Malware Analysis Report

2024-11-30 21:20

Sample ID 231230-11lzwahecq
Target 1dfa1a210dc26d055f7772891bbad566
SHA256 54895b5bc04d47369590549b3e298ea9c04642ddb4d482bbda92334689067eaf
Tags
dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

54895b5bc04d47369590549b3e298ea9c04642ddb4d482bbda92334689067eaf

Threat Level: Known bad

The file 1dfa1a210dc26d055f7772891bbad566 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 22:07

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 22:07

Reported

2024-01-01 08:12

Platform

win7-20231215-en

Max time kernel

152s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dfa1a210dc26d055f7772891bbad566.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\hDKLGjE\icardagt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\74t6j\EhStorAuthn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\3Ouj3Hq\wisptis.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\FBPZPS\\EhStorAuthn.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hDKLGjE\icardagt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\74t6j\EhStorAuthn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3Ouj3Hq\wisptis.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 528 N/A N/A C:\Windows\system32\icardagt.exe
PID 1276 wrote to memory of 528 N/A N/A C:\Windows\system32\icardagt.exe
PID 1276 wrote to memory of 528 N/A N/A C:\Windows\system32\icardagt.exe
PID 1276 wrote to memory of 748 N/A N/A C:\Users\Admin\AppData\Local\hDKLGjE\icardagt.exe
PID 1276 wrote to memory of 748 N/A N/A C:\Users\Admin\AppData\Local\hDKLGjE\icardagt.exe
PID 1276 wrote to memory of 748 N/A N/A C:\Users\Admin\AppData\Local\hDKLGjE\icardagt.exe
PID 1276 wrote to memory of 1204 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 1276 wrote to memory of 1204 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 1276 wrote to memory of 1204 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 1276 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\74t6j\EhStorAuthn.exe
PID 1276 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\74t6j\EhStorAuthn.exe
PID 1276 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\74t6j\EhStorAuthn.exe
PID 1276 wrote to memory of 1844 N/A N/A C:\Windows\system32\wisptis.exe
PID 1276 wrote to memory of 1844 N/A N/A C:\Windows\system32\wisptis.exe
PID 1276 wrote to memory of 1844 N/A N/A C:\Windows\system32\wisptis.exe
PID 1276 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\3Ouj3Hq\wisptis.exe
PID 1276 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\3Ouj3Hq\wisptis.exe
PID 1276 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\3Ouj3Hq\wisptis.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dfa1a210dc26d055f7772891bbad566.dll,#1

C:\Windows\system32\icardagt.exe

C:\Windows\system32\icardagt.exe

C:\Users\Admin\AppData\Local\hDKLGjE\icardagt.exe

C:\Users\Admin\AppData\Local\hDKLGjE\icardagt.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\74t6j\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\74t6j\EhStorAuthn.exe

C:\Windows\system32\wisptis.exe

C:\Windows\system32\wisptis.exe

C:\Users\Admin\AppData\Local\3Ouj3Hq\wisptis.exe

C:\Users\Admin\AppData\Local\3Ouj3Hq\wisptis.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\hDKLGjE\icardagt.exe

C:\Users\Admin\AppData\Local\hDKLGjE\VERSION.dll

\Users\Admin\AppData\Local\hDKLGjE\icardagt.exe

\Users\Admin\AppData\Local\hDKLGjE\VERSION.dll

C:\Users\Admin\AppData\Local\hDKLGjE\icardagt.exe

C:\Users\Admin\AppData\Local\74t6j\UxTheme.dll

\Users\Admin\AppData\Local\74t6j\UxTheme.dll

C:\Users\Admin\AppData\Local\74t6j\EhStorAuthn.exe

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\FBPZPS\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\3Ouj3Hq\OLEACC.dll

C:\Users\Admin\AppData\Local\3Ouj3Hq\wisptis.exe

\Users\Admin\AppData\Local\3Ouj3Hq\OLEACC.dll

C:\Users\Admin\AppData\Local\3Ouj3Hq\wisptis.exe

\Users\Admin\AppData\Local\3Ouj3Hq\wisptis.exe

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\oSndnN9YQ\wisptis.exe

\Users\Admin\AppData\Roaming\Adobe\Flash Player\oSndnN9YQ\wisptis.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\KqDzyG\VERSION.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\FBPZPS\UxTheme.dll

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\oSndnN9YQ\OLEACC.dll

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 22:07

Reported

2024-01-01 08:12

Platform

win10v2004-20231215-en

Max time kernel

158s

Max time network

170s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dfa1a210dc26d055f7772891bbad566.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\wFX\\wscript.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xDM\msra.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bhE0\wscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\zx2owRd\msconfig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3580 wrote to memory of 1980 N/A N/A C:\Windows\system32\msra.exe
PID 3580 wrote to memory of 1980 N/A N/A C:\Windows\system32\msra.exe
PID 3580 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\xDM\msra.exe
PID 3580 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\xDM\msra.exe
PID 3580 wrote to memory of 4608 N/A N/A C:\Windows\system32\wscript.exe
PID 3580 wrote to memory of 4608 N/A N/A C:\Windows\system32\wscript.exe
PID 3580 wrote to memory of 3344 N/A N/A C:\Users\Admin\AppData\Local\bhE0\wscript.exe
PID 3580 wrote to memory of 3344 N/A N/A C:\Users\Admin\AppData\Local\bhE0\wscript.exe
PID 3580 wrote to memory of 3208 N/A N/A C:\Windows\system32\msconfig.exe
PID 3580 wrote to memory of 3208 N/A N/A C:\Windows\system32\msconfig.exe
PID 3580 wrote to memory of 4444 N/A N/A C:\Users\Admin\AppData\Local\zx2owRd\msconfig.exe
PID 3580 wrote to memory of 4444 N/A N/A C:\Users\Admin\AppData\Local\zx2owRd\msconfig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1dfa1a210dc26d055f7772891bbad566.dll,#1

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\xDM\msra.exe

C:\Users\Admin\AppData\Local\xDM\msra.exe

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\bhE0\wscript.exe

C:\Users\Admin\AppData\Local\bhE0\wscript.exe

C:\Windows\system32\msconfig.exe

C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\zx2owRd\msconfig.exe

C:\Users\Admin\AppData\Local\zx2owRd\msconfig.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\xDM\msra.exe

C:\Users\Admin\AppData\Local\xDM\UxTheme.dll

C:\Users\Admin\AppData\Local\bhE0\wscript.exe

C:\Users\Admin\AppData\Local\bhE0\VERSION.dll

C:\Users\Admin\AppData\Local\zx2owRd\msconfig.exe

C:\Users\Admin\AppData\Local\zx2owRd\MFC42u.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
