Analysis
max time kernel: 31s
max time network: 68s
platform: windows10_x64
resource: win10v20201028
submitted: 26-11-2020 05:22

Static task: static1
Behavioral task: behavioral1
Sample: Amazon_Gift-Card.579177920.scr
Resource: win7v20201028
General
Target: Amazon_Gift-Card.579177920.scr
Size: 965KB
MD5: 33ca3e86d783234092e52369e1b6bb83
SHA1: 653ab54e15b01473943cd897ded24f742b0193c5
SHA256: 2c6110a76dda8da49195052fa561ab8b8278c02df400124e46d26d2df228b70b
SHA512: 7ddd8dfca491fd272cb1232813e78a0df52983801222b00cc535c1386a411aba30aa2bc720b4d913685f564c2060f8d072c48c31be88753d0924639f8adb632e
Malware Config
Extracted
Family: dridex
Botnet: 10555
C2:
194.225.58.216:443
178.254.40.132:691
216.172.165.70:3889
198.57.200.100:3786
Signatures

YARA rule matches
resource | yara_rule
behavioral2/memory/3984-20-0x0000000000DB0000-0x0000000000DED000-memory.dmp | dridex_ldr
behavioral2/memory/3984-21-0x0000000000DB0000-0x0000000000DED000-memory.dmp | dridex_ldr

Executes dropped EXE (1 IoC)
pid | process
3024 | extraPFZ.exe

Loads dropped DLL (1 IoC)
pid | process
3984 | regsvr32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (5 IoCs)
pid | process
1332 | timeout.exe
3200 | timeout.exe
4024 | timeout.exe
2836 | timeout.exe
3968 | timeout.exe

Kills process with taskkill (2 IoCs)
pid | process
208 | taskkill.exe
3712 | taskkill.exe

Modifies registry class (2 IoCs)
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | Amazon_Gift-Card.579177920.scr
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | cmd.exe

Suspicious use of WriteProcessMemory (45 IoCs; each parent/child pair is recorded three times in the report, listed once here)
description | pid | process | target pid | target process
wrote to memory of | 648 | Amazon_Gift-Card.579177920.scr | 3960 | WScript.exe
wrote to memory of | 3960 | WScript.exe | 3144 | cmd.exe
wrote to memory of | 3144 | cmd.exe | 1332 | timeout.exe
wrote to memory of | 3144 | cmd.exe | 3024 | extraPFZ.exe
wrote to memory of | 3144 | cmd.exe | 3200 | timeout.exe
wrote to memory of | 3144 | cmd.exe | 2212 | WScript.exe
wrote to memory of | 3144 | cmd.exe | 4024 | timeout.exe
wrote to memory of | 2212 | WScript.exe | 2204 | cmd.exe
wrote to memory of | 2204 | cmd.exe | 3940 | attrib.exe
wrote to memory of | 2204 | cmd.exe | 2836 | timeout.exe
wrote to memory of | 2204 | cmd.exe | 3984 | regsvr32.exe
wrote to memory of | 2204 | cmd.exe | 208 | taskkill.exe
wrote to memory of | 2204 | cmd.exe | 3712 | taskkill.exe
wrote to memory of | 2204 | cmd.exe | 200 | attrib.exe
wrote to memory of | 2204 | cmd.exe | 3968 | timeout.exe

Views/modifies file attributes (1 TTP, 2 IoCs)
pid | process
3940 | attrib.exe
200 | attrib.exe
Processes
(Indentation shows the parent/child tree; PIDs are taken from the WriteProcessMemory section above. Image paths are under SysWOW64 while the command lines name System32 because the sample is a 32-bit process and WOW64 file-system redirection maps System32 to SysWOW64 for it.)

PID 648  C:\Users\Admin\AppData\Local\Temp\Amazon_Gift-Card.579177920.scr
         "C:\Users\Admin\AppData\Local\Temp\Amazon_Gift-Card.579177920.scr" /S
         - Modifies registry class
         - Suspicious use of WriteProcessMemory
  PID 3960  C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Video\config\svideo.vbs" /f=CREATE_NO_WINDOW install.cmd
            - Suspicious use of WriteProcessMemory
    PID 3144  C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Video\config\elp.bat" "
              - Modifies registry class
              - Suspicious use of WriteProcessMemory
      PID 1332  C:\Windows\SysWOW64\timeout.exe
                timeout 3
                - Delays execution with timeout.exe
      PID 3024  C:\Video\config\extraPFZ.exe
                "extraPFZ.exe" e -pVursion cvn5869508.rar
                - Executes dropped EXE
      PID 3200  C:\Windows\SysWOW64\timeout.exe
                timeout 5
                - Delays execution with timeout.exe
      PID 2212  C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Video\config\chinatown.vbs"
                - Suspicious use of WriteProcessMemory
        PID 2204  C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Video\config\7p.bat" "
                  - Suspicious use of WriteProcessMemory
          PID 3940  C:\Windows\SysWOW64\attrib.exe
                    attrib +s +h "C:\Video"
                    - Views/modifies file attributes
          PID 2836  C:\Windows\SysWOW64\timeout.exe
                    timeout 2
                    - Delays execution with timeout.exe
          PID 3984  C:\Windows\SysWOW64\regsvr32.exe
                    regsvr32 -s pzxrk4325.dll
                    - Loads dropped DLL
          PID 208   C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /extraPFZ.exee
                    - Kills process with taskkill
          PID 3712  C:\Windows\SysWOW64\taskkill.exe
                    taskkill /f /extraPFZ.exe
                    - Kills process with taskkill
          PID 200   C:\Windows\SysWOW64\attrib.exe
                    attrib -s -h "C:\Video\config\pzxrk4325.dll"
                    - Views/modifies file attributes
          PID 3968  C:\Windows\SysWOW64\timeout.exe
                    timeout 4
                    - Delays execution with timeout.exe
      PID 4024  C:\Windows\SysWOW64\timeout.exe
                timeout 4
                - Delays execution with timeout.exe
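The tree above is the whole installer chain: a screensaver executable runs a VBScript, which runs a batch file, which extracts a password-protected RAR with a renamed extractor (the `e -p<password> <archive>.rar` arguments are RAR command-line syntax), hides the drop directory, and registers the extracted DLL with `regsvr32 -s` using a relative path. The following Python is an added example, not part of the sandbox report: it runs a few process-lineage rules over constructed Sysmon-style process-creation records rebuilt from the tree. PIDs come from the WriteProcessMemory section and command lines from the Processes section; the parent PID of the .scr (1000) and the benign regsvr32 control record (PIDs 5000 and 4999, `example.dll`) are assumptions for illustration, and the rule names are my own.

```python
"""Process-lineage rules for the installer chain in this report.

Added example, not part of the sandbox report. EVENTS are constructed
Sysmon-style (Event ID 1) records rebuilt from the process tree; the .scr
parent PID and the benign regsvr32 control record are assumed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full image path of the new process
    cmdline: str  # command line as logged


EVENTS = [
    ProcEvent(648, 1000, r"C:\Users\Admin\AppData\Local\Temp\Amazon_Gift-Card.579177920.scr",
              r'"C:\Users\Admin\AppData\Local\Temp\Amazon_Gift-Card.579177920.scr" /S'),
    ProcEvent(3960, 648, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Video\config\svideo.vbs" /f=CREATE_NO_WINDOW install.cmd'),
    ProcEvent(3144, 3960, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Video\config\elp.bat" "'),
    ProcEvent(3024, 3144, r"C:\Video\config\extraPFZ.exe", r'"extraPFZ.exe" e -pVursion cvn5869508.rar'),
    ProcEvent(2212, 3144, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Video\config\chinatown.vbs"'),
    ProcEvent(2204, 2212, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Video\config\7p.bat" "'),
    ProcEvent(3940, 2204, r"C:\Windows\SysWOW64\attrib.exe", r'attrib +s +h "C:\Video"'),
    ProcEvent(3984, 2204, r"C:\Windows\SysWOW64\regsvr32.exe", r"regsvr32 -s pzxrk4325.dll"),
    # Constructed benign control (assumed): an installer registering a DLL from System32.
    ProcEvent(5000, 4999, r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\Windows\System32\example.dll"),
]

# Directories from which regsvr32 loading a DLL is treated as expected.
ALLOWED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain of ev, nearest first; stops at unknown PIDs and cycles."""
    chain, seen = [], set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def dll_argument(cmdline: str) -> Optional[str]:
    """First argument (after the program token) ending in .dll, quotes stripped."""
    for tok in re.findall(r'"[^"]+"|\S+', cmdline)[1:]:
        tok = tok.strip('"')
        if tok.lower().endswith(".dll"):
            return tok
    return None


def rule_regsvr32_unusual_dll(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """regsvr32 given a relative DLL path, or an absolute one outside ALLOWED_DLL_DIRS."""
    if not ev.image.lower().endswith("\\regsvr32.exe"):
        return False
    dll = dll_argument(ev.cmdline)
    if dll is None:
        return False
    low = dll.lower()
    is_absolute = re.match(r"[a-z]:\\", low) is not None
    return not is_absolute or not low.startswith(ALLOWED_DLL_DIRS)


def rule_script_host_spawns_shell(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """cmd.exe whose direct parent is WScript or CScript."""
    parent = by_pid.get(ev.ppid)
    return (parent is not None
            and parent.image.lower().endswith(("\\wscript.exe", "\\cscript.exe"))
            and ev.image.lower().endswith("\\cmd.exe"))


def rule_attrib_hides_path(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """attrib setting both the system and hidden attributes."""
    return ev.image.lower().endswith("\\attrib.exe") and "+s" in ev.cmdline and "+h" in ev.cmdline


def rule_password_rar_extract(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """RAR extractor syntax '<e|x> -p<password> <archive>.rar'. Matched on the
    arguments, not the image name, because the extractor here is renamed."""
    return re.search(r"\s[ex]\s+-p\S+\s+\S+\.rar$", ev.cmdline, re.I) is not None


def rule_screensaver_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """Some ancestor image is a .scr file."""
    return any(a.image.lower().endswith(".scr") for a in ancestors(ev, by_pid))


RULES = {
    "regsvr32_unusual_dll": rule_regsvr32_unusual_dll,
    "script_host_spawns_shell": rule_script_host_spawns_shell,
    "attrib_hides_path": rule_attrib_hides_path,
    "password_rar_extract": rule_password_rar_extract,
    "screensaver_ancestor": rule_screensaver_ancestor,
}


def detect(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each PID that fired at least one rule to its sorted rule names."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = {}
    for ev in events:
        fired = sorted(name for name, fn in RULES.items() if fn(ev, by_pid))
        if fired:
            hits[ev.pid] = fired
    return hits


def lineage_rules(pid: int, events: List[ProcEvent]) -> List[str]:
    """Distinct rules fired on a process and on all of its ancestors: the chain
    is obvious in aggregate even where each step alone looks mundane."""
    by_pid = {e.pid: e for e in events}
    hits = detect(events)
    names = set(hits.get(pid, []))
    for a in ancestors(by_pid[pid], by_pid):
        names.update(hits.get(a.pid, []))
    return sorted(names)


if __name__ == "__main__":
    for pid, rules in detect(EVENTS).items():
        print(pid, rules)
    print("lineage of regsvr32 (3984):", lineage_rules(3984, EVENTS))
```

The regsvr32 rule keys on the DLL argument rather than the image name because `regsvr32.exe` itself is a signed system binary; here the argument is a bare relative file name resolved against the batch file's working directory, which is the kind of detail that never appears in legitimate installer invocations. The RAR rule matches the argument syntax because the binary was renamed (`extraPFZ.exe`), so image-name allow/deny lists for archivers would miss it.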
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Video\config\7p.bat
MD5: e94a811e7efd1d3615123b7642472d0a
SHA1: 88b985970ad4a3b9da13262e47f7211d535c8738
SHA256: 318e6fec79a00bac1f3e14b21aac6a9e6df11290ece1f57011e755c077cfc83c
SHA512: eb58d58103a8eb7989a4ecb245889eae1e179cf1cc17f2a07901edb00e3b727a309b1c1569ef680f51c998016829c764d1fe35b193a647d5fece4c24c8c14387

C:\Video\config\chinatown.vbs
MD5: e36f6c0eb7c04e04074230bb5c0d2683
SHA1: a48a3a27a6746c1ce5417bb77e9a792642a9c6eb
SHA256: 7e87a583d7ce276cf430bb9eeab7ff48e34b1b8413bae3cadbef47884ae9521f
SHA512: daa2fb0c0a0bf3604eb9e929b45723d1bf6474a6f82cbea971bf9015730801e1a844afd8e87bf2a71952491bdbd3aecd097da7ad9581bfbc29da4486f48e8182

C:\Video\config\elp.bat
MD5: 413bfe1c6c922e4d55d1572bfd8979c0
SHA1: d998b64917159bc30b816d28ee78794067d92637
SHA256: 07c5e188ceca4bcd4d0ec7757ff03359402b0902bfe7ffe851fe81552f467153
SHA512: b31683c8124fb4294756af24186fddbf7f8d516c854df8760eac17d2a8c46b7815c96e015cf6280770f96624ad924de3ecb7203815d87336d838ad59877839db

C:\Video\config\extraPFZ.exe
MD5: 061f64173293969577916832be29b90d
SHA1: b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA256: 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA512: 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

C:\Video\config\pzxrk4325.dll
MD5: 457a2d0c13db31222c66c3e623d88063
SHA1: 15bd1122fe1a910c3b8f255bbe74de5ffed57fd2
SHA256: a1658b979357f174c83dcd9867941d8cd917beb3ea67720fa43b6340b27762ba
SHA512: 5eeb2bfcfedd0703134196a3135bba5bbc59d67ab51bc847c837e4243c1c1a7fa1971a5602af5f6d946ef1a0f5c5f5f1f1807fa5e5d6dc723b6d5888336875c3

C:\Video\config\reedmi.cvl
MD5: 1659459a93acdd26e1253c3a61d4c306
SHA1: b08003deee9edf383190a5b8e3e1d504487439e3
SHA256: 37c2c5cf6587c824ba7670c696220d246d9d1a9f619ff0ddfd1f21ca82a97c5c
SHA512: 30aaf65dcc1e2e4be19a2e88a2bd9866bdc7b632142130ee5b1a394cdc3c61d4a1b518d4c05d9bf68931ed90b5bcb1acf0bc16a96c775c368816eb33c6ce2180

C:\Video\config\svideo.vbs
MD5: 664af4c8be70de64667d91cf849ab6ea
SHA1: 8fa378b5e4320d02b839b63a61350784db0fd41a
SHA256: cb7d3e410617f53d4def0c6093cb53c9c12b0dc9c68344e9caeb5357cfb4a277
SHA512: eb99a1a7cd58865a5fa0e7780ec344d1615570bb6dd68635b2009b2dd4fd0df79145ff63bd682bbb28c0da66d1496834f1b869c270885ab02a55cff5d15540a5

\Video\config\pzxrk4325.dll
MD5: 457a2d0c13db31222c66c3e623d88063
SHA1: 15bd1122fe1a910c3b8f255bbe74de5ffed57fd2
SHA256: a1658b979357f174c83dcd9867941d8cd917beb3ea67720fa43b6340b27762ba
SHA512: 5eeb2bfcfedd0703134196a3135bba5bbc59d67ab51bc847c837e4243c1c1a7fa1971a5602af5f6d946ef1a0f5c5f5f1f1807fa5e5d6dc723b6d5888336875c3
Memory dumps
memory/200-24-0x0000000000000000-mapping.dmp
memory/208-22-0x0000000000000000-mapping.dmp
memory/1332-5-0x0000000000000000-mapping.dmp
memory/2204-14-0x0000000000000000-mapping.dmp
memory/2212-11-0x0000000000000000-mapping.dmp
memory/2836-16-0x0000000000000000-mapping.dmp
memory/3024-7-0x0000000000000000-mapping.dmp
memory/3144-4-0x0000000000000000-mapping.dmp
memory/3200-9-0x0000000000000000-mapping.dmp
memory/3712-23-0x0000000000000000-mapping.dmp
memory/3940-15-0x0000000000000000-mapping.dmp
memory/3960-1-0x0000000000000000-mapping.dmp
memory/3968-25-0x0000000000000000-mapping.dmp
memory/3984-17-0x0000000000000000-mapping.dmp
memory/3984-21-0x0000000000DB0000-0x0000000000DED000-memory.dmp (Filesize 244KB)
memory/3984-20-0x0000000000DB0000-0x0000000000DED000-memory.dmp (Filesize 244KB)
memory/4024-12-0x0000000000000000-mapping.dmp