Overview

overview

10

Static

static

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    09/01/2023, 20:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a255965b5cd3193944c90a3e1c574ec568d049f569972520773ca9bb597d0105.exe

  • Size

    327KB

  • MD5

    dd2184835ef5a02a58d037a393c270ce

  • SHA1

    4f172d237ac68b6e3af972e43066d0b3f0cb7806

  • SHA256

    a255965b5cd3193944c90a3e1c574ec568d049f569972520773ca9bb597d0105

  • SHA512

    b49a2568d9a19e4b13a0c128d591b7e415b98c9fb5c5a9b6a360673ed7c9d896172ae9962f51a5aac8c326e5b5c08a9b8ada9cc74f8578963a11900e678a73bb

  • SSDEEP

    3072:GXOdT7bRKVEMSH5sI55ihIyTAZMgUB/b5mAwUq/HldnywF7zkuWdjJrht1Lw8dVR:umbRK6H5VMgUXhzaH/b+THh7mf/o

Score
10/10
smokeloaderbackdoorcollectiondiscoveryspywarestealertrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
    collection
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 36 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a255965b5cd3193944c90a3e1c574ec568d049f569972520773ca9bb597d0105.exe
    "C:\Users\Admin\AppData\Local\Temp\a255965b5cd3193944c90a3e1c574ec568d049f569972520773ca9bb597d0105.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4700
  • C:\Users\Admin\AppData\Local\Temp\9422.exe
    C:\Users\Admin\AppData\Local\Temp\9422.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1636
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp",Fwpthq
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Accesses Microsoft Outlook accounts
      • Accesses Microsoft Outlook profiles
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:3528
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 22797
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:5060
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        3⤵
          PID:1048
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
          3⤵
            PID:1164
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:4628

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\9422.exe
          Filesize

          1.1MB

          MD5

          879d159f1cc7f0d379cafcfa7d471745

          SHA1

          c12647177e0b56448c882b1f5874e2f6e1a93119

          SHA256

          9e74c4fbe370f9737c9a8d5b6d946fa02fd66a497a1d9a05bdb1333f3f92f99a

          SHA512

          26de25030bdbd11ab11c5f3038de535f191c772ecc0e753c27d6e052088b5f1c510f48414bb1fc50fd3ebdda5dfaf24b4795057243539e970e504090d5e569de

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\9422.exe
          Filesize

          1.1MB

          MD5

          879d159f1cc7f0d379cafcfa7d471745

          SHA1

          c12647177e0b56448c882b1f5874e2f6e1a93119

          SHA256

          9e74c4fbe370f9737c9a8d5b6d946fa02fd66a497a1d9a05bdb1333f3f92f99a

          SHA512

          26de25030bdbd11ab11c5f3038de535f191c772ecc0e753c27d6e052088b5f1c510f48414bb1fc50fd3ebdda5dfaf24b4795057243539e970e504090d5e569de

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Ryfererfh.tmp
          Filesize

          817KB

          MD5

          0a6c58fc386c9a4d7d43b809447f3eac

          SHA1

          b07d0ae1180e21bf79b3b720d9e03e2b7982972d

          SHA256

          d71c0aaec63294fb11af30ff408e94b5fff656149da01e3f7a97e3026580d5c2

          SHA512

          e2d08ae110f30257daa9341d1e3c91d6c50f6b32107d1e1ca0badcce872d09ac3d3a3998f26b1f93c3b1937317ce5ea240652d1b784c5a4d2e30273c19a9b6ad

          Download Submit

        • \Users\Admin\AppData\Local\Temp\Ryfererfh.tmp
          Filesize

          817KB

          MD5

          0a6c58fc386c9a4d7d43b809447f3eac

          SHA1

          b07d0ae1180e21bf79b3b720d9e03e2b7982972d

          SHA256

          d71c0aaec63294fb11af30ff408e94b5fff656149da01e3f7a97e3026580d5c2

          SHA512

          e2d08ae110f30257daa9341d1e3c91d6c50f6b32107d1e1ca0badcce872d09ac3d3a3998f26b1f93c3b1937317ce5ea240652d1b784c5a4d2e30273c19a9b6ad

          Download Submit

        • memory/1636-179-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-177-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-158-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-157-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-206-0x0000000000400000-0x000000000052F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1636-156-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-189-0x0000000002430000-0x000000000255C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1636-191-0x0000000000400000-0x000000000052F000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1636-188-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-186-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-187-0x0000000002260000-0x0000000002359000-memory.dmp

          Filesize

          996KB

          Download

        • memory/1636-185-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-184-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-183-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-182-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-171-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-159-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-180-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-178-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-162-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-176-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-175-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-174-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-173-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-160-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-172-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-168-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-170-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-169-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-167-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-166-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-165-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-164-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/1636-161-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3528-304-0x0000000007480000-0x0000000007FDA000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/3528-321-0x0000000007480000-0x0000000007FDA000-memory.dmp

          Filesize

          11.4MB

          Download

        • memory/4700-141-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-136-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-146-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-121-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-120-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-153-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/4700-152-0x00000000007BB000-0x00000000007D1000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4700-151-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-150-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-145-0x00000000007BB000-0x00000000007D1000-memory.dmp

          Filesize

          88KB

          Download

        • memory/4700-148-0x00000000005C0000-0x00000000005C9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/4700-149-0x0000000000400000-0x0000000000457000-memory.dmp

          Filesize

          348KB

          Download

        • memory/4700-147-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-144-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-143-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-142-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-122-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-140-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-139-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-115-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-137-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-138-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-135-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-134-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-133-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-132-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-131-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-130-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-129-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-128-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-127-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-126-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-124-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-119-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-118-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-125-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-116-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-117-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/4700-123-0x0000000077D30000-0x0000000077EBE000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/5060-319-0x00000183038B0000-0x0000018303B5A000-memory.dmp

          Filesize

          2.7MB

          Download

        • memory/5060-318-0x00000000003C0000-0x0000000000659000-memory.dmp

          Filesize

          2.6MB

          Download