Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-11-2022 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe

  • Size

    147KB

  • MD5

    4d83d22a9fc1239d934e267867d666d9

  • SHA1

    c4a6f3a568f4c9a07db50ca8abc44efad63bccb2

  • SHA256

    8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8

  • SHA512

    7d847890dffa9c581f875caed61c89e744fc72cb27c2d387ef15af6d8e4d08d6cad3182facc9b00c7c5a37202c22d542d474c43c424fa8d662496d0f75c6100c

  • SSDEEP

    3072:sKw5vmdLlF5bH/moJM0lVvg/dsopnRLjkYAfA+kbRpg:kmd1ffJ7ldEWot2fOp

Score
10/10
tofseeevasionpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe
    "C:\Users\Admin\AppData\Local\Temp\8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\nordkegh\
      2⤵
        PID:4868
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zluihdmr.exe" C:\Windows\SysWOW64\nordkegh\
        2⤵
          PID:2732
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create nordkegh binPath= "C:\Windows\SysWOW64\nordkegh\zluihdmr.exe /d\"C:\Users\Admin\AppData\Local\Temp\8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2244
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description nordkegh "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1208
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start nordkegh
          2⤵
          • Launches sc.exe
          PID:1504
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2824
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 1036
          2⤵
          • Program crash
          PID:2024
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2168 -ip 2168
        1⤵
          PID:1128
        • C:\Windows\SysWOW64\nordkegh\zluihdmr.exe
          C:\Windows\SysWOW64\nordkegh\zluihdmr.exe /d"C:\Users\Admin\AppData\Local\Temp\8f9bb3a7266ab5b9b69efdccfc4b08caf510f30e7a01a1d28f071d8c51fae2d8.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4056
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            PID:232
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 508
            2⤵
            • Program crash
            PID:3676
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4056 -ip 4056
          1⤵
            PID:116

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\zluihdmr.exe
            Filesize

            14.6MB

            MD5

            6f76568ed4e2eae559834b2478cbf5b8

            SHA1

            797b29c5f129f835f05832c348b70fe81a1747af

            SHA256

            fcadcca914a2171c3c6b094c74859287c92ec667e48e012dbcd35186310648d4

            SHA512

            fc9cea4d8db9dd21f721c4c5f00c01e1c09f443b8a2db67a734f57af241a237f70feeeead43735b9fc72541a3b05496370273ec1aaa98e08160a0c8447fb9ef2

            Download Submit
          • C:\Windows\SysWOW64\nordkegh\zluihdmr.exe
            Filesize

            14.6MB

            MD5

            6f76568ed4e2eae559834b2478cbf5b8

            SHA1

            797b29c5f129f835f05832c348b70fe81a1747af

            SHA256

            fcadcca914a2171c3c6b094c74859287c92ec667e48e012dbcd35186310648d4

            SHA512

            fc9cea4d8db9dd21f721c4c5f00c01e1c09f443b8a2db67a734f57af241a237f70feeeead43735b9fc72541a3b05496370273ec1aaa98e08160a0c8447fb9ef2

            Download Submit
          • memory/232-151-0x00000000003C0000-0x00000000003D5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/232-143-0x0000000000000000-mapping.dmp
            Download
          • memory/232-144-0x00000000003C0000-0x00000000003D5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/232-153-0x00000000003C0000-0x00000000003D5000-memory.dmp
            Filesize

            84KB

            Download
          • memory/1208-139-0x0000000000000000-mapping.dmp
            Download
          • memory/1504-140-0x0000000000000000-mapping.dmp
            Download
          • memory/2168-148-0x0000000000C80000-0x0000000000C93000-memory.dmp
            Filesize

            76KB

            Download
          • memory/2168-133-0x0000000000C80000-0x0000000000C93000-memory.dmp
            Filesize

            76KB

            Download
          • memory/2168-147-0x0000000000CDE000-0x0000000000CEE000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2168-134-0x0000000000400000-0x0000000000AD6000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/2168-152-0x0000000000400000-0x0000000000AD6000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/2168-132-0x0000000000CDE000-0x0000000000CEE000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2244-138-0x0000000000000000-mapping.dmp
            Download
          • memory/2732-136-0x0000000000000000-mapping.dmp
            Download
          • memory/2824-141-0x0000000000000000-mapping.dmp
            Download
          • memory/4056-149-0x0000000000B18000-0x0000000000B29000-memory.dmp
            Filesize

            68KB

            Download
          • memory/4056-150-0x0000000000400000-0x0000000000AD6000-memory.dmp
            Filesize

            6.8MB

            Download
          • memory/4868-135-0x0000000000000000-mapping.dmp
            Download