Malware Analysis Report

2024-11-30 21:27

Sample ID: 231222-vxdansfbc8
Target: ffc534d7f4ae842b482459d6c9bdf83b
SHA256: edd5115e384baca646c21047b643317e71d268059851bb97426d07b1b9db9c23
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: edd5115e384baca646c21047b643317e71d268059851bb97426d07b1b9db9c23

Threat Level: Known bad

The file ffc534d7f4ae842b482459d6c9bdf83b was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-22 17:21

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-22 17:21
Reported: 2023-12-24 09:13
Platform: win7-20231215-en
Max time kernel: 153s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc534d7f4ae842b482459d6c9bdf83b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\4CGMM5~1\\SOUNDR~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (61 further identical rows with no details recorded)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1196 wrote to memory of 2092 | N/A | N/A | C:\Windows\system32\icardagt.exe
PID 1196 wrote to memory of 2092 | N/A | N/A | C:\Windows\system32\icardagt.exe
PID 1196 wrote to memory of 2092 | N/A | N/A | C:\Windows\system32\icardagt.exe
PID 1196 wrote to memory of 1988 | N/A | N/A | C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe
PID 1196 wrote to memory of 1988 | N/A | N/A | C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe
PID 1196 wrote to memory of 1988 | N/A | N/A | C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe
PID 1196 wrote to memory of 1020 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1196 wrote to memory of 1020 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1196 wrote to memory of 1020 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1196 wrote to memory of 1452 | N/A | N/A | C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe
PID 1196 wrote to memory of 1452 | N/A | N/A | C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe
PID 1196 wrote to memory of 1452 | N/A | N/A | C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe
PID 1196 wrote to memory of 524 | N/A | N/A | C:\Windows\system32\SndVol.exe
PID 1196 wrote to memory of 524 | N/A | N/A | C:\Windows\system32\SndVol.exe
PID 1196 wrote to memory of 524 | N/A | N/A | C:\Windows\system32\SndVol.exe
PID 1196 wrote to memory of 268 | N/A | N/A | C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe
PID 1196 wrote to memory of 268 | N/A | N/A | C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe
PID 1196 wrote to memory of 268 | N/A | N/A | C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc534d7f4ae842b482459d6c9bdf83b.dll,#1

C:\Windows\system32\icardagt.exe

C:\Windows\system32\icardagt.exe

C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe

C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe

C:\Windows\system32\SoundRecorder.exe

C:\Windows\system32\SoundRecorder.exe

C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe

C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe

C:\Windows\system32\SndVol.exe

C:\Windows\system32\SndVol.exe

C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe

C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe

Network

N/A

Files

memory/3044-1-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3044-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/1196-4-0x0000000077216000-0x0000000077217000-memory.dmp

memory/1196-5-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1196-9-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-7-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3044-8-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-10-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-13-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-14-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-15-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-12-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-16-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-11-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-18-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-19-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-17-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-27-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-26-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-31-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-30-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-29-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-28-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-25-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-34-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-35-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-33-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-32-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-24-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-23-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-22-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-21-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-20-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-36-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-38-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-37-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-43-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-46-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-45-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-44-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-42-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-41-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-40-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-39-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-47-0x00000000027F0000-0x00000000027F7000-memory.dmp

memory/1196-48-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-59-0x0000000077480000-0x0000000077482000-memory.dmp

memory/1196-56-0x0000000077321000-0x0000000077322000-memory.dmp

memory/1196-55-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-66-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1196-72-0x0000000140000000-0x0000000140183000-memory.dmp

C:\Users\Admin\AppData\Local\3DDyKG\VERSION.dll

MD5 a31a80d976a7df97e62989a077184f8a
SHA1 13eb241115ad7db63f586276e352edb6a5f8b15a
SHA256 b4de51b9b50c0c02de9218302d4ac8774a925bc5522e0b97041102d6ee623734
SHA512 022976d01a37f6cef50ac319fd3b90e8ff19f16d5e1a5fc8c51e9740dd64b3c81a8c95f9c66663a020ac9113792e23ebeaa31563b299e414416c62573e351bfa

\Users\Admin\AppData\Local\3DDyKG\VERSION.dll

MD5 2255f7b54f4983e50206f2948283a2bf
SHA1 2578e15b2cdf973a00289e4d7d3b8468c0829160
SHA256 d784f35948f3e05955708a56e47ab36c00e7960d1ab34e957e8fab7439bbba3a
SHA512 84c938e76879e19c219da349f9e97d843a167ffa103207596c723b28515f8795a96993036d03f298fbf26adae0a1158e139667542a15c14bb04bd3d2a3b703da

memory/1988-84-0x0000000000220000-0x0000000000227000-memory.dmp

C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe

MD5 fe114118c0989f57765e7579a931dc68
SHA1 142e96c7e490ffe22558b8c48dab6294478371e8
SHA256 0961b5506a1bbfdf39a887d3a59690b5a0a938a0ba42cdbf6c58f0be560075ca
SHA512 fad8cec6b27ac4c13a631d775404cb7109eed180da1aee0719c9e8e819049953f849f8443cd3aef9ac8b2ccef04282221b2c486e1a7ea3d20a595aba5cbc37e6

\Users\Admin\AppData\Local\3DDyKG\icardagt.exe

MD5 4d0d61ac2062f6264a91868b20ba87db
SHA1 ec59d4b33e63c8615ee30faf4c91e2b12eff08e0
SHA256 dafabb3f979b4c4b5bafd9d64e8514bdd2cacf67b0fece899d55ac6cf96e2f25
SHA512 5b48462d31c3c0de3b0432afc218ea6f91d22b609ffa8f0f480dc2f22486e64ad26a1030f2065cd8b262635e78bfcdb16bba08303f7391d051e56021727b02f3

C:\Users\Admin\AppData\Local\3DDyKG\icardagt.exe

MD5 7c406123a0548a1a9deca7dec9191a01
SHA1 eab8d75728cfc08e338a0cfba5f27cb40e1ebd0a
SHA256 4ebedd9561540ad1da4141d5eb3e8cec8916722d3d764d172705d63c3d116c30
SHA512 8eb727b879f0642468bddcd928016f043efc3664d9ce8da7e466bb0fc040b66374564fc9626c906fbc38b1801f1d73ff3dfb3958082801c3b9f9e3658efc28e1

C:\Users\Admin\AppData\Local\UV7ipgUQa\WINMM.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\UV7ipgUQa\WINMM.dll

MD5 246ef2064ce46caec8a8794077ca9490
SHA1 e8faf5c9d43dc801d07548d3a9338f766fb7e0d8
SHA256 0699ce390b7e03519421e14b08ae0409618153088d53bb3cbdeadfd2ec13a276
SHA512 db1951956212aa1d5086df997f3a6a9837c8da7ce001cbb8ea559c35c9c21ea39c70454b891ded5ec0fd2da6617295bc126dd214de4d520f1f507f85305f538c

C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe

MD5 5c28dff02d93e6bc5b146ea5a197b68c
SHA1 9c3865393a3dd930315267bf2ae56f46a4cbb157
SHA256 24b89dce76f8e0b4e918a158d31d537a78aa2f0cb56dab89f62f6613dfb01ec4
SHA512 9761b0a6842be3f5686fc00cfd7075f2c3778480ccf20a343716914a9975d60d05fb687e36cf0d5ffe76411095f30920ed5b6e4b3f04087a2568dea5a76e4354

memory/1452-108-0x0000000000090000-0x0000000000097000-memory.dmp

\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe

MD5 47f0f526ad4982806c54b845b3289de1
SHA1 8420ea488a2e187fe1b7fcfb53040d10d5497236
SHA256 e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b
SHA512 4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

C:\Users\Admin\AppData\Local\UV7ipgUQa\SoundRecorder.exe

MD5 0c1fb28a0de7cd99f98b6a4bd7a8069a
SHA1 5962ae20a002514fd5450e57e7e159e322b180bd
SHA256 04552d919ba006a39b9620fea2d4f88c2ae2facaf59473bd86b487f74d75d05a
SHA512 d7a45c347a50558e998cc8429572ac81e1d3a8bd9b5863880a13a7cb93d066251bb803120ab950b77dffcb1268ca03e49e890fe7e3f9ea4669b8f77dd3a23a3c

C:\Users\Admin\AppData\Local\rWeeZxI\dwmapi.dll

MD5 f2e8483e992b9ed7b36728e4b28c4443
SHA1 e41b5cf157321e8e353b1c00ba4338d5cbe09bc3
SHA256 b53c9ba382fa2c5b57cef936c56e850c9cd7e63fca2895b0ea228f83fe4f8ee4
SHA512 7ffb77efe875406d563fdcee4d7699a13cf223edc1f925f722310c2997bffbb7e4165ba9b531270b27981804ba3c6b3da9b048b8847f2e5a08f955d1bcfd702a

memory/268-133-0x0000000000180000-0x0000000000187000-memory.dmp

\Users\Admin\AppData\Local\rWeeZxI\dwmapi.dll

MD5 9793e6e55caf039e648a1708bbd509c1
SHA1 2111e34a18f785a9786e2a36bcb49d2cbb10c87d
SHA256 9aa57ecda8f9324ba13fc32e7fd7e65830014bbad45f82ec6143cfc05118bb77
SHA512 adac8a986a3673c9530369c4788d7c224eaba8e4325223299670f51a927229ad4ab365550ce96a52a08bf9e75f34d3d4e8df187a98cbe05653bf254ebf246507

C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe

MD5 d484e0302f0400a7586e52213d6f8db3
SHA1 a1ea3f124fe8abedac7debd7ed4a98bcea705d0b
SHA256 85b05a7497d53e64a726fec91507ebf9cbdc115f14d227f427e4fbb460e1f278
SHA512 90d89c186d345a9f7c298beb5d7711c87de0b199a7bfcfcef11653996613d5e83e3da632be97fe82d154b973617f1fb67ec2a51a331699c9b71e7dc408a83bd7

\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe

MD5 e137c6bff3af6bdfa68e0d3aa2ee15b2
SHA1 84895c64a8df0c786a5526c7a5da77702bbf7d30
SHA256 bed1175c90e4a8fdcd5e7a4902abacca555380a238092abdbd1d23ddf50360d0
SHA512 16ee7fb5a2c86ae75380d347f1813cf86a680581f844ffc347fc15ade5c055d7684062e255707494617b54cd40fea7e32999771721d67376269e04dc69ab4d4c

C:\Users\Admin\AppData\Local\rWeeZxI\SndVol.exe

MD5 02b0c6f460c13666e88d39ed6cfd9d96
SHA1 c0759fce22f1ac862ffc92d1e79ee8bb0f3cb3d8
SHA256 45c61cadd1c6fea3baa517252ec2f59b117297ec137f8512de556daa23b951dc
SHA512 6678bcc7c7c48c34e08634a34ff90ee27ce900f62536b10f003df61e7fa8e60f57072b77c616df5493512380e49f971c8bd216277e3818d775b7ac3d0138c4e4

\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\qhxe\SndVol.exe

MD5 9c1e4218600731194bb2dc94b3b371e2
SHA1 8a7d6b87d0002338916f07d22ee96d01b97be20d
SHA256 e9d7d229d5cb548d3b5a18c666b7c724f737a2a828c19b631d8a7fe770f9d153
SHA512 c145e8d432674729b0005210d5b2abca96c7cd036b382112d4a39b416f4d11de5973eb3bc12ad20d1af7e80a2ac3681df419e0f5d283e6fa1c6415341af2d664

memory/1196-153-0x0000000077216000-0x0000000077217000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 4673d1947bbba2167a37796b87fee55b
SHA1 3136284bdf9c89e81da615c1cb694f1022a9ce63
SHA256 eff00e101c44f46905ef0d8b14752e3ca5b92e097f1a80888baae63e2d71d4c9
SHA512 38edcbd86f9d125c0ddec39fa9d7f2496baee679787dd329e810f8f0c88c0ab011384c34c89e0ae164186b6a3ebd44423dbf0e17d3ba8441b279172b5d9a37cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\iugqAeiOmi\VERSION.dll

MD5 f016b71a7449a608d99362bd557a2520
SHA1 88c703b7f3f86c428008c3224b39e3e19f75ff83
SHA256 ed6938c029332ea842066b1f1c7b1210258636345d99173f556496468b6ee589
SHA512 5515b74e64be382b980523d586aca44e6ffcb0afd35ffe384463b9ac62dd13790dc2ba6ad2497ee881356bd60df0ec3a2d2145d74f6c942f3abcb0f6cd32d937

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\4CgMM58Jp\WINMM.dll

MD5 1afb2c18f96da77eab89b0afb55efe8f
SHA1 41426bd74a7761df70d7d6ab059053b9acc4f0ee
SHA256 7b98d9dba6bec66e7d824dcc36ef066a0d2a56935dd1cf10f8ae51313fcffaf5
SHA512 f121901ac0220a06ca3a5cd75f14b789430d3499a043e72f3d92407e73968e9272b68c8118a4f469624bc589af815880a3102e4cf801b3d68b39bf7bb34c832e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\qhxe\dwmapi.dll

MD5 a519b5a7222eaf471b817f175795fb03
SHA1 28e81f8d2e45d954f2e943ed680f2b24d17006c8
SHA256 ca115d18ea55f4aa1c64b80b2aab183b910e1c60607157270d74213caddc965c
SHA512 b8114e5e691307fa13d106605da23dbf85ef8869bf9986691d679907ac1d60039ef1c9632e8ebcf606d4994fdf9cee4cf5ebffb076e5c9bc97fb7ecc9d24ee7d

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-22 17:21
Reported: 2023-12-24 09:13
Platform: win10v2004-20231222-en
Max time kernel: 150s
Max time network: 147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc534d7f4ae842b482459d6c9bdf83b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\tpA1kPMd2Z\\OptionalFeatures.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (60 further identical rows with no details recorded)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3480 wrote to memory of 1108 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe
PID 3480 wrote to memory of 1108 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe
PID 3480 wrote to memory of 3996 | N/A | N/A | C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe
PID 3480 wrote to memory of 3996 | N/A | N/A | C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe
PID 3480 wrote to memory of 1008 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 3480 wrote to memory of 1008 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 3480 wrote to memory of 2212 | N/A | N/A | C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe
PID 3480 wrote to memory of 2212 | N/A | N/A | C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe
PID 3480 wrote to memory of 680 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe
PID 3480 wrote to memory of 680 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe
PID 3480 wrote to memory of 372 | N/A | N/A | C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe
PID 3480 wrote to memory of 372 | N/A | N/A | C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ffc534d7f4ae842b482459d6c9bdf83b.dll,#1

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe

C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe

C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

memory/1016-1-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1016-0-0x0000022567A40000-0x0000022567A47000-memory.dmp

memory/3480-4-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/1016-7-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-6-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-9-0x00007FFE4AB8A000-0x00007FFE4AB8B000-memory.dmp

memory/3480-12-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-13-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-11-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-17-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-18-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-16-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-21-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-23-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-22-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-26-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-25-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-24-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-31-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-34-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-33-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-37-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-38-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-36-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-35-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-32-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-30-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-29-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-28-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-27-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-20-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-19-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-15-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-14-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-10-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-8-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-41-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-46-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-45-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-44-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-48-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-47-0x0000000000CD0000-0x0000000000CD7000-memory.dmp

memory/3480-56-0x00007FFE4C300000-0x00007FFE4C310000-memory.dmp

memory/3480-65-0x0000000140000000-0x0000000140183000-memory.dmp

C:\Users\Admin\AppData\Local\RfD0a\WTSAPI32.dll

MD5 b59f83d06e0b518473c4af064bc292aa
SHA1 dadcc26b02ab1527392f892f6045c4b6f1f07ac3
SHA256 3a6ef09cb6232b0039bddfa5c27e0d6cb8c2d2b876dd711c0f2943bb51f7869b
SHA512 4e830e711ebb7bad83801a0dd141de33ae42e0ffaddb0afa5ebe5a6db244f14646575107f255550dd20ad1f76e1dcb968652371dccc87bdd9605af640c62cc9e

memory/3996-77-0x0000022B08DF0000-0x0000022B08DF7000-memory.dmp

memory/3996-82-0x0000000140000000-0x0000000140184000-memory.dmp

C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe

MD5 e3a89c145fab99bf047c84aaa89799c7
SHA1 f5a0430cf9e7148dc8f03b1bdff79dfd098ea33b
SHA256 24ff0db52cbf8d8a3a77f6e4e07de74c74d0f4e710c1dd70fd81f9db83e47578
SHA512 4b51dc600446087aac4113f5df288aeef66a9a269f2f027ec78b1b93820566a4f3ab1af3aad5cf0880c428dd1241b2b7d8749060b5448ee5d911f37b4ce3631e

C:\Users\Admin\AppData\Local\RTZOS2I\appwiz.cpl

MD5 b5b11dd493cf110be72334454aba433b
SHA1 f868b2fd29cc081403c036e730105386280b1e4a
SHA256 4f9257ed3c4c95726bfa6eb868b27fe977e64210cca7f0b54f84b7a46df01f83
SHA512 a81afcab7f5473eebd2b29c4ca74b867f78776074ae626752dd1edb4464f0146b9f9991fad776c529d51a54a9b2470495d554c77dd590cf8de77e271e3b9122b

memory/2212-95-0x0000013FC35E0000-0x0000013FC35E7000-memory.dmp

C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe

MD5 3ba651f6b3bbb38bccc32c3bff684283
SHA1 e81292ce436222cefef3f25053ddd2a690eeba32
SHA256 be82f9afdd7d813bf1846970d4c97e2e0c48592ef9c2737456780036cf50c282
SHA512 3d7ae8ade1039c7a879636a7daf124079f452e5d1da6648d914d646e32389498672d4e38ba3890b0462e641892f5da0dce4d8d37c63059609dd4b879346dae56

C:\Users\Admin\AppData\Local\htQW8tzp\WTSAPI32.dll

MD5 c875d6faaee649a20a3d72de6cd29b45
SHA1 13e1cbd9bf686a9c64ad8ff99cffca7a8b50db47
SHA256 0b19482925e8d882dd2555f6fbb1f22a82095f0cb8ee42a60daf6f5edd8507d1
SHA512 9e38449033acbc6aeb218aa3773c2448280596ffb7ff9ad2f3f0058b2341ac5dd2addd3dd59f0c9bbe22db0b86112118a09444d973e36e544125d22d6448da3c

memory/372-110-0x000002E70A2C0000-0x000002E70A2C7000-memory.dmp

C:\Users\Admin\AppData\Local\htQW8tzp\WTSAPI32.dll

MD5 7359ae495306f5507ff51feb48a5137c
SHA1 72dc4034d43fecd85874ca24c13003c0ae9f959c
SHA256 16a2688b065671665850a18ca421fd44444f34f57da908082e2fdebb386d988a
SHA512 788d87f075a648b87dfbd4b898b713ea58759bca1e62a1166fe98430fb1c606c66d696816c3748ae7e7366bd08a25e66834200cc520d862749ed2a14345e0a02

C:\Users\Admin\AppData\Local\htQW8tzp\BdeUISrv.exe

MD5 4018ec8a19c0795c624e2e111f90b535
SHA1 2fd2365b6e5ce56d1dcfa00ea1694a8682c5861a
SHA256 36c1153dbe32c2d5d77e44608c665745aa6ebda83ed3b5dfa23bf804993b61f2
SHA512 b677046bd6e390bfd026f37f405b46c37e671253a1e2c29ce4ac25a2a5edf86ae8b71de2e7b6efcfa1531d2c293cbf2f61b3128a0a71b9cdf721f03189d7cf7b

C:\Users\Admin\AppData\Local\RTZOS2I\appwiz.cpl

MD5 7c02cfef846d97270949979d0e3c141f
SHA1 28311ee286528cb22b287e976b3f5cbbf84da106
SHA256 79ddfcba287936c9f38b914791522b9d017383462c6ffdc3f0b0dfff4186063a
SHA512 8b8cc6e6986bda48d038b03bb0bfa74de4193132e2cbbd5d70149530d5d5f290bbb949b34b8537a23dc679a858f44966208059bb3872f621ef502a4f6867985e

C:\Users\Admin\AppData\Local\RTZOS2I\OptionalFeatures.exe

MD5 e168c6143af8d783b72b5ae4db230796
SHA1 7c4d30a7ffb00662e7f38c96ddc73043114ece61
SHA256 d64f277a1cb27338dc9bf0a5a5c6f47311bfc6bfb59766d32e6e46e582463b88
SHA512 40e9ab9258c3861a90c3d8e7c8fca7afcb9a088597215952f7e08a190e6603321a31b872e57d66f5dc6a4a1df3a1c71853872972c392671693b8d7f9e2d90827

memory/3996-76-0x0000000140000000-0x0000000140184000-memory.dmp

C:\Users\Admin\AppData\Local\RfD0a\WTSAPI32.dll

MD5 c4b2edf7d7f0e9c6fad896bd8856e174
SHA1 86c6a875909b585a696700e6af5be3474ea3b4fa
SHA256 66b3859cc619c44d3216aecb6babccb94107a27e5fd8a6e6a9b15034f5421f7d
SHA512 ab4f14f6e922c91eb13ce72f4530c6cf7ac1fa9d0cb1c47fd1120fe0173d673f37d3f3c7a317bbea797f52551eed5c8d5493047e1b7a6419bb554cdee2764eb2

C:\Users\Admin\AppData\Local\RfD0a\BdeUISrv.exe

MD5 8595075667ff2c9a9f9e2eebc62d8f53
SHA1 c48b54e571f05d4e21d015bb3926c2129f19191a
SHA256 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db
SHA512 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

memory/3480-67-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-55-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-43-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-42-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-40-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3480-39-0x0000000140000000-0x0000000140183000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 9116abcd6aaaa5747234ba0b5801ae2b
SHA1 65a5282e6858f800bc3a21807b52b009245a3f26
SHA256 74744fc1150dd6c488bc56453fd01ee1b6f88e376aef8a9896a879d0711934cc
SHA512 60c94678a610d56c29de3033c6ce952fc08a59d2fb7ceab1a1805cb1001b63acf80cb10d07249d76a5b4bdb07a316244c60d54ded8ff511cc702cfd20df22a40

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\vKMGJ9hF\WTSAPI32.dll

MD5 b2e7e217a8d999fee7a86b4ecedec76f
SHA1 d53096479daebe9e73bcc655fb6aff8c5ec3f70e
SHA256 24d8e92753921a8a011acea957a9f9d3e9032d8184a146c6ae36b856a5f0096f
SHA512 834458b7d349345a8d26372da72b5954dd4c61cecdde47a2689dde12e825311eaa88bcffbe111a3eb349006467b1ebc832ec1cee26bfa486861f66cf051db7e0

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\tpA1kPMd2Z\appwiz.cpl

MD5 1a0c5ee0911774f20bafedde4ad8d25b
SHA1 6408f911329b3ba8ba2d6b1f979be923e7ef5ed2
SHA256 009e30ac140775de5f78c8fe0effac7072f6b8d648978a9dfe936c9c6dd47f5a
SHA512 bc33e3f6df5df7f7cdc0f8628d77be8af55fea76eabe0e23246a1dc27ba71b8541595fe371e66d8c6d828f06f904aa73a37e093445c1f4d6b5fa766dc33de29c

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\oeCmqtxx\WTSAPI32.dll

MD5 ce17b59c0a46de6a8ab566af8007a84e
SHA1 e573c479ea1b60160cb8bb85c7cb5ccc9fe99af1
SHA256 3df35ab28f39191c3c756763c1c8a0495693322248648a32b4f8d29721966d27
SHA512 2bb08ba8589d18decf2cdd04f8a0cb90d8c4181f89abe7c710f614d87ba646c98da4b97cfe4cfa062d075d342a6cac06c1b2a2a5ce30cd61fbd1c9a73e4a2461