Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/01/2023, 20:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f9566c89ded8993162f78d5e1d3cca6f70c3e94cb9084251c74306f60ef2cabf.exe

  • Size

    206KB

  • MD5

    e5ca5c56f7b98c83b06c55aec38961d9

  • SHA1

    ff8d1cc0be6b2fa24c08fa22db96589a62a64a9b

  • SHA256

    f9566c89ded8993162f78d5e1d3cca6f70c3e94cb9084251c74306f60ef2cabf

  • SHA512

    17ac3cfdfa2693cf12335385496ef4b7abddd557c2b620cb19eeeae8bff2e87e9b3a5de50a2b445986977c4b149c06bcd4ca379eeb99af90e4beaf8ce766b194

  • SSDEEP

    3072:6XqXQobWkXZb1oz5VqffEuPd3EGgE2Yd/IdgBpIr9pxrW8Papb:av2xXwbmlKhgvIr0Dp

Score
10/10
lummasmokeloaderbackdoorspywarestealertrojan

Malware Config

Extracted

Family

lumma

C2

77.73.134.68

Signatures

  • Detects Smokeloader packer 1 IoCs
  • Lumma Stealer

    An infostealer written in C++ first seen in August 2022.

    stealerlumma
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f9566c89ded8993162f78d5e1d3cca6f70c3e94cb9084251c74306f60ef2cabf.exe
    "C:\Users\Admin\AppData\Local\Temp\f9566c89ded8993162f78d5e1d3cca6f70c3e94cb9084251c74306f60ef2cabf.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1948
  • C:\Users\Admin\AppData\Local\Temp\21FA.exe
    C:\Users\Admin\AppData\Local\Temp\21FA.exe
    1⤵
    • Executes dropped EXE
    PID:112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 1348
      2⤵
      • Program crash
      PID:4532
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 112 -ip 112
    1⤵
      PID:4356

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\21FA.exe
            Filesize

            245KB

            MD5

            e18f1fd1040b9d95ad88b298b3539d8a

            SHA1

            e93f54c3579da8c9dc119a50728c4ccdf768eae2

            SHA256

            9cd87a8050aadd59dedeedfe415a27d0a9f21508e552b21724872ce64d924242

            SHA512

            d1505e6b25a2638ec65ffd1fbf52a7b492f90a1ea14836c62d6181515b95cd3c0687ef821e84094d6549fa4f536809807ba89d5644d3922ce761b1267e175bcc

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\21FA.exe
            Filesize

            245KB

            MD5

            e18f1fd1040b9d95ad88b298b3539d8a

            SHA1

            e93f54c3579da8c9dc119a50728c4ccdf768eae2

            SHA256

            9cd87a8050aadd59dedeedfe415a27d0a9f21508e552b21724872ce64d924242

            SHA512

            d1505e6b25a2638ec65ffd1fbf52a7b492f90a1ea14836c62d6181515b95cd3c0687ef821e84094d6549fa4f536809807ba89d5644d3922ce761b1267e175bcc

            Download Submit

          • memory/112-140-0x0000000002C90000-0x0000000002D90000-memory.dmp

            Filesize

            1024KB

            Download

          • memory/112-141-0x00000000047A0000-0x00000000047CA000-memory.dmp

            Filesize

            168KB

            Download

          • memory/112-142-0x0000000000400000-0x0000000002BA5000-memory.dmp

            Filesize

            39.6MB

            Download

          • memory/112-143-0x0000000000400000-0x0000000002BA5000-memory.dmp

            Filesize

            39.6MB

            Download

          • memory/1948-132-0x0000000002D6D000-0x0000000002D7D000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1948-133-0x0000000002D40000-0x0000000002D49000-memory.dmp

            Filesize

            36KB

            Download

          • memory/1948-134-0x0000000000400000-0x0000000002B9C000-memory.dmp

            Filesize

            39.6MB

            Download

          • memory/1948-135-0x0000000000400000-0x0000000002B9C000-memory.dmp

            Filesize

            39.6MB

            Download