Analysis

  • max time kernel
    90s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-12-2022 12:12

General

  • Target

    Ref_Sept24-2020.exe

  • Size

    734KB

  • MD5

    d594e8a2098a81c9bfa24f3c17c992e6

  • SHA1

    b9c820973407c7b4bef5b9ce98b7af62cafa397d

  • SHA256

    fad001d463e892e7844040cabdcfa8f8431c07e7ef1ffd76ffbd190f49d7693d

  • SHA512

    50049d1ded3f8cfcb6aa839c0341e91bb39b46dbd5376533f2725ce27e6ae5059d3f5af71100dd025b03b7a3cf90bfa920a93818ac1bafb30c65460514c4fd47

  • SSDEEP

    12288:EY20AljdZgBPfKfi1leppjfQxAogJfqsUsz0cX0rLfGLEXTMd8MQ5B5rxVCz:Z20gPgFKLfQxAVBbIcXQGL+MWMwTrxMz

Malware Config

Extracted

Family

dridex

Botnet

10555

C2

151.236.219.181:443

142.4.6.57:14043

162.144.127.197:3786

103.40.116.68:5443

rc4.plain

Signatures

  • Dridex

    Dridex (also known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ref_Sept24-2020.exe
    "C:\Users\Admin\AppData\Local\Temp\Ref_Sept24-2020.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:848
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\XIU\configurate\selector.vbs" /f=CREATE_NO_WINDOW install.cmd
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1204
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\dsep.bat" "
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1732
        • C:\Windows\SysWOW64\timeout.exe
          timeout 3
          4⤵
          • Delays execution with timeout.exe
          PID:2428
        • C:\XIU\configurate\PLS.exe
          "PLS.exe" e -pVersion hl.rar
          4⤵
          • Executes dropped EXE
          PID:2136
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:1264
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\XIU\configurate\fatless.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:400
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\XIU\configurate\lll.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2296
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h "C:\XIU"
              6⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:3296
            • C:\Windows\SysWOW64\timeout.exe
              timeout 2
              6⤵
              • Delays execution with timeout.exe
              PID:4348
            • C:\Windows\SysWOW64\regsvr32.exe
              regsvr32 -s CONFIG.dll
              6⤵
              • Loads dropped DLL
              PID:3272
        • C:\Windows\SysWOW64\timeout.exe
          timeout 4
          4⤵
          • Delays execution with timeout.exe
          PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Hidden Files and Directories (T1158), 2
  • Defense Evasion: Hidden Files and Directories (T1158), 2
  • Discovery: Query Registry (T1012), 1
  • Discovery: System Information Discovery (T1082), 2


Downloads

  • C:\XIU\configurate\CONFIG.dll
    Filesize

    324KB

    MD5

    031f318c8ab815cda0d447904a925cf7

    SHA1

    2bbca22cb0355f1ad4acedd9dd69ebaaeddf6b9e

    SHA256

    9492c6842475059a6af7f4b8c42e03944f08938243fa393713a5a6a930d79bcd

    SHA512

    519a54859e82861cf3f73b3a6ac400b57bd560a53867b8396aa8c286a5ee4e675c75c3f80ddc0cb4e0ef80300ada6b4e985bd4bb73bdc8d1c56a673240a83c4d

  • C:\XIU\configurate\PLS.exe
    Filesize

    551KB

    MD5

    061f64173293969577916832be29b90d

    SHA1

    b05b80385de20463a80b6c9c39bd1d53123aab9b

    SHA256

    34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce

    SHA512

    66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

  • C:\XIU\configurate\SLP.txt
    Filesize

    212KB

    MD5

    24fdf4791a3efa0178e677b0e03c12b1

    SHA1

    f5f45b8c35cf303eff77aa1fbe02e9bd4318c7d7

    SHA256

    6740389c8266848199851648c4228df7401dd30c8dec89ab7827f1bec7ab522b

    SHA512

    f9b71717cdd61a9539dd93267f4d039e0de7dd8933b9f63679466a881884b06ccdc666d27bb6b9909127101a63879b33a1165a83fff9d6ce3009ed5e7b97b6da

  • C:\XIU\configurate\dsep.bat
    Filesize

    569B

    MD5

    9318a04c2d4d80719382a7e73c28736b

    SHA1

    ddb5096d2841b575a941ecaf79fee8e2365563ae

    SHA256

    db74d354ad34fa9a0dafd9b846574855b480590ebf06879d87844060cf50ff4b

    SHA512

    0dd33ebf730e77a1d55996b14a560f1584e17e55e5a6efdedd3bce2ecdd0e7f892c9ae2b4bef8ee68a723ef9d02717e9f9fb3939f1b95cacaeacd29b28e70717

  • C:\XIU\configurate\fatless.vbs
    Filesize

    99B

    MD5

    75214af723ca4720e0aa365eb3ef6f5b

    SHA1

    a6b73a92246cd3b857e32e2a8a26ee8fc52fdcb4

    SHA256

    06d4a788d4c91c141b933199826ac3b4df8d6027f818fc2b198043773ea132e4

    SHA512

    91b7752a63e694641f17187cdb8e1a7876eda195f3070d6fee210b6210e2897833bc08b770db6e82cfec7a99e3fae5c01588872eb2aa60dccdc4064363f54c58

  • C:\XIU\configurate\lll.bat
    Filesize

    692B

    MD5

    70c1b14895a29502d3e94e395606f82d

    SHA1

    a02fff1f3a0c1c8ff5453a5de715cbe5ba227185

    SHA256

    b449d3d5b476b1a53bbe6b5d6fef93e89d8456450e84b1c349237c6a8df3b65d

    SHA512

    8f9a8975124738b7a5ad1e0d92549f45a06c6efa8fac7d3c07ce16399a6aeed5644c14bf56cec56c83a293835cfb994a99d3e75dc5e9ea7f41e9e354760f742c

  • C:\XIU\configurate\selector.vbs
    Filesize

    82B

    MD5

    9cce3084f1850c3be989cc47fab4ee71

    SHA1

    e490f01a46f85c155c2848affda6d2c7b0791c8b

    SHA256

    332462b21eed1bcbd9c198851e28b789893628410e7268ddc022a40e2f7f94c1

    SHA512

    30cc59e8e1a5b20a1c59bb437dc96cf65f7bbfa798617a77a613ae89012be78bda38c51278411ba511a7058eaca728e160a0d6d29f5defaeafa4dc7f64458f88

  • memory/400-142-0x0000000000000000-mapping.dmp
  • memory/1204-132-0x0000000000000000-mapping.dmp
  • memory/1264-140-0x0000000000000000-mapping.dmp
  • memory/1732-135-0x0000000000000000-mapping.dmp
  • memory/2136-138-0x0000000000000000-mapping.dmp
  • memory/2296-145-0x0000000000000000-mapping.dmp
  • memory/2428-136-0x0000000000000000-mapping.dmp
  • memory/3272-148-0x0000000000000000-mapping.dmp
  • memory/3272-151-0x0000000073B50000-0x0000000073BA1000-memory.dmp
    Filesize

    324KB

  • memory/3272-154-0x0000000000D00000-0x0000000000D06000-memory.dmp
    Filesize

    24KB

  • memory/3296-146-0x0000000000000000-mapping.dmp
  • memory/4308-143-0x0000000000000000-mapping.dmp
  • memory/4348-147-0x0000000000000000-mapping.dmp