Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    26-10-2021 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c234eb09ebee0e484dca3d0f6bf3072843b89527ecd6cfa4680eb27f0b8f032.exe

  • Size

    213KB

  • MD5

    f50e748b30a91dd671d0c6fc2f8e8681

  • SHA1

    67cee6fffd5e2ab09ed92f490b2f991902ce3c85

  • SHA256

    0c234eb09ebee0e484dca3d0f6bf3072843b89527ecd6cfa4680eb27f0b8f032

  • SHA512

    f081143710eef0ae705a7b145a46e0e08cbde32db587a8485b3867d0dcc17fb2378ee49ab35198072018a02ac384ce9b9532c2c944bbcbcbd38aae79a55f9f8a

Score
10/10
raccoonsmokeloader187e8d46623768b376fedb48580157fafedb4942backdoorstealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/
rc4.i32
rc4.i32

Extracted

Family

raccoon

Botnet

187e8d46623768b376fedb48580157fafedb4942

Attributes
  • url4cnc

    http://telegin.top/frombobu98s

    http://ttmirror.top/frombobu98s

    http://teletele.top/frombobu98s

    http://telegalive.top/frombobu98s

    http://toptelete.top/frombobu98s

    http://telegraf.top/frombobu98s

    https://t.me/frombobu98s

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Drops startup file 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c234eb09ebee0e484dca3d0f6bf3072843b89527ecd6cfa4680eb27f0b8f032.exe
    "C:\Users\Admin\AppData\Local\Temp\0c234eb09ebee0e484dca3d0f6bf3072843b89527ecd6cfa4680eb27f0b8f032.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2216
  • C:\Users\Admin\AppData\Local\Temp\8180.exe
    C:\Users\Admin\AppData\Local\Temp\8180.exe
    1⤵
    • Executes dropped EXE
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      PID:4720
  • C:\Users\Admin\AppData\Local\Temp\F3C3.exe
    C:\Users\Admin\AppData\Local\Temp\F3C3.exe
    1⤵
    • Executes dropped EXE
    PID:1776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 1016
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:2440

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\8180.exe
    MD5

    0791a29b349cb041ce7a942927ec2d34

    SHA1

    3ad5f687f84082a64787808eca134db2e561bb2f

    SHA256

    305fe55e6c47c88aae2cfab4f4a45b5ceac3d08ccd6f6d42667aa826e04e9598

    SHA512

    db25f9cb727ca67b340176335f5b4b4cd0da78bb687b9adee02a741d7b7da66fa3d9fd8efd46514f727264d21373753e8ee35424765f2e5bcf91c959c90965fa

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\8180.exe
    MD5

    0791a29b349cb041ce7a942927ec2d34

    SHA1

    3ad5f687f84082a64787808eca134db2e561bb2f

    SHA256

    305fe55e6c47c88aae2cfab4f4a45b5ceac3d08ccd6f6d42667aa826e04e9598

    SHA512

    db25f9cb727ca67b340176335f5b4b4cd0da78bb687b9adee02a741d7b7da66fa3d9fd8efd46514f727264d21373753e8ee35424765f2e5bcf91c959c90965fa

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\F3C3.exe
    MD5

    248d4db4353a519f94d61b9f7f09f70f

    SHA1

    ba27bf3fcf5aa9fda7e6cab44770481c0825f4c9

    SHA256

    e74e2260c8edc4e6789ed628a428190b281b292294f4f1af2b4c669a78a710ff

    SHA512

    ffd3b84fa77728fe03d32541ddc87e285bd1174d61613181e7ef75eb7e7e4147f4a767be60c83b0a80ef02dfacf92b783a302bc776e363119f99d2ca86ffb8a0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\F3C3.exe
    MD5

    248d4db4353a519f94d61b9f7f09f70f

    SHA1

    ba27bf3fcf5aa9fda7e6cab44770481c0825f4c9

    SHA256

    e74e2260c8edc4e6789ed628a428190b281b292294f4f1af2b4c669a78a710ff

    SHA512

    ffd3b84fa77728fe03d32541ddc87e285bd1174d61613181e7ef75eb7e7e4147f4a767be60c83b0a80ef02dfacf92b783a302bc776e363119f99d2ca86ffb8a0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    MD5

    0791a29b349cb041ce7a942927ec2d34

    SHA1

    3ad5f687f84082a64787808eca134db2e561bb2f

    SHA256

    305fe55e6c47c88aae2cfab4f4a45b5ceac3d08ccd6f6d42667aa826e04e9598

    SHA512

    db25f9cb727ca67b340176335f5b4b4cd0da78bb687b9adee02a741d7b7da66fa3d9fd8efd46514f727264d21373753e8ee35424765f2e5bcf91c959c90965fa

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
    MD5

    0791a29b349cb041ce7a942927ec2d34

    SHA1

    3ad5f687f84082a64787808eca134db2e561bb2f

    SHA256

    305fe55e6c47c88aae2cfab4f4a45b5ceac3d08ccd6f6d42667aa826e04e9598

    SHA512

    db25f9cb727ca67b340176335f5b4b4cd0da78bb687b9adee02a741d7b7da66fa3d9fd8efd46514f727264d21373753e8ee35424765f2e5bcf91c959c90965fa

    Download Submit
  • memory/1776-129-0x0000000000000000-mapping.dmp
    Download
  • memory/1776-132-0x0000000004A10000-0x0000000004A5E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1776-134-0x0000000000400000-0x0000000002F42000-memory.dmp
    Filesize

    43.3MB

    Download
  • memory/1776-133-0x0000000004AA0000-0x0000000004B2E000-memory.dmp
    Filesize

    568KB

    Download
  • memory/2216-115-0x0000000002F00000-0x000000000304A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2216-116-0x0000000002F00000-0x000000000304A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2216-117-0x0000000000400000-0x0000000002EFC000-memory.dmp
    Filesize

    43.0MB

    Download
  • memory/3056-118-0x0000000000720000-0x0000000000736000-memory.dmp
    Filesize

    88KB

    Download
  • memory/4580-124-0x0000000000400000-0x0000000002F73000-memory.dmp
    Filesize

    43.4MB

    Download
  • memory/4580-122-0x0000000003210000-0x0000000003290000-memory.dmp
    Filesize

    512KB

    Download
  • memory/4580-123-0x0000000004CA0000-0x0000000004D31000-memory.dmp
    Filesize

    580KB

    Download
  • memory/4580-119-0x0000000000000000-mapping.dmp
    Download
  • memory/4720-125-0x0000000000000000-mapping.dmp
    Download
  • memory/4720-128-0x0000000000400000-0x0000000002F73000-memory.dmp
    Filesize

    43.4MB

    Download