Overview

overview

10

Static

static

dridex

windows10-2004_x64

10

Analysis

  • max time kernel
    161s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    12-06-2022 17:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    73062ad4b7f5e6de91a6937939ee1304198734a42570a563a5d78b6892f301bc.exe

  • Size

    183KB

  • MD5

    8837292204de81ca5d7a87cdf3773c76

  • SHA1

    d81ff7c461d29ef3ca2a5837569bb6f3fda5bf45

  • SHA256

    73062ad4b7f5e6de91a6937939ee1304198734a42570a563a5d78b6892f301bc

  • SHA512

    119533670f4c64ef9104d953ba7a887dc7019fb43e1e34a97ca46b580a0fdb958106cbdb0ed4a72c0f1f73230341e3dccd75fabb23a00387714ae15c2fee8918

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner Payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\73062ad4b7f5e6de91a6937939ee1304198734a42570a563a5d78b6892f301bc.exe
    "C:\Users\Admin\AppData\Local\Temp\73062ad4b7f5e6de91a6937939ee1304198734a42570a563a5d78b6892f301bc.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qpkqixap\
      2⤵
        PID:2376
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cbfcmsvs.exe" C:\Windows\SysWOW64\qpkqixap\
        2⤵
          PID:3148
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create qpkqixap binPath= "C:\Windows\SysWOW64\qpkqixap\cbfcmsvs.exe /d\"C:\Users\Admin\AppData\Local\Temp\73062ad4b7f5e6de91a6937939ee1304198734a42570a563a5d78b6892f301bc.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:5020
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description qpkqixap "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4104
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start qpkqixap
          2⤵
          • Launches sc.exe
          PID:428
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 1044
          2⤵
          • Program crash
          PID:3352
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2252
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2736 -ip 2736
        1⤵
          PID:1204
        • C:\Windows\SysWOW64\qpkqixap\cbfcmsvs.exe
          C:\Windows\SysWOW64\qpkqixap\cbfcmsvs.exe /d"C:\Users\Admin\AppData\Local\Temp\73062ad4b7f5e6de91a6937939ee1304198734a42570a563a5d78b6892f301bc.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:5048
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:4692
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1776
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 604
            2⤵
            • Program crash
            PID:5076
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5048 -ip 5048
          1⤵
            PID:3836

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\cbfcmsvs.exe
            Filesize

            12.2MB

            MD5

            c1553fcadbf6c779de460535558f4130

            SHA1

            7c174aacd9eb1f96b3c61553ee24e6f02947393a

            SHA256

            637ba7b7e809879b85c75346ec70e92cc28b861f8b72f995128f741cf8a27e44

            SHA512

            dc02ab634dd264bd85248bb2c21be00b58aa3cb9bcbb4bef60f9917b4c43b215d6bb332ea0871b7551265c457c7399262453135dbc8a8fae34be5eeeb6a42d7c

            Download Submit
          • C:\Windows\SysWOW64\qpkqixap\cbfcmsvs.exe
            Filesize

            12.2MB

            MD5

            c1553fcadbf6c779de460535558f4130

            SHA1

            7c174aacd9eb1f96b3c61553ee24e6f02947393a

            SHA256

            637ba7b7e809879b85c75346ec70e92cc28b861f8b72f995128f741cf8a27e44

            SHA512

            dc02ab634dd264bd85248bb2c21be00b58aa3cb9bcbb4bef60f9917b4c43b215d6bb332ea0871b7551265c457c7399262453135dbc8a8fae34be5eeeb6a42d7c

            Download Submit
          • memory/428-138-0x0000000000000000-mapping.dmp
            Download
          • memory/1776-175-0x0000000001200000-0x00000000012F1000-memory.dmp
            Filesize

            964KB

            Download
          • memory/1776-170-0x0000000001200000-0x00000000012F1000-memory.dmp
            Filesize

            964KB

            Download
          • memory/1776-169-0x0000000000000000-mapping.dmp
            Download
          • memory/2252-139-0x0000000000000000-mapping.dmp
            Download
          • memory/2376-133-0x0000000000000000-mapping.dmp
            Download
          • memory/2736-131-0x0000000002380000-0x0000000002393000-memory.dmp
            Filesize

            76KB

            Download
          • memory/2736-130-0x00000000008C0000-0x00000000008CD000-memory.dmp
            Filesize

            52KB

            Download
          • memory/2736-132-0x0000000000400000-0x0000000000649000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/2736-141-0x0000000000400000-0x0000000000649000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/3148-134-0x0000000000000000-mapping.dmp
            Download
          • memory/4104-137-0x0000000000000000-mapping.dmp
            Download
          • memory/4692-144-0x0000000000000000-mapping.dmp
            Download
          • memory/4692-157-0x0000000002F50000-0x0000000002F60000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4692-166-0x00000000081A0000-0x00000000081A7000-memory.dmp
            Filesize

            28KB

            Download
          • memory/4692-149-0x0000000000E40000-0x0000000000E55000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4692-150-0x0000000000E40000-0x0000000000E55000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4692-151-0x0000000002C00000-0x0000000002E0F000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/4692-154-0x00000000021F0000-0x00000000021F6000-memory.dmp
            Filesize

            24KB

            Download
          • memory/4692-145-0x0000000000E40000-0x0000000000E55000-memory.dmp
            Filesize

            84KB

            Download
          • memory/4692-160-0x0000000007B00000-0x0000000007B05000-memory.dmp
            Filesize

            20KB

            Download
          • memory/4692-163-0x0000000007C50000-0x000000000805B000-memory.dmp
            Filesize

            4.0MB

            Download
          • memory/5020-136-0x0000000000000000-mapping.dmp
            Download
          • memory/5048-148-0x0000000000400000-0x0000000000649000-memory.dmp
            Filesize

            2.3MB

            Download
          • memory/5048-142-0x00000000009D9000-0x00000000009E7000-memory.dmp
            Filesize

            56KB

            Download
          • memory/5048-143-0x0000000000400000-0x0000000000649000-memory.dmp
            Filesize

            2.3MB

            Download