Malware Analysis Report

2024-11-30 21:17

Sample ID 231230-hfrqhsgbb3
Target 1148c244776cff187360131fd499ba07 (submitted file name; the sample is a DLL, run as rundll32 export #1, see Command Line below)
SHA256 2505158abb338e29bf14bddbe3f0c9f18fbfc4ad163804733ef7b50c288a2798
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2505158abb338e29bf14bddbe3f0c9f18fbfc4ad163804733ef7b50c288a2798

Threat Level: Known bad

The file 1148c244776cff187360131fd499ba07 was found to be: Known bad.

What the two detonations show, taken together: the sample is a 64-bit DLL (its image is mapped at the x64 default base, 0x140000000-0x140171000, in every dump) executed through rundll32.exe export #1. It copies legitimate Windows executables (rdpinit.exe, msinfo32.exe and WFS.exe on Windows 7; DeviceEnroller.exe, SysResetErr.exe and SystemSettingsRemoveDevice.exe on Windows 10) into randomly named directories under AppData\Local and AppData\Roaming, drops a DLL beside each copy under the name of a library that executable loads (slc.dll, MFC42u.dll, DUI70.dll), and starts the copy so that the dropped DLL is resolved from the application directory ahead of System32 (the "Loads dropped DLL" hits). Persistence is a Run value pointing at the Roaming copy (written in 8.3 short form: MEDIAC~1\JWYWD6~1\8Y99QZ~1 is Media Center Programs\JWywD6BqRfr\8Y99qZBkGHr in the file list), a shortcut Efrsxj.lnk in the Startup folder, and a task created through the Task Scheduler COM API.

Two caveats before turning this into detections. The memory dumps place the loader image in PID 1528 (Windows 7) / 4672 (Windows 10) before it appears in PID 1200 / 3488, and it is the latter process that then writes into every copied binary's process; the report does not name that second process, so confirm the full process tree before attributing the injection target. The EnableLUA query is a UAC check, not a bypass: no elevation signature fired in either run.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15 (the interactive matrix is not reproduced here; the mapping below is derived from the signatures in this report)

T1218.011 System Binary Proxy Execution: Rundll32 (DLL executed through rundll32.exe export #1)
T1574.002 Hijack Execution Flow: DLL Side-Loading (System32 executables copied next to dropped slc.dll / MFC42u.dll / DUI70.dll; "Loads dropped DLL")
T1055 Process Injection ("Suspicious use of WriteProcessMemory" into each copied binary)
T1547.001 Registry Run Keys / Startup Folder ("Adds Run key to start application"; Efrsxj.lnk in the Startup folder)
T1053.005 Scheduled Task ("Uses Task Scheduler COM API")
T1057 Process Discovery ("Suspicious behavior: EnumeratesProcesses")

Analysis: static1

Detonation Overview

Reported

2023-12-30 06:41

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 06:41

Reported

2024-01-01 06:07

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1148c244776cff187360131fd499ba07.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\X7Lb\rdpinit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\eZHAG1K0f\msinfo32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\myrziZR\WFS.exe N/A
(4 further load events recorded with no process attributed)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\JWYWD6~1\\8Y99QZ~1\\msinfo32.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\X7Lb\rdpinit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\eZHAG1K0f\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\myrziZR\WFS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further hits recorded with no process attributed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2672 (3 writes) N/A N/A C:\Windows\system32\rdpinit.exe
PID 1200 wrote to memory of 1668 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\X7Lb\rdpinit.exe
PID 1200 wrote to memory of 2352 (3 writes) N/A N/A C:\Windows\system32\msinfo32.exe
PID 1200 wrote to memory of 3004 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\eZHAG1K0f\msinfo32.exe
PID 1200 wrote to memory of 1424 (3 writes) N/A N/A C:\Windows\system32\WFS.exe
PID 1200 wrote to memory of 388 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\myrziZR\WFS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1148c244776cff187360131fd499ba07.dll,#1

Each of the following was started with its own path as the command line (listed once; the System32 original precedes its AppData copy):

C:\Windows\system32\rdpinit.exe

C:\Users\Admin\AppData\Local\X7Lb\rdpinit.exe

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\eZHAG1K0f\msinfo32.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\myrziZR\WFS.exe

Network

N/A (no network traffic was recorded in the Windows 7 run)

Files

memory/1528-0-0x0000000000230000-0x0000000000237000-memory.dmp

memory/1528-1-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-4-0x0000000076DE6000-0x0000000076DE7000-memory.dmp

memory/1200-5-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/1200-11-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-16-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-17-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-18-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-15-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-19-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-24-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-26-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-28-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-30-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-34-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-35-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-39-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-43-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-45-0x00000000029D0000-0x00000000029D7000-memory.dmp

memory/1200-42-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-41-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-40-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-38-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-37-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-51-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-52-0x0000000076EF1000-0x0000000076EF2000-memory.dmp

memory/1200-56-0x0000000077050000-0x0000000077052000-memory.dmp

memory/1200-58-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-36-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-33-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-32-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-62-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-31-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-29-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-27-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-25-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-23-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-67-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-21-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-22-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-20-0x0000000140000000-0x0000000140171000-memory.dmp

C:\Users\Admin\AppData\Local\X7Lb\rdpinit.exe

MD5 8db8553980323273cadef3a98af60ec9
SHA1 8334bb009e05f76bc5ca34ad6b2d1e5b3136c3ba
SHA256 5a3b6aeaac7b8edaf2c40f9a566307ab395e3865350a3e8ab8040324317767a1
SHA512 cbe454fa0ad355057842e92bb27be1dcd72abc33ceb17e6ad1572da8bfa1a66977136b900a5f13bf2489fddef0ed134f8f5876910963adfcc4682e7feec47c4d

\Users\Admin\AppData\Local\X7Lb\slc.dll

MD5 79579574d4ea979ec311ff8d0c733d6c
SHA1 6cc43aae6d7f3d78e29edcf11217e5555bf6ce33
SHA256 159ebc612506caa598c587a44974c8f1ba2491b37f9e6fc1242f783d07afc577
SHA512 f0707f40d2b2d80b41be1b97c76ac0deee2a6b1ee96c346fea8755f19a466e22a965213d80c4457a3b71a5afd5fe2845137e7941b9be69cec99e7e935d8e12d5

C:\Users\Admin\AppData\Local\X7Lb\slc.dll

MD5 5173411e0064dbb608cd39124e268a26
SHA1 6c7dd83f9a6c10afd5c4f73b48123c0c260cf70e
SHA256 dbe77ca73fd6fff8dd06e96d6f656262beedb0270999b60ad67bd95dda52e01a
SHA512 210959f8ad6048a03a1796ce8d75655369242ec357e0e7340f0da34fe688a238f11a3e2474542b0a818042f980ef8c59f3e6c4eddfa27c6d1e145adef4b205b1

\Users\Admin\AppData\Local\X7Lb\rdpinit.exe

MD5 12a30fcd333a91180ecf38b11267c49f
SHA1 ce2717b031361dcaf6311d7d65f62ce37b88dd71
SHA256 77ef5f555513d45abd6d3368fd5cca5b40201fbf73739f3920fbde601863b495
SHA512 d8e91942faf3679f947ff63b7d829ed788cc4f59027be6589809f7d1ad87a8965014ab455e15c1bce790ae44bcfaff62c91ea3ea662040f1918f8435bd5d5365

memory/1668-76-0x0000000000270000-0x0000000000277000-memory.dmp

memory/1668-77-0x0000000140000000-0x0000000140172000-memory.dmp

memory/1668-81-0x0000000140000000-0x0000000140172000-memory.dmp

memory/1200-14-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-13-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-12-0x0000000140000000-0x0000000140171000-memory.dmp

C:\Users\Admin\AppData\Local\X7Lb\rdpinit.exe

MD5 559b54af8e4506e1f8f6431f14460b4b
SHA1 746cfff6b81e1da80164c06ab1e40d9724171b95
SHA256 b2f0ccfe2c2c3eb6b55e3de4714cda368c4b4e444f2b1730731b95dee260e03b
SHA512 accaff1e47aaf585947d3e2732422ccf8004a19757f6ef1497fbc781545d2201c0b2e9d03411b291b81991a89cea042704f4076b1c7540f7026130d80d7db198

memory/1200-10-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-9-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1528-8-0x0000000140000000-0x0000000140171000-memory.dmp

memory/1200-7-0x0000000140000000-0x0000000140171000-memory.dmp

C:\Users\Admin\AppData\Local\eZHAG1K0f\msinfo32.exe

MD5 43fb0b3fd2ca6c54b0180319d18969c0
SHA1 e898d7f4a602eb4ab2dc6b6bbfca709705fd6779
SHA256 437905e8fcb6d42ae1edb311c87b3b353102bf6b8d6a60aa5bb244dc40bcffc4
SHA512 f2098639a4b6fd9d0c36cf8ecdc66b313f68ec1c91734f455734f8d7fc3a35114648dd464460dae92dd336308c1b31b88a4dfd5fdb5712fb395e8267d06927a0

C:\Users\Admin\AppData\Local\eZHAG1K0f\MFC42u.dll

MD5 00416f5774cdfc9218335096f620775f
SHA1 af00e394daeac684e17a91bf8c6477b9bb627bd5
SHA256 41975588d309c2c383dd0fd01ae67ea8e4b894bba7d9ad024af8ed40dda8969d
SHA512 213dc029c2c76f2d4e6676fa359d15390597bbe6473aa9c197f3f2d1487884f7fd73f0ba72a3ef85aff44d00358bbbc6a7bbcc76b8aa6a0fbaf55a4ce18b1856

\Users\Admin\AppData\Local\eZHAG1K0f\MFC42u.dll

MD5 432422bd9ea2566f5576398e0bbf075c
SHA1 63c3e46e2a49ccfec69a7dd25b6d5baeebbfec04
SHA256 f89845bc8cd25e479628d4dad76045cabf59981661579f65454fe0983ce1df2e
SHA512 08bc429cbd70eeb9e798abed237bad56dec99cbd04fd3e823a8ee3eb5ac9297d4fe38b6f4099588417a903b7d1eb202a6643c718bb6ab515be4b3f15b7789a1a

\Users\Admin\AppData\Local\eZHAG1K0f\msinfo32.exe

MD5 f36714564f709d7cf6d07b9592a89bda
SHA1 587911eac0f84eb562e38809db25fbc8a57f3edf
SHA256 3679ae1fe2ae7496c672a296165924dfd61dacef3f2bd6d81f4c6a9a12204f90
SHA512 b381c88a2af5bfe15a40d4f7c05a00de65ab05f520a2e74cf2306c441b1fc6fb3a5658f44741216561b2408ba38c736f79cf64fe50ada72721582b3d10e6802f

memory/3004-99-0x00000000000F0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\eZHAG1K0f\msinfo32.exe

MD5 d291620d4c51c5f5ffa62ccdc52c5c13
SHA1 2081c97f15b1c2a2eadce366baf3c510da553cc7
SHA256 76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae
SHA512 75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

\Users\Admin\AppData\Local\myrziZR\WFS.exe

MD5 3bf061186cad5815914a7dac398607cc
SHA1 8041c076891009c14adf6cb920cee6859ce0d32b
SHA256 a5047db5b5ae401bc585dd3a16371f887b2c2c49c7ec8c280f474b7692c94740
SHA512 68042d4e64958c2185a244be472be027d6d234344d035004cd26300063fad5a99da46859efa5581768bb6fcc679d09b35a8eff90e232ba6bf22f5b5413fdf268

\Users\Admin\AppData\Local\myrziZR\MFC42u.dll

MD5 38afb8be72773e0429430cd86dabf085
SHA1 844cf223933f423cbe58fbb33a4ef922a7fc6370
SHA256 aada2aae1e0a98389c08799c9130931b52d2876549f64c631b1034c7491ddd4b
SHA512 2f37d66abe5defa4c5c58264447d925f2667cd09ce3fede0db41e825ac686016131f7d04b6eac82449e3cfcccd3a49e156a9d624c1c6ed7e6a58b9d915bc9210

C:\Users\Admin\AppData\Local\myrziZR\MFC42u.dll

MD5 acfeff781899e0a005c92ccfe6c9a39e
SHA1 664fd611a3df68931c9bc9f973b05c4fe4c2ece4
SHA256 ec0f0470d38d35e84963491d389e8f845d597af46e89eef1ba19bba6a067e92c
SHA512 f402436d89a0ca51441e65a698cf00004966f25e66bca3e332fffa16e09873d03777ab9617331ed8d56e938a06b7e7c725648182d62384dc8414305688ecc0c4

C:\Users\Admin\AppData\Local\myrziZR\WFS.exe

MD5 fee4f9d9d74354142aac98770d0748e6
SHA1 5f4b77633af602c6dd2b97615786dc9cd57f029f
SHA256 c74397bcf477d88a12404add16a1df7308f00da62aa1e6acb3baa0e032be86fc
SHA512 ff53cd36e028ab613a1e4e18bfcee936bf2e3c2028eedbcb9e65874ac6617d025fd60757176d49e0e06573be72928d95e54cff0d8536f76c9b726daf742ef7b4

C:\Users\Admin\AppData\Local\myrziZR\WFS.exe

MD5 6c0b23ec2e4552a16e4d0ff83ff40ea5
SHA1 48add900c0559e3830f651b494d409c37378dd26
SHA256 06324c862c62328ae68b3c0f93cdd71e20f5047e80cf4a0a9bfe4a8009f4a7a9
SHA512 a6ce6ce593f18466766a5c66f73214fd5a56eb4a85bf065ea660a390ee83f5feb2944389106713485a649cc62229cd8ab6075d7cafa697a8041fb75c2bbeb1fc

\Users\Admin\AppData\Roaming\Mozilla\Extensions\xGyyLlqM\WFS.exe

MD5 1a76d85158b734f7357103c90cad9b73
SHA1 b4a9030b2711bb9e56b548e8dd9b08f682403805
SHA256 102f26ca9d0196beb7fb54f66cefd6667abbcf5ab2cef57c98de88829045e267
SHA512 7e267541ae3d8a252009ecea926c930403a8209d74658689234ba863505c1aaa3494355c305573cce3d14eacb87ed8777ba04e5b018a0379a9cd5a6ef7eaad19

memory/1200-142-0x0000000076DE6000-0x0000000076DE7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 9b36008b2ce6f4d593ec07699883acaf
SHA1 1131ded0cf192d78bddf8d9324f4eb391fd80dc8
SHA256 af94080d15fc5071bd13a2f81ef7f3b095a7a8e36d77c8da0ca1394b4ef55b5b
SHA512 89c2528e9cc3045c8617d54657da84caceaf91a344bc81b9be10df41cc284e77aedbfa65041c04b322a1964c3f4824051eacab4543e8a74e42b445b8296af449

C:\Users\Admin\AppData\Roaming\Media Center Programs\JWywD6BqRfr\slc.dll

MD5 ca420f862904eb843e943b4752c8eed0
SHA1 0a95a18e47509144521ba4599e35d4e18930b4eb
SHA256 8135fcae553925f0c2efa6494840ae0128c7d488a76dcffb08849a8b65279a19
SHA512 e60f274f5851e732634e866a91c99bf04128ee8fb3bf440715b7924905c977d88e2d71b7d17d50a0f8d137ee870b376184175cf58c63647ba4967e25ad7b8390

C:\Users\Admin\AppData\Roaming\Media Center Programs\JWywD6BqRfr\8Y99qZBkGHr\MFC42u.dll

MD5 9b584132795e4e41eff53163e8b27eda
SHA1 3012ef892a813c25f434841e516409999b94e506
SHA256 3cf0aa9cc0a94d8bd939461f86330be6064b6130e58bd8594df197be3e9abd90
SHA512 239500aa4a4f51c13dcabfd2077b6640a61eb5594b9a8fd2327b67312489bc76cc0db403f4535712eef2b9ead48073279e01530be1e1c8eda1bfe740a31d58b1

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\xGyyLlqM\MFC42u.dll

MD5 0ef0fe25e7431ffb00383f1ee1ddd440
SHA1 49b1e669af0caf8bf549cd25da482b1bb950f0fb
SHA256 8f33100b220dc6ad4756ae243ee4830190e1fac8bcb2fdb3adcfe7e0726a51e7
SHA512 d7dae24e8a9ac969569f120cdecfd72ebe2321d93cec41229611afab78fdff4903f1c3aed78900dc2fc1a0f4bf18b39811db6ce3d1932a60d2cc6def81c39e7c

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 06:41

Reported

2024-01-01 06:07

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1148c244776cff187360131fd499ba07.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\c40\\SysResetErr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\p8B\DeviceEnroller.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\JQMGwsW\SysResetErr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\TxVHCdhm\SystemSettingsRemoveDevice.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further hits recorded with no process attributed)

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3488 wrote to memory of 464 (2 writes) N/A N/A C:\Windows\system32\DeviceEnroller.exe
PID 3488 wrote to memory of 2964 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\p8B\DeviceEnroller.exe
PID 3488 wrote to memory of 1420 (2 writes) N/A N/A C:\Windows\system32\SysResetErr.exe
PID 3488 wrote to memory of 3332 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\JQMGwsW\SysResetErr.exe
PID 3488 wrote to memory of 4992 (2 writes) N/A N/A C:\Windows\system32\SystemSettingsRemoveDevice.exe
PID 3488 wrote to memory of 2216 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\TxVHCdhm\SystemSettingsRemoveDevice.exe

Uses Task Scheduler COM API

persistence
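The Run-key, dropped-file and Startup-folder artefacts from both runs (the "Adds Run key" rows and the "Files" sections of behavioral1 and behavioral2) can be triaged mechanically. The script below is an added example written for this page, not sandbox output and not Dridex code: it takes the paths printed in the two Files sections (drive-less duplicates such as \Users\... merged into their C:\ form) and the two Run-key values, flags the side-loading layout (a System32 binary name outside System32 with a DLL beside it), and expands the 8.3 short components of the Run-key data against long names seen elsewhere in the report. The System32 name list and the 8.3 stem rule (upper-case, spaces and dots removed, first six characters, then ~N) are simplifying assumptions; a real deployment would derive the name list from a clean image and resolve short names on the live file system.

```python
"""Triage of the dropped-file and persistence artefacts listed in this report.
Added example: inputs are copied from the report; the logic is not Dridex or sandbox code."""
import re
from dataclasses import dataclass

# Executable names from the report's process lists that belong to System32 binaries.
# Assumption for the demo: a real deployment builds this set from a clean reference image.
SYSTEM32_BINARIES = {
    "rdpinit.exe", "msinfo32.exe", "wfs.exe",
    "deviceenroller.exe", "sysreseterr.exe", "systemsettingsremovedevice.exe",
}

# Constructed from the report's "Files" sections (paths only, hashes omitted).
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\X7Lb\rdpinit.exe",
    r"C:\Users\Admin\AppData\Local\X7Lb\slc.dll",
    r"C:\Users\Admin\AppData\Local\eZHAG1K0f\msinfo32.exe",
    r"C:\Users\Admin\AppData\Local\eZHAG1K0f\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\myrziZR\WFS.exe",
    r"C:\Users\Admin\AppData\Local\myrziZR\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\xGyyLlqM\WFS.exe",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\xGyyLlqM\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\Media Center Programs\JWywD6BqRfr\slc.dll",
    r"C:\Users\Admin\AppData\Roaming\Media Center Programs\JWywD6BqRfr\8Y99qZBkGHr\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\sZFTR2yF\DUI70.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk",
]

# Constructed from the report's "Adds Run key" rows: value name -> data as written.
RUN_KEY_VALUES = {
    "Niubkzso": "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\JWYWD6~1\\8Y99QZ~1\\msinfo32.exe",
    "Hwtkseldaftjsj": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\c40\\SysResetErr.exe",
}

SHORT_COMPONENT = re.compile(r"^(?P<stem>[^~\\]{1,6})~\d+$")  # e.g. MEDIAC~1


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    detail: str


def short_stem(long_name: str) -> str:
    """First six characters of the 8.3 alias Windows generates for long_name
    (upper-cased, spaces and dots dropped). Assumed rule; covers the common case only."""
    return re.sub(r"[ .]", "", long_name.upper())[:6]


def expand_short_path(path: str, known_paths: list[str]) -> str:
    """Replace 8.3 components (MEDIAC~1) with the long name they abbreviate when exactly
    one long component seen in known_paths has that stem. Unknown or ambiguous
    components stay as written: the ~N ordinal cannot be resolved offline."""
    by_stem: dict[str, set[str]] = {}
    for known in known_paths:
        for comp in known.split("\\"):
            if "~" not in comp:
                by_stem.setdefault(short_stem(comp), set()).add(comp)
    out = []
    for comp in path.split("\\"):
        m = SHORT_COMPONENT.match(comp)
        candidates = by_stem.get(m["stem"].upper(), set()) if m else set()
        out.append(next(iter(candidates)) if len(candidates) == 1 else comp)
    return "\\".join(out)


def side_load_candidates(paths: list[str]) -> list[Finding]:
    """A System32 binary name outside System32 with a DLL in the same directory: the
    search-order hijack layout (the application directory is searched before System32)."""
    by_dir: dict[str, list[str]] = {}
    for p in paths:
        directory, _, name = p.rpartition("\\")
        by_dir.setdefault(directory, []).append(name)
    findings = []
    for directory, names in by_dir.items():
        if "\\windows\\system32" in directory.lower():
            continue
        dlls = [n for n in names if n.lower().endswith(".dll")]
        for n in names:
            if n.lower() in SYSTEM32_BINARIES and dlls:
                findings.append(Finding("dll-side-load", directory + "\\" + n,
                                        "co-located DLL: " + ", ".join(dlls)))
    return findings


def persistence_findings(run_values: dict[str, str], paths: list[str]) -> list[Finding]:
    """Run values launching a relocated System32 binary name from the user profile,
    plus any shortcut dropped into a Startup folder."""
    known = paths + list(run_values.values())
    findings = []
    for name, data in run_values.items():
        target = expand_short_path(data, known)
        exe = target.rpartition("\\")[2].lower()
        if "\\appdata\\" in target.lower() and exe in SYSTEM32_BINARIES:
            findings.append(Finding("run-key", target, f"value {name!r}, written as {data}"))
    for p in paths:
        expanded = expand_short_path(p, known)
        if p.lower().endswith(".lnk") and "\\startup\\" in expanded.lower():
            findings.append(Finding("startup-lnk", expanded, "shortcut in Startup folder"))
    return findings


if __name__ == "__main__":
    for f in side_load_candidates(DROPPED_FILES) + persistence_findings(RUN_KEY_VALUES, DROPPED_FILES):
        print(f"{f.kind:14} {f.path}  ({f.detail})")
```

Run directly, it reports four side-load directories (X7Lb, eZHAG1K0f, myrziZR, xGyyLlqM), both Run values and the Startup shortcut. STARTM~1 in the shortcut path stays unexpanded because no long name on the page has that stem; guessing the ~N ordinal offline would be wrong more often than right, so the function deliberately refuses.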

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1148c244776cff187360131fd499ba07.dll,#1

Each of the following was started with its own path as the command line (listed once):

C:\Windows\system32\DeviceEnroller.exe

C:\Windows\system32\SysResetErr.exe

C:\Users\Admin\AppData\Local\p8B\DeviceEnroller.exe

C:\Users\Admin\AppData\Local\JQMGwsW\SysResetErr.exe

C:\Windows\system32\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\TxVHCdhm\SystemSettingsRemoveDevice.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

The traffic above is consistent with Windows 10 background activity (g.bing.com, tse1.mm.bing.net and the reverse-DNS lookups) plus one TCP connection to 138.91.171.81:80 with no DNS name and no owning process recorded. The report does not establish that connection as command-and-control, and the Windows 7 run produced no traffic at all; verify the address independently before treating it as an indicator.

Files

memory/4672-1-0x0000016292B00000-0x0000016292B07000-memory.dmp

memory/4672-0-0x0000000140000000-0x0000000140171000-memory.dmp

memory/4672-7-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-9-0x00007FFE81BDA000-0x00007FFE81BDB000-memory.dmp

memory/3488-8-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-10-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-11-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-12-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-13-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-15-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-19-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-24-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-31-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-38-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-44-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-51-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-43-0x00000000077D0000-0x00000000077D7000-memory.dmp

memory/3488-63-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-52-0x00007FFE835C0000-0x00007FFE835D0000-memory.dmp

memory/2964-72-0x0000000140000000-0x0000000140172000-memory.dmp

memory/2964-78-0x0000000140000000-0x0000000140172000-memory.dmp

memory/2964-73-0x00000251C63C0000-0x00000251C63C7000-memory.dmp

memory/3488-61-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-42-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-41-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3332-95-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3332-90-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3332-89-0x0000024414050000-0x0000024414057000-memory.dmp

memory/3488-40-0x0000000140000000-0x0000000140171000-memory.dmp

memory/2216-109-0x00000271DDB60000-0x00000271DDB67000-memory.dmp

memory/3488-39-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-37-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-36-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-35-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-34-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-33-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-32-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-30-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-29-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-28-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-27-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-26-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-25-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-23-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-22-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-21-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-20-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-18-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-17-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-16-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-14-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-6-0x0000000140000000-0x0000000140171000-memory.dmp

memory/3488-4-0x00000000077F0000-0x00000000077F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\sZFTR2yF\DUI70.dll

MD5 b67edb71054a7159e90ad5d93fae15f0
SHA1 b8517369d72bb7addcb753e273fba2acc84ddbef
SHA256 a82b297a87896ca038b4095e4b0eb7993b26bb40aa16d3aca0f6ae7fa302db64
SHA512 554d8b910f61b2876477b2463bf84edd1d9efaed97a46075fc599c99c4bd01dd662334917026e6757be2fa86d7bba9cf08bc5fffe91d67d64b2e003454d29de9
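The dump names in the Files sections encode PID, dump order and address range, which is enough to reconstruct the order in which processes received the loader image without opening a single dump. The script below is an added example written for this page, not sandbox output: it parses that naming scheme (assumed to be exactly memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, as printed above) over a constructed subset of the Windows 7 dump names and reports, per PID, the first dump of an image at the x64 default base 0x140000000 and that image's size, plus every PID holding a 0x7000-byte region. The many repeated 1200 image dumps are reduced to one representative; the full list only adds repeats.

```python
"""Reconstruct the injection chain from sandbox memory-dump file names.
Added example for this page; dump names are copied from the report, the parsing is ours."""
import re
from typing import Optional

# memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp, as printed in the report (assumed format).
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

X64_DEFAULT_IMAGE_BASE = 0x140000000  # link-time base of a 64-bit PE image

# Constructed subset of the behavioral1 (Windows 7) dump names listed above.
WIN7_DUMPS = """
memory/1528-0-0x0000000000230000-0x0000000000237000-memory.dmp
memory/1528-1-0x0000000140000000-0x0000000140171000-memory.dmp
memory/1200-4-0x0000000076DE6000-0x0000000076DE7000-memory.dmp
memory/1200-7-0x0000000140000000-0x0000000140171000-memory.dmp
memory/1200-45-0x00000000029D0000-0x00000000029D7000-memory.dmp
memory/1668-76-0x0000000000270000-0x0000000000277000-memory.dmp
memory/1668-77-0x0000000140000000-0x0000000140172000-memory.dmp
memory/3004-99-0x00000000000F0000-0x00000000000F7000-memory.dmp
""".split()


def parse_dump(name: str) -> Optional[tuple[int, int, int, int]]:
    """(pid, dump index, start, end) from a dump file name, or None if it is not one."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    return (int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def image_timeline(names: list[str], base: int = X64_DEFAULT_IMAGE_BASE) -> list[tuple[int, int, int]]:
    """Processes holding an image at `base`, as (first dump index, pid, size), ordered by
    when the sandbox first dumped it. Same size in a later pid means the same image was
    carried over; a different size at the same base is a different module."""
    first: dict[tuple[int, int], int] = {}
    for pid, idx, start, end in filter(None, map(parse_dump, names)):
        if start == base:
            key = (pid, end - start)
            first[key] = min(first.get(key, idx), idx)
    return sorted((idx, pid, size) for (pid, size), idx in first.items())


def regions_of_size(names: list[str], size: int = 0x7000) -> list[int]:
    """PIDs in which a non-image region of exactly `size` bytes was dumped, in first-seen
    order. Every process in this report's chain carries one 0x7000-byte region."""
    pids: list[int] = []
    for pid, _, start, end in filter(None, map(parse_dump, names)):
        if end - start == size and start != X64_DEFAULT_IMAGE_BASE and pid not in pids:
            pids.append(pid)
    return pids


if __name__ == "__main__":
    for idx, pid, size in image_timeline(WIN7_DUMPS):
        print(f"dump #{idx:3}: pid {pid} holds 0x{size:x} bytes at 0x{X64_DEFAULT_IMAGE_BASE:x}")
    print("0x7000-byte regions in pids:", regions_of_size(WIN7_DUMPS))
```

On the Windows 7 subset this yields 1528, then 1200, both with a 0x171000-byte image, then 1668 with a 0x172000-byte image at the same base: the loader moved from the rundll32 host into 1200, and the process 1200 wrote into (the X7Lb\rdpinit.exe copy) ended up with a differently sized module at 0x140000000, as expected when the side-loaded DLL rather than the original loader is what runs there.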