Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27/10/2022, 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    28770d98ca127719f45ed63422991e612d180b8374bd612bbb02f09403030c28.exe

  • Size

    256KB

  • MD5

    5e0bf7b28bebe18defb564e7185829b5

  • SHA1

    1893b3aa33453db42a1d05157168c715162644b3

  • SHA256

    28770d98ca127719f45ed63422991e612d180b8374bd612bbb02f09403030c28

  • SHA512

    5c17c60e495a5d78556b6c89a90147b0566b54c1a80d9135ee3875eb8580d36a97752edc2479d227c620a8838a8e65bd49e1e9bf637d3be7d3a4db8e9ec191eb

  • SSDEEP

    3072:5DXOwqzZxFQanq5rjP8TrEGGMpuQwUcGosWxn5lIuK14XqkEmk/M0Kv:J3qlKjPCTamTossRKwNJ0

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\28770d98ca127719f45ed63422991e612d180b8374bd612bbb02f09403030c28.exe
    "C:\Users\Admin\AppData\Local\Temp\28770d98ca127719f45ed63422991e612d180b8374bd612bbb02f09403030c28.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\wexkspmo\
      2⤵
        PID:1652
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\khbczhxe.exe" C:\Windows\SysWOW64\wexkspmo\
        2⤵
          PID:3448
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create wexkspmo binPath= "C:\Windows\SysWOW64\wexkspmo\khbczhxe.exe /d\"C:\Users\Admin\AppData\Local\Temp\28770d98ca127719f45ed63422991e612d180b8374bd612bbb02f09403030c28.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:4296
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description wexkspmo "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1340
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start wexkspmo
          2⤵
          • Launches sc.exe
          PID:4504
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2236
      • C:\Windows\SysWOW64\wexkspmo\khbczhxe.exe
        C:\Windows\SysWOW64\wexkspmo\khbczhxe.exe /d"C:\Users\Admin\AppData\Local\Temp\28770d98ca127719f45ed63422991e612d180b8374bd612bbb02f09403030c28.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3516
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3356

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\khbczhxe.exe
        Filesize

        13.5MB

        MD5

        3343e243ec55796aa811f901d7a36e4c

        SHA1

        fa557f90ae93114f0396e5d1887a4d04ee2833a1

        SHA256

        a59d0c73696a14ca47e2b1a7bacc030c8e07d82fa941e6a360a258b0f9bdba40

        SHA512

        22b81bc2c2be5203bab8b4b79f29fa9712bdbc1b66088983133ecbd713679c5672a74965f3c14395f227b388a4464f05f1cd01faf67090371dfb4b14f22d8c98

        Download Submit

      • C:\Windows\SysWOW64\wexkspmo\khbczhxe.exe
        Filesize

        13.5MB

        MD5

        3343e243ec55796aa811f901d7a36e4c

        SHA1

        fa557f90ae93114f0396e5d1887a4d04ee2833a1

        SHA256

        a59d0c73696a14ca47e2b1a7bacc030c8e07d82fa941e6a360a258b0f9bdba40

        SHA512

        22b81bc2c2be5203bab8b4b79f29fa9712bdbc1b66088983133ecbd713679c5672a74965f3c14395f227b388a4464f05f1cd01faf67090371dfb4b14f22d8c98

        Download Submit

      • memory/1652-176-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1652-167-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1652-168-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1652-169-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1652-170-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/2692-478-0x00000000001A0000-0x00000000001B5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/2692-483-0x00000000001A0000-0x00000000001B5000-memory.dmp

        Filesize

        84KB

        Download

      • memory/3448-173-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3448-174-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3448-177-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3448-175-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3448-172-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-155-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-129-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-133-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-134-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-135-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-136-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-137-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-138-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-139-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-140-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-141-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-143-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-144-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-146-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-147-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-148-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-150-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-149-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-151-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-152-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-153-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-145-0x0000000002C30000-0x0000000002CDE000-memory.dmp

        Filesize

        696KB

        Download

      • memory/3488-131-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-154-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-142-0x0000000002EF3000-0x0000000002F09000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3488-156-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-157-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-158-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-159-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-160-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-130-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-132-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-128-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-127-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-126-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-125-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-124-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-161-0x0000000000400000-0x0000000002C2D000-memory.dmp

        Filesize

        40.2MB

        Download

      • memory/3488-162-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-163-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-164-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-165-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-116-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-117-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-118-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-119-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-123-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-233-0x0000000000400000-0x0000000002C2D000-memory.dmp

        Filesize

        40.2MB

        Download

      • memory/3488-222-0x0000000002EF3000-0x0000000002F09000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3488-120-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-121-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3488-122-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3516-430-0x0000000002EED000-0x0000000002F03000-memory.dmp

        Filesize

        88KB

        Download

      • memory/3516-433-0x0000000002D10000-0x0000000002D23000-memory.dmp

        Filesize

        76KB

        Download

      • memory/3516-439-0x0000000000400000-0x0000000002C2D000-memory.dmp

        Filesize

        40.2MB

        Download

      • memory/4296-185-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4296-186-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4296-184-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4296-182-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4296-181-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4296-180-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/4296-179-0x0000000077480000-0x000000007760E000-memory.dmp

        Filesize

        1.6MB

        Download