Malware Analysis Report

2024-11-30 21:39

Sample ID 231231-q99geshccn
Target 38ec817281b968a0e07a9a5123de5f8c
SHA256 9e1ac6a5594d7742eb158084b9e056709d59cdc0974efec1116261fb87fb6225
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

9e1ac6a5594d7742eb158084b9e056709d59cdc0974efec1116261fb87fb6225

Threat Level: Known bad

The file 38ec817281b968a0e07a9a5123de5f8c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 13:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 13:58

Reported

2024-01-05 14:02

Platform

win7-20231215-en

Max time kernel

151s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\38ec817281b968a0e07a9a5123de5f8c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\i3Mihp\sethc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Mm4zWruo\DWWIN.EXE N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\JzK\spreview.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\006JL\\DWWIN.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\i3Mihp\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Mm4zWruo\DWWIN.EXE N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\JzK\spreview.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (61 identical rows, no details recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 2588 N/A N/A C:\Windows\system32\sethc.exe
PID 1224 wrote to memory of 2588 N/A N/A C:\Windows\system32\sethc.exe
PID 1224 wrote to memory of 2588 N/A N/A C:\Windows\system32\sethc.exe
PID 1224 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\i3Mihp\sethc.exe
PID 1224 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\i3Mihp\sethc.exe
PID 1224 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\i3Mihp\sethc.exe
PID 1224 wrote to memory of 752 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1224 wrote to memory of 752 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1224 wrote to memory of 752 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1224 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Mm4zWruo\DWWIN.EXE
PID 1224 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Mm4zWruo\DWWIN.EXE
PID 1224 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\Mm4zWruo\DWWIN.EXE
PID 1224 wrote to memory of 792 N/A N/A C:\Windows\system32\spreview.exe
PID 1224 wrote to memory of 792 N/A N/A C:\Windows\system32\spreview.exe
PID 1224 wrote to memory of 792 N/A N/A C:\Windows\system32\spreview.exe
PID 1224 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\JzK\spreview.exe
PID 1224 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\JzK\spreview.exe
PID 1224 wrote to memory of 1048 N/A N/A C:\Users\Admin\AppData\Local\JzK\spreview.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\38ec817281b968a0e07a9a5123de5f8c.dll,#1

C:\Windows\system32\sethc.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\i3Mihp\sethc.exe

C:\Users\Admin\AppData\Local\i3Mihp\sethc.exe

C:\Users\Admin\AppData\Local\Mm4zWruo\DWWIN.EXE

C:\Users\Admin\AppData\Local\Mm4zWruo\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\spreview.exe

C:\Windows\system32\spreview.exe

C:\Users\Admin\AppData\Local\JzK\spreview.exe

C:\Users\Admin\AppData\Local\JzK\spreview.exe

Network

N/A

Files

memory/2512-0-0x0000000001B60000-0x0000000001B67000-memory.dmp

memory/2512-1-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-4-0x00000000773E6000-0x00000000773E7000-memory.dmp

memory/1224-5-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/1224-8-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-9-0x0000000140000000-0x000000014023E000-memory.dmp

memory/2512-7-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-12-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-11-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-26-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-27-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-25-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-34-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-35-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-33-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-38-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-39-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-37-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-36-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-32-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-31-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-30-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-40-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-29-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-41-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-28-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-24-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-42-0x00000000029A0000-0x00000000029A7000-memory.dmp

memory/1224-23-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-22-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-21-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-20-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-19-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-17-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-18-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-16-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-15-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-14-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-13-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-10-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-50-0x00000000774F1000-0x00000000774F2000-memory.dmp

memory/1224-51-0x0000000077650000-0x0000000077652000-memory.dmp

memory/1224-49-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-60-0x0000000140000000-0x000000014023E000-memory.dmp

memory/1224-66-0x0000000140000000-0x000000014023E000-memory.dmp

C:\Users\Admin\AppData\Local\i3Mihp\UxTheme.dll

MD5 e68c1a38936f404dd3cd0be776c5d8e2
SHA1 9865f6d5f5076d69be00a2673f032762af57e64c
SHA256 5606c4a83cd82205dcb03e1a8e4673ed51f292d53d11d9912964e7bac35a66ac
SHA512 5f4701c1c373b0a6a5438ce038069495278e5d72c498815ee687289760f853a8c3e5057ee6a1eafd83372844a83e15de52fea3642f2b98dfd759d1a87a2d2cda

\Users\Admin\AppData\Local\i3Mihp\UxTheme.dll

MD5 c93b4f17fb643d846edd24f12f4bf261
SHA1 a132fd2ff3821a85ba7965e34d9e9d511b245c72
SHA256 2f35b506bd1ce03412d776347527ea8ad37cf37bba4b61a6e294d3c2d75423ef
SHA512 46305f04da4731f4be9571f387ccfe7f1caa84c2ada4f576a0a3a522babaa6ab6b317a8ea657340967f3d719d4e141ad7811a2957d3139346b014b6304a12925

memory/2648-79-0x0000000140000000-0x000000014023F000-memory.dmp

memory/2648-78-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2648-83-0x0000000140000000-0x000000014023F000-memory.dmp

C:\Users\Admin\AppData\Local\i3Mihp\sethc.exe

MD5 92858d5c5532c2e35bf6162a9e2d65fb
SHA1 b856d8745618b8842f8d3882df980b6a8fd4611d
SHA256 98d0e543e5fa20756c6fb62b97b5cce47c8d89f96242fb20f2f9e7822489c6c7
SHA512 07f6d524089578c4b5fa6bbb764d0be5d0f511790130ae3db2ff2b37bfa981a6542ba89ea1d078cbc5a92ef8c6cce6ff875b4178eee84cf92515dc1c3a0c838a

\Users\Admin\AppData\Local\i3Mihp\sethc.exe

MD5 e42ec434fa04dd26b5b5db10decaf573
SHA1 aefdc7af5c1a0c818ad238d8d1e858c2174d7ded
SHA256 f54fc0d3de8b38f4124bbaafe44594c904aaf5a7c80891e2abeb55aad66841b6
SHA512 da45470e9360383b7fc6ec4cc46942aae949d4b4e9ee74b1f38c6c5695f0b78393a3d2bf2be460b4e3b3ebfb781e04b4ca738eca467a1943b1f9f9a5fbe4149d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\k1NbgcGqMrt\sethc.exe

MD5 cdf9811087b22a1b13b9d465057674ee
SHA1 d3ed93523c8b2be47983aec896ccbb7b37057230
SHA256 b33bd687929e52fc0a0dc49b8e24a50a10954b44ad70cfdb91d9b1c50e6cc972
SHA512 01fa7a4c50f6381ae32222e14a4eddcc3995946c841869ee964caad4437066c9703e8f74ea75c944082e269ca9281d198e00c39bc6d416f36c3ab4c395e3cb46

memory/1224-88-0x00000000773E6000-0x00000000773E7000-memory.dmp

\Users\Admin\AppData\Local\Mm4zWruo\wer.dll

MD5 55a061115a148a506cb8aa4766dc78a2
SHA1 4efbf1d992d887709f1a864411c5c1d8fabb7117
SHA256 ff76c9845c1d6b10847034775d0e64f063751f3f61fdc3db72bc659de414c0fa
SHA512 6b055f4017631caa468e87567030d7400baf3d05a8c8b1e5f885137184f8b7fd242cfc7f1ff184bbadadb58745ccaa16a05c5d7bd1a362a2ee2ffa8fd97b72ae

C:\Users\Admin\AppData\Local\Mm4zWruo\wer.dll

MD5 14e60038d32aad9bebbea0037303e143
SHA1 46203f1e31530aeea0819ab2cf85648ca409b60a
SHA256 c20cf5b9f0ffb631069b59f6ccd0c96a85b20754019667660d3032e529186c60
SHA512 bab574cdfb6e26497f17edbf28548d9c937ff55aa8ab21c491738a2b6fae2f3523c52f54bea78de4625d727b3a64646238e2337a0e473b3d4c7c124a7658ccf4

memory/2824-96-0x0000000000080000-0x0000000000087000-memory.dmp

C:\Users\Admin\AppData\Local\Mm4zWruo\DWWIN.EXE

MD5 25247e3c4e7a7a73baeea6c0008952b1
SHA1 8087adb7a71a696139ddc5c5abc1a84f817ab688
SHA256 c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
SHA512 bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

\Users\Admin\AppData\Local\Mm4zWruo\DWWIN.EXE

MD5 1d8205b88fdc9bc9a9f4cd3cf867acf4
SHA1 b6ffcde5535634e754c3df101633f637a63d9d97
SHA256 620d118a62786d09c4374ad8b69fd7d5a74b144da28fd9f764f1ac07e74f9cac
SHA512 936ba0d584fc9feeb1dbdf2129045dfe14583cdb6860c3f6facbce93256a2c99ad1f5e760841b1570af2b75e08ada841b16d15ba20fdb867e2f42edabfc06c0e

C:\Users\Admin\AppData\Local\Mm4zWruo\DWWIN.EXE

MD5 46cf205c6c68793a54993f7b0fc46084
SHA1 1367b303285c6413bee141f7e4f9d3dfcccc4628
SHA256 e87f530d86c4523940eadbfd0d4f2d5d068689485c1576a08e50ed55920129b5
SHA512 72150dbae847de4b4a9cad4e74c8e34de25fc90cc92df7f7a1066a57475ee6186092637edb9703dcbf335a98c223dcace64192ad68bf09ee15a7c4e6d5df6236

C:\Users\Admin\AppData\Local\JzK\spreview.exe

MD5 3410f4620e071ade77c27ee11d327d06
SHA1 1342e407961bf5a553d09b2e4166fab4703601e3
SHA256 df37496704179a0ab15b4bc775f768b60c47d90e4d087546d08d5f3aa029df35
SHA512 b20749c399c3c6cb1f012edbcfd701e563b7cd02f90f8c405e8fd2c575f5b9878b11547fa47bec608fb0d52fff428fef5c8bd9789fcf4c7c9dfe76e0b9de2bc4

C:\Users\Admin\AppData\Local\JzK\sqmapi.dll

MD5 aaf043eebb76c185cf13ab93fd7a05d7
SHA1 ca04197359dee9731a18c59ea61922bd5f1ea88e
SHA256 8867741e1b4d46f88e7f8fec1e4c1b7062b0730fc63ace6ccc70c40830e45d8b
SHA512 778571b19d656b3df629383b906b02501e33ea815cdaca4a6429d8cbe4dd3f1108ed5fe62d610bc80edfff47a202f3d3c590438de35943884d857e1d1191e5f3

\Users\Admin\AppData\Local\JzK\sqmapi.dll

MD5 7d47cab2cf5f3c9962f2d58f15c408f1
SHA1 b9051e3a2843972374ea597a4d1514626817e059
SHA256 e55fa262c7b9406be2071bff87c0b4833c994c03a2c2663cbb7b7d06311c55a4
SHA512 dde1222bdbd9442380cde7a37d3f7f3ee87ed8a5d57cd6d79b62bf8791509688c431500489348f125da4827b45ed16d98451b14a653c62b8dc94355e35811021

memory/1048-117-0x0000000000180000-0x0000000000187000-memory.dmp

\Users\Admin\AppData\Local\JzK\spreview.exe

MD5 951405e870dee183a4f449c7143a07b9
SHA1 309eda9d3030ce64a827f0329a637562e9b21002
SHA256 a5f408d698508c54c44ff7388035b77b32385622220eaca3b50e2d4eb5b2808c
SHA512 8edd1079293a8d0e5952ad621f029f3901ab5f38cee80146e09b17e5814cf8120bf5dd722f2dddd14952592f4d725dd9651e95ad9d44792cc2bb6aed8530e2cf

C:\Users\Admin\AppData\Local\JzK\spreview.exe

MD5 016f37fc0563aef5dc73054c0f4a5c8a
SHA1 47e90e3492f1b3a46ea74de6fd7b0b245263b0cd
SHA256 1b504ff082e13a55cd9119f76d9c7278df69c44404550ed9cfa4226cba81f4b8
SHA512 4626fc15c09c7b88a6b490c0421969df65c30212cb06b05b9c8662e1ade934fe1ea15c34798b7195cc8acb1de678e4a1c6ff21453f06ac48997f45a6988c378a

\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\006JL\oitF\spreview.exe

MD5 efdf8444448198b3dc8fcd4422e7b892
SHA1 ef5d2ab2a5765117a04276c42bfbdf9703f9dfa1
SHA256 fc556beb72baedfebefefe9da7a039c6222e366ab1c1737c10431a3463c676ca
SHA512 22b4508cf28a3b228086d0ce7a52b80c8e594f44dad98e08e0533b27ee78b90eec8517e6b8e0f7c6f254f05659809f5408004f575361b5f594ae719ac9397db2

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 5525272b57818912d8df98830074046c
SHA1 4039b703b0b45c409a115c31481d9475283bb326
SHA256 36d6e30aaf1c5aa9af950164765ab9b5418b5f517a8e9a3ff626915184300f0b
SHA512 ff37ceb0425dd0dc6abe5a7f442d697ce05120ed514541cc79a000d1a3c2175e46908bd9e1acdb520d6b538e349f74d2e5bc7b9e71e871a1f28d51aca21946e1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\k1NbgcGqMrt\UxTheme.dll

MD5 ddcb6b1646dd94480960157809097451
SHA1 aa4adf611fcdc10ed1312741a714f02275d89643
SHA256 a5e3ab6e46fcc2f89c8efa87c507e1938f901cf4fa7742cf5a48a96610fb8426
SHA512 b26c1dc9fc96d5de48e0db259d3e8394806854ba4b882de9c8fd4f243e8aca9d297ccbf26dba735bf274f4d3ac4b72bec0c44d73b378e54292a67151dd996564

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\006JL\wer.dll

MD5 4c1a78e4254e24ef8e0d7a8480db3359
SHA1 1432c009e5fb74301c7e4f0bf5d1ea64c71a8f96
SHA256 18d426957143ad3c808f1facb0adfcc1eeb5484a7b03103ec92923550a766cf8
SHA512 5e7c4d307b581883218ccb6a2f1c5c26467c87ac0bb4797d3b1eb33212eddeadcd304c9bc953e166dfac56af87971f479efc742d868319cfbc3fb654c74f4ca3

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\006JL\oitF\sqmapi.dll

MD5 9d764edae7a6a54e46ba47e5459ab5be
SHA1 a4b8881908861703cb1f315fea3a4a853d88d87f
SHA256 017a5862fbd2e76de56a9a487b676c15d90d0748bfa3e949986bef4b980fdf9b
SHA512 734091e15ed17823d7115ca64846b7831adacd23f4415c9c1151d8b71737e7c73fe524ee61cbdbc9dbddb16f5eba5f2b57fe51489f4e3471837537a34f10adc6

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 13:58

Reported

2024-01-05 14:18

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

84s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\38ec817281b968a0e07a9a5123de5f8c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\38ec817281b968a0e07a9a5123de5f8c.dll,#1

C:\Users\Admin\AppData\Local\ZHWdgywM\slui.exe

C:\Users\Admin\AppData\Local\ZHWdgywM\slui.exe

C:\Users\Admin\AppData\Local\jER9Nn\Utilman.exe

C:\Users\Admin\AppData\Local\jER9Nn\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Users\Admin\AppData\Local\OaqYRfIfw\MDMAppInstaller.exe

C:\Users\Admin\AppData\Local\OaqYRfIfw\MDMAppInstaller.exe

C:\Windows\system32\MDMAppInstaller.exe

C:\Windows\system32\MDMAppInstaller.exe

C:\Windows\system32\slui.exe

C:\Windows\system32\slui.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
NL 20.73.194.208:443 tcp
US 13.85.23.86:443 tcp
US 13.85.23.86:443 tcp
US 13.85.23.86:443 tcp
GB 88.221.134.18:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp

Files

memory/5060-1-0x0000000140000000-0x000000014023E000-memory.dmp

memory/5060-0-0x0000000140000000-0x000000014023E000-memory.dmp

memory/5060-2-0x0000020D2CE40000-0x0000020D2CE47000-memory.dmp

memory/5060-8-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-15-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-19-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-25-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-30-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-34-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-39-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-42-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-43-0x0000000001F90000-0x0000000001F97000-memory.dmp

memory/3420-51-0x00007FF807F60000-0x00007FF807F70000-memory.dmp

memory/3420-60-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-62-0x0000000140000000-0x000000014023E000-memory.dmp

memory/60-78-0x0000000140000000-0x000000014023F000-memory.dmp

memory/60-74-0x0000026610490000-0x0000026610497000-memory.dmp

memory/4768-90-0x0000000140000000-0x000000014023F000-memory.dmp

memory/4768-96-0x0000000140000000-0x000000014023F000-memory.dmp

memory/4768-92-0x000001BB5E2F0000-0x000001BB5E2F7000-memory.dmp

memory/4928-109-0x0000011ECD3A0000-0x0000011ECD3A7000-memory.dmp

memory/4928-114-0x0000000140000000-0x000000014023F000-memory.dmp

memory/4928-107-0x0000000140000000-0x000000014023F000-memory.dmp

memory/60-72-0x0000000140000000-0x000000014023F000-memory.dmp

memory/60-71-0x0000000140000000-0x000000014023F000-memory.dmp

memory/3420-50-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-41-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-40-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-38-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-37-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-36-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-35-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-33-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-32-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-31-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-29-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-28-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-27-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-26-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-24-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-23-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-22-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-21-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-20-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-18-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-17-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-16-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-14-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-13-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-12-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-11-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-9-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-10-0x00007FF807ECA000-0x00007FF807ECB000-memory.dmp

memory/3420-7-0x0000000140000000-0x000000014023E000-memory.dmp

memory/3420-5-0x0000000001FD0000-0x0000000001FD1000-memory.dmp