Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    351s
  • max time network
    397s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2022 20:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67d2a654bafe5bf876d25c1e6f36f795d8375b17b557e1ebb76f3f14cc044c83.exe

  • Size

    148KB

  • MD5

    b9a6abe942c1910b8b38cfde1f9f22dc

  • SHA1

    99c1720861f66483844c5f8cf11698958927d3dc

  • SHA256

    67d2a654bafe5bf876d25c1e6f36f795d8375b17b557e1ebb76f3f14cc044c83

  • SHA512

    0a0799b18b694b7e604104848bc435a54e1807e634c6dfbacce88fe6a79779db795bad3ef4d15f5ba6197507a1862e933d7c6719c5ad157600741a64371c5191

  • SSDEEP

    3072:mvcf6svLX80itk5eDSiRFYDjT0jJkYieVBIz2jks:lf6q/iFGiRFwIjJkYBVBIHs

Score
10/10
amadeysmokeloaderbackdoortrojan

Malware Config

Extracted

Family

amadey

Version

3.50

C2

77.73.134.65/o7VsjdSa2f/index.php

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67d2a654bafe5bf876d25c1e6f36f795d8375b17b557e1ebb76f3f14cc044c83.exe
    "C:\Users\Admin\AppData\Local\Temp\67d2a654bafe5bf876d25c1e6f36f795d8375b17b557e1ebb76f3f14cc044c83.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3444
  • C:\Users\Admin\AppData\Local\Temp\DDAA.exe
    C:\Users\Admin\AppData\Local\Temp\DDAA.exe
    1⤵
    • Executes dropped EXE
    PID:4752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\DDAA.exe
    Filesize

    745KB

    MD5

    9cf1dac1e7594909ca279477cf63196b

    SHA1

    6eaa8cc997456d5cd38287828089c8d968d7ec97

    SHA256

    055505edf9540a4e5984d6725b3c30bff77fe034266c174b3451104930509f61

    SHA512

    eda5bf3e96d004d53ad6fe7567d561a3740de54b23629bebd93445cab854d8cadc9969a1d94d9d35318e2cf91e2cb21c56b6e29377b561dff130c61efbc4d291

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\DDAA.exe
    Filesize

    745KB

    MD5

    9cf1dac1e7594909ca279477cf63196b

    SHA1

    6eaa8cc997456d5cd38287828089c8d968d7ec97

    SHA256

    055505edf9540a4e5984d6725b3c30bff77fe034266c174b3451104930509f61

    SHA512

    eda5bf3e96d004d53ad6fe7567d561a3740de54b23629bebd93445cab854d8cadc9969a1d94d9d35318e2cf91e2cb21c56b6e29377b561dff130c61efbc4d291

    Download Submit
  • memory/3444-132-0x000000000060D000-0x000000000061D000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3444-134-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/3444-133-0x0000000002190000-0x0000000002199000-memory.dmp
    Filesize

    36KB

    Download
  • memory/3444-135-0x0000000000400000-0x000000000045A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/4752-136-0x0000000000000000-mapping.dmp
    Download
  • memory/4752-139-0x0000000002710000-0x000000000274F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/4752-140-0x0000000000400000-0x00000000004C2000-memory.dmp
    Filesize

    776KB

    Download