Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2022 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe

  • Size

    218KB

  • MD5

    16b1904a41d5a106d93914dd3e6e71be

  • SHA1

    4f2a08f73cfe51f363760578588b19765eb36ec8

  • SHA256

    5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7

  • SHA512

    3a75d7d713b6382cc4720003bb8cfc7e2814ad9478ef7d6ded0f5b3bdfc59d6e5a7fda10fab7cd9a2231f57683e199fe7954e0e4ec19fc54c6ff8b42a2928e9a

  • SSDEEP

    3072:+NCxFYH1LI/4GHR7uvUZi6eVwCll7c58u7b/fOp2NHCDml:+02VLk40AUQcsc58mHkECa

Score
10/10
danabotsmokeloadersystembcbackdoorbankerpersistencetrojan

Malware Config

Extracted

Family

systembc

C2

109.205.214.18:443

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Sets service image path in registry 2 TTPs 4 IoCs
    persistence
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 19 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe
    "C:\Users\Admin\AppData\Local\Temp\5234114873c908014335c999b048382d2f1e68ef3cf98ff14e30e04a269126f7.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4188
  • C:\Users\Admin\AppData\Local\Temp\E4F6.exe
    C:\Users\Admin\AppData\Local\Temp\E4F6.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
      2⤵
      • Blocklisted process makes network request
      • Sets DLL path for service in the registry
      • Sets service image path in registry
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:444
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14130
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:1936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 536
      2⤵
      • Program crash
      PID:2344
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4908 -ip 4908
    1⤵
      PID:2580
    • C:\Users\Admin\AppData\Local\Temp\2D79.exe
      C:\Users\Admin\AppData\Local\Temp\2D79.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:3808
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1008
      • C:\ProgramData\fjgceb\lsknjp.exe
        C:\ProgramData\fjgceb\lsknjp.exe start
        1⤵
        • Executes dropped EXE
        PID:1416
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:1464
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_highcontrast_bow.dll",TxY5V0Ixcko=
            2⤵
              PID:664

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          2
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          3
          T1112

          Credential Access

          Discovery

          System Information Discovery

          3
          T1082

          Query Registry

          2
          T1012

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_bow.dll
            Filesize

            797KB

            MD5

            f66bed060034ad85e2d3d7606d8f33a4

            SHA1

            58ecaa5ea7b54c0874dd5159cc6c85898be971f8

            SHA256

            435f7a015f01caacf5e1021d800ef8a49f687d85989c7421fa3e205bc1931f4e

            SHA512

            8d2917a6fb0330a3bac4fe299185e6c545d79053ee93691e7e7f22829dd9a8ac68253df4ed8873d648e087826dde4dd8d3e90071b391f7db371dadb81f19709e

            Download Submit
          • C:\ProgramData\fjgceb\lsknjp.exe
            Filesize

            218KB

            MD5

            cdc67700f25eaed1417264c4bdec03d3

            SHA1

            56639e9414e6ee8394d940d62778475ddf071290

            SHA256

            fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

            SHA512

            a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

            Download Submit
          • C:\ProgramData\fjgceb\lsknjp.exe
            Filesize

            218KB

            MD5

            cdc67700f25eaed1417264c4bdec03d3

            SHA1

            56639e9414e6ee8394d940d62778475ddf071290

            SHA256

            fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

            SHA512

            a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
            Filesize

            2KB

            MD5

            d2d725a3c34b3597b164a038ec06085a

            SHA1

            52eb2334afeccafd46b205de0d2c7306cb7b7c8d

            SHA256

            01bc9a89105cebd77ff81b814f794a71cbccf40f4d3e663758e63e202f5e1f00

            SHA512

            6f23fc81a4a5308966892ef880048ff079aec5968af5d6fcc0315c05533d597865b0572d18e0368da4ff85c9136b87a4cb9e878bc28738a18025d576b5a3f306

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\EventStore.db
            Filesize

            60KB

            MD5

            df1f91f22250f52a1445cdcbf265d1a6

            SHA1

            e7d220ec4c084da76d797efac809f3c03b190706

            SHA256

            a60ec6a0c045b7bdafd193c4d03b57f6f0740bce1c082ed79496a8910679ae4b

            SHA512

            236da8bf2becf5f3c265bb07c32c019dee22882108176487d7ca1e03ef0dd3a147223be1514dd4d395aabf7d0777a35cf2e16d2e58a84787a393c098e64e5319

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
            Filesize

            2.3MB

            MD5

            2e4e5bfd0d757cc9bef8fe8703168e7f

            SHA1

            21770102e794c82092e4e82bfedd50a5088bb215

            SHA256

            8f1c319ec2a27577699582f741f2b43bd711aa84d45e00641941a64679c64ead

            SHA512

            8dcbdf8cf55b485c26bfdd9a2e33b0e7bc376396abc959892a14425336fa7b77f3472a6ecf1bbac4e45487aa62144a949c1869d5235bca5bb649ba04746eac61

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
            Filesize

            843B

            MD5

            8a33c96712ba9c043f7a07d4c437a3fd

            SHA1

            dbd78a66c461017ee26a751925f9cecdea2590da

            SHA256

            eb8b0de59dd2efc380f7081af8975f37a83ee72c9c06ef25873f63d224adea1e

            SHA512

            7b9a15d219e4a5cd9146f8e7ae1d7c3b6f843ed060edf52e4928e349edd821a2d527f8f8402f774559f6cf282c83b751f02d2feaf9e040771c07bc4038a59e5a

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edb.chk
            Filesize

            8KB

            MD5

            21340b30b50bf39023c82c3f5f7e2191

            SHA1

            be30fd0676ee73ad765b60a8260b16fbb5aee75b

            SHA256

            44b356799549f16cb20a4bdd111b599c48d8f0ee05441e2a12999fa0e45a9ec4

            SHA512

            4b75fd293d2c659503d59045d5953c1d75d559775effc5babe0d358b15c1805cc4e6709940a647128da2cfbf191d8abee7c0f643b38858a80d6adcb7e66ffcaf

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\ringtones.ico
            Filesize

            50KB

            MD5

            8b30e7cbd25f178baac418e9b507b61e

            SHA1

            73c93d967571bb88b1bdf33477e7a5f758fc18e9

            SHA256

            0afa2eb896ffe20c5244dd191be791231c8b5b71eff200e75a3150a8e3296f30

            SHA512

            6b0ff7ff67cbb4c8611696273ee16fc5d57b53ea7869e0c97686583d7875faa65f04d7678017628a11420000f8bb869f6dca5fcbefb53b1824443fa73544944d

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\user.png
            Filesize

            5KB

            MD5

            d7ee4543371744836d520e0ce24a9ee6

            SHA1

            a6cda6aac3e480b269b9da2bd616bdb4d6fa87f0

            SHA256

            98817a572430813ca4ca2787dab20573f7864c5168ac6912f34d14b49e7bd7c9

            SHA512

            e15b6a50d9d498918a81488bf8d60860027f9a38f4d87e239f1c6e9d20fe4938e75861dad35c69e4087370c18b2cd5b482ab6ca694dfe205d053f1d303d17808

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\2D79.exe
            Filesize

            218KB

            MD5

            cdc67700f25eaed1417264c4bdec03d3

            SHA1

            56639e9414e6ee8394d940d62778475ddf071290

            SHA256

            fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

            SHA512

            a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\2D79.exe
            Filesize

            218KB

            MD5

            cdc67700f25eaed1417264c4bdec03d3

            SHA1

            56639e9414e6ee8394d940d62778475ddf071290

            SHA256

            fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

            SHA512

            a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\E4F6.exe
            Filesize

            1.1MB

            MD5

            11bccba197c0008c8d2635448a14541b

            SHA1

            3d7792942e6900117547d03d6ccbeac3852e1f45

            SHA256

            f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa

            SHA512

            5f7f0457c7b3d21322db66af1038187d91b3a300b6caa72dc2f3562c0c09dd0de67af6ce974b1c8471a03fed30936d026ac1ea4e253c9a16205edd603b936a8e

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\E4F6.exe
            Filesize

            1.1MB

            MD5

            11bccba197c0008c8d2635448a14541b

            SHA1

            3d7792942e6900117547d03d6ccbeac3852e1f45

            SHA256

            f6e7473ec1d725f3f0b05f071f26355d86a480a29f6044f5dfe3210977f286aa

            SHA512

            5f7f0457c7b3d21322db66af1038187d91b3a300b6caa72dc2f3562c0c09dd0de67af6ce974b1c8471a03fed30936d026ac1ea4e253c9a16205edd603b936a8e

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit
          • \??\c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_highcontrast_bow.dll
            Filesize

            797KB

            MD5

            f66bed060034ad85e2d3d7606d8f33a4

            SHA1

            58ecaa5ea7b54c0874dd5159cc6c85898be971f8

            SHA256

            435f7a015f01caacf5e1021d800ef8a49f687d85989c7421fa3e205bc1931f4e

            SHA512

            8d2917a6fb0330a3bac4fe299185e6c545d79053ee93691e7e7f22829dd9a8ac68253df4ed8873d648e087826dde4dd8d3e90071b391f7db371dadb81f19709e

            Download Submit
          • memory/444-158-0x0000000005530000-0x0000000005670000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/444-156-0x0000000005530000-0x0000000005670000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/444-149-0x0000000005530000-0x0000000005670000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/444-147-0x0000000005530000-0x0000000005670000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/444-139-0x0000000000000000-mapping.dmp
            Download
          • memory/444-162-0x00000000055A9000-0x00000000055AB000-memory.dmp
            Filesize

            8KB

            Download
          • memory/444-155-0x0000000005530000-0x0000000005670000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/444-165-0x0000000004CB0000-0x00000000053D5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/444-157-0x0000000005530000-0x0000000005670000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/444-145-0x0000000004CB0000-0x00000000053D5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/444-146-0x0000000004CB0000-0x00000000053D5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/664-183-0x0000000000000000-mapping.dmp
            Download
          • memory/1416-169-0x0000000000713000-0x0000000000723000-memory.dmp
            Filesize

            64KB

            Download
          • memory/1416-170-0x0000000000400000-0x000000000045F000-memory.dmp
            Filesize

            380KB

            Download
          • memory/1464-176-0x0000000003D60000-0x0000000004485000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/1936-159-0x00007FF7BF526890-mapping.dmp
            Download
          • memory/1936-160-0x0000020895300000-0x0000020895440000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1936-163-0x0000000000630000-0x0000000000849000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/1936-161-0x0000020895300000-0x0000020895440000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/1936-164-0x0000020893AC0000-0x0000020893CEA000-memory.dmp
            Filesize

            2.2MB

            Download
          • memory/3808-148-0x0000000000000000-mapping.dmp
            Download
          • memory/3808-154-0x0000000000400000-0x000000000045F000-memory.dmp
            Filesize

            380KB

            Download
          • memory/3808-171-0x00000000005B9000-0x00000000005CA000-memory.dmp
            Filesize

            68KB

            Download
          • memory/3808-172-0x0000000000400000-0x000000000045F000-memory.dmp
            Filesize

            380KB

            Download
          • memory/3808-168-0x00000000005B9000-0x00000000005CA000-memory.dmp
            Filesize

            68KB

            Download
          • memory/3808-152-0x00000000005B9000-0x00000000005CA000-memory.dmp
            Filesize

            68KB

            Download
          • memory/3808-153-0x0000000000490000-0x0000000000499000-memory.dmp
            Filesize

            36KB

            Download
          • memory/4188-132-0x0000000000788000-0x0000000000799000-memory.dmp
            Filesize

            68KB

            Download
          • memory/4188-135-0x0000000000400000-0x000000000045F000-memory.dmp
            Filesize

            380KB

            Download
          • memory/4188-134-0x0000000000400000-0x000000000045F000-memory.dmp
            Filesize

            380KB

            Download
          • memory/4188-133-0x00000000006F0000-0x00000000006F9000-memory.dmp
            Filesize

            36KB

            Download
          • memory/4908-142-0x000000000220E000-0x00000000022FD000-memory.dmp
            Filesize

            956KB

            Download
          • memory/4908-143-0x0000000002300000-0x0000000002430000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/4908-136-0x0000000000000000-mapping.dmp
            Download
          • memory/4908-144-0x0000000000400000-0x000000000053E000-memory.dmp
            Filesize

            1.2MB

            Download