Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-09-2022 21:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56c77e5efa069fdbea2beaf1cbb234735d6aa70eba0fe50b736ab5f9bbe6e69a.exe

  • Size

    187KB

  • MD5

    ed89332cb4fb426b7e9ad5d8853be58f

  • SHA1

    4c6dbd10b19dd0a53d76bc8ca8c5df055a5f0ccc

  • SHA256

    56c77e5efa069fdbea2beaf1cbb234735d6aa70eba0fe50b736ab5f9bbe6e69a

  • SHA512

    9f23967e804be45bf892f7c1c1590efe633ae34ddb4d953f8a29ea14febdda51ae217e9c38e59acbbf9e578d5564fd50d6239d15b57495884adfd07ece988862

  • SSDEEP

    3072:znz60aKL8S8oN5QLMMfSZ523EfCUMvgNZJBJG1Sy/Pk44x://L0oQLoC3EfCUVNG1

Score
10/10
smokeloaderbackdoorcollectiontrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56c77e5efa069fdbea2beaf1cbb234735d6aa70eba0fe50b736ab5f9bbe6e69a.exe
    "C:\Users\Admin\AppData\Local\Temp\56c77e5efa069fdbea2beaf1cbb234735d6aa70eba0fe50b736ab5f9bbe6e69a.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4436
  • C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    1⤵
    • Accesses Microsoft Outlook profiles
    • outlook_office_path
    • outlook_win_path
    PID:4604
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    1⤵
      PID:2192
    • C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      1⤵
        PID:1580

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1580-141-0x0000000000000000-mapping.dmp
        Download
      • memory/1580-145-0x0000000000F40000-0x0000000000F62000-memory.dmp
        Filesize

        136KB

        Download
      • memory/1580-143-0x0000000000AB0000-0x0000000000AD7000-memory.dmp
        Filesize

        156KB

        Download
      • memory/1580-142-0x0000000000F40000-0x0000000000F62000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2192-138-0x00000000004D0000-0x00000000004DC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/2192-137-0x0000000000000000-mapping.dmp
        Download
      • memory/4436-132-0x0000000000848000-0x0000000000859000-memory.dmp
        Filesize

        68KB

        Download
      • memory/4436-135-0x0000000000400000-0x0000000000589000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/4436-134-0x0000000000400000-0x0000000000589000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/4436-133-0x0000000000710000-0x0000000000719000-memory.dmp
        Filesize

        36KB

        Download
      • memory/4604-139-0x0000000000570000-0x00000000005E5000-memory.dmp
        Filesize

        468KB

        Download
      • memory/4604-140-0x0000000000500000-0x000000000056B000-memory.dmp
        Filesize

        428KB

        Download
      • memory/4604-136-0x0000000000000000-mapping.dmp
        Download
      • memory/4604-144-0x0000000000500000-0x000000000056B000-memory.dmp
        Filesize

        428KB

        Download