Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2022 09:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cec38458f77fb0f094fb9182e73a041d646bc5cc057cde2b8c527ced41896403.exe

  • Size

    218KB

  • MD5

    92ccfc59d422fc34cfa500f5d4198b36

  • SHA1

    880f73dbdaf8ba18ba32415282fb3a1b22e92b6a

  • SHA256

    cec38458f77fb0f094fb9182e73a041d646bc5cc057cde2b8c527ced41896403

  • SHA512

    7956378f88b56188c7dc6f4f1e2c64e540788fd5ecf9135a6c674dac7b750c0b59abd7601b3577cc6ccb3594b0607e704de05ff1f1fa846f34b9da33a660e0ac

  • SSDEEP

    3072:yzpGUmLKgc9Rk4T9OSNYR5udR6NOQr2W3C8V7b/9xLFpnldNHCDml:yd9mLxd45OSk3rZRlbFphCa

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cec38458f77fb0f094fb9182e73a041d646bc5cc057cde2b8c527ced41896403.exe
    "C:\Users\Admin\AppData\Local\Temp\cec38458f77fb0f094fb9182e73a041d646bc5cc057cde2b8c527ced41896403.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1600
  • C:\Users\Admin\AppData\Local\Temp\F225.exe
    C:\Users\Admin\AppData\Local\Temp\F225.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14100
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:5092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 536
      2⤵
      • Program crash
      PID:4424
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 392 -ip 392
    1⤵
      PID:2224
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3036
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:1828
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adobe_spinner_mini.dll",EgwGTVpRaw==
            2⤵
              PID:4868

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          3
          T1012

          System Information Discovery

          3
          T1082

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner_mini.dll
            Filesize

            797KB

            MD5

            b652965a4ecd5ce33de9e231c0080eca

            SHA1

            9f7ba8524d8e69e721f977bd19a4f7578e8bbfb0

            SHA256

            f51e55a005b5c3cedfc8acab537993ed70b4fe8bb96e980039107a8a18f34966

            SHA512

            e4c9069e2ea175e0bde1c523ef202416ec028d24d6431effa53ea6c767760f1a80388ad6cde4de47bb22f6ef6cf10a5148ba8b4663e3c3db71862b1df4ca2d20

            Download Submit
          • C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner_mini.dll
            Filesize

            797KB

            MD5

            b652965a4ecd5ce33de9e231c0080eca

            SHA1

            9f7ba8524d8e69e721f977bd19a4f7578e8bbfb0

            SHA256

            f51e55a005b5c3cedfc8acab537993ed70b4fe8bb96e980039107a8a18f34966

            SHA512

            e4c9069e2ea175e0bde1c523ef202416ec028d24d6431effa53ea6c767760f1a80388ad6cde4de47bb22f6ef6cf10a5148ba8b4663e3c3db71862b1df4ca2d20

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.osmmui.msi.16.en-us.xml
            Filesize

            10KB

            MD5

            3ef69b2c0f15e6b97fca1141bc9beb9a

            SHA1

            421916704e31978eb77421161bb170003a83c1a2

            SHA256

            f3e25cf6f3fdd2017b76701290ba9599384dd2084111545f6da078502cae29cc

            SHA512

            cec4a92eb852d731571a4e1098f195b2f3d84a5fde17c5e6ba5d3e7464f2352fe25cb67b051078f0742696b0aa862960e0203c2231df1552534c06539149427d

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.powerpointmui.msi.16.en-us.xml
            Filesize

            27KB

            MD5

            e9ed7134ebf28fea3f7aa5691a28438a

            SHA1

            ea1e55c279ed9f8dae333ae436204d8d67d46adf

            SHA256

            8fe0a353ce49d8bf91b019174a72f92c70870d8215b3afa565a01eb041569e28

            SHA512

            535d34d3e428d421793e147e8bf1e344e9a2da449ce25103bf4d72c7b421db429304d5eaebbe305ac566b4b172984677885dcab2aa118441a3df38c57fd04dd9

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
            Filesize

            2.3MB

            MD5

            18fff4a27a2a0cecd5068661262b106d

            SHA1

            aaf9f29239c805b3d99216f5ed56fd1dd0dc1fcc

            SHA256

            58fe741969f70e710f510c505cbba50755cd0015949524cd5ea15c204c29bcb2

            SHA512

            1eb0a3685b1bae64ccf0d90dce32fac13206e21d5ed2be4e2b45a750fe69a68200b0d09acfb78d8b6175ae4f2ba741cbcad17166f8385c45a20ee590b805bbe9

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe.xml
            Filesize

            9KB

            MD5

            993d82e37af681bd65f1d428b6ee281e

            SHA1

            bb1a8402cfccd1d97ea58d6136847a4dd1ba0f65

            SHA256

            1bc1d4525a46e58edd165a9d792f50441ea3cbcecd14022dc112e02f3d9b5bf8

            SHA512

            4eb247e384ffa84460e43abe7563643de30f397b628c02f3e6e51c69669d5d7b8be6ebe51355586e5cd5a252652e0eef7f1bd0219b416b61e1db318db4ac833c

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edb.jcp
            Filesize

            8KB

            MD5

            c826cf0fe94cfb79c23bd04630acb722

            SHA1

            e8e2babb652dfa84cbd20c007c4a1f6e435c120c

            SHA256

            6fb2188180d070a523d282882b2e7ba593ece8e2a8b01c47d55dbab7b852d523

            SHA512

            371651e5fb1c1e137b7c8a2653bf677a5d1158c1c34c6afd4bc6d4ce84215239ea1354b6b7f25e49620f3c1a6a5e3a31b2c2938e32a57e144d0c3010230c64d3

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\F225.exe
            Filesize

            1.1MB

            MD5

            c8beb87469647c6fb577d2bfec8e0fcd

            SHA1

            dcbbd759d34cb4d23c53d67943c47a250ee32767

            SHA256

            c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6

            SHA512

            678bbc9fcaa886d4babf499303afdbdf737d0e98d830bc404bcd74255742595229fa99c757f2b6c90b729b3fe260faecd2928405aaa641d774fda96fd80870fd

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\F225.exe
            Filesize

            1.1MB

            MD5

            c8beb87469647c6fb577d2bfec8e0fcd

            SHA1

            dcbbd759d34cb4d23c53d67943c47a250ee32767

            SHA256

            c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6

            SHA512

            678bbc9fcaa886d4babf499303afdbdf737d0e98d830bc404bcd74255742595229fa99c757f2b6c90b729b3fe260faecd2928405aaa641d774fda96fd80870fd

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit
          • \??\c:\program files (x86)\windowspowershell\modules\adobe_spinner_mini.dll
            Filesize

            797KB

            MD5

            b652965a4ecd5ce33de9e231c0080eca

            SHA1

            9f7ba8524d8e69e721f977bd19a4f7578e8bbfb0

            SHA256

            f51e55a005b5c3cedfc8acab537993ed70b4fe8bb96e980039107a8a18f34966

            SHA512

            e4c9069e2ea175e0bde1c523ef202416ec028d24d6431effa53ea6c767760f1a80388ad6cde4de47bb22f6ef6cf10a5148ba8b4663e3c3db71862b1df4ca2d20

            Download Submit
          • memory/392-142-0x0000000002166000-0x0000000002255000-memory.dmp
            Filesize

            956KB

            Download
          • memory/392-144-0x0000000000400000-0x000000000053E000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/392-136-0x0000000000000000-mapping.dmp
            Download
          • memory/392-143-0x0000000002260000-0x0000000002390000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1600-133-0x0000000002190000-0x0000000002199000-memory.dmp
            Filesize

            36KB

            Download
          • memory/1600-134-0x0000000000400000-0x000000000045F000-memory.dmp
            Filesize

            380KB

            Download
          • memory/1600-135-0x0000000000400000-0x000000000045F000-memory.dmp
            Filesize

            380KB

            Download
          • memory/1600-132-0x00000000005F8000-0x0000000000609000-memory.dmp
            Filesize

            68KB

            Download
          • memory/1828-171-0x0000000003440000-0x0000000003B65000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/1828-163-0x0000000003440000-0x0000000003B65000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/2864-159-0x0000000004F00000-0x0000000005625000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/2864-151-0x0000000004B50000-0x0000000004C90000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2864-156-0x0000000004BC9000-0x0000000004BCB000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2864-146-0x0000000004F00000-0x0000000005625000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/2864-147-0x0000000004B50000-0x0000000004C90000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2864-145-0x0000000004F00000-0x0000000005625000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/2864-148-0x0000000004B50000-0x0000000004C90000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2864-149-0x0000000004B50000-0x0000000004C90000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2864-152-0x0000000004B50000-0x0000000004C90000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2864-150-0x0000000004B50000-0x0000000004C90000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2864-139-0x0000000000000000-mapping.dmp
            Download
          • memory/4868-168-0x0000000000000000-mapping.dmp
            Download
          • memory/4868-170-0x0000000003FC0000-0x00000000046E5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4868-172-0x0000000003FC0000-0x00000000046E5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/5092-155-0x000002018F6A0000-0x000002018F7E0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/5092-153-0x00007FF789DE6890-mapping.dmp
            Download
          • memory/5092-154-0x000002018F6A0000-0x000002018F7E0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/5092-158-0x000002018F820000-0x000002018FA4A000-memory.dmp
            Filesize

            2.2MB

            Download
          • memory/5092-157-0x0000000000400000-0x0000000000619000-memory.dmp
            Filesize

            2.1MB

            Download