Malware Analysis Report

2024-11-30 21:27

Sample ID 231222-va5fmscfe6
Target f7e4cd098d36760819259c353ee7c0d9
SHA256 a6a2651b94c935293541f8f92998be8d30f6e0ace01ff02fc931dc834bee9882
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 a6a2651b94c935293541f8f92998be8d30f6e0ace01ff02fc931dc834bee9882

Threat Level: Known bad

The file f7e4cd098d36760819259c353ee7c0d9 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 16:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 16:48

Reported

2023-12-24 07:58

Platform

win7-20231215-en

Max time kernel

151s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7e4cd098d36760819259c353ee7c0d9.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\tQF2OpN\spreview.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\hNW9fX6K\xpsrchvw.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\V9Hr\msdtc.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3308111660-3636268597-2291490419-1000\\4EeWTa\\xpsrchvw.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\tQF2OpN\spreview.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hNW9fX6K\xpsrchvw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\V9Hr\msdtc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (61 rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 2888 N/A N/A C:\Windows\system32\spreview.exe
PID 1220 wrote to memory of 2888 N/A N/A C:\Windows\system32\spreview.exe
PID 1220 wrote to memory of 2888 N/A N/A C:\Windows\system32\spreview.exe
PID 1220 wrote to memory of 2996 N/A N/A C:\Users\Admin\AppData\Local\tQF2OpN\spreview.exe
PID 1220 wrote to memory of 2996 N/A N/A C:\Users\Admin\AppData\Local\tQF2OpN\spreview.exe
PID 1220 wrote to memory of 2996 N/A N/A C:\Users\Admin\AppData\Local\tQF2OpN\spreview.exe
PID 1220 wrote to memory of 892 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1220 wrote to memory of 892 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1220 wrote to memory of 892 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1220 wrote to memory of 1620 N/A N/A C:\Users\Admin\AppData\Local\hNW9fX6K\xpsrchvw.exe
PID 1220 wrote to memory of 1620 N/A N/A C:\Users\Admin\AppData\Local\hNW9fX6K\xpsrchvw.exe
PID 1220 wrote to memory of 1620 N/A N/A C:\Users\Admin\AppData\Local\hNW9fX6K\xpsrchvw.exe
PID 1220 wrote to memory of 2420 N/A N/A C:\Windows\system32\msdtc.exe
PID 1220 wrote to memory of 2420 N/A N/A C:\Windows\system32\msdtc.exe
PID 1220 wrote to memory of 2420 N/A N/A C:\Windows\system32\msdtc.exe
PID 1220 wrote to memory of 2968 N/A N/A C:\Users\Admin\AppData\Local\V9Hr\msdtc.exe
PID 1220 wrote to memory of 2968 N/A N/A C:\Users\Admin\AppData\Local\V9Hr\msdtc.exe
PID 1220 wrote to memory of 2968 N/A N/A C:\Users\Admin\AppData\Local\V9Hr\msdtc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7e4cd098d36760819259c353ee7c0d9.dll,#1

C:\Windows\system32\spreview.exe

C:\Windows\system32\spreview.exe

C:\Users\Admin\AppData\Local\tQF2OpN\spreview.exe

C:\Users\Admin\AppData\Local\tQF2OpN\spreview.exe

C:\Windows\system32\xpsrchvw.exe

C:\Windows\system32\xpsrchvw.exe

C:\Users\Admin\AppData\Local\hNW9fX6K\xpsrchvw.exe

C:\Users\Admin\AppData\Local\hNW9fX6K\xpsrchvw.exe

C:\Windows\system32\msdtc.exe

C:\Windows\system32\msdtc.exe

C:\Users\Admin\AppData\Local\V9Hr\msdtc.exe

C:\Users\Admin\AppData\Local\V9Hr\msdtc.exe

Network

N/A

Files

memory/1480-1-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1480-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/1220-4-0x0000000077616000-0x0000000077617000-memory.dmp

memory/1220-5-0x0000000002950000-0x0000000002951000-memory.dmp

memory/1480-7-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-8-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-13-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-14-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-11-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-18-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-19-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-23-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-26-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-29-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-28-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-30-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-31-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-27-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-34-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-36-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-39-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-40-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-41-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-42-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-43-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-45-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-47-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-48-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-49-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-50-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-51-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-52-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-53-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-54-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-46-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-55-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-56-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-57-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-44-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-58-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-59-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-60-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-62-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-63-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-61-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-64-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-65-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-38-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-69-0x0000000002920000-0x0000000002927000-memory.dmp

memory/1220-37-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-35-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-32-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-33-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-25-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-24-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-22-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-21-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-20-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-77-0x0000000077821000-0x0000000077822000-memory.dmp

memory/1220-17-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-16-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-15-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-12-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-10-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-9-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/1220-78-0x0000000077980000-0x0000000077982000-memory.dmp

\Users\Admin\AppData\Local\tQF2OpN\spreview.exe

MD5 b6e74675420947ec064e945204549910
SHA1 0d05d27ba1b422f0ebb1774f145f9c11208bad19
SHA256 739e929cde5a6ba38369a6561e595f8a42fc1cf0a82f6943c682fe34df3e6e47
SHA512 fb2dfafac8fc09e3180836a13daddaafe0c0597c090baca595f85512299d8aa316dca8aa10a2798ded02c4624106f5310a70f5d53118d6e3b2bb65d281fb9666

C:\Users\Admin\AppData\Local\tQF2OpN\VERSION.dll

MD5 66020df9bd6e12b52957b2ba0c7a941f
SHA1 04d450b9f6b5bc8f9de9d693acb70bd83d2f3b39
SHA256 986c4ac9a3e35b9be7e859174856da88b6b1e8ab1a810f6841a133fb741850a6
SHA512 655387796e67f00283f5a345d2eee4ac2c12bcd19e2dd520f05aed144ea046b87ab64f0e43417e93a6e79bc2be2e74778301c44d5bf9f0c505e27ccb55cd771e

\Users\Admin\AppData\Local\tQF2OpN\VERSION.dll

MD5 119778ce6b919e7e2e09b5c1f0241a24
SHA1 9a95f393f86ec5f8171d1d829932a3e6d33804d7
SHA256 c96d9520e75ec1ca151fef1c0c9304fd90337ce57849ac29886f70f4182b97a1
SHA512 1ae05a915b06f8091832b8ef03f842122a7d18fd5f66da204b3a340db3ff33c403806ac7a84d1c1ebe40d9f510802c47f686b53b80530ba4959c5bc475ffc642

C:\Users\Admin\AppData\Local\tQF2OpN\spreview.exe

MD5 d52f78ad36d471738240146c6c76c6e5
SHA1 ebfd27625e3b26768ace5f82595f5df3b7e1fcfc
SHA256 6dd387e9e5d0014c564e9d12134152487a6b5e68e3f3b6942f598efcfbcb1356
SHA512 d2b914ca19dea12dd95b30692fe390d1a9ee90c2f45bdc4832670d695e7bbe42fbcac37b96ec769ad493a26947f4a00d31618b65f251d3d72cf60b70e303ac41

memory/2996-105-0x0000000000190000-0x0000000000197000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\L55iqKFd\spreview.exe

MD5 15e3bd775866454759a3e09e57dccd36
SHA1 9c95c7fca9d4b5c2a1d34339e226eb432a428004
SHA256 d5d662a208a81063f3ae7c40f4d2161dc34f63db06c4af2ace85a3ab27255051
SHA512 e90c995ff6868656858a5ffa28b180298a5083f844e54fa1b6bfc260382e81d976e8f561cab5b74655586b53d749f6a4339cc91801603436b41ac8dea9e32ee0

C:\Users\Admin\AppData\Local\hNW9fX6K\WINMM.dll

MD5 ff44f4fd312483538601165f8d0e934f
SHA1 d1fefb86a84078b1de3b971178458289fd723386
SHA256 ceb15cffba2552fca35934b7a6d00387f1f9e79a90950043a94be31078808fa2
SHA512 dec6fc651ab8d20ebfb2de1bcf0376ead8471b3ec48f344c2cfaa6e76bff1e294c8f525018e3a59497203a6effb4316736a57722e075923b852edf6aeba75598

\Users\Admin\AppData\Local\hNW9fX6K\WINMM.dll

MD5 7e3ec4fb58d900f599e384cdf707f890
SHA1 ab9f445e516905e31101999476b9c1a1d1d27d19
SHA256 054d000074532d5cdad0dfc97a353cc5514103b8a3fc4979655d78064effb886
SHA512 e9cde36a253ed95d58a00828e8385e0d9f87923f3d64aa1069fc1bd32e2aae5099bd172b7c4699856618f1f9d325ac9b3bcaa854e395e1160c44c96407f01ac7

C:\Users\Admin\AppData\Local\hNW9fX6K\xpsrchvw.exe

MD5 baa7563adfa7d743031f4c0b031f5083
SHA1 60e1979f0462241c45e9d2cd869f6aec75d0cb23
SHA256 878a9c8580bdb9e57784be0ebd3e2f6db4e3b6c9e9ae86a9f492307910b42ce4
SHA512 6b950b1036a2427da776be9cf3b594648eaa32eb09dd034613954cd39068fc0ffbfeae7c03d1221b3753ec998c1a9dacff4e36552107e463e3daa402af20bd9d

memory/1620-122-0x00000000001B0000-0x00000000001B7000-memory.dmp

\Users\Admin\AppData\Local\hNW9fX6K\xpsrchvw.exe

MD5 103391d5f114da716b7bf73f3e1fdb7f
SHA1 146937de05f7b933230e73cba3a2b8b73e3b0a76
SHA256 2cd9fe5e746ff2c9b3c76b82ee1ec358af33332f0c16f067e230b12bf8f3b73f
SHA512 86d022403411e176850285b75db3fdc836921584dcb0059056a746274d15ecce40b0de6a98ee1fc8d9c67990851eb17ad009aae19b9f50d2b0937cfc1ca12223

C:\Users\Admin\AppData\Local\hNW9fX6K\xpsrchvw.exe

MD5 7540460b1f5d83f336890635cf71b24f
SHA1 70d1450233fede584fff94ee3a674909633cad66
SHA256 9d764d9dcb74a745518c92e079335d2ada0886ef7fa5712e8baa9ddc5a547493
SHA512 3c0302307e2467531dfd2e0781ef1870db9c859b5583fe4462555a25f4822f9c40282bdc923122a472ee6fe9e95d58635b1893c7aa5c1b4c7125c41731e50a19

C:\Users\Admin\AppData\Local\V9Hr\msdtc.exe

MD5 2e88833496888c60b454094781dec33f
SHA1 5aabd230d0bf79389226bc51135e30368803c915
SHA256 e5890107fd3b94c93c7c68f5e5bb4d7989e97ac14bb1c6ef7954b5ac2e319423
SHA512 dcbe1b2e557f19c7ae2b5016a5b196b31c46990bf6ab02de6e1c6e43f0803efbb5550be6e7277b6938b92ed6be3d9adff45a6ce409b8ff680335f60503a76c36

C:\Users\Admin\AppData\Local\V9Hr\VERSION.dll

MD5 25accd6f9cdfba761871d0c88b035be6
SHA1 32da2c5d41c939b8f708cde08ce98a1922325409
SHA256 00bfe17e6f73e89bad392857ff96616373095701a31980836a82dabea0e04e91
SHA512 7dd193a59f2ce32c6fe409aecc6262b66c54f51ea90002016c046d8c0d24b052185250ab7076030de5d127a5120cea7d6de0fa23e49fc862aaa25b7e9ee83690

\Users\Admin\AppData\Local\V9Hr\VERSION.dll

MD5 4da7440c440e81e157b7b4fd47dfe5a8
SHA1 cc456fc82365d3e480412cfe54e9e2839af23614
SHA256 348e4617c3608ed729d373366293bb02cc9faafe6f041e5902fc508e86b640ab
SHA512 e1579e0a712717742d903f7d818b80be7888e7322e938623c0ca7ddb4c0eae8ac3d06ee9117e0a784e274da7eac14ab82256c8fe9483af885bea2d7c269f350f

memory/2968-146-0x0000000000180000-0x0000000000187000-memory.dmp

\Users\Admin\AppData\Local\V9Hr\msdtc.exe

MD5 e247a2ba0f5fb731c0130e557e29f4a5
SHA1 0c490e2b5d2129281a2eb9cc37eb823aebcc83b4
SHA256 eb894267ed639a77c94266bea70f9c1c9078c956281fb646fe4ef44ece1a7119
SHA512 1796d0bb586e3dcbe6cb76bd77daf7ad5e1cfd09ce9679faa6e38fbd4208984ec87e1ece63339d330d9f548ff38bcfe448dd3c9cb964517f864eb69491e28d62

C:\Users\Admin\AppData\Local\V9Hr\msdtc.exe

MD5 e16bb9da49d880af2c9dfdbb9524e764
SHA1 a70932a44595fc332166b53e10aa0835d159266b
SHA256 5f5e5de07138970c9a6c33c4c04f056087f4a3248c43570becd4a2936cf24865
SHA512 44932762f9ebef12727b3ca9a689ea8cf82f30f3859be00016b20191d446e4c83f3857017e85a6462076d4ac5c13c93c6615fc7c934db5f054dda9a13cbc89f3

\Users\Admin\AppData\Roaming\Microsoft\Crypto\RIN6h6JGn\msdtc.exe

MD5 e34baffdbd3c5dd2fdae15e0b2fcb366
SHA1 5971a7bc95bc6e3547601d3094f41e8c78e4de4b
SHA256 eeff4d73eccde1719d0d94772201020041437827d4788d8a85eac4b849abfb84
SHA512 cd69d2a5bcd37ce7ff9f5e828d1b0ca17fccc642b5e13fb56dd96507cba8659b84f70d16e4c81977aba4997e806cdcda31b1c658a638dd26e612ede601eb197b

memory/1220-167-0x0000000077616000-0x0000000077617000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 66d17e1b0375e65ac502b6e66476f34c
SHA1 47c86e02cc39c26bcf450d3166331d6b92211907
SHA256 690c813f26896198cbb8feb393b01bd777039958016a53fb91d398fa67af202a
SHA512 07ea20b5b187dd8ca47b8e06d146d40252acc2015c4690e5908df8c6dddbe33f992c1def8d1abac0866d0a42c78d17bf9883b5275e1a6992703d66a3cffa6adf

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\L55iqKFd\VERSION.dll

MD5 7c7adce8a7bc06c1651ade81d11ff3d8
SHA1 8da46a91f08ac968bfe2affb17b8fb6b5e36ddaa
SHA256 2f0b24691c73f0d819391ad6bd6426af4441d6d18d2af9672dd75bacfd3de1bf
SHA512 c29c9e111fe8442fc0980781ee5b0273b87e57b00471b299ae38f83d183cfa8095a35bdb69cbc07a3fbf245340f764cf7ea775bf6ee3e63b21831edf453d9ce4

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3308111660-3636268597-2291490419-1000\4EeWTa\WINMM.dll

MD5 883f23981021d0880384ba2e5d931bdb
SHA1 962b6f90581a8ca1abc80edc9b306f80ee1a2268
SHA256 0bbd1ddd054848d2b7c08cdd2d813ae858af761fd68b2a544a079884c2d5b462
SHA512 d02d91a52e5189315f3545012e2328168a72fe268981a64683acf61cddaf231a50c440561039876762d1a3d92b26002f4b913851add3c6db4ac3f743167b6ba7

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RIN6h6JGn\VERSION.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 16:48

Reported

2023-12-24 07:58

Platform

win10v2004-20231215-en

Max time kernel

69s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7e4cd098d36760819259c353ee7c0d9.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\W0jbz\\quickassist.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\NErePEmF\usocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\foK\quickassist.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\XpojnN2Y\CustomShellHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (60 rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3360 wrote to memory of 4760 N/A N/A C:\Windows\system32\usocoreworker.exe
PID 3360 wrote to memory of 4760 N/A N/A C:\Windows\system32\usocoreworker.exe
PID 3360 wrote to memory of 4132 N/A N/A C:\Users\Admin\AppData\Local\NErePEmF\usocoreworker.exe
PID 3360 wrote to memory of 4132 N/A N/A C:\Users\Admin\AppData\Local\NErePEmF\usocoreworker.exe
PID 3360 wrote to memory of 1084 N/A N/A C:\Windows\system32\quickassist.exe
PID 3360 wrote to memory of 1084 N/A N/A C:\Windows\system32\quickassist.exe
PID 3360 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\foK\quickassist.exe
PID 3360 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\foK\quickassist.exe
PID 3360 wrote to memory of 4784 N/A N/A C:\Windows\system32\CustomShellHost.exe
PID 3360 wrote to memory of 4784 N/A N/A C:\Windows\system32\CustomShellHost.exe
PID 3360 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\XpojnN2Y\CustomShellHost.exe
PID 3360 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\XpojnN2Y\CustomShellHost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f7e4cd098d36760819259c353ee7c0d9.dll,#1

C:\Windows\system32\usocoreworker.exe

C:\Windows\system32\usocoreworker.exe

C:\Users\Admin\AppData\Local\NErePEmF\usocoreworker.exe

C:\Users\Admin\AppData\Local\NErePEmF\usocoreworker.exe

C:\Windows\system32\quickassist.exe

C:\Windows\system32\quickassist.exe

C:\Users\Admin\AppData\Local\foK\quickassist.exe

C:\Users\Admin\AppData\Local\foK\quickassist.exe

C:\Windows\system32\CustomShellHost.exe

C:\Windows\system32\CustomShellHost.exe

C:\Users\Admin\AppData\Local\XpojnN2Y\CustomShellHost.exe

C:\Users\Admin\AppData\Local\XpojnN2Y\CustomShellHost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 152.141.79.40.in-addr.arpa udp

Files

memory/3188-0-0x0000025219EE0000-0x0000025219EE7000-memory.dmp

memory/3188-1-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-5-0x00007FF89459A000-0x00007FF89459B000-memory.dmp

memory/3360-4-0x0000000003300000-0x0000000003301000-memory.dmp

memory/3188-8-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-9-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-10-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-11-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-12-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-13-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-7-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-14-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-15-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-16-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-18-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-17-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-19-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-20-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-21-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-22-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-23-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-26-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-27-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-29-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-32-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-31-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-30-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-28-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-25-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-24-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-34-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-35-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-33-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-36-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-38-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-39-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-41-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-40-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-42-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-44-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-46-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-47-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-45-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-43-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-37-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-49-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-51-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-50-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-52-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-53-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-55-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-57-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-56-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-58-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-54-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-48-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-59-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-60-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-61-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-64-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-65-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-63-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-62-0x0000000140000000-0x00000001403C4000-memory.dmp

memory/3360-69-0x0000000003390000-0x0000000003397000-memory.dmp

memory/3360-77-0x00007FF895B60000-0x00007FF895B70000-memory.dmp

C:\Users\Admin\AppData\Local\NErePEmF\usocoreworker.exe

MD5 04c3ca0a78be903a775e4aea96b4dbae
SHA1 1280c4244e33cf99c4f49740ba51b4a8ffcc53f0
SHA256 5a1d4985eaa9ce597853189e80858b212538bc186d5305b714607393fc3d17ce
SHA512 4e1fddd273cb6bb69eeda58c88d0c4a95a70811c069b982fc34d95f91733e3ced974c0da5851a3e73d6d1e43c01f218eb1e560b25020995bbc37b2a5eba14f75

C:\Users\Admin\AppData\Local\NErePEmF\XmlLite.dll

MD5 3830e671c8c7b5c1145965a86b70b2b1
SHA1 c8c7d38d5c8b19fa856776cfcb38b243e479ccd9
SHA256 be488a54523b3b0fc799f49f73e0311e3b91562ad371b8ecdfb2ad3205159474
SHA512 126c0862456e2a40d6bdcc3c5e70c5182b47fee12388d02d5580063a26973edf42b99c21df2406b5492e56ca9539bceb14e55fff0e972bea6c4a4b3d0b2bdc64

memory/4132-97-0x000002D57C110000-0x000002D57C117000-memory.dmp

C:\Users\Admin\AppData\Local\NErePEmF\XmlLite.dll

MD5 87c2a724067bfae44f4d9f545894c2a6
SHA1 91eef2acbb6cc8e6923b0c9c0ab2a8036522c43c
SHA256 cff14ff5c5106e60097e13a593b4379bd53b4c8be068c4897a83b43ccc151511
SHA512 d097dacb3f294cb2afc9492e6bca9cd358150eecdde254d7d53d09d1077832f8dde116dc1133f0261c868fa8d2cb9eed6233a9f8e937d21a9f5cd1344b994b01

C:\Users\Admin\AppData\Local\NErePEmF\usocoreworker.exe

MD5 8a05fa056f67c7ea97b6ec2703492ef4
SHA1 901a76bfdb04d4ef70e460f67316d058fcc332c8
SHA256 124576769868d3a3081a136b95811a7b63d91c09b34764c2535682dc83dda7a0
SHA512 111055b6ebd6863b35f239f55864ef07340112179724f22711324e444652409d399e815d21ad72aa73050f317ff580cff9c1d1fb04dc807f8edd3b362369e985

C:\Users\Admin\AppData\Local\foK\quickassist.exe

MD5 566dfec39d892ea1c0142d582ff36d48
SHA1 30d2107dbbaadb925194a6b49ecddd90a3199403
SHA256 35ec7fe08d2b2b4fd17b479e0e6b01b79a90aaa03dee1277d59f80fe60e88318
SHA512 91ad135d82daa5cc9980ac816833d2e05636c05ecadd07cdfcfd5bb0cfb338341f4e5c61b2373ff29145aeed2a3a083ad31a4d31e4cc0e7fc47165452e64e8ce

C:\Users\Admin\AppData\Local\foK\UxTheme.dll

MD5 cb490115408aaae226df2ef4df4be458
SHA1 40bc773e9684b4461065ca9c9cbaccf190ed68a1
SHA256 12c410c887daa27a43360dd63a651fec38e6dc8b9c2136baf94abf890a4f1cf6
SHA512 968ecc547c6fc13bea4292354a4877692c8d53bf239ad6b4a3a1be9a7c738a401ae057a2d31a15c0e71ee3631590452856386bc92b220a584b5c3be8fcc25620

memory/1712-114-0x0000021ED1550000-0x0000021ED1557000-memory.dmp

C:\Users\Admin\AppData\Local\foK\UxTheme.dll

MD5 c79e826d6c152c44165d77d4e8f22a5c
SHA1 00a39536f719a02cba30f7f12d893ee623f8b58b
SHA256 340bb47ed27d413a26e3ec5da87bef9c7c1565faab19f0826d4ff8325a8b77ce
SHA512 64175ecef47c5561a9b638483c2bd7686d96ab8d16c5df01407417a2d50d65538c2a232b0ee4a470d3f8d67d4971d4f20329a70f832d5c1fa6da69e86b5d58db

C:\Users\Admin\AppData\Local\foK\quickassist.exe

MD5 7e90d26977c85adeda62c9b9e977fb9c
SHA1 ed878b5c9b691c76aacc2ae785e1507b9ce29436
SHA256 17fe876b879ecb3ce95fbc8d3ae26290aa43cfead8704524f165de4eb8762bc4
SHA512 fd0a56d743464aa1b590abed66e998e57dbef0225a989df28bc9c7d28afcfd04ccff7b1b3a338b3bf37f792b084124c1e0c858dd3ed5297b40e4bccc1866c148

C:\Users\Admin\AppData\Local\XpojnN2Y\CustomShellHost.exe

MD5 51509f569e927d9d7e879596327f0ab5
SHA1 b3be76acc6fdbec4a304b13a2a40e9b2b19f9bde
SHA256 f42b1b5a9ba672fb65fae8f3a559045e84dc07d832b2929bbe843e05442b6878
SHA512 65ebdc84f2915462e05afbe3342a75221ef3db7fffc2e0f5792f0ce409c52f45f867085cfab1e12cf971b48751e50023a066d35ee70715e62e027762cbe6065d

C:\Users\Admin\AppData\Local\XpojnN2Y\WTSAPI32.dll

MD5 e822836374b41ca557575b0b4560283c
SHA1 6357b3e243df1e8d8b92f414a1a2586f1256dd68
SHA256 7284a26ee7ff119dec3f1a362e0bb72330b51fd1e7efcc4c32f7086861d0de7a
SHA512 f8d46dec649260fc51464e03872935fd543c66f02913ea14dd1c32d159061ba1604c904da293c53f0896543502618cec89af2d725d1a5be43a5dc9bfcae2c6fc

memory/2576-131-0x0000017997C30000-0x0000017997C37000-memory.dmp

C:\Users\Admin\AppData\Local\XpojnN2Y\WTSAPI32.dll

MD5 cf125b3244dc90f364217b3132741418
SHA1 76c6c684761edecc8984642d8e398d7b37a769c2
SHA256 7fe113d1315e3c04b0807e2c82c8f63df82463cabfdc5c2edfe2f1c20c173276
SHA512 e04d9b6e680a0a0dea013b08b51298ec3df87cc20b9521ab8fdb778508bc4ba0401361e018cc8aff04a92e7d77c1dd5e430d7f2124708c00bc74137b13409e8e

C:\Users\Admin\AppData\Local\XpojnN2Y\CustomShellHost.exe

MD5 40a5d03852374bb51a521a127430afad
SHA1 364cbeb430301f4ba0de27ae26eccf5b8ab8c4a6
SHA256 f6d2e2f6ea9069fa9a1a6f902bafeccc91b57e0eea275a92f9903406b3f5b2d7
SHA512 3224242d7645d6f2de054f0358266d36866d5992b834b43cb4e23acbeeb3d4c9601f46107fc826e7b5ae0f693bfc9a64f5475e93df362f6ae851ad3df51f0e41

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 5af8b40db59c78b5c63e7babbec70c22
SHA1 9c02be165d935aaf46846372efaf1b5dbf31933b
SHA256 f77a18148279552904961913439b558f55137c4a00e28c5f486aa8ae62eeb6bc
SHA512 da4c2dc25a8f0c88d3fbf00305cca234931ae2cd1ee8457b47779cd4289daeca1f76391773a641000a7246a9a91f2515ecf733b7b7cca804e24dd420873884bb

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PVsuq\XmlLite.dll

MD5 86757ff0f891794fdc6dcf299ff4328a
SHA1 54b3a829bd928bf13e48d49e66ec1a0658c23870
SHA256 dcdd678517cb46d264f4d17f760cde260d3837164e1bc4baee5503c8d54a8842
SHA512 073c5bcb3a89f2d9fba76df91d5fa68b8407c8b9ed632918d14ea6ee936090c8200b9aaa33553d7f01a3c260f66fd03d3ebb1510f28d6de384de88473cc99665

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\W0jbz\UxTheme.dll

MD5 af55724eb7a4272d97959ced0714b30f
SHA1 53986de2818239d57894a2ac1344ea6adce36a17
SHA256 d936674c11e9dd9aa5270c13e6657f2cda31dbf24c9250dc960bd5c317fdcf9c
SHA512 05ee3fca9acec9dccb249cf137091ffd28d9ea4be6d454dcb519efdb873facd1ebb03b1afbbff3c130ff0d9b2a3cb2a748f1469f0aad283cfee14e063ef4e9eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\0vXp\WTSAPI32.dll

MD5 6afb7f084762f7cd5682a320b299390b
SHA1 f72ecca44cb053565b12e13ba7f642b77175967e
SHA256 6efc9a362f460e9ce6fd9919ce4570c13fe450271afd792729e3f7d10d423568
SHA512 edb8c5c1159a15f9daf62d12d461f35495ee8bfe3e79d1fc783ef0231100d6e6abccf4096c9c0251554f918a782b0ee19ad4ad5e476ddef772a3507c9d23494e