Malware Analysis Report

2024-11-30 21:45

Sample ID: 231231-rh95babggq
Target: 395d378023d358e9f2d959f13a9bda5f
SHA256: 58436285ac048322ee3aa0e60a475f002f3da9450bb79c12b15fdaa9802ea8c6
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 58436285ac048322ee3aa0e60a475f002f3da9450bb79c12b15fdaa9802ea8c6

Threat Level: Known bad

The file 395d378023d358e9f2d959f13a9bda5f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-31 14:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 14:12
Reported: 2024-01-05 16:54
Platform: win7-20231215-en
Max time kernel: 27s
Max time network: 126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\395d378023d358e9f2d959f13a9bda5f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\zOcfwO\spinstall.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\vD4K8\Magnify.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\fXLtFC7oq\dpapimig.exe | N/A
(4 further rows with no description, indicator, process, or target)

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\vBy7\\Magnify.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\fXLtFC7oq\dpapimig.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\zOcfwO\spinstall.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vD4K8\Magnify.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
(61 further rows with no description, indicator, process, or target)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1276 wrote to memory of 2656 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1276 wrote to memory of 2656 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1276 wrote to memory of 2656 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1276 wrote to memory of 1936 | N/A | N/A | C:\Users\Admin\AppData\Local\zOcfwO\spinstall.exe
PID 1276 wrote to memory of 1936 | N/A | N/A | C:\Users\Admin\AppData\Local\zOcfwO\spinstall.exe
PID 1276 wrote to memory of 1936 | N/A | N/A | C:\Users\Admin\AppData\Local\zOcfwO\spinstall.exe
PID 1276 wrote to memory of 2776 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 1276 wrote to memory of 2776 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 1276 wrote to memory of 2776 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 1276 wrote to memory of 3064 | N/A | N/A | C:\Users\Admin\AppData\Local\vD4K8\Magnify.exe
PID 1276 wrote to memory of 3064 | N/A | N/A | C:\Users\Admin\AppData\Local\vD4K8\Magnify.exe
PID 1276 wrote to memory of 3064 | N/A | N/A | C:\Users\Admin\AppData\Local\vD4K8\Magnify.exe
PID 1276 wrote to memory of 1308 | N/A | N/A | C:\Windows\system32\dpapimig.exe
PID 1276 wrote to memory of 1308 | N/A | N/A | C:\Windows\system32\dpapimig.exe
PID 1276 wrote to memory of 1308 | N/A | N/A | C:\Windows\system32\dpapimig.exe
PID 1276 wrote to memory of 2784 | N/A | N/A | C:\Users\Admin\AppData\Local\fXLtFC7oq\dpapimig.exe
PID 1276 wrote to memory of 2784 | N/A | N/A | C:\Users\Admin\AppData\Local\fXLtFC7oq\dpapimig.exe
PID 1276 wrote to memory of 2784 | N/A | N/A | C:\Users\Admin\AppData\Local\fXLtFC7oq\dpapimig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\395d378023d358e9f2d959f13a9bda5f.dll,#1

C:\Windows\system32\spinstall.exe

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\zOcfwO\spinstall.exe

C:\Users\Admin\AppData\Local\zOcfwO\spinstall.exe

C:\Windows\system32\Magnify.exe

C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\vD4K8\Magnify.exe

C:\Users\Admin\AppData\Local\vD4K8\Magnify.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\fXLtFC7oq\dpapimig.exe

C:\Users\Admin\AppData\Local\fXLtFC7oq\dpapimig.exe

Network

N/A

Files

memory/2232-0-0x0000000000430000-0x0000000000437000-memory.dmp

memory/2232-1-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-4-0x0000000077AE6000-0x0000000077AE7000-memory.dmp

memory/1276-11-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-15-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-17-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-19-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-20-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-26-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-30-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-37-0x0000000002A60000-0x0000000002A67000-memory.dmp

memory/1276-36-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-34-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-35-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-33-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-31-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-32-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-44-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-29-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-28-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-27-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-24-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-45-0x0000000077CF1000-0x0000000077CF2000-memory.dmp

memory/1276-46-0x0000000077E50000-0x0000000077E52000-memory.dmp

memory/1276-25-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-23-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-22-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-21-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-18-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-16-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-13-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-14-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-12-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-10-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-9-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/2232-8-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-7-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-5-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/1276-55-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-61-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/1276-63-0x0000000140000000-0x00000001401B0000-memory.dmp

C:\Users\Admin\AppData\Local\zOcfwO\VERSION.dll

MD5 d8bf0cf0d244f9f9c524fe9e29c1881a
SHA1 55fc585911300a68571c2f74826685c47fd6f137
SHA256 2a5514e6ed7a111c661a07b093191dbf67fe37ec33b952f8cf0cae69cb373cbf
SHA512 c8b64d31218cfed852f16e43aa7175c07bb92a515b876a5dc197565fe64656bb9eb33d0c142a2c49dad22bd41b66b852507fe3464b3792f015a795827df0d1d8

C:\Users\Admin\AppData\Local\zOcfwO\spinstall.exe

MD5 07d3a95abf7406b235773d814c55dc4d
SHA1 cc3154a3aac5fd6a6b164fa157eb55dad340ee6e
SHA256 59d9438c835e09c7920b741515eb4df77b50f64b0c3e46dc709cdfe41a574419
SHA512 ce983a7673ef3db72288cfddad6469b13a6974a8be1c51e56ead5a58383803e696e671f14bc6f6aa28b0ffef71047fc1b2c9fb9c632b5dd1ad5f33d05651ff05

\Users\Admin\AppData\Local\zOcfwO\spinstall.exe

MD5 98cd09b560c1ada9deaff41a42971e0c
SHA1 55ac5e9b0c54ad24c3ac35be41e7426ca002fe5a
SHA256 afbc023ceab0aefb81bdcc6b7c8a5d2233b1c6da50b81ff404f2ba59d245ad65
SHA512 ee47114f9a146ce39c525397e291959f60206f0ddf224337ae7ec884ec552a5bb3e2b2c4cd438f3f9f505e3feda9dc9fa0975d5d817f144968dd8ee199e97cb2

\Users\Admin\AppData\Local\zOcfwO\VERSION.dll

MD5 0443a18cd3110cfca7ab8240e539d4e3
SHA1 ac31ad60862f06771886cf637e9e0d44ad79f46d
SHA256 a7f14a1c6dc67c373068640440f2cc75aafcaa8d60107cb8e742869e921fa9cd
SHA512 83e3a7455e51f803cbbba0be5509cb8581b2bacdb72840ee2eed4037e30b0f77c41605775f8d0d8f8be941a0ae6ec9fc3c9d36c3f31743b42cbb84e2c7f81b2e

memory/1936-75-0x0000000140000000-0x00000001401B1000-memory.dmp

memory/1936-80-0x0000000140000000-0x00000001401B1000-memory.dmp

memory/1936-74-0x0000000000210000-0x0000000000217000-memory.dmp

C:\Users\Admin\AppData\Local\zOcfwO\spinstall.exe

MD5 904348f26475ba26aa3ae439e322a69c
SHA1 582cff0c6b74b57b82c1eeb97bc6f2aafa757e58
SHA256 d1a6908ee68fb367b5184ae124e62eb4adafbb7441dc2e738a5159e760abbdb0
SHA512 c4c1635d2ac29d520e82767ecc7f0fdce0e70237db3c2d9cc4067d51602894a0e27d846821351232c73dfcad73cdee7d87585054de091c5a34edd839e250c57f

memory/1276-73-0x0000000077AE6000-0x0000000077AE7000-memory.dmp

\Users\Admin\AppData\Local\vD4K8\Magnify.exe

MD5 433c87394fab9f82b2c446f2655f8d0e
SHA1 37ac7dad72e612c971015b1c67b5f293c1411706
SHA256 243539bf7e1227cfd161fefb40a952d2c686348e7e33bae2df0b64b062ac93fe
SHA512 dd357efa9d4923b7d5588d0fa828fa2718b58c7fbaeec527505efaade16255b2f6c163f479aa1e5a5975bc27c9bbdc4a85eeb37ffc994f10298aa55b701a19de

C:\Users\Admin\AppData\Local\vD4K8\dwmapi.dll

MD5 69b6040ed8542f47155f2125005aa7bd
SHA1 78d30d7b18e036cd62849388509518438461241f
SHA256 021fd15280b92323a907a402cb0816a51645d8bd299299a84417bfb9a17f16fb
SHA512 a6cd29af6ebb79be2c233401122647527f482e88adcffbce0239d9c86ad4e7d1a4b2fe01c2e8b442b4abd495794082c7bbc765d885b01df781133a0f3f2388b5

\Users\Admin\AppData\Local\vD4K8\dwmapi.dll

MD5 7e58d526ae44fce5ac3178aa23a33937
SHA1 5e9cfcab90c5e90c6062715388a621e155c5307a
SHA256 9e4f8a615b41182256bd69217c47e4b11fb3fac325b4d61ee994e32c7c63572e
SHA512 84b193ed2a86defbce049b707f7404aa38f8e2b61964eba1f9ebca3e68ac6cd61713b1fbae8b95ee519c69a2c78b6207786bf88c1833e853c8185951dcc26b61

memory/3064-92-0x00000000002B0000-0x00000000002B7000-memory.dmp

memory/3064-97-0x0000000140000000-0x00000001401B1000-memory.dmp

C:\Users\Admin\AppData\Local\vD4K8\Magnify.exe

MD5 2ada1baf30592db88df33a947d2b9b7a
SHA1 966fde7997a2ecb0d5ca0cfbe95df92273b9c456
SHA256 60a4bff724148df537d5ce7e5f90f6a29fa116272a695cb9499562195375486f
SHA512 286f502a0fb6260e61ba9a72a7b4848d9bfc662664a0b5e47c37356a3d186b414373827003dac3d2508f1263fb4d2a45e2a0ae5800d3c3cb7d6b9d13f98306dd

C:\Users\Admin\AppData\Local\vD4K8\Magnify.exe

MD5 1575ff26933cb506e7d1f11947a25a9c
SHA1 6f0bcb520d791a3f057c50e612b9cc27302495d7
SHA256 f3e837eeb4b7cec1a098481fa3f4725b44260869bbf8258fbe1c005342aa2b69
SHA512 53b518306af707b7c81af243bd8563c4ebbc5bf6c89eb2e2988efe1d66cae075744dda1e6f99c5ed4c7239224359d6bccccc8566a9381b1eed558b795396bfc3

C:\Users\Admin\AppData\Local\fXLtFC7oq\DUI70.dll

MD5 f7cd4de4e20627a83b40705a41efeebf
SHA1 1dc48efc6591818bff2e9b7de76d8c951e18f394
SHA256 b4c1ab4db76f97f0be2f343b0b70c2446eba60dd5fc8a507cb6713f59c918a2b
SHA512 8b4357e55569f27b9fbc7a91896f8dda4b49a3fbc21a24c6665f10740fea9426e0e03b1ae0a949282b3484736c2831c7c5fbe4d9c414e2cc6a4928c501f1bfd7

\Users\Admin\AppData\Local\fXLtFC7oq\DUI70.dll

MD5 67df6affb73b47e76dfc7fb82d920bd0
SHA1 6f3f38d3bea3865237ba31fafd8b6131bc94e0b2
SHA256 9dcdf75dfc8ddd7f8ac7cd3faf44ac3cd551f4e5bc995fa29ef25c0027fe813c
SHA512 dd51b3a864caa960063b26d615e308448e7b19a2289eada8e3b82c0da7f6646ca53b50e58e44f09a70a53c9ed615f891ac6badf5865d8f86baa3d1306dbdf67e

memory/2784-116-0x0000000000100000-0x0000000000107000-memory.dmp

memory/2784-117-0x0000000140000000-0x00000001401E4000-memory.dmp

C:\Users\Admin\AppData\Local\fXLtFC7oq\dpapimig.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\fXLtFC7oq\dpapimig.exe

MD5 5b85cf54fab1029870ed592071f50ccf
SHA1 fa0923f31ac41805b70cc959d7670d61b6b136b2
SHA256 efec00f865dc85b62f03e4b9cfc672d4a03b3a049461ce3819142ba426164430
SHA512 2c930097ab3f67d3bb09b2f26212af657dc8ae3c38a39c374abe76df7f1039902b962c59aade2bf4c2217bab6614aa4b0d960fc7d5116cd1a8d305b8b86dd4a9

\Users\Admin\AppData\Local\fXLtFC7oq\dpapimig.exe

MD5 6babc646c7217512f0f387d3e39033ea
SHA1 18cf9a3a2305079cdcdc7781d52cb6a0a4e6859f
SHA256 d5174d2e0b41051c08caa73777151ee7a15b8d0240ceb75e530f154f09249553
SHA512 9b982f0f136e3a197d01c976435dea84da0641c4b2dd67011a0fa06aa06d2e7c683c376a3ed6fb9bd5627060ae3347b7477368d8f0c759a0e22804961ff92633

\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\y2V2oPYWg\dpapimig.exe

MD5 1231e57ed9564d93110864aa741ec404
SHA1 6d263b36372bddaf2b1073324925a6f82a953bd7
SHA256 09a7d3c62dc4a025afea1ccd5ddd3f2f6cb3ff8402bf5ef5b68bc2d150eac8bf
SHA512 e1b6ca865792a043ce0ab25a615917f475a115e032ca6773216113f738556e5f87b81bf9d5e1a3da6f1e8e51e05eb9672f682e59006ace440270769fc172cbac

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

MD5 40fb672eea577d5a44ad9c4fb6f5c2a1
SHA1 779fac1de7575405211f75756cb40625e1413d51
SHA256 62d3d699f7b8e4ccd15df20fc372ecd23b7701620e36478a429eb90da8ddc43f
SHA512 c2e62975e0be0a60ba95ebf75a3bf5e775b3f9be1e4e4de67d7a6e57589ca84088b0e89168c6e591fafdab2a75dce6bd712716b36c6d03de979b0d0930a74f5e

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\rYSliXGg\VERSION.dll

MD5 4ff3c5398ae801bf950f6df36a429370
SHA1 a9b61b20ac97fb3a61704bea2d11d1d23a0e28fa
SHA256 3f23cdfbb1b017807d4050aeb1d9812317fafae47630d4ddd619910752f2884a
SHA512 36259641d0eb4f3c205e75beade384bee479b80faddc77a75f99b7baaae110ad6c681c6e45c45ca57eacfe9ec52ee6bd4eaab949f93021fd1f77f445d9daf9b3

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\vBy7\dwmapi.dll

MD5 fa4728a09fe102dce5e8f17b68b15ab9
SHA1 e135b5b4b832b53c7ec203ac622853ac7c98e6c3
SHA256 0f411e848a04f94b36212c391e849085dcbd9531f7b3b00521474ff24bcaeb82
SHA512 63c3fc20d37962505d84b7137788313f09e8438b3e592f09718e44405bbe2e624397988850a0966df35dd33accfba2e524bbdfcdf08e4bdea20fbd6c7bcec010

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\y2V2oPYWg\DUI70.dll

MD5 7308f034f92fec1eb53635d53ced723f
SHA1 82daba9331606d30d7c118dc4366f72333c0ae09
SHA256 e5f28f94cc6f42fee0b6dc7f9007d083e2bdc1451a32f86d0227dc682e637db0
SHA512 099070eb2e58cac1ecf9fb429ab9d1ffac229b9a5f900b0f7b9b4fe7fccc40ac7f34dd510f4aa18f10c3d2ed940f905f58982bedf9e5e92d8405b69a20bf3077

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 14:12
Reported: 2024-01-05 16:48
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\395d378023d358e9f2d959f13a9bda5f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\VuNdrXxYtpE\\Taskmgr.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4VD\WindowsActionDialog.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\aLo\Taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1ir\SysResetErr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
(60 further rows with no description, indicator, process, or target)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3496 wrote to memory of 4956 | N/A | N/A | C:\Windows\system32\WindowsActionDialog.exe
PID 3496 wrote to memory of 4956 | N/A | N/A | C:\Windows\system32\WindowsActionDialog.exe
PID 3496 wrote to memory of 4212 | N/A | N/A | C:\Users\Admin\AppData\Local\4VD\WindowsActionDialog.exe
PID 3496 wrote to memory of 4212 | N/A | N/A | C:\Users\Admin\AppData\Local\4VD\WindowsActionDialog.exe
PID 3496 wrote to memory of 4780 | N/A | N/A | C:\Windows\system32\Taskmgr.exe
PID 3496 wrote to memory of 4780 | N/A | N/A | C:\Windows\system32\Taskmgr.exe
PID 3496 wrote to memory of 3996 | N/A | N/A | C:\Users\Admin\AppData\Local\aLo\Taskmgr.exe
PID 3496 wrote to memory of 3996 | N/A | N/A | C:\Users\Admin\AppData\Local\aLo\Taskmgr.exe
PID 3496 wrote to memory of 3600 | N/A | N/A | C:\Windows\system32\SysResetErr.exe
PID 3496 wrote to memory of 3600 | N/A | N/A | C:\Windows\system32\SysResetErr.exe
PID 3496 wrote to memory of 2336 | N/A | N/A | C:\Users\Admin\AppData\Local\1ir\SysResetErr.exe
PID 3496 wrote to memory of 2336 | N/A | N/A | C:\Users\Admin\AppData\Local\1ir\SysResetErr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\395d378023d358e9f2d959f13a9bda5f.dll,#1

C:\Windows\system32\WindowsActionDialog.exe

C:\Windows\system32\WindowsActionDialog.exe

C:\Windows\system32\SysResetErr.exe

C:\Windows\system32\SysResetErr.exe

C:\Users\Admin\AppData\Local\aLo\Taskmgr.exe

C:\Users\Admin\AppData\Local\aLo\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Users\Admin\AppData\Local\1ir\SysResetErr.exe

C:\Users\Admin\AppData\Local\1ir\SysResetErr.exe

C:\Users\Admin\AppData\Local\4VD\WindowsActionDialog.exe

C:\Users\Admin\AppData\Local\4VD\WindowsActionDialog.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp

Files

memory/3492-0-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3492-2-0x000001E620A50000-0x000001E620A57000-memory.dmp

memory/3496-4-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

memory/3492-7-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-9-0x00007FF83197A000-0x00007FF83197B000-memory.dmp

memory/3496-10-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-11-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-12-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-8-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-6-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-13-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-14-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-17-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-18-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-19-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-23-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-28-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-31-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-35-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-37-0x0000000002F30000-0x0000000002F37000-memory.dmp

memory/3496-36-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-34-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-33-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-32-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-30-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-44-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-29-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-27-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-26-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-25-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-24-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-22-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-21-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-20-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-16-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-15-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-45-0x00007FF831C40000-0x00007FF831C50000-memory.dmp

memory/3496-56-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/3496-54-0x0000000140000000-0x00000001401B0000-memory.dmp

memory/4212-65-0x000002C3BF110000-0x000002C3BF117000-memory.dmp

memory/4212-71-0x0000000140000000-0x00000001401F6000-memory.dmp

C:\Users\Admin\AppData\Local\4VD\WindowsActionDialog.exe

MD5 78957ab23beb828f0e08285dbcde04f6
SHA1 5c59fa8dde236c379fa61a2572d5f555e09e2313
SHA256 a363570cbba780d0a102a7ad22526e7a1daec6d658b9e787bc442bc1756850cf
SHA512 f872c1005e0bed5b95b52013539e38a01bd9e61ab28800f0e4ed6ab2ce4d7126e50a2050920af8482dc7d8ff8930a8264b33816d38eb7d068afc4f79e0e4622b

C:\Users\Admin\AppData\Local\aLo\dxgi.dll

MD5 739684dbf2e34d8da3e8c2b0fdec543d
SHA1 a6ebb35a87978351610b905c030909aa5cbf9c97
SHA256 230f5a087874f9f7a11203a1d60dd46b1a5704d5b65aadea2ffd2c4bf46053a0
SHA512 648fb1c8c4088c8e5473d269cd8c157a5c69bb1b7f5537d03f5d57a20f0b32ee5f7800e0af1a2337fcbf78b43a599acc6ea2f5dd6cc357cc3ae6b044dc643677

C:\Users\Admin\AppData\Local\aLo\dxgi.dll

MD5 2c54aa816401b10398c7d99beba2382e
SHA1 cf8ed8d3b1e61f36a3ed696665134350661903f4
SHA256 019d1d3ff67734b37b640d00d0e138e20c52c681e942e8675680ed31aaee06e4
SHA512 6e20e2159b913e1fef137c6c2f0212dc0d81cd4d6bf5e136e7fb6d4fcd8ccb0aea54f455d07a67fcd57abdd36eb7f4d6a5afa9c92f5a3b53d40697aea8d2ae31

memory/3996-86-0x000001CE629D0000-0x000001CE629D7000-memory.dmp

memory/3996-89-0x0000000140000000-0x00000001401B1000-memory.dmp

memory/3996-83-0x0000000140000000-0x00000001401B1000-memory.dmp

C:\Users\Admin\AppData\Local\aLo\Taskmgr.exe

MD5 112a3da8adc170e06fab1c30a51f0a41
SHA1 d4827acda98074313e12dfc0ad206f457650ef02
SHA256 cce47d40d4a61621070bb6a59670260e112cb7ca0fe2c456946b583de2b19e67
SHA512 c5326c7090bf8c4e1d1c9f36d86739c152a026cdee13d2db509d3c4542a9ad545e26b254766051fe26044298085c72e39b3485daa2cab46faa3ec5120aa8c0a2

C:\Users\Admin\AppData\Local\aLo\dxgi.dll

MD5 751b59e3b64791586a91fa315e11daac
SHA1 84ed1e308ef3d71d5f1d370b731b4b7f253c32b0
SHA256 2c77466819a52246b41bf2a3d657c41469ab87a063d876dfb0e7086b85ac8b02
SHA512 bd32fbef03652dc0542513ca55240388c946fd4d81b0cd9a2d5b5cdb857fe1aa99ef31ef6cf551298d76e16d8831365e13ffff150520b1738cec86cb936adff0

C:\Users\Admin\AppData\Local\aLo\Taskmgr.exe

MD5 0505d9c95761c4dc6ba84534ec4b7681
SHA1 868d18eadb28b9c621dbae59cdc169be6d4ac6e6
SHA256 a2cb2ef4513d1c819909d94cde298ea7ae9ef24aac9144d0d8d0d4444b91a66f
SHA512 405fa707f8d9a1633e7ad94bc446eb739e392d52761c611d58d1c911f01689c8126900d440fad239db361ac32e8c145b29861cff7ed8937467a28fccfdd1a1d1

memory/4212-66-0x0000000140000000-0x00000001401F6000-memory.dmp

memory/2336-102-0x000001BF63CD0000-0x000001BF63CD7000-memory.dmp

C:\Users\Admin\AppData\Local\1ir\DUI70.dll

MD5 915ce8937062dfac8830de1e11557cc4
SHA1 bdac2033b6150ef956e23c74622a16cd5419fc43
SHA256 1836ca9088d9c8696aacc46bf59160792fd041153ce9e3447876a10bcf57bb2e
SHA512 2b07d92cad6eddc5db37338de0751e45ba2a34db56a7b0a4cc697034e0cf8bd0c1c418c23414ea2a0639139eb0050b669e1adb1d37ef8af558716b5e61089c5c

memory/2336-106-0x0000000140000000-0x00000001401F6000-memory.dmp

C:\Users\Admin\AppData\Local\1ir\DUI70.dll

MD5 bfa59f107adc5b3d99f3b878939fca54
SHA1 c70a19826d88245b9eea2ac580f517746a8f93d6
SHA256 d428265a008f6f512d40c984e6267620a8fc923085e7175ec91891566c8bd341
SHA512 bcc83f81b2348d9a3a1d4bee919542f366f9be7309426962669e274b60cd7d2806e0af66f6f5ede72d97a85272d9e7f7e07307dc9004138591e8a8df2b514409

C:\Users\Admin\AppData\Local\1ir\SysResetErr.exe

MD5 090c6f458d61b7ddbdcfa54e761b8b57
SHA1 c5a93e9d6eca4c3842156cc0262933b334113864
SHA256 a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd
SHA512 c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

C:\Users\Admin\AppData\Local\4VD\DUI70.dll

MD5 4781fb2638f05d412b643a910d162508
SHA1 3de556e245b09652d70c907d94ad7d5bf208365e
SHA256 10e37a9099193ccd96c7000e2727df4103295fc5277f52e305653de5ac15a85c
SHA512 f63d07574483a948ce64772fb0a51fbeddab8b2aa17456ad3fd70289213a8abd94fc3dcfc10c05d416ee91083bf2233750a118d0771577d63d714ff6eb296e97

C:\Users\Admin\AppData\Local\4VD\DUI70.dll

MD5 930f8aceb950480d83aa27933c9cceca
SHA1 ccd495ef789e27ff4733995b41df65ab5d14ed38
SHA256 f6da91f277d2601a4c6bd19234ef06cddbe875eccee3f4db358c7e97d0d85312
SHA512 ad4f4dce9dd203b8506f7d0ddcc18858bfbb366e217c97fd192be9de5c6b9d78b016623094bd49a25f8e9a0102d9d2e1675bd7d84208ced25fbbd8f9c63514d9

C:\Users\Admin\AppData\Local\4VD\WindowsActionDialog.exe

MD5 73c523b6556f2dc7eefc662338d66f8d
SHA1 1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5
SHA256 0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31
SHA512 69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 5dbdc364a1b1d7b3d167adf507ed9a27
SHA1 4330f90e644de130ea67bd7d5fd9646a4108f7a1
SHA256 6d272d0ad6bf9a2a510007bd7f52b16228bff1bd93ed19bb861d850b057530f1
SHA512 59164c7e1fd32780180c1d9f3e274772cf2c6f0d5c31be19855ee43acf605712d5673e3eb5f91575c20f3a2b38a02eb672fa45021fba93e5fb0f60cd1794e9ed

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\aTQhLSN\DUI70.dll

MD5 a2e1f3617be1009d5c4d3ffa302b1f8b
SHA1 98c7eac37d4d2642360772aa4b6937472b30e5ef
SHA256 1ed58e61e7a38cedfd0acc13abc336b7c329024359004dce8377f81f21b46124
SHA512 20950f8842aeaee3ba68059e670ba75e1c7c2be778e14f305646912d1c34de7316686fac9ea3eed189efebde38a4ad2c064b970ec3dfd84e9b01be7f30073aa9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\VuNdrXxYtpE\dxgi.dll

MD5 71b40a33b782f0f22d833d7c446e543f
SHA1 e2f267b5bb65b9bb4759e7a4e0dc017c8623333e
SHA256 39fa21f9d8afb4648afc932ef75cca0829cb0c1d9366d076c0b5d2215968a8eb
SHA512 d31ac13fde4c20bf593547eca342ead55d53812c35ddca1921cc61cbf8bbfa3d9f54bc68f967cb38f03e29c0acc9f3cb116d234b9a0c5155910c78db4275a312

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\jVfAUadl\DUI70.dll

MD5 395c63f3b698af028ed1fa64526a48a4
SHA1 ffff1ebffdf7d3253b284fb7ca7cc0549dcd85c7
SHA256 ce6ceb9cba75db26c064fb75a2d9ffd414ad65972c84a0c60ffba6c343e630a1
SHA512 77dc7de1594375b493791c52f5f4a7db393026f5fcd0d899bcbffdbcaf9ef1ef80dfc53b5b1005f929e321335fe5bbebeb49f1516ee13de40d5fc9d8eedf4357