Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    180s
  • max time network
    184s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2022 16:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2676374e6bf6ba1f7fe417c99474fc917ca218447f7ac59a8d2fc8de1a600a78.exe

  • Size

    285KB

  • MD5

    0550b85844aa024fbbeead0e481d6a4e

  • SHA1

    aa4bd72b5f1ac3deeb01d778611ff9175a4d5e3b

  • SHA256

    2676374e6bf6ba1f7fe417c99474fc917ca218447f7ac59a8d2fc8de1a600a78

  • SHA512

    1c9f766bb47f065a233ea63e56673c552553a5c0e3bccbf24041d990bba4d9232c50f21354318e11f25d7f75a70b0a752c6453d3d9a66b6e00e4a8fc4b0e51af

  • SSDEEP

    3072:4vzT6rUfvb/LC0H6B5ZpVes+JcSJr+ZlL7TmS1d3vP6apldnhM/h3:NrUfvb/LC0H6FUJlG7JDvPPpldh

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 9 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2676374e6bf6ba1f7fe417c99474fc917ca218447f7ac59a8d2fc8de1a600a78.exe
    "C:\Users\Admin\AppData\Local\Temp\2676374e6bf6ba1f7fe417c99474fc917ca218447f7ac59a8d2fc8de1a600a78.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4968
  • C:\Users\Admin\AppData\Local\Temp\4793.exe
    C:\Users\Admin\AppData\Local\Temp\4793.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 628
      2⤵
      • Program crash
      PID:3864
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 912
      2⤵
      • Program crash
      PID:3608
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 980
      2⤵
      • Program crash
      PID:2912
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1104
      2⤵
      • Program crash
      PID:3620
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 960
      2⤵
      • Program crash
      PID:2064
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1132
      2⤵
      • Program crash
      PID:1780
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1120
      2⤵
      • Program crash
      PID:4276
    • C:\Users\Admin\AppData\Local\Temp\4793.exe
      "C:\Users\Admin\AppData\Local\Temp\4793.exe"
      2⤵
      • Executes dropped EXE
      PID:3296
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 600
        3⤵
        • Program crash
        PID:424
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1048
      2⤵
      • Program crash
      PID:60
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
      2⤵
        PID:5044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2376 -ip 2376
      1⤵
        PID:1444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2376 -ip 2376
        1⤵
          PID:1640
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2376 -ip 2376
          1⤵
            PID:1260
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2376 -ip 2376
            1⤵
              PID:4464
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2376 -ip 2376
              1⤵
                PID:4584
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2376 -ip 2376
                1⤵
                  PID:1476
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2376 -ip 2376
                  1⤵
                    PID:5004
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2376 -ip 2376
                    1⤵
                      PID:4600
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3296 -ip 3296
                      1⤵
                        PID:4592
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2376 -ip 2376
                        1⤵
                          PID:4548

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\4793.exe
                          Filesize

                          6.1MB

                          MD5

                          660c791a048da7a94aea15b2afd18f29

                          SHA1

                          de2b82ae153902b79fb998f84c396f68fe8c3ab5

                          SHA256

                          052cf058219159f00e4328a5537d2f399f110805647f2ae9d52f1b1cf9509932

                          SHA512

                          1d947b6d93fd105dcf939fb2916fdf2f6105fc72dfbdde0d289c1d3ff400577a503377a8ba653b49ca977b0a04136042f5c5304372477d8e3817589298e06412

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\4793.exe
                          Filesize

                          6.1MB

                          MD5

                          660c791a048da7a94aea15b2afd18f29

                          SHA1

                          de2b82ae153902b79fb998f84c396f68fe8c3ab5

                          SHA256

                          052cf058219159f00e4328a5537d2f399f110805647f2ae9d52f1b1cf9509932

                          SHA512

                          1d947b6d93fd105dcf939fb2916fdf2f6105fc72dfbdde0d289c1d3ff400577a503377a8ba653b49ca977b0a04136042f5c5304372477d8e3817589298e06412

                          Download Submit

                        • C:\Users\Admin\AppData\Local\Temp\4793.exe
                          Filesize

                          6.1MB

                          MD5

                          660c791a048da7a94aea15b2afd18f29

                          SHA1

                          de2b82ae153902b79fb998f84c396f68fe8c3ab5

                          SHA256

                          052cf058219159f00e4328a5537d2f399f110805647f2ae9d52f1b1cf9509932

                          SHA512

                          1d947b6d93fd105dcf939fb2916fdf2f6105fc72dfbdde0d289c1d3ff400577a503377a8ba653b49ca977b0a04136042f5c5304372477d8e3817589298e06412

                          Download Submit

                        • memory/2376-140-0x00000000054E0000-0x0000000005B00000-memory.dmp

                          Filesize

                          6.1MB

                          Download

                        • memory/2376-136-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2376-139-0x0000000003650000-0x0000000003C3A000-memory.dmp

                          Filesize

                          5.9MB

                          Download

                        • memory/2376-141-0x0000000000400000-0x000000000320A000-memory.dmp

                          Filesize

                          46.0MB

                          Download

                        • memory/2376-144-0x0000000000400000-0x000000000320A000-memory.dmp

                          Filesize

                          46.0MB

                          Download

                        • memory/3296-142-0x0000000000000000-mapping.dmp

                          Download

                        • memory/3296-145-0x000000000367B000-0x0000000003C65000-memory.dmp

                          Filesize

                          5.9MB

                          Download

                        • memory/3296-146-0x0000000000400000-0x000000000320A000-memory.dmp

                          Filesize

                          46.0MB

                          Download

                        • memory/4968-135-0x0000000000400000-0x0000000002C35000-memory.dmp

                          Filesize

                          40.2MB

                          Download

                        • memory/4968-134-0x0000000000400000-0x0000000002C35000-memory.dmp

                          Filesize

                          40.2MB

                          Download

                        • memory/4968-132-0x0000000002EA2000-0x0000000002EB7000-memory.dmp

                          Filesize

                          84KB

                          Download

                        • memory/4968-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

                          Filesize

                          36KB

                          Download

                        • memory/5044-147-0x0000000000000000-mapping.dmp

                          Download