Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2022 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b1431ed3a3ac2e55ef652301d7cd58fac4fb7213919f1a180b8cce23c0dc4c7.exe

  • Size

    214KB

  • MD5

    0563da06ee50ba49db438972b21d7813

  • SHA1

    f7be7fdf9e376ed8b246e3ebd4be2537075eac8c

  • SHA256

    9b1431ed3a3ac2e55ef652301d7cd58fac4fb7213919f1a180b8cce23c0dc4c7

  • SHA512

    66985e980cdbbdba5f798460a8a3c32e489aabbcfbb74f54bcbef003577eb53c06da39ccc3e7925dc7cae2559721375617a153ab365d55e39a8ca205297f6728

  • SSDEEP

    3072:dfh/JULEP8RbdQoKfdes/jUsizN3aA82ms8/g3xoy+ewoODPmG3ERWR3Le:dhxULElfw4jwlaAJAg3CPeVaPnU0V6

Score
10/10
danabotsmokeloaderbackdoorbankertrojan

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535
Attributes
  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 44 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 19 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b1431ed3a3ac2e55ef652301d7cd58fac4fb7213919f1a180b8cce23c0dc4c7.exe
    "C:\Users\Admin\AppData\Local\Temp\9b1431ed3a3ac2e55ef652301d7cd58fac4fb7213919f1a180b8cce23c0dc4c7.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:960
  • C:\Users\Admin\AppData\Local\Temp\494D.exe
    C:\Users\Admin\AppData\Local\Temp\494D.exe
    1⤵
    • Executes dropped EXE
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe
      "C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:220
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      PID:3484
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1420
      2⤵
      • Program crash
      PID:4328
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Enumerates system info in registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff858394f50,0x7ff858394f60,0x7ff858394f70
      2⤵
        PID:1900
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1660,6171738230814039498,118225925356473775,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1676 /prefetch:2
        2⤵
          PID:1288
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,6171738230814039498,118225925356473775,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1872 /prefetch:8
          2⤵
            PID:2620
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,6171738230814039498,118225925356473775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2296 /prefetch:8
            2⤵
              PID:1960
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,6171738230814039498,118225925356473775,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:8
              2⤵
                PID:2864
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -u -p 1332 -s 3664
                2⤵
                • Program crash
                PID:1892
            • C:\Windows\System32\CompPkgSrv.exe
              C:\Windows\System32\CompPkgSrv.exe -Embedding
              1⤵
                PID:5016
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -pss -s 448 -p 1332 -ip 1332
                1⤵
                  PID:4212
                • C:\Users\Admin\AppData\Local\Temp\7D3F.exe
                  C:\Users\Admin\AppData\Local\Temp\7D3F.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious behavior: GetForegroundWindowSpam
                  PID:1032
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 272
                    2⤵
                    • Program crash
                    PID:3528
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1032 -ip 1032
                  1⤵
                    PID:1156
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 628 -ip 628
                    1⤵
                      PID:4808

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\494D.exe
                      Filesize

                      4.2MB

                      MD5

                      cc4b391886bf4238e70772704b2c97ca

                      SHA1

                      aa0cf46c73caac0019a6f5e7f172f4540d33d525

                      SHA256

                      0290bb1ffcb644899aeb89c8aafdf2dba92aae13b251738163d2d16087f32c4d

                      SHA512

                      379148eaef2495c9518dfb98fc1c1924e310270e4c9965d42b80fd97531fbccafbec04c3fa67d7cec29140a83e37667426092ac6b60b95313cfccaa626df9072

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\494D.exe
                      Filesize

                      4.2MB

                      MD5

                      cc4b391886bf4238e70772704b2c97ca

                      SHA1

                      aa0cf46c73caac0019a6f5e7f172f4540d33d525

                      SHA256

                      0290bb1ffcb644899aeb89c8aafdf2dba92aae13b251738163d2d16087f32c4d

                      SHA512

                      379148eaef2495c9518dfb98fc1c1924e310270e4c9965d42b80fd97531fbccafbec04c3fa67d7cec29140a83e37667426092ac6b60b95313cfccaa626df9072

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\7D3F.exe
                      Filesize

                      1.4MB

                      MD5

                      8fe166e995bbb1f5b9ed97a6b858cb17

                      SHA1

                      34b173b2ee5db7694c69732af29bdc92eb528888

                      SHA256

                      e3ac933f39d5fa387a5f844d1d29379d88c4421aa72ac4e9b50d8bc1d5b40fa4

                      SHA512

                      62a132abe46d212be81f0bd65184b397c80d87c46bd1728d9ec14cd40babd2d6ff61f6a3fe8d8d49be44e00ce28bae355b2059db8f95dfa918b8ac548f5a6432

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\7D3F.exe
                      Filesize

                      1.4MB

                      MD5

                      8fe166e995bbb1f5b9ed97a6b858cb17

                      SHA1

                      34b173b2ee5db7694c69732af29bdc92eb528888

                      SHA256

                      e3ac933f39d5fa387a5f844d1d29379d88c4421aa72ac4e9b50d8bc1d5b40fa4

                      SHA512

                      62a132abe46d212be81f0bd65184b397c80d87c46bd1728d9ec14cd40babd2d6ff61f6a3fe8d8d49be44e00ce28bae355b2059db8f95dfa918b8ac548f5a6432

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe
                      Filesize

                      1.2MB

                      MD5

                      50e03c260a0f6db796aa22d7443aa105

                      SHA1

                      573a47d22475dc990d57cdd33b0952b721e4ddd9

                      SHA256

                      5b71ae23c39fbcd56d58ad59d4b13b0346f1f162bc5089b3ea4be35c0e621065

                      SHA512

                      4528944754d4f6fae49d63c30377913ea4cf6741a37da8c91fc8ad1006fde8065de9aa96c5de03c84b78a27aecffbf43de9daa94f25408c866c605394a71d434

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe
                      Filesize

                      1.2MB

                      MD5

                      50e03c260a0f6db796aa22d7443aa105

                      SHA1

                      573a47d22475dc990d57cdd33b0952b721e4ddd9

                      SHA256

                      5b71ae23c39fbcd56d58ad59d4b13b0346f1f162bc5089b3ea4be35c0e621065

                      SHA512

                      4528944754d4f6fae49d63c30377913ea4cf6741a37da8c91fc8ad1006fde8065de9aa96c5de03c84b78a27aecffbf43de9daa94f25408c866c605394a71d434

                      Download Submit
                    • \??\pipe\crashpad_1332_PQDYIIRYUDJBDOTG
                      MD5

                      d41d8cd98f00b204e9800998ecf8427e

                      SHA1

                      da39a3ee5e6b4b0d3255bfef95601890afd80709

                      SHA256

                      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                      SHA512

                      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                      Download Submit
                    • memory/220-142-0x0000000000000000-mapping.dmp
                      Download
                    • memory/628-152-0x0000000006F10000-0x0000000007050000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/628-149-0x0000000006F10000-0x0000000007050000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/628-140-0x0000000002950000-0x0000000002DB2000-memory.dmp
                      Filesize

                      4.4MB

                      Download
                    • memory/628-139-0x0000000000B96000-0x0000000000FAC000-memory.dmp
                      Filesize

                      4.1MB

                      Download
                    • memory/628-136-0x0000000000000000-mapping.dmp
                      Download
                    • memory/628-172-0x0000000000400000-0x0000000000866000-memory.dmp
                      Filesize

                      4.4MB

                      Download
                    • memory/628-146-0x0000000006560000-0x0000000006C86000-memory.dmp
                      Filesize

                      7.1MB

                      Download
                    • memory/628-147-0x0000000006F10000-0x0000000007050000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/628-148-0x0000000006F10000-0x0000000007050000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/628-141-0x0000000000400000-0x0000000000866000-memory.dmp
                      Filesize

                      4.4MB

                      Download
                    • memory/628-150-0x0000000006F10000-0x0000000007050000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/628-151-0x0000000006F10000-0x0000000007050000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/628-169-0x0000000000400000-0x0000000000866000-memory.dmp
                      Filesize

                      4.4MB

                      Download
                    • memory/628-153-0x0000000006F10000-0x0000000007050000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/628-154-0x0000000006F10000-0x0000000007050000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/628-170-0x0000000006560000-0x0000000006C86000-memory.dmp
                      Filesize

                      7.1MB

                      Download
                    • memory/960-132-0x00000000005A2000-0x00000000005B2000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/960-133-0x00000000004A0000-0x00000000004A9000-memory.dmp
                      Filesize

                      36KB

                      Download
                    • memory/960-134-0x0000000000400000-0x000000000045F000-memory.dmp
                      Filesize

                      380KB

                      Download
                    • memory/960-135-0x0000000000400000-0x000000000045F000-memory.dmp
                      Filesize

                      380KB

                      Download
                    • memory/1032-165-0x0000000000000000-mapping.dmp
                      Download
                    • memory/2576-156-0x0000000008500000-0x0000000008626000-memory.dmp
                      Filesize

                      1.1MB

                      Download
                    • memory/2576-171-0x0000000008500000-0x0000000008626000-memory.dmp
                      Filesize

                      1.1MB

                      Download
                    • memory/2576-145-0x0000000008500000-0x0000000008626000-memory.dmp
                      Filesize

                      1.1MB

                      Download
                    • memory/3484-161-0x0000000001200000-0x0000000001806000-memory.dmp
                      Filesize

                      6.0MB

                      Download
                    • memory/3484-162-0x00000000039C0000-0x0000000003B00000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/3484-163-0x00000000039C0000-0x0000000003B00000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/3484-160-0x00000000039C0000-0x0000000003B00000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/3484-159-0x00000000039C0000-0x0000000003B00000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/3484-158-0x0000000003190000-0x00000000038B6000-memory.dmp
                      Filesize

                      7.1MB

                      Download
                    • memory/3484-157-0x0000000003190000-0x00000000038B6000-memory.dmp
                      Filesize

                      7.1MB

                      Download
                    • memory/3484-168-0x0000000003190000-0x00000000038B6000-memory.dmp
                      Filesize

                      7.1MB

                      Download
                    • memory/3484-155-0x0000000000000000-mapping.dmp
                      Download