Malware Analysis Report

2024-11-30 21:42

Sample ID 231231-p1rdtabedk
Target 36aef32a8008ab32d1cced77f292c95f
SHA256 74232dc00ddc6a452efd3cf799348eb5aedc5a31dc6589e17f4b30c73990badf
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

74232dc00ddc6a452efd3cf799348eb5aedc5a31dc6589e17f4b30c73990badf

Threat Level: Known bad

The file 36aef32a8008ab32d1cced77f292c95f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. The technique table itself is not present in this copy of the report. The signatures below correspond to Registry Run Keys / Startup Folder (T1547.001) and Scheduled Task (T1053.005) for persistence, Rundll32 (T1218.011) and DLL Side-Loading (T1574.002) for defense evasion, and Process Injection (T1055) for the WriteProcessMemory activity.

Analysis: static1

Detonation Overview

Reported

2023-12-31 12:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 12:48

Reported

2024-01-04 17:03

Platform

win7-20231215-en

Max time kernel

100s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36aef32a8008ab32d1cced77f292c95f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\mwr5\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\4fe\msdt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe N/A
(four further hits with no process recorded)

Note: each loading process is a copy of a Windows System32 binary of the same name placed in a user-writable directory under AppData\Local, and the DLL dropped beside it (TAPI32.dll next to dialer.exe, Secur32.dll next to msdt.exe, slc.dll next to DisplaySwitch.exe; see Files) carries the name of a Windows DLL that the binary resolves through the normal search order. The signed host binary therefore loads the malicious DLL from its own directory ahead of System32: DLL side-loading, the loader stage Dridex has used for years.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{12BBF4E7-85A6-4BA8-A5EE-FE066C096AAA}\\uMeBeaNo\\msdt.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mwr5\dialer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\4fe\msdt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further hits with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Note: PID 1196, the writer in every row, is not one of the images listed under Processes. The memory dumps under Files show the same 0x0000000140000000-0x0000000140249000 image first in PID 2512 (the first process dumped, presumably the rundll32 host) and then repeatedly in PID 1196, so the loader appears to have moved its payload into a second process before that process starts the side-loaded binaries and writes into each of them. Each binary is targeted twice: the System32 original and the copy under AppData\Local.

Description Indicator Process Target
PID 1196 wrote to memory of 3060 N/A N/A C:\Windows\system32\dialer.exe
PID 1196 wrote to memory of 3060 N/A N/A C:\Windows\system32\dialer.exe
PID 1196 wrote to memory of 3060 N/A N/A C:\Windows\system32\dialer.exe
PID 1196 wrote to memory of 2552 N/A N/A C:\Users\Admin\AppData\Local\mwr5\dialer.exe
PID 1196 wrote to memory of 2552 N/A N/A C:\Users\Admin\AppData\Local\mwr5\dialer.exe
PID 1196 wrote to memory of 2552 N/A N/A C:\Users\Admin\AppData\Local\mwr5\dialer.exe
PID 1196 wrote to memory of 3040 N/A N/A C:\Windows\system32\msdt.exe
PID 1196 wrote to memory of 3040 N/A N/A C:\Windows\system32\msdt.exe
PID 1196 wrote to memory of 3040 N/A N/A C:\Windows\system32\msdt.exe
PID 1196 wrote to memory of 2556 N/A N/A C:\Users\Admin\AppData\Local\4fe\msdt.exe
PID 1196 wrote to memory of 2556 N/A N/A C:\Users\Admin\AppData\Local\4fe\msdt.exe
PID 1196 wrote to memory of 2556 N/A N/A C:\Users\Admin\AppData\Local\4fe\msdt.exe
PID 1196 wrote to memory of 2500 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1196 wrote to memory of 2500 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1196 wrote to memory of 2500 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1196 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe
PID 1196 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe
PID 1196 wrote to memory of 2496 N/A N/A C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36aef32a8008ab32d1cced77f292c95f.dll,#1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Users\Admin\AppData\Local\mwr5\dialer.exe

C:\Users\Admin\AppData\Local\mwr5\dialer.exe

C:\Users\Admin\AppData\Local\4fe\msdt.exe

C:\Users\Admin\AppData\Local\4fe\msdt.exe

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe

Network

N/A (no network activity was recorded in the 125 s Win7 capture; see behavioral2 for the Win10 run)

Files

Note: several paths are listed more than once with different hashes. The sandbox captured those files at more than one point while they were being written, and the report does not say which capture is the final on-disk content, so keep every hash as a candidate indicator rather than picking one. Memory entries are named memory/<pid>-<index>-<start>-<end>-memory.dmp; the region 0x0000000140000000-0x0000000140249000 that recurs in PIDs 2512 and 1196 is a roughly 2.3 MB image at the default 64-bit executable image base.

memory/2512-0-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2512-1-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-4-0x0000000077836000-0x0000000077837000-memory.dmp

memory/1196-5-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/2512-8-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-16-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-22-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-28-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-30-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-34-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-42-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-47-0x0000000002D70000-0x0000000002D77000-memory.dmp

memory/1196-46-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-45-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-44-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-55-0x0000000077A41000-0x0000000077A42000-memory.dmp

memory/1196-56-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

memory/1196-65-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-54-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-43-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-71-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-72-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-41-0x0000000140000000-0x0000000140249000-memory.dmp

C:\Users\Admin\AppData\Local\mwr5\TAPI32.dll

MD5 3fe2881a2f0e07a75e17687ffe049ace
SHA1 efa6e63187fb314dc28359cadd1184adeace7c95
SHA256 bbc2776d0573bc979c62bd1415ed1435b3a837070d55b4453d738edfe93a5a62
SHA512 d6d49f29179936382ffe673a5372c862acf59120cd3c242d5a7b51b315657278d46e7308ec938e99501c5e898f76c6102671c1f5518bc80898fe1a8e965d6723

memory/2552-84-0x0000000000290000-0x0000000000297000-memory.dmp

memory/2552-83-0x0000000140000000-0x000000014024B000-memory.dmp

C:\Users\Admin\AppData\Local\mwr5\dialer.exe (captured while still empty: these are the well-known hashes of a zero-byte file, so the file had been created but not yet written)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\mwr5\TAPI32.dll

MD5 f3f57ca05fe42bbd649d0f5e3fa906ee
SHA1 69aac8b6e7c49f43b72cc713a4dab07f12c13c22
SHA256 a9bdc18d9ed2dbcb1adbdcf3d713d9b05db73b85c1008369c486ed9e5605ac22
SHA512 0c62fe63f450559b398943bd04bb24864c798bd42a5a2eaab223ff7d4d8b6c81a49e76869bb69be0955fbbce06bdf9795076e49b39411dfc3d34e5a31cc293c5

C:\Users\Admin\AppData\Local\mwr5\dialer.exe

MD5 46523e17ee0f6837746924eda7e9bac9
SHA1 d6b2a9cc6bd3588fa9804ada5197afda6a9e034b
SHA256 23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382
SHA512 c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

\Users\Admin\AppData\Local\mwr5\dialer.exe

MD5 38cca940394a698071c39f0403d05a00
SHA1 028752a4557e5a36cd81f8d85a168bec758b4c96
SHA256 1b722c8ad9f9b3a4c072fcb62399bcd091d1a874f7a450b44b6e664ef5ac5f55
SHA512 0140f679845022eeca530c91b61bccf52e25ffc6f9b180784124f5141615d3a7d2df9c0fafcda68a05e042757555dd001f50053f576ce1c0eb11319210b9351c

memory/1196-40-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-39-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-38-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-37-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-36-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-35-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-33-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-32-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-31-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-29-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-27-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-26-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-25-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-24-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-23-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-21-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-20-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-19-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-18-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-17-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-15-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-14-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-13-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-12-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-11-0x0000000140000000-0x0000000140249000-memory.dmp

\Users\Admin\AppData\Local\4fe\Secur32.dll

MD5 2315198dd8e08886103f911767f23cd5
SHA1 300ce7cbb6b6c3a52d7ca06dc30d3dd1fe2e43c3
SHA256 7c54dab5e857c236ccc4ffbea6dbc819b8e67d86b66bdea51bd71d9ecadc6c14
SHA512 a5746332fafa8f5078aae1de3e685d09c4a4144aa07eb2afa3f43bd624579b5fad58b3221317aaead5cb395305e18a788d44ed29ae7176dff1379468cc0d63b6

memory/2556-101-0x0000000000110000-0x0000000000117000-memory.dmp

C:\Users\Admin\AppData\Local\4fe\Secur32.dll

MD5 3226ad8af2c5f54ba23cfd7b3004109a
SHA1 6400811fc3e8efbfa778e535bdbe758fcb30ed1b
SHA256 4ee1aa81436a176d478ae672c3336d5a6d2892c0b6e6faebbabb2c632cc33525
SHA512 440107e7dbcdbcfec3c4b50ec905b91047cbf79c075f1304cb459b3754698e50b87eb942896cbed67b17dd8750dd3ebd7db33f54224f7dd0fe531fec99cea9f0

C:\Users\Admin\AppData\Local\4fe\msdt.exe

MD5 7ec54091f6e2c42ae286b237ebda7bc6
SHA1 e5d0f2304d1ddf64fe5aed539175983f71daa385
SHA256 265f11984275e038ad811356fb349546be96c3207363abb730c898f3be3e7b1d
SHA512 cce6b571c715d7bf48343ab1d9f726a6d47e5fe2a16c393f4d69ec0b2ab1f584f41f021c0f65573f45f0d7bcf30b38827dcae93a3f578b0bbbebb21d86d306c4

\Users\Admin\AppData\Local\4fe\msdt.exe

MD5 0092ba591b49079b40b7fb162cc854bb
SHA1 020b583e1c673730c54771457e237123b05c2843
SHA256 0653d654c8a70496cd604f075701c2f79fa4630afcc53a01229185bb762bf4c5
SHA512 ffa58ca39b43a9286c2704fc7601eff6086d5faac0588ecd113ffe9c11426d84f81b7194eeff7ef83934baa9ef73303cb76f009388644d074eda947ac071c6b0

C:\Users\Admin\AppData\Local\4fe\msdt.exe

MD5 009139115691c316e1e93a4b1b560f75
SHA1 98db463c1397c525bcd77645bda221d53294159b
SHA256 018c8e0f4f8fc076dc22c207e9c45d4f8565c4d6306848b8a24157a5abbe003e
SHA512 34ca82880671a508777dfe74c5a93111e66363b1968fc151dcb907330cbc8167502da9f18027950da6b0f19f8c320035e3011859909038a3bd696d968820f4fb

memory/1196-10-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-9-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1196-7-0x0000000140000000-0x0000000140249000-memory.dmp

\Users\Admin\AppData\Local\dQOqnrb\slc.dll

MD5 fa7885d667da7b450a6cea4cae1c7abf
SHA1 03fe994b3b0c59973f8187ae36262105a2880b2e
SHA256 0c3e7e7126507308af183e1659dc4b1999a468c775549c453d5e10fbe0731714
SHA512 8c5124477f7e96916a88bedd62f48bcd6436fc6dd719a23ac3284a3c1e32c6498f9cd38fd8d16169f59df86e9606d1e756f31ce816b54fde7d791f06399abd2e

memory/2496-125-0x0000000000180000-0x0000000000187000-memory.dmp

C:\Users\Admin\AppData\Local\dQOqnrb\slc.dll

MD5 cc4832e5424364da01bb89eafc82a4f7
SHA1 43137fbcb264570f74c7d7b81462aa417eea2cf2
SHA256 b80c07ecbcbfd97c4cbb28bd9f53c675084e17571529c94e418b7379f741dd29
SHA512 04ed7d64ad4ee595a6b2e49238eb9b39e3dfb453666e6bc7e13d684a7e87caf48687f890b59030f86001626611d6f5e2f8c4454609d16aab765e5bd04d3b5278

C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe

MD5 b2b08f7b12587f7f224ceda90d0068a9
SHA1 f38f658d74cfd90b3b46cb05a60a23aa1961c8af
SHA256 aea8c9e99d6822d95abe3f16e2ad65928c3a246b45126f41bcc21b6799890249
SHA512 10c82639f2b49e31860812ebb7344604d7eb38091764ca9277b25ff673f0db8ab9c0d65da1f82d54c32f292ae81779b14c4ca58c00b1800e96c7467b6c3b594a

\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe

MD5 621859a1e22e1c0b88079481ecf22039
SHA1 1ed9d2ab9f9f48b1aa1613f0c44d877640c7a2c9
SHA256 2086205551c065edd7085eb0648cc2e990f3e43220db4d90923466b0d51091a0
SHA512 6c1e2e5081a88cde69cf13e14ff78250af400c4ffd239b976ca346f2f2a2e73a48ae4b610822a9a948ad8200ff41da188eedc3875aeac2bacdc7580815d3f4fd

C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe

MD5 e5e9ec86e20522170efeecda50f3b940
SHA1 ecfa209cc269bbd11400d2d5feccea40df7129e1
SHA256 98ee73b994a084bccb963888f557f36908b834b78cf1105acf14b9d6ba3c02a2
SHA512 f443d8b6bcd2452100af0e8b2d576e9c9ca3ab71c4dd8c5b6a909b832f85b9e8069a4008c794573acf6e6da89fe213955829718e02be8d44ef0dae2515f64e96

\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\S4jq0LQt\DisplaySwitch.exe

MD5 915fc9c6e26dbc9869ebae728845b5da
SHA1 f22904455388124cee24318e03c18f2cee15826c
SHA256 9a63eda1329d4d3bc0398518588b84928833d7cb4746970bcb33e2a4ef260d39
SHA512 3911fdca625a6e2d7a93ce6a6950662ea0c54e00fe22db125f481a722abf38346198f4da4fa6b28ba8de49f821c9ecaeee1d72355da0c4b22d19d3f11e522081

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 3a3000d57678379aa489f265a83e756a
SHA1 e0c0808ec8aac5fc4ee332c5f1b6c8f36df122c5
SHA256 49655116005ef387be78dfb795ffbda2099628d41cda52bd6a8cce0e5b53a3e2
SHA512 3fb876fc0d21777fb44bca47a5276e272ba77add85eb10750762d0d47a4fbf27dc101054b163b3a5068c4f0013881ba8391f192b3385fbe22f46a6f8fad9dbaa

memory/1196-154-0x0000000077836000-0x0000000077837000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\tRPG\TAPI32.dll

MD5 59c69ac77b5b23272ad1c5a519e975c1
SHA1 298623e697cbfa58f42189ebe6b3bd8e46f9dc4f
SHA256 d5ba1c31bc9349a1beb26e9bb8514e72ebef33e832652e967e70d6908369917e
SHA512 1c0501dc6a7244297c3bc836877d6c431aa92489b4d3b2bf0a673c853b692fafb4b76ceffc8b2bd4020378b527b17e30d2d28f7d4513344fa89a63b454af7d7d

C:\Users\Admin\AppData\Roaming\Identities\{12BBF4E7-85A6-4BA8-A5EE-FE066C096AAA}\uMeBeaNo\Secur32.dll

MD5 e47c3bf772a9e166d0efcc7a2b773948
SHA1 608064457070558cc2ac2a0c153063404a5b2476
SHA256 7fbebc65a0862b1c55ac75834889af59d3a0e52c22f98e3c485c58fff065099c
SHA512 1eea06513945ca8c2e175cb4467e57eac64b61c23c233aaeded122ee2c69d19f4b711d1e5f0f898eba6f5fb579df83cf2dedb5940ebab69f334d49cae02c4da2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\S4jq0LQt\slc.dll

MD5 155aa92eb6f52ff8e122fac59c1ba5f4
SHA1 15050ddf61d0d2d7ce1b30788371efadc9b5f3f7
SHA256 19ff31795a08be775ba1d76ee9ebd62b8220ea88dcd7765947addd79c59faca2
SHA512 3af67176561cc365a2af3ffd13423333ac1ac73d753251dda388c96cf2ce29963610a9958a5a853f70a36511c7e6596eeab1dcaa25008dccfac3416f75f8d83c
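
The pattern across Loads dropped DLL, Suspicious use of WriteProcessMemory, Processes and Files above (repeated in behavioral2 with msdt.exe/UxTheme.dll, BdeUISrv.exe/WTSAPI32.dll and WindowsActionDialog.exe/DUI70.dll) expressed as detection logic, added here as an example by the editor; it is not code from the report or from the sandbox. The event records are constructed from the paths and PIDs printed in this run, the System32 name sets are an assumed allowlist, and the writer PID of the file drops, which the report does not record, is left as 0.

```python
"""Flag, over constructed event records, the two behaviours this run shows:
(1) DLL side-loading: a System32-named executable started from a user-writable
    directory into which a System32-named DLL was dropped;
(2) one process writing into the memory of several newly started processes.
Added example; not code from the report or its sandbox.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Assumed allowlist of names that live in System32 on a stock install. On a
# live host build these from a directory listing instead of hard-coding them.
SYSTEM32_EXES = {"dialer.exe", "msdt.exe", "displayswitch.exe"}
SYSTEM32_DLLS = {"tapi32.dll", "secur32.dll", "slc.dll"}


@dataclass(frozen=True)
class Event:
    kind: str        # "file_write" | "process_start" | "remote_write"
    pid: int         # writer / started process / process doing the remote write (0 = not recorded)
    path: str        # file written, or image path of the started / written-into process
    target_pid: int = 0


def norm(path: str) -> str:
    """Lower-case and strip the drive: the report prints the same directory both
    as 'C:\\Users\\...' and as '\\Users\\...'."""
    return ntpath.splitdrive(path)[1].lower()


def find_sideloading(events):
    """Sorted (exe_path, dll_name) pairs: a System32-named executable started from
    a user profile directory that also received a System32-named DLL."""
    dlls_by_dir = defaultdict(set)
    for e in events:
        if e.kind == "file_write":
            p = norm(e.path)
            if ntpath.basename(p) in SYSTEM32_DLLS:
                dlls_by_dir[ntpath.dirname(p)].add(ntpath.basename(p))
    hits = set()
    for e in events:
        p = norm(e.path)
        if (e.kind == "process_start" and p.startswith("\\users\\")
                and ntpath.basename(p) in SYSTEM32_EXES):
            for dll in dlls_by_dir.get(ntpath.dirname(p), ()):
                hits.add((e.path, dll))
    return sorted(hits)


def find_remote_writers(events, min_targets=3):
    """{writer_pid: sorted target pids} for processes that wrote into at least
    min_targets other processes. A loader seeding a chain of side-loaded hosts
    looks like this; an ordinary parent process rarely does."""
    targets = defaultdict(set)
    for e in events:
        if e.kind == "remote_write" and e.target_pid not in (0, e.pid):
            targets[e.pid].add(e.target_pid)
    return {pid: sorted(t) for pid, t in targets.items() if len(t) >= min_targets}


# Constructed from the behavioral1 Files, Processes and WriteProcessMemory tables.
REPORT_EVENTS = [
    Event("file_write", 0, r"C:\Users\Admin\AppData\Local\mwr5\TAPI32.dll"),
    Event("file_write", 0, r"\Users\Admin\AppData\Local\mwr5\dialer.exe"),
    Event("file_write", 0, r"\Users\Admin\AppData\Local\4fe\Secur32.dll"),
    Event("file_write", 0, r"C:\Users\Admin\AppData\Local\4fe\msdt.exe"),
    Event("file_write", 0, r"\Users\Admin\AppData\Local\dQOqnrb\slc.dll"),
    Event("file_write", 0, r"C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe"),
    Event("process_start", 3060, r"C:\Windows\system32\dialer.exe"),
    Event("process_start", 2552, r"C:\Users\Admin\AppData\Local\mwr5\dialer.exe"),
    Event("process_start", 3040, r"C:\Windows\system32\msdt.exe"),
    Event("process_start", 2556, r"C:\Users\Admin\AppData\Local\4fe\msdt.exe"),
    Event("process_start", 2500, r"C:\Windows\system32\DisplaySwitch.exe"),
    Event("process_start", 2496, r"C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe"),
    Event("remote_write", 1196, r"C:\Windows\system32\dialer.exe", 3060),
    Event("remote_write", 1196, r"C:\Users\Admin\AppData\Local\mwr5\dialer.exe", 2552),
    Event("remote_write", 1196, r"C:\Windows\system32\msdt.exe", 3040),
    Event("remote_write", 1196, r"C:\Users\Admin\AppData\Local\4fe\msdt.exe", 2556),
    Event("remote_write", 1196, r"C:\Windows\system32\DisplaySwitch.exe", 2500),
    Event("remote_write", 1196, r"C:\Users\Admin\AppData\Local\dQOqnrb\DisplaySwitch.exe", 2496),
]

if __name__ == "__main__":
    for exe, dll in find_sideloading(REPORT_EVENTS):
        print(f"side-load candidate: {exe} <- {dll}")
    for pid, targets in find_remote_writers(REPORT_EVENTS).items():
        print(f"PID {pid} wrote into {len(targets)} processes: {targets}")
```

The System32 copies started under C:\Windows\system32 are deliberately not flagged by find_sideloading: running from System32 is normal, and what makes the AppData copies suspicious is the combination of a known system binary name, a user-writable directory and a same-directory DLL with a system DLL name. The remote-write rule carries the rest of the signal, since it catches the writes into the System32 originals too.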

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 12:48

Reported

2024-01-04 17:06

Platform

win10v2004-20231215-en

Max time kernel

166s

Max time network

174s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36aef32a8008ab32d1cced77f292c95f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\s4\\BdeUISrv.exe" N/A N/A
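
Both Run-key rows in this report (the one above and the Win7 one under behavioral1) parsed and scored, as an added example by the editor, not code from the report. The rows are copied as printed; the System32 name allowlist and the consonant-run heuristic for random-looking value names are the editor's assumptions.

```python
"""Parse 'Set value (str)' Run-key rows as this sandbox prints them and flag
the persistence target. Added example; not code from the report."""
import re

# Copied from the two 'Adds Run key to start application' rows (report escaping kept).
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{12BBF4E7-85A6-4BA8-A5EE-FE066C096AAA}\\uMeBeaNo\\msdt.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\s4\\BdeUISrv.exe"',
]

# Assumed allowlist: System32 executables this sample copies out of place.
SYSTEM32_EXES = {"msdt.exe", "bdeuisrv.exe", "dialer.exe", "displayswitch.exe",
                 "windowsactiondialog.exe"}

ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?\\Run\\(?P<name>[^\\ ]+)) = "(?P<value>.*)"$'
)
SID_RE = re.compile(r"\\USER\\S-1-5-21-\d+-\d+-\d+-(?P<rid>\d+)\\", re.IGNORECASE)


def _consonant_run(s):
    """Longest run of consonants; generated value names tend to have long ones."""
    best = run = 0
    for ch in s.lower():
        run = run + 1 if ch.isalpha() and ch not in "aeiouy" else 0
        best = max(best, run)
    return best


def parse_run_key_rows(rows):
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        target = m["value"].replace("\\\\", "\\")        # undo the report's escaping
        sid = SID_RE.search(m["key"])
        parts = target.split("\\")
        flags = []
        if target.lower().startswith("c:\\users\\"):
            flags.append("target_in_user_profile")
        if any(re.search(r"~\d+$", p) for p in parts):
            flags.append("short_name_components")     # 8.3 names defeat naive path matching
        if parts[-1].lower() in SYSTEM32_EXES:
            flags.append("shadows_system32_name")
        if _consonant_run(m["name"]) >= 4:
            flags.append("random_looking_name")       # heuristic, not proof
        out.append({"rid": int(sid["rid"]) if sid else None, "type": m["type"],
                    "name": m["name"], "target": target, "flags": flags})
    return out


if __name__ == "__main__":
    for rec in parse_run_key_rows(RUN_KEY_ROWS):
        print(f"RID {rec['rid']} Run\\{rec['name']} -> {rec['target']}")
        print("   flags:", ", ".join(rec["flags"]))
```

The 8.3 flag matters for hunting: a query that looks for "Start Menu\Programs" in Run values will miss the Win10 entry because the value is stored with STARTM~1, so match on the expanded path of the target rather than on the raw string.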

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\4WtrYaC\msdt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\reOHiGHaP\BdeUISrv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\A50Dt\WindowsActionDialog.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further hits with no description, indicator, process or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Note: neither privilege is needed for the behaviours recorded in this run and both are adjusted by legitimate processes; on its own this hit is a weak signal.

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Note: unmapping a process's main image is the step that precedes writing a replacement image into a suspended child (process hollowing); read it together with the WriteProcessMemory rows below, which show PID 3500 writing into each newly started binary.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3500 wrote to memory of 1044 N/A N/A C:\Windows\system32\msdt.exe
PID 3500 wrote to memory of 1044 N/A N/A C:\Windows\system32\msdt.exe
PID 3500 wrote to memory of 4492 N/A N/A C:\Users\Admin\AppData\Local\4WtrYaC\msdt.exe
PID 3500 wrote to memory of 4492 N/A N/A C:\Users\Admin\AppData\Local\4WtrYaC\msdt.exe
PID 3500 wrote to memory of 2832 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 3500 wrote to memory of 2832 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 3500 wrote to memory of 1764 N/A N/A C:\Users\Admin\AppData\Local\reOHiGHaP\BdeUISrv.exe
PID 3500 wrote to memory of 1764 N/A N/A C:\Users\Admin\AppData\Local\reOHiGHaP\BdeUISrv.exe
PID 3500 wrote to memory of 4756 N/A N/A C:\Windows\system32\WindowsActionDialog.exe
PID 3500 wrote to memory of 4756 N/A N/A C:\Windows\system32\WindowsActionDialog.exe
PID 3500 wrote to memory of 3520 N/A N/A C:\Users\Admin\AppData\Local\A50Dt\WindowsActionDialog.exe
PID 3500 wrote to memory of 3520 N/A N/A C:\Users\Admin\AppData\Local\A50Dt\WindowsActionDialog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\36aef32a8008ab32d1cced77f292c95f.dll,#1

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Users\Admin\AppData\Local\4WtrYaC\msdt.exe

C:\Users\Admin\AppData\Local\4WtrYaC\msdt.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\reOHiGHaP\BdeUISrv.exe

C:\Users\Admin\AppData\Local\reOHiGHaP\BdeUISrv.exe

C:\Windows\system32\WindowsActionDialog.exe

C:\Windows\system32\WindowsActionDialog.exe

C:\Users\Admin\AppData\Local\A50Dt\WindowsActionDialog.exe

C:\Users\Admin\AppData\Local\A50Dt\WindowsActionDialog.exe

Network

Note: nothing in this capture is attributed to the sample by the report. The UDP rows are DNS queries to 8.8.8.8: nineteen reverse (PTR) lookups of IPv4 addresses and one forward lookup of tse1.mm.bing.net, which is then contacted over TLS on 204.79.197.200:443, a Microsoft/Bing endpoint that also appears among the reverse lookups. The only other connection, TCP to 20.231.121.79:80, has no name lookup before it and is unattributed here: treat it as a lead to check against current Dridex C2 lists, not as a confirmed C2 indicator.

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 202.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
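
The Network table above, parsed, as an added example that is not part of the report: it turns in-addr.arpa names back into the addresses being reverse-resolved and separates DNS lookups from connections, so the one connection made without any name lookup stands out. Only a subset of the rows is embedded (copied as printed); the classification rules are the editor's, not the sandbox's.

```python
"""Parse the sandbox Network table, reverse in-addr.arpa queries back into the
addresses they ask about, and separate DNS lookups from connections.
Added example; not from the report. NETWORK_ROWS is a subset of the
behavioral2 rows, copied as printed."""
import re
from collections import Counter

NETWORK_ROWS = """\
US 20.231.121.79:80 tcp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 202.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
"""

# Country, destination ip:port, optional domain, protocol, as the report prints them.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)(?: (?P<name>\S+))? (?P<proto>tcp|udp)$"
)


def ptr_target(name):
    """'5.181.190.20.in-addr.arpa' -> '20.190.181.5'; None for anything else."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4 or not all(x.isdigit() and int(x) < 256 for x in labels):
        return None
    return ".".join(reversed(labels))


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        row["ptr_ip"] = ptr_target(row["name"])
        rows.append(row)
    return rows


def summarize(rows):
    """udp/53 rows become reverse or forward lookups; everything else is a
    connection. 'corroborated' = reverse-resolved addresses that were also
    contacted; 'unresolved_connections' = contacted with no name attached."""
    ptr, fwd, conns = set(), set(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if r["ptr_ip"]:
                ptr.add(r["ptr_ip"])
            elif r["name"]:
                fwd.add(r["name"])
        else:
            conns[(r["ip"], r["port"], r["name"] or "-")] += 1
    contacted = {ip for ip, _, _ in conns}
    return {
        "ptr_lookups": sorted(ptr),
        "forward_lookups": sorted(fwd),
        "connections": conns,
        "corroborated": sorted(ptr & contacted),
        "unresolved_connections": sorted({ip for ip, _, name in conns if name == "-"}),
    }


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_ROWS))
    print("reverse lookups    :", s["ptr_lookups"])
    print("forward lookups    :", s["forward_lookups"])
    print("connections        :", dict(s["connections"]))
    print("no-name connections:", s["unresolved_connections"])
```

Run over the full table the same logic yields nineteen reverse lookups, one forward lookup, and 20.231.121.79 as the only address contacted without a name, which is the entry worth checking against an external C2 list.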

Files

memory/1016-1-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1016-0-0x000001DF0BCD0000-0x000001DF0BCD7000-memory.dmp

memory/3500-5-0x00007FF8E006A000-0x00007FF8E006B000-memory.dmp

memory/3500-4-0x0000000002580000-0x0000000002581000-memory.dmp

memory/3500-7-0x0000000140000000-0x0000000140249000-memory.dmp

memory/1016-9-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-10-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-11-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-12-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-8-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-13-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-14-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-15-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-16-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-17-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-18-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-19-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-20-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-21-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-22-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-23-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-24-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-25-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-26-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-27-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-28-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-29-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-30-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-32-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-31-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-34-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-33-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-35-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-36-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-37-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-38-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-39-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-41-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-40-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-42-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-43-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-44-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-45-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-46-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-47-0x0000000000A70000-0x0000000000A77000-memory.dmp

memory/3500-54-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-55-0x00007FF8E0A60000-0x00007FF8E0A70000-memory.dmp

memory/3500-64-0x0000000140000000-0x0000000140249000-memory.dmp

memory/3500-66-0x0000000140000000-0x0000000140249000-memory.dmp

C:\Users\Admin\AppData\Local\4WtrYaC\msdt.exe

MD5 992c3f0cc8180f2f51156671e027ae75
SHA1 942ec8c2ccfcacd75a1cd86cbe8873aee5115e29
SHA256 6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f
SHA512 1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

C:\Users\Admin\AppData\Local\4WtrYaC\UxTheme.dll

MD5 2fde65f589335c221efd76f5be950a28
SHA1 eb880880c91d23fc9776199891fd065ae6eaf236
SHA256 caea3d63d624bf3506709e33948d62cd24617a81671d5e0bd76db449a52a8674
SHA512 936217fab92526ccd1f6202179103b6bca6ab40d5b7b5758a59d5c624a77486e3accf5b44a85f5526c1e655eeb4771a037888f00075d6f1c39ebe6e5562e5dee

memory/4492-76-0x0000028987000000-0x0000028987007000-memory.dmp

memory/4492-75-0x0000000140000000-0x000000014024A000-memory.dmp

memory/4492-81-0x0000000140000000-0x000000014024A000-memory.dmp

C:\Users\Admin\AppData\Local\reOHiGHaP\BdeUISrv.exe

MD5 8595075667ff2c9a9f9e2eebc62d8f53
SHA1 c48b54e571f05d4e21d015bb3926c2129f19191a
SHA256 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db
SHA512 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

C:\Users\Admin\AppData\Local\reOHiGHaP\WTSAPI32.dll

MD5 b9cbdcff932e42f507c742ec3c6a6bf5
SHA1 5c862c4979bd33e1803d89215e0ab9c34f739d41
SHA256 c6848f7fa0e15201b499030bedf6c11361870e913b95d8ef9b6262e08c8e48dc
SHA512 b5e279bbb9458d3d7cd5a71b68dff1f17ecc315f70d009d0607a86aeec287343dc8809ba2139539597a3f3ae8c9b23e433d4be1de025ddb70d70ea62ff6b3853

memory/1764-93-0x0000020C67180000-0x0000020C67187000-memory.dmp

C:\Users\Admin\AppData\Local\A50Dt\WindowsActionDialog.exe

MD5 73c523b6556f2dc7eefc662338d66f8d
SHA1 1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5
SHA256 0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31
SHA512 69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

C:\Users\Admin\AppData\Local\A50Dt\DUI70.dll

MD5 719f2b25b9c6c7758bde0da6facf2b7e
SHA1 6ba192dc6880346bf1f92d2cfa6ba96ed03eab21
SHA256 a363a304c762f9b863fcbddda0a95f24484b2b59c7a3ef386632f7089c2ec33f
SHA512 dcf06a6096d00326af505617a31f9b5798854dd235d8a8ee45ce7838e90761514ca060e3751a9ba2f688565777f4b87602fe76b2b9e80fc545a81b42a345e1c3

memory/3520-110-0x0000026D669A0000-0x0000026D669A7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 97622b8984c34f15ead791cf33c8effb
SHA1 b94baddd9a76e4391839aa8e7e9bb837363e6117
SHA256 f414615196cd5c8abbf72b51c449d63af9347091d0f83f19ceaf409de7a05a19
SHA512 c277f09f6b4a2f3ad44e641f45cd064b117f6c2b9989f5a22f6a4663ec6c228499619c1b305a00f60eb66f0d49740f5229f86e5c8025f09cb149d7f4878800ee