Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-08-2021 08:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe

  • Size

    174KB

  • MD5

    badcc5eeb093cfa468ac2433ca3ec639

  • SHA1

    1e9b7c068262b69803f40088d7c296ec1cad777c

  • SHA256

    9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd

  • SHA512

    9710efb850d7109bbb51a769ecf610e1c79732d331c140392b68448f3fca49249b1458cbf7e4e931056bc4987a605616052197f1003c68d0490f66ab6e25c611

Score
10/10
babuksmokeloaderbackdoordiscoveryevasionransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
Hi, friend. Your files are encrypted. And you can't do anything with them. If you want to restore them, contact us via telegram @username312321 Price - 350 $ You can pay with BTC - bc1qd53hpk76zutapw8tsgnnkeuuuhuk4ecr2wrd93
Wallets

bc1qd53hpk76zutapw8tsgnnkeuuuhuk4ecr2wrd93

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/
rc4.i32
rc4.i32

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 16 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe
    "C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2256
  • C:\Users\Admin\AppData\Local\Temp\BA8B.exe
    C:\Users\Admin\AppData\Local\Temp\BA8B.exe
    1⤵
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\AudioB.exe
      "C:\Users\Admin\AppData\Local\Temp\AudioB.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\AudioB.exe
        "C:\Users\Admin\AppData\Local\Temp\AudioB.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:3152
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:3148
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3628
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2192
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2
T1107

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

5
T1082

Peripheral Device Discovery

2
T1120

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2
T1490

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\AudioB.exe
    MD5

    cf88599048145e4911915215a91527f4

    SHA1

    f4ba5c7117736388c4de3442b1d6e4f84628c15d

    SHA256

    9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0

    SHA512

    254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AudioB.exe
    MD5

    cf88599048145e4911915215a91527f4

    SHA1

    f4ba5c7117736388c4de3442b1d6e4f84628c15d

    SHA256

    9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0

    SHA512

    254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AudioB.exe
    MD5

    cf88599048145e4911915215a91527f4

    SHA1

    f4ba5c7117736388c4de3442b1d6e4f84628c15d

    SHA256

    9f7d6949fd359dce79d3233eb80101ff706a35de5308543b0488450c19eba0f0

    SHA512

    254f6e26ed075ff1fe46493e36e6ec7eb70db52d2219070b6a77cbf7202d231fc826bd3fb69bdcaee86e45c9ce4ee8bc7085d37d5627a0bc1d2ec86aa9f2c0f7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\BA8B.exe
    MD5

    eeb0f28c077d4b7f9740232aa95d93b4

    SHA1

    61d50d4d4c1eee0c8fe9e17bcf78a4f43e482967

    SHA256

    3662c3ba063379af8bca502364807bf88752a36b5ca83671c02ea48fbb0b06af

    SHA512

    6034043269af32b2633e1c2b46dfb766d342dbd64337e868c703090c9b8aa9f4ab7a692d1e5e6eeecbef31b2a77d28183a8ec24b75caabb870219f27b5eae73c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\BA8B.exe
    MD5

    eeb0f28c077d4b7f9740232aa95d93b4

    SHA1

    61d50d4d4c1eee0c8fe9e17bcf78a4f43e482967

    SHA256

    3662c3ba063379af8bca502364807bf88752a36b5ca83671c02ea48fbb0b06af

    SHA512

    6034043269af32b2633e1c2b46dfb766d342dbd64337e868c703090c9b8aa9f4ab7a692d1e5e6eeecbef31b2a77d28183a8ec24b75caabb870219f27b5eae73c

    Download Submit
  • memory/2192-158-0x0000000000000000-mapping.dmp
    Download
  • memory/2256-114-0x0000000002CC0000-0x0000000002E0A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2256-115-0x0000000000400000-0x0000000002CBB000-memory.dmp
    Filesize

    40.7MB

    Download
  • memory/2380-154-0x0000000000000000-mapping.dmp
    Download
  • memory/2692-149-0x0000000009CB0000-0x0000000009D4C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2692-148-0x0000000009A70000-0x0000000009A81000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2692-147-0x0000000005390000-0x0000000005422000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2692-146-0x0000000005490000-0x0000000005491000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2692-145-0x0000000005420000-0x0000000005421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2692-144-0x0000000005540000-0x0000000005541000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2692-140-0x0000000000A70000-0x0000000000A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2692-137-0x0000000000000000-mapping.dmp
    Download
  • memory/2692-150-0x000000000C580000-0x000000000C5B1000-memory.dmp
    Filesize

    196KB

    Download
  • memory/2696-126-0x00000000059C0000-0x00000000059C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-125-0x0000000003690000-0x0000000003691000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-136-0x0000000007890000-0x0000000007891000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-134-0x0000000007510000-0x0000000007511000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-133-0x00000000073F0000-0x00000000073F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-132-0x0000000007E50000-0x0000000007E51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-131-0x0000000007920000-0x0000000007921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-130-0x0000000007220000-0x0000000007221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-129-0x00000000059B0000-0x00000000059B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-128-0x0000000005850000-0x0000000005851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-127-0x0000000005810000-0x0000000005811000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-135-0x00000000077F0000-0x00000000077F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-124-0x0000000005FD0000-0x0000000005FD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-122-0x0000000000AB0000-0x0000000000AB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2696-117-0x0000000000000000-mapping.dmp
    Download
  • memory/2696-121-0x0000000077000000-0x000000007718E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/3040-116-0x0000000001200000-0x0000000001216000-memory.dmp
    Filesize

    88KB

    Download
  • memory/3148-155-0x0000000000000000-mapping.dmp
    Download
  • memory/3152-152-0x000000000040ABC0-mapping.dmp
    Download
  • memory/3152-151-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/3152-156-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/3628-157-0x0000000000000000-mapping.dmp
    Download