Malware Analysis Report

2024-11-30 21:45

Sample ID 240104-yzkdjsader
Target 0905f3b5aa3ee361ef34c75769c6bf03.exe
SHA256 57dc3169be701c4d85f51a5b168e4bfcdf6052661809b35c17d49d7da216ad56
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 57dc3169be701c4d85f51a5b168e4bfcdf6052661809b35c17d49d7da216ad56

Threat Level: Known bad

The file 0905f3b5aa3ee361ef34c75769c6bf03.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-04 20:13

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-01-04 20:13
Reported 2024-01-04 20:19
Platform win7-20231215-en
Max time kernel 150s
Max time network 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0905f3b5aa3ee361ef34c75769c6bf03.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\G5bs\sdclt.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\bfLVtB\Dxpserver.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\TftnY0Pr\spinstall.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\SHD3GV~1\\DXPSER~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\G5bs\sdclt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\bfLVtB\Dxpserver.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\TftnY0Pr\spinstall.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1224 wrote to memory of 2336 | N/A | N/A | C:\Windows\system32\sdclt.exe
PID 1224 wrote to memory of 2336 | N/A | N/A | C:\Windows\system32\sdclt.exe
PID 1224 wrote to memory of 2336 | N/A | N/A | C:\Windows\system32\sdclt.exe
PID 1224 wrote to memory of 2580 | N/A | N/A | C:\Users\Admin\AppData\Local\G5bs\sdclt.exe
PID 1224 wrote to memory of 2580 | N/A | N/A | C:\Users\Admin\AppData\Local\G5bs\sdclt.exe
PID 1224 wrote to memory of 2580 | N/A | N/A | C:\Users\Admin\AppData\Local\G5bs\sdclt.exe
PID 1224 wrote to memory of 2952 | N/A | N/A | C:\Windows\system32\Dxpserver.exe
PID 1224 wrote to memory of 2952 | N/A | N/A | C:\Windows\system32\Dxpserver.exe
PID 1224 wrote to memory of 2952 | N/A | N/A | C:\Windows\system32\Dxpserver.exe
PID 1224 wrote to memory of 2968 | N/A | N/A | C:\Users\Admin\AppData\Local\bfLVtB\Dxpserver.exe
PID 1224 wrote to memory of 2968 | N/A | N/A | C:\Users\Admin\AppData\Local\bfLVtB\Dxpserver.exe
PID 1224 wrote to memory of 2968 | N/A | N/A | C:\Users\Admin\AppData\Local\bfLVtB\Dxpserver.exe
PID 1224 wrote to memory of 2408 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1224 wrote to memory of 2408 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1224 wrote to memory of 2408 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1224 wrote to memory of 2468 | N/A | N/A | C:\Users\Admin\AppData\Local\TftnY0Pr\spinstall.exe
PID 1224 wrote to memory of 2468 | N/A | N/A | C:\Users\Admin\AppData\Local\TftnY0Pr\spinstall.exe
PID 1224 wrote to memory of 2468 | N/A | N/A | C:\Users\Admin\AppData\Local\TftnY0Pr\spinstall.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0905f3b5aa3ee361ef34c75769c6bf03.dll,#1

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\G5bs\sdclt.exe

C:\Users\Admin\AppData\Local\G5bs\sdclt.exe

C:\Windows\system32\Dxpserver.exe

C:\Windows\system32\Dxpserver.exe

C:\Users\Admin\AppData\Local\bfLVtB\Dxpserver.exe

C:\Users\Admin\AppData\Local\bfLVtB\Dxpserver.exe

C:\Windows\system32\spinstall.exe

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\TftnY0Pr\spinstall.exe

C:\Users\Admin\AppData\Local\TftnY0Pr\spinstall.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\G5bs\Secur32.dll

MD5 7800ba9762a801130fe974dd7ebbbe14
SHA1 961725b81a162c6c8cebc2e78ec5a6f55eac91e3
SHA256 4c41c05d68a64ae0f2e19496daa1cf7917f31e4ac1ff7e7d3283c1f5c1cfbb86
SHA512 e048f65b91654bfd3fca888062e1ef7a5ab7e04eb66627a721dde916f84ad75cfb101f0d985d655ca5d08be3b50ebabe9b07137c8966e0d688a002857a4fdaa4

\Users\Admin\AppData\Local\G5bs\Secur32.dll

MD5 8fcdde7326ad18564cd87f68b901d508
SHA1 4822422aaae89e41ad1e038351d198d46ff092e3
SHA256 0a4c1173df33fd2ce87ae9d608c9ca109bb168419f9e6675ed079619bc949f15
SHA512 66b3f5bc4d507d00f4ea4fdb1a738f58fc1585ada0ac1e0a6fb89702e5a38f1371042c64f00ccd5ea9bbac697e8c12b82b6972bc0f5042c028ec9861c314ef87

C:\Users\Admin\AppData\Local\G5bs\sdclt.exe

MD5 b0434df0d7abbe70197dfc586227c6fa
SHA1 eb9c7eec77045ce5341c87446d2217818c1b7805
SHA256 6019d4dda496f498649565fa14f575a38f7d5b253c5beee6bd31806611ecff44
SHA512 4a339d214a36fb976fd00e076baf951f59b693653873033c79bf7dfc094875a097f46f3b36a3d6b1e264f8b6148065c28ecc37fc4af6dea08c647a7c1c5daf3f

\Users\Admin\AppData\Local\G5bs\sdclt.exe

MD5 5f80b826af57d70feaaa0c6d68331523
SHA1 5d2bdee1236a897f4ae67e16f099f34cf12493fe
SHA256 ba7951c5227fa490d18acb39268ff252ce93586ce913d965337cef61d174e74d
SHA512 5d66492bcdae10e3fe4bc7c90841df5610177adcb7b5bc5bcce5dd2fd6ca19900f8f98c69329ba81f009e1874c4f1465d9e6527271ed33c170114c8e5df1ab57

memory/2580-75-0x0000000140000000-0x000000014023C000-memory.dmp

memory/2580-74-0x0000000000340000-0x0000000000347000-memory.dmp

memory/2580-79-0x0000000140000000-0x000000014023C000-memory.dmp

C:\Users\Admin\AppData\Local\G5bs\sdclt.exe

MD5 49141d8f2fa31f3e86b5b5846ef69fc0
SHA1 58eaaa20ae562a7f387311c8930c76a2955a226d
SHA256 b1221afc83d60f6f238dc23e6ffc424c63ded6eaff0789d79e126d36afa5a55c
SHA512 66ba4424e93241f3d2cb0fccfa692be768b9ef63786a94b1ca7c9fe46ba6231c4c6c155cbe8483b5b2b2a09d0bd06c79ff9fe5e53f183f863d5572ea05636578

\Users\Admin\AppData\Local\bfLVtB\Dxpserver.exe

MD5 d3da5f85e00d9688cc112a97d3c55439
SHA1 7f2637ece2f0f3fb6ab1c6e8eb3aa8ad57d6d672
SHA256 555af86d87aa5957c1b29c3ddc7dae09fcff47d06321be373a67874d666bbca0
SHA512 2189048bea7207ee9a012f64f3f6dda36423d2376c2473c5cba300886b3ad9c82eb7394d26e1a22df57cb60d71778ce55f4ada1e3f8b7d7136b52d49b7cb0b7b

C:\Users\Admin\AppData\Local\bfLVtB\dwmapi.dll

MD5 7bf648509c47544978eca90e827c3cc8
SHA1 3072697e361708bd07a166fd0e351d8c0e9d4ff8
SHA256 91883e8c002a3238609713a71c28904ccca6dcccb8cc46ff55cc81d658bfc6c5
SHA512 c37adffe22d5d646c1d2ab70e5c77539241a273f17cc33f1a63f46db0652e6796c77270d3475d4784616a38b83a05aacaec400de80196af020473036543fe25c

\Users\Admin\AppData\Local\bfLVtB\dwmapi.dll

MD5 ac988d64d3ab2d7a5616b274d0303254
SHA1 10420b914bb314178b82f070a55d308652a856b0
SHA256 48fc4ed71e97e441979da14ac644d113396832efc03336088600756bf4941c7b
SHA512 f7d9e9eaef1212e14535c952b1f821bf48da10f797f5ae752915337eb9a83156d529c18ea38eb4a7151817ffdf7170e8811a2987a7c90f903c56a8e199254b71

C:\Users\Admin\AppData\Local\bfLVtB\Dxpserver.exe

MD5 16cc0b104adc124ca9461d02a0415292
SHA1 1964049e042a9363cccc31a7a92cc76dea4342be
SHA256 d0273013c6234436319120028d4543d93255b54be4575a02f705a0c826db58c1
SHA512 867437eeb655a2a3b7f092c96d32f34c960ab168b241672f9711efa3de6ad44b88f938c53e9007e15c62f1aa6b08e06f12ffa569906255f0126f9fe7fbd31df8

memory/2968-98-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2968-104-0x0000000140000000-0x000000014023C000-memory.dmp

C:\Users\Admin\AppData\Local\bfLVtB\Dxpserver.exe

MD5 af1c0366c2c956a17eb230b542daced4
SHA1 5c72ca53d0fadd5fdc13c89cb646f4d9f6ad4bae
SHA256 b5f375ad9003564f6f7d571cb26c4af3307ff20976c5409476a400b3e9aab5dd
SHA512 f5f399c9d174c2e3b867e83158a5628eb0c6955e46725f8ec1b9fe974a9dc5a10c748336d32487e1fa0d91e777d63de8250b1aa9b3fe8b626805a6ff6363baa2

C:\Users\Admin\AppData\Local\TftnY0Pr\WTSAPI32.dll

MD5 18e881c2e5838e5b1571072833cb80fe
SHA1 180d87f3f0813a48e564d66bcbb544ce116a2433
SHA256 2e39d72d06a9e75cc54aadef61c9c45c0b5fb1e60217d3f5b9054a65d8019cd5
SHA512 ef588306a0f620f84a8daa4e4b1b8e15f1ceaa8668ca38ea2bda03eb173f3ddb3dde7ecff2b321950be49acfbf8313e73252dd200826854f170e8a03b7074dc6

C:\Users\Admin\AppData\Local\TftnY0Pr\spinstall.exe

MD5 72b29e4b6bff7eaea68ca0ee11054e55
SHA1 5df7a2f1cb48ad6ec9b0934947475fec92434450
SHA256 e8e23f08dc18a1fb46c998189bfe7185c427b19c6a859f8435f522a9288048d2
SHA512 030302f80df9f0d419812246c729ec2c67742829ee5da7ab5a03da0c9f5726e71c9805da5f7d89c213527b7ab8915ac0e20469f999b8b69fb095f80b0a4f8014

\Users\Admin\AppData\Local\TftnY0Pr\WTSAPI32.dll

MD5 49c78d1517fdae309dabaadf0f582900
SHA1 80100ddf05416b2972d4aaf3855e9a602f248d1d
SHA256 322425499bcbdada4dd2291bf4a44a0139e3c7300489f2e6bec588a47cf15152
SHA512 8cda9bb3ef23155fcda278b291ca84a76b7908e62606e3257b81cec5fa731ec9a0fa978b709631cde1a16c3a5efd1616e1fe2b401bc1a6d6a8b7cd7aea1a4029

memory/2468-117-0x0000000000410000-0x0000000000417000-memory.dmp

\Users\Admin\AppData\Local\TftnY0Pr\spinstall.exe

MD5 cde790c976fcf0aabccfa9ec265bf421
SHA1 f154f3083a9938adbc8b134f50cc4dc317a6d0db
SHA256 5bd0dc1508cb9e11a70e67bcfce3fc6321a65ef825f6f27a2481e0ee01b3ad3a
SHA512 126e0c6b58acd2a145b11072620a89b30d7be90b8f1056fa8757abf20d759829903b8f40237e63e02128da8e74531308aac1fe91922de0395296b7642a8a9ecf

C:\Users\Admin\AppData\Local\TftnY0Pr\spinstall.exe

MD5 914e070740667f1294fae83b9501d180
SHA1 b403cdb7b236a2f3b8042e5749718a419035839e
SHA256 05c8a96525c8289dd824ca66df2014abf1970d4ac0c10186a8c3bafa4f519455
SHA512 8ddd6daab891aa49b80f92fecad94cd64f1e8785a3587d6bb6098f9c141bf4e05c9b4556ddced71250855fbb091cb05ad185d3d918442f8d7cb85fcaa0c8c9d7

\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GWqMyl6jP\spinstall.exe

MD5 4bbc3a9d030944a5ace457aafbacd05a
SHA1 a9e8b4747a3dbe71f3a308807a9266b50cede423
SHA256 cc053a59a54f51b2354303c9d3458279f78ed729ea618650c67ff5e8f65c52cb
SHA512 51317d34dd0641af67a7f78755d48e923f81bf13d175cc0cbe573db42e57a2c3fda6e25a15b3532c0b591de4d5f5facfbba9dee631a04b981d80093589cae05a

memory/1224-138-0x0000000077816000-0x0000000077817000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 0ae1811b83d906a1dcf91015cef5b5d7
SHA1 e54fee716e608de410c6e5c176dcc3ce7e75e284
SHA256 ce225130c6cf07688413dddd88481983f42d120cc88cb80559fd4cd38cabdfed
SHA512 233bfe0c943de99b3091af7a3e6b38c4e0dc92d7da7ad7326f232d2077a3f09a32a0b27cecb05a9db7f5830f3e9808de38354c3a13f59860f4b257c5da26c26d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Ap0\Secur32.dll

MD5 67ac1c6c2cd293c90284bb5ca88faaa3
SHA1 f27bc70e8d8819b98d5b2c7dfa7845ee6c249ca4
SHA256 9ba12f90a4b4e905f69b7d6f0b79f748af30ad1b2ce18f2c45074bba88aed69e
SHA512 78b75eccdc98bbd5234cf8512e1057722ef598081a0bc620ba18a285501fa65ba4723d21f4167daee2a76178cdb96361ec24f1a685a6de3597876fc2885cedf3

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\shd3GVBnqK9\dwmapi.dll

MD5 60677ae09906c98af8fb70ebb15ea39a
SHA1 80e79b211d93f34188e3fef542b212f2c28657a2
SHA256 bf782fc0d4b5c4d08d5c10f68fd888e6ed8c24066687c7ec62b5358bd367d212
SHA512 a32a86944a4760529ec7424e69a79e56b12afc571ee4c01a493cfeeab7f232ba59104b4f93c2d60b3a5a68585c8beb7e7c1130f6e1ca60d7b49b87dd6c07975d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GWqMyl6jP\WTSAPI32.dll

MD5 0343fc5396921bbb2b9cae7dda41ca4c
SHA1 3c5dacbb30680ee4dbca7a62b8d7dde4e45e529b
SHA256 ce696ac203e2956bb171e948519ce513233ad63ab3ca2a1f7f6994c78f7d679c
SHA512 fd2452eec63c8e93bd343a8d5bc2e6bd4b4f1d6603e4be712567f862166a1532fb2d88c0affb31a830583c94c150df13b9f9d574ba8e11567165600138c620a6

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-04 20:13
Reported 2024-01-04 20:21
Platform win10v2004-20231215-en
Max time kernel 102s
Max time network 157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0905f3b5aa3ee361ef34c75769c6bf03.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\xVY\\wbengine.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8ygXlTbdu\wlrmdr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RfWJ9v\wbengine.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\H0NI7rEq2\cttune.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3320 wrote to memory of 2548 | N/A | N/A | C:\Windows\system32\wlrmdr.exe
PID 3320 wrote to memory of 2548 | N/A | N/A | C:\Windows\system32\wlrmdr.exe
PID 3320 wrote to memory of 3256 | N/A | N/A | C:\Users\Admin\AppData\Local\8ygXlTbdu\wlrmdr.exe
PID 3320 wrote to memory of 3256 | N/A | N/A | C:\Users\Admin\AppData\Local\8ygXlTbdu\wlrmdr.exe
PID 3320 wrote to memory of 4896 | N/A | N/A | C:\Windows\system32\wbengine.exe
PID 3320 wrote to memory of 4896 | N/A | N/A | C:\Windows\system32\wbengine.exe
PID 3320 wrote to memory of 3432 | N/A | N/A | C:\Users\Admin\AppData\Local\RfWJ9v\wbengine.exe
PID 3320 wrote to memory of 3432 | N/A | N/A | C:\Users\Admin\AppData\Local\RfWJ9v\wbengine.exe
PID 3320 wrote to memory of 1128 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 3320 wrote to memory of 1128 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 3320 wrote to memory of 616 | N/A | N/A | C:\Users\Admin\AppData\Local\H0NI7rEq2\cttune.exe
PID 3320 wrote to memory of 616 | N/A | N/A | C:\Users\Admin\AppData\Local\H0NI7rEq2\cttune.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0905f3b5aa3ee361ef34c75769c6bf03.dll,#1

C:\Windows\system32\wlrmdr.exe

C:\Windows\system32\wlrmdr.exe

C:\Users\Admin\AppData\Local\8ygXlTbdu\wlrmdr.exe

C:\Users\Admin\AppData\Local\8ygXlTbdu\wlrmdr.exe

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\RfWJ9v\wbengine.exe

C:\Users\Admin\AppData\Local\RfWJ9v\wbengine.exe

C:\Windows\system32\cttune.exe

C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\H0NI7rEq2\cttune.exe

C:\Users\Admin\AppData\Local\H0NI7rEq2\cttune.exe

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 143.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\8ygXlTbdu\DUI70.dll

MD5 01e69e69512aba0786d34c8a892f80d9
SHA1 b9647482aada90b20455d9621579cbc82b41c7f6
SHA256 d9eb5ecd6b7aaa75ac08fb759c99a36b77a919466c9ffc5d8c82f2aa859a137e
SHA512 ea71f89845d4d7cc088b8410ef36b0249fb33360979134b09994c10762370802dfbe55ee6c6536e298a4a70c4d2febdfc57a85a10e653ed8c71b7ea45e36dcbe

C:\Users\Admin\AppData\Local\8ygXlTbdu\wlrmdr.exe

MD5 ef9bba7a637a11b224a90bf90a8943ac
SHA1 4747ec6efd2d41e049159249c2d888189bb33d1d
SHA256 2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1
SHA512 4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

memory/3256-66-0x000002B843C90000-0x000002B843C97000-memory.dmp

memory/3256-67-0x0000000140000000-0x0000000140281000-memory.dmp

C:\Users\Admin\AppData\Local\8ygXlTbdu\DUI70.dll

MD5 9b6133d1055b45211ab5fafd7f7fb52f
SHA1 3332476da5baee05229f07829d69d7b804c556ca
SHA256 b7b21d24df820f9827a66bd2fc001ba7597c1283321541aaa172f692f6bfe245
SHA512 4750ff357337be1af9058e97010003feceb9d88093a66fc8d5b056f8a77b611359a5e0efe6142ef5cea119d53f420a1520c263569f7beeeb114f1b069c7fab9f

memory/3256-72-0x0000000140000000-0x0000000140281000-memory.dmp

C:\Users\Admin\AppData\Local\RfWJ9v\wbengine.exe

MD5 d65a3005a451b94fd9270b0d40e9df76
SHA1 498c91cfc64fc4e3ea67e238867bc8417edb313c
SHA256 bbb90ad1e986f8a36c7f86732e0f4660b114d08d55142931ef04916dc248f5c0
SHA512 ba25b4ebe5c7d3ffc1d4d9c8f78bd0bd416b0943affb2fa98576f27a6ebdd1a27fc37c3afad8ce46334e8aa59a1523523a560792f9db462de4c967c944dc1d6a

C:\Users\Admin\AppData\Local\RfWJ9v\XmlLite.dll

MD5 afa2a07d24053a6d5b2486245f19172f
SHA1 f4e5d71a094fe22af6ca4609b21554604f3a5470
SHA256 371df248ee15a7d4b7e1a02088838f1de9e4895e859fbcf4a7f7cffa194caf9c
SHA512 e5c48b32e0e1095d542152b9e23eb3786151b4aa18ef7a75d0148ac28cbcc40e1cfd9359feacd54dea96bd4800f0333cf104e4a9ad9859eaa03468f2bd21d9f4

C:\Users\Admin\AppData\Local\RfWJ9v\XmlLite.dll

MD5 c3eb09e34cbe20d8ca21dd79a69c4374
SHA1 f90d11bfed2d6d356d9b7cca4740aa140a31ca7b
SHA256 b05562ec6bd6a1d27f58e6007c3e662e0992e3a0b262281e609beb524846a8af
SHA512 cc42cb87d64b17f652c15f394bb837334e89c2d895428c33dee7bff6602b950707c4c17fee2ce136e43f2b4ab35ef322624a1ac292e35ddca818a744378cbffd

memory/3432-84-0x0000000140000000-0x000000014023C000-memory.dmp

memory/3432-89-0x0000000140000000-0x000000014023C000-memory.dmp

memory/3432-83-0x000001AD97120000-0x000001AD97127000-memory.dmp

C:\Users\Admin\AppData\Local\RfWJ9v\wbengine.exe

MD5 9e3b69b378725e612a7b66e6ecc792be
SHA1 5f5f018b8091d0a1103a88892ff16351d74483f4
SHA256 c183d1dd5a33f7bc52cad3f22ecfc18f80d6afe3ea3d6f51212d9e2c0d7d2fb3
SHA512 4f580c14d46ee1b4d22fc0081b264b147920eaef9aeabe2a4f3138248a0700b5e2fc70e866e4ef4430f6a503aa19ab1b1fe5865ba45e28866b2220d296dc8bce

C:\Users\Admin\AppData\Local\H0NI7rEq2\UxTheme.dll

MD5 b5c59536093ae5f449797c5594d24854
SHA1 cd9f206c4834a6e637e195aa6624df820b2cd096
SHA256 21a6ef5a3f9e3c63081fd6e3f80b370c935a2759656e7f8cddfab8972d852f60
SHA512 bff086e345750b0d598f3838590135dc976f20425058076c10215670cae4d3e6f1087e3d4bcd752f47b6436efbabd43069d09d5965f076060993309741a2853b

memory/616-101-0x0000000140000000-0x000000014023C000-memory.dmp

C:\Users\Admin\AppData\Local\H0NI7rEq2\UxTheme.dll

MD5 53f164773b9cdd78de8316e8a1bf0881
SHA1 708cf7c6ef7ec78815facca7d5ac3deefb231330
SHA256 9073cd059c90855a1f47c3fc64d039ef55e124e2508689e2dae2e0780d729746
SHA512 6a301552dcb6b0ad099d7264d736942bc42ac0fc0ae0f6249131cb7fbb366cda26b262f7e735843dc453ec4fb316508c806b257dfffe8e1ae74957399eecc7dd

C:\Users\Admin\AppData\Local\H0NI7rEq2\cttune.exe

MD5 fa924465a33833f41c1a39f6221ba460
SHA1 801d505d81e49d2b4ffa316245ca69ff58c523c3
SHA256 de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da
SHA512 eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

memory/616-103-0x00000236ED750000-0x00000236ED757000-memory.dmp

memory/616-107-0x0000000140000000-0x000000014023C000-memory.dmp

C:\Users\Admin\AppData\Local\H0NI7rEq2\cttune.exe

MD5 dd69273b20064b4655d25730ca89fc19
SHA1 32243126fcf70e02d9a6484b8f376e8333170fe4
SHA256 95ef3caafb952d26612e81c1a56e8cf851c0e1cbe010cca5b8ab1c3555189580
SHA512 5129889b62c165c678d0ba5bf7578f188a1e0fe30a50b93a33fb62091bf179e1bf6ed93492ec4c7bf1c14fe295900adbc6d3cb089341db2711a99d596fafe2f4

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 3f38374fbdced2e09c64127cc767292f
SHA1 babae3c33bed0036b71bd968e2c935cedcf3ec87
SHA256 ac2e6f242021e02f51c8bc8551b9db3bbb21ebf638fff94ed4885c9fe1febce5
SHA512 f0ac5211c0663b958f87274c85a60e42762c547b194f09273bee07fae2c0063abdca3ce9f0b7e4b9a196026306f13c9fc3659a7907e5e4c1e992590fe6085f49

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-983843758-932321429-1636175382-1000\2R02KGpx1K2\DUI70.dll

MD5 c4cbd45de83b9cc1b533f144036d0ff8
SHA1 841005861d564077e68507888bff2c83f61611df
SHA256 9cd4b0ece40ad401e290e5a747168d9e101419c934bc9a0c9a56bd0679a06eb4
SHA512 08aedab80ee65a2109b802c9f117b287ce432503b72188d3842f564a6fdf8b856fcff22545bb13b80eceeaf88ed8ffe0476af35e58b2a6c96a823a09ade8d27f

C:\Users\Admin\AppData\Roaming\Sun\Java\xVY\XmlLite.dll

MD5 4daa812f3f1f9cc503afc4b57f8aefbe
SHA1 8d975677f8e30de9798549a35ef58fad4e75e36e
SHA256 fba9479775b93f8f9a291e54201f56942c72ac27b46e8ea117f75b89b624b8bc
SHA512 8209da7f255932af1fb2431aff290c075cdce06bb7ba3f98f8753dccf9d5de0b3d06011d698d8c84104a7f290c067aef5be4d53f991cc14cc9dc2914af156ec8

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\skjkBF\UxTheme.dll

MD5 3d965ab1243c428fe6bea17211c05db0
SHA1 343cf9d7d590cb7eac811fa3f52e8fd72677501e
SHA256 2876152a4903f74694df3d5641e4bd65f089a99f92b15b9d11c1a1332774a214
SHA512 8a15d185d3c8bc433171b0a464718049c025f3bef58a5cc78a34fa54720d76c2cbd1e9ef0ffa86b47e552c59a05e328ea5d85659ba35fc80569efa9ccfb6078c