Malware Analysis Report

2024-11-30 21:30

Sample ID 231229-zkncbsaff9
Target 038fac256867b97309719d78ffada177
SHA256 824b3fcc72e9e5493e7be24f46d26c1f5972846b947ce1782207faaf9458429a
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

824b3fcc72e9e5493e7be24f46d26c1f5972846b947ce1782207faaf9458429a

Threat Level: Known bad

The file 038fac256867b97309719d78ffada177 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Drops startup file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-29 20:46

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 20:46

Reported

2023-12-30 02:56

Platform

win7-20231215-en

Max time kernel

150s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\038fac256867b97309719d78ffada177.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxr N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxr\credui.dll N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxr\WFS.exe N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Ysj5\iexpress.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\k5IbmYi\mmc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\V2\\iexpress.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Ysj5\iexpress.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\k5IbmYi\mmc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2616 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1200 wrote to memory of 2616 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1200 wrote to memory of 2616 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1200 wrote to memory of 1336 N/A N/A C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe
PID 1200 wrote to memory of 1336 N/A N/A C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe
PID 1200 wrote to memory of 1336 N/A N/A C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe
PID 1200 wrote to memory of 2916 N/A N/A C:\Windows\system32\WFS.exe
PID 1200 wrote to memory of 2916 N/A N/A C:\Windows\system32\WFS.exe
PID 1200 wrote to memory of 2916 N/A N/A C:\Windows\system32\WFS.exe
PID 1200 wrote to memory of 2848 N/A N/A C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe
PID 1200 wrote to memory of 2848 N/A N/A C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe
PID 1200 wrote to memory of 2848 N/A N/A C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe
PID 1200 wrote to memory of 1232 N/A N/A C:\Windows\system32\iexpress.exe
PID 1200 wrote to memory of 1232 N/A N/A C:\Windows\system32\iexpress.exe
PID 1200 wrote to memory of 1232 N/A N/A C:\Windows\system32\iexpress.exe
PID 1200 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\Ysj5\iexpress.exe
PID 1200 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\Ysj5\iexpress.exe
PID 1200 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\Ysj5\iexpress.exe
PID 1200 wrote to memory of 652 N/A N/A C:\Windows\system32\mmc.exe
PID 1200 wrote to memory of 652 N/A N/A C:\Windows\system32\mmc.exe
PID 1200 wrote to memory of 652 N/A N/A C:\Windows\system32\mmc.exe
PID 1200 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\k5IbmYi\mmc.exe
PID 1200 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\k5IbmYi\mmc.exe
PID 1200 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\k5IbmYi\mmc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\038fac256867b97309719d78ffada177.dll,#1

C:\Windows\system32\SnippingTool.exe

C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe

C:\Windows\system32\iexpress.exe

C:\Users\Admin\AppData\Local\Ysj5\iexpress.exe

C:\Windows\system32\mmc.exe

C:\Users\Admin\AppData\Local\k5IbmYi\mmc.exe

Network

N/A

Files

\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe

C:\Users\Admin\AppData\Local\jJ3o07Ih\SnippingTool.exe

C:\Users\Admin\AppData\Local\jJ3o07Ih\OLEACC.dll

\Users\Admin\AppData\Local\jJ3o07Ih\OLEACC.dll

C:\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe

\Users\Admin\AppData\Local\GRfUG51h5\credui.dll

C:\Users\Admin\AppData\Local\GRfUG51h5\credui.dll

\Users\Admin\AppData\Local\GRfUG51h5\WFS.exe

\Users\Admin\AppData\Local\Ysj5\iexpress.exe

C:\Users\Admin\AppData\Local\Ysj5\VERSION.dll

\Users\Admin\AppData\Local\k5IbmYi\mmc.exe

\Users\Admin\AppData\Local\k5IbmYi\UxTheme.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hxr\credui.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\eoZQsB\UxTheme.dll

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 20:46

Reported

2023-12-30 02:56

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\038fac256867b97309719d78ffada177.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\9cIM\\dialer.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WPtS\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 4628 N/A N/A C:\Windows\system32\sethc.exe
PID 3520 wrote to memory of 4628 N/A N/A C:\Windows\system32\sethc.exe
PID 3520 wrote to memory of 2516 N/A N/A C:\Users\Admin\AppData\Local\WPtS\sethc.exe
PID 3520 wrote to memory of 2516 N/A N/A C:\Users\Admin\AppData\Local\WPtS\sethc.exe
PID 3520 wrote to memory of 1272 N/A N/A C:\Windows\system32\dialer.exe
PID 3520 wrote to memory of 1272 N/A N/A C:\Windows\system32\dialer.exe
PID 3520 wrote to memory of 1588 N/A N/A C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe
PID 3520 wrote to memory of 1588 N/A N/A C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe
PID 3520 wrote to memory of 1048 N/A N/A C:\Windows\system32\PresentationHost.exe
PID 3520 wrote to memory of 1048 N/A N/A C:\Windows\system32\PresentationHost.exe
PID 3520 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe
PID 3520 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\038fac256867b97309719d78ffada177.dll,#1

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\WPtS\sethc.exe

C:\Windows\system32\dialer.exe

C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe

C:\Windows\system32\PresentationHost.exe

C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe

Network


Files

C:\Users\Admin\AppData\Local\WPtS\OLEACC.dll

C:\Users\Admin\AppData\Local\WPtS\sethc.exe

C:\Users\Admin\AppData\Local\taefz0o3\TAPI32.dll

C:\Users\Admin\AppData\Local\taefz0o3\dialer.exe

C:\Users\Admin\AppData\Local\fZfLSmRY\VERSION.dll

C:\Users\Admin\AppData\Local\fZfLSmRY\PresentationHost.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Nm\OLEACC.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\9cIM\TAPI32.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\H3wBI\VERSION.dll