Overview

overview

10

Static

static

dridex

windows10_x64

10

Resubmissions

25/03/2025, 15:40

250325-s4pk6ssjz3 10

05/02/2025, 09:14

250205-k7s4rszmex 10

26/08/2021, 08:49

210826-epqpjsdkt2 10

Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26/08/2021, 08:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe

  • Size

    174KB

  • MD5

    badcc5eeb093cfa468ac2433ca3ec639

  • SHA1

    1e9b7c068262b69803f40088d7c296ec1cad777c

  • SHA256

    9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd

  • SHA512

    9710efb850d7109bbb51a769ecf610e1c79732d331c140392b68448f3fca49249b1458cbf7e4e931056bc4987a605616052197f1003c68d0490f66ab6e25c611

Score
10/10
babuksmokeloaderbackdoordiscoveryevasionransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Path

C:\How To Restore Your Files.txt

Ransom Note
Hi, friend. Your files are encrypted. And you can't do anything with them. If you want to restore them, contact us via telegram @username312321 Price - 350 $ You can pay with BTC - bc1qd53hpk76zutapw8tsgnnkeuuuhuk4ecr2wrd93
Wallets

bc1qd53hpk76zutapw8tsgnnkeuuuhuk4ecr2wrd93

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/
rc4.i32
rc4.i32

Signatures

  • Babuk Locker

    RaaS first seen in 2021 initially called Vasa Locker.

    ransomwarebabuk
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Modifies extensions of user files 16 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe
    "C:\Users\Admin\AppData\Local\Temp\9528313d13ec6629a64434c36e11872cc12f35232908b2a2e6a89636a199d6cd.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2256
  • C:\Users\Admin\AppData\Local\Temp\BA8B.exe
    C:\Users\Admin\AppData\Local\Temp\BA8B.exe
    1⤵
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\AudioB.exe
      "C:\Users\Admin\AppData\Local\Temp\AudioB.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2692
      • C:\Users\Admin\AppData\Local\Temp\AudioB.exe
        "C:\Users\Admin\AppData\Local\Temp\AudioB.exe"
        3⤵
        • Executes dropped EXE
        • Modifies extensions of user files
        • Enumerates connected drives
        • Suspicious use of WriteProcessMemory
        PID:3152
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2380
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:3148
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3628
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe delete shadows /all /quiet
            5⤵
            • Interacts with shadow copies
            PID:2192
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2496

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2256-114-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2256-115-0x0000000000400000-0x0000000002CBB000-memory.dmp

    Filesize

    40.7MB

    Download

  • memory/2692-149-0x0000000009CB0000-0x0000000009D4C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2692-148-0x0000000009A70000-0x0000000009A81000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2692-147-0x0000000005390000-0x0000000005422000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2692-146-0x0000000005490000-0x0000000005491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2692-145-0x0000000005420000-0x0000000005421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2692-144-0x0000000005540000-0x0000000005541000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2692-140-0x0000000000A70000-0x0000000000A71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2692-150-0x000000000C580000-0x000000000C5B1000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2696-126-0x00000000059C0000-0x00000000059C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-125-0x0000000003690000-0x0000000003691000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-136-0x0000000007890000-0x0000000007891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-134-0x0000000007510000-0x0000000007511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-133-0x00000000073F0000-0x00000000073F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-132-0x0000000007E50000-0x0000000007E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-131-0x0000000007920000-0x0000000007921000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-130-0x0000000007220000-0x0000000007221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-129-0x00000000059B0000-0x00000000059B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-128-0x0000000005850000-0x0000000005851000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-127-0x0000000005810000-0x0000000005811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-135-0x00000000077F0000-0x00000000077F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-124-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-122-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2696-121-0x0000000077000000-0x000000007718E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3040-116-0x0000000001200000-0x0000000001216000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3152-151-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3152-156-0x0000000000400000-0x0000000000418000-memory.dmp

    Filesize

    96KB

    Download