Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    24-12-2021 12:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c404d536689d4aae9855077a70370115dfb217d9c31ddd401029318dea33d10c.exe

  • Size

    291KB

  • MD5

    0e3ef0c72f7380b2ee49f99491e9cee8

  • SHA1

    a9fbfc6e8b5a61c01a58a909727912b2f6a64259

  • SHA256

    c404d536689d4aae9855077a70370115dfb217d9c31ddd401029318dea33d10c

  • SHA512

    8de48c221004fca6a08efb44203bd69d1bc33648362273bedcf76144f660dfdf73217880b357e53ac346e2043fba35616597e66c1c927b09e23ede2c63ec044c

Score
10/10
amadeyneshtasmokeloaderbackdoorpersistencespywarestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/
rc4.i32
rc4.i32

Extracted

Family

amadey

Version

2.86

C2

2.56.56.210/notAnoob/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detect Neshta Payload 12 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Deletes itself 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c404d536689d4aae9855077a70370115dfb217d9c31ddd401029318dea33d10c.exe
    "C:\Users\Admin\AppData\Local\Temp\c404d536689d4aae9855077a70370115dfb217d9c31ddd401029318dea33d10c.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2676
  • C:\Users\Admin\AppData\Local\Temp\C971.exe
    C:\Users\Admin\AppData\Local\Temp\C971.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:304
    • C:\ProgramData\5954_1640339821_5793.exe
      "C:\ProgramData\5954_1640339821_5793.exe"
      2⤵
      • Modifies system executable filetype association
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe
        "C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe"
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2848
        • C:\Windows\svchost.com
          "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
            C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
            5⤵
            • Executes dropped EXE
            PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
    MD5

    58f9bc16408d4db56519691315bb8a75

    SHA1

    ac94543044371e3ea49918eb0f114a29ab303004

    SHA256

    5562973f2b3aa9d0c6184143360f7861b4129605f5e63b896ad815f381e6475b

    SHA512

    e1884456f86bb7cf7d268942f6fc1bacaa550eac31aaf186d9e95c15bdc41d05638cfdea1762c92681225af72008d251b101e8f291e3a74f382832336b82d39d

    Download Submit
  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
    MD5

    cce8964848413b49f18a44da9cb0a79b

    SHA1

    0b7452100d400acebb1c1887542f322a92cbd7ae

    SHA256

    fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

    SHA512

    bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

    Download Submit
  • C:\ProgramData\5954_1640339821_5793.exe
    MD5

    05ac7818089aaed02ed5320d50f47132

    SHA1

    f9dfd169342637416bdc47d3d6ac6a31f062577f

    SHA256

    bd5a15ce7b5a16bde1c0a182285da7d47d64e2b1542d57947a139d5bd0a31e70

    SHA512

    1a32853839ca5b0cc1fbc45cbda944cc3681ff0c1e6bbe7e37cbeb60a2e7d400c214b85fd29c8fae72cd098e0bd312256a70d230e2404e2202b8d63c236fc53d

    Download Submit
  • C:\ProgramData\5954_1640339821_5793.exe
    MD5

    05ac7818089aaed02ed5320d50f47132

    SHA1

    f9dfd169342637416bdc47d3d6ac6a31f062577f

    SHA256

    bd5a15ce7b5a16bde1c0a182285da7d47d64e2b1542d57947a139d5bd0a31e70

    SHA512

    1a32853839ca5b0cc1fbc45cbda944cc3681ff0c1e6bbe7e37cbeb60a2e7d400c214b85fd29c8fae72cd098e0bd312256a70d230e2404e2202b8d63c236fc53d

    Download Submit
  • C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
    MD5

    8a403bc371b84920c641afa3cf9fef2f

    SHA1

    d6c9d38f3e571b54132dd7ee31a169c683abfd63

    SHA256

    614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

    SHA512

    b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

    Download Submit
  • C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
    MD5

    32853955255a94fcd7587ca9cbfe2b60

    SHA1

    c33a88184c09e89598f0cabf68ce91c8d5791521

    SHA256

    64df64b39ac4391aea14eb48b0489e6a970a3ea44c02c6a8f10c278cc0636330

    SHA512

    8566b69668729d70567ff494de8f241329baf2a7748ab0ebf5a53308c3e53e646100af4f6fc33325f3851030d11ff045a7e85e5897008e95c991990d8f80a997

    Download Submit
  • C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
    MD5

    f6636e7fd493f59a5511f08894bba153

    SHA1

    3618061817fdf1155acc0c99b7639b30e3b6936c

    SHA256

    61720d294189141b74631299911d91874aa02e67096a47cfaf56ef03f568bd33

    SHA512

    bd2ae751a37b4c065f0d7f7f7ec19785c1552dfaa4818fdb213fffcf90b7951886131a2b5d7aad843f714be418383fcf09ba1d9548bdbf38fa3d304a092a33d1

    Download Submit
  • C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
    MD5

    3e8de969e12cd5e6292489a12a9834b6

    SHA1

    285b89585a09ead4affa32ecaaa842bc51d53ad5

    SHA256

    7a25fc3b1ce0f1d06a84dd344c8f5a6c4604732f7d13a8aaad504c4376b305cf

    SHA512

    b14a5936181a1d8c0f966d969a049254238bf1eacdb1da952c2dc084d5d6dcd5d611d2d058d4c00d6384c20046deef5e74ea865c0062bb0761a391a1eaf1640e

    Download Submit
  • C:\Users\ALLUSE~1\PACKAG~1\{F4220~1\VC_RED~1.EXE
    MD5

    3ce8289aa50e980f2a6565fe0dc74ff6

    SHA1

    0c8d577e833416761e4702b77fa6b3c7defab628

    SHA256

    add2079306b5c23b79fef64ce989021356c1117e8326782193e1b05b65e59654

    SHA512

    97cff5dc208a588c5491e645b8e733370a724e2dbe1d4786a22ec375b0772acf42c66c85083663424ebdc54190bb24321891a8b44e70c6145bc55b773c919e35

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe
    MD5

    47d324d0398317af1f842dd2a271c3f0

    SHA1

    045937d0083abe615ce4780684f500dfde4c550b

    SHA256

    0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

    SHA512

    ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\3582-490\5954_1640339821_5793.exe
    MD5

    47d324d0398317af1f842dd2a271c3f0

    SHA1

    045937d0083abe615ce4780684f500dfde4c550b

    SHA256

    0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

    SHA512

    ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
    MD5

    47d324d0398317af1f842dd2a271c3f0

    SHA1

    045937d0083abe615ce4780684f500dfde4c550b

    SHA256

    0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

    SHA512

    ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\A0383E~1\tkools.exe
    MD5

    47d324d0398317af1f842dd2a271c3f0

    SHA1

    045937d0083abe615ce4780684f500dfde4c550b

    SHA256

    0247ed2604b2aea96511a96de88d6925040d26bc7239ab05968caf64210b1b50

    SHA512

    ecfffe8d7eab4e627adc71ddc13cc9aaaf814fb76f9eaf9cfc11f9ecb6c4d3a653a7be67b803f47859bb0f475cf5eced2e9491c660bed4cc7cf6c7210c210823

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\C971.exe
    MD5

    ac696ff26dae3d008a7f1a8a33a6c067

    SHA1

    0e450582db291be053ac6a4ccf722dc4441b1f2e

    SHA256

    44e08debeddf1bf932fd76e0fd0088eb196c036c92d662601ac8b55fe10528b9

    SHA512

    1e049cc4cdd0e6dc4f38771f271a8021ad5c771024ed9cc3aea787d184a976f84778fc127ff2ab67cb79e0621ddc60b4b872393f4fabb0dfceb977409f66c0c6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\C971.exe
    MD5

    ac696ff26dae3d008a7f1a8a33a6c067

    SHA1

    0e450582db291be053ac6a4ccf722dc4441b1f2e

    SHA256

    44e08debeddf1bf932fd76e0fd0088eb196c036c92d662601ac8b55fe10528b9

    SHA512

    1e049cc4cdd0e6dc4f38771f271a8021ad5c771024ed9cc3aea787d184a976f84778fc127ff2ab67cb79e0621ddc60b4b872393f4fabb0dfceb977409f66c0c6

    Download Submit
  • C:\Windows\svchost.com
    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

    Download Submit
  • C:\Windows\svchost.com
    MD5

    36fd5e09c417c767a952b4609d73a54b

    SHA1

    299399c5a2403080a5bf67fb46faec210025b36d

    SHA256

    980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

    SHA512

    1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

    Download Submit
  • C:\odt\OFFICE~1.EXE
    MD5

    02c3d242fe142b0eabec69211b34bc55

    SHA1

    ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

    SHA256

    2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

    SHA512

    0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

    Download Submit
  • memory/304-125-0x000001406C9C0000-0x000001406C9C2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/304-124-0x000001406C9D0000-0x000001406C9F4000-memory.dmp
    Filesize

    144KB

    Download
  • memory/304-123-0x000001406C620000-0x000001406C6C8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/304-122-0x000001406C620000-0x000001406C6C8000-memory.dmp
    Filesize

    672KB

    Download
  • memory/304-119-0x0000000000000000-mapping.dmp
    Download
  • memory/852-136-0x0000000000000000-mapping.dmp
    Download
  • memory/1012-126-0x0000000000000000-mapping.dmp
    Download
  • memory/1636-132-0x0000000000000000-mapping.dmp
    Download
  • memory/2676-115-0x0000000000776000-0x0000000000786000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2676-117-0x0000000000400000-0x00000000004C9000-memory.dmp
    Filesize

    804KB

    Download
  • memory/2676-116-0x00000000004D0000-0x000000000061A000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/2848-129-0x0000000000000000-mapping.dmp
    Download
  • memory/3000-118-0x00000000013E0000-0x00000000013F6000-memory.dmp
    Filesize

    88KB

    Download