Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2022 08:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4592c6b5f38f82e9c50fcd6c4b5f2c33b925c57933fcaeb400979dce7cf04454.exe

  • Size

    163KB

  • MD5

    bb8e86a3fc33caae318aab15fc4d5aeb

  • SHA1

    02f9c735807fb78f7a5fade3bf6c0cf34396fe95

  • SHA256

    4592c6b5f38f82e9c50fcd6c4b5f2c33b925c57933fcaeb400979dce7cf04454

  • SHA512

    c7739f21b200393995b5e3e6b9ab8df59110b0f54ee33285ab6c8e385db1ad30aa652d0335080e95124ef8caab5600b013d748cb809fa7a32806766e024e831c

  • SSDEEP

    3072:TrJlWRnGCoMOTjt5wimxSYrF+eeo/yS5Z6pr4QpBh6JnlgPD:HyZHpi1YrF+TOL6pkEh

Score
10/10
smokeloadersystembcbackdoortrojan

Malware Config

Extracted

Family

systembc

C2

89.248.165.79:443

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4592c6b5f38f82e9c50fcd6c4b5f2c33b925c57933fcaeb400979dce7cf04454.exe
    "C:\Users\Admin\AppData\Local\Temp\4592c6b5f38f82e9c50fcd6c4b5f2c33b925c57933fcaeb400979dce7cf04454.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1736
  • C:\Users\Admin\AppData\Local\Temp\DA72.exe
    C:\Users\Admin\AppData\Local\Temp\DA72.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2760
  • C:\ProgramData\bbcrc\mloc.exe
    C:\ProgramData\bbcrc\mloc.exe start
    1⤵
    • Executes dropped EXE
    PID:3108

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\bbcrc\mloc.exe
    Filesize

    163KB

    MD5

    ede4e0e4f4547b54a24a170161ae4542

    SHA1

    7b15b83ebd70c52302e0dea0dea0404026298713

    SHA256

    5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32

    SHA512

    d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4

    Download Submit

  • C:\ProgramData\bbcrc\mloc.exe
    Filesize

    163KB

    MD5

    ede4e0e4f4547b54a24a170161ae4542

    SHA1

    7b15b83ebd70c52302e0dea0dea0404026298713

    SHA256

    5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32

    SHA512

    d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DA72.exe
    Filesize

    163KB

    MD5

    ede4e0e4f4547b54a24a170161ae4542

    SHA1

    7b15b83ebd70c52302e0dea0dea0404026298713

    SHA256

    5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32

    SHA512

    d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DA72.exe
    Filesize

    163KB

    MD5

    ede4e0e4f4547b54a24a170161ae4542

    SHA1

    7b15b83ebd70c52302e0dea0dea0404026298713

    SHA256

    5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32

    SHA512

    d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4

    Download Submit

  • memory/1736-133-0x0000000000720000-0x0000000000729000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1736-134-0x0000000000400000-0x000000000058E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1736-135-0x0000000000400000-0x000000000058E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/1736-132-0x0000000000748000-0x0000000000759000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2760-136-0x0000000000000000-mapping.dmp

    Download

  • memory/2760-141-0x0000000000400000-0x000000000058E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2760-142-0x0000000000649000-0x0000000000659000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2760-143-0x0000000000600000-0x0000000000609000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2760-140-0x0000000000600000-0x0000000000609000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2760-139-0x0000000000649000-0x0000000000659000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3108-146-0x0000000000832000-0x0000000000843000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3108-147-0x0000000000400000-0x000000000058E000-memory.dmp

    Filesize

    1.6MB

    Download