Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/12/2022, 15:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d51939edbdbcefd39c6daf757dcc9182ae9107b92b1a872144e2bb8e4f5302b4.exe

  • Size

    214KB

  • MD5

    68521d671628e38efa5f153a045cc99c

  • SHA1

    3c1c901111af01ca595e9838ae653724916aa6f7

  • SHA256

    d51939edbdbcefd39c6daf757dcc9182ae9107b92b1a872144e2bb8e4f5302b4

  • SHA512

    7ba01c6d8aa578805e54857fd0739beee539a5da37d9287122f88b1b117780fba7ee579477213cbc612d9f001583abf9eef8b8947dcd809fab2193697339eb57

  • SSDEEP

    3072:l4jiRAvLGLTR4sD9LTRJQ6rTkNCojMyXAC8/g3xoOo/knG3ERWR3Le:yjiuvLG+sDFRTkCogyQfg3CO/GU0V6

Score
10/10
danabotsmokeloaderbackdoorbankertrojan

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535
Attributes
  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 41 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d51939edbdbcefd39c6daf757dcc9182ae9107b92b1a872144e2bb8e4f5302b4.exe
    "C:\Users\Admin\AppData\Local\Temp\d51939edbdbcefd39c6daf757dcc9182ae9107b92b1a872144e2bb8e4f5302b4.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:5012
  • C:\Users\Admin\AppData\Local\Temp\E573.exe
    C:\Users\Admin\AppData\Local\Temp\E573.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1452
    • C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe
      "C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4188
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Checks processor information in registry
      PID:4668
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1312
        3⤵
        • Program crash
        PID:4092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 1444
      2⤵
      • Program crash
      PID:3508
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7d6b4f50,0x7fff7d6b4f60,0x7fff7d6b4f70
    1⤵
      PID:4772
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
      1⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Enumerates system info in registry
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3604
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1588,7212129404417190305,3048593724288289837,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:2
        2⤵
          PID:5008
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,7212129404417190305,3048593724288289837,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1664 /prefetch:8
          2⤵
            PID:2056
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,7212129404417190305,3048593724288289837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2348 /prefetch:8
            2⤵
              PID:1744
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,7212129404417190305,3048593724288289837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:8
              2⤵
                PID:2648
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 3604 -s 3732
                2⤵
                • Program crash
                PID:5100
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4668 -ip 4668
              1⤵
                PID:60
              • C:\Windows\System32\CompPkgSrv.exe
                C:\Windows\System32\CompPkgSrv.exe -Embedding
                1⤵
                  PID:2960
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -pss -s 536 -p 3604 -ip 3604
                  1⤵
                    PID:1520
                  • C:\Users\Admin\AppData\Local\Temp\182C.exe
                    C:\Users\Admin\AppData\Local\Temp\182C.exe
                    1⤵
                    • Executes dropped EXE
                    • Suspicious behavior: GetForegroundWindowSpam
                    PID:316
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 268
                      2⤵
                      • Program crash
                      PID:2588
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 316 -ip 316
                    1⤵
                      PID:4476
                    • C:\Windows\SysWOW64\WerFault.exe
                      C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1452 -ip 1452
                      1⤵
                        PID:1924

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Temp\182C.exe
                        Filesize

                        1.5MB

                        MD5

                        cef3a3bce13fff2783b8994a70b95037

                        SHA1

                        fc868a722827e7e667aff71fe977cfdc643ace62

                        SHA256

                        7de5993155dddb0d9c365832842b1702b1d3a7a3a0818cc18de65ae5f3abfd15

                        SHA512

                        8058840bc568bcddf1252f440eb048889b5c3faabe9f6d6b0a7e17cb0139142ec5381b3d06e1aa3941562592693e1bc55a178a1fdbabd51cc1c6f0315eed45e7

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\182C.exe
                        Filesize

                        1.5MB

                        MD5

                        cef3a3bce13fff2783b8994a70b95037

                        SHA1

                        fc868a722827e7e667aff71fe977cfdc643ace62

                        SHA256

                        7de5993155dddb0d9c365832842b1702b1d3a7a3a0818cc18de65ae5f3abfd15

                        SHA512

                        8058840bc568bcddf1252f440eb048889b5c3faabe9f6d6b0a7e17cb0139142ec5381b3d06e1aa3941562592693e1bc55a178a1fdbabd51cc1c6f0315eed45e7

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\E573.exe
                        Filesize

                        4.2MB

                        MD5

                        9e91c32b888335e331d2b2bce4dcc6e5

                        SHA1

                        b5296fb410921fbc4704414c0ae5b9f66fdf8827

                        SHA256

                        04d2372a5d64fda367c1fe2bbaff93d609beac0aef98dde396e4c2290a54f5cf

                        SHA512

                        a1d3628edcef3bd51433126397878c4a7deb0723ff467423a54b6d62f765e3812dd76a39b774281973297bffb33e177e719d6cfa0ae12312692b6d027733b673

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\E573.exe
                        Filesize

                        4.2MB

                        MD5

                        9e91c32b888335e331d2b2bce4dcc6e5

                        SHA1

                        b5296fb410921fbc4704414c0ae5b9f66fdf8827

                        SHA256

                        04d2372a5d64fda367c1fe2bbaff93d609beac0aef98dde396e4c2290a54f5cf

                        SHA512

                        a1d3628edcef3bd51433126397878c4a7deb0723ff467423a54b6d62f765e3812dd76a39b774281973297bffb33e177e719d6cfa0ae12312692b6d027733b673

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe
                        Filesize

                        1.2MB

                        MD5

                        50e03c260a0f6db796aa22d7443aa105

                        SHA1

                        573a47d22475dc990d57cdd33b0952b721e4ddd9

                        SHA256

                        5b71ae23c39fbcd56d58ad59d4b13b0346f1f162bc5089b3ea4be35c0e621065

                        SHA512

                        4528944754d4f6fae49d63c30377913ea4cf6741a37da8c91fc8ad1006fde8065de9aa96c5de03c84b78a27aecffbf43de9daa94f25408c866c605394a71d434

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe
                        Filesize

                        1.2MB

                        MD5

                        50e03c260a0f6db796aa22d7443aa105

                        SHA1

                        573a47d22475dc990d57cdd33b0952b721e4ddd9

                        SHA256

                        5b71ae23c39fbcd56d58ad59d4b13b0346f1f162bc5089b3ea4be35c0e621065

                        SHA512

                        4528944754d4f6fae49d63c30377913ea4cf6741a37da8c91fc8ad1006fde8065de9aa96c5de03c84b78a27aecffbf43de9daa94f25408c866c605394a71d434

                        Download Submit

                      • memory/760-172-0x00000000083F0000-0x0000000008516000-memory.dmp

                        Filesize

                        1.1MB

                        Download

                      • memory/760-157-0x00000000083F0000-0x0000000008516000-memory.dmp

                        Filesize

                        1.1MB

                        Download

                      • memory/760-145-0x00000000083F0000-0x0000000008516000-memory.dmp

                        Filesize

                        1.1MB

                        Download

                      • memory/1452-146-0x0000000006560000-0x0000000006C86000-memory.dmp

                        Filesize

                        7.1MB

                        Download

                      • memory/1452-150-0x0000000006F20000-0x0000000007060000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1452-141-0x0000000000400000-0x0000000000866000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/1452-140-0x0000000002960000-0x0000000002DC2000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/1452-147-0x0000000006F20000-0x0000000007060000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1452-148-0x0000000006F20000-0x0000000007060000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1452-149-0x0000000006F20000-0x0000000007060000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1452-151-0x0000000006F20000-0x0000000007060000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1452-152-0x0000000006F20000-0x0000000007060000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1452-170-0x0000000000400000-0x0000000000866000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/1452-153-0x0000000006F20000-0x0000000007060000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1452-154-0x0000000006F20000-0x0000000007060000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/1452-155-0x0000000006560000-0x0000000006C86000-memory.dmp

                        Filesize

                        7.1MB

                        Download

                      • memory/1452-139-0x0000000000CA8000-0x00000000010BE000-memory.dmp

                        Filesize

                        4.1MB

                        Download

                      • memory/1452-171-0x0000000006560000-0x0000000006C86000-memory.dmp

                        Filesize

                        7.1MB

                        Download

                      • memory/1452-173-0x0000000000400000-0x0000000000866000-memory.dmp

                        Filesize

                        4.4MB

                        Download

                      • memory/4668-161-0x0000000000D80000-0x0000000001386000-memory.dmp

                        Filesize

                        6.0MB

                        Download

                      • memory/4668-162-0x0000000003360000-0x00000000034A0000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/4668-163-0x0000000003360000-0x00000000034A0000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/4668-164-0x0000000002B70000-0x0000000003296000-memory.dmp

                        Filesize

                        7.1MB

                        Download

                      • memory/4668-160-0x0000000003360000-0x00000000034A0000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/4668-166-0x0000000002B70000-0x0000000003296000-memory.dmp

                        Filesize

                        7.1MB

                        Download

                      • memory/4668-159-0x0000000003360000-0x00000000034A0000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/4668-158-0x0000000002B70000-0x0000000003296000-memory.dmp

                        Filesize

                        7.1MB

                        Download

                      • memory/5012-132-0x00000000007C2000-0x00000000007D2000-memory.dmp

                        Filesize

                        64KB

                        Download

                      • memory/5012-135-0x0000000000400000-0x000000000045F000-memory.dmp

                        Filesize

                        380KB

                        Download

                      • memory/5012-134-0x0000000000400000-0x000000000045F000-memory.dmp

                        Filesize

                        380KB

                        Download

                      • memory/5012-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

                        Filesize

                        36KB

                        Download