Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/11/2022, 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b9ae14fa1dafe606ba9a07f207498e7c8b60a727c381bf799f4cfc53717d4a7.exe

  • Size

    293KB

  • MD5

    88f3f50c520d45face3c6c3e5497c0c0

  • SHA1

    fd0f732b191f3e8dc9e58dbd76080910c759ac3c

  • SHA256

    0b9ae14fa1dafe606ba9a07f207498e7c8b60a727c381bf799f4cfc53717d4a7

  • SHA512

    f85322e63fb16c4ca22ff041ec1f1926df0fd6d193832e3bec24b642fa7bcaa70d87b6f402bb25f9f4906c55ca7f727ad2248a4895546b750a31da687243bc61

  • SSDEEP

    3072:jDBsDlLlG+gIllk57W04nX9BafL+fKslRUY5duMLXamKHvC1hahR5:HBCLkXcmW04tBaj4UIuWXdufP

Score
10/10
smokeloaderbackdoordiscoverytrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 47 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b9ae14fa1dafe606ba9a07f207498e7c8b60a727c381bf799f4cfc53717d4a7.exe
    "C:\Users\Admin\AppData\Local\Temp\0b9ae14fa1dafe606ba9a07f207498e7c8b60a727c381bf799f4cfc53717d4a7.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1508
  • C:\Users\Admin\AppData\Local\Temp\593C.exe
    C:\Users\Admin\AppData\Local\Temp\593C.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:3880
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Checks processor information in registry
      • Suspicious use of FindShellTrayWindow
      PID:4240
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1460
        3⤵
        • Program crash
        PID:1576
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 988
      2⤵
      • Program crash
      PID:2368
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 1016
      2⤵
      • Program crash
      PID:2268
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4240 -ip 4240
    1⤵
      PID:4496
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3880 -ip 3880
      1⤵
        PID:3656
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3880 -ip 3880
        1⤵
          PID:1192

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\02fc4909-db62-4fee-8646-109dbf6b271b.tmp
          Filesize

          21KB

          MD5

          301ea18f32584b0102b1e4f710c6054d

          SHA1

          e970ec47138c443ec94a4c3671622f578ed09a26

          SHA256

          7f4e382d1c6724a5f173f3617e35d5ad74c28ffce9a918f00b48c88f978dc34e

          SHA512

          3c1dd0687ff4a98324f8f0c054e2bf24a3adc2edb28a4ee095f5e71d5943702bcdf36b4c5b2e163e17cc207833194539ed98b7830e94ac446a9d48d29837627b

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\593C.exe
          Filesize

          4.9MB

          MD5

          f54c1dc65f20cf0b5656936b95e8de1f

          SHA1

          554898e06be759a9be12e8874845ea7199323b00

          SHA256

          e166d886c990856e595d333e023850ae743ca2ca830b0a8b706dcb576e52e9a4

          SHA512

          ce13585a8d5579653f9ceda8bce63d0c5efd1dcfca462e7843f3da89e764c576c74752348f57e25002829b6d3653167badc8b6fff86d0e730e6437fc89db4254

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\593C.exe
          Filesize

          4.9MB

          MD5

          f54c1dc65f20cf0b5656936b95e8de1f

          SHA1

          554898e06be759a9be12e8874845ea7199323b00

          SHA256

          e166d886c990856e595d333e023850ae743ca2ca830b0a8b706dcb576e52e9a4

          SHA512

          ce13585a8d5579653f9ceda8bce63d0c5efd1dcfca462e7843f3da89e764c576c74752348f57e25002829b6d3653167badc8b6fff86d0e730e6437fc89db4254

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\607cd18f-98c4-4c86-94ad-33f9ee772d45.tmp
          Filesize

          25KB

          MD5

          9f670566b87be47f09e3871cd67ed6d9

          SHA1

          8b49dd7fb4bf06df0a16cfc03a42832b78bdfabd

          SHA256

          d7089602fa181dfd161165dc1bb34271e7481f88ee2ca06230da2a2269a68c80

          SHA512

          6e53a2d3c4329114f7e562d84bcb6345176ce4d7006c9d699d6dab9886d5aa277b5b8fe5cfb9e574a49e0c1de6414efa913cf9b3ffecd95e9fafa28370fc2456

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Rpiidpytrto.tmp
          Filesize

          3.5MB

          MD5

          c597ca48af580cb2755914474a787ddf

          SHA1

          427cdbd19eadb94f1f89b51a7c3647a3ff7d3925

          SHA256

          8c67a70fe070595fda6ec977af7da0085d40df299f04cdd5669156752fee3f31

          SHA512

          c41ab851b712c484184934b2dab7015d329ec485b454b645411f69a97ef4a46351fe892f86522abf19c08cf1b7b6a5212954053b8218046cdfab24ef734e47ab

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\XZIOFAVD-20220812-1951.log
          Filesize

          56KB

          MD5

          d431794afa91c4c3745055b53d795183

          SHA1

          ca518aa0948e9e8af5ec5a89bc613d7e4fc6c9d5

          SHA256

          2290c5fc19f04b088974b297c2677e0e848900c9188382d3b24611a02685ae03

          SHA512

          1ae72c1da9b766b3bea44aa3244ab028f7ed8c6e715b284ca111f6f22d3300dbc54a89639f3af0b0371c62c7cab81d4b8b76d807e9738f9d5aa4b329f25fdd64

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\XZIOFAVD-20220812-1952.log
          Filesize

          181KB

          MD5

          6d45d5cf8942fe84ef13f94ba7e9f103

          SHA1

          ab7e93c91409dfd822e4afac72b423780be91711

          SHA256

          f407fcd3ce92166e2e3a86ce23f830100747364042f275338650e228af10bd03

          SHA512

          a9ab9519c8fb6343552b5b9ba6492e7db7595d8a4abff5197944034c5bc940db97f58907b24c9c1cc316e03799dcaca647bc1e2280c7388ddc9a8e9322c491ab

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\aria-debug-4844.log
          Filesize

          470B

          MD5

          467995413210c7391415743b595525c4

          SHA1

          f3ca1cf58a0e3285359840b39bcb30d49a7424d6

          SHA256

          cf0b731d7efcb55d5bf659817e88dcbb0aa3c6a0fe66d11ad965f1812eb3689e

          SHA512

          eb8987cd31907911197a818a84c790584c13a55d7a104afb542c066b66b0bd9d7c34b4fb07601bb6d31d9829d5d04eb3ad3947e7ea25c5915128ab96b9e42247

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
          Filesize

          1KB

          MD5

          93e7cb32c0803cd4f10f40068afb5ebb

          SHA1

          388fb2b6a393f807f5d36a320bea35a696004f9f

          SHA256

          fbba51574a6ba44ae6525df959ec9a14e4a1f65dbd74d2d6cd36d415b5a8bf98

          SHA512

          02c8f31973611f5161e5022fa4c1b042790e04bdb40221fa656e74701dd9fa2bb2b4f49dc17c8119b0d6b8838675c8755fc075545e0f091d0e96ea9aa3c8b642

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI6492.txt
          Filesize

          414KB

          MD5

          e84baf36ed9355aac02c3f9de8a23c22

          SHA1

          78f5ff2e9a7bee6ad878f6b800723046a579b0ec

          SHA256

          91e5abdb3d637fd2ed154683857201bcf95a49f2c8b27ce36f7559f4f8deed81

          SHA512

          132e1e2b1dc9d44d902930fd3d8ea1806b17ca54eacce74a4517a17b789e9e5e575a9de7f16451cabeb3b4cceb6728ea9d51ebd299d4ce72b7de33246d286074

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI6492.txt
          Filesize

          11KB

          MD5

          3deb951d119c378dff3d7911fa48dd12

          SHA1

          b74cbbddb4b37d46456da7a3e86260a3d8144e17

          SHA256

          0cf9936341117c121cc50582950760d7b24f1117749b451d82a45202f5aad461

          SHA512

          d9fc285be218af35e81d17b6bd78644d9bad8995cbfc466a0a671f171012f5ff760863e359ea49c9329c951a2280fa5b8e08e72c431e2c961e9fbc65bba7ce80

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wctA999.tmp
          Filesize

          62KB

          MD5

          7185e716980842db27c3b3a88e1fe804

          SHA1

          e4615379cd4797629b4cc3da157f4d4a5412fb2b

          SHA256

          094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

          SHA512

          dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

          Download Submit

        • memory/1508-132-0x0000000002D08000-0x0000000002D1D000-memory.dmp

          Filesize

          84KB

          Download

        • memory/1508-133-0x0000000002CB0000-0x0000000002CB9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/1508-134-0x0000000000400000-0x0000000002C37000-memory.dmp

          Filesize

          40.2MB

          Download

        • memory/1508-135-0x0000000000400000-0x0000000002C37000-memory.dmp

          Filesize

          40.2MB

          Download

        • memory/3880-143-0x0000000005F40000-0x0000000006AA9000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/3880-150-0x0000000006D10000-0x0000000006E50000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3880-151-0x0000000006D10000-0x0000000006E50000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3880-153-0x0000000006D10000-0x0000000006E50000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3880-152-0x0000000006D10000-0x0000000006E50000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3880-175-0x0000000000400000-0x00000000030CC000-memory.dmp

          Filesize

          44.8MB

          Download

        • memory/3880-174-0x0000000005F40000-0x0000000006AA9000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/3880-173-0x0000000000400000-0x00000000030CC000-memory.dmp

          Filesize

          44.8MB

          Download

        • memory/3880-149-0x0000000006D10000-0x0000000006E50000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3880-148-0x0000000006D10000-0x0000000006E50000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3880-147-0x0000000006D10000-0x0000000006E50000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3880-146-0x0000000006D10000-0x0000000006E50000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3880-145-0x0000000005F40000-0x0000000006AA9000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/3880-144-0x0000000005F40000-0x0000000006AA9000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/3880-142-0x0000000000400000-0x00000000030CC000-memory.dmp

          Filesize

          44.8MB

          Download

        • memory/3880-141-0x0000000000400000-0x00000000030CC000-memory.dmp

          Filesize

          44.8MB

          Download

        • memory/3880-140-0x0000000005310000-0x0000000005965000-memory.dmp

          Filesize

          6.3MB

          Download

        • memory/3880-139-0x0000000004E5D000-0x0000000005306000-memory.dmp

          Filesize

          4.7MB

          Download

        • memory/4240-157-0x0000000003680000-0x00000000037C0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4240-168-0x0000000000610000-0x000000000105A000-memory.dmp

          Filesize

          10.3MB

          Download

        • memory/4240-170-0x0000000002960000-0x00000000034C9000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/4240-171-0x0000000003680000-0x00000000037C0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4240-169-0x0000000003680000-0x00000000037C0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4240-172-0x0000000002960000-0x00000000034C9000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/4240-156-0x0000000003680000-0x00000000037C0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4240-155-0x0000000002960000-0x00000000034C9000-memory.dmp

          Filesize

          11.4MB

          Download