Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/01/2023, 19:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc4df2381fc98d6f1aef8e6ba30bbdc5330d6a73348cad9db2c4943f1555d0a8.exe

  • Size

    278KB

  • MD5

    3a83057b6c2b478b3f5f5b73f82c124e

  • SHA1

    409bbaeb746688839bc8ea75bac5d5ae50e29816

  • SHA256

    bc4df2381fc98d6f1aef8e6ba30bbdc5330d6a73348cad9db2c4943f1555d0a8

  • SHA512

    d1cc4deb3b3592c2882385e55a34c25bb18cc9e5c65361c08dabf5b6a99787ca9eb7cbc2e5bd968b77776026a92ece63929221e30fa0e5034b56172f547af026

  • SSDEEP

    3072:mXEZFhmzRK4p7LdmTHNSJsNo5scoSj35dftR8WjYYVu9PDhism2m4FwCpjKpEAH7:OTzRZLyHNEsNx+DR8W0XPDHmnEmQLr

Score
10/10
smokeloaderbackdoorspywarestealertrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc4df2381fc98d6f1aef8e6ba30bbdc5330d6a73348cad9db2c4943f1555d0a8.exe
    "C:\Users\Admin\AppData\Local\Temp\bc4df2381fc98d6f1aef8e6ba30bbdc5330d6a73348cad9db2c4943f1555d0a8.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4620
  • C:\Users\Admin\AppData\Local\Temp\1F01.exe
    C:\Users\Admin\AppData\Local\Temp\1F01.exe
    1⤵
    • Executes dropped EXE
    PID:4892
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 1324
      2⤵
      • Program crash
      PID:3056
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4892 -ip 4892
    1⤵
      PID:2068

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\1F01.exe
      Filesize

      316KB

      MD5

      742cb9ac8ac7e816fd90431c5ae2cf60

      SHA1

      61d7a09b04881118ea328882d7e997f540916968

      SHA256

      ca0ef095e3579fa1c41964305d153824664a7bf0825bec11141fc0d388631d48

      SHA512

      f859734038ab2decab5f2317bbf156b89069b2e7848cd35b79b0da3b1506f1305f9baf83a4cd06d265eb3c2a0abc47f927d27a124214971d69872e9a76daae90

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\1F01.exe
      Filesize

      316KB

      MD5

      742cb9ac8ac7e816fd90431c5ae2cf60

      SHA1

      61d7a09b04881118ea328882d7e997f540916968

      SHA256

      ca0ef095e3579fa1c41964305d153824664a7bf0825bec11141fc0d388631d48

      SHA512

      f859734038ab2decab5f2317bbf156b89069b2e7848cd35b79b0da3b1506f1305f9baf83a4cd06d265eb3c2a0abc47f927d27a124214971d69872e9a76daae90

      Download Submit

    • memory/4620-132-0x0000000002E0D000-0x0000000002E1D000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4620-133-0x0000000002D30000-0x0000000002D39000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4620-134-0x0000000000400000-0x0000000002BAD000-memory.dmp

      Filesize

      39.7MB

      Download

    • memory/4620-135-0x0000000000400000-0x0000000002BAD000-memory.dmp

      Filesize

      39.7MB

      Download

    • memory/4892-139-0x0000000002F2D000-0x0000000002F47000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4892-140-0x0000000002D10000-0x0000000002D3A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4892-141-0x0000000000400000-0x0000000002BB6000-memory.dmp

      Filesize

      39.7MB

      Download

    • memory/4892-142-0x0000000000400000-0x0000000002BB6000-memory.dmp

      Filesize

      39.7MB

      Download