Malware Analysis Report

2024-11-30 21:40

Sample ID 231231-q2gfnsehhj
Target 3888e3acac52c686141303c1979fe06f
SHA256 ce0ae9daa74e8fa902d050d77e568d060323fbb7a62fd798266508036742bb9e
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ce0ae9daa74e8fa902d050d77e568d060323fbb7a62fd798266508036742bb9e

Threat Level: Known bad

The file 3888e3acac52c686141303c1979fe06f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 13:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 13:45

Reported

2024-01-05 09:52

Platform

win7-20231215-en

Max time kernel

151s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3888e3acac52c686141303c1979fe06f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\pqja\shrpubw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\jXGBT3y0p\\fveprompt.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pqja\shrpubw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 704 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1200 wrote to memory of 704 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1200 wrote to memory of 704 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1200 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\pqja\shrpubw.exe
PID 1200 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\pqja\shrpubw.exe
PID 1200 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\pqja\shrpubw.exe
PID 1200 wrote to memory of 1996 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1200 wrote to memory of 1996 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1200 wrote to memory of 1996 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1200 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe
PID 1200 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe
PID 1200 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe
PID 1200 wrote to memory of 1976 N/A N/A C:\Windows\system32\tabcal.exe
PID 1200 wrote to memory of 1976 N/A N/A C:\Windows\system32\tabcal.exe
PID 1200 wrote to memory of 1976 N/A N/A C:\Windows\system32\tabcal.exe
PID 1200 wrote to memory of 752 N/A N/A C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe
PID 1200 wrote to memory of 752 N/A N/A C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe
PID 1200 wrote to memory of 752 N/A N/A C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3888e3acac52c686141303c1979fe06f.dll,#1

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\pqja\shrpubw.exe

C:\Users\Admin\AppData\Local\pqja\shrpubw.exe

C:\Windows\system32\fveprompt.exe

C:\Windows\system32\fveprompt.exe

C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe

C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe

C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\pqja\MFC42u.dll

\Users\Admin\AppData\Local\pqja\MFC42u.dll

C:\Users\Admin\AppData\Local\pqja\shrpubw.exe

\Users\Admin\AppData\Local\pqja\shrpubw.exe

C:\Users\Admin\AppData\Local\pqja\shrpubw.exe

C:\Users\Admin\AppData\Local\ezYP\slc.dll

C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe

\Users\Admin\AppData\Local\ezYP\fveprompt.exe

\Users\Admin\AppData\Local\ezYP\slc.dll

C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe

C:\Users\Admin\AppData\Local\EB9yu\HID.DLL

\Users\Admin\AppData\Local\EB9yu\HID.DLL

C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe

\Users\Admin\AppData\Local\EB9yu\tabcal.exe

C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\36GE4cj\tabcal.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\2Spq4Fc\MFC42u.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\jXGBT3y0p\slc.dll

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\36GE4cj\HID.DLL

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 13:45

Reported

2024-01-05 10:07

Platform

win10v2004-20231222-en

Max time kernel

6s

Max time network

80s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3888e3acac52c686141303c1979fe06f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\3888e3acac52c686141303c1979fe06f.dll,#1

C:\Windows\system32\dccw.exe

C:\Windows\system32\dccw.exe

C:\Users\Admin\AppData\Local\nn9qq\dccw.exe

C:\Users\Admin\AppData\Local\nn9qq\dccw.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\zf5E\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\zf5E\DisplaySwitch.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\PjLhmJokk\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\PjLhmJokk\SystemPropertiesProtection.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
IE 20.54.110.119:443 tcp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
GB 88.221.134.50:80 tcp
GB 88.221.134.50:80 tcp
