Malware Analysis Report

2024-11-30 21:30

Sample ID 231230-nm6e5sbcf8
Target 1732a5c98ec8eaaf345b95acba0d06e4
SHA256 5ba39417a43ac8190e9251866b1049b3eebd029c8856d93e77649f62549d3ff8
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

5ba39417a43ac8190e9251866b1049b3eebd029c8856d93e77649f62549d3ff8

Threat Level: Known bad

The file 1732a5c98ec8eaaf345b95acba0d06e4 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-30 11:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-30 11:31

Reported 2024-01-03 08:04

Platform win7-20231215-en

Max time kernel 151s

Max time network 124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1732a5c98ec8eaaf345b95acba0d06e4.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\dB4N4NewFS\\winlogon.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 1772 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1272 wrote to memory of 1772 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1272 wrote to memory of 1772 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1272 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe
PID 1272 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe
PID 1272 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe
PID 1272 wrote to memory of 1808 N/A N/A C:\Windows\system32\winlogon.exe
PID 1272 wrote to memory of 1808 N/A N/A C:\Windows\system32\winlogon.exe
PID 1272 wrote to memory of 1808 N/A N/A C:\Windows\system32\winlogon.exe
PID 1272 wrote to memory of 2028 N/A N/A C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe
PID 1272 wrote to memory of 2028 N/A N/A C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe
PID 1272 wrote to memory of 2028 N/A N/A C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe
PID 1272 wrote to memory of 588 N/A N/A C:\Windows\system32\icardagt.exe
PID 1272 wrote to memory of 588 N/A N/A C:\Windows\system32\icardagt.exe
PID 1272 wrote to memory of 588 N/A N/A C:\Windows\system32\icardagt.exe
PID 1272 wrote to memory of 268 N/A N/A C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe
PID 1272 wrote to memory of 268 N/A N/A C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe
PID 1272 wrote to memory of 268 N/A N/A C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1732a5c98ec8eaaf345b95acba0d06e4.dll,#1

C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe

C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\winlogon.exe

C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe

C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe

C:\Windows\system32\icardagt.exe

C:\Windows\system32\icardagt.exe

C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe

C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe

Network

N/A

Files

memory/2408-0-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2408-1-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-4-0x0000000076F36000-0x0000000076F37000-memory.dmp

memory/1272-5-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/1272-8-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-9-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-13-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-12-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-16-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-14-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-15-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-17-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-20-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-23-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-22-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-21-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-19-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-18-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-24-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-25-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-26-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-27-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-30-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-32-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-34-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-35-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-39-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-40-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-41-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-43-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-46-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-50-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-52-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-51-0x00000000029A0000-0x00000000029A7000-memory.dmp

memory/1272-49-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-47-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-48-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-59-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-60-0x0000000077141000-0x0000000077142000-memory.dmp

memory/1272-63-0x00000000772A0000-0x00000000772A2000-memory.dmp

memory/1272-44-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-45-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-42-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-38-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-37-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-36-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-70-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-33-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-31-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-28-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-29-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-11-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-76-0x0000000140000000-0x0000000140212000-memory.dmp

memory/1272-10-0x0000000140000000-0x0000000140212000-memory.dmp

memory/2408-7-0x0000000140000000-0x0000000140212000-memory.dmp

C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe

MD5 6d46216e8a91b9abe632e8e9989b30fe
SHA1 0736f51b8522b123e12cd5d6de0cfd0d41048a78
SHA256 2c12c9234eb173db4384207536bdba5e6b968dea0f22bd0a1c26c035b7a6ca73
SHA512 883a3c4cef8996a73d9ee53b08fec87fc3ccbe2802f59062246b14c9cfff09b10234d5e63339054a3b02928b841e6186da525c1d577bcf72d8867ed7ae1cb533

\Users\Admin\AppData\Local\NPVSt\srvcli.dll

MD5 469792a7038883d108de7d748e9a5b6e
SHA1 3dc48636b63d6c3f8b5b419f071cfd54e7628416
SHA256 a4fd872eda65620716c46ae1d109a64a81ae38e42e1ecc9478e40da261d1974c
SHA512 2788f85146ad5e748bd374936ccf31636ad931f3ee970cbb992dc919cb4911a53daf4373b2a29751afd8383235b5e8f051f2b68fe3485a090ad25ef9f623baa2

C:\Users\Admin\AppData\Local\NPVSt\srvcli.dll

MD5 a5f9e3064e69d7a4e453ed966cd04b54
SHA1 7f68acec80ef23e371ff408b876afde36d66b79d
SHA256 a2e46a374502c77c6033f7a2caf61d4e2dc1c6fb1e32ac10e014430f57de0e99
SHA512 2dd204e3f5a75e8e169d98879439d72ce58f33e8c9846f707dce5af373272b1d92ea26b80c8146488a75661f0d8c1025b83bc7fd44fa1ed99e763016805e6cd4

\Users\Admin\AppData\Local\NPVSt\shrpubw.exe

MD5 bc426482fb02f7e4fc4a597da923c46f
SHA1 c887f332a4097b4b52e5019e8a23ad0e0f7131e1
SHA256 cceb3ca66184e8269a1de6a884b308d37b64d988af1b52d5e4f03f1a20a68153
SHA512 92f65d2360c1c2e94580a945f2b9dfd7daead7c2b7e80e7f942cbdc311fd9decf67b7076101eaf3bce47a189e0f2664e48706beefd40be6b004b364cf2d598ef

memory/2620-88-0x0000000000130000-0x0000000000137000-memory.dmp

C:\Users\Admin\AppData\Local\NPVSt\shrpubw.exe

MD5 d5f4e9a4175a33acedca7ad70d452f37
SHA1 d1699a7188aaef030b2ee330e8d40d50fce0b7e1
SHA256 f3fdf127a92322f1df17800c03408fd0a99e3ebc18ec06acaade3697b155139d
SHA512 50539c2aaaaf97edf670e992ff3a8c8d4dd1cbf3e3d143c2cf10b128994e50d9d746e159052c877ac08853cafa5d5a157cc701f474f4c31b87f903153a4c35f4

C:\Users\Admin\AppData\Local\74EoYSNwZ\WINSTA.dll

MD5 0f6f4ca76c22f72a77ca75e7a2328fa5
SHA1 7b5fbb4ef5d8f7f4be37c72912064ce4ab1cbc1a
SHA256 252da9e06e4c8ccdf3a7738b48e2c548ddd4d52855fbafa02b6f2ce6793202d1
SHA512 d6011d61cd00fc54a4a6e5474a5fff4e8364b381dd7d7eb8859f34382bba62c5a5127564df40cb08cd3b5e98cff14adc27c54277b664d0bcbcbcf8b401e83b85

\Users\Admin\AppData\Local\74EoYSNwZ\WINSTA.dll

MD5 d2407b5c2d7fa0be735117401ecd32a1
SHA1 e7952d66f90887a99146c88319c7c452252f9deb
SHA256 a36503f29dbb1bf4163481ff7a750d0894aec59310a6ecbb965e0297a8cefa44
SHA512 a7e05428323340e8494ccb65b5300a88167f7a0fac7cf4450fd97040752ba81845acb651803c5d8a1386e0d557cdd09a9e5b36fdb8110948ee5bea97d886fa89

memory/1272-109-0x0000000076F36000-0x0000000076F37000-memory.dmp

memory/2028-111-0x0000000000310000-0x0000000000317000-memory.dmp

C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe

MD5 e323d64e62b24cb1a7a9a1f7500d680d
SHA1 1480be3c11b8075ed4cb93acf4b03428255481b5
SHA256 d56abd632a6b82408cf0cd236facf4a2731feb1d4d38957ea0689365fb34f43c
SHA512 c20fc228a11a530794661bbce6681dbcb8580d23198152206221222e9655448239524d4bffe47d0843c8c36a62b623fd847c720bebc929e311b8f4aed2f36730

\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe

MD5 0edc3c681983b7710885d2ff2958bba8
SHA1 a7b76898f9345cffca260a6b88e559389b46dc0c
SHA256 ea0aa0807243fb4e7bd0ab59e3e665c65d452a7ce189a7c96b89116af49553fd
SHA512 f2a42b1b44e57b9c17d031b59f386ce363f816a2f4a10bd0656170dffa80b11421e9ce1699d9645273c8ce943c93b9cbc6cd79535e78e9861c9bca1925742e36

C:\Users\Admin\AppData\Local\74EoYSNwZ\winlogon.exe

MD5 913c6750cf6b5c542879cc1281ccbaa6
SHA1 713c702ca708e2444575b187cb4b3c59c86fce10
SHA256 de8fcdd72915ae1565d8a2e97f28a325418fd609623a04d9388081fe055903c1
SHA512 dcb6df9ef99d86ffd74bf115fdda3cc18c7cf9c7b7289737078db5a3772bce507b40ec46850d64ee02df34db7fd4cab2cf4d7e3c4504ca902b613d6f8f1f121b

C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe

MD5 07dac92b5e966297efb65deb6a59bcdc
SHA1 e27a40a56630dfa1c6e406d5ebb62c726476e938
SHA256 426535c1ad94cdb625035de0bb3f945f1734b28f8bf06063817f566a7c0bdc4c
SHA512 30ced6eb0a97d983e945ec22f29f7994fff76ee4e37a677b6201fa62800596d0a65b22949dc30f306229f709038c91197cf4f137587778eeea8e440f0c3fadfd

C:\Users\Admin\AppData\Local\yLuKd\UxTheme.dll

MD5 26b496852655819ba49217c56e8fb743
SHA1 5f830184c0d5445881df12f006d1508075ecaae8
SHA256 5431af54babc079160f1ad83de605e3955185bf5c0d73a5b8aa6daa15d879d03
SHA512 8607f2119ce21a641fc6045ec58f8e8a494e3d051a120573f5927118f42856bc2cfbf6397ebf894925dd4d169e944ff7387e748c2fbc5c7620974dadb9d3b9f5

\Users\Admin\AppData\Local\yLuKd\UxTheme.dll

MD5 462fc7cbc4fc9167d7a28a3a425ea467
SHA1 064454ab1749c1c95fa62fe38b948ae1df03f6fe
SHA256 0a37f365009554ad7bd19f1170708009a8f94e5abb814547ddd4fea55794c5ee
SHA512 82b75861ad76c4b92e44e9ff606e7f57bff1e7793120400830ebfa5f1674f9489f0319e73cafa5e4116d622c8bd68b6bcfbbf33e8d242558e4cd441bdc979fc6

\Users\Admin\AppData\Local\yLuKd\icardagt.exe

MD5 b00b88c1b1a6a31b59be3a16d2614e24
SHA1 c56d5526c128e769041521ca6960368212dc6a4b
SHA256 2526b410dc42931011c1a3b89ebbf595354d34ccbc628f3767c53ee88c4b90cb
SHA512 f7e774cc645cc3bc329f09695cd64c232631980e6b6ac884dc2d709606aa4e8509afc4f2d0be327b7553d116ac9bc924bd9e27f0329bf5707a0430488c9c7b70

memory/268-131-0x00000000001A0000-0x00000000001A7000-memory.dmp

C:\Users\Admin\AppData\Local\yLuKd\icardagt.exe

MD5 11fe443f287e8eecba59bc40ee1ee96b
SHA1 d91274fb5846bbd7266d5b281cd20cbd9a9dc98a
SHA256 c9538c7671de2846dbe5ad3afd885bf14c114f7661d30f09c01a6e94eb3b9c05
SHA512 adb5c2f174703934d8f7186e39f453f1989a700c351f3e9443e5826f0951ee72aebbd0ed53e68094e55ea279de9476e3eaab634bd078c8654fd0752d201a4160

\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\ovarRR\icardagt.exe

MD5 36e7c7232caef1de2e8b558edeae3dee
SHA1 f8408966990a1158c25a8d689644c255f6c57658
SHA256 81bd443fb394485b3946c131df9f10cbb87c708088f69f3ad549c2fe8678ed00
SHA512 2e267b1e044ee3e90017f17da6070eb759e8959a6abe5fe21739a56d45287f2c3679717723b7430c6165a10810434098e3f6e400f3052a548bbefad173ee2257

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

MD5 042ca93ea07fcfe8bf54e9b5b637e8f5
SHA1 cb46c5fcc50035493b1b46d3f949ba6622f88d50
SHA256 945f6f2a465264343dd9de44b8db6b84bf05d504a88f6abdbd97403522783267
SHA512 7a6bbb2fbbdea0ee47ce6ea55631842e570591a18fd35a7f969ab29b6bdcc40a7f7be5414b4785eb6e71905b97d47d8a27cf1a4605f366351a0f687a8b654165

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\r2F\srvcli.dll

MD5 1762f6e525a8e5671b5d8648d2eaae72
SHA1 11243360531e0187102d08c13fe4fd69907df8e5
SHA256 27fab2358f7fa8d5f489d39d24ee347d9383f9d28a12f7f892d24402402a837b
SHA512 4944d8a46d337c367211c10a794ee97c32ebd9d7ba8161a2eea745c4e2bb43bb66f778e59af201d06acfdcbd4a0ffa61f1b6b3925efd6ef1c6e4a341ad2ebcfe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\dB4N4NewFS\WINSTA.dll

MD5 34a8b40b846ffa0c21e15d5a530c7dbf
SHA1 3603ac5af1bc1794671c15068173817a2fa569f6
SHA256 f80bb0a49bb41f13f577fe904f086ad245d621592c9174006fd2f46b91d2f742
SHA512 47e539dca1966d5998ff8dc83059e9ff483467f9c887dbe07e8412885b1553d590f22ac05c14f33b3280cd71b99fe72dd368695ace542033ceffe0f5a0b3b887

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\ovarRR\UxTheme.dll

MD5 bdd5b8575cc81a61626ec62b02044109
SHA1 8e4b70057d5a6efd1fcb02c9b85675dacaeafe12
SHA256 6cd914e80312f79b02ceaa39796e7ae2a7bb48ad6bee8162c844f224923bc0da
SHA512 6f56a0e662fda0e6ebd4e3c5640d6e2026454f128971c54464754b26d4b705f57f59c2e1e30c97939c4eec8d2272b3df2accd47985480d2972d756fe35c34d9b

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-30 11:31

Reported 2024-01-03 08:04

Platform win10v2004-20231215-en

Max time kernel 89s

Max time network 155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1732a5c98ec8eaaf345b95acba0d06e4.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\dr6A\\recdisc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WrkBC\cttune.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 4780 N/A N/A C:\Windows\system32\cttune.exe
PID 3368 wrote to memory of 4780 N/A N/A C:\Windows\system32\cttune.exe
PID 3368 wrote to memory of 4124 N/A N/A C:\Users\Admin\AppData\Local\WrkBC\cttune.exe
PID 3368 wrote to memory of 4124 N/A N/A C:\Users\Admin\AppData\Local\WrkBC\cttune.exe
PID 3368 wrote to memory of 2612 N/A N/A C:\Windows\system32\recdisc.exe
PID 3368 wrote to memory of 2612 N/A N/A C:\Windows\system32\recdisc.exe
PID 3368 wrote to memory of 2372 N/A N/A C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe
PID 3368 wrote to memory of 2372 N/A N/A C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe
PID 3368 wrote to memory of 3100 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 3368 wrote to memory of 3100 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 3368 wrote to memory of 100 N/A N/A C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe
PID 3368 wrote to memory of 100 N/A N/A C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1732a5c98ec8eaaf345b95acba0d06e4.dll,#1

C:\Windows\system32\cttune.exe

C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\WrkBC\cttune.exe

C:\Users\Admin\AppData\Local\WrkBC\cttune.exe

C:\Windows\system32\recdisc.exe

C:\Windows\system32\recdisc.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe

C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe

C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 92.123.241.137:80 www.microsoft.com tcp
US 8.8.8.8:53 137.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 87.248.205.0:80 tcp
GB 87.248.205.0:80 tcp
GB 87.248.205.0:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 137.71.105.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/3876-0-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3876-2-0x000001C1D5500000-0x000001C1D5507000-memory.dmp

memory/3368-6-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3876-7-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-12-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-14-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-18-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-23-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-24-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-27-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-30-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-29-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-31-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-32-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-34-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-33-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-35-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-36-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-38-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-37-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-28-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-26-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-25-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-22-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-21-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-20-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-19-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-17-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-39-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-40-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-43-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-42-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-44-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-41-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-16-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-48-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-50-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-51-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-52-0x0000000000390000-0x0000000000397000-memory.dmp

memory/3368-49-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-47-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-46-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-45-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-15-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-13-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-11-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-10-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-9-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-59-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-60-0x00007FFC56780000-0x00007FFC56790000-memory.dmp

memory/3368-8-0x00007FFC54AFA000-0x00007FFC54AFB000-memory.dmp

memory/3368-69-0x0000000140000000-0x0000000140212000-memory.dmp

memory/3368-71-0x0000000140000000-0x0000000140212000-memory.dmp

C:\Users\Admin\AppData\Local\WrkBC\OLEACC.dll

MD5 cc3280e57757e1ef0e746a112b3647b6
SHA1 9c62a2f872d15b16b34a5479d2bb4ebd579e233d
SHA256 fd97ed50abf79ee77e63795387cff838568a2018f5b50f262527a4dd874f72b5
SHA512 5790fa31492fd3127ea9e26ed65c316c0bb0b219bc122fd5f958247781acaed565a85c1ea43ea5ba77f00ded77975a8c81f885076ed1b88e32bddca61ae7b791

C:\Users\Admin\AppData\Local\WrkBC\OLEACC.dll

MD5 d5aa070d3bd68b109d07b34424741a48
SHA1 9021aefa72fcc1cb83ddfaa04121de0c09afb014
SHA256 7c29f591a0bc81849ca7ad66f9412d0b536c5658308e7714dc1d2d319573a6d4
SHA512 3325a08f044723333cfd311f5a844ac69f4b43302bdcd6aa73867b68f0a19f892db514b6e569772eded82b7931ef30516822fc221cf3f49b0eac704d1f0f059f

memory/4124-81-0x0000017328900000-0x0000017328907000-memory.dmp

memory/4124-80-0x0000000140000000-0x0000000140213000-memory.dmp

C:\Users\Admin\AppData\Local\WrkBC\cttune.exe

MD5 452dcdca7d693548387ad646e9b359d5
SHA1 ea74dabe00ad9336a5170aaed6f8704e7ddb4a06
SHA256 76906c623de4d96eaa9fce0ec48b1e8553e74d1306516cbc82e5b585897fc62e
SHA512 440a7354e8a949fe9d524d9e1122e23d2a10bfebcad5d3e993fc053c135708b8c01e36eab830227bebacb289135bfc69f6a8343e95fcaea74ffd4dc32c173c35

C:\Users\Admin\AppData\Local\WrkBC\cttune.exe

MD5 925e63c632b3bb7ad8d6cfba63c304c7
SHA1 14860b89a2f2b9be8d2b9ca7c6ba1d664374cc8d
SHA256 ea0a7c063def75de956bcf241ff8f447cc7a6e5c9828cca37dcbf768cc8d91df
SHA512 fcc1f286e5988ec2d2241e2ded1fc387b52e55399b6641b617d00c48332d819e08ce85f31982fdf683de6e129c9a2ad7ac31abd452f705c4de05b26433ca1b6d

memory/3368-4-0x0000000002310000-0x0000000002311000-memory.dmp

C:\Users\Admin\AppData\Local\WcmnPL\ReAgent.dll

MD5 8fdb754f8b1e656c5dfae7b9cb607048
SHA1 9af849cc5d8ee55a6cae16fa8dcf0f0da4877498
SHA256 7f8571f7bd13ec09c0de22661de9b4561c3cca89e39c999a49c98be187273499
SHA512 79ccded17816ed79f5f57c206a78802700f0773118d87fa9b80dd6a175890314ca3ad3eb0aa092f7e336807da3c040bd9fff17e6def7af1895d1841e0c56174f

C:\Users\Admin\AppData\Local\WcmnPL\ReAgent.dll

MD5 e245fccef6aa30de779a797c646db893
SHA1 565bdea4a9ea9ee89112bdb46bd628ac08b856b6
SHA256 4b8600d278fbf40a370729c6279fe076552c9af27178937925bb8121bb4e8822
SHA512 b6c7377b1ce7dba2abdab7490cf5905a6112620f3b892439aee51bed67748fc6c5211959eb9d1351abbc75eff5c1a246d3f99463f30378585932ddb7a91171be

memory/2372-97-0x000001F2F88B0000-0x000001F2F88B7000-memory.dmp

C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe

MD5 dec457cd983decf93ba56bc2cc3634ad
SHA1 e74f9fe78eb3576c188a4c53ea33b75c6098878c
SHA256 ca751a359bfc1d8e981f34bbd110615426883637af5dd75da5d242fc30a2fc5d
SHA512 ad95b00f19f0c0910c17b204035d76a8abf3b49e82ab9cd13d7fbc3250b42f94c6c054e513f3063c197793be6c67019af08257aed520c0f1215be2699503c5c2

C:\Users\Admin\AppData\Local\WcmnPL\recdisc.exe

MD5 3bd0f2898ece531fbcf368e5224b47aa
SHA1 14817a1efeb40ab1908e103b552f3828d0456023
SHA256 ffc2d7d4e7475becb7b6660da1391947960f39200db92b26173cff62c2c47ccf
SHA512 c5635ca83e5984cd63706824f3c616c191878e93ce0585464e6eecbaaa371752667bcae08db2695c069c14166f6cb26a638cdf0eb0e69237d5e0cdd3eaac005d

C:\Users\Admin\AppData\Local\EwqLdRGQr\SYSDM.CPL

MD5 927cbe2e19fe9408bcc257d79e5820b7
SHA1 a4a4d678865310d732c254abc63b921f2e255ae5
SHA256 8a9420de2f358e934652a7a126f23d96a340e0108f42ecc203a9d8a1d2e93d91
SHA512 044ea39d08ad7fc4d571485424db12d8b9ddd1bccad3f12fd5359fc9227fe2b6a3fff6f41da5ae66c45f9d2687c4699a915df6bcd717af30af5b44d80c0f70a5

C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe

MD5 26640d2d4fa912fc9a354ef6cfe500ff
SHA1 a343fd82659ce2d8de3beb587088867cf2ab8857
SHA256 a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37
SHA512 26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

C:\Users\Admin\AppData\Local\EwqLdRGQr\SYSDM.CPL

MD5 d3e913ec95aa0b25f1994c614188acbc
SHA1 104dac7141991afd0f1f5f9376327fb82bcbefa9
SHA256 7b19e1fab193b862d4f60a030c6155a7864f4c19b24bd2bd04556272f3c8ac77
SHA512 cd947c6d8ebbb3ace4c4d89cf01427a8586811e286d0580221f6964ec644ea9847f016068022655be4f9c1c18e175b2e837e01de9295c88b20e293e3a8635dea

memory/100-114-0x0000019687650000-0x0000019687657000-memory.dmp

C:\Users\Admin\AppData\Local\EwqLdRGQr\SystemPropertiesProtection.exe

MD5 831cab68f55d3c3195ff8433ba560ffa
SHA1 67d5696fff903f4f3a35190a3cd447a1861820b7
SHA256 819dc05cc57a5f74215241f2747ae21fb568f0a472f76b7a5314ff48915d2261
SHA512 74dcde33cfa5e72dc363389f2743a1c21d6cb2f51788947c23c2cecd48aaf7fa0bc1d2d0f36cecfd5fa00634ee9d5c96bed48f8b392778bd7f7f00f7a4fd00d1

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk

MD5 513740f43f61e17ced073181621d742c
SHA1 e7ca8c1b3814fe170d62de6f5bb32fa2f615b1a4
SHA256 27087050ddca392be0edaa740fbc090dbf8ccf23e81ca0ecff0f59deb2107265
SHA512 10b2771fa54076eb9e51af0b92f9c493fdef25eb7259a23de458a174ade01e6e6f822e5ef4469ac7d40ce93b39150db323cc3578a4eda2279591dcca138489d3

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\U8fcFPN\OLEACC.dll

MD5 2d66e1a60a7f7f7f23416c7a738e2db3
SHA1 586c2b6337e3b7c283bfb98c4ae96a06660e5f28
SHA256 6d2e5c6ba7c0ae94eed66fb676fe4eb566c58396241c831e139448100cbc8bf8
SHA512 cfd178c599a5e7913b54c57eaa4e5e2c67c038fbd942641341ea172d9a9a134e70fbd6d92fb2eac387a87dc3d03a3cb51916095315ec67342217eb2dc2db231e

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\dr6A\ReAgent.dll

MD5 33fcaa7a7427c8d8d03b9f55ddfefa3a
SHA1 7f51d7f38f7eeb8b94d3a4317d4522097dc57325
SHA256 5e881d01d2e353a221bb9a12e7037fd8e345297867fc2ba13b9d18a8001fbb7e
SHA512 427e75a2703d6010174fd83324cc8715f56c5b73391d928fe16c898d877095a3d3b525138d41b77ef93c55a336dcb75207947d575f5a9837d35000080923d6ae

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\vKgmerL0\SYSDM.CPL

MD5 4402aaa615afb8d993da1ab8df43cc48
SHA1 658c30911e8037711f6c32ee7cf85b89226e49a5
SHA256 147649adaca70003d356e9c6030be425222e2d8030f38f69b6c6b73bd2be43b0
SHA512 0d03008c21a5fd13c5d919e90f8e23ab0b84ca05912e3705ab3bb590c589519e2a9d15013c40b7d9e4aadf0a92f8f0d0be08e365eff997781a8ec70cecf94386