Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    05-06-2022 04:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d1ad011fe83db3962763da2d2deb11b4c95c6840401c13147204bd67a6a88a1c.exe

  • Size

    310KB

  • MD5

    8afbf4b9402bd31fbfbdb3a7ba46b5a6

  • SHA1

    b080adea8cf5a7bb04217890414e37bc66717e6c

  • SHA256

    d1ad011fe83db3962763da2d2deb11b4c95c6840401c13147204bd67a6a88a1c

  • SHA512

    42e67e84f09dfeb6f693fd6f1cb031b27d38ea9b2f3e2ee01dd79423da34c5b0ec57226cfe7eabdf150014cf2516f8ea386ee470d32dc0e0f59b85f4918add97

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d1ad011fe83db3962763da2d2deb11b4c95c6840401c13147204bd67a6a88a1c.exe
    "C:\Users\Admin\AppData\Local\Temp\d1ad011fe83db3962763da2d2deb11b4c95c6840401c13147204bd67a6a88a1c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\lacruayg\
      2⤵
        PID:1796
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hyotxhwv.exe" C:\Windows\SysWOW64\lacruayg\
        2⤵
          PID:1824
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create lacruayg binPath= "C:\Windows\SysWOW64\lacruayg\hyotxhwv.exe /d\"C:\Users\Admin\AppData\Local\Temp\d1ad011fe83db3962763da2d2deb11b4c95c6840401c13147204bd67a6a88a1c.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2860
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description lacruayg "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2640
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start lacruayg
          2⤵
          • Launches sc.exe
          PID:2648
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1800
      • C:\Windows\SysWOW64\lacruayg\hyotxhwv.exe
        C:\Windows\SysWOW64\lacruayg\hyotxhwv.exe /d"C:\Users\Admin\AppData\Local\Temp\d1ad011fe83db3962763da2d2deb11b4c95c6840401c13147204bd67a6a88a1c.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:3960
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2576

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\hyotxhwv.exe
        Filesize

        14.5MB

        MD5

        755bc77039a17fa36be17e6b5f54a7e5

        SHA1

        d35184a8b7f597ba20933f17579c6d6bff5cdbee

        SHA256

        0fa8299efd97855bde175a6c8e2448a00a08b278371b537955283e8f9cad9c3b

        SHA512

        e4033b6d1db2d521504de96423e9f775ddf1f2cb512df90f8a0f6bd046442ccdbd39b74ad67ac186554ad83ef25ba0588e53edfd5c3e5a4defa91e925af75a31

        Download Submit
      • C:\Windows\SysWOW64\lacruayg\hyotxhwv.exe
        Filesize

        14.5MB

        MD5

        755bc77039a17fa36be17e6b5f54a7e5

        SHA1

        d35184a8b7f597ba20933f17579c6d6bff5cdbee

        SHA256

        0fa8299efd97855bde175a6c8e2448a00a08b278371b537955283e8f9cad9c3b

        SHA512

        e4033b6d1db2d521504de96423e9f775ddf1f2cb512df90f8a0f6bd046442ccdbd39b74ad67ac186554ad83ef25ba0588e53edfd5c3e5a4defa91e925af75a31

        Download Submit
      • memory/1796-172-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1796-170-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1796-171-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1796-169-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1796-167-0x0000000000000000-mapping.dmp
        Download
      • memory/1796-168-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1800-215-0x0000000000000000-mapping.dmp
        Download
      • memory/1824-175-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1824-173-0x0000000000000000-mapping.dmp
        Download
      • memory/1824-174-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1824-178-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1824-177-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1824-176-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2576-521-0x0000000000B3259C-mapping.dmp
        Download
      • memory/2640-188-0x0000000000000000-mapping.dmp
        Download
      • memory/2648-203-0x0000000000000000-mapping.dmp
        Download
      • memory/2860-187-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2860-180-0x0000000000000000-mapping.dmp
        Download
      • memory/2860-181-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2860-182-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2860-183-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2860-184-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2860-185-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2860-186-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-138-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-116-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-145-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-146-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-147-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-148-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-149-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-150-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-151-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-152-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-153-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-154-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-155-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-156-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-157-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-158-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-159-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-160-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-161-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-162-0x0000000000400000-0x00000000004F3000-memory.dmp
        Filesize

        972KB

        Download
      • memory/3932-163-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-164-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-165-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-166-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-143-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-141-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-142-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-140-0x0000000000660000-0x0000000000673000-memory.dmp
        Filesize

        76KB

        Download
      • memory/3932-139-0x0000000000500000-0x00000000005AE000-memory.dmp
        Filesize

        696KB

        Download
      • memory/3932-144-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-137-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-136-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-135-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-134-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-133-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-132-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-131-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-130-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-129-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-128-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-127-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-126-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-125-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-124-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-122-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-121-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-120-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-202-0x0000000000500000-0x00000000005AE000-memory.dmp
        Filesize

        696KB

        Download
      • memory/3932-204-0x0000000000660000-0x0000000000673000-memory.dmp
        Filesize

        76KB

        Download
      • memory/3932-119-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-217-0x0000000000400000-0x00000000004F3000-memory.dmp
        Filesize

        972KB

        Download
      • memory/3932-118-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3932-117-0x00000000772B0000-0x000000007743E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3960-327-0x0000000000D29A6B-mapping.dmp
        Download
      • memory/3960-405-0x0000000000D20000-0x0000000000D35000-memory.dmp
        Filesize

        84KB

        Download
      • memory/3960-486-0x0000000000D20000-0x0000000000D35000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4004-300-0x0000000000500000-0x000000000064A000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/4004-330-0x00000000007FC000-0x000000000080D000-memory.dmp
        Filesize

        68KB

        Download
      • memory/4004-332-0x0000000000400000-0x00000000004F3000-memory.dmp
        Filesize

        972KB

        Download
      • memory/4004-296-0x00000000007FC000-0x000000000080D000-memory.dmp
        Filesize

        68KB

        Download