Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    22-12-2022 08:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    da0419198761d8b8ea3bf722ceef96cf3b27ffc4467a915c3ee3c58cdc809547.exe

  • Size

    331KB

  • MD5

    3ef1b6606a77395968be5eee4a8b7d6e

  • SHA1

    89a1d29d6563a3df44c80106d9e4a2aad9819f12

  • SHA256

    da0419198761d8b8ea3bf722ceef96cf3b27ffc4467a915c3ee3c58cdc809547

  • SHA512

    5b1fd819831cfc3d756a346b5a345cadbe37400bd61449bab9399f835376fd546ebd6882ab97e610d239d000103225c302772b1120162ab8a2f287c90c113a5d

  • SSDEEP

    6144:xiX6LiIV2VboRHbL/5gU0WOnPAP9QwX61hJFIJfVAVrwU+:MqeI0bm7L/6Ul6AP9F6PHgtyQ

Score
10/10
smokeloaderbackdoorcollectiondiscoveryspywarestealertrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 36 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da0419198761d8b8ea3bf722ceef96cf3b27ffc4467a915c3ee3c58cdc809547.exe
    "C:\Users\Admin\AppData\Local\Temp\da0419198761d8b8ea3bf722ceef96cf3b27ffc4467a915c3ee3c58cdc809547.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4364
  • C:\Users\Admin\AppData\Local\Temp\CFE7.exe
    C:\Users\Admin\AppData\Local\Temp\CFE7.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Quspupodwqfhie.tmp",Ritwuoaoyiy
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1320
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 18913
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3580
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        3⤵
          PID:664
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
          3⤵
            PID:4804
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:240

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\CFE7.exe
          Filesize

          1.2MB

          MD5

          f05a33ad1c445cb6dc8c5e68e262b120

          SHA1

          bafcffe008fe9e9be8b75c7a9c8ea85d90a70acf

          SHA256

          7f81d0e754b149b7dc5775e21712548b6e2cb1539f28c6a95eaaee03d22b3685

          SHA512

          cb97a4a5e7649b9b646909ff8daa7fe8b8e73dc6ec38075ea94b77ac66ee3d267363573547e8114871f92537333a0fec8be81e0d005c0e91ee9b8b98e8a87d9a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\CFE7.exe
          Filesize

          1.2MB

          MD5

          f05a33ad1c445cb6dc8c5e68e262b120

          SHA1

          bafcffe008fe9e9be8b75c7a9c8ea85d90a70acf

          SHA256

          7f81d0e754b149b7dc5775e21712548b6e2cb1539f28c6a95eaaee03d22b3685

          SHA512

          cb97a4a5e7649b9b646909ff8daa7fe8b8e73dc6ec38075ea94b77ac66ee3d267363573547e8114871f92537333a0fec8be81e0d005c0e91ee9b8b98e8a87d9a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Quspupodwqfhie.tmp
          Filesize

          814KB

          MD5

          f93876956e6e2f754c8be97ac269729d

          SHA1

          bf0eb05f31b4177e5e2fdeb203698d5018c8ee12

          SHA256

          226eac6b8ce415bf0900050818f8212129fc51d14dab026e7b8600aa89d65c8a

          SHA512

          c3c53aca227ac035ac838002c8f68b2d449ac983a85780356eb8ef7791171fdb2133cf7f8b694cd4e62b6239b5b8ca21013c483c797153dcd57ea845d4b458cb

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Quspupodwqfhie.tmp
          Filesize

          814KB

          MD5

          f93876956e6e2f754c8be97ac269729d

          SHA1

          bf0eb05f31b4177e5e2fdeb203698d5018c8ee12

          SHA256

          226eac6b8ce415bf0900050818f8212129fc51d14dab026e7b8600aa89d65c8a

          SHA512

          c3c53aca227ac035ac838002c8f68b2d449ac983a85780356eb8ef7791171fdb2133cf7f8b694cd4e62b6239b5b8ca21013c483c797153dcd57ea845d4b458cb

          Download Submit

        • memory/1320-384-0x0000000006EB0000-0x0000000007A07000-memory.dmp

          Filesize

          11.3MB

          Download

        • memory/1320-303-0x0000000006EB0000-0x0000000007A07000-memory.dmp

          Filesize

          11.3MB

          Download

        • memory/1972-180-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-183-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-205-0x0000000000400000-0x0000000000531000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1972-187-0x00000000022A0000-0x00000000023CF000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1972-189-0x0000000000400000-0x0000000000531000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1972-191-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-190-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-188-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-185-0x00000000021A0000-0x000000000229A000-memory.dmp

          Filesize

          1000KB

          Download

        • memory/1972-186-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-182-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-181-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-177-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-178-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-175-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-176-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-174-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-173-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-171-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-172-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-170-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-169-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-168-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-167-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-166-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-165-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-158-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-184-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-161-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-164-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-160-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-156-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-157-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-162-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1972-159-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3580-337-0x0000022D28490000-0x0000022D2873E000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/3580-336-0x0000000000110000-0x00000000003AD000-memory.dmp

          Filesize

          2.6MB

          Download

        • memory/4364-153-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4364-151-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-148-0x0000000000540000-0x0000000000549000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4364-149-0x0000000000400000-0x0000000000459000-memory.dmp

          Filesize

          356KB

          Download

        • memory/4364-146-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-147-0x000000000072A000-0x000000000073F000-memory.dmp

          Filesize

          84KB

          Download

        • memory/4364-141-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-143-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-144-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-145-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-142-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-135-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-139-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-133-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-137-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-136-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-117-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-124-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-116-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-150-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-138-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-132-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-131-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-130-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-129-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-128-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-127-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-123-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-122-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-126-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-121-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-120-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-119-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-125-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-134-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-152-0x000000000072A000-0x000000000073F000-memory.dmp

          Filesize

          84KB

          Download

        • memory/4364-118-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4364-140-0x0000000077DA0000-0x0000000077F2E000-memory.dmp

          Filesize

          1.6MB

          Download