Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    26-01-2022 20:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe

  • Size

    333KB

  • MD5

    5442c936447943b763574d001e77a70b

  • SHA1

    b0dd0c3c0642bc5c175b4ef593b14ef36a6818bb

  • SHA256

    c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d

  • SHA512

    decf02649002a0e7f468a15ee074cd6bb4eed3af47167fe619cd42bd042f1c9707c9b6536ebdff12e14ac5851be2b48fc72e5a70d62c3033573d1523c1c3e83e

Score
10/10
smokeloaderbackdoorpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://kotabuki.com/

http://slusextense.com/

http://purekidboo.com/

http://wildzipcode.biz/
rc4.i32
rc4.i32

Signatures

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Drops file in Windows directory 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe
    "C:\Users\Admin\AppData\Local\Temp\c65fa1c272dfed333cc5998c8a49afb64f1e29ee034d2028486535e7e312689d.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3488
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 9ad774db45cc7e04bd9dd4004e39e18e IAiw3QMFREyAlT8sP+zOFQ.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1032
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
      PID:2128
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 804
        2⤵
        • Drops file in Windows directory
        • Program crash
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      1⤵
        PID:2176
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2128 -ip 2128
        1⤵
        • Suspicious use of NtCreateProcessExOtherParentProcess
        • Suspicious use of WriteProcessMemory
        PID:2184

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      3
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2128-134-0x00000000034C0000-0x0000000003534000-memory.dmp
        Filesize

        464KB

        Download
      • memory/2128-135-0x0000000003450000-0x00000000034BB000-memory.dmp
        Filesize

        428KB

        Download
      • memory/2176-136-0x0000000000100000-0x000000000010C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/2308-133-0x0000000000CB0000-0x0000000000CC6000-memory.dmp
        Filesize

        88KB

        Download
      • memory/3488-130-0x00000000005B0000-0x00000000005DB000-memory.dmp
        Filesize

        172KB

        Download
      • memory/3488-131-0x0000000000540000-0x0000000000549000-memory.dmp
        Filesize

        36KB

        Download
      • memory/3488-132-0x0000000000400000-0x000000000047E000-memory.dmp
        Filesize

        504KB

        Download