Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2022 02:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    470259db6840ebc8256faa7c44782d9efa47579dac57cf5f1fa88a4124130492.exe

  • Size

    220KB

  • MD5

    8b23d09dbc3017a73fa22730685e549b

  • SHA1

    a66e17d08719f5de9b15852f7f96451fcdb033a2

  • SHA256

    470259db6840ebc8256faa7c44782d9efa47579dac57cf5f1fa88a4124130492

  • SHA512

    a32869ff241650f419dbcc11b47b9ede48ccfcc23e464bea0e9ab5bea2325b80beb215ff641bb16c8f57cf9dd0ebf85279e4e72b0582e625b1be1db24e8f5d59

  • SSDEEP

    3072:notA0Lv4115ZvCplRZLi6EiEXUbM7PsBy7b/9jKcNHCDml:oHLv4LvCpx26EieuMzssRnCa

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\470259db6840ebc8256faa7c44782d9efa47579dac57cf5f1fa88a4124130492.exe
    "C:\Users\Admin\AppData\Local\Temp\470259db6840ebc8256faa7c44782d9efa47579dac57cf5f1fa88a4124130492.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4752
  • C:\Users\Admin\AppData\Local\Temp\F580.exe
    C:\Users\Admin\AppData\Local\Temp\F580.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:980
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 528
      2⤵
      • Program crash
      PID:4128
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4044 -ip 4044
    1⤵
      PID:3544
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4760
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:836
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\comment.dll",Vicv
            2⤵
              PID:1932

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Query Registry

          3
          T1012

          System Information Discovery

          3
          T1082

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\WindowsPowerShell\Modules\comment.dll
            Filesize

            797KB

            MD5

            e0d1e0ebf1d0984357037aae57fa19fd

            SHA1

            0b866ea0b917481fde547bea710ff9a7522f9e08

            SHA256

            8c0fe5c4827e6e1c959e35c1e33b1bf86f276adbf21351d97cd820593bd4b487

            SHA512

            6467571037bcc76f041d747e5d9ace4b1ae91301cbfb97bad55e0da99c0285c49c100004333987d7054d068dfc51adbe29ccecf0e6721d94262e7c02faa9d59a

            Download Submit
          • C:\Program Files (x86)\WindowsPowerShell\Modules\comment.dll
            Filesize

            797KB

            MD5

            e0d1e0ebf1d0984357037aae57fa19fd

            SHA1

            0b866ea0b917481fde547bea710ff9a7522f9e08

            SHA256

            8c0fe5c4827e6e1c959e35c1e33b1bf86f276adbf21351d97cd820593bd4b487

            SHA512

            6467571037bcc76f041d747e5d9ace4b1ae91301cbfb97bad55e0da99c0285c49c100004333987d7054d068dfc51adbe29ccecf0e6721d94262e7c02faa9d59a

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.office32ww.msi.16.x-none.xml
            Filesize

            331KB

            MD5

            b5cf5d15a8e6c6f2eb99a5645a2c2336

            SHA1

            7efe1b634ce1253a6761eb0c54f79dd42b79325f

            SHA256

            f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c

            SHA512

            83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
            Filesize

            2.3MB

            MD5

            1e35fef8641aa1414e25d47a5037b616

            SHA1

            7daefa81b7bc3f6079eebfa63ca39f85053a1fed

            SHA256

            011e94a2345e4478ee9832e0c63c731f58f6cb42f823db0ec2c4cd74353477fd

            SHA512

            e4cbfc636a57e47c95497caa52ecb8b94c64efc05ab6bdcea06d54a267cbf4cdd20e33477ae80646844b267ca7537e52e6cf1b033e406ff826144508cf582bb3

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MasterDescriptor.x-none.xml
            Filesize

            27KB

            MD5

            82c3ab31834272e4118e925922249240

            SHA1

            a116ca5af39e39b7d4234c2c0cd6a91bff6727af

            SHA256

            25b87fbabbec1d49eae7cf47c3d659cb6c99eb82203e90eee6035b21b425b5ef

            SHA512

            4d3eaec898ef47e9b6039bcd481a06001263e7fcbc9303974423f90058a4d91494392427ca35dced5db642e8692580f24cb761b27a60e3288f15aefd8dbdb647

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftLync2010.xml
            Filesize

            3KB

            MD5

            701beb4f8c252fb3c9f5dbdc94648048

            SHA1

            556ba20475a502b68b7992454be6c64ab355b4ec

            SHA256

            620e27a3746773947ba7ceee99d2b55e4e3cfa32a9164a0185a8cb8b22a55b67

            SHA512

            28c76c3d5ebb75797d37965b13cb05f852e25cc3d2558c38b091b82e12b78f268d58f144a0fcac32b30d70e5897ed7c647d4e3584edd2625ba7cdf5c54826faf

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\tasks.xml
            Filesize

            10KB

            MD5

            c949974e2fc5c8909c2efafb92f7640d

            SHA1

            ec68489a4a4fa022e5b60901f7221d733365a9c9

            SHA256

            1131721b6f906cedebbcefe223725ae0f5c7ad0a96219eabaa49dc8d38cedf40

            SHA512

            8fc8e3cdcb66ec98962d0f888f0abe90e1a18db09144e00494dda9f56eaf7ed623e0ee13efd8a29fbf72c7094bbc9f489baf2d54e8170bb4b04d5363ec354362

            Download Submit
          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\user.bmp
            Filesize

            588KB

            MD5

            908fa2dfb385771ecf5f8b2b3e7bff16

            SHA1

            1255fa1edbd2dbbcab6d9eb9f74b7d6783697a58

            SHA256

            60ff5131dba68a8ffe7ba0475bf3e192b432e1969e5ac52d7f217f6935f4035d

            SHA512

            573c9fde441fb8debaa44b6fa2d3763c3dc4714497089b82bedc8ef0720eea4a907f75cffb1c0ec4a77ac89cfecbef8e6182a2a8fea5b51a2e91920ceaad5f69

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\F580.exe
            Filesize

            1.1MB

            MD5

            7e9ce657b646e0ecff706bf6680061f0

            SHA1

            8f576b573c55ba4b3a36b495e9ab0361270b0fd7

            SHA256

            f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9

            SHA512

            360890279533d6ad72f3640c31d7b7b69e5189ea65ca802e6855d6f874005838282b1caf0dde21ebcacc185d8db3229cf3c7fd4414a30660176ad4a6d352361d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\F580.exe
            Filesize

            1.1MB

            MD5

            7e9ce657b646e0ecff706bf6680061f0

            SHA1

            8f576b573c55ba4b3a36b495e9ab0361270b0fd7

            SHA256

            f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9

            SHA512

            360890279533d6ad72f3640c31d7b7b69e5189ea65ca802e6855d6f874005838282b1caf0dde21ebcacc185d8db3229cf3c7fd4414a30660176ad4a6d352361d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit
          • \??\c:\program files (x86)\windowspowershell\modules\comment.dll
            Filesize

            797KB

            MD5

            e0d1e0ebf1d0984357037aae57fa19fd

            SHA1

            0b866ea0b917481fde547bea710ff9a7522f9e08

            SHA256

            8c0fe5c4827e6e1c959e35c1e33b1bf86f276adbf21351d97cd820593bd4b487

            SHA512

            6467571037bcc76f041d747e5d9ace4b1ae91301cbfb97bad55e0da99c0285c49c100004333987d7054d068dfc51adbe29ccecf0e6721d94262e7c02faa9d59a

            Download Submit
          • memory/836-164-0x0000000003680000-0x0000000003DA5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/836-172-0x0000000003680000-0x0000000003DA5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/980-155-0x00000227AF930000-0x00000227AFA70000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/980-159-0x00000227ADF40000-0x00000227AE16A000-memory.dmp
            Filesize

            2.2MB

            Download
          • memory/980-158-0x0000000000CB0000-0x0000000000EC9000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/980-156-0x00000227AF930000-0x00000227AFA70000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/980-154-0x00007FF690596890-mapping.dmp
            Download
          • memory/1932-170-0x0000000000000000-mapping.dmp
            Download
          • memory/1932-174-0x0000000004A70000-0x0000000005195000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/1932-173-0x0000000004A70000-0x0000000005195000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4044-141-0x0000000000400000-0x0000000000540000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/4044-145-0x0000000000400000-0x0000000000540000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/4044-136-0x0000000000000000-mapping.dmp
            Download
          • memory/4044-139-0x0000000000818000-0x0000000000907000-memory.dmp
            Filesize

            956KB

            Download
          • memory/4044-140-0x0000000002330000-0x0000000002460000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/4752-133-0x00000000001F0000-0x00000000001F9000-memory.dmp
            Filesize

            36KB

            Download
          • memory/4752-134-0x0000000000400000-0x0000000000462000-memory.dmp
            Filesize

            392KB

            Download
          • memory/4752-135-0x0000000000400000-0x0000000000462000-memory.dmp
            Filesize

            392KB

            Download
          • memory/4752-132-0x00000000005A2000-0x00000000005B3000-memory.dmp
            Filesize

            68KB

            Download
          • memory/5056-147-0x0000000005370000-0x0000000005A95000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/5056-146-0x0000000005370000-0x0000000005A95000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/5056-153-0x0000000005C60000-0x0000000005DA0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/5056-148-0x0000000005C60000-0x0000000005DA0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/5056-142-0x0000000000000000-mapping.dmp
            Download
          • memory/5056-149-0x0000000005C60000-0x0000000005DA0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/5056-150-0x0000000005C60000-0x0000000005DA0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/5056-160-0x0000000005370000-0x0000000005A95000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/5056-151-0x0000000005C60000-0x0000000005DA0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/5056-152-0x0000000005C60000-0x0000000005DA0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/5056-157-0x0000000005CD9000-0x0000000005CDB000-memory.dmp
            Filesize

            8KB

            Download