Malware Analysis Report

2024-11-30 21:26

Sample ID 231222-s8f5ladfc7
Target e07278c27ec90b3d8fc7500d8180f0a8
SHA256 ea2fba4b7d64dc7c14d8b7e2bbb4f2333976b93c5f6d32310925eda10593ca72
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

ea2fba4b7d64dc7c14d8b7e2bbb4f2333976b93c5f6d32310925eda10593ca72

Threat Level: Known bad

The file e07278c27ec90b3d8fc7500d8180f0a8 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 15:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 15:47

Reported

2023-12-24 04:42

Platform

win7-20231215-en

Max time kernel

156s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e07278c27ec90b3d8fc7500d8180f0a8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\24TdjKl\\SystemPropertiesProtection.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1204 wrote to memory of 1516 | N/A | N/A | C:\Windows\system32\icardagt.exe
PID 1204 wrote to memory of 1516 | N/A | N/A | C:\Windows\system32\icardagt.exe
PID 1204 wrote to memory of 1516 | N/A | N/A | C:\Windows\system32\icardagt.exe
PID 1204 wrote to memory of 1564 | N/A | N/A | C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe
PID 1204 wrote to memory of 1564 | N/A | N/A | C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe
PID 1204 wrote to memory of 1564 | N/A | N/A | C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe
PID 1204 wrote to memory of 756 | N/A | N/A | C:\Windows\system32\SystemPropertiesProtection.exe
PID 1204 wrote to memory of 756 | N/A | N/A | C:\Windows\system32\SystemPropertiesProtection.exe
PID 1204 wrote to memory of 756 | N/A | N/A | C:\Windows\system32\SystemPropertiesProtection.exe
PID 1204 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe
PID 1204 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe
PID 1204 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe
PID 1204 wrote to memory of 2880 | N/A | N/A | C:\Windows\system32\wextract.exe
PID 1204 wrote to memory of 2880 | N/A | N/A | C:\Windows\system32\wextract.exe
PID 1204 wrote to memory of 2880 | N/A | N/A | C:\Windows\system32\wextract.exe
PID 1204 wrote to memory of 1228 | N/A | N/A | C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe
PID 1204 wrote to memory of 1228 | N/A | N/A | C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe
PID 1204 wrote to memory of 1228 | N/A | N/A | C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e07278c27ec90b3d8fc7500d8180f0a8.dll,#1

C:\Windows\system32\icardagt.exe

C:\Windows\system32\icardagt.exe

C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe

C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe

C:\Windows\system32\wextract.exe

C:\Windows\system32\wextract.exe

C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe

C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe

Network

N/A

Files

memory/2404-1-0x0000000140000000-0x0000000140232000-memory.dmp

memory/2404-0-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1204-4-0x0000000077B46000-0x0000000077B47000-memory.dmp

memory/1204-5-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/2404-7-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-9-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-8-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-10-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-11-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-16-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-15-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-14-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-13-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-12-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-20-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-22-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-23-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-21-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-19-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-18-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-17-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-29-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-28-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-27-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-26-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-30-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-31-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-32-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-33-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-24-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-25-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-34-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-35-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-40-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-39-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-38-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-43-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-44-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-45-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-42-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-41-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-37-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-36-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-46-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-47-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-48-0x0000000002A10000-0x0000000002A17000-memory.dmp

memory/1204-55-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-57-0x0000000077DB0000-0x0000000077DB2000-memory.dmp

memory/1204-56-0x0000000077C51000-0x0000000077C52000-memory.dmp

memory/1204-66-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-72-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1204-73-0x0000000140000000-0x0000000140232000-memory.dmp

C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe

MD5 c6adb32eaee9726a4e167d319a0e1c96
SHA1 170e5660d236d3bf13240a22dae52ac3d950d13b
SHA256 c00c10c1e688ba92f00d10dd57f9f83518834725d48373416954b6204ccd1477
SHA512 cbea5bf89ec0b71e03ccbe7192994effcc20b94d645b10a18120e736167963c74ceb5c6877a3fac239966b52316edc03542e2ac8772ed3a260e10bc885b51c3d

\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\zIJHw3ib\UxTheme.dll

MD5 70b9d70dcc909de160865eab88a90790
SHA1 233e7aa18f870f04371114590c227e25b5fafe53
SHA256 713e0e7a220b53329598e7d67ceb2613b7897a7a064757ede6c807e8b3940102
SHA512 829ce7767baf1e60ff50d314ba0b049d6336a55b5237971c5d1d46bca33e2f783f1dec6acbd8f4977f21276c85b4920cb9bc7d067204a75eff8adc2092a60daa

\Users\Admin\AppData\Local\zIJHw3ib\UxTheme.dll

MD5 d55d466028efd8170bd29163b9b6758f
SHA1 bda4e8a5a8ff81b762836dfcebf0acc57ee269ff
SHA256 89c36919b0714702d8d094568089cdbc6557b0c1c5eb0d7f40e11bfd9c23fc59
SHA512 b9c37c88991cd570926f460f67e8256da832961dc3d5187527cdf0a94ccb48bf548861e96a7f1c3902867fd1598cded25b56c0646a8833a23e5033cbd0af349c

memory/1564-84-0x0000000000310000-0x0000000000317000-memory.dmp

C:\Users\Admin\AppData\Local\zIJHw3ib\icardagt.exe

MD5 19d68d32bbdd55227b836aea2c2506b9
SHA1 ff165dd031ee3c198d86182b2c3b00d6d6e6ac6c
SHA256 d455ac7eddd35cdedf5db54ef2a7a34130168015f6f9c8496c4319b5eb21d489
SHA512 ae015e2e98761cc1a1a1d5b03eefa7201b57125b2b713a4832acca823dfa8ed962dad84068bec6632ea5716410cd2f784c57836a73b2bf63b95d2cb11cec1a67

C:\Users\Admin\AppData\Local\u6AEzWV\SYSDM.CPL

MD5 a8214c754d4f9e5b457de0261bc26aac
SHA1 2f7d337459a2f9122b475857565d599b6533395a
SHA256 adfe78b64e5be346ef3ff5a98fd81e887ba2092161f0185985be77d42052c447
SHA512 5d4add254839b79ba5a822b21356c1973031535fa173d6ab4ee4bb80bc6e3f4e7a29a6e1f1ecad6f86e4a14a501eb30120e2b6a29d601fc91f463aa432265b03

\Users\Admin\AppData\Local\u6AEzWV\SYSDM.CPL

MD5 498eb31ac14dbd434d7886c24750fd6b
SHA1 b9d9f40705ca38cafe03506e751997d055c771e7
SHA256 000ed5e8e4dbcda01fd0a821c96139604920f07c971611de8fc9d811ff6ad9b2
SHA512 91f4ca7230059703267aeeaf88ce05702354ea834909ff2dc3c86bf4cf9ee63b4ea9664b636f955a9c4461605a99a82975e9927f4d5d427fbe95ae07ef664c3f

memory/1908-108-0x0000000000080000-0x0000000000087000-memory.dmp

C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe

MD5 4203aa3d1935214fb6d32c591d0d3aa1
SHA1 6099415b10972c0b31032fbf80a5edf2b31df8a3
SHA256 eb1713ead3e2fc6888361e8e5e9f23a503b49fcc15125203e186fef2f2d1b77d
SHA512 210386293616d7b210f0258fb579018a2c2906c9dd76970a8417d97869ca34503c3bca5077b0ccb84b259f20ed3954bb8ce81ca0b829c73eafd47f589f7cd883

\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe

MD5 365c3f59ebddb46b7c4fc632ea1b68da
SHA1 0acec6063c5a100eef85eccd7cd3f6c84f16631a
SHA256 f4bb65ce7c7e096d644c3417c32dc6658398c80fcc9d76c5e18a256b5e622def
SHA512 cc00aa8a039a10590b6a6d67d11f75e3ae141fed3309ac27d41fe4f1631255d1e2e986e39f6c383965f3a9aa691e6cc17b7d65d821b9d5e558bb5b7150bc7288

C:\Users\Admin\AppData\Local\u6AEzWV\SystemPropertiesProtection.exe

MD5 7e2b55fabcb6f591d64c520d5e334579
SHA1 aa85c361e282f878c2d886820227a57079c2247f
SHA256 04b723eb9b29bd2d2b0e34a7c23a5840a85931aff8a1b15b8b66516f65f8343d
SHA512 bd6febc1fd1b49d129d1e798cd20ee0a059cd02887e2b514292bbb3c3291e518b07b274c54db05fd0ac634811340e79266c032f73b89e0960f9db0c04059b4d0

C:\Users\Admin\AppData\Local\X1MjLwJ\VERSION.dll

MD5 272bd1743fea94984d93cfec65b9c3d1
SHA1 2be3b0128d4e99d5b6413b86dd2ff0cebc3e78df
SHA256 59f6b9fb5836f66f0b82819ca111562f710f8dd440d48fd45eae8ae313131c17
SHA512 089492545b13794c027d0497fa549be3ac7f01c0e52e1ea96ba6386554ef51ce56d53b117c4c093de757dfb3523a2caaef58999e5bb71ef0d6d18e7d80307842

\Users\Admin\AppData\Local\X1MjLwJ\VERSION.dll

MD5 d24bf5d39a272d9bba62e0ccafc4e439
SHA1 5aba184c4988cfd9e4e4d1331cbfac2502fad38c
SHA256 c07ab1af13bab47be3a31c944b6029a404b3fdd6d4b9ab7ac857bbcc8c330d26
SHA512 8a833871ee404da9744e4e9f50fb55aa53aeed969bb792a8507469db71e75aa7e7a5b57be8cbead4fac5a9b43b7cd769f29fde2279e1f6f573af6cac1d5cf243

C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe

MD5 4974fab807ddb1d05fa4d31126b42f87
SHA1 1811d3fadc7806cd3351472d10b64e6996093ca0
SHA256 d37db080c90438ae46e4def81447cb40a660b9e0a07eb4e97e83b7a89c981453
SHA512 afd28307c03c830f6cc1b5a232cdeb607fc110202ace505063819e3354f17cd76c7cf6bd5d8c09bbb01bd38881dd8d6b047dda0249063cec0a88583b91002442

memory/1228-126-0x00000000000A0000-0x00000000000A7000-memory.dmp

\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe

MD5 fa84912d3a38f86cb90fcdd2fe43870a
SHA1 2f91718dba700e5a905a7359f94ac31f2e099508
SHA256 4d0460518834a661f3ade086eecdca59281e8a05d63c1a5684e6fc5fb51fd161
SHA512 c59d1bb5c14dba9228c0fdd2b3530099cd15076f2833b54284f497c721d58ce854e4b19f3fff94533e80e427713b40cd8a705e013d647f710d42d7bc5295d84a

C:\Users\Admin\AppData\Local\X1MjLwJ\wextract.exe

MD5 39422855658bd1be91f04154e050fc8b
SHA1 5b83ff414ee52f740212e439a33e20531b754c18
SHA256 1fabd9bef3058d78ca18b81515a6e64a71ee6273d6cf927a1860326ee4ca3b0e
SHA512 0c5587eee82532aa1ec319082cebca1f65eb98301adbf6303df2a038236a8cbdfeda7b57c1a7a0bdd5411a0d9b03601d5305b57c819f86fb47445ba288125f29

\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\J5WBRE3WJf\wextract.exe

MD5 1ea6500c25a80e8bdb65099c509af993
SHA1 6a090ef561feb4ae1c6794de5b19c5e893c4aafc
SHA256 99123d4e7bf93aa7f3315a432307c8b0cbaf24ad2cfb46edc149edbe24de4ca2
SHA512 b8f9f1ab48671e382d1385c34f0f19fc52fc0061e00db53bbbc2cdaee6d8a3f245707329f98e9167c53721aeaddcebfe66632729b6bcc98892031fd9914fb1fb

memory/1204-147-0x0000000077B46000-0x0000000077B47000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 0e652aedf276de92cd4e3fbbe4bf1c40
SHA1 a3e48b8d333b4ed6ebed0425bf2f58b51c987bee
SHA256 46498af42a49bac7f9cb34104fcaa86d5b581e969cd6f8e62a53ae01ed7c3c4e
SHA512 e38d12aa1f451ab528d0791e1dcb3a6b7c499a06ae858873fd5ce7a832af0a0688234a712776aec0a7dda75da57bc08fe8dda5c82fac174b304c4bc3a60e7648

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\OIO9GbO\UxTheme.dll

MD5 20e9ce0abf848819ecc75072be2b8d81
SHA1 9e1b86dcfbb3ef34fe936dd170fc07662c755da2
SHA256 b39faa7a0ac3998e39f52b8ae9bee89bffb50b48af26f663e34f47dba46a3b9f
SHA512 cc4e35fd2c4fc69e5f8a24d817ab4bb9743778ee2b5321cd2333cb13b55386e593e6782e1ccc91a41a1dacad0c9c80b50c11b707e6af9a32ff0f503e427f5c87

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\24TdjKl\SYSDM.CPL

MD5 dac7ec3b49ee04ec5897883f3346fa62
SHA1 e1d1ed8282a0647b2527a45bbd7f50cb7ab625cd
SHA256 418b731647d74b272fcf5444366759215d03fa43dc1ccdbbb51415b1ef77fb9b
SHA512 93b167fa4e1a62b09e41c8fd2a6cc2d91d8ee6e1c7c85f027244979c60807089c90078674bf63ec8fc1f703eed67f14d4a0e7d450799f623986f93ea9d17da44

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\J5WBRE3WJf\VERSION.dll

MD5 975de0bb942081b89ba48de4c2d301ea
SHA1 795450e4ef5c795d80b8c6dafe0ea61360914806
SHA256 66111f70a833371d9eaa2074ae6ecd6c9192517d9ffbb8e6e0581fd5713b0d63
SHA512 1f728800e59a7096c83ade89743136226bc6238ef1c74ade91e1cc2f49cba0aefcee2f621b5a1e85b3658e1c717b3972efe8c8a1ec58538be7ad89b597228f64

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 15:47

Reported

2023-12-24 04:42

Platform

win10v2004-20231222-en

Max time kernel

138s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e07278c27ec90b3d8fc7500d8180f0a8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\JQSjJGf3IE5\\mfpmp.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3468 wrote to memory of 4592 | N/A | N/A | C:\Windows\system32\EaseOfAccessDialog.exe
PID 3468 wrote to memory of 4592 | N/A | N/A | C:\Windows\system32\EaseOfAccessDialog.exe
PID 3468 wrote to memory of 680 | N/A | N/A | C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe
PID 3468 wrote to memory of 680 | N/A | N/A | C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe
PID 3468 wrote to memory of 2668 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 3468 wrote to memory of 2668 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 3468 wrote to memory of 5000 | N/A | N/A | C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe
PID 3468 wrote to memory of 5000 | N/A | N/A | C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe
PID 3468 wrote to memory of 2936 | N/A | N/A | C:\Windows\system32\BitLockerWizard.exe
PID 3468 wrote to memory of 2936 | N/A | N/A | C:\Windows\system32\BitLockerWizard.exe
PID 3468 wrote to memory of 1704 | N/A | N/A | C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe
PID 3468 wrote to memory of 1704 | N/A | N/A | C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e07278c27ec90b3d8fc7500d8180f0a8.dll,#1

C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe

C:\Windows\system32\BitLockerWizard.exe

C:\Windows\system32\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe

C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 92.123.241.137:80 | www.microsoft.com | tcp
US | 8.8.8.8:53 | 137.241.123.92.in-addr.arpa | udp
US | 92.123.241.137:80 | www.microsoft.com | tcp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp

Files

memory/4616-0-0x0000000140000000-0x0000000140232000-memory.dmp

memory/4616-3-0x0000021A9CCB0000-0x0000021A9CCB7000-memory.dmp

memory/4616-1-0x0000000140000000-0x0000000140232000-memory.dmp

memory/4616-8-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-7-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-12-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-13-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-17-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-16-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-23-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-28-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-30-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-31-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-36-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-41-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-42-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-44-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-49-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-48-0x0000000002F30000-0x0000000002F37000-memory.dmp

memory/3468-57-0x00007FFACBBE0000-0x00007FFACBBF0000-memory.dmp

memory/3468-66-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-68-0x0000000140000000-0x0000000140232000-memory.dmp

C:\Users\Admin\AppData\Local\4ELeR\OLEACC.dll

MD5 9722e097b460d7b27896f3cb93d6a703
SHA1 2daec85a58f5d498cd43e61e61f2464c5acc4e30
SHA256 24c95de22da6da97dfe5461d9d88092414fc71073f5851c56cf927d0be0b6f0c
SHA512 6fbb02d23baa4d1926b1c214d946aceb67bd005ea13b75b42ed570eecbe115263fa1808ed3b987197333464457048cfa6c9d3dfbc17ac1f3201fabbb31cd9c36

memory/680-78-0x0000000140000000-0x0000000140233000-memory.dmp

memory/680-80-0x00000231B25D0000-0x00000231B25D7000-memory.dmp

memory/680-84-0x0000000140000000-0x0000000140233000-memory.dmp

C:\Users\Admin\AppData\Local\4ELeR\OLEACC.dll

MD5 bd67724a7f88fecf8d84d95ea70d5b72
SHA1 0404399a7a1366219d22216fa62ccc8e084a934b
SHA256 1cf76594a34fb84dedddeb1a9cddf578a377a3112adf2286669cba278878a287
SHA512 b540e18db9cabe9b0e09fac877aedc3b14a794ed1e7cc4144b9029880e4b97c909641ba5f4fc06e095a7ae52131102754330f91d4e11ea3bab852710ca8da584

C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe

MD5 e52b08749fa407e44c37a05f6b542242
SHA1 68b1f1aa9a70c59172578dcae0e98071601525d1
SHA256 4387194d62f0710397ae6e4f3f707dc8574957da2625833ce7e4aeac837eed16
SHA512 00c4af4bac9db9a1c2dcc447990d0cd4bbc80b304c14816522403097935e513bcf07e7f1d37a60f2257dde69b4099f1ced3c53943fc8f6bfcbc68072797646da

C:\Users\Admin\AppData\Local\4ELeR\EaseOfAccessDialog.exe

MD5 e8061bcb916dc31651a86ed6181f5e4b
SHA1 1d59fcaa79cd06c5eae8d16ef36e8b49e16e9d0b
SHA256 d0bade86222ad5685c7b2fb946d23590423e20197c8dd3379325dc0b78910398
SHA512 055403d382c6df2d3b13e974ae8948229e067dd7412cadcc59eabd7fcae4d1eeee5e50e5c1376d15d22d129c97a7e7005c2cf0cc4dcf77e3dc2327ba38f1f1c7

C:\Users\Admin\AppData\Local\3sx2\MFPlat.DLL

MD5 562c480ea39b48543a905fe323451465
SHA1 9ccf6afedd3faad643bb486cc7f584e92d63f2d3
SHA256 5f75d8153ec735478e0fd503834eebcc7ec72665288bd9c8d3ca7d172bcc6fbd
SHA512 97ed785fc4947415c47a23e79b03afea0d8293708abe00f4ae8a39e42f35b29812a476f8ac6307d24bccb359bc5f108473a9e0c9baaa4ba5ee4e07b1e0bfe3f3

memory/5000-96-0x0000000140000000-0x0000000140234000-memory.dmp

memory/5000-95-0x0000000140000000-0x0000000140234000-memory.dmp

memory/5000-103-0x0000000140000000-0x0000000140234000-memory.dmp

C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe

MD5 dde86491fc2c1e8cb0cb7ac6ad771ee6
SHA1 e7c497ee7be00331269a2f8a01ac948f12ece116
SHA256 08f3aece8bdab8249e02f5c671e11418829e4f28175ee8c14efd115420bf5293
SHA512 018fd97628c9fe776c1f1b3a4a488000d04b7906bde0f5daec1a6737c8ffe07eeec9317b128d3344850652732849303a3f68088ac696a66117a6d46daad5b68f

C:\Users\Admin\AppData\Local\H5kfv\FVEWIZ.dll

MD5 0c32ee784a254efd2a47dde0c65a3c03
SHA1 74df1b6a8fcc0f9f135f051e749429002a0ed11c
SHA256 f600f6384570ee0ed42dacdcf0ae2cfeceb78c6b16f24742f0aead5f6608d5e3
SHA512 8ff947bb7fbc08988d682bfd9a9161ca1ff54a7b9d3ba762c0cf1ab4f0d194d3ad92f053e993b81879c616090e5ff4ead9b82114f2196a0a8f4c09abd1b1443c

C:\Users\Admin\AppData\Local\H5kfv\FVEWIZ.dll

MD5 3446992ec608716139eef422cb6312f5
SHA1 c1e1927e341c5118035a94294082aacd582f4244
SHA256 a247284e3fb93ce7d1fce9b11c413550e2be38be0b4ac56d4e63c812ff6767f3
SHA512 82af6e4d70fbe894d942d10bdb89864562b3c0ec50ad892aa6a177fcc73437c2c718aa4c128e890df5ff647d7c996b6d28f74e774659fe878b6477429b28311d

memory/1704-115-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1704-122-0x0000000140000000-0x0000000140233000-memory.dmp

memory/1704-116-0x000001BD3CCD0000-0x000001BD3CCD7000-memory.dmp

C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe

MD5 e7fb91ffd9b64c86109fc1701245fc2a
SHA1 6f285f255ad89bfa6de3dd8c62f856039479396f
SHA256 c84c5a6e46ab73a0f6a6109f571b39a4915beabab8ff5c6683495a35b8259a4b
SHA512 a8f7204080b68a65626468f19d4c784461efda21f97a9846f84c1937c95a786e2e8143abef3b81954f1ee450114387b7ace0e0e0d48ef83a8db2e29d92a46b12

C:\Users\Admin\AppData\Local\H5kfv\BitLockerWizard.exe

MD5 620aad971540dce295960abf840c6cb1
SHA1 b9318b585110a9afd14c3aca2e1c554cd42c0ea7
SHA256 9edf0f094b98b671b6251f20bae45cdd611764c33725bff3af4556f254d56e90
SHA512 daf0a4775de72689dd324189e13e9e0925c3a85eb904cdae03807dbc16c0383a4d91f4766822ef207ba24d5010d2bbd01233f45e148eaef209034a15142e49b1

memory/5000-97-0x0000024D8C700000-0x0000024D8C707000-memory.dmp

C:\Users\Admin\AppData\Local\3sx2\MFPlat.DLL

MD5 f38931d6e59ef19136436b64056d6563
SHA1 92fa053c74d4893066e056a1860165dec28feaa6
SHA256 30d729771052eda1adc38a040e96ea530c57e5c6236bec62975576fb99e78de4
SHA512 2274293ce4aa3e267ef8e685e5e916c0ccb9cc1f20334fe303e1e3ba69df4f95e5329b8e2d72c220ff2acdf4a31020f560690c218bdfb74146cac50cb15836b1

C:\Users\Admin\AppData\Local\3sx2\mfpmp.exe

MD5 cd810bb75a4224ea34c4e7bb53ced4e6
SHA1 c6090c486e45ca5491e93e7dbf2f7f3043d3e5f1
SHA256 21decf4857071ab66fcd046d21389e1a4601d64a0eccb1ef89f36ee4c424d562
SHA512 3896c8b1802c942126bb649d12df31c992528c4b959ca2f27d86ef5ce9cb2698d2ce6510a0e17dbdd1950b1172cd820392bc9e94ab2074d27db635ff06f9fb43

memory/3468-56-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-47-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-45-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-46-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-43-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-40-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-39-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-38-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-37-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-35-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-34-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-33-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-32-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-29-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-27-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-26-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-25-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-24-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-22-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-21-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-20-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-19-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-18-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-15-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-14-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-11-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-10-0x00007FFACB0BA000-0x00007FFACB0BB000-memory.dmp

memory/3468-9-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3468-5-0x0000000002F60000-0x0000000002F61000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 18edf0ff7bf7e08e270245b861d9647d
SHA1 2ffa20eb9943844c2e683675e8242cc0a0c4d742
SHA256 2531aa273580ada41e3f3aad81c28cefa8cad55723eadf4ddc4c3b150cedee4a
SHA512 edfc02f26a6c198322e124ff760473ada1f736610dd3487f34b2fb0187e1e378a48b8306786d3fa8e290150dc66d0c28eb48f06a60e86271b8a52a01a5952911

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\laGuI\OLEACC.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JQSjJGf3IE5\MFPlat.DLL

MD5 37531edbe6d2ad4494bb2f957b214221
SHA1 4d4cfc4c47cf9d4312b005ee3f7279f667be546c
SHA256 494582d1022c7f6301135af7fb2e00f3301d76f20b11e8241e799530b0fde84f
SHA512 948caddb9c76f00ccf83181191cfefe6bb8482789f5f47cd474399dd6b4642cf67b39934bdb1511996f529f029cafc4eb0f140670d95c115df71f645003892f7

C:\Users\Admin\AppData\Roaming\Sun\ltUdnuMM\FVEWIZ.dll

MD5 6aa4fff3f5fa055fca5fcd0a6cee0462
SHA1 871c07b1ab9f3a65c293778fec4b17fe09ed46c3
SHA256 5d09126995d4c3f5d0d936fbce926630c71b728f4ed1f36ba03347959ead8b69
SHA512 4b607ad96bc1071a522f2d6687e04f1db2f52c979cdeaf0512b15fac51c2764db4c8a467d977cbe146e7dc24296194fc7d035609ddb3822b51b95d381bab4b83