Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-02-2023 10:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    68e00e2f71b7ae7c1124426680d387223bdde400865d1c5a6b90b296f7fcc628.exe

  • Size

    167KB

  • MD5

    1345f8eb15a6270dc2813925e753f298

  • SHA1

    25bedbfa4934c2d91058a9b1f1d2c2703e7bdc2f

  • SHA256

    68e00e2f71b7ae7c1124426680d387223bdde400865d1c5a6b90b296f7fcc628

  • SHA512

    c1b6e60566d6388d7e656c28afd241a0678666b5efca431ff8d1173631eb511e27877d2047d356ccad1ef38fa3b5ceec958840021d4e580be576e006c7004ded

  • SSDEEP

    3072:UKruHcjlP82XYPNp/3SGuaLkvoqh9WmF4PKSRlL7o15YwKm1kiC4+99zXmUhs5fG:UUuHcmjlp/iGu7v5ePKSjvo1TKmWR4+z

Score
10/10
smokeloaderbackdoortrojan

Malware Config

Signatures

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\68e00e2f71b7ae7c1124426680d387223bdde400865d1c5a6b90b296f7fcc628.exe
    "C:\Users\Admin\AppData\Local\Temp\68e00e2f71b7ae7c1124426680d387223bdde400865d1c5a6b90b296f7fcc628.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1144
  • C:\Users\Admin\AppData\Local\Temp\E67D.exe
    C:\Users\Admin\AppData\Local\Temp\E67D.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Qruhaepdediwhf.dll,start
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4588
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 30907
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3404
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 460
      2⤵
      • Program crash
      PID:4852
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3080 -ip 3080
    1⤵
      PID:4600
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3392

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      System Information Discovery

      3
      T1082

      Query Registry

      3
      T1012

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\E67D.exe
        Filesize

        4.7MB

        MD5

        c176beec7f2220954469193969c3bcf9

        SHA1

        f811f77f5b53c13a06b43b10eb6189513f66d2a2

        SHA256

        e4f5ee78cf7f8147ab5d5286f4af31dc94cfced6913f3f5f5dad8d87a8cbca7c

        SHA512

        d573b1dcd9a41fbd9699abe28e0eb3bac4b4eab371de5e6fbef95238286d9e0a1e5a895e91bf5e623ae5eb5012881b973fd873f2c1fa27f9ddcb5438deb28439

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\E67D.exe
        Filesize

        4.7MB

        MD5

        c176beec7f2220954469193969c3bcf9

        SHA1

        f811f77f5b53c13a06b43b10eb6189513f66d2a2

        SHA256

        e4f5ee78cf7f8147ab5d5286f4af31dc94cfced6913f3f5f5dad8d87a8cbca7c

        SHA512

        d573b1dcd9a41fbd9699abe28e0eb3bac4b4eab371de5e6fbef95238286d9e0a1e5a895e91bf5e623ae5eb5012881b973fd873f2c1fa27f9ddcb5438deb28439

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Qruhaepdediwhf.dll
        Filesize

        5.5MB

        MD5

        a97da92f8f7ea0cb1e5b416190f50643

        SHA1

        9a74ababa9ada15b1af2767ceae6875ebd2d1bf7

        SHA256

        55ba8b7c5dcd9d5b995b8ae97cd33615f278d431fb1bf43ca18c7383fdb1fd7e

        SHA512

        0e4405fed4d14bf4e73ac0bf4c72f52d1d5edbb8b80220ce2cd60aceedea4a3778c65924b9a675b45cf087344f898be20a6466b6509828a99271c88911a4629d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Qruhaepdediwhf.dll
        Filesize

        5.5MB

        MD5

        a97da92f8f7ea0cb1e5b416190f50643

        SHA1

        9a74ababa9ada15b1af2767ceae6875ebd2d1bf7

        SHA256

        55ba8b7c5dcd9d5b995b8ae97cd33615f278d431fb1bf43ca18c7383fdb1fd7e

        SHA512

        0e4405fed4d14bf4e73ac0bf4c72f52d1d5edbb8b80220ce2cd60aceedea4a3778c65924b9a675b45cf087344f898be20a6466b6509828a99271c88911a4629d

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\jawshtml.html
        Filesize

        13B

        MD5

        b2a4bc176e9f29b0c439ef9a53a62a1a

        SHA1

        1ae520cbbf7e14af867232784194366b3d1c3f34

        SHA256

        7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

        SHA512

        e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\wctBC3B.tmp
        Filesize

        63KB

        MD5

        e516a60bc980095e8d156b1a99ab5eee

        SHA1

        238e243ffc12d4e012fd020c9822703109b987f6

        SHA256

        543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

        SHA512

        9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

        Download Submit
      • memory/760-135-0x0000000000850000-0x0000000000866000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1144-136-0x0000000000400000-0x0000000000570000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/1144-134-0x0000000000800000-0x0000000000809000-memory.dmp
        Filesize

        36KB

        Download
      • memory/3080-153-0x0000000000400000-0x0000000000AE7000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3080-148-0x0000000000400000-0x0000000000AE7000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3080-147-0x0000000002DB0000-0x000000000348A000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3404-209-0x000001BB9BD50000-0x000001BB9BFFB000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/3404-208-0x00000000009A0000-0x0000000000C39000-memory.dmp
        Filesize

        2.6MB

        Download
      • memory/3404-203-0x00007FFF8B560000-0x00007FFF8B561000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3404-206-0x000001BB9BD50000-0x000001BB9BFFB000-memory.dmp
        Filesize

        2.7MB

        Download
      • memory/3404-205-0x000001BB9D7A0000-0x000001BB9D8E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/3404-204-0x000001BB9D7A0000-0x000001BB9D8E0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4588-189-0x00000000032A0000-0x00000000032A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4588-199-0x00000000036C0000-0x00000000036C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4588-186-0x0000000003950000-0x00000000044A5000-memory.dmp
        Filesize

        11.3MB

        Download
      • memory/4588-190-0x0000000004570000-0x00000000046B0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4588-191-0x0000000004570000-0x00000000046B0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4588-188-0x0000000000400000-0x0000000000987000-memory.dmp
        Filesize

        5.5MB

        Download
      • memory/4588-192-0x0000000003950000-0x00000000044A5000-memory.dmp
        Filesize

        11.3MB

        Download
      • memory/4588-194-0x0000000003950000-0x00000000044A5000-memory.dmp
        Filesize

        11.3MB

        Download
      • memory/4588-195-0x0000000004570000-0x00000000046B0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4588-196-0x0000000003950000-0x00000000044A5000-memory.dmp
        Filesize

        11.3MB

        Download
      • memory/4588-198-0x0000000004570000-0x00000000046B0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4588-187-0x0000000003950000-0x00000000044A5000-memory.dmp
        Filesize

        11.3MB

        Download
      • memory/4588-200-0x0000000004570000-0x00000000046B0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4588-201-0x0000000004570000-0x00000000046B0000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/4588-171-0x0000000003950000-0x00000000044A5000-memory.dmp
        Filesize

        11.3MB

        Download
      • memory/4588-170-0x0000000003950000-0x00000000044A5000-memory.dmp
        Filesize

        11.3MB

        Download
      • memory/4588-169-0x00000000046C0000-0x00000000046C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4588-202-0x0000000003950000-0x00000000044A5000-memory.dmp
        Filesize

        11.3MB

        Download
      • memory/4588-168-0x0000000003950000-0x00000000044A5000-memory.dmp
        Filesize

        11.3MB

        Download
      • memory/4588-167-0x0000000000400000-0x0000000000987000-memory.dmp
        Filesize

        5.5MB

        Download
      • memory/4588-152-0x00000000009A0000-0x00000000009A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4588-210-0x0000000000400000-0x0000000000987000-memory.dmp
        Filesize

        5.5MB

        Download