Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/02/2023, 14:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e2145cb74caf435887344832b31954afd855e60d07cfa5fe2a0bcc4a32b8c363.exe

  • Size

    192KB

  • MD5

    9256d4a73e6f2a37e0713aaf3dfcb88d

  • SHA1

    5e60d3ca6d38e008b18cc6ba08014eb0344356ef

  • SHA256

    e2145cb74caf435887344832b31954afd855e60d07cfa5fe2a0bcc4a32b8c363

  • SHA512

    36ce00d436146223ed76dfc79819fda18fc1be6351e224d3ba1ec75d33d7b97284b0cf00bfcf1842a7d3fcc066f52af266ed9e48d1ee70ad0b0f869e56c9ccf5

  • SSDEEP

    3072:ze7XMAD7vr36JVfKrZLH3R48RWH9R5ZxJPpEtTkJQIXJNNnvq6b5:zej6JlQLXRFRYJsBIXJNFR5

Score
10/10
smokeloaderbackdoorpersistencetrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2145cb74caf435887344832b31954afd855e60d07cfa5fe2a0bcc4a32b8c363.exe
    "C:\Users\Admin\AppData\Local\Temp\e2145cb74caf435887344832b31954afd855e60d07cfa5fe2a0bcc4a32b8c363.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1212
  • C:\Users\Admin\AppData\Local\Temp\E17B.exe
    C:\Users\Admin\AppData\Local\Temp\E17B.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Aupsoyqaypedu.dll,start
      2⤵
      • Loads dropped DLL
      PID:3512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 484
      2⤵
      • Program crash
      PID:4480
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2528 -ip 2528
    1⤵
      PID:996
    • C:\Users\Admin\AppData\Local\Temp\538F.exe
      C:\Users\Admin\AppData\Local\Temp\538F.exe
      1⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3044
      • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        2⤵
        • Executes dropped EXE
        PID:944

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\538F.exe
            Filesize

            1.8MB

            MD5

            331a5ef73860d94dd69ee35210d4fc61

            SHA1

            6342d7782beadcb5fee319dda180fa0f69d35eb9

            SHA256

            f1b4ce96834fc41a883c240f2b3197b399bf14e84fddddfae213ac5af49bc28e

            SHA512

            4ccfe942f2165543105bf6ca240e2d50290c628b274145cc2a089b31e931dff191280b955979e59afc54c6a319b90fddf18959a7c50db1b612bc669d3c197675

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\538F.exe
            Filesize

            1.8MB

            MD5

            331a5ef73860d94dd69ee35210d4fc61

            SHA1

            6342d7782beadcb5fee319dda180fa0f69d35eb9

            SHA256

            f1b4ce96834fc41a883c240f2b3197b399bf14e84fddddfae213ac5af49bc28e

            SHA512

            4ccfe942f2165543105bf6ca240e2d50290c628b274145cc2a089b31e931dff191280b955979e59afc54c6a319b90fddf18959a7c50db1b612bc669d3c197675

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Aupsoyqaypedu.dll
            Filesize

            4.3MB

            MD5

            9aadd9003b18235e0240cfb0127d1fbe

            SHA1

            5f98607d16409a3ea2b231e944c1350cd4a1c916

            SHA256

            dfaf812aef1bedbdd10047d482783688a667382d7c2692da8d032a5d97c55ce2

            SHA512

            a4b20fe1dc7eae6184a8da61521cbfc20ac5bf47f60479ea9895609537e0e76114738f060062f870fc70ac992227e5280039fc5cbb9928f1854745fecd634e3f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Aupsoyqaypedu.dll
            Filesize

            4.3MB

            MD5

            9aadd9003b18235e0240cfb0127d1fbe

            SHA1

            5f98607d16409a3ea2b231e944c1350cd4a1c916

            SHA256

            dfaf812aef1bedbdd10047d482783688a667382d7c2692da8d032a5d97c55ce2

            SHA512

            a4b20fe1dc7eae6184a8da61521cbfc20ac5bf47f60479ea9895609537e0e76114738f060062f870fc70ac992227e5280039fc5cbb9928f1854745fecd634e3f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Aupsoyqaypedu.dll
            Filesize

            4.3MB

            MD5

            9aadd9003b18235e0240cfb0127d1fbe

            SHA1

            5f98607d16409a3ea2b231e944c1350cd4a1c916

            SHA256

            dfaf812aef1bedbdd10047d482783688a667382d7c2692da8d032a5d97c55ce2

            SHA512

            a4b20fe1dc7eae6184a8da61521cbfc20ac5bf47f60479ea9895609537e0e76114738f060062f870fc70ac992227e5280039fc5cbb9928f1854745fecd634e3f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\E17B.exe
            Filesize

            3.6MB

            MD5

            623b0aa79d1a8121f21e2fd5d4a4f2ff

            SHA1

            a1ad370bf954b27178fb685774ea5a00faf50dd7

            SHA256

            bbe0ef5e3c8395e0408887b03a82bc3c45be04e6fa3e5bb1dc5aa970119a7791

            SHA512

            f010ca39e0f72d74a3d53033d550967822be5dafad860933b529340d559c31eead5ebcc71abf4453e184385faaa83817aed4074e1b5f575aeed0c6cc20ce332e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\E17B.exe
            Filesize

            3.6MB

            MD5

            623b0aa79d1a8121f21e2fd5d4a4f2ff

            SHA1

            a1ad370bf954b27178fb685774ea5a00faf50dd7

            SHA256

            bbe0ef5e3c8395e0408887b03a82bc3c45be04e6fa3e5bb1dc5aa970119a7791

            SHA512

            f010ca39e0f72d74a3d53033d550967822be5dafad860933b529340d559c31eead5ebcc71abf4453e184385faaa83817aed4074e1b5f575aeed0c6cc20ce332e

            Download Submit

          • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
            Filesize

            611.3MB

            MD5

            1f0bc21fcf031b4c40c124aa67b9295b

            SHA1

            d297ac875e2c8319e1fb7f0f0356eadd91b8e8ef

            SHA256

            2afbf5a97f1e33538c5a309371f30f3bc210ef5630df76faf6ff0bcf1808537b

            SHA512

            dc4c7c5dca3e31885d5e398248a1d56be5dfffbdd6cb5b6c8c93d3c7b6ef866a5f2454ba7b8accf02b59a9e4d3e426f56b9004c1336fb89977c18314f81f918a

            Download Submit

          • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
            Filesize

            607.1MB

            MD5

            c273f2e62add201d12d11fcea6b2ab7e

            SHA1

            6508a4c3b38554591b102c456ca2ca0577d1ee69

            SHA256

            83fb77baf6f2729e03a8429005d8e1a8bb156a7ddd46c061e23b486d468b9768

            SHA512

            8e223cb8215f98eec3d90c9da68ff6adc3ead0ac11adf5039d7d1dfc24c1b943a956e492c171b6f0e275918a92fa3ae422f00e6f335a39a8c5b3f89e7952319a

            Download Submit

          • memory/944-160-0x0000000000400000-0x0000000000803000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/944-159-0x0000000000400000-0x0000000000803000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/944-158-0x00000000025A8000-0x0000000002752000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/1212-135-0x0000000000400000-0x000000000049D000-memory.dmp

            Filesize

            628KB

            Download

          • memory/1212-134-0x0000000000400000-0x000000000049D000-memory.dmp

            Filesize

            628KB

            Download

          • memory/1212-133-0x0000000000630000-0x0000000000639000-memory.dmp

            Filesize

            36KB

            Download

          • memory/1212-132-0x0000000000708000-0x000000000071B000-memory.dmp

            Filesize

            76KB

            Download

          • memory/2528-141-0x0000000000400000-0x00000000008E9000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/2528-140-0x0000000002900000-0x0000000002DDD000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/2528-139-0x0000000002574000-0x00000000028F3000-memory.dmp

            Filesize

            3.5MB

            Download

          • memory/2528-147-0x0000000000400000-0x00000000008E9000-memory.dmp

            Filesize

            4.9MB

            Download

          • memory/3044-153-0x0000000000400000-0x0000000000803000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/3044-152-0x0000000002710000-0x0000000002AE0000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/3044-151-0x000000000255F000-0x0000000002709000-memory.dmp

            Filesize

            1.7MB

            Download

          • memory/3044-157-0x0000000000400000-0x0000000000803000-memory.dmp

            Filesize

            4.0MB

            Download

          • memory/3512-146-0x00000000023C0000-0x000000000280E000-memory.dmp

            Filesize

            4.3MB

            Download