e229cd5c721df
-
SHA512
b1f8e67c5373aef0e7997d2c4392078aa7f7f28b975fad0e06319a524a59ec98d328fd60438b00f05b6c16b6142065d995e1b88512fdd9e02839990407b15e61
Malware Config
Extracted
smokeloader
2020
http://penodux.com/xsmkld/index.php
http://tommusikirtyur.com/xsmkld/index.php
http://ploaernysannyer.com/xsmkld/index.php
http://dersmasfannyer.com/xsmkld/index.php
http://derdsgdannyer.com/xsmkld/index.php
Extracted
dridex
10444
175.126.167.148:443
173.249.20.233:8043
162.241.204.233:4443
138.122.143.40:8043
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
CryptOne packer 2 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Dridex Loader 2 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 11 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 45 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\inv_112020_65098.pif.exe"C:\Users\Admin\AppData\Local\Temp\inv_112020_65098.pif.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\inv_112020_65098.pif.exe"C:\Users\Admin\AppData\Local\Temp\inv_112020_65098.pif.exe"2⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\EA20.dll1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\EA20.dll2⤵
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\F1FE.exeC:\Users\Admin\AppData\Local\Temp\F1FE.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
116KB
-
Filesize
1.6MB
-
Filesize
244KB
-
Filesize
428KB
-
Filesize
468KB
-
Filesize
40KB
-
Filesize
24KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
28KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
40KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
28KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
36KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
28KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
24KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
44KB
-
Filesize
28KB
-
Filesize
156KB
-
Filesize
136KB
-
Filesize
20KB
-
Filesize
36KB
-
Filesize
44KB
-
Filesize
24KB
-
Filesize
2.5MB
-
Filesize
52KB
-
Filesize
28KB
-
Filesize
44KB
-
Filesize
40KB