Malware Analysis Report

2024-11-30 21:44

Sample ID 231231-m327zshcdm
Target 33706acbd1f245fe707ff6b8e05edfc7
SHA256 c6dbca3b4b4801df42431bcf7334245440b49f8af3e2f66af99dcb110079610f
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

c6dbca3b4b4801df42431bcf7334245440b49f8af3e2f66af99dcb110079610f

Threat Level: Known bad

The file 33706acbd1f245fe707ff6b8e05edfc7 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 11:00

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 11:00

Reported

2024-01-04 07:49

Platform

win7-20231215-en

Max time kernel

151s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33706acbd1f245fe707ff6b8e05edfc7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\52g\cmstp.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\9QXRAE~1\\DWWIN.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\52g\cmstp.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1264 wrote to memory of 2468 | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 1264 wrote to memory of 2468 | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 1264 wrote to memory of 2468 | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 1264 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\52g\cmstp.exe
PID 1264 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\52g\cmstp.exe
PID 1264 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\52g\cmstp.exe
PID 1264 wrote to memory of 2976 | N/A | N/A | C:\Windows\system32\DWWIN.EXE
PID 1264 wrote to memory of 2976 | N/A | N/A | C:\Windows\system32\DWWIN.EXE
PID 1264 wrote to memory of 2976 | N/A | N/A | C:\Windows\system32\DWWIN.EXE
PID 1264 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE
PID 1264 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE
PID 1264 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE
PID 1264 wrote to memory of 1220 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1264 wrote to memory of 1220 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1264 wrote to memory of 1220 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1264 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe
PID 1264 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe
PID 1264 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33706acbd1f245fe707ff6b8e05edfc7.dll,#1

C:\Windows\system32\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Users\Admin\AppData\Local\52g\cmstp.exe

C:\Users\Admin\AppData\Local\52g\cmstp.exe

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE

C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE

C:\Windows\system32\SoundRecorder.exe

C:\Windows\system32\SoundRecorder.exe

C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe

C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe

Network

N/A

Files

memory/1536-0-0x0000000000390000-0x0000000000397000-memory.dmp

memory/1536-1-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-4-0x0000000077216000-0x0000000077217000-memory.dmp

memory/1264-5-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/1264-8-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-10-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-11-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-12-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-13-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-14-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-16-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-17-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-19-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-18-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-20-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-21-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-23-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-25-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-27-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-28-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-29-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-30-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-31-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-32-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-33-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-35-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-36-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-38-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-39-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-40-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-42-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-41-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-43-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-44-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-46-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-47-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-48-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-49-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-45-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-51-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-52-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-54-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-55-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-56-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-53-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-57-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-50-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-58-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-37-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-59-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-61-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-60-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-62-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-64-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-66-0x0000000002A20000-0x0000000002A27000-memory.dmp

memory/1264-65-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-63-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-34-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-26-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-24-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-22-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-15-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-9-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1536-7-0x0000000140000000-0x0000000140331000-memory.dmp

memory/1264-74-0x0000000077421000-0x0000000077422000-memory.dmp

memory/1264-75-0x0000000077580000-0x0000000077582000-memory.dmp

C:\Users\Admin\AppData\Local\52g\cmstp.exe

MD5 74c6da5522f420c394ae34b2d3d677e3
SHA1 ba135738ef1fb2f4c2c6c610be2c4e855a526668
SHA256 51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6
SHA512 bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

C:\Users\Admin\AppData\Local\52g\VERSION.dll

MD5 e8e8a8186e9a98cc931c1425aaf8ed9d
SHA1 0cb13f6f43a1e55997077846d1d5ecdce5ad089b
SHA256 eb1156bc8cfb7e179e7f2f2f4f11331c53956d3b8467847682dcc3b1e5dfa86f
SHA512 fd969f58f81db33ecdcb2631302a0d07c18d65d5736ff6a68b98cdcae0f82f81b2569abbabaa293856d0ce9b33421cad057d6601e3587642c90b2017a1f0af49

\Users\Admin\AppData\Local\52g\VERSION.dll

MD5 39f0bfec53979f68ef6f4713a906cfff
SHA1 d4a80c3b78831e0e183ea5460c4a2a31c28363fd
SHA256 fcc89dcaeb9c0b158d356d7d78534579e8310b1a64cb5a99c2a70a43ccab962c
SHA512 d03d15642f22ca9620b460f9471fbc51484b75a5ef36d816b0082cd06660096ac9d8a7c1ac04e634a4259edbd6387afe319dbd2efe743e3229c30bc1e6a7e51c

memory/2028-102-0x0000000000310000-0x0000000000317000-memory.dmp

C:\Users\Admin\AppData\Local\52g\cmstp.exe

MD5 9acf35b08d0822cd38a005a6a8b20f12
SHA1 97171cb1bcb7ab4bdc8bc2366550abfd1371d426
SHA256 2cd601e15e8fc9a509b7636264a3af6e27e1775fa6878b71561eb099a36d912d
SHA512 5595c06fd83a755edcc8db6e45cc4773a3899e16937efb8e66f47837bccded87c1cf8f858c0707abf67f0b2c953ff67da0576a9c9c429d94e25e77286d162e3e

memory/1264-113-0x0000000077216000-0x0000000077217000-memory.dmp

\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE

MD5 02451a0f87db5d97e54f2aab0839db14
SHA1 b5d1e29a51b936f2f998294374fc2c5b0adb508e
SHA256 cc8e39e7a46060f50ff92df5962ae2e1870414e15285f9a703959eb647725e67
SHA512 6849ec2040582a534f1d6ac3a353be2f7c763db26a404b3a7e60f3030f99ffdcf7b5d9ad6c71d8ca5b8697ab2d0a4a03d1685a36ddbe9a0170e5410ed1dc6d87

C:\Users\Admin\AppData\Local\sY7m5\VERSION.dll

MD5 27d186419604edd3335f2950bcde9c02
SHA1 0f232aadb5493cd3eed89f1ead2344fb0c821418
SHA256 c62f62ce696bb1101108df8440d7cafdac2ec327c4275516179815fd9a474da0
SHA512 c37093c30e2c638471e071a78afdfe96705e6f8977614655492a6ab8815a28a14c7eabc778eb1ca6b70a85ad88a19f30521e1033b30e0d05fbd82c7920e4df3c

\Users\Admin\AppData\Local\sY7m5\VERSION.dll

MD5 40a3e415d23e2de6cb5ba95c18c7e77f
SHA1 9b44e4006a2b02a1517df37d98750101710c0e18
SHA256 eba98dee421b4535047f2a7f4c5e0078304873ac653a0b00243d3e80001812f1
SHA512 670ce9a9ecaef1a7a9be75f9b5489fd06f5dba763573795069c351b79c2468eb320f4a25555f89d7efb09601ebbb5acf347135dd00d959c23e9fef57fbc79546

memory/1908-121-0x0000000000080000-0x0000000000087000-memory.dmp

C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE

MD5 d2142a22cd7eb3b950de1d3c0bc9fb20
SHA1 6f607adee6683537736c69ef108223840535e28d
SHA256 5ec7dc539a49175b44484d04b8ecad5891c1a7fbb0bb319ec2e7de0e774c8877
SHA512 304551cbd68e3da46bf3a0cee44217effc107d88d1111f57c9017de7c85e2c8d1e4dd1736aaba602e663b9bab2959e182500c22e9f7c06c498bb652b6a002e1a

C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE

MD5 473d2aad3e931822444ef3308ae12d2b
SHA1 0936557eb9961b8b924f65dcac3e9b4f0f050b8d
SHA256 fd128c1cf5911a2ce2d93b287e55392c6f22304b31d0fcb67370d1e024f17774
SHA512 a2b75c4483e8bca0deae7dfd917e6145f5be19ddc79b82ce79f671e961f48cbe907bebd73b8faaad4e52526ccf83ec70e68a011ea958592cc42d144eb7ca225a

\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe

MD5 b0a7e45e9092919ada852aac345d648b
SHA1 eccff35b310bbf1cc6d5128cc6d16a1f6a8102fe
SHA256 dc13e7ba9fe638ae6190e399c3d80a36c0e94b123dee27e914e8e6ab5d6b3672
SHA512 48a22e28afa130e04d872e4fdf25a0dfbe33df1c8f54604d2a1ba8a437de5123a9702989374378fb9436dd8416e1d2425c660b2393fb58098313c40cce40eecb

C:\Users\Admin\AppData\Local\6cpzBYt\UxTheme.dll

MD5 258e310875bbd525d812c6a485eb2e0f
SHA1 c3a910e3f3c1f26322dbd1e5d443067b44d1651e
SHA256 a4575e9ca01d9a333b08e1d023d34cf79bc200e2eea6fcbad4b59ff47951aa02
SHA512 393a296da8529ca7c818c01f120c5fd97c383adc5493f9c355694f84a8e766c51f365b411905a1e211d6f3cce6b9f443b929504ade8f34110edc943dbcb97b80

\Users\Admin\AppData\Local\6cpzBYt\UxTheme.dll

MD5 fe6ba298fa096f2564a0dacef5382884
SHA1 4a8d43a7267c2311d051bc8ee03baf38a465d6b5
SHA256 a718663424fd8be648e57df2abeb4e1abd4bdb996f96d8072957383670b030d5
SHA512 9df5ac17ea89341e6c9a05fb7759777f43dd26da08bd84918799613b4178543a172d9c4aac559745db722f86130791ede5bfdcfc2eb21429b1f1e3702a4019f9

memory/2016-144-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe

MD5 a0765ad14bf3807df9dffdd7adfafbbc
SHA1 1d4affe71f0560105d6329d8666b788dad1585e4
SHA256 2034be3d47138aedfa8b48ab9e8031a70220d4716bf22af08b1cc0911e680916
SHA512 9c994de994d551ae7b5bf83b6b7edaa55b8993f7064773121175fac904d9c493205b43734de254b324c0c63d38a1a0d23a83d145840d7374680edd78a94aaa35

C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe

MD5 399891d65c671db1c826a9d16e6c2dc1
SHA1 f650763ae3ad94bc966bbe8d8ae29bec1dee8102
SHA256 4e1e36e04553aab93f5f2281102fd5f8be78dc9beeb311ea2e6058ce86d978dc
SHA512 7c2a963973a68e77e7a878b655f1f2c2d8642d1e45fc2b21e68db86f4a4003d323e5e5713d3a7f12aa46f7a1aa8403fd2206a5bd24936ecdd48104256410eb32

\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2444714103-3190537498-3629098939-1000\hRM\SoundRecorder.exe

MD5 69283295b00727b5532f3e3f26930f66
SHA1 8d7ca837300d8c25fe9bb8748003c7197bb06845
SHA256 404f8c454276fabd4b836747d81316709b599021bb8a9a0d0424156a9bb0987c
SHA512 2277a68a40cc33675d5ebdcd3f3c09532f4a72e25f5a7bc4271f46234c6a287531b1ab57e15991a95717f55d267f20d7ea2eb87ea3e370701fe3c5fd288ef4b2

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 19d379d7ba9e0a29db89269bfa314009
SHA1 e8c2cced4ad2a487877205533edb195f50138ce1
SHA256 610dbf198e2b474aaea18da1015f8d8494ea1e6b4d2a194838041e10fa14af78
SHA512 46364802efc1397508f28f80d58dbcdc786a1d01d11c7ced568262937117c3c9907c3968333f37521ecc911e2817ba2d6abb619aa59e40212de50767abc6cb5a

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2444714103-3190537498-3629098939-1000\O4\VERSION.dll

MD5 338484bd0a6ee39eb33c25f34427289c
SHA1 51f467498a0f579f3fce98571bacf306fd2d77a6
SHA256 47a44736748a14f0152f86ffb0b27c9ba2ef95c8ab8cf23aa0261d1869ae454e
SHA512 64f2d0e5374d0af1d6c0415bc1c057ceb3be59e20ad32136101a7b496741ee0a4aa7b1c98aa4d1290d62664dfe587f6fb0fe3d4c84708a71bae93aef4d142e02

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\9qxRaEG9dWZ\VERSION.dll

MD5 37d54dc945a3a16eb97258900fbcdd04
SHA1 f06f3ffadbb643baf5e65606c57664180800d780
SHA256 fbb0bb67e1bd063b51bd4e7202dcacb932aa2ec723e5d0388aae3b10112a9c83
SHA512 5662700a7ae982546723aa247d223c69fd9bf06ddace2ab6babf9115102746e75957df626f42542c83982c951992074b9600c2248eca689e7fab45ccdb74c716

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2444714103-3190537498-3629098939-1000\hRM\UxTheme.dll

MD5 02431285d28b515aba8d1c325d8025f7
SHA1 a660de36d1dd7ef875c2a850ffb32ee6baaea154
SHA256 03bcbdb7f8067f12a1cfe68c9cf3305ad429f3aaf14bc0d9d9445df22f552ea6
SHA512 5c4554a2a8e73939ca4cab14d0ce480f623ca4a0de04146d365d5372daa42aea4c6d2bb6acbbbcaa21e0a0df10e3d46cd1e25f423cb98ce895cf7eec73e316f9

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 11:00

Reported

2024-01-04 07:50

Platform

win10v2004-20231215-en

Max time kernel

38s

Max time network

93s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33706acbd1f245fe707ff6b8e05edfc7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33706acbd1f245fe707ff6b8e05edfc7.dll,#1

C:\Windows\system32\mstsc.exe

C:\Windows\system32\mstsc.exe

C:\Users\Admin\AppData\Local\TGMs\mstsc.exe

C:\Users\Admin\AppData\Local\TGMs\mstsc.exe

C:\Windows\system32\CloudNotifications.exe

C:\Windows\system32\CloudNotifications.exe

C:\Windows\system32\wextract.exe

C:\Windows\system32\wextract.exe

C:\Users\Admin\AppData\Local\5Sw1\CloudNotifications.exe

C:\Users\Admin\AppData\Local\5Sw1\CloudNotifications.exe

C:\Users\Admin\AppData\Local\OP2YMLbr\wextract.exe

C:\Users\Admin\AppData\Local\OP2YMLbr\wextract.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/4624-2-0x0000022316D90000-0x0000022316D97000-memory.dmp

memory/4624-0-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-7-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-10-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-13-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-16-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-18-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-21-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-23-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-26-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-28-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-30-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-32-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-35-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-37-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-38-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-39-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-40-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-42-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-43-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-45-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-49-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-51-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-53-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-55-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-58-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-60-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-63-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-65-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-66-0x0000000000770000-0x0000000000777000-memory.dmp

memory/3604-64-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-62-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-61-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-59-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-57-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-74-0x00007FFE7D820000-0x00007FFE7D830000-memory.dmp

memory/3604-56-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-54-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-52-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-50-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-48-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3024-94-0x0000019AAFDB0000-0x0000019AAFDB7000-memory.dmp

memory/3604-47-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-46-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-44-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-41-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-36-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-34-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-33-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-31-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-29-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-27-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-25-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-24-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-22-0x0000000140000000-0x0000000140331000-memory.dmp

memory/2356-111-0x000001F2BB2E0000-0x000001F2BB2E7000-memory.dmp

memory/3604-20-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-19-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-17-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-14-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-15-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-11-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-12-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-9-0x0000000140000000-0x0000000140331000-memory.dmp

memory/4624-8-0x0000000140000000-0x0000000140331000-memory.dmp

memory/3604-5-0x00007FFE7D66A000-0x00007FFE7D66B000-memory.dmp

memory/3604-4-0x0000000002120000-0x0000000002121000-memory.dmp

memory/4648-128-0x000002BEAA950000-0x000002BEAA957000-memory.dmp