Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    12-10-2021 09:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe

  • Size

    175KB

  • MD5

    16dac496ddda6108f8a0a5f5c29f777f

  • SHA1

    9fc6750104fac8148800c9144aeee4e52a491b02

  • SHA256

    2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb

  • SHA512

    f67a5a40f04e76d763257567105409d06e7c08b5426f0bd24886d54e6187c9e5d35549cae80b2af81852b4da773e0e53606e4ff268edaaf034c16113a3e88638

Score
10/10
arkeiraccoonredlineservhelpersmokeloaderxmrig1598d179b9e611eee525425544ee8c6d77360ab7cd9w1backdoordiscoveryevasioninfostealerminerpersistencespywarestealerthemidatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

159

C2

190.2.136.29:3279

Extracted

Family

redline

Botnet

w1

C2

109.234.34.165:12323

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes
  • url4cnc

    http://teletop.top/agrybirdsgamerept

    http://teleta.top/agrybirdsgamerept

    https://t.me/agrybirdsgamerept

rc4.plain
rc4.plain

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Arkei Stealer Payload 4 IoCs
    stealer
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 10 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe
    "C:\Users\Admin\AppData\Local\Temp\2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Users\Admin\AppData\Local\Temp\2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe
      "C:\Users\Admin\AppData\Local\Temp\2ce71601fa23b3340d351bcf4a7ce45ba8c207df3be62146f987fba298b05bfb.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2080
  • C:\Users\Admin\AppData\Local\Temp\F860.exe
    C:\Users\Admin\AppData\Local\Temp\F860.exe
    1⤵
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1224
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1264
      2⤵
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:3256
  • C:\Users\Admin\AppData\Local\Temp\FDFE.exe
    C:\Users\Admin\AppData\Local\Temp\FDFE.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2980
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3764
  • C:\Users\Admin\AppData\Local\Temp\9E6.exe
    C:\Users\Admin\AppData\Local\Temp\9E6.exe
    1⤵
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    PID:2648
  • C:\Users\Admin\AppData\Local\Temp\1224.exe
    C:\Users\Admin\AppData\Local\Temp\1224.exe
    1⤵
    • Executes dropped EXE
    PID:952
  • C:\Users\Admin\AppData\Local\Temp\1AE0.exe
    C:\Users\Admin\AppData\Local\Temp\1AE0.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Users\Admin\AppData\Local\Temp\475362202.exe
      "C:\Users\Admin\AppData\Local\Temp\475362202.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Users\Admin\AppData\Local\Temp\475362202.exe
        C:\Users\Admin\AppData\Local\Temp\475362202.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\SysWOW64\schtasks.exe
          /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
          4⤵
          • Creates scheduled task(s)
          PID:3556
  • C:\Users\Admin\AppData\Local\Temp\2F82.exe
    C:\Users\Admin\AppData\Local\Temp\2F82.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3580
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rudw1t01\rudw1t01.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1356
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6571.tmp" "c:\Users\Admin\AppData\Local\Temp\rudw1t01\CSC5D483C6DF943CB8D111B916C7B4922.TMP"
          4⤵
            PID:1260
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2596
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1652
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:964
        • C:\Windows\SysWOW64\reg.exe
          "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
          3⤵
            PID:2068
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
            3⤵
            • Modifies registry key
            PID:1220
          • C:\Windows\SysWOW64\reg.exe
            "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
            3⤵
              PID:1540
            • C:\Windows\SysWOW64\net.exe
              "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
              3⤵
                PID:2532
                • C:\Windows\SysWOW64\net1.exe
                  C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                  4⤵
                    PID:340
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                  3⤵
                    PID:1064
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd /c net start rdpdr
                      4⤵
                        PID:1344
                        • C:\Windows\SysWOW64\net.exe
                          net start rdpdr
                          5⤵
                            PID:3064
                            • C:\Windows\SysWOW64\net1.exe
                              C:\Windows\system32\net1 start rdpdr
                              6⤵
                                PID:648
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                          3⤵
                            PID:2164
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd /c net start TermService
                              4⤵
                                PID:1612
                                • C:\Windows\SysWOW64\net.exe
                                  net start TermService
                                  5⤵
                                    PID:3068
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 start TermService
                                      6⤵
                                        PID:1772
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                                  3⤵
                                    PID:3808
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                                    3⤵
                                      PID:380
                                • C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                                  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetThreadContext
                                  PID:1356
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                                    C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
                                    2⤵
                                    • Executes dropped EXE
                                    PID:3488
                                    • C:\Windows\SysWOW64\schtasks.exe
                                      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
                                      3⤵
                                      • Creates scheduled task(s)
                                      PID:3896

                                Network

                                MITRE ATT&CK Enterprise v6

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • memory/632-114-0x0000000000611000-0x000000000061A000-memory.dmp

                                  Filesize

                                  36KB

                                  Download

                                • memory/632-115-0x0000000000030000-0x0000000000039000-memory.dmp

                                  Filesize

                                  36KB

                                  Download

                                • memory/792-197-0x0000000005600000-0x0000000005601000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/792-195-0x0000000005E10000-0x0000000005E11000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/792-201-0x0000000006310000-0x0000000006311000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/792-194-0x0000000005602000-0x0000000005603000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/792-205-0x00000000055F0000-0x00000000055F1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/792-196-0x0000000005603000-0x0000000005604000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/792-189-0x0000000000A43000-0x0000000000E49000-memory.dmp

                                  Filesize

                                  4.0MB

                                  Download

                                • memory/792-193-0x0000000000400000-0x0000000000841000-memory.dmp

                                  Filesize

                                  4.3MB

                                  Download

                                • memory/792-206-0x0000000005604000-0x0000000005605000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/792-192-0x0000000000E50000-0x0000000001252000-memory.dmp

                                  Filesize

                                  4.0MB

                                  Download

                                • memory/792-190-0x0000000005A10000-0x0000000005E0F000-memory.dmp

                                  Filesize

                                  4.0MB

                                  Download

                                • memory/952-142-0x0000000000841000-0x0000000000890000-memory.dmp

                                  Filesize

                                  316KB

                                  Download

                                • memory/952-180-0x00000000004A0000-0x00000000005EA000-memory.dmp

                                  Filesize

                                  1.3MB

                                  Download

                                • memory/952-184-0x0000000000400000-0x0000000000491000-memory.dmp

                                  Filesize

                                  580KB

                                  Download

                                • memory/964-905-0x000000007F130000-0x000000007F131000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/964-811-0x0000000004462000-0x0000000004463000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/964-810-0x0000000004460000-0x0000000004461000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1224-124-0x00000000779F0000-0x0000000077B7E000-memory.dmp

                                  Filesize

                                  1.6MB

                                  Download

                                • memory/1224-130-0x0000000000400000-0x0000000000B71000-memory.dmp

                                  Filesize

                                  7.4MB

                                  Download

                                • memory/1224-122-0x0000000000400000-0x0000000000B71000-memory.dmp

                                  Filesize

                                  7.4MB

                                  Download

                                • memory/1224-123-0x0000000000400000-0x0000000000B71000-memory.dmp

                                  Filesize

                                  7.4MB

                                  Download

                                • memory/1224-125-0x0000000000400000-0x0000000000B71000-memory.dmp

                                  Filesize

                                  7.4MB

                                  Download

                                • memory/1224-126-0x0000000000400000-0x0000000000B71000-memory.dmp

                                  Filesize

                                  7.4MB

                                  Download

                                • memory/1356-1133-0x0000000002C60000-0x0000000002CD6000-memory.dmp

                                  Filesize

                                  472KB

                                  Download

                                • memory/1648-289-0x0000000000400000-0x0000000000406000-memory.dmp

                                  Filesize

                                  24KB

                                  Download

                                • memory/1652-556-0x0000000007050000-0x0000000007051000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1652-557-0x0000000007052000-0x0000000007053000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1652-582-0x000000007F020000-0x000000007F021000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1932-253-0x0000000005950000-0x0000000005951000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2080-116-0x0000000000400000-0x0000000000409000-memory.dmp

                                  Filesize

                                  36KB

                                  Download

                                • memory/2428-118-0x0000000000470000-0x0000000000486000-memory.dmp

                                  Filesize

                                  88KB

                                  Download

                                • memory/2596-301-0x0000000006BE2000-0x0000000006BE3000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2596-300-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2596-326-0x000000007ED90000-0x000000007ED91000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2648-148-0x0000000005300000-0x0000000005301000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2648-163-0x0000000005340000-0x0000000005341000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2648-134-0x00000000779F0000-0x0000000077B7E000-memory.dmp

                                  Filesize

                                  1.6MB

                                  Download

                                • memory/2648-137-0x0000000001360000-0x0000000001361000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2648-145-0x0000000005A20000-0x0000000005A21000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2648-146-0x00000000052A0000-0x00000000052A1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2648-147-0x0000000005410000-0x0000000005411000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2648-200-0x0000000006B00000-0x0000000006B01000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2648-198-0x0000000006400000-0x0000000006401000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2648-149-0x0000000005400000-0x0000000005401000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3536-185-0x00000000051C4000-0x00000000051C5000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3536-159-0x0000000000750000-0x0000000000781000-memory.dmp

                                  Filesize

                                  196KB

                                  Download

                                • memory/3536-212-0x00000000079B0000-0x00000000079B1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3536-203-0x0000000007150000-0x0000000007151000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3536-168-0x0000000002760000-0x000000000277C000-memory.dmp

                                  Filesize

                                  112KB

                                  Download

                                • memory/3536-179-0x00000000051C0000-0x00000000051C1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3536-220-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3536-181-0x00000000051C2000-0x00000000051C3000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3536-182-0x00000000051C3000-0x00000000051C4000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3580-228-0x0000000006740000-0x0000000006741000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3580-229-0x0000000006742000-0x0000000006743000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3580-263-0x0000000006743000-0x0000000006744000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3764-165-0x0000000000400000-0x0000000000401000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/3764-150-0x0000000000400000-0x0000000000422000-memory.dmp

                                  Filesize

                                  136KB

                                  Download

                                • memory/3764-183-0x0000000004DD0000-0x00000000053D6000-memory.dmp

                                  Filesize

                                  6.0MB

                                  Download