Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20220901-en
  • resource tags

    arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15-12-2022 09:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2636d2eaa0e284a5e079b558af958ff94b5375893aa39ef55f4f55f7221e6d6e.exe

  • Size

    327KB

  • MD5

    8d73778b1e919c68f023e8995a8aaee0

  • SHA1

    b6ba513b4bf1830451aed41121ddf8b5e32ee01f

  • SHA256

    2636d2eaa0e284a5e079b558af958ff94b5375893aa39ef55f4f55f7221e6d6e

  • SHA512

    55d1de360d01ed559e44542254bc454d8d22e7b63f167265fb40d68c82c11c37f43e43d221ae76c841eaf736432ac87b63066056db91871289afb49b2598d999

  • SSDEEP

    6144:0YEcLdiKSYgGFVQ2S9d4eWtGncS3Sbjfxur/tb:BhiKA2S9d3WtGnZSbjJurR

Score
10/10
danabotsystembcbankertrojan

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535
Attributes
  • type

    loader

Extracted

Family

systembc

C2

109.205.214.18:443

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 49 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 53 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2636d2eaa0e284a5e079b558af958ff94b5375893aa39ef55f4f55f7221e6d6e.exe
    "C:\Users\Admin\AppData\Local\Temp\2636d2eaa0e284a5e079b558af958ff94b5375893aa39ef55f4f55f7221e6d6e.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:328
  • C:\Users\Admin\AppData\Local\Temp\2460.exe
    C:\Users\Admin\AppData\Local\Temp\2460.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\Tyiotphai.exe
      "C:\Users\Admin\AppData\Local\Temp\Tyiotphai.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4364
    • C:\Windows\syswow64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30765
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4660
  • C:\Users\Admin\AppData\Local\Temp\6CA5.exe
    C:\Users\Admin\AppData\Local\Temp\6CA5.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:1152
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3316
    • C:\ProgramData\recol\ucvtq.exe
      C:\ProgramData\recol\ucvtq.exe start
      1⤵
      • Executes dropped EXE
      PID:2764

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    3
    T1082

    Query Registry

    2
    T1012

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\recol\ucvtq.exe
      Filesize

      327KB

      MD5

      a533eeaaec1a873d84936633e153dd0a

      SHA1

      a16f84c4039ddccf9960cee21cb8860f2f1cf34c

      SHA256

      3f6c84150d51188f54330ce514518c879705052abad3f89325e9c279f1d9403e

      SHA512

      c599ec24478794dbe3fd1f3124bb93423b610a5d36eb76d625a2401fcc5f368ee40bca9585ba156a06747c593bc415369ae2106ee48b94044a72a59bd1949b79

      Download Submit
    • C:\ProgramData\recol\ucvtq.exe
      Filesize

      327KB

      MD5

      a533eeaaec1a873d84936633e153dd0a

      SHA1

      a16f84c4039ddccf9960cee21cb8860f2f1cf34c

      SHA256

      3f6c84150d51188f54330ce514518c879705052abad3f89325e9c279f1d9403e

      SHA512

      c599ec24478794dbe3fd1f3124bb93423b610a5d36eb76d625a2401fcc5f368ee40bca9585ba156a06747c593bc415369ae2106ee48b94044a72a59bd1949b79

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\2460.exe
      Filesize

      4.5MB

      MD5

      15d382b3dc8b132f1f9fc920365e6c1f

      SHA1

      17f181aeb9e31768d0bb26c7aa69b7f21fce40f9

      SHA256

      1a092bc94e2aaabc71590a8d4a29e391f7baf57583973f059383254f978a461e

      SHA512

      27d76857400f76a0cf75790e46bc2a8c8a333543d8b707591bad214cb2bdc6a5aafb65b11da0f9880275031d8c58154a05c5477c425096ff31b52aaccf6c598b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\2460.exe
      Filesize

      4.5MB

      MD5

      15d382b3dc8b132f1f9fc920365e6c1f

      SHA1

      17f181aeb9e31768d0bb26c7aa69b7f21fce40f9

      SHA256

      1a092bc94e2aaabc71590a8d4a29e391f7baf57583973f059383254f978a461e

      SHA512

      27d76857400f76a0cf75790e46bc2a8c8a333543d8b707591bad214cb2bdc6a5aafb65b11da0f9880275031d8c58154a05c5477c425096ff31b52aaccf6c598b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\6CA5.exe
      Filesize

      327KB

      MD5

      a533eeaaec1a873d84936633e153dd0a

      SHA1

      a16f84c4039ddccf9960cee21cb8860f2f1cf34c

      SHA256

      3f6c84150d51188f54330ce514518c879705052abad3f89325e9c279f1d9403e

      SHA512

      c599ec24478794dbe3fd1f3124bb93423b610a5d36eb76d625a2401fcc5f368ee40bca9585ba156a06747c593bc415369ae2106ee48b94044a72a59bd1949b79

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\6CA5.exe
      Filesize

      327KB

      MD5

      a533eeaaec1a873d84936633e153dd0a

      SHA1

      a16f84c4039ddccf9960cee21cb8860f2f1cf34c

      SHA256

      3f6c84150d51188f54330ce514518c879705052abad3f89325e9c279f1d9403e

      SHA512

      c599ec24478794dbe3fd1f3124bb93423b610a5d36eb76d625a2401fcc5f368ee40bca9585ba156a06747c593bc415369ae2106ee48b94044a72a59bd1949b79

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tyiotphai.exe
      Filesize

      1.4MB

      MD5

      dfa7517406bc186cbc7e7e72491f34e2

      SHA1

      e98c6f327a66a9ecd4c0746e8ef19ae53b2bb8b7

      SHA256

      5b6ea9afdebfce6aafda78bbc6f9a9d81494436e4b159122bbc3122355d7a44b

      SHA512

      2644fb9a879e65aaf99fadb3664772b072cd3ced1f4b8a6b89e149b28588bc0e0a6b5d5d72f0decf31b83875ae87a009c298b3cc036a442c725142297dc8ecda

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tyiotphai.exe
      Filesize

      1.4MB

      MD5

      dfa7517406bc186cbc7e7e72491f34e2

      SHA1

      e98c6f327a66a9ecd4c0746e8ef19ae53b2bb8b7

      SHA256

      5b6ea9afdebfce6aafda78bbc6f9a9d81494436e4b159122bbc3122355d7a44b

      SHA512

      2644fb9a879e65aaf99fadb3664772b072cd3ced1f4b8a6b89e149b28588bc0e0a6b5d5d72f0decf31b83875ae87a009c298b3cc036a442c725142297dc8ecda

      Download Submit
    • memory/328-120-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-121-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-122-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-123-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-124-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-125-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-126-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-127-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-128-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-129-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-130-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-131-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-132-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-133-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-134-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-136-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-137-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-138-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-139-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-140-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-141-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-143-0x0000000000460000-0x000000000050E000-memory.dmp
      Filesize

      696KB

      Download
    • memory/328-144-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-146-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-147-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-148-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-149-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-150-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-151-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-145-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/328-153-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-154-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-155-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-156-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-152-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/328-142-0x0000000000460000-0x000000000050E000-memory.dmp
      Filesize

      696KB

      Download
    • memory/328-157-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/1152-483-0x0000000000460000-0x00000000005AA000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1152-469-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/1152-468-0x00000000001E0000-0x00000000001E9000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1152-467-0x0000000000460000-0x00000000005AA000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1152-408-0x0000000000000000-mapping.dmp
      Download
    • memory/1212-173-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-165-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-171-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-172-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-169-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-174-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-175-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-177-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-178-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-179-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-180-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-181-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-182-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-183-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-184-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-185-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-186-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-188-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-187-0x0000000002620000-0x0000000002A6B000-memory.dmp
      Filesize

      4.3MB

      Download
    • memory/1212-189-0x0000000002A70000-0x0000000002F09000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/1212-193-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-192-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-194-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-195-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-191-0x0000000000400000-0x000000000089B000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/1212-190-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-263-0x0000000006370000-0x0000000006A95000-memory.dmp
      Filesize

      7.1MB

      Download
    • memory/1212-158-0x0000000000000000-mapping.dmp
      Download
    • memory/1212-160-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-161-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-470-0x0000000000400000-0x000000000089B000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/1212-162-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-163-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-164-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-427-0x0000000006370000-0x0000000006A95000-memory.dmp
      Filesize

      7.1MB

      Download
    • memory/1212-392-0x0000000002620000-0x0000000002A6B000-memory.dmp
      Filesize

      4.3MB

      Download
    • memory/1212-394-0x0000000000400000-0x000000000089B000-memory.dmp
      Filesize

      4.6MB

      Download
    • memory/1212-170-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-166-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1212-168-0x0000000077460000-0x00000000775EE000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/2764-526-0x00000000004F0000-0x000000000059E000-memory.dmp
      Filesize

      696KB

      Download
    • memory/2764-525-0x00000000004F0000-0x000000000059E000-memory.dmp
      Filesize

      696KB

      Download
    • memory/2764-523-0x0000000000400000-0x0000000000458000-memory.dmp
      Filesize

      352KB

      Download
    • memory/2764-522-0x00000000004F0000-0x000000000059E000-memory.dmp
      Filesize

      696KB

      Download
    • memory/2764-521-0x00000000004F0000-0x000000000059E000-memory.dmp
      Filesize

      696KB

      Download
    • memory/4232-365-0x00000000053E0000-0x0000000005B05000-memory.dmp
      Filesize

      7.1MB

      Download
    • memory/4232-406-0x0000000003290000-0x0000000003895000-memory.dmp
      Filesize

      6.0MB

      Download
    • memory/4232-274-0x0000000001275FB0-mapping.dmp
      Download
    • memory/4232-407-0x00000000053E0000-0x0000000005B05000-memory.dmp
      Filesize

      7.1MB

      Download
    • memory/4232-337-0x0000000003290000-0x0000000003895000-memory.dmp
      Filesize

      6.0MB

      Download
    • memory/4364-340-0x0000000002260000-0x00000000023A0000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4364-216-0x0000000000000000-mapping.dmp
      Download
    • memory/4364-343-0x00000000023A0000-0x00000000024D2000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4364-344-0x0000000000400000-0x0000000000571000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/4364-428-0x0000000002260000-0x00000000023A0000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/4660-386-0x00007FF690DE5FD0-mapping.dmp
      Download
    • memory/4660-396-0x00000000000F0000-0x0000000000309000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/4660-397-0x0000014C64380000-0x0000014C645AB000-memory.dmp
      Filesize

      2.2MB

      Download