Malware Analysis Report

2024-11-30 21:25

Sample ID 231222-s8gfcsdfc9
Target e0766950c83a3551309ffe32a39cf502
SHA256 aa4895a92de07b083cd4ae91f0dfa52a25713b7103d573512465a75f23ffbdc4
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

aa4895a92de07b083cd4ae91f0dfa52a25713b7103d573512465a75f23ffbdc4

Threat Level: Known bad

The file e0766950c83a3551309ffe32a39cf502 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2023-12-22 15:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 15:47

Reported

2023-12-24 04:42

Platform

win7-20231215-en

Max time kernel

157s

Max time network

130s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e0766950c83a3551309ffe32a39cf502.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\ACCESS~1\\99LB0P~1\\OPTION~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 2032 N/A N/A C:\Windows\system32\wscript.exe
PID 1272 wrote to memory of 2032 N/A N/A C:\Windows\system32\wscript.exe
PID 1272 wrote to memory of 2032 N/A N/A C:\Windows\system32\wscript.exe
PID 1272 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe
PID 1272 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe
PID 1272 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe
PID 1272 wrote to memory of 2692 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1272 wrote to memory of 2692 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1272 wrote to memory of 2692 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1272 wrote to memory of 2972 N/A N/A C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe
PID 1272 wrote to memory of 2972 N/A N/A C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe
PID 1272 wrote to memory of 2972 N/A N/A C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe
PID 1272 wrote to memory of 1380 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 1272 wrote to memory of 1380 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 1272 wrote to memory of 1380 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 1272 wrote to memory of 1368 N/A N/A C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe
PID 1272 wrote to memory of 1368 N/A N/A C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe
PID 1272 wrote to memory of 1368 N/A N/A C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e0766950c83a3551309ffe32a39cf502.dll

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe

C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe

C:\Users\Admin\AppData\Local\ZKwzQXQ\VERSION.dll

\Users\Admin\AppData\Local\ZKwzQXQ\VERSION.dll

\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe

C:\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe

\Users\Admin\AppData\Local\ZKwzQXQ\wscript.exe

\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe

\Users\Admin\AppData\Local\FMo0a\appwiz.cpl

C:\Users\Admin\AppData\Local\FMo0a\appwiz.cpl

C:\Users\Admin\AppData\Local\FMo0a\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\kug\UxTheme.dll

\Users\Admin\AppData\Local\kug\UxTheme.dll

C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe

\Users\Admin\AppData\Local\kug\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\kug\EhStorAuthn.exe

\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\bg\EhStorAuthn.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\5m4\VERSION.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\99LB0pkB56l\appwiz.cpl

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\bg\UxTheme.dll

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 15:47

Reported

2023-12-24 04:42

Platform

win10v2004-20231215-en

Max time kernel

8s

Max time network

122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e0766950c83a3551309ffe32a39cf502.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\Y4VnGL\\ie4ushowIE.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jtbopf\ie4ushowIE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\yXANtbX\ProximityUxHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7QAFCA\quickassist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 3280 N/A N/A C:\Windows\system32\quickassist.exe
PID 3480 wrote to memory of 3280 N/A N/A C:\Windows\system32\quickassist.exe
PID 3480 wrote to memory of 624 N/A N/A C:\Users\Admin\AppData\Local\7QAFCA\quickassist.exe
PID 3480 wrote to memory of 624 N/A N/A C:\Users\Admin\AppData\Local\7QAFCA\quickassist.exe
PID 3480 wrote to memory of 2236 N/A N/A C:\Windows\system32\ie4ushowIE.exe
PID 3480 wrote to memory of 2236 N/A N/A C:\Windows\system32\ie4ushowIE.exe
PID 3480 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\jtbopf\ie4ushowIE.exe
PID 3480 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\jtbopf\ie4ushowIE.exe
PID 3480 wrote to memory of 4824 N/A N/A C:\Windows\system32\ProximityUxHost.exe
PID 3480 wrote to memory of 4824 N/A N/A C:\Windows\system32\ProximityUxHost.exe
PID 3480 wrote to memory of 3216 N/A N/A C:\Users\Admin\AppData\Local\yXANtbX\ProximityUxHost.exe
PID 3480 wrote to memory of 3216 N/A N/A C:\Users\Admin\AppData\Local\yXANtbX\ProximityUxHost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e0766950c83a3551309ffe32a39cf502.dll

C:\Windows\system32\quickassist.exe

C:\Windows\system32\quickassist.exe

C:\Windows\system32\ProximityUxHost.exe

C:\Windows\system32\ProximityUxHost.exe

C:\Users\Admin\AppData\Local\yXANtbX\ProximityUxHost.exe

C:\Users\Admin\AppData\Local\yXANtbX\ProximityUxHost.exe

C:\Users\Admin\AppData\Local\jtbopf\ie4ushowIE.exe

C:\Users\Admin\AppData\Local\jtbopf\ie4ushowIE.exe

C:\Windows\system32\ie4ushowIE.exe

C:\Windows\system32\ie4ushowIE.exe

C:\Users\Admin\AppData\Local\7QAFCA\quickassist.exe

C:\Users\Admin\AppData\Local\7QAFCA\quickassist.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files
