Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/10/2022, 07:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a9aa8fceb7b903bfd238db2ebb6b430fbba87d41beae5ba96644e95b0b90400f.exe

  • Size

    270KB

  • MD5

    4d01040a74161507bf5bce0fb0897867

  • SHA1

    f6a7ca90fcf2bffd53ccadb863202a8334c7ac4f

  • SHA256

    a9aa8fceb7b903bfd238db2ebb6b430fbba87d41beae5ba96644e95b0b90400f

  • SHA512

    5c9d65da730285728503801b7705bce58285e9c67fb8cd59f1507bd7547ca8b23bcf0210935be35b5af589cad0a4a02e66d58e7580ab674f5e905431c54da299

  • SSDEEP

    6144:MXe8tGCtPSHvXtrCmDgHpU9b30vrwVfquS:MXp3Q/trCmDgHpokvd

Score
10/10
danabotsmokeloaderbackdoorbankerspywarestealertrojan

Malware Config

Extracted

Family

danabot

C2

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535
Attributes
  • embedded_hash

    56951C922035D696BFCE443750496462

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 39 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 48 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 19 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a9aa8fceb7b903bfd238db2ebb6b430fbba87d41beae5ba96644e95b0b90400f.exe
    "C:\Users\Admin\AppData\Local\Temp\a9aa8fceb7b903bfd238db2ebb6b430fbba87d41beae5ba96644e95b0b90400f.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3184
  • C:\Users\Admin\AppData\Local\Temp\F707.exe
    C:\Users\Admin\AppData\Local\Temp\F707.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:4840
    • C:\Windows\SysWOW64\agentactivationruntimestarter.exe
      C:\Windows\system32\agentactivationruntimestarter.exe
      2⤵
        PID:3148
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
        2⤵
        • Blocklisted process makes network request
        PID:1812
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 596
        2⤵
        • Program crash
        PID:4072
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 924
        2⤵
        • Program crash
        PID:1524
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1048
        2⤵
        • Program crash
        PID:4796
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 932
        2⤵
        • Program crash
        PID:5008
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
        2⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Checks processor information in registry
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious use of FindShellTrayWindow
        PID:4464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1064
        2⤵
        • Program crash
        PID:1924
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1852
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x510 0x318
      1⤵
        PID:512
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4840 -ip 4840
        1⤵
          PID:1576
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4840 -ip 4840
          1⤵
            PID:2260
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4840 -ip 4840
            1⤵
              PID:4164
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4840 -ip 4840
              1⤵
                PID:5028
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4840 -ip 4840
                1⤵
                  PID:4828

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\F707.exe
                  Filesize

                  1.3MB

                  MD5

                  f2f9ff6a17d728fe3a0ad04549ae3990

                  SHA1

                  5e05a1acec45dd329cd40e505e22c140c391a035

                  SHA256

                  677b1d55884aab4706a6cbe6846aa2cd22d3d4ef3cbfd0567a6c321af0180a27

                  SHA512

                  235fc2184976b28663e45e4ba74608d4d91e32a6738d9a667529bf62d8eeaa4038d87d09163ff284f2180c8c9470e5ce2172cf0cd382e74825f405b77496a937

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\F707.exe
                  Filesize

                  1.3MB

                  MD5

                  f2f9ff6a17d728fe3a0ad04549ae3990

                  SHA1

                  5e05a1acec45dd329cd40e505e22c140c391a035

                  SHA256

                  677b1d55884aab4706a6cbe6846aa2cd22d3d4ef3cbfd0567a6c321af0180a27

                  SHA512

                  235fc2184976b28663e45e4ba74608d4d91e32a6738d9a667529bf62d8eeaa4038d87d09163ff284f2180c8c9470e5ce2172cf0cd382e74825f405b77496a937

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\Sepawuaopqtypsq.tmp
                  Filesize

                  3.3MB

                  MD5

                  8b9c0f72deaf2ee06e7441209cbe4ffb

                  SHA1

                  34912f3c7f4285d85497c96e95c33e5d6a597c97

                  SHA256

                  1e7242ac7c025b87636e59c07e3601f1bbf5894ce0b23709405b6fefbca4dabe

                  SHA512

                  db8fb980b6331f494fea8dd4adf6d8724c9ad1a7a2048c6d91e49d9e81fc83700c1195854efc5dcbe2b3aef8d94b5f0ddd7ae8910f40b9cdab017e381f855cd7

                  Download Submit

                • memory/1812-160-0x0000000000E60000-0x0000000000E64000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-152-0x0000000000BE0000-0x0000000000BE4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-167-0x0000000000EC0000-0x0000000000EC4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-166-0x0000000000EC0000-0x0000000000EC4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-165-0x0000000000EB0000-0x0000000000EB4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-164-0x0000000000EA0000-0x0000000000EA4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-161-0x0000000000E70000-0x0000000000E74000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-159-0x0000000000E50000-0x0000000000E54000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-158-0x0000000000E40000-0x0000000000E44000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-163-0x0000000000E90000-0x0000000000E94000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-162-0x0000000000E80000-0x0000000000E84000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-148-0x0000000000BA0000-0x0000000000BA4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-147-0x0000000000B90000-0x0000000000B94000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-149-0x0000000000BB0000-0x0000000000BB4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-150-0x0000000000BC0000-0x0000000000BC4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-151-0x0000000000BD0000-0x0000000000BD4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-157-0x0000000000E30000-0x0000000000E34000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-153-0x0000000000BF0000-0x0000000000BF4000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-154-0x0000000000E00000-0x0000000000E04000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-155-0x0000000000E10000-0x0000000000E14000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1812-156-0x0000000000E20000-0x0000000000E24000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/3184-132-0x00000000005BE000-0x00000000005CE000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/3184-134-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/3184-135-0x0000000000400000-0x0000000000448000-memory.dmp

                  Filesize

                  288KB

                  Download

                • memory/3184-133-0x0000000000510000-0x0000000000519000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/4464-184-0x0000000004290000-0x00000000043D0000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4464-185-0x0000000001200000-0x0000000001BA4000-memory.dmp

                  Filesize

                  9.6MB

                  Download

                • memory/4464-186-0x0000000003690000-0x0000000004153000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4464-183-0x0000000004290000-0x00000000043D0000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4464-182-0x0000000003690000-0x0000000004153000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4464-187-0x0000000003690000-0x0000000004153000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4840-170-0x00000000030C0000-0x0000000003B83000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4840-171-0x0000000000400000-0x00000000006CE000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/4840-172-0x00000000030C0000-0x0000000003B83000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4840-173-0x0000000003D50000-0x0000000003E90000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4840-174-0x0000000003D50000-0x0000000003E90000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4840-175-0x0000000003D50000-0x0000000003E90000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4840-176-0x0000000003D50000-0x0000000003E90000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4840-177-0x0000000003D50000-0x0000000003E90000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4840-178-0x0000000003D50000-0x0000000003E90000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4840-180-0x0000000003D50000-0x0000000003E90000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4840-179-0x0000000003D50000-0x0000000003E90000-memory.dmp

                  Filesize

                  1.2MB

                  Download

                • memory/4840-169-0x00000000030C0000-0x0000000003B83000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4840-144-0x0000000000400000-0x00000000006CE000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/4840-145-0x0000000000400000-0x00000000006CE000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/4840-143-0x0000000000400000-0x00000000006CE000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/4840-142-0x0000000000400000-0x00000000006CE000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/4840-141-0x0000000002700000-0x00000000029C2000-memory.dmp

                  Filesize

                  2.8MB

                  Download

                • memory/4840-140-0x0000000002352000-0x0000000002470000-memory.dmp

                  Filesize

                  1.1MB

                  Download

                • memory/4840-188-0x00000000030C0000-0x0000000003B83000-memory.dmp

                  Filesize

                  10.8MB

                  Download