Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    16-12-2021 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfdc8e0c68dd10c2f8053070533a387d01f1f3a81e30ae36902a3082466a2278.exe

  • Size

    333KB

  • MD5

    81b268f1a348d1f423f4ca65c145cbbc

  • SHA1

    da52d8917c0d3b7c835349dff771dfa9a76bc5b3

  • SHA256

    dfdc8e0c68dd10c2f8053070533a387d01f1f3a81e30ae36902a3082466a2278

  • SHA512

    4141e8aa05d104ea0bc1c90d65c7c7a25c8fa5d047220e9e5eb08e453c2ae9d4499dbe70099a07fb734b805afd81eafae0d26e364356316c763c8aab6b8b6222

Score
10/10
arkeiicedidredlinesmokeloadertofseevkeyloggerxmrig223372020928backdoorbankercollectiondiscoveryevasioninfostealerkeyloggerminerpersistencespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://host-data-coin-11.com/

http://file-coin-host-12.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

icedid

Campaign

3372020928

C2

jeliskvosh.com

Extracted

Family

tofsee

C2

mubrikych.top

oxxyfix.xyz

Extracted

Family

redline

Botnet

22

C2

195.133.47.114:38127

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://45.77.127.230:8888

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • IcedID, BokBot

    IcedID is a banking trojan capable of stealing credentials.

    trojanbankericedid
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • VKeylogger

    A keylogger first seen in Nov 2020.

    stealerkeyloggervkeylogger
  • VKeylogger Payload 3 IoCs
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Arkei Stealer Payload 3 IoCs
    stealer
  • XMRig Miner Payload 1 IoCs
    miner
  • Blocklisted process makes network request 3 IoCs
  • Blocks application from running via registry modification

    Adds application to list of disallowed applications.

    evasion
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 15 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfdc8e0c68dd10c2f8053070533a387d01f1f3a81e30ae36902a3082466a2278.exe
    "C:\Users\Admin\AppData\Local\Temp\dfdc8e0c68dd10c2f8053070533a387d01f1f3a81e30ae36902a3082466a2278.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2552
    • C:\Users\Admin\AppData\Local\Temp\dfdc8e0c68dd10c2f8053070533a387d01f1f3a81e30ae36902a3082466a2278.exe
      "C:\Users\Admin\AppData\Local\Temp\dfdc8e0c68dd10c2f8053070533a387d01f1f3a81e30ae36902a3082466a2278.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1328
  • C:\Users\Admin\AppData\Local\Temp\348.exe
    C:\Users\Admin\AppData\Local\Temp\348.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\348.exe
      C:\Users\Admin\AppData\Local\Temp\348.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:1424
  • C:\Users\Admin\AppData\Local\Temp\FFB.exe
    C:\Users\Admin\AppData\Local\Temp\FFB.exe
    1⤵
    • Executes dropped EXE
    PID:2884
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 476
      2⤵
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Program crash
      • Suspicious use of AdjustPrivilegeToken
      PID:704
  • C:\Users\Admin\AppData\Local\Temp\1E82.exe
    C:\Users\Admin\AppData\Local\Temp\1E82.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1412
  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\21CF.dll
    1⤵
    • Loads dropped DLL
    PID:604
  • C:\Users\Admin\AppData\Local\Temp\2DC7.exe
    C:\Users\Admin\AppData\Local\Temp\2DC7.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks processor information in registry
    PID:1048
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2DC7.exe" & exit
      2⤵
        PID:2404
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          3⤵
          • Delays execution with timeout.exe
          PID:3036
    • C:\Users\Admin\AppData\Local\Temp\322D.exe
      C:\Users\Admin\AppData\Local\Temp\322D.exe
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:936
    • C:\Users\Admin\AppData\Local\Temp\3AAA.exe
      C:\Users\Admin\AppData\Local\Temp\3AAA.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\epxsdtkc\
        2⤵
          PID:3668
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ottujyj.exe" C:\Windows\SysWOW64\epxsdtkc\
          2⤵
            PID:1664
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" create epxsdtkc binPath= "C:\Windows\SysWOW64\epxsdtkc\ottujyj.exe /d\"C:\Users\Admin\AppData\Local\Temp\3AAA.exe\"" type= own start= auto DisplayName= "wifi support"
            2⤵
              PID:3692
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" description epxsdtkc "wifi internet conection"
              2⤵
                PID:708
              • C:\Windows\SysWOW64\sc.exe
                "C:\Windows\System32\sc.exe" start epxsdtkc
                2⤵
                  PID:64
                • C:\Windows\SysWOW64\netsh.exe
                  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                  2⤵
                    PID:2264
                • C:\Users\Admin\AppData\Local\Temp\521B.exe
                  C:\Users\Admin\AppData\Local\Temp\521B.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:1516
                  • C:\Users\Admin\AppData\Local\Temp\521B.exe
                    C:\Users\Admin\AppData\Local\Temp\521B.exe
                    2⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:1780
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noexit
                      3⤵
                      • Blocklisted process makes network request
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2980
                • C:\Users\Admin\AppData\Local\Temp\56FE.exe
                  C:\Users\Admin\AppData\Local\Temp\56FE.exe
                  1⤵
                  • Executes dropped EXE
                  • Modifies system certificate store
                  PID:4036
                • C:\Users\Admin\AppData\Local\Temp\5A3B.exe
                  C:\Users\Admin\AppData\Local\Temp\5A3B.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3796
                • C:\Users\Admin\AppData\Local\Temp\5FF8.exe
                  C:\Users\Admin\AppData\Local\Temp\5FF8.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: MapViewOfSection
                  PID:1800
                  • C:\Windows\SysWOW64\explorer.exe
                    "C:\Windows\SysWOW64\explorer.exe"
                    2⤵
                    • Adds Run key to start application
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of FindShellTrayWindow
                    PID:2648
                • C:\Windows\SysWOW64\epxsdtkc\ottujyj.exe
                  C:\Windows\SysWOW64\epxsdtkc\ottujyj.exe /d"C:\Users\Admin\AppData\Local\Temp\3AAA.exe"
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:2372
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe
                    2⤵
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Modifies data under HKEY_USERS
                    PID:2900
                    • C:\Windows\SysWOW64\svchost.exe
                      svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                      3⤵
                        PID:3052
                  • C:\Users\Admin\AppData\Local\Temp\6885.exe
                    C:\Users\Admin\AppData\Local\Temp\6885.exe
                    1⤵
                    • Executes dropped EXE
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    PID:2308
                  • C:\Users\Admin\AppData\Local\Temp\71.exe
                    C:\Users\Admin\AppData\Local\Temp\71.exe
                    1⤵
                    • Executes dropped EXE
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    PID:4012
                  • C:\Windows\SysWOW64\explorer.exe
                    C:\Windows\SysWOW64\explorer.exe
                    1⤵
                    • Accesses Microsoft Outlook profiles
                    • outlook_office_path
                    • outlook_win_path
                    PID:1360
                  • C:\Windows\explorer.exe
                    C:\Windows\explorer.exe
                    1⤵
                      PID:2144

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/604-161-0x0000000000CC0000-0x0000000000CCA000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/936-173-0x0000000000400000-0x00000000004CD000-memory.dmp

                      Filesize

                      820KB

                      Download

                    • memory/936-172-0x00000000005C0000-0x000000000070A000-memory.dmp

                      Filesize

                      1.3MB

                      Download

                    • memory/936-171-0x0000000000766000-0x0000000000777000-memory.dmp

                      Filesize

                      68KB

                      Download

                    • memory/1048-169-0x00000000020E0000-0x00000000020FC000-memory.dmp

                      Filesize

                      112KB

                      Download

                    • memory/1048-170-0x0000000000400000-0x00000000004D6000-memory.dmp

                      Filesize

                      856KB

                      Download

                    • memory/1328-116-0x0000000000400000-0x0000000000409000-memory.dmp

                      Filesize

                      36KB

                      Download

                    • memory/1360-373-0x0000000000E40000-0x0000000000EAB000-memory.dmp

                      Filesize

                      428KB

                      Download

                    • memory/1360-372-0x0000000000EB0000-0x0000000000F24000-memory.dmp

                      Filesize

                      464KB

                      Download

                    • memory/1412-148-0x0000000005940000-0x0000000005941000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1412-136-0x0000000074D70000-0x0000000074F32000-memory.dmp

                      Filesize

                      1.8MB

                      Download

                    • memory/1412-145-0x00000000058E0000-0x00000000058E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1412-147-0x0000000005A20000-0x0000000005A21000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1412-135-0x0000000001200000-0x0000000001201000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1412-134-0x00000000002A0000-0x0000000000309000-memory.dmp

                      Filesize

                      420KB

                      Download

                    • memory/1412-141-0x0000000072030000-0x00000000720B0000-memory.dmp

                      Filesize

                      512KB

                      Download

                    • memory/1412-139-0x00000000002A0000-0x00000000002A1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1412-153-0x0000000070280000-0x00000000702CB000-memory.dmp

                      Filesize

                      300KB

                      Download

                    • memory/1412-138-0x0000000074C20000-0x0000000074D11000-memory.dmp

                      Filesize

                      964KB

                      Download

                    • memory/1412-152-0x0000000005980000-0x0000000005981000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1412-137-0x0000000002F20000-0x0000000002F65000-memory.dmp

                      Filesize

                      276KB

                      Download

                    • memory/1412-143-0x0000000006030000-0x0000000006031000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1412-151-0x0000000076090000-0x00000000773D8000-memory.dmp

                      Filesize

                      19.3MB

                      Download

                    • memory/1412-150-0x0000000075650000-0x0000000075BD4000-memory.dmp

                      Filesize

                      5.5MB

                      Download

                    • memory/1412-149-0x0000000005A10000-0x0000000005A11000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/1780-191-0x0000000000400000-0x000000000040F000-memory.dmp

                      Filesize

                      60KB

                      Download

                    • memory/1780-177-0x0000000000400000-0x000000000040F000-memory.dmp

                      Filesize

                      60KB

                      Download

                    • memory/1800-268-0x0000000000930000-0x000000000093E000-memory.dmp

                      Filesize

                      56KB

                      Download

                    • memory/1800-269-0x0000000000400000-0x000000000081A000-memory.dmp

                      Filesize

                      4.1MB

                      Download

                    • memory/1800-267-0x0000000000030000-0x000000000003A000-memory.dmp

                      Filesize

                      40KB

                      Download

                    • memory/2144-375-0x00000000003D0000-0x00000000003D7000-memory.dmp

                      Filesize

                      28KB

                      Download

                    • memory/2144-376-0x00000000003C0000-0x00000000003CC000-memory.dmp

                      Filesize

                      48KB

                      Download

                    • memory/2308-259-0x00000000005B0000-0x00000000005F5000-memory.dmp

                      Filesize

                      276KB

                      Download

                    • memory/2372-290-0x0000000000400000-0x00000000004D5000-memory.dmp

                      Filesize

                      852KB

                      Download

                    • memory/2520-200-0x0000000000400000-0x00000000004D5000-memory.dmp

                      Filesize

                      852KB

                      Download

                    • memory/2520-197-0x00000000001D0000-0x00000000001E3000-memory.dmp

                      Filesize

                      76KB

                      Download

                    • memory/2552-115-0x00000000007B6000-0x00000000007C6000-memory.dmp

                      Filesize

                      64KB

                      Download

                    • memory/2552-118-0x00000000004E0000-0x000000000062A000-memory.dmp

                      Filesize

                      1.3MB

                      Download

                    • memory/2648-319-0x0000000000DF0000-0x0000000000DFF000-memory.dmp

                      Filesize

                      60KB

                      Download

                    • memory/2884-156-0x0000000000400000-0x00000000004CD000-memory.dmp

                      Filesize

                      820KB

                      Download

                    • memory/2884-155-0x00000000004D0000-0x000000000057E000-memory.dmp

                      Filesize

                      696KB

                      Download

                    • memory/2900-291-0x00000000007B0000-0x00000000007C5000-memory.dmp

                      Filesize

                      84KB

                      Download

                    • memory/2980-186-0x0000000007880000-0x0000000007881000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-189-0x00000000081A0000-0x00000000081A1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-181-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-227-0x00000000096B0000-0x00000000096B1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-182-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-183-0x0000000007150000-0x0000000007151000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-184-0x0000000007920000-0x0000000007921000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-253-0x000000000A190000-0x000000000A191000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-254-0x0000000009B10000-0x0000000009B11000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-210-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-187-0x0000000007F50000-0x0000000007F51000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-266-0x00000000072E3000-0x00000000072E4000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-188-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-192-0x00000000072E0000-0x00000000072E1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-194-0x00000000072E2000-0x00000000072E3000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-240-0x00000000097B0000-0x00000000097B1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/2980-193-0x0000000008600000-0x0000000008601000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3012-244-0x0000000004420000-0x0000000004436000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/3012-119-0x00000000005E0000-0x00000000005F6000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/3012-157-0x0000000002060000-0x0000000002076000-memory.dmp

                      Filesize

                      88KB

                      Download

                    • memory/3436-130-0x00000000004E0000-0x000000000062A000-memory.dmp

                      Filesize

                      1.3MB

                      Download

                    • memory/3436-126-0x0000000000716000-0x0000000000727000-memory.dmp

                      Filesize

                      68KB

                      Download

                    • memory/3796-206-0x0000000000120000-0x0000000000121000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/3796-216-0x00000000048F0000-0x0000000004EF6000-memory.dmp

                      Filesize

                      6.0MB

                      Download

                    • memory/4012-366-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4012-363-0x0000000001200000-0x00000000012AE000-memory.dmp

                      Filesize

                      696KB

                      Download

                    • memory/4036-243-0x0000000000A45000-0x0000000000A46000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4036-214-0x0000000000A40000-0x0000000000A42000-memory.dmp

                      Filesize

                      8KB

                      Download