Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2022 12:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b71b90f62e3b61d3946aa1dbcbe2ef60d18bc512349de334fd06fdcde80a9f6b.exe

  • Size

    218KB

  • MD5

    0c2da48c16331136f35f0d17a8e564d1

  • SHA1

    27c4029331bf05a1317e0645c6841cc83c65c78b

  • SHA256

    b71b90f62e3b61d3946aa1dbcbe2ef60d18bc512349de334fd06fdcde80a9f6b

  • SHA512

    dcd1366b0f485725249a4ee97e699d315b7b33d53fb12c5beaf58d509cd1289c606816d2d8dc2852ac89e53251dd7aa209dcf7457bdb8807c763683f7f8155f4

  • SSDEEP

    3072:hV6JiL8pQOlHRZGF596ek/3Nscwbkuuq+7b/SNwwqNUoBNHCDml:hQJiL3Ogb9q2JluqW6mNUorCa

Score
10/10
danabotsmokeloadersystembcbackdoorbankertrojan

Malware Config

Extracted

Family

systembc

C2

109.205.214.18:443

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 31 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b71b90f62e3b61d3946aa1dbcbe2ef60d18bc512349de334fd06fdcde80a9f6b.exe
    "C:\Users\Admin\AppData\Local\Temp\b71b90f62e3b61d3946aa1dbcbe2ef60d18bc512349de334fd06fdcde80a9f6b.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1712
  • C:\Users\Admin\AppData\Local\Temp\F244.exe
    C:\Users\Admin\AppData\Local\Temp\F244.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14130
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1176
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 536
      2⤵
      • Program crash
      PID:1648
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1216 -ip 1216
    1⤵
      PID:2240
    • C:\Users\Admin\AppData\Local\Temp\2183.exe
      C:\Users\Admin\AppData\Local\Temp\2183.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:400
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 492
        2⤵
        • Program crash
        PID:904
    • C:\ProgramData\ftlm\asboros.exe
      C:\ProgramData\ftlm\asboros.exe start
      1⤵
      • Executes dropped EXE
      PID:3148
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2864
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 400 -ip 400
        1⤵
          PID:3876

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Modify Registry

        1
        T1112

        Credential Access

        Discovery

        System Information Discovery

        3
        T1082

        Query Registry

        2
        T1012

        Peripheral Device Discovery

        1
        T1120

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\ftlm\asboros.exe
          Filesize

          218KB

          MD5

          cdc67700f25eaed1417264c4bdec03d3

          SHA1

          56639e9414e6ee8394d940d62778475ddf071290

          SHA256

          fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

          SHA512

          a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

          Download Submit
        • C:\ProgramData\ftlm\asboros.exe
          Filesize

          218KB

          MD5

          cdc67700f25eaed1417264c4bdec03d3

          SHA1

          56639e9414e6ee8394d940d62778475ddf071290

          SHA256

          fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

          SHA512

          a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\2183.exe
          Filesize

          218KB

          MD5

          cdc67700f25eaed1417264c4bdec03d3

          SHA1

          56639e9414e6ee8394d940d62778475ddf071290

          SHA256

          fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

          SHA512

          a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\2183.exe
          Filesize

          218KB

          MD5

          cdc67700f25eaed1417264c4bdec03d3

          SHA1

          56639e9414e6ee8394d940d62778475ddf071290

          SHA256

          fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

          SHA512

          a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\F244.exe
          Filesize

          1.1MB

          MD5

          11bccba197c0008c8d2635448a14541b

          SHA1

          3d7792942e6900117547d03d6ccbeac3852e1f45

          SHA256

          f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa

          SHA512

          5f7f0457c7b3d21322db66af1038187d91b3a300b6caa72dc2f3562c0c09dd0de67af6ce974b1c8471a03fed30936d026ac1ea4e253c9a16205edd603b936a8e

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\F244.exe
          Filesize

          1.1MB

          MD5

          11bccba197c0008c8d2635448a14541b

          SHA1

          3d7792942e6900117547d03d6ccbeac3852e1f45

          SHA256

          f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa

          SHA512

          5f7f0457c7b3d21322db66af1038187d91b3a300b6caa72dc2f3562c0c09dd0de67af6ce974b1c8471a03fed30936d026ac1ea4e253c9a16205edd603b936a8e

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
          Filesize

          797KB

          MD5

          24925b25552a7d8f1d3292071e545920

          SHA1

          f786e1d40df30f6fed0301d60c823b655f2d6eac

          SHA256

          9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

          SHA512

          242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
          Filesize

          797KB

          MD5

          24925b25552a7d8f1d3292071e545920

          SHA1

          f786e1d40df30f6fed0301d60c823b655f2d6eac

          SHA256

          9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

          SHA512

          242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

          Download Submit
        • memory/400-172-0x00000000006B9000-0x00000000006CA000-memory.dmp
          Filesize

          68KB

          Download
        • memory/400-146-0x0000000000000000-mapping.dmp
          Download
        • memory/400-173-0x0000000000400000-0x000000000045F000-memory.dmp
          Filesize

          380KB

          Download
        • memory/400-151-0x0000000000400000-0x000000000045F000-memory.dmp
          Filesize

          380KB

          Download
        • memory/400-150-0x0000000000560000-0x0000000000569000-memory.dmp
          Filesize

          36KB

          Download
        • memory/400-149-0x00000000006B9000-0x00000000006CA000-memory.dmp
          Filesize

          68KB

          Download
        • memory/1176-164-0x00007FF744736890-mapping.dmp
          Download
        • memory/1176-169-0x000001FF13240000-0x000001FF1346A000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/1176-166-0x000001FF14C10000-0x000001FF14D50000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1176-167-0x000001FF14C10000-0x000001FF14D50000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1176-168-0x0000000000E30000-0x0000000001049000-memory.dmp
          Filesize

          2.1MB

          Download
        • memory/1216-140-0x0000000002260000-0x0000000002390000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1216-136-0x0000000000000000-mapping.dmp
          Download
        • memory/1216-141-0x0000000000400000-0x000000000053E000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1216-139-0x0000000002161000-0x0000000002250000-memory.dmp
          Filesize

          956KB

          Download
        • memory/1216-145-0x0000000000400000-0x000000000053E000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/1712-132-0x0000000000749000-0x000000000075A000-memory.dmp
          Filesize

          68KB

          Download
        • memory/1712-134-0x0000000000400000-0x000000000045F000-memory.dmp
          Filesize

          380KB

          Download
        • memory/1712-133-0x00000000005A0000-0x00000000005A9000-memory.dmp
          Filesize

          36KB

          Download
        • memory/1712-135-0x0000000000400000-0x000000000045F000-memory.dmp
          Filesize

          380KB

          Download
        • memory/2204-152-0x0000000005A50000-0x0000000006175000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/2204-165-0x0000000004C39000-0x0000000004C3B000-memory.dmp
          Filesize

          8KB

          Download
        • memory/2204-163-0x0000000004BC0000-0x0000000004D00000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/2204-160-0x0000000004BC0000-0x0000000004D00000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/2204-162-0x0000000004BC0000-0x0000000004D00000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/2204-142-0x0000000000000000-mapping.dmp
          Download
        • memory/2204-153-0x0000000005A50000-0x0000000006175000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/2204-161-0x0000000004BC0000-0x0000000004D00000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/2204-154-0x0000000004BC0000-0x0000000004D00000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/2204-155-0x0000000004BC0000-0x0000000004D00000-memory.dmp
          Filesize

          1.2MB

          Download
        • memory/2204-170-0x0000000005A50000-0x0000000006175000-memory.dmp
          Filesize

          7.1MB

          Download
        • memory/3148-171-0x00000000004B2000-0x00000000004C3000-memory.dmp
          Filesize

          68KB

          Download
        • memory/3148-158-0x00000000004B2000-0x00000000004C3000-memory.dmp
          Filesize

          68KB

          Download
        • memory/3148-159-0x0000000000400000-0x000000000045F000-memory.dmp
          Filesize

          380KB

          Download