Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    161s
  • max time network
    149s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-10-2022 02:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    083eea25d427ca3acfdfe93ed619fd2d454d3266821d81e1c531bc2445419647.exe

  • Size

    273KB

  • MD5

    f2ca9d88083514f3f3cf0dab2da19c4f

  • SHA1

    647e7871f8c6e2472517ee788eb5d9758fd1d43c

  • SHA256

    083eea25d427ca3acfdfe93ed619fd2d454d3266821d81e1c531bc2445419647

  • SHA512

    af3949259ae2bd101afd2dff2b3ac16bab52e484c5dfb3cac1b3ab79ca87baf525b6b388bb94e3cfc18948926a59ea160c1b8fcd2238406bd8e54db34cc4872d

  • SSDEEP

    6144:iJqVLah3lIRcnuiI+XyOUHuzbgwuelJOn3PrcwVf0:iJymh1kcuiIOYunndkPY

Score
10/10
danabotsmokeloaderbackdoorbankertrojan

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535
Attributes
  • embedded_hash

    EAD30BF58E340E9E105B328F524565E0

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 47 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\083eea25d427ca3acfdfe93ed619fd2d454d3266821d81e1c531bc2445419647.exe
    "C:\Users\Admin\AppData\Local\Temp\083eea25d427ca3acfdfe93ed619fd2d454d3266821d81e1c531bc2445419647.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2372
  • C:\Users\Admin\AppData\Local\Temp\4229.exe
    C:\Users\Admin\AppData\Local\Temp\4229.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:4652
    • C:\Windows\SysWOW64\appidtel.exe
      C:\Windows\system32\appidtel.exe
      2⤵
        PID:4708
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 792
        2⤵
        • Program crash
        PID:3444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 832
        2⤵
        • Program crash
        PID:3504
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 936
        2⤵
        • Program crash
        PID:3884
      • C:\Windows\syswow64\rundll32.exe
        "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
        2⤵
        • Blocklisted process makes network request
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4856

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\0827c8ab-837f-467b-a253-3759c224c02e.tmp
      Filesize

      25KB

      MD5

      9f670566b87be47f09e3871cd67ed6d9

      SHA1

      8b49dd7fb4bf06df0a16cfc03a42832b78bdfabd

      SHA256

      d7089602fa181dfd161165dc1bb34271e7481f88ee2ca06230da2a2269a68c80

      SHA512

      6e53a2d3c4329114f7e562d84bcb6345176ce4d7006c9d699d6dab9886d5aa277b5b8fe5cfb9e574a49e0c1de6414efa913cf9b3ffecd95e9fafa28370fc2456

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1c6aeebc-9b48-4879-9e95-53925e99bb5f\1253081315.pri
      Filesize

      3KB

      MD5

      68b2d64b878603ee02fcebb9899c38e1

      SHA1

      fb517f2c2a85e6dc1d78096e8f92dbd860bccb48

      SHA256

      ceb103d831d43292b43e7c04016f586f89f7b6ca382905c51399e6fe13e471c6

      SHA512

      0e6db2b4484db790fc8ebeeee1d073986e4971766927d2ff4f7bcb08ec66e30a16a80d03b6866748fbbc91a59b0f11afb241ee9bb3b4d8783222c83a3e16e6fd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\4229.exe
      Filesize

      4.6MB

      MD5

      33b47d41a8226544c62ca1abc9340457

      SHA1

      6b33d8804dafc12c5b510dac9973014647757a07

      SHA256

      dd059b92a903722ab60b18f8fa8390ee82a4db7d578823956bb3923cb5a73ef5

      SHA512

      538322073d00837d0598fe4bb1ed61768c20a65ae583d53a48df04c72c874c5663759d3b9acf0630def2d8acc3c94f1dfaa24b0e72146ff10ea2fb4fa3a78961

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\4229.exe
      Filesize

      4.6MB

      MD5

      33b47d41a8226544c62ca1abc9340457

      SHA1

      6b33d8804dafc12c5b510dac9973014647757a07

      SHA256

      dd059b92a903722ab60b18f8fa8390ee82a4db7d578823956bb3923cb5a73ef5

      SHA512

      538322073d00837d0598fe4bb1ed61768c20a65ae583d53a48df04c72c874c5663759d3b9acf0630def2d8acc3c94f1dfaa24b0e72146ff10ea2fb4fa3a78961

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
      Filesize

      1KB

      MD5

      3d05b59c57d82ff83b2c91cb8bb18c52

      SHA1

      c8cd5c111e3663f5099fb4eae09dd074dd92b15b

      SHA256

      3fafdb3d832f2a0417482168daca1c2d6cb7c4dacc559ea497529120d5455716

      SHA512

      1169e7c1311a5dd14449fb17d303fb793518619e16e275b298a9ac9fa3890ab17f0cc022589f4bd5823194be959a7d769f889ed2bd413c9903d970ec72092a02

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Uapaipuuih.tmp
      Filesize

      3.3MB

      MD5

      963024ce4b5518f20619bdcb2998a789

      SHA1

      bbce53b5aa2beeff5c9f1555a1e32350bba479b2

      SHA256

      e473b9afa947ef211c7e7cad6521687d504ec244a22f5ea5381f7020f947fc7d

      SHA512

      468f341fb7c284f0024ad5d13a72264d60e77b9ea724a770b4d45856dc0aaedd30e51263ea266e6979d7db1079703a9bc1358c5562aac6761ee45c06436baae8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\a160e3ee-df46-45ae-8d47-cbbd5c94e242\1253081315.pri
      Filesize

      3KB

      MD5

      68b2d64b878603ee02fcebb9899c38e1

      SHA1

      fb517f2c2a85e6dc1d78096e8f92dbd860bccb48

      SHA256

      ceb103d831d43292b43e7c04016f586f89f7b6ca382905c51399e6fe13e471c6

      SHA512

      0e6db2b4484db790fc8ebeeee1d073986e4971766927d2ff4f7bcb08ec66e30a16a80d03b6866748fbbc91a59b0f11afb241ee9bb3b4d8783222c83a3e16e6fd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ab8da9c0-9e38-4607-b3b0-7c8f400eac9e\3516841636.pri
      Filesize

      2KB

      MD5

      6f0067066c578e540dd4276c2b8e03ae

      SHA1

      a9eef9032b9a005aa6de0d398d542f5714f3d829

      SHA256

      9cc023bd420a9582336fc2ecdb3d8d21fd7f9a3e8dfd824b5ea3266864bd6a4f

      SHA512

      db4aa55c2afbea8380ccc3302011d0945f76cde0b3d8703e8df0aea5a964a1bf65f940ec88e9fe3b98560fda5e83e13c2a47f9a8ff300accadacb11c86b94e99

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\b402bd2a-1839-4d44-b612-679fe27bfec4.tmp
      Filesize

      23KB

      MD5

      7cd73270bd735f9fe77bc9278f9f2b8b

      SHA1

      b27a898970297c750fb7e4d70ad8f87c1e6c1739

      SHA256

      ee80340a02c0f96a3f9d01e635857d38d7b92444d6102ee29804f559f2eaa7f4

      SHA512

      1fe70455d4d8c0fbab9ef20cf85d0de55fea9f18499c653af5d234462aa5c45eaacceadab39e9be62dc548af4f710362dd34970e1d8a666bf09fe4101bf32077

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
      Filesize

      1KB

      MD5

      d014361d4784414ed4ee85b1b4ac7a3f

      SHA1

      cd19fa6f4eaa4c99020e04dc9812f512df0a7090

      SHA256

      04b78bf833942302dac40bb8a58664ca057cd12149914966e0798d878b1dc86b

      SHA512

      f657266a756880ed2a4d3ed3c54500b670fc209c849f95a178470b104be7b99ef0503ec42a61a8091497b35871780a190d6d4fa4e6ede1a2744e88d7bd718d26

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dd_SetupUtility.txt
      Filesize

      2KB

      MD5

      5273ebed16aaffaa81753c533f1b6f70

      SHA1

      62056f28ae12fc51a6fe54941bb3ce8b5fb9e015

      SHA256

      9d35c93b343681a3aab6be3bca1ad407b02036185b89ef97229fe7fcb0d37d69

      SHA512

      41d99cef4f46411f2e0fc57023be9d1ea83b971c97ce2dd2e0be3ac959edfa7e9069a36c8888c4012a758e58042502fc015405040a247a5802a4d34fd1c6302d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI6D50.txt
      Filesize

      414KB

      MD5

      23c32201914ed67eeb73ef01e902279b

      SHA1

      ca614164445a64c856b1614adac29f860d688f75

      SHA256

      28b3a20d19f5cc61c50a2fd63f400cb6db3463e2e1b37c0a974e15434507d440

      SHA512

      f1c374a4644326875beab6b7cf0766ba2205e67acc5149086caa2f9b94628ea024632e44c752de3040124b07bd92a1d07e1c46ef48a0dc97510ba8d78e6a307c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\sa.9NBLGGH5Q1ZL_0_0010_.Public.InstallAgent.dat
      Filesize

      59KB

      MD5

      2a2397d66a4f17eaed59a7904ee8d1c2

      SHA1

      a0b08f8ea5c9abf6a67c50ed480a6e2f4c9b2ae7

      SHA256

      01391b3f059bf8de4f4cf1bcd556b896f24689bb2461a426cbc2b9522b1f6b0d

      SHA512

      4f4a9f901bf4ebd6f33f1b78691e32a1dc124f8486bf8e50a41e57512365dcabead47cbb0387a429c503b3ceec09ab58f02111527d45f8e2c9b738f1251af2e5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\wct6AF0.tmp
      Filesize

      62KB

      MD5

      7185e716980842db27c3b3a88e1fe804

      SHA1

      e4615379cd4797629b4cc3da157f4d4a5412fb2b

      SHA256

      094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

      SHA512

      dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

      Download Submit

    • memory/2372-131-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-152-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-134-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-135-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-136-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-137-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-138-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-139-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-141-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-142-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-143-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-144-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-145-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-146-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-148-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-147-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-149-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-150-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-151-0x00000000004E0000-0x000000000058E000-memory.dmp

      Filesize

      696KB

      Download

    • memory/2372-133-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-154-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-155-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/2372-153-0x00000000004A0000-0x00000000004A9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2372-156-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/2372-132-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-129-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-130-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-128-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-127-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-126-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-125-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-124-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-123-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-122-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-118-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-121-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-120-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/2372-119-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-168-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-206-0x00000000028C0000-0x0000000002D2C000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/4652-173-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-174-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-175-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-176-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-177-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-178-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-179-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-180-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-181-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-183-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-184-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-185-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-186-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-187-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-188-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-189-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-190-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-193-0x00000000028C0000-0x0000000002D2C000-memory.dmp

      Filesize

      4.4MB

      Download

    • memory/4652-197-0x0000000002D30000-0x0000000003346000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4652-200-0x0000000000400000-0x0000000000A22000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4652-172-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-207-0x0000000000400000-0x0000000000A22000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4652-220-0x0000000000400000-0x0000000000A22000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4652-242-0x0000000003A90000-0x0000000004557000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4652-159-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-161-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-324-0x0000000000400000-0x0000000000A22000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4652-329-0x0000000003A90000-0x0000000004557000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4652-160-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-171-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-170-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-169-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-167-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-165-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-164-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-163-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4652-162-0x00000000770E0000-0x000000007726E000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4856-315-0x00000000029A0000-0x0000000003348000-memory.dmp

      Filesize

      9.7MB

      Download

    • memory/4856-346-0x0000000004D10000-0x00000000057D7000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4856-375-0x00000000029A0000-0x0000000003348000-memory.dmp

      Filesize

      9.7MB

      Download

    • memory/4856-376-0x0000000004D10000-0x00000000057D7000-memory.dmp

      Filesize

      10.8MB

      Download