Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/09/2022, 08:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    010cf803e4769a7cea57443a1728e15a2e9041783c04905a3822a11d57dfca4c.exe

  • Size

    317KB

  • MD5

    85451987dd88c1337b6c0cab4777525a

  • SHA1

    b2fd78bc76f8a2060bbde5c616418101014ebfe5

  • SHA256

    010cf803e4769a7cea57443a1728e15a2e9041783c04905a3822a11d57dfca4c

  • SHA512

    7ca4fe244739ae144481c3b287672a7c45f498c741c81bbc5b8e1e34f690ff6d8513eace345d3a4f1d07efb11757798cf8d97ca5fb20459be028a90dac3ee537

  • SSDEEP

    3072:+AXQFNeXrbJ9ZG2QjVq57yR85fctEGTEQdHHaFxvqg0KcCfteV7pM/h3BsxkgaB8:+0ps2tJfcnDEFxig0nZBpnigabwVf

Score
10/10
smokeloaderbackdoorbootkitdiscoverypersistencespywarestealertrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\010cf803e4769a7cea57443a1728e15a2e9041783c04905a3822a11d57dfca4c.exe
    "C:\Users\Admin\AppData\Local\Temp\010cf803e4769a7cea57443a1728e15a2e9041783c04905a3822a11d57dfca4c.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4960
  • C:\Users\Admin\AppData\Local\Temp\9DC6.exe
    C:\Users\Admin\AppData\Local\Temp\9DC6.exe
    1⤵
    • Executes dropped EXE
    • Writes to the Master Boot Record (MBR)
    PID:4068
  • C:\Users\Admin\AppData\Local\Temp\B46C.exe
    C:\Users\Admin\AppData\Local\Temp\B46C.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2804
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 1944
      2⤵
      • Program crash
      PID:1524
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2804 -ip 2804
    1⤵
      PID:1856

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\9DC6.exe
            Filesize

            640KB

            MD5

            f10c4c4b7a9c5e153236a66d863d1f1d

            SHA1

            8921c2a5368a80b69dc446af3670c07253f0bd31

            SHA256

            39269811e69455544015bea98a34a9855be527c451cbb2c4a048fc39cb434804

            SHA512

            245b377fb93a186e224404e6a1abe624f23779f314d370b6aca1e7e437ef4e886db51cfdb177e409e468c0a16b95446de1ff566ee1e14ad2a225a3f30c3cf178

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\9DC6.exe
            Filesize

            640KB

            MD5

            f10c4c4b7a9c5e153236a66d863d1f1d

            SHA1

            8921c2a5368a80b69dc446af3670c07253f0bd31

            SHA256

            39269811e69455544015bea98a34a9855be527c451cbb2c4a048fc39cb434804

            SHA512

            245b377fb93a186e224404e6a1abe624f23779f314d370b6aca1e7e437ef4e886db51cfdb177e409e468c0a16b95446de1ff566ee1e14ad2a225a3f30c3cf178

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\B46C.exe
            Filesize

            304KB

            MD5

            15f1517f0ceaaf9b6c78cf7625510c07

            SHA1

            8aabce20aff43476586a1b69b0b761a7f39d1e7e

            SHA256

            d0d47dec11c63b6fa1a2dcac89e5a7352220e371b728781de041bf42fa8965fb

            SHA512

            931a79a6e0d38c9b59b03a68d31e3c8fdb2b51e5eeed1df45790eba38f516f767ed67d9edd10bef16d169dc253c81ba6afb5d52738761cc2fa84f601f86b3516

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\B46C.exe
            Filesize

            304KB

            MD5

            15f1517f0ceaaf9b6c78cf7625510c07

            SHA1

            8aabce20aff43476586a1b69b0b761a7f39d1e7e

            SHA256

            d0d47dec11c63b6fa1a2dcac89e5a7352220e371b728781de041bf42fa8965fb

            SHA512

            931a79a6e0d38c9b59b03a68d31e3c8fdb2b51e5eeed1df45790eba38f516f767ed67d9edd10bef16d169dc253c81ba6afb5d52738761cc2fa84f601f86b3516

            Download Submit

          • memory/2804-157-0x00000000005E9000-0x0000000000613000-memory.dmp

            Filesize

            168KB

            Download

          • memory/2804-164-0x0000000000400000-0x00000000005A5000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2804-162-0x0000000007850000-0x0000000007D7C000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/2804-160-0x00000000075A0000-0x00000000075BE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2804-159-0x0000000007500000-0x0000000007576000-memory.dmp

            Filesize

            472KB

            Download

          • memory/2804-158-0x00000000074B0000-0x0000000007500000-memory.dmp

            Filesize

            320KB

            Download

          • memory/2804-155-0x0000000005E40000-0x0000000005EA6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/2804-163-0x00000000005E9000-0x0000000000613000-memory.dmp

            Filesize

            168KB

            Download

          • memory/2804-161-0x0000000007680000-0x0000000007842000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/2804-146-0x00000000005E9000-0x0000000000613000-memory.dmp

            Filesize

            168KB

            Download

          • memory/2804-147-0x00000000020D0000-0x0000000002107000-memory.dmp

            Filesize

            220KB

            Download

          • memory/2804-149-0x0000000004CC0000-0x0000000005264000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2804-148-0x0000000000400000-0x00000000005A5000-memory.dmp

            Filesize

            1.6MB

            Download

          • memory/2804-150-0x00000000052A0000-0x00000000058B8000-memory.dmp

            Filesize

            6.1MB

            Download

          • memory/2804-151-0x0000000005940000-0x0000000005952000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2804-152-0x0000000005960000-0x0000000005A6A000-memory.dmp

            Filesize

            1.0MB

            Download

          • memory/2804-153-0x0000000005A90000-0x0000000005ACC000-memory.dmp

            Filesize

            240KB

            Download

          • memory/2804-154-0x0000000005DA0000-0x0000000005E32000-memory.dmp

            Filesize

            584KB

            Download

          • memory/4068-140-0x000000000078E000-0x00000000007EF000-memory.dmp

            Filesize

            388KB

            Download

          • memory/4068-156-0x0000000000400000-0x00000000004A6000-memory.dmp

            Filesize

            664KB

            Download

          • memory/4068-142-0x0000000000400000-0x00000000004A6000-memory.dmp

            Filesize

            664KB

            Download

          • memory/4068-141-0x0000000000700000-0x000000000076B000-memory.dmp

            Filesize

            428KB

            Download

          • memory/4068-139-0x0000000000400000-0x00000000004A6000-memory.dmp

            Filesize

            664KB

            Download

          • memory/4960-132-0x000000000066E000-0x000000000067F000-memory.dmp

            Filesize

            68KB

            Download

          • memory/4960-135-0x0000000000400000-0x0000000000454000-memory.dmp

            Filesize

            336KB

            Download

          • memory/4960-134-0x0000000000400000-0x0000000000454000-memory.dmp

            Filesize

            336KB

            Download

          • memory/4960-133-0x00000000005F0000-0x00000000005F9000-memory.dmp

            Filesize

            36KB

            Download