Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    99s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31/12/2022, 22:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    13942eba94d3c13cedda849761d56f66b58961c379aa75dcff0f4eb89d21e514.exe

  • Size

    255KB

  • MD5

    bd3db429f581640d3eb1776b3ccb40df

  • SHA1

    2b4652ad817110ad673d8be392e42bd2f781ded8

  • SHA256

    13942eba94d3c13cedda849761d56f66b58961c379aa75dcff0f4eb89d21e514

  • SHA512

    ba3f978eb738fea15561b40d2ac55afbc4548bf0863ca5746dcb4f29a6a74e1c4322f8f8b8d816dd5086825a8caf484226ac087547be7521c93b54c6a33bb7c4

  • SSDEEP

    3072:a5wTPtgnLVJiilLR7Kzip1dKOGZk/97olmqW9IpnN27hZY:JgLaillK+RCZk/97vTIBoZY

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 7 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 44 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 20 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\13942eba94d3c13cedda849761d56f66b58961c379aa75dcff0f4eb89d21e514.exe
    "C:\Users\Admin\AppData\Local\Temp\13942eba94d3c13cedda849761d56f66b58961c379aa75dcff0f4eb89d21e514.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2656
  • C:\Users\Admin\AppData\Local\Temp\D49A.exe
    C:\Users\Admin\AppData\Local\Temp\D49A.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 996
      2⤵
      • Program crash
      PID:1228
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1008
      2⤵
      • Program crash
      PID:4036
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1084
      2⤵
      • Program crash
      PID:4192
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1124
      2⤵
      • Program crash
      PID:4232
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1104
      2⤵
      • Program crash
      PID:4248
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1192
      2⤵
      • Program crash
      PID:4260
    • C:\Users\Admin\AppData\Local\Temp\Iqpoqhfidqa.exe
      "C:\Users\Admin\AppData\Local\Temp\Iqpoqhfidqa.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4684
    • C:\Windows\syswow64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      PID:3000
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 1444
      2⤵
      • Program crash
      PID:3044

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\1c6aeebc-9b48-4879-9e95-53925e99bb5f\1253081315.pri
    Filesize

    3KB

    MD5

    68b2d64b878603ee02fcebb9899c38e1

    SHA1

    fb517f2c2a85e6dc1d78096e8f92dbd860bccb48

    SHA256

    ceb103d831d43292b43e7c04016f586f89f7b6ca382905c51399e6fe13e471c6

    SHA512

    0e6db2b4484db790fc8ebeeee1d073986e4971766927d2ff4f7bcb08ec66e30a16a80d03b6866748fbbc91a59b0f11afb241ee9bb3b4d8783222c83a3e16e6fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5bcfbbd5-3bcc-4247-8a89-bc35b397a17c\3950266016.pri
    Filesize

    3KB

    MD5

    2bf467eb5b9849766bbeaf369f660932

    SHA1

    379ecc09f68d991e26b042e05733249f24abf6f1

    SHA256

    d94477eb5e0e2211a80cceeaaa6e4ca2d3a2fa601399a3c3d305b91c79f729fb

    SHA512

    a61ee3201065c8e6a486d7e51273ff753364af636247cb7181fa92d0c21a60e76b5c7b46a21cd6e0c6b8de7b32f92738129983e7ccb7ac992cd1061b4aa33f98

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\D49A.exe
    Filesize

    6.7MB

    MD5

    b7b91e43de4b4eed1a8e57ecd93c45a3

    SHA1

    eeedab7d2f864dae66666e23a3684bb3b1014cca

    SHA256

    b896146165c8f4b760f91b8999b7a3e50c4da4a7fb1beb5e794955c2bf18517c

    SHA512

    d98401f531ac9c0cede432e22cd7e954da7eda2c71bce352dd40f640e9b8d80e511b60844f069b804b7d9014947a35165bd145a2313411e12bfd0b9644a3c343

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\D49A.exe
    Filesize

    6.7MB

    MD5

    b7b91e43de4b4eed1a8e57ecd93c45a3

    SHA1

    eeedab7d2f864dae66666e23a3684bb3b1014cca

    SHA256

    b896146165c8f4b760f91b8999b7a3e50c4da4a7fb1beb5e794955c2bf18517c

    SHA512

    d98401f531ac9c0cede432e22cd7e954da7eda2c71bce352dd40f640e9b8d80e511b60844f069b804b7d9014947a35165bd145a2313411e12bfd0b9644a3c343

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Iqpoqhfidqa.exe
    Filesize

    1.4MB

    MD5

    526b7ca434081a2cde3a52401145e6d1

    SHA1

    4a56c2f0a375fd61e8c735b8e01b82c5d937f23d

    SHA256

    57c3c745da3abd3efb910c157bad430f5dc74a3aab48334e4f8f1a93c68d7d67

    SHA512

    57b54dcdd7f99cde495e202e2e8f85278afdd6a4bd31c9593975d890942cecac0a482602ddf0e6f04dc4b37517414b65949a2c506c9c7f04197ec53845834f2d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Iqpoqhfidqa.exe
    Filesize

    1.4MB

    MD5

    526b7ca434081a2cde3a52401145e6d1

    SHA1

    4a56c2f0a375fd61e8c735b8e01b82c5d937f23d

    SHA256

    57c3c745da3abd3efb910c157bad430f5dc74a3aab48334e4f8f1a93c68d7d67

    SHA512

    57b54dcdd7f99cde495e202e2e8f85278afdd6a4bd31c9593975d890942cecac0a482602ddf0e6f04dc4b37517414b65949a2c506c9c7f04197ec53845834f2d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Iqpoqhfidqa.tmp
    Filesize

    3.5MB

    MD5

    e46489e6f67972c624a8ef215d26db53

    SHA1

    304fdfc6918d97480f65c80891baeb63e55ee3e0

    SHA256

    c34565954052e885c9978fc2b50cf32cc98a67ba9851689101ed5bfffa9bdce4

    SHA512

    6c65ad50bde38b2d6b5880f998e67ac431daa783be6baf925a84f1bb439b04806d1a612f4537363940325bb2aa6d1e692379215a63d1e80ac997fc1a9eb47ac1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
    Filesize

    25KB

    MD5

    5b23c3c0737a95edb85275ec17c2923b

    SHA1

    c0ce1821e48a1cc74c7470a74e3cd37f19a4b65f

    SHA256

    c25b7fbfc7f07cf3e1effa0e3d6471690900cf5125e78221f4a3c83c8455151e

    SHA512

    dd2b15441a4e3de3c86957b1f7c3061778985681e1f9ab80c6f04d0f1456d337fda7c30e6fca8b82fc26f8bfc9014cee17ccf0e1c60b319dab5eb24a61c832f0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
    Filesize

    1KB

    MD5

    c9890816476283f7abd8cd6a6f8925da

    SHA1

    c64f783fe4b77871917a398a6cda64f72e29caf2

    SHA256

    784f75a13d595f338fcd00f299c5e49d3c29b1820d396267be66aa920feb2317

    SHA512

    47da4f52ba86cb288bf3bc4bf5f58dd0791ebf5beb968e771e9da1443631761f15b2b74f2cbe23768dce293d5092ff41276e5a7bb8e68526a648242b2b9a7eed

    Download Submit

  • memory/2072-207-0x0000000000400000-0x0000000000CD0000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2072-177-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-166-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-420-0x0000000004A00000-0x0000000005552000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/2072-371-0x0000000000400000-0x0000000000CD0000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2072-164-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-364-0x0000000003220000-0x0000000003AE3000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2072-362-0x0000000002BA0000-0x000000000321A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2072-277-0x0000000004A00000-0x0000000005552000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/2072-202-0x0000000000400000-0x0000000000CD0000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2072-194-0x0000000003220000-0x0000000003AE3000-memory.dmp

    Filesize

    8.8MB

    Download

  • memory/2072-191-0x0000000002BA0000-0x000000000321A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2072-187-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-185-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-186-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-184-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-183-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-182-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-181-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-169-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-179-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-167-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-176-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-175-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-174-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-173-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-172-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-171-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-168-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-160-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-155-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-156-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-158-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-157-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-159-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-170-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-161-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-163-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-180-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2072-165-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2420-369-0x0000000007FAD000-0x0000000007FAF000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2420-423-0x0000000007FAD000-0x0000000007FAF000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2656-147-0x00000000006D0000-0x00000000006D9000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2656-122-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-123-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-124-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-151-0x00000000007AA000-0x00000000007BA000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2656-150-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-149-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-148-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2656-125-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-146-0x00000000007AA000-0x00000000007BA000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2656-143-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-145-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-144-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-141-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-142-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-140-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-139-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-138-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-137-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-136-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-135-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-134-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-133-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-115-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-126-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-152-0x0000000000400000-0x000000000045D000-memory.dmp

    Filesize

    372KB

    Download

  • memory/2656-121-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-127-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-132-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-116-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-117-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-118-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-131-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-130-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-119-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-120-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-129-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2656-128-0x0000000076EA0000-0x000000007702E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3000-368-0x0000000004B20000-0x0000000005672000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/3000-337-0x0000000002600000-0x0000000003032000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3000-418-0x0000000002600000-0x0000000003032000-memory.dmp

    Filesize

    10.2MB

    Download

  • memory/3000-419-0x0000000004B20000-0x0000000005672000-memory.dmp

    Filesize

    11.3MB

    Download

  • memory/4684-366-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4684-330-0x00000000024B0000-0x0000000002605000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4684-328-0x00000000022F0000-0x0000000002436000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4684-421-0x00000000024B0000-0x0000000002605000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4684-422-0x00000000022F0000-0x0000000002436000-memory.dmp

    Filesize

    1.3MB

    Download