Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/12/2022, 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe

  • Size

    305KB

  • MD5

    38534d532efd591c8e8ac97eca8d0571

  • SHA1

    732865d75c66eb16492b3efc24dd650079744b60

  • SHA256

    a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0

  • SHA512

    6d2a384dfe6efa8dea22370f1564a3589536fdf90a9de6ea99828d3137af064de51a9ee8113becc3327203e2f5f265a8bcf27a7f9171bcb3c68e98db84293c6a

  • SSDEEP

    6144:Zv8ILSYLFj8iAkseICh2oC0XDxO0iPvzpQ6rFiaI:Z/fLFgku+2oVxOxnzpQ6rF

Score
10/10
danabotsmokeloaderbackdoorbankertrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe
    "C:\Users\Admin\AppData\Local\Temp\a326ea034a7c1e3e5c9db7c0bf8481d18cecfdcaf1e8e8155c0b6ceb1dd574c0.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4612
  • C:\Users\Admin\AppData\Local\Temp\F8DC.exe
    C:\Users\Admin\AppData\Local\Temp\F8DC.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3624
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 536
      2⤵
      • Program crash
      PID:1748
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4936 -ip 4936
    1⤵
      PID:3708
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3700
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:3104
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_highcontrast_wob.dll",ij1NRVlHVA==
            2⤵
              PID:3984

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_wob.dll
            Filesize

            726KB

            MD5

            121f0292c99908701253c6f030636f97

            SHA1

            dbe1a8ebd5e1c394fe89a2ca8eb863e4c0b45bca

            SHA256

            7937a5e46fae86457d213a83bec0575eacc0bf464e1184d8e3ddcca03511340d

            SHA512

            535222a50829d6773c99d32c7adc562452d25d84bef1466d29ac4bd9fcc01e82c609987008877d2b5e63eb6f2d5fc9aa27e0c863f8f16d3b68954316196c98fa

            Download Submit

          • C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_wob.dll
            Filesize

            726KB

            MD5

            121f0292c99908701253c6f030636f97

            SHA1

            dbe1a8ebd5e1c394fe89a2ca8eb863e4c0b45bca

            SHA256

            7937a5e46fae86457d213a83bec0575eacc0bf464e1184d8e3ddcca03511340d

            SHA512

            535222a50829d6773c99d32c7adc562452d25d84bef1466d29ac4bd9fcc01e82c609987008877d2b5e63eb6f2d5fc9aa27e0c863f8f16d3b68954316196c98fa

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe.xml
            Filesize

            849B

            MD5

            cff245d69fe04eec05ce3601d77467b6

            SHA1

            d09b1d953eea98ef0b0fcec5936fc806940f7717

            SHA256

            40d6a0b80770bf41ddc0a3b3607ac53eb82d0f90675e5a595a18cd3f8bdf3d94

            SHA512

            4615affbbc7163076cbc82a8e65cd5d168d1411a028b47bddd0ec5219e08037304de1d14ae1fa659909760150edf5401e698c9f6252674eb4e84dec341aa3666

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
            Filesize

            2.3MB

            MD5

            2a50749dcd76166d8c08c54e0183c8ad

            SHA1

            91bdf6521e4201d0c4ceef89a301e622b9cfefa5

            SHA256

            c20373e7134051ef91e88637b470e4ec00029ca53dbf4a824b62dd4e574f260a

            SHA512

            e146781efbfc73e71c22e210b3d4f89fb2730f135c42e3849a5b3b0adcfc9f3a95574a106834f935ee14ad2e278fbb906a2824dd6c0881d80b836a83040769ff

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\overlay.png
            Filesize

            28KB

            MD5

            1f93b502e78190a2f496c2d9558e069d

            SHA1

            6ae6249493d36682270c0d5e3eb3c472fdd2766e

            SHA256

            5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

            SHA512

            cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\s640.hash
            Filesize

            106B

            MD5

            bef40d5a19278ca19b56fbcdde7e26ef

            SHA1

            4f01d5b8de038e120c64bd7cc22cf150af1452fb

            SHA256

            7f9c7cc5b265e312fc587d98c7c31218b7a46f1efb8c397dcc329354b4e5831d

            SHA512

            5a361b1378c7b9f635e72ffdfba4d59acd17341caba480a5271237a37d40d8eb03a6ca7f3c38e73ce87a15b682d434ffa0a7f96dd6355e286d8213a80518c493

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json
            Filesize

            121B

            MD5

            70bdaa5c409965a452e47aa001033c53

            SHA1

            594fad49def244b2a459ddd86bf1763e190917e3

            SHA256

            433ea519024b5837e58afc7f968df10b5fc3144b4da790c68a72c40740bdfa58

            SHA512

            62f25a4e598f3592cb8bb789ae4127c067fbcb3c738983f8da49996c9bdc981cebe266c666a416abe5cda8f321c8d62aa60da87dc77aef1843035dcb5400dbcc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\F8DC.exe
            Filesize

            1.1MB

            MD5

            52939ddac663150e902b58fdbb2d7b75

            SHA1

            a311ef6a1728ec247963a8b276da6f94d0d0a50c

            SHA256

            73c4486426a8ae3962e83259140d771c80532da079c3da94965039f9d9b8b11a

            SHA512

            6f6ee5ef9700fa2fbd332ad5b8a749614a465feb9c0c8d0eb7115296c414694f4401535da73d6a413eb62c7c8e9be7bf412b9ecf27c892f5dbc0b1fd62264789

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\F8DC.exe
            Filesize

            1.1MB

            MD5

            52939ddac663150e902b58fdbb2d7b75

            SHA1

            a311ef6a1728ec247963a8b276da6f94d0d0a50c

            SHA256

            73c4486426a8ae3962e83259140d771c80532da079c3da94965039f9d9b8b11a

            SHA512

            6f6ee5ef9700fa2fbd332ad5b8a749614a465feb9c0c8d0eb7115296c414694f4401535da73d6a413eb62c7c8e9be7bf412b9ecf27c892f5dbc0b1fd62264789

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
            Filesize

            726KB

            MD5

            6ea8a6cc5fed6c664df1b3ef7c56b55d

            SHA1

            6b244d708706441095ae97294928967ddf28432b

            SHA256

            2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

            SHA512

            4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
            Filesize

            726KB

            MD5

            6ea8a6cc5fed6c664df1b3ef7c56b55d

            SHA1

            6b244d708706441095ae97294928967ddf28432b

            SHA256

            2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

            SHA512

            4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

            Download Submit

          • \??\c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_highcontrast_wob.dll
            Filesize

            726KB

            MD5

            121f0292c99908701253c6f030636f97

            SHA1

            dbe1a8ebd5e1c394fe89a2ca8eb863e4c0b45bca

            SHA256

            7937a5e46fae86457d213a83bec0575eacc0bf464e1184d8e3ddcca03511340d

            SHA512

            535222a50829d6773c99d32c7adc562452d25d84bef1466d29ac4bd9fcc01e82c609987008877d2b5e63eb6f2d5fc9aa27e0c863f8f16d3b68954316196c98fa

            Download Submit

          • memory/3104-163-0x0000000003000000-0x0000000003725000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/3624-155-0x000001D3CE300000-0x000001D3CE440000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3624-158-0x000001D3CCAC0000-0x000001D3CCCEA000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/3624-157-0x0000000000580000-0x0000000000799000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/3624-154-0x000001D3CE300000-0x000001D3CE440000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4612-135-0x0000000000400000-0x0000000000452000-memory.dmp

            Filesize

            328KB

            Download

          • memory/4612-134-0x0000000000400000-0x0000000000452000-memory.dmp

            Filesize

            328KB

            Download

          • memory/4612-133-0x00000000005B0000-0x00000000005B9000-memory.dmp

            Filesize

            36KB

            Download

          • memory/4612-132-0x00000000005D9000-0x00000000005EE000-memory.dmp

            Filesize

            84KB

            Download

          • memory/4836-150-0x0000000004460000-0x00000000045A0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4836-147-0x0000000004460000-0x00000000045A0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4836-151-0x0000000004460000-0x00000000045A0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4836-152-0x0000000004460000-0x00000000045A0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4836-159-0x00000000052F0000-0x0000000005A15000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4836-149-0x0000000004460000-0x00000000045A0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4836-148-0x0000000004460000-0x00000000045A0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4836-156-0x00000000044D9000-0x00000000044DB000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4836-145-0x00000000052F0000-0x0000000005A15000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4836-146-0x00000000052F0000-0x0000000005A15000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4936-143-0x0000000002220000-0x0000000002335000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/4936-142-0x0000000001FE9000-0x00000000020BF000-memory.dmp

            Filesize

            856KB

            Download

          • memory/4936-144-0x0000000000400000-0x0000000000517000-memory.dmp

            Filesize

            1.1MB

            Download