Malware Analysis Report

2024-11-30 21:08

Sample ID 231230-c4y7lsdffn
Target 0bec2c92bdac461fc73c8abe152f4572
SHA256 2fa65c257d31fff96e1be457dda7e948b37629882afcff21dee8fd7980edb38c
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2fa65c257d31fff96e1be457dda7e948b37629882afcff21dee8fd7980edb38c

Threat Level: Known bad

The file 0bec2c92bdac461fc73c8abe152f4572 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 02:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 02:38

Reported

2023-12-30 17:07

Platform

win7-20231215-en

Max time kernel

136s

Max time network

128s

Command Line

C:\Windows\system32\notepad.exe

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\sA91nRe\notepad.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\iqdp\icardagt.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\B4yckDE2k\taskmgr.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\rb\\icardagt.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\sA91nRe\notepad.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iqdp\icardagt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\B4yckDE2k\taskmgr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A
(plus 61 further rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1256 wrote to memory of 2856 | N/A | N/A | C:\Windows\system32\notepad.exe
PID 1256 wrote to memory of 2856 | N/A | N/A | C:\Windows\system32\notepad.exe
PID 1256 wrote to memory of 2856 | N/A | N/A | C:\Windows\system32\notepad.exe
PID 1256 wrote to memory of 2148 | N/A | N/A | C:\Users\Admin\AppData\Local\sA91nRe\notepad.exe
PID 1256 wrote to memory of 2148 | N/A | N/A | C:\Users\Admin\AppData\Local\sA91nRe\notepad.exe
PID 1256 wrote to memory of 2148 | N/A | N/A | C:\Users\Admin\AppData\Local\sA91nRe\notepad.exe
PID 1256 wrote to memory of 3004 | N/A | N/A | C:\Windows\system32\icardagt.exe
PID 1256 wrote to memory of 3004 | N/A | N/A | C:\Windows\system32\icardagt.exe
PID 1256 wrote to memory of 3004 | N/A | N/A | C:\Windows\system32\icardagt.exe
PID 1256 wrote to memory of 2968 | N/A | N/A | C:\Users\Admin\AppData\Local\iqdp\icardagt.exe
PID 1256 wrote to memory of 2968 | N/A | N/A | C:\Users\Admin\AppData\Local\iqdp\icardagt.exe
PID 1256 wrote to memory of 2968 | N/A | N/A | C:\Users\Admin\AppData\Local\iqdp\icardagt.exe
PID 1256 wrote to memory of 1652 | N/A | N/A | C:\Windows\system32\taskmgr.exe
PID 1256 wrote to memory of 1652 | N/A | N/A | C:\Windows\system32\taskmgr.exe
PID 1256 wrote to memory of 1652 | N/A | N/A | C:\Windows\system32\taskmgr.exe
PID 1256 wrote to memory of 392 | N/A | N/A | C:\Users\Admin\AppData\Local\B4yckDE2k\taskmgr.exe
PID 1256 wrote to memory of 392 | N/A | N/A | C:\Users\Admin\AppData\Local\B4yckDE2k\taskmgr.exe
PID 1256 wrote to memory of 392 | N/A | N/A | C:\Users\Admin\AppData\Local\B4yckDE2k\taskmgr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\notepad.exe

C:\Windows\system32\notepad.exe

C:\Users\Admin\AppData\Local\sA91nRe\notepad.exe

C:\Users\Admin\AppData\Local\sA91nRe\notepad.exe

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bec2c92bdac461fc73c8abe152f4572.dll,#1

C:\Windows\system32\icardagt.exe

C:\Windows\system32\icardagt.exe

C:\Users\Admin\AppData\Local\iqdp\icardagt.exe

C:\Users\Admin\AppData\Local\iqdp\icardagt.exe

C:\Windows\system32\taskmgr.exe

C:\Windows\system32\taskmgr.exe

C:\Users\Admin\AppData\Local\B4yckDE2k\taskmgr.exe

C:\Users\Admin\AppData\Local\B4yckDE2k\taskmgr.exe

Network

N/A

Files

memory/1256-17-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-19-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-20-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-21-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-22-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-23-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-27-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-32-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-33-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-35-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-37-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-38-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-39-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-40-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-41-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-42-0x0000000002A50000-0x0000000002A57000-memory.dmp

memory/1256-36-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-34-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-49-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-51-0x0000000077C20000-0x0000000077C22000-memory.dmp

memory/1256-50-0x0000000077AC1000-0x0000000077AC2000-memory.dmp

memory/1256-31-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-30-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-29-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-28-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-26-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-25-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-24-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-18-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-16-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-15-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-14-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-13-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-12-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-11-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-10-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-9-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-8-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/2088-7-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-60-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1256-5-0x0000000002A70000-0x0000000002A71000-memory.dmp

memory/1256-66-0x0000000140000000-0x00000001401B5000-memory.dmp

C:\Users\Admin\AppData\Local\sA91nRe\notepad.exe

MD5 fb23a92cfd2d900b82fabe6e0b6b730d
SHA1 98ff2dbe192f5f14e9d401e3e3b7dd97aa728bfb
SHA256 8d2cca08fdcebd70429b1d74504ff12ac5e7bf0bf601c386f8fcbf229de40451
SHA512 f1e04b257a4621a240ff41241a4d85172e879746ffae33b2f0ab3f73eb9ca3252e683baad72a57cc87f9c1568af503267d120c99574b25a37f4c5925a850ce5e

\Users\Admin\AppData\Local\sA91nRe\notepad.exe

MD5 f2c7bb8acc97f92e987a2d4087d021b1
SHA1 7eb0139d2175739b3ccb0d1110067820be6abd29
SHA256 142e1d688ef0568370c37187fd9f2351d7ddeda574f8bfa9b0fa4ef42db85aa2
SHA512 2f37a2e503cffbd7c05c7d8a125b55368ce11aad5b62f17aaac7aaf3391a6886fa6a0fd73223e9f30072419bf5762a8af7958e805a52d788ba41f61eb084bfe8

C:\Users\Admin\AppData\Local\sA91nRe\VERSION.dll

MD5 bbe316fc2cbf8fa80b41af5d9921b8c0
SHA1 2f29a4b5e89d77e5c13764070af10bbb871d53a4
SHA256 69dbe0f5cdf1755d5453a44aa848b4b08660be99ae1f059d9392bc6538c45697
SHA512 8269d21e8f2f223ab0d24f064e9d142fb872a1ac13f6fde719f44cc948bf02e3ffabeb8fe7744bed50c40f735d48af05d90c0c87d5f71cfbd507d547cfea938c

\Users\Admin\AppData\Local\sA91nRe\VERSION.dll

MD5 25d41c21bc7b70b7a8d8c36f7ec232b9
SHA1 15123c539349a14abf07dca6c902c1f60f8cf930
SHA256 02c59eb516a5882f15ee973b1532e0270c7e84bead177ef9815ccc8e1c53c2ce
SHA512 6591b27a7cdb74004ecf9c9b3a001d361d1cbb046088cc3dbfefcf5990e7b9f6fd34ce80beec99fcde303b01d32003f288437f0e38a7e701b24e94f609272526

memory/1256-4-0x00000000779B6000-0x00000000779B7000-memory.dmp

memory/2148-79-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2148-78-0x0000000000200000-0x0000000000207000-memory.dmp

memory/2148-84-0x0000000140000000-0x00000001401B6000-memory.dmp

C:\Users\Admin\AppData\Local\sA91nRe\notepad.exe

MD5 4dc0614bc05ad92e060471566cdba101
SHA1 661f09c430499e6ace6d90fbbe8a19e2d7904d30
SHA256 56f16bb0229a1d9a88de9174a74ca04868ad54f55e983b69fbd70a5ba78907ae
SHA512 61df8d4776ec41aa59d072bba177a98792dd46f6664890db62e2ee777256a08aaa46dd0ff26525f2206a973cd10a44155259acbffac022f81a15e30c98a3d14a

memory/2088-1-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/2088-0-0x0000000000110000-0x0000000000117000-memory.dmp

C:\Users\Admin\AppData\Local\iqdp\icardagt.exe

MD5 a7b64f9c48621a7cd6e0464051e405b6
SHA1 261d08c1850bc8d237487e04a6207e73c3065323
SHA256 a7447e108696286ee4e0ff14a79e34e67663767dd7146239340a9c828e570a5b
SHA512 dda8ff97b6874a35828b950c82645dd808dcae9d4e950ccc06fedbe321bd3ad90b2f2ae2815b6c76fa8cbd71c2dfdbca3d4e53e95b6498a0638c1823abf43366

\Users\Admin\AppData\Local\iqdp\icardagt.exe

MD5 4607791fb5cf339246a2c1ce02be8a78
SHA1 1a969952c7c2a7b07fe195e1b6996139b6501eb1
SHA256 2bb2924b4d1e63f4c67cc6f22d133076ea71b4c075935c7428be691479000c9b
SHA512 ac9619a276b0ea1e454c41a9b404709ace47fbc93c41dea34fa410e3ac126b4e19b88abea0b0fd643af19cb72a0bed1bdb00e723f52a049b943d10c456f053d3

\Users\Admin\AppData\Local\iqdp\UxTheme.dll

MD5 93bf7d8e4a023385f6e50440f508bf1f
SHA1 9dc363fab192d915fad44a1846b2dd6682c588b2
SHA256 97315ba195b83be73a03372f0ce6bf1fff3e400000bd372e56c40177c0412601
SHA512 56f78b2cfe9c5a666c4ffee7e3945e6bf2bd297972cb7fbe0d4fc93c3386792051738407774b0df1b50d138ccf96cfdc211a7c7adf4260d5080d17f098137a2b

memory/2968-96-0x0000000000210000-0x0000000000217000-memory.dmp

C:\Users\Admin\AppData\Local\iqdp\UxTheme.dll

MD5 2aa06f00621d7fc31b63800cb5c42ed5
SHA1 1063a058c4fd4ec147381c4d6db93b6cafcab8b4
SHA256 ed8f0fadc8895539cabcf930b91e50d0f1bdcd8fec61542f06f01637c2e63a6e
SHA512 05a3581448b37e0a8bb1d3a8e39865bb81d1fff4b295c5793748be9dc4b6a52482218a9bf0c314da54d3076532e3cc220bf527371af7fe557f0843e6049ec166

C:\Users\Admin\AppData\Local\iqdp\icardagt.exe

MD5 417de8df2849e5e161b3102aca28416a
SHA1 7e917f07536c83588fd4f4b228260ea702b69e5c
SHA256 5034df06792ddbb6764b08ec60110444608a303d27b6ad59a686a3d84c5250d8
SHA512 50d66cc781a21bffbcde095f0f2670b468996ca3c92326c85a5654012680c99c73bbf0ace147cce3e201214fcdc4e8fdeb7efcc9c1f89421c218edf462e8f1f2

\Users\Admin\AppData\Local\B4yckDE2k\taskmgr.exe

MD5 9812723b7411ec4b0ea5f77c6235767d
SHA1 bd1d0304d10d1ccbc800827e2d844cbbe4c8e3c8
SHA256 7c8a21aacc7803aa6ddbbbf23e82b97107b5b92d0279a9b2d97b6d5525527d5c
SHA512 8190fef0936b61763ba12727f9b1878e31801627255542dc7450bf2f00503a9aa90bd18a57bcdcb1cf7556d37e7b3af0a98677afca61a6f56b115718d3ff25a2

C:\Users\Admin\AppData\Local\B4yckDE2k\Secur32.dll

MD5 3bf0a544a67fc990e54af76cd988cd82
SHA1 0db0c215a15ce856db8b0d5d39c225486922588e
SHA256 ead597be54cee5b07e936c1d9467281a19e5afbe049959b4eca3a5a9499d4375
SHA512 6a74edc71c0a83f48484ff7ea7ffa3e0d619cfec5e0e2d1a5fe48183e6cec600533b3a6486a3b18776295f3b1296025942a3015cdbadd6a88a162e9851eaaafa

\Users\Admin\AppData\Local\B4yckDE2k\Secur32.dll

MD5 eb54fb7f940f116edddad2862043cd48
SHA1 7f8a8b6c2b91417819a258c2c877c67273d12961
SHA256 939dbf8e115119c1f544bedca79f79cd3268b8ce451f3c4eb16b980f3b338988
SHA512 269fc0687ce5b03ca2dac1e51def0eaa7913396cb497c7c522d5bb963e41d5bdcf9c2aa856989a2e079fff33cf07800f237bd93a7fd24edf354a80a5a13b00d6

C:\Users\Admin\AppData\Local\B4yckDE2k\taskmgr.exe

MD5 d6589ad3fd8c0322b58e584a0db1b9be
SHA1 09a2065a1029c6d72825ce6be01dbdaf86498665
SHA256 529afa01d31b7451265b0fa64b4d714020f2cfbd904fcbe83c0eda4a23b258a5
SHA512 3ebaf96248403b86b1313881ca7b01a926ece3312d3175d6c7f76c11f67738f9008809fa0212a9965fd8e011ef463ea4afd33fd2debf0655514f06ba08e39999

memory/392-117-0x0000000001B50000-0x0000000001B57000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\PG\taskmgr.exe

MD5 c72d86b7f1e405942c57b3ace8fbc650
SHA1 faec338e6b80874d247e74bcd44d1d25bd132780
SHA256 c2b27cf0cce903e93631af8e81f30be45ca3b427ebc30d615bb3d1a48d3a28b0
SHA512 b632cd384a4b56ea882dae8def834284c1da82ca19e8d34299907b07a82ece856e7411bd496dd14b1f6ed5a66b001345acdd4a4ce990436f850dd4b94bbe43a9

\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\PG\taskmgr.exe

MD5 9ba1aff58599da8d004b1088c418d1a7
SHA1 27cee649e41ca2b5547259e3ec0cf98688c108ac
SHA256 de045e64cc0ee09b6a7c450f98d28e2ea810977ac82f0e19fb1666729b4e1632
SHA512 5857a00049a4e051c2f376035e76e92c3413ad9c5611212dbf05f20a4492083486279c2502b3d81c26b276b9034dd7d9bfc230ab7a8b130438082a64f8ba5162

memory/1256-138-0x00000000779B6000-0x00000000779B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 19dfac9667edec64f5e937d31eb693dc
SHA1 1e544d778fda732acae7e1ee0257e65155ff2ee3
SHA256 98040fbc8e0ea52fe2a43ca9fca6a625b67f73e62f0907f4d1cdef10f6403f49
SHA512 ce9481775ce3486ec8ff372fbd8cec2718c7576f9cafb56ba4e63b2f97a532050b1d7eb5926223a6b10943f87fc73ed4ea708fee53d3ca32736e0a2073533cc9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\T0\VERSION.dll

MD5 03c46ce7341d9fe72ac6aef39e8849f6
SHA1 0be30590104bdbb4d1ba1d7e9c4187718d9fc573
SHA256 02701d2c34748f40668b814fc9ff5f99cf7120b47b928739065408d6980b4309
SHA512 8da63812c092eece17908d7d6f4603420515d32380633f09d92da712b95f5435a8486ad7a95b3eab93c905f363c9b20e5fd8824e2abbdcd7423f76b9984fa5d8

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\rb\UxTheme.dll

MD5 a3f5aa75c1ef18f8d0185d4f85814cf6
SHA1 2538d5ce8bdaf187402dba7021b5f2c8b4abc042
SHA256 cb317410a3c79225262d455a5da307378e89a749929576c4bb28eef55114f740
SHA512 a5ae2d659413f430692c1282fb7ed3f1c4c6b9704591eb0771f9a298cfa5436ed4a9ba4cb99ed6fb037a6ef06a14f94e63915e7ef51838fab1a3a3ee4aa1179d

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\PG\Secur32.dll

MD5 98d5cc3ba230488d40197effa2b28c9d
SHA1 5fd7107cce83e6fcb9ad15b1e65f117104841286
SHA256 7f5cc8afda6cae5eaaeb91d6d865efcee70813f0eeace6f3d129842ea5afd963
SHA512 8c9a32a68ea58c2405cb17504a8918a9ef3bdd703f971121f4ea02a9a6c47ddd03f5fe4a3ade4879124a66af3b6102015a13d33a0c288444adbe899297084490

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 02:38

Reported

2023-12-30 17:08

Platform

win10v2004-20231215-en

Max time kernel

178s

Max time network

171s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bec2c92bdac461fc73c8abe152f4572.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\aoa1\\msdt.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\r1EAUbIsB\psr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3FjSXIlE\msdt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\YKuWbmu\osk.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A
(plus 60 further rows with no description, indicator, process or target recorded)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3576 wrote to memory of 1544 | N/A | N/A | C:\Windows\system32\psr.exe
PID 3576 wrote to memory of 1544 | N/A | N/A | C:\Windows\system32\psr.exe
PID 3576 wrote to memory of 2248 | N/A | N/A | C:\Users\Admin\AppData\Local\r1EAUbIsB\psr.exe
PID 3576 wrote to memory of 2248 | N/A | N/A | C:\Users\Admin\AppData\Local\r1EAUbIsB\psr.exe
PID 3576 wrote to memory of 628 | N/A | N/A | C:\Windows\system32\msdt.exe
PID 3576 wrote to memory of 628 | N/A | N/A | C:\Windows\system32\msdt.exe
PID 3576 wrote to memory of 4804 | N/A | N/A | C:\Users\Admin\AppData\Local\3FjSXIlE\msdt.exe
PID 3576 wrote to memory of 4804 | N/A | N/A | C:\Users\Admin\AppData\Local\3FjSXIlE\msdt.exe
PID 3576 wrote to memory of 1152 | N/A | N/A | C:\Windows\system32\osk.exe
PID 3576 wrote to memory of 1152 | N/A | N/A | C:\Windows\system32\osk.exe
PID 3576 wrote to memory of 2636 | N/A | N/A | C:\Users\Admin\AppData\Local\YKuWbmu\osk.exe
PID 3576 wrote to memory of 2636 | N/A | N/A | C:\Users\Admin\AppData\Local\YKuWbmu\osk.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0bec2c92bdac461fc73c8abe152f4572.dll,#1

C:\Windows\system32\psr.exe

C:\Windows\system32\psr.exe

C:\Users\Admin\AppData\Local\r1EAUbIsB\psr.exe

C:\Users\Admin\AppData\Local\r1EAUbIsB\psr.exe

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Users\Admin\AppData\Local\3FjSXIlE\msdt.exe

C:\Users\Admin\AppData\Local\3FjSXIlE\msdt.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\YKuWbmu\osk.exe

C:\Users\Admin\AppData\Local\YKuWbmu\osk.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 138.91.171.81:80 | N/A | tcp
US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
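One row in this table stands apart: a TCP connection to 138.91.171.81:80 with no domain, while every other connection carries a name (tse1.mm.bing.net, Windows background traffic) or is a DNS query to the sandbox's resolver. Dridex loaders carry a hard-coded list of IP:port peers rather than domain names, so a connection with no forward lookup behind it is the row to pull out; the report does not, however, show that the address answered or what was exchanged, so it is a candidate indicator, not a confirmed C2. The PTR (in-addr.arpa) queries are not tied to a process here, and the one for 81.171.91.138.in-addr.arpa merely reverses the same address, so it adds no attribution. The script below is an added example, not part of the report, run over rows constructed from this table; it splits the rows into forward lookups, reverse lookups and connections, and returns the connections that have no name at all.

```python
"""Triage a sandbox network table: separate forward lookups, PTR lookups
and connections, and pull out connections to addresses that were never
given a name. Added example, not part of the report; the rows below are
constructed from the behavioral2 Network table (a representative subset).
"""
import ipaddress

# Constructed from the report: (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "81.171.91.138.in-addr.arpa", "udp"),
    ("US", "138.91.171.81:80", "", "tcp"),
    ("US", "8.8.8.8:53", "23.177.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "167.109.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "19.229.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "175.178.17.96.in-addr.arpa", "udp"),
]


def split_dest(dest):
    """'138.91.171.81:80' -> ('138.91.171.81', 80)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def ptr_to_ip(name):
    """'81.171.91.138.in-addr.arpa' -> '138.91.171.81'; None if not a
    well-formed IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def triage(rows, resolver_port=53):
    """Classify rows. DNS rows (udp to the resolver port) become forward
    or reverse lookups; everything else is a connection, split by whether
    the report attached a domain to it."""
    forward, reverse, connects = set(), set(), []
    for _country, dest, domain, proto in rows:
        host, port = split_dest(dest)
        if port == resolver_port and proto == "udp":
            ip = ptr_to_ip(domain)
            if ip is not None:
                reverse.add(ip)
            elif domain:
                forward.add(domain)
            continue
        connects.append((host, port, proto, domain))

    raw_ip = sorted({(h, p, pr) for h, p, pr, d in connects if not d})
    named = sorted({(h, p, pr, d) for h, p, pr, d in connects if d})
    return {
        "forward_lookups": sorted(forward),
        "reverse_lookups": sorted(reverse),
        "raw_ip_connects": raw_ip,
        "named_connects": named,
        # A PTR query for a raw-IP peer only shows that something asked
        # what the address is called; it does not name the peer.
        "raw_ip_with_ptr": sorted({h for h, _, _ in raw_ip} & reverse),
    }


if __name__ == "__main__":
    for key, value in triage(ROWS).items():
        print(f"{key}: {value}")
```

The result isolates 138.91.171.81:80/tcp as the only connection without a name and notes that it was also PTR-queried; the bing.net rows collapse to one named connection, and the remaining PTR lookups are listed as plain addresses for whoever wants to attribute them.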

Files

memory/2988-0-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/2988-2-0x00000183037A0000-0x00000183037A7000-memory.dmp

memory/3576-5-0x00007FFE15D8A000-0x00007FFE15D8B000-memory.dmp

memory/3576-4-0x0000000007910000-0x0000000007911000-memory.dmp

memory/2988-8-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-9-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-10-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-11-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-12-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-13-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-7-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-14-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-15-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-17-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-16-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-18-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-19-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-20-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-21-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-22-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-23-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-24-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-25-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-27-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-28-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-29-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-30-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-32-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-35-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-33-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-34-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-36-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-39-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-40-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-41-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-42-0x00000000078F0000-0x00000000078F7000-memory.dmp

memory/3576-38-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-37-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-49-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-31-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-50-0x00007FFE16080000-0x00007FFE16090000-memory.dmp

memory/3576-26-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-59-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3576-61-0x0000000140000000-0x00000001401B5000-memory.dmp

C:\Users\Admin\AppData\Local\r1EAUbIsB\XmlLite.dll

MD5 578547bc5dae6af624d6abf43a566a59
SHA1 080bc094626c31fe53bc5cdb96b282c0125488cb
SHA256 6aa0bde7080aa8bb0532e8a5a4cb89b4ba6f399c31d10621b34ec27842460338
SHA512 89f7ab13d6a97afb362a2d6b6140c9f6cb774d49e7e4b25c7e8f9894439e36954e6e052170f5c990eb981468fb8676e3112329b0fb94d7e0261a27de73852998

C:\Users\Admin\AppData\Local\r1EAUbIsB\psr.exe

MD5 923a27fd9ddcc4eecabd6ee5d1b60c64
SHA1 87b3df7f03f7c47df16bb937ea58b5a5c8ffb2c9
SHA256 21483cbd02c12ef6bee2bdee6f9c5acec0d82e9b664c0c794de3dde435dc8b53
SHA512 90aed86316c495e9afa6d562bfb3a53b98954c701aa1a4b61ae7babbc1305f979f80d2f95bc2a7d4056ca34dc771c7c2ff3753cbfa1be14b9ab4dc4e37b9fa62

C:\Users\Admin\AppData\Local\r1EAUbIsB\XmlLite.dll

MD5 ef6618e1f1b6d12e13c9d601d9fc3072
SHA1 5e62d7062016a00fe3c2807cf92e97d0f98a75c4
SHA256 7c4d6303cd62015bf64273c8730c5cd7cb465f75b1403bc6fdc384a1d5927176
SHA512 004df5b876e1386a6136d35509f899495dd33fc2fdcc324be3c30c699bfc9adbe38a3ba09aef649cf57c796d745bc19c28209774ec161c2049d01e36e6f2e42f

memory/2248-71-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2248-76-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2248-70-0x0000028324580000-0x0000028324587000-memory.dmp

C:\Users\Admin\AppData\Local\r1EAUbIsB\psr.exe

MD5 950554b7c54758e1b9084c0e5389a054
SHA1 06f538003f32a74dfc809864be603f60cfdcaaaa
SHA256 c2b71ad64f92d195097e58cf595154ddb042f2eae6296a5a92043324076d73ec
SHA512 773ad9a1f233e28e259be58595da6502cdae225b3038e7df1f36466a30ec6f126430d2d5ec6b9651399e624b1e925d8ea650ac0149fff6e998fa3d45ccc8cc15

C:\Users\Admin\AppData\Local\3FjSXIlE\wer.dll

MD5 a0c1d00cfe2530aea8c17876b75d33bd
SHA1 778eb667acfefeb72b7683d2de07a92e3791a224
SHA256 7c9aec4329178b6242d463cf915ad9d406c22a233ed6919430f4bbc778280206
SHA512 27b12a464cf03f7601cb8b2d9d5c8fa37e8ce21a027080bf6e0289bd2547361fd954680f9ed0a9d5036b40a1081f686d8ba2af62148aba31b57a33cb05197d18

C:\Users\Admin\AppData\Local\3FjSXIlE\wer.dll

MD5 2020dacbafa77a92303447c386fd4854
SHA1 8944e499d28b04b6db4f7b4c355e8b226e93f13e
SHA256 eddb350126efa90f9d21464a8dc6995a0de0c3865ae0a0469bffeb9735c41a93
SHA512 5388e1f4c6467913a59f148bcd407e400a9d1ad9a633b4d4dced0f1ac6d53e56bb98ee2f3448d218f2da9e9b0b094672272c25bf87c48fad61377dfabf613b19

memory/4804-87-0x0000012E03110000-0x0000012E03117000-memory.dmp

memory/4804-93-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\3FjSXIlE\msdt.exe

MD5 8e1985814d248b32589da53a9da730f7
SHA1 53f520743a39c2b373ec225e5f585e5ecaa3fffa
SHA256 60764590519d0be59a1a1c440caf02b5ae753b1e7ab3d5ffceb62c0e3d017995
SHA512 9694ac85c2dbb65de9bd72a7ec3557f42c544794bf3d4b2bc44f1973a11cd89230c742c4ab98cd140c6f1ee25e5a2bba146ac79b20f530033682180895ad6115

memory/4804-88-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\3FjSXIlE\msdt.exe

MD5 2beb88428697938d58fcd59236eea4f6
SHA1 72eed4bee4980e7fd6497effdfb5e8bb659df85a
SHA256 4bca29cd6f3a01f30eac1aa07bdf5bd9137720b22373800ab0578c9824c9e2ba
SHA512 ac4ed0bf995491c923df10f8cb770273b674ffa2ba47b414178dae0c8cab34c6ee0c93b4d7163d9501ec8ad5b0be82cdd8ec06af9b2a54d27c321b6d7f32c9bf

C:\Users\Admin\AppData\Local\YKuWbmu\WINMM.dll

MD5 d122fde1035d0caefbfebf86f3601514
SHA1 e7f8eef0685605e5495fbd0e3e4530ea6015d7f6
SHA256 cd53bebabf79d8b7f11d102ca2cbcee773a3e4b0230576a687c8aaf10c78c5e7
SHA512 96174fd6effe0a13a3feca92c4a376b710847a80cbc821e724216aa64632c9f44ae2201e1d17e5ed63bd97ca7be544ffe460fcbecddf4c0a8b15a9f7ce712f13

C:\Users\Admin\AppData\Local\YKuWbmu\WINMM.dll

MD5 0b9627c210a3cbedb45155aa5dfe588f
SHA1 280c1c93f52cdc1d280a38bea8ca5defb4335bad
SHA256 75773343c6130d559947d752bc0edbf554418221144b9934a33a9a92c84e94cc
SHA512 c406d3663dbf8762dc4dcbb260a2cd5b402c3f9a739d69a368cb2d7bfd6e7d50a3508c0ed301e034f34b35706eaae140f0519780cd62ffdf4c7170329bef2c09

memory/2636-104-0x000001AEA2EE0000-0x000001AEA2EE7000-memory.dmp

memory/2636-110-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\YKuWbmu\osk.exe

MD5 30c1c9f469d2b514ca57a6c2b81afa73
SHA1 3d521f53f1dee3680884c96cb4f051c16e63f4d1
SHA256 688cfc9e91e2a0712144e7caab5898a20df602e713b0bb22ecc89f6c299f0819
SHA512 818e6e8895a71ca3e5f3d8231c2f128aaf502a8cf48e7d244f33fbd233fc59f4bcf7ad68fb9d6957bcd41fab221b1e3740bd394cfb83a2ebef8d89ce5fb4a342

C:\Users\Admin\AppData\Local\YKuWbmu\osk.exe

MD5 e702f11f7d7d6fa5ad4d8ba6be21df26
SHA1 b7d6a224f3fdc5122d47a1c278f375951dc061fa
SHA256 c75f9c4dd1309b1d7d5d8ba3cbc7298d7d70b2a75662aa415f319dc8affb825c
SHA512 7c78d99c8e3ea2281fd1887d799cedf89ca63d00f7bd434531e149ac53a0879afef3105e30d2d58e0abbcf5f7c408c99e620d4383c6ff039cdc6ead9a9a4d37a

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

MD5 3c7138473f9e6ebc9a2b842d8c0d3fd5
SHA1 741b9dc16aa2bab5c4e82362d6bfca37eea55457
SHA256 ee695e6b2f6b68f69bf3f847369be63fd9f7ad740d0bec6117852429adc7db61
SHA512 d720d9ff0221907e5c890c9d9a123206b425925b6d3ee670238631e0679ad34f359fe5a2c2295886d3c89bd074bdc8c03b5f8addffd817f75c62f91255186335

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\GzNCwkTh\XmlLite.dll

MD5 1c0253a45cead8e2870dac7accac4db3
SHA1 406bbf4ada064330da12e3f9c6a40f7274aa94b6
SHA256 e79c80f546e6ad168b236fb34b1e84709b09d058617c7707697e55a41438fa1c
SHA512 1a748ee93310dbdf4a36509b7858892f9b6aa0e9499fb3e62248f6075c3b4c66b3da2d35e7c8bfd7f73823672fab1136792c601360f12535f70cb60beda015b0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\aoa1\wer.dll

MD5 7540621b893b79c74339950c9f999d69
SHA1 78611b70a0be6cb3faaca7f42ab50462fcbec99c
SHA256 5f339438e22a9e80b7417be9e154b082f30c94941705d95d4bf05403612c0977
SHA512 cc38a1ce52ce3d889fc9758394ca4f531a6226209c419f19396492b697c10595d71579ebe1108dae7d887200a6d59860945403b43f4deff1ae797f7b90af7dde

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\b9\WINMM.dll

MD5 85765259cd3c9f5aa95a765a0ea58b74
SHA1 6a9a80073f34ca562021bfa90b3fd8de352d1640
SHA256 67ea687e86af905171c2f64311a5def649ddde3dc27ef4bd9eedd45f8a6818a7
SHA512 25eef2be04e81f71fe308ab64ba4d7ef94ba74eb29090bc7714170fa7eba39bea4f9866b4139127532d1ac13d32fc092c7d6e972572ae7b09cd3111ef77371cc