Malware Analysis Report

2024-11-30 21:24

Sample ID 231229-yjajeahgc7
Target 023797dc02047e4d9ff5a2192e29df8a
SHA256 9f8c3763244712c98190cd47b908b20c1a3486de99e3cf4b0d9b59b02bcb5f9e
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f8c3763244712c98190cd47b908b20c1a3486de99e3cf4b0d9b59b02bcb5f9e

Threat Level: Known bad

The file 023797dc02047e4d9ff5a2192e29df8a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-29 19:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 19:48

Reported

2023-12-29 22:15

Platform

win7-20231215-en

Max time kernel

65s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\023797dc02047e4d9ff5a2192e29df8a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Tqepb\spreview.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\L4QizKCcnt\\EhStorAuthn.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1204 wrote to memory of 2660 | N/A | N/A | C:\Windows\system32\iexpress.exe
PID 1204 wrote to memory of 2660 | N/A | N/A | C:\Windows\system32\iexpress.exe
PID 1204 wrote to memory of 2660 | N/A | N/A | C:\Windows\system32\iexpress.exe
PID 1204 wrote to memory of 1924 | N/A | N/A | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe
PID 1204 wrote to memory of 1924 | N/A | N/A | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe
PID 1204 wrote to memory of 1924 | N/A | N/A | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe
PID 1204 wrote to memory of 2984 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe
PID 1204 wrote to memory of 2984 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe
PID 1204 wrote to memory of 2984 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe
PID 1204 wrote to memory of 3008 | N/A | N/A | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe
PID 1204 wrote to memory of 3008 | N/A | N/A | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe
PID 1204 wrote to memory of 3008 | N/A | N/A | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe
PID 1204 wrote to memory of 1252 | N/A | N/A | C:\Windows\system32\psr.exe
PID 1204 wrote to memory of 1252 | N/A | N/A | C:\Windows\system32\psr.exe
PID 1204 wrote to memory of 1252 | N/A | N/A | C:\Windows\system32\psr.exe
PID 1204 wrote to memory of 1308 | N/A | N/A | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe
PID 1204 wrote to memory of 1308 | N/A | N/A | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe
PID 1204 wrote to memory of 1308 | N/A | N/A | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe
PID 1204 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\spreview.exe
PID 1204 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\spreview.exe
PID 1204 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\spreview.exe
PID 1204 wrote to memory of 2952 | N/A | N/A | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe
PID 1204 wrote to memory of 2952 | N/A | N/A | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe
PID 1204 wrote to memory of 2952 | N/A | N/A | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\023797dc02047e4d9ff5a2192e29df8a.dll,#1

C:\Windows\system32\iexpress.exe

C:\Windows\system32\iexpress.exe

C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe

C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe

C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe

C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe

C:\Windows\system32\psr.exe

C:\Windows\system32\psr.exe

C:\Users\Admin\AppData\Local\Tqepb\spreview.exe

C:\Users\Admin\AppData\Local\Tqepb\spreview.exe

C:\Windows\system32\spreview.exe

C:\Windows\system32\spreview.exe

Network

N/A

Files

memory/1872-0-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1872-1-0x00000000000A0000-0x00000000000A7000-memory.dmp

memory/1204-4-0x00000000776C6000-0x00000000776C7000-memory.dmp

memory/1204-5-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/1204-9-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-18-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-29-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-37-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-42-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-46-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-47-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-55-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-59-0x0000000077930000-0x0000000077932000-memory.dmp

memory/1204-56-0x00000000777D1000-0x00000000777D2000-memory.dmp

memory/1204-51-0x0000000002E10000-0x0000000002E17000-memory.dmp

memory/1204-66-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-45-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-44-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-43-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-41-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-40-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-39-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-38-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-36-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-35-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-34-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-33-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-32-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-31-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-30-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-28-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-27-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-26-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-25-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-24-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-23-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-22-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-21-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-20-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-19-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-17-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-16-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-15-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-14-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-13-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-12-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-11-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-10-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1872-8-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-7-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-71-0x0000000140000000-0x0000000140248000-memory.dmp

memory/1204-72-0x0000000140000000-0x0000000140248000-memory.dmp

\Users\Admin\AppData\Local\RhTaSE\VERSION.dll

MD5 81732bba72971541eeddf71e39cb206b
SHA1 a84ec3c1a76f237ace52360cd93ac6048ad73682
SHA256 496bb8d799ad1b537e92231d8a80f4cefdfe372cefcfe666602ceb7e93a47f29
SHA512 99e33675a374e91c06f1619b125e89b420863a19b88d8fd120acf6efc86b38804400504383e296e0f745eb445cd7b300ba9e1fb1a3d628ef2b27940dc121f5ef

memory/1924-86-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\RhTaSE\VERSION.dll

MD5 b749ef8af1c46da616f42a7cb1b511f0
SHA1 62aeaca473c3249294124d8d810bcd3443b86752
SHA256 58283fdfc30dba7ad0048cf70eee5b5434b9bc4646c62d47b2a31c5bada52f75
SHA512 902b8fc797b8dda0e43f692acdf7b74815a467a2e861e389e35f24b5e875272e5efd9390a8ab7676b43f45b0d32b0f3095c20eb869827c3f7856c5d77349ada4

C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe

MD5 2ef15379cad403b515eeda3024fc582d
SHA1 a13a2775040ea5f007109916d4cbb5a059c2686a
SHA256 cf7606deb64f568ae63eb0e31a58bd9f5b647b6f53a8c7a67bbfd3df7cf952c9
SHA512 dde73caec9ac9fd1a4e29ad3734e6acad55a1569fecb4223b70b033284a564ed0e5cf097081c957616d2c37b860406cf4503bf1d5f74f08c2ac265b9a9372172

\Users\Admin\AppData\Local\RhTaSE\iexpress.exe

MD5 ed7b3658c6fedfef6d28bc0597bbf3e4
SHA1 21c95eafa87c806b47ec99a29c2891a93e0bec00
SHA256 b05131f4ef32c511978e3bdb54e6dbf5e5178c316f33dbb1344fc77f39dc17c6
SHA512 dab70af7b061f5cb4c33c82a3652f05522d30bf7641760f9b8170ccf05cb0f7050864ce96cb2eeac1134f88aa26d4c06303db69826d36973aa20bac22718394d

C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe

MD5 7becf6798af32e6ed52e09ddae0f3638
SHA1 56c30c16bdf7c65d6f5548d7c8f23e16d34b863b
SHA256 9952cbb3db723c98baaad7dc191b03d79ac765250169d695771cc5b2f19ed388
SHA512 b6b2b37ad97f0d7291703c1a22673fe6884c2c4dc1988dc4a88533b10ebed53785e1d7ba6b6eb2639b9b0bbb838bf28b4cc7d1bc49282522315f2037e26b7430

\Users\Admin\AppData\Local\ClC5\UxTheme.dll

MD5 15ee7fc73696bbe4f711d623e942e3cd
SHA1 c09076a8da10e188187ad79b62a9833b01ff9e01
SHA256 2958ffc50eae2b097c92af4ea20efbddfdde6231afc2a823de5bb7c87af92e69
SHA512 0aab112f5c191570ce2622a7e2be83570f1f0b159d0dabf8f96a798e790158829a1bb5236107169a6a58e3201f1dbc3c4c09aa24fcd27c6a47d90286e2e166b1

memory/3008-106-0x0000000000090000-0x0000000000097000-memory.dmp

C:\Users\Admin\AppData\Local\ClC5\UxTheme.dll

MD5 4554a7c3f834e4295314a635471c8717
SHA1 656252a565f57e836459fe357d7f021ab0bbe3ea
SHA256 84f1a1bd3493c088560a8114ddd8594d6dad14f4dd832175b813989980be355d
SHA512 7e2318db565753efcc099ef83a992e4441e032ac3b51cc404ccd6bba00116fc8f6ec6a6b00e239c379f206df2c98e3fd810af2ee30476ecce1541fb8121725ae

C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe

MD5 3abe95d92c80dc79707d8e168d79a994
SHA1 64b10c17f602d3f21c84954541e7092bc55bb5ab
SHA256 2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad
SHA512 70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe

MD5 fdb0c8ca2dfdab29f0228c7174717ba7
SHA1 3c9f315b9a473f88e86a7a9a2c74b0ad9a7ea495
SHA256 80ec6b7cca8cb46bc3bdc051def1e4999c3989d668e9a553bd83ef6d91595fd5
SHA512 e644079f38f125edd9268167f6c0250264406837cfe30cf091bec9cbb96a1e11876e2aaee6ac58d528f142d629d171937d32d6e68af1b858316a48a0226d6a3c

\Users\Admin\AppData\Local\5QUshV5ee\OLEACC.dll

MD5 844361270d9275e521fdd8f56b3e0d94
SHA1 4df7da927cf81a29d98e39e4f83f30eead59da55
SHA256 9c10d992b7810f6ba1a59ea37c62a419442c086d5b989b60b55f714535d8124f
SHA512 641e1dd2a3efef8331c34d55f8eb83fbfc5aa335bca0f34dd35d3578dd243a6475b13854c9ad9f640f2e7ea792666439ec31d3ee34b2ea8ab639e65c28c94740

C:\Users\Admin\AppData\Local\5QUshV5ee\OLEACC.dll

MD5 71d96c8f73d47bc7919218d2b4be28b1
SHA1 2c1efe6e84641e96c8601d9d16f581f1cf9bf7ef
SHA256 93426c82c023d83a9f9935f3551b0690bf632a09779c0d5637e77584a3d53420
SHA512 158f5e6447a0608855c00360303570483b4ebbf0af8b34c0d8ae091343582725b23ba89aa1d25412db28459a79402a8d24605c903e15ca9c095775405a0d8e49

C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe

MD5 98c6f3c6536b6dbb84fd7f758fd2a663
SHA1 a2f4bd4512a3bbebabed8cf0e5192e72f6a446d8
SHA256 c0d1fa5e382b3e4d2786babd3b4d3f571cc7321a9248f3837f05b9e577d96972
SHA512 a34c7206c1cd85e5043ecd044fe3c20a71934fd5781da9e8cfca6bbc470151937072ad1bfccc679aad4823056465d54b668fd7432f116201c0b1a93269e02160

\Users\Admin\AppData\Local\5QUshV5ee\psr.exe

MD5 96680c01171b4be738b407a3fbc24426
SHA1 792f7b4bcfa7022515bcebfc6c5c7bef29ee6d0b
SHA256 398fd8e3d957a1b8b815bab3682b515bb9f9fa0cc8c301cb9fa3d5c944e14d11
SHA512 e95aec615ba040b77f28fd1a7d593310570d850801975d76252e436d374497d1c8256b6a3385faeac44b49da460186110839f3f4c9242b87334552d73b5a6e0e

C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe

MD5 f264eff76631ef35d6e44985008935c9
SHA1 3e6dd245779a519dd7152a946c72e85284dc9fe2
SHA256 5e8c802882e76a071d263b90f70207a03f745d4fadf43ae7d1c0af58a4c8279e
SHA512 7ebd601ba50edee34070cf17bd6ceee4932766b3f50560a2fe10427102ac7eecea629aa7abf9de610afcf709987c678815bb762487f763e2e6daef6546ca35b6

C:\Users\Admin\AppData\Local\Tqepb\VERSION.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Tqepb\VERSION.dll

MD5 c209171baf84453a9c1f0a8816bd64cb
SHA1 415271f15e101de24647259b4cb491b5cc93d898
SHA256 a43c725c3feb4a7a9eff9b9b8c83043de5963a60f42f57d3966a4bb27c929a5b
SHA512 f8f8bdecb0ee7d75fedd15356b65a85e92ba32354d37e54c7593fbcd5b2ac52f69000d1b25d7c8f4664b0a20e1301121582ccb17b30e667b31946eca92cb8ebd

C:\Users\Admin\AppData\Local\Tqepb\spreview.exe

MD5 f918ad016b81bf932c74927a3a58d7e5
SHA1 9fd4df14fb4cb01ff7803cd981bc0c62c689b3b3
SHA256 bd21fef1fd67d3f8c2b9c70be83161037d507a92f6df850cbcbb471dc56d5531
SHA512 eefb44c9aa15d08ca5a424dc6e0cdf34e21ec84f0d25deaf654bb41680ae7f0c21f7e15360e76b69e66a9f81adb67ae4afd26fc03e06738647c1b12fa41f1a2e

\Users\Admin\AppData\Local\Tqepb\spreview.exe

MD5 8b1a3d05e56d223ce7ea011addc808f4
SHA1 cebf2598950746af32999a3359da5142bf4b5306
SHA256 f6ce83287a687c7b148398bce3361bf08c2e2b379046e19166ccb537ebf3b958
SHA512 b9216be6cd7cb1bc6f036a79f8f71079476e59fffc61a24009bc3ae94da4f9665ea8735f244b3afc44937a5d6f72bf13995565c324ca99a70891a109b4e85b61

C:\Users\Admin\AppData\Local\Tqepb\spreview.exe

MD5 465eccbf6eecee3f4a69008320be3b4c
SHA1 601ccfe263f9ecc2bfa22714112861acdd51b7cf
SHA256 75367ba2a18e669d454abb21b18339f78b316778b77739e80e7443106a2cd894
SHA512 d4c1ca5221d2e4553f04a5356ebabeb7ae87d80dc5a838265edff3418df8b1cb71ed2f697b11c74396ceccf86bf0d2e6f044272324563ab26fa152a89398a743

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Q6r\spreview.exe

MD5 c4c7048426ccd375de1fee7b0cb8cab9
SHA1 dff4a99894a50f2c954e9bcdfc7ab0f4175231eb
SHA256 806566781ce41e8340a9c8d077d8681b1b752c8fc27daa6af4ad853954f5328e
SHA512 e59b0a983d2bb36756d602616e076b4784313b3c2491cf0d2d77efd74dd4c24d25d4abf215af6514ca992676416ddcb01319a7e105efd2b5b925ab877c742c94

memory/1204-169-0x00000000776C6000-0x00000000776C7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 da2014bea5e7343ff57ed6cc0aa87076
SHA1 39a968dd9647559b001d95f170674285ab6ac437
SHA256 58c62e7c803099133e570d0357566f8a0ed452c82c29a1120de5887beed4c490
SHA512 69d16a9595c69b787786de685f536fddbc8ada7ad3b927c72802fc5cdaddc455c2dd81156c7d74ec4e369fda3d8c6eca3edf82a57f97b6045949b1f9aaf928c8

C:\Users\Admin\AppData\Roaming\Macromedia\vg2KZ2\VERSION.dll

MD5 4c5f88de373d25904f230d85fb2f50d2
SHA1 4e7255faf9cb91da1f4d2f647b125419b1aeeec5
SHA256 7000614148dc929d1a2759a40709b82aaa8b4aa74d18f720e3489d2a2da333cf
SHA512 6d9c630f5f09356d52743b61d06dabbb8c70c92722172968d9e7ed92c388f3a801bf5facaedffa5b71447dc337296c64103deef2f5ccbacac9ccce2babf6924a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L4QizKCcnt\UxTheme.dll

MD5 a4cce9f3712598402008ee26642f0495
SHA1 a2e4da79d3f83711ecf12a21426da0f9584f7f30
SHA256 d7978b7cda4da6d0235ac82e2dea6e5ba2642e0868131a0bf1050498ef2f4f8b
SHA512 ec22a6a02bf100d420b44e015346cbcee22c7008b84286e543b79719facbe2cb19773ea3a31b26c6385f8c32e0bbfc7009d368e4698dae030053b6b952b0301a

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Q6r\VERSION.dll

MD5 c69348776f573defa00ce71d1c558a21
SHA1 a17c50ef763901e40416bcdb2134b864c77babcb
SHA256 cc86e0d2696e9ec0b05ac1316932cf2b1bf188c1a4ff321a05f30eff01fd174e
SHA512 da79a4d093b2dad2a356dec21ab30ad2ac77f6502111b7950a61fc17c66fa503bbc20631c4a0bdecebe4774611eeba7255412fe904be5229b98c94b9a6be71eb

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 19:48

Reported

2023-12-29 22:15

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\023797dc02047e4d9ff5a2192e29df8a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\023797dc02047e4d9ff5a2192e29df8a.dll,#1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\LicensingUI.exe

C:\Windows\system32\LicensingUI.exe

C:\Users\Admin\AppData\Local\KB5CgUxjh\dialer.exe

C:\Users\Admin\AppData\Local\KB5CgUxjh\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe

C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe

C:\Users\Admin\AppData\Local\r9IkvDO\dialer.exe

C:\Users\Admin\AppData\Local\r9IkvDO\dialer.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp
NL | 20.103.156.88:443 | | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/4812-1-0x0000029DDA2D0000-0x0000029DDA2D7000-memory.dmp

memory/4812-0-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-5-0x00007FFDC2DFA000-0x00007FFDC2DFB000-memory.dmp

memory/3428-4-0x0000000002E80000-0x0000000002E81000-memory.dmp

memory/4812-8-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-12-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-17-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-18-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-22-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-26-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-31-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-30-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-34-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-38-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-39-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-44-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-46-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-48-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

memory/3428-47-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-45-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-55-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-43-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-56-0x00007FFDC4D40000-0x00007FFDC4D50000-memory.dmp

memory/3428-65-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-67-0x0000000140000000-0x0000000140248000-memory.dmp

C:\Users\Admin\AppData\Local\KB5CgUxjh\dialer.exe

MD5 b2626bdcf079c6516fc016ac5646df93
SHA1 838268205bd97d62a31094d53643c356ea7848a6
SHA256 e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb
SHA512 615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971

C:\Users\Admin\AppData\Local\KB5CgUxjh\TAPI32.dll

MD5 53b19f4741865c00149f7ccd4114443e
SHA1 ef11b91625870aac6d44ee8617e1e4d25ae7f3ad
SHA256 3aed139ae8d03c9c789b8b73c957b3b09b588d7ee4f97a21f3627fd32522703f
SHA512 8b0d28956d076b5237761e692123e9dd85ebb4c69db69e6e48da3b5e0c34492300ce1c406e0fcaaba40fa1f7c2cf5dde746897ba579ddd8f2ffb9e4660f547b2

memory/716-76-0x000001D670F90000-0x000001D670F97000-memory.dmp

memory/716-82-0x0000000140000000-0x000000014024A000-memory.dmp

memory/716-77-0x0000000140000000-0x000000014024A000-memory.dmp

C:\Users\Admin\AppData\Local\KB5CgUxjh\TAPI32.dll

MD5 63b0450f40216bd8631d96045489b35a
SHA1 973d8caf21289625a51f3ed5b0ff6379b68a080c
SHA256 bcefa3d6718919dd2759b753d59d06be35dc1871702a6a1bf1a257e5f51bf08c
SHA512 ff3a63637cf6fdf0e583c354afb38bb5567ecbd01105f094003e7e6591b836587340047b5bd68a807fb6e2700f91fbbe3c6ae900fef9479d7a8c202f65323eef

memory/3428-42-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-41-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-40-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-37-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-36-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-35-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-33-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-32-0x0000000140000000-0x0000000140248000-memory.dmp

memory/4308-93-0x000001CE21600000-0x000001CE21607000-memory.dmp

memory/4308-94-0x0000000140000000-0x000000014028E000-memory.dmp

C:\Users\Admin\AppData\Local\YeJ7\DUI70.dll

MD5 27fc04ca19a90bab9a6822da738f5bae
SHA1 a87ca76a7685f1667cd1fa9bea68ba984b9cdc81
SHA256 e33f1b0bc286780fec32e49087f411c269d43e0281dec2538ee2db6de9b98d87
SHA512 913943a569371ec28551b8bb1874f75ccaeb55bb3cd04444daa6c125385f76c082471afcb28720a35b397b80ac8e0dbc481281388051e0d410115740c2cc217d

C:\Users\Admin\AppData\Local\YeJ7\DUI70.dll

MD5 6935f8327e12e0621cb0500ea483fb07
SHA1 dfd9e0ffb9c88f310298b2ed8f586c20334f5218
SHA256 241cf89f6bc845ec4161301c51f1959ac4b2b8c54c4974c50e70400838217e51
SHA512 867d59d46b7a4ee30946eb6597648b61d509362027a055703b719f000303f1044dcd3a8f9eebcff1a47438142527e966143dbe7539f9c372b512b998cb0b8f82

C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe

MD5 5eb2b7f44228a667dd409c347998416f
SHA1 0ef5465f0a985fb16cdde886d3ad5c91d7d8ef0e
SHA256 2199746702b0e7b8046dc4d1e8f7881ccef8bbb300065da36dcff34cfd3b8a99
SHA512 605df9a6c73c10a0b1c558131ed6356431cf035950f1c2f1624939acafa2eee0c9a7c4894621a20c01b07119f3eafcf275c3d7c4a81193278566508632df6929

C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe

MD5 b7c03d0089301703a6a00188238d99c2
SHA1 effa01d8c6c52aade41dc62aaefa5fc7c6744749
SHA256 aa1658de85bf7b7ebb76ff89b9bb1406b84605aac72f814598062a0cabc2de19
SHA512 0cc07d16c2f49a9bc906e1caa68bb9d928f650a88ec754f32ec14ff21db9e2d7d6b4fd7ff6fed899ad6d97955538f21699ec7200d9b90f29bece95bd37dd948e

memory/3428-29-0x0000000140000000-0x0000000140248000-memory.dmp

C:\Users\Admin\AppData\Local\r9IkvDO\TAPI32.dll

MD5 2907587a1274db6cfb96630b29a305eb
SHA1 4458b6c7516b599dd495533224e22a9a1af802c2
SHA256 e7b0959d6dd76423baa8e5fa5ca426a8c4b5437d9f563678361d5d51c59bf55d
SHA512 bf422e99feb3f66b294341f921d60584d839d78211be1dc6ffe19be71e225017fa5d65a4489b63161cfe0873b3eb1a72f8b154289751fe65796de17b5f6af50c

memory/1656-110-0x0000000140000000-0x000000014024A000-memory.dmp

memory/1656-113-0x000001C6E4920000-0x000001C6E4927000-memory.dmp

C:\Users\Admin\AppData\Local\r9IkvDO\TAPI32.dll

MD5 a0caa52fb29e049448f12d5b7f43eef5
SHA1 15e8dff88427f7315997849de6eabbbae717b5a6
SHA256 1717c25a8614e45f86b6e8d8c57ab97659a3f30008091997f88b585321ac1121
SHA512 eca2e54d24866b7e7aa4b3347010b9ec36f57e0271dbe139f723e6ae988c608852d0ffca37ea264f29dad04e8284c5cc809940c69fe23f8e25471d8068bfc19b

memory/1656-120-0x0000000140000000-0x000000014024A000-memory.dmp

memory/3428-28-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-27-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-25-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-24-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-23-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-21-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-20-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-19-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-16-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-15-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-14-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-13-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-11-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-10-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-9-0x0000000140000000-0x0000000140248000-memory.dmp

memory/3428-7-0x0000000140000000-0x0000000140248000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk

MD5 36b8766b97d083b60fc22c8f2a0210a1
SHA1 1d08d6e13121a572684a2e5bbd668d7b127de7aa
SHA256 383689f17588b4d90e11c67f31cee386276c3c9bf4b76533e4761457ae711d13
SHA512 0128f03989b55bf1e33d38f36f2ba24dcf4b394c569304133f65fcf631be177db14ea6f64d1febcb92975ddb339bef0d3ad5dda6b5adba18e1dec730b98408dc

C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\f334QZGVhPi\TAPI32.dll

MD5 5596e4bd85f6a8e667e1f9ed7206ed0d
SHA1 74c5aea666751edbae4ef95cdd7cd9f4bd9cd1fa
SHA256 711a964371584613d2dcaae383070d9ae5f3c195ed74dfdc8787bd5010701eb5
SHA512 60bdda8ba5782c53724a545f21d7f48e500b0ccaaf1dbe466e2bde8b2f607da62caf36247b49120854735f9b25dc5e1ed21d3a73c6034e2579ffaa0fe345e5f9

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\RUUq1Pv\DUI70.dll

MD5 a43ac31b698b4e87d1e68ee7f06fcdfa
SHA1 8f8030d54650e75d392f6f8af28105093138af2b
SHA256 7d2853c574bc884e0cc243957cd8175ba026b890d5a8814443f2cb9ae953c8cb
SHA512 4cbc3db213fa4cd588391331d43e4f14c16b09637a6907b23429c54a68f375c656c8100f0ece5e75abedf9b1e8fb37d06f074f7b6cf96e8c09dcc312c9a670a4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\3iOBJ\TAPI32.dll

MD5 3c2a9eb4c98dbbe0e42ef375fa57414b
SHA1 7e994852adb8e113a8d793a0849fc586c52c7c39
SHA256 bc49eaf09842a7c3b8a1fa37b94ba51e17f948736417cb4ba3d877738c8f4663
SHA512 6a894e3aa9a12a280540a67769072eac518a43dcdc942059117a9664708386c5b80d5ddbf9970113fda7a3c0c0337ef8eacfe091f5618bf2b4c129b415013bba