Malware Analysis Report

2024-11-30 21:42

Sample ID 231230-28xxsadbc3
Target 1fb0650833a45e6b7611fd961af6cc8f
SHA256 82f87ae7f82947667739ae073c48d9e810af9c638fad471918918ab78d5aea9d
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

82f87ae7f82947667739ae073c48d9e810af9c638fad471918918ab78d5aea9d

Threat Level: Known bad

The file 1fb0650833a45e6b7611fd961af6cc8f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 23:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 23:15

Reported

2024-01-04 19:33

Platform

win7-20231215-en

Max time kernel

104s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0650833a45e6b7611fd961af6cc8f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\vcQ9Xie\wscript.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\rkNJ\SystemPropertiesHardware.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\xpVCVUoQO\DeviceDisplayObjectProvider.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\EUCj\\SystemPropertiesHardware.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rkNJ\SystemPropertiesHardware.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xpVCVUoQO\DeviceDisplayObjectProvider.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vcQ9Xie\wscript.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (this all-N/A row appears 61 times in the original table)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1200 wrote to memory of 2092 | N/A | N/A | C:\Windows\system32\wscript.exe
PID 1200 wrote to memory of 2092 | N/A | N/A | C:\Windows\system32\wscript.exe
PID 1200 wrote to memory of 2092 | N/A | N/A | C:\Windows\system32\wscript.exe
PID 1200 wrote to memory of 2128 | N/A | N/A | C:\Users\Admin\AppData\Local\vcQ9Xie\wscript.exe
PID 1200 wrote to memory of 2128 | N/A | N/A | C:\Users\Admin\AppData\Local\vcQ9Xie\wscript.exe
PID 1200 wrote to memory of 2128 | N/A | N/A | C:\Users\Admin\AppData\Local\vcQ9Xie\wscript.exe
PID 1200 wrote to memory of 1908 | N/A | N/A | C:\Windows\system32\SystemPropertiesHardware.exe
PID 1200 wrote to memory of 1908 | N/A | N/A | C:\Windows\system32\SystemPropertiesHardware.exe
PID 1200 wrote to memory of 1908 | N/A | N/A | C:\Windows\system32\SystemPropertiesHardware.exe
PID 1200 wrote to memory of 1572 | N/A | N/A | C:\Users\Admin\AppData\Local\rkNJ\SystemPropertiesHardware.exe
PID 1200 wrote to memory of 1572 | N/A | N/A | C:\Users\Admin\AppData\Local\rkNJ\SystemPropertiesHardware.exe
PID 1200 wrote to memory of 1572 | N/A | N/A | C:\Users\Admin\AppData\Local\rkNJ\SystemPropertiesHardware.exe
PID 1200 wrote to memory of 1872 | N/A | N/A | C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1200 wrote to memory of 1872 | N/A | N/A | C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1200 wrote to memory of 1872 | N/A | N/A | C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1200 wrote to memory of 1852 | N/A | N/A | C:\Users\Admin\AppData\Local\xpVCVUoQO\DeviceDisplayObjectProvider.exe
PID 1200 wrote to memory of 1852 | N/A | N/A | C:\Users\Admin\AppData\Local\xpVCVUoQO\DeviceDisplayObjectProvider.exe
PID 1200 wrote to memory of 1852 | N/A | N/A | C:\Users\Admin\AppData\Local\xpVCVUoQO\DeviceDisplayObjectProvider.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0650833a45e6b7611fd961af6cc8f.dll,#1

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\vcQ9Xie\wscript.exe

C:\Users\Admin\AppData\Local\vcQ9Xie\wscript.exe

C:\Users\Admin\AppData\Local\rkNJ\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\rkNJ\SystemPropertiesHardware.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\xpVCVUoQO\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\xpVCVUoQO\DeviceDisplayObjectProvider.exe

Network

N/A

Files

memory/1676-1-0x0000000000390000-0x0000000000397000-memory.dmp

memory/1676-0-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-4-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

memory/1200-11-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-19-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-30-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-37-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-39-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-40-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-45-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-46-0x00000000024D0000-0x00000000024D7000-memory.dmp

memory/1200-53-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-54-0x0000000077CE1000-0x0000000077CE2000-memory.dmp

memory/1200-44-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-43-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-55-0x0000000077E40000-0x0000000077E42000-memory.dmp

memory/1200-42-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-41-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-64-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-38-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-36-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-35-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-71-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-70-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-34-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-33-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-32-0x0000000140000000-0x0000000140201000-memory.dmp

C:\Users\Admin\AppData\Local\vcQ9Xie\wscript.exe

MD5 05e1d2d8d598b93b3b379bbc8e576020
SHA1 76b3d116950290bf48b3d48b81ef8e07ed24a5aa
SHA256 aec7348a392bb6fdb023198f5ce632e37753c3ff39a395593f16abfbe514b32d
SHA512 eb177550fbb92285fdb718b51f4c45f487b56820aef2d747a6e001f7fe36f0187b0d8fd706ab23d5912015b844f6aff02b31e8b7991f6f8e26724b0fcdbfbbb8

\Users\Admin\AppData\Local\vcQ9Xie\wscript.exe

MD5 7ee858dd8e886f8d3d3a8f69a9f7ed86
SHA1 53e740268e883a950e723fedbeaf3e06e2172e8a
SHA256 dee8d6a974a8604d8c387912eb5c9d59ef23b63d958ca5262f28c573b20af5dc
SHA512 aac57b3aabe36ea97af675c7662c4cf8160e3202354063d532338a8ceedb8dcdbe573c741d8c1c9ee88c23cf4a02c516bf18bed2cb584fe80cd2ce8f0559814a

\Users\Admin\AppData\Local\vcQ9Xie\wscript.exe

MD5 8886e0697b0a93c521f99099ef643450
SHA1 851bd390bf559e702b8323062dbeb251d9f2f6f7
SHA256 d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
SHA512 fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

\Users\Admin\AppData\Local\vcQ9Xie\VERSION.dll

MD5 568eaba82a1ba580ec66b9bef02ef16b
SHA1 1f7d76923081e7d9c34f73b939cc9ea1fe238532
SHA256 674d886c11112daf7b33bbef56bcdafd0c1074870d6ca99d26dcfb35382e23ce
SHA512 fa65ff316b207ff0422262d6ef72dea131a48341eee885031928a94d578dd089ec6d949b12e5d09b0740dbb8bd27f1b36ce10bca700574d12104758bc3c98dee

memory/2128-88-0x0000000000290000-0x0000000000297000-memory.dmp

C:\Users\Admin\AppData\Local\vcQ9Xie\wscript.exe

MD5 93b7cdd40974f2331938cc4fdd8ca1c5
SHA1 4e4c200261ff1f1d6bfa0fa405202f9d3cb3f9d9
SHA256 de47274f5ab680f5403829d6d7af064f7a211b527e62506d8b8482336dba8634
SHA512 3b2ddeb38365afb66af18560360a48a9eb57cb1857befb7ad7b3047679bb5edf9e56b04b5d0ea0b7e4d3ab2f7dd723ac85a84a0010104e274898241dada05039

memory/2128-85-0x0000000140000000-0x0000000140202000-memory.dmp

C:\Users\Admin\AppData\Local\vcQ9Xie\VERSION.dll

MD5 b1f0968f133533b3fa3a029f296d397b
SHA1 67c2ec68333ca2cb538f046ee3aac27ef1744a7d
SHA256 9ec7172b34e31c29b04aff727d338d2da5c29cb6949a1bfb44722eab9cf13b15
SHA512 354c15f3a95c2cd6f163d07282d62a3df0a9bbfd2fc90ce5666ffdddefc3eb99e540340644f2be56252a2c492994592dfa1ffc0b40eb591e359e05539e5cdd09

memory/1200-31-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-29-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-28-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-27-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-26-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-25-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-24-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-23-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-22-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-21-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-20-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-18-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-17-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-16-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-15-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-14-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-13-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-12-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-10-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-9-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1676-8-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-7-0x0000000140000000-0x0000000140201000-memory.dmp

memory/1200-5-0x00000000024F0000-0x00000000024F1000-memory.dmp

\Users\Admin\AppData\Local\rkNJ\SYSDM.CPL

MD5 604b9e15368d78f1f994b497f0092cb1
SHA1 2ea8c89ac4dc6c2a532ba894fab3ed944cd7153f
SHA256 6062d954b689307537dd895230b30a5eb5e115a084122215a8f3369f64515d8a
SHA512 43c9a979e66bf8dac46fa30f10a3f945a8d7f93aaba381810d1adcde892655f19db44a5946df444d3b2e6669485b6572188cd9b2ba2da8b3a216d9f3a89dcac4

memory/1572-106-0x0000000000180000-0x0000000000187000-memory.dmp

C:\Users\Admin\AppData\Local\rkNJ\SYSDM.CPL

MD5 11cbc0540076f5348738901625e7d399
SHA1 aa37b07d5f61f42818262aebd71699c7ece24bc5
SHA256 b813e2820237d7cb16a463c2a10451c76ea450f7a2159f77af2dbb0a12835297
SHA512 32f442ea16615a3561ef339645d850c2a8456458c9ddb0927c107153148973bfd5c664669f0cb1e2074252abab3d2be4df3fbb7da97dda87565ead4ad09e3c87

C:\Users\Admin\AppData\Local\rkNJ\SystemPropertiesHardware.exe

MD5 c63d722641c417764247f683f9fb43be
SHA1 948ec61ebf241c4d80efca3efdfc33fe746e3b98
SHA256 4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2
SHA512 7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

\Users\Admin\AppData\Local\rkNJ\SystemPropertiesHardware.exe

MD5 c3bddfc97fdf2c4838ceb183d41663bb
SHA1 471bc3e0466e91b79a7f85f5741d6c930c05cf51
SHA256 6f2d8b6a9f56d4460d2c047e92426d99a3755a41e52c8655c1cf2724131df712
SHA512 bdb76153bd32000c40d3f0f8bcf54564cbefb8451de2b3b135075bc7e07d7b4666a2200d44d6f3dcd9aced50c78b4c0250ca0bf93ec0cc5e04aad8698a947895

\Users\Admin\AppData\Local\xpVCVUoQO\XmlLite.dll

MD5 510065bacf509350e317ae63b6ec88eb
SHA1 97cd027e47e1a5b274684178bed5fac2d72a18af
SHA256 4ba973e44b44e6d40cdf0522bd93845e20069b57a59396fbdbdd5de7a6e72ad0
SHA512 d0eddab2e067b3c9b0af6598411b298a75c309e9666a49b9cedcbf4a47fd9262bdf1885d0b953ea60abb4a6727dd9214495131a140ed3d6047470b9dd5d0f8a7

memory/1852-122-0x0000000000380000-0x0000000000387000-memory.dmp

C:\Users\Admin\AppData\Local\xpVCVUoQO\XmlLite.dll

MD5 015a76fc1b68d657a463d7c1e1aa8fdc
SHA1 0b765d5d37402ec739037b1031f4d2548904fc85
SHA256 fbad4c3452a9a3a287ff75d21d34286a91942ca3e4da422762e06722005b4f12
SHA512 08bf924047c4bdc5cfd22c7dbfad58678aea9dd346e9daf5bb5897606bcea657ca5a9e3aea3ff114218194e3d76ac9d114847a4a79d3d3dd9c794d863af8e700

C:\Users\Admin\AppData\Local\xpVCVUoQO\DeviceDisplayObjectProvider.exe

MD5 030e2910be8a8f1d8b050bf2faa1ee51
SHA1 423458f53d29a1322a10a72ee4ca41e17678d8b7
SHA256 5f6fca3c5b26638ae4bcdae7c15405b4a4dd13756fddc9137e5a02b8890023ab
SHA512 7f396a4acdea9c876c1e96188a36ee52063abb32fa629b712e5f46f2eee050296f96887813f718ee004c6290fac0140481fbbf010c4da4e9141b2fd1028a66a1

\Users\Admin\AppData\Local\xpVCVUoQO\DeviceDisplayObjectProvider.exe

MD5 c01ff43f8e27e69184bd94fcfcbd33d9
SHA1 d7a80c35801b6f9fb34d20dc136eba20517f646e
SHA256 eaaa6050009aad744c216de79213bf66c73bf774a4dd88124166448a66382dab
SHA512 ca27156b5f2358ebf45d6557663921e7192e7368577a201bd740e21052db32a0be8ef18a0be6ece7469547ab884c0a6ed1d6b3391858dcd1da172e180960a3c2

C:\Users\Admin\AppData\Local\xpVCVUoQO\DeviceDisplayObjectProvider.exe

MD5 bec89918caaaad64004586690cbd9df6
SHA1 d750a848f033d076492ff7d8ce25362458026168
SHA256 fe3d1f88bceffea8e3dbd3fe2161228d6aafbc821f943aee4456a8211902edbe
SHA512 dc02e987600fd292efcbaccfb3677afe31c576bd0b7b7f34fab231bf5b7177d2190ae4d2cc40e8cacafc3165d30e4d2a9466cdacacd8fb508865637f2c23281c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\EUCj\SystemPropertiesHardware.exe

MD5 48f0a7f6dc5a51ed139dd2477710686b
SHA1 98c4cd4047a80faa1c052932c542a45802f9842d
SHA256 3174bc58f971f089a944e95cabb2a1032313adb6f32c41afd5f15af0f35fe1a8
SHA512 61f8a8bfe110e7b857a08d963a582094c37a4d4f8aac595002473808868b5f0a60ce886e44df8d6675e908a80ab4bef15320b14e7c6481605722d0fe2b8c83f1

\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\GQV\DeviceDisplayObjectProvider.exe

MD5 7a4897aa42e4e56e6cd7183311adfc62
SHA1 d0e873d8a792d85e1ab33bb98904d57ec8e5ccf8
SHA256 db8241a66584adcfdc458a5973f79ee8e6dd31223b9448cfc1e31ff33711584c
SHA512 b58d214d3a0adcb2d34b755f6cbd5be738d12e296a36d01c943ace55d133a85931ee97ab4eacac7e294e4aa0130edcdbac4ee387270ce60a64f39bcaf35379ec

memory/1200-144-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

MD5 9e7574dd305b22d414f7e187d677d567
SHA1 bcc7c889eacaa22a12b302e908a6d9763362414b
SHA256 00ed8bb52c58f47dd3821ee2dadd7529f2b411a7701c63fb7afb8e569e915809
SHA512 e1d0e0db809c9432145b1dea34692ecf92489b5e7d0a838cc5469de1c0dc2f72feb79b4b2d696ff0c1f91e15d8af972fbf740aa97873f1371b833abe4f5ff3cb

C:\Users\Admin\AppData\Roaming\Identities\{4C0CEA03-C988-4067-9D42-5D4466084111}\lsuRP\VERSION.dll

MD5 6ab8a73686f8bd64067782a4d89f2fa9
SHA1 b03703432517ca9fd2a6a56033bd3cbe7ddf7a01
SHA256 62b52d47bc0df08083d6c579aa5af65742675157b9db33b33206b5350400f603
SHA512 9941b4100d9c9208661cba398cc054863392a6a077a49e3b6f26e06804163c8a2fa18a78eb9a3b9951cf73b4198e898ba7589672075ec9e21ff7c3175ee13e88

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\EUCj\SYSDM.CPL

MD5 48ca22dcb39e4398fbd8a4c12296aecc
SHA1 800d75fd9e85fc220d812b1abcc217ddc3295b30
SHA256 352444885c865e9d790e1de88f3da096442a32ada266f17ada6705450d7be8f0
SHA512 46ea493ada2ca5404fb1af6705f342fbef5995d6c10cd9058056889d991ec0254c665e3f364d530d742a91c29e95c6093f9eeebf92c56d86048ca9939fd7dee7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\GQV\XmlLite.dll

MD5 04bc511e4edb0214d3dbb055101f6cc7
SHA1 057d18725fedcb3df18f0b2eca50e30d1eabe77b
SHA256 5836b270c4a30c414a0409518ed8df2d399610ce5be26a07c36a7a7a78a1bc55
SHA512 ee1c5f5cd29c0295642a4c1152fedae0bd05ce3e7a9449aa0131b4b82c82fa3ac645042bc07ffa317251449da980ed32a54f11fd83ce03267ffa2baf698c87ce

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 23:15

Reported

2024-01-04 19:33

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0650833a45e6b7611fd961af6cc8f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\LPFRMf8WR\\InfDefaultInstall.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6zAS26W62\mfpmp.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rhYq\InfDefaultInstall.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\fXI5A1\Utilman.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (this all-N/A row appears 60 times in the original table)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3348 wrote to memory of 2492 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 3348 wrote to memory of 2492 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 3348 wrote to memory of 368 | N/A | N/A | C:\Users\Admin\AppData\Local\6zAS26W62\mfpmp.exe
PID 3348 wrote to memory of 368 | N/A | N/A | C:\Users\Admin\AppData\Local\6zAS26W62\mfpmp.exe
PID 3348 wrote to memory of 2024 | N/A | N/A | C:\Windows\system32\InfDefaultInstall.exe
PID 3348 wrote to memory of 2024 | N/A | N/A | C:\Windows\system32\InfDefaultInstall.exe
PID 3348 wrote to memory of 3096 | N/A | N/A | C:\Users\Admin\AppData\Local\rhYq\InfDefaultInstall.exe
PID 3348 wrote to memory of 3096 | N/A | N/A | C:\Users\Admin\AppData\Local\rhYq\InfDefaultInstall.exe
PID 3348 wrote to memory of 848 | N/A | N/A | C:\Windows\system32\Utilman.exe
PID 3348 wrote to memory of 848 | N/A | N/A | C:\Windows\system32\Utilman.exe
PID 3348 wrote to memory of 3740 | N/A | N/A | C:\Users\Admin\AppData\Local\fXI5A1\Utilman.exe
PID 3348 wrote to memory of 3740 | N/A | N/A | C:\Users\Admin\AppData\Local\fXI5A1\Utilman.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1fb0650833a45e6b7611fd961af6cc8f.dll,#1

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\6zAS26W62\mfpmp.exe

C:\Users\Admin\AppData\Local\6zAS26W62\mfpmp.exe

C:\Windows\system32\InfDefaultInstall.exe

C:\Windows\system32\InfDefaultInstall.exe

C:\Users\Admin\AppData\Local\rhYq\InfDefaultInstall.exe

C:\Users\Admin\AppData\Local\rhYq\InfDefaultInstall.exe

C:\Windows\system32\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Users\Admin\AppData\Local\fXI5A1\Utilman.exe

C:\Users\Admin\AppData\Local\fXI5A1\Utilman.exe

Network

Country | Destination | Domain | Proto
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 137.126.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 219.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp

Files

memory/2436-1-0x0000000140000000-0x0000000140201000-memory.dmp

memory/2436-0-0x000002678B370000-0x000002678B377000-memory.dmp

memory/3348-4-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

memory/2436-7-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-8-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-9-0x00007FF9E25BA000-0x00007FF9E25BB000-memory.dmp

memory/3348-10-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-11-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-12-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-6-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-13-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-15-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-14-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-17-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-18-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-19-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-20-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-21-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-22-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-23-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-25-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-24-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-16-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-26-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-27-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-29-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-31-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-30-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-28-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-32-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-33-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-34-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-37-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-35-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-36-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-38-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-39-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-40-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-43-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-44-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-42-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-41-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-45-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-46-0x0000000001FC0000-0x0000000001FC7000-memory.dmp

memory/3348-53-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-54-0x00007FF9E2EE0000-0x00007FF9E2EF0000-memory.dmp

memory/3348-63-0x0000000140000000-0x0000000140201000-memory.dmp

memory/3348-65-0x0000000140000000-0x0000000140201000-memory.dmp

C:\Users\Admin\AppData\Local\6zAS26W62\mfpmp.exe

MD5 8f8fd1988973bac0c5244431473b96a5
SHA1 ce81ea37260d7cafe27612606cf044921ad1304c
SHA256 27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e
SHA512 a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

C:\Users\Admin\AppData\Local\6zAS26W62\MFPlat.DLL

MD5 d004e1ba1ee4c755df0dfc1edfda627d
SHA1 1e97265719ccce50762a638da2ea3f0fa02adbc6
SHA256 e798cdf172b999b396a6f2b83cf2b5115ea5252b15e577bf1c60448ca6c919ae
SHA512 d1ae66c52bbabb93d8c5247e11ebd2624d3a8a7d259203817d43ff73aabfa5a102478787f045df11def2bac0766d534ce92b49c002149d3fe0a0f2806c4dd7e3

memory/368-75-0x0000000140000000-0x0000000140203000-memory.dmp

memory/368-74-0x00000226B1F30000-0x00000226B1F37000-memory.dmp

memory/368-80-0x0000000140000000-0x0000000140203000-memory.dmp

C:\Users\Admin\AppData\Local\rhYq\InfDefaultInstall.exe

MD5 ee18876c1e5de583de7547075975120e
SHA1 f7fcb3d77da74deee25de9296a7c7335916504e3
SHA256 e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d
SHA512 08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

C:\Users\Admin\AppData\Local\rhYq\newdev.dll

MD5 1ab82034cd967686c0b70c05a41ab9b4
SHA1 175079596e6c31ea76c7dbcf0e66878c7d3bbb04
SHA256 1b622de05ea1090bdc253db417d9799ae8da598bf00ea6132c19bce3e7247fcc
SHA512 32ec3a05cceb364de043f23dae6d04b0fb89133a1b419c3f780f9c8745bcba3f8ac90b9234a402d98efce0e50e3f7fc601edb6f345d269d64730ddc9be2cc41c

memory/3096-92-0x000002436AEC0000-0x000002436AEC7000-memory.dmp

memory/3096-91-0x0000000140000000-0x0000000140202000-memory.dmp

memory/3096-97-0x0000000140000000-0x0000000140202000-memory.dmp

C:\Users\Admin\AppData\Local\fXI5A1\OLEACC.dll

MD5 eb0fff7e51e79b341da2fdc32dbe23d8
SHA1 11fb5830327833d2b57d87fcc420c703981e93ee
SHA256 b5083f867766178e4c692a82ede72753962e0222c4d20fe6a32d2ec425dd1082
SHA512 bf9eeea0620da45cc37e2ce86d5a20c5139592f21d41741425d7811e7979ec6b1276e65584fb47eb9138857512c3ce7441f778711b39d3ff7ee984a897d031c2

C:\Users\Admin\AppData\Local\fXI5A1\Utilman.exe

MD5 a117edc0e74ab4770acf7f7e86e573f7
SHA1 5ceffb1a5e05e52aafcbc2d44e1e8445440706f3
SHA256 b5bc4fce58403ea554691db678e6c8c448310fe59990990f0e37cd4357567d37
SHA512 72883f794ff585fe7e86e818d4d8c54fa9781cab6c3fac6f6956f58a016a91f676e70d14691cbe054ae7b7469c6b4783152fbb694e92b940d9e3595fe3f41d97

memory/3740-108-0x000001C7D60B0000-0x000001C7D60B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

MD5 ccff54df1aa17e2fbe248c7b5a5dcded
SHA1 fcb8d3e3f13afb3e91ed3f6079ec8dfc336bf8db
SHA256 44555bfe2c7d5d7cd9fe01df14933b52440ce3a66a6507bb0a53707da62f7a51
SHA512 4879b35e24256fd9b0f3d3e6d3962de25c0e0db6a895ee17ae2e4e874e4987ac25fb003a31f5b3612bf88536e0aea0bd4fd20c3004224a7626a5b7366594f5ab