Malware Analysis Report

2024-11-30 21:27

Sample ID 240107-cx8gpscfdr
Target 47c907d018f8d31a47ec8872e3a54858
SHA256 be4115e03775755e155a94b8fdf067dee6bbb4cf81ad9404b1f1f49a07b4130a
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

be4115e03775755e155a94b8fdf067dee6bbb4cf81ad9404b1f1f49a07b4130a

Threat Level: Known bad

The file 47c907d018f8d31a47ec8872e3a54858 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 02:28

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 02:28

Reported

2024-01-07 02:31

Platform

win7-20231215-en

Max time kernel

150s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47c907d018f8d31a47ec8872e3a54858.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\WDx\RDVGHelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SFIn1B\wbengine.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\EBS6Y9Sd\DisplaySwitch.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\3WHGQ3~1\\wbengine.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\EBS6Y9Sd\DisplaySwitch.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WDx\RDVGHelper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\SFIn1B\wbengine.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2732 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1244 wrote to memory of 2732 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1244 wrote to memory of 2732 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1244 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\WDx\RDVGHelper.exe
PID 1244 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\WDx\RDVGHelper.exe
PID 1244 wrote to memory of 2824 N/A N/A C:\Users\Admin\AppData\Local\WDx\RDVGHelper.exe
PID 1244 wrote to memory of 2332 N/A N/A C:\Windows\system32\wbengine.exe
PID 1244 wrote to memory of 2332 N/A N/A C:\Windows\system32\wbengine.exe
PID 1244 wrote to memory of 2332 N/A N/A C:\Windows\system32\wbengine.exe
PID 1244 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\SFIn1B\wbengine.exe
PID 1244 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\SFIn1B\wbengine.exe
PID 1244 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\SFIn1B\wbengine.exe
PID 1244 wrote to memory of 620 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1244 wrote to memory of 620 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1244 wrote to memory of 620 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1244 wrote to memory of 1108 N/A N/A C:\Users\Admin\AppData\Local\EBS6Y9Sd\DisplaySwitch.exe
PID 1244 wrote to memory of 1108 N/A N/A C:\Users\Admin\AppData\Local\EBS6Y9Sd\DisplaySwitch.exe
PID 1244 wrote to memory of 1108 N/A N/A C:\Users\Admin\AppData\Local\EBS6Y9Sd\DisplaySwitch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47c907d018f8d31a47ec8872e3a54858.dll,#1

C:\Users\Admin\AppData\Local\WDx\RDVGHelper.exe

C:\Users\Admin\AppData\Local\WDx\RDVGHelper.exe

C:\Windows\system32\RDVGHelper.exe

C:\Windows\system32\RDVGHelper.exe

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\SFIn1B\wbengine.exe

C:\Users\Admin\AppData\Local\SFIn1B\wbengine.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\EBS6Y9Sd\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\EBS6Y9Sd\DisplaySwitch.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\WDx\RDVGHelper.exe

MD5 29a29c5f66a7291c6be2c748170d4ce7
SHA1 4ac4b8162feb1ebd80eed9ee432329f2df17e50d
SHA256 ff6ff096074194c09f44e5a8772ba90a674e1b7b906ecf9f6b95c327270fbadf
SHA512 17bfef9b97541eb9c359af9a583a3723ab725e3c4351ee5792ac1fe216a2cbf667e94fac14b05613ec76f63226a6cf43ca40dcaee867f2c4ce5c0c4850121d42

\Users\Admin\AppData\Local\WDx\dwmapi.dll

MD5 359ce0cb844dc8bf72b9b96230329898
SHA1 4437e57d826f955c2cd494e97bef8af98161e916
SHA256 f3548c21b4f3b8c5a89db6fcba203c6131b297054ded664af50059bc7cdd3538
SHA512 6c5e8fb64e8b49a8c40d96dfb188402c2f4f1e93a42c4fce5e6da6e0e8ca79680811685354223f7b0e4b180f38b668153146ae6b6e9cb812e37b7fd494413bd2

C:\Users\Admin\AppData\Local\WDx\dwmapi.dll

MD5 40af14ae4c46dca70296cffff63d5f05
SHA1 755888ce13c351c54489de1663b86d5845dcf37f
SHA256 d0ec981ff4ca6ba4c779afdb72b8423ba6be1217b8ada7f2d7816447e20636db
SHA512 93ecad998bb332b3f72d5241ceb513354bafd6882950292083bafe5377f5b5fd95610ea5593251befafad8f9253d73e4c7fadcf3cbb66f004367da9489a31693

C:\Users\Admin\AppData\Local\WDx\RDVGHelper.exe

MD5 fa752a29086bb6b748e234ecd94eaecc
SHA1 5668b9e0a3546525420511a951cbb29634c1d349
SHA256 e6af000d12e77ff69fd470d4e32c392d3f42eec81faa690f51fa87c7e2178174
SHA512 17fd986904aec5971ff13333860fe82b775933fc5753f1ef15f2d6dc8fe4d705df60ef5d3a318185226cdc64dfff9dc6e1ce744316ebac0e71591e71963f211d

\Users\Admin\AppData\Local\WDx\RDVGHelper.exe

MD5 53fda4af81e7c4895357a50e848b7cfe
SHA1 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f
SHA256 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038
SHA512 dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

C:\Users\Admin\AppData\Local\SFIn1B\wbengine.exe

MD5 3fb6885fe8bf14266ec397d259e62215
SHA1 63ab3f60525ebeb2abb740672c292268510b8f69
SHA256 25ab3660cce1f4ae70078e1f2062976620184990bc7ca11d5b3a1869f57d389d
SHA512 cb7d53a920da31e90e241becf6e1fcc72a152578d58c8cb0e1de9892f2ff3d7c386bd4761b7be68ac56548f6e0c3e9a4facff5a68542e296c6ea84f7fd3ade02

\Users\Admin\AppData\Local\SFIn1B\XmlLite.dll

MD5 0f682d93876c800cd3366a4f3a604bf2
SHA1 82b900902cc5e7afa8932131a04eabdda0003379
SHA256 0bdc2c8956dd75da73fd348be7f161d4a4b610447ea3c35a78e2c477139ae887
SHA512 23700bf5889879782a63f124b0191b55e9c072fe752fba2f1cc083d621ec80dd83d9fc52afb82ed432dd381ff845b264dbe310256358ce087bc75574eff10a36

C:\Users\Admin\AppData\Local\SFIn1B\XmlLite.dll

MD5 0e8e3a7a954aaf447d55dd9ebc5ab3c4
SHA1 42375a443531498f5ac3903f5dfa490a2a26c0fd
SHA256 5ca4e67dafbcb8d9962602d7c1e83dfd8ba3d9cb29420e9aa458a89b92ec56d9
SHA512 3dd569c43672d3959e9366fbe69a370259e859de82019df09e3b06b6ecaf3905071a32ae66ef3de926d93f6aadd394a93c6e48de0df4d2f9a3ea4f839fec18a3

\Users\Admin\AppData\Local\SFIn1B\wbengine.exe

MD5 c2623ec3339ee88c5a05a1d1bf931a27
SHA1 e64c1010bf0483950a94a90d63729b3b11b9ccd2
SHA256 055ead7c7e18ecd2caeebd6f8b6cd65e49bd6fd26f5c7581f012142dd1273938
SHA512 0886e58ee5fc76c0b699b73319c5eb7178f92268051dc73debcfa5bb8f6c0314b2e491f8a4713c28af8c6810929daaac02da1d726a8849f970df5701f096ea79

C:\Users\Admin\AppData\Local\SFIn1B\wbengine.exe

MD5 1efe55c6692bbe6b3d761cceec323440
SHA1 7193caddf2f569aa841b6c2d7aeed88c222929f3
SHA256 e37575c52126c86c7bf369a7d901141071749a42748d643c62c23dc50e37d0d9
SHA512 c8e11ab82069f026036030b97b0ee0cc78616ea8cce1b76a94ade92c8e5070948d022211ccddae8ce05b6fa21a9af0c35c6ed682f40a32ddb1dca74c2c38e951

C:\Users\Admin\AppData\Local\EBS6Y9Sd\slc.dll

MD5 8ada7d527778c691452b29470a8a3f8f
SHA1 f5e29776243e73516ecb79aefb3559535c549738
SHA256 bec0efb691a07592b60b541f13301788fee1b9d373cb478ac489e235da8e0ff2
SHA512 ae14599fda7828335ca3d9536c23c6bf4e07ea1b89552a29c30166d1fca2b8ce1cee548e549c3c6aa70fff9d675a941b49771dd0e89571c34bf80cd09e8eb59f

\Users\Admin\AppData\Local\EBS6Y9Sd\slc.dll

MD5 d1f23abc2134f028e3ff7c96df40d7ef
SHA1 f99227dc12cc10cc9171c3c9056a2d0cd31f42f1
SHA256 766fe58a7c701eb9d6d036ce80a6cd4f00c900f434f580d4df5424139756e063
SHA512 dd8b2cdd51d987c932b637f702a82ea817bd5b9431d1715349a38f6a1c0c28effcc8771bfb9fceb7ab1954d7f872fca2bab7f6017dc0aea56376cf265ac50d8b

C:\Users\Admin\AppData\Local\EBS6Y9Sd\DisplaySwitch.exe

MD5 56790237d011ba388b2cda6eab851d29
SHA1 5d27e78ef313e65d065ead51d4fb8fd1cdfa0f3a
SHA256 74cf3497cbef78c5db1cad8507fe9b088182f6c1b2d98a558f9d7417a83990ab
SHA512 568a904fc0c6e27b35156585c9c904450a7e59c35fe0a032b00e46158029564c54be0968c096a2fc61f838cc06f70be3e6cd4f5d98f9e59bd12c5eba7b210237

\Users\Admin\AppData\Local\EBS6Y9Sd\DisplaySwitch.exe

MD5 48f977a6ead04ad8174c70d9b388312a
SHA1 1b028fec1c5e5a5a7c19ee27daa940470bbb7c82
SHA256 cb75a8c54fd98c39bbd3e10e8da3767d205801474d17cab52ece3c5950fbc0f5
SHA512 e0e85033c2cc31e3d752d3aff1e0494fff86c1bdb95259f076f5549a3152dd429e88c32314e8a27ab152d6085dbb4b5fcec8fb9e14dae9f8b46fb0b6065e1498

C:\Users\Admin\AppData\Local\EBS6Y9Sd\DisplaySwitch.exe

MD5 d16691de47564713478c2711cfe10ba9
SHA1 65ee027464e02b975be773cedb2c3eeab24ba33c
SHA256 f2ca6ac7c7c157fded173de5a53ba3d9ef785547509b2129385438e22d732777
SHA512 3caed63162936708a308e09dbcf3fe586cf3e0a193b0cabf635129680cd8e4b77f31a792ab6763a53931cd912c63ed02632e0e96928db63fe972a9b01a0deae1

\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\fnGheQYzKY9\DisplaySwitch.exe

MD5 477d1742f1377688f5212682833eded8
SHA1 8e308ee9af51caaf59377069dfa6f4b29666db0f
SHA256 ef9e6aa99639a7f7d78cb6747e1fbd97de1d2008292deee977698c6ba4a424fb
SHA512 9711d9e41d7bdc335692f83aa09e03eaf5499aa5b2f8a62a1f49152c952f841e59370fee81b62aacd0a36c77933c5937fa56bfb91433d58c065ef243d221f3c8

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

MD5 7ff9de250d91ab4bb36c3e0c90fdc64e
SHA1 c98c33d1a40c447db1e5ef99c5aeccd283e46433
SHA256 bd86a47fa267974a7c8f68d9bbd5bf59928a2e0f86272a9804e1e31c14b68a9a
SHA512 de01365e4a521303e2026b260f03dafe439ae756c4ecf1582569acfbb84bb234ec418cfa9fe14513acf86a6ea60c9d265f20a174e0b9242671b4b2c289dc5410

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\SNES8ZEX\whhAnYS9\dwmapi.dll

MD5 1bec956ec9c1bfac2561fe90ee7340b9
SHA1 95df6d35801e74a44f521e765bd3c5bd192aabab
SHA256 b4fc737cafe64256d3fae82a884ca2605388a8fa5adc03a68a3b29a4fe82f9bb
SHA512 01cda5ba0062c5fbdb5ad083ef4e4332c0077a0c0e3dd109f96edccc5621210f7b72b65953bbe48d821ee4d38312d949f673ba92f3c6e11beacefc651319d36f

C:\Users\Admin\AppData\Roaming\Media Center Programs\3WhgQ358WJ\XmlLite.dll

MD5 9b27bf2422cf18f59863a5d2168b8ae6
SHA1 7115e49683444377939a481580e904d5b29bca00
SHA256 dc244becf0d47d1e44b07d8a3c2bc5a3876dae242a49b95acd4a1c2f048137a5
SHA512 e1442a79b076884efac4b6d32daeb387504475af4947caea0055486c80b924a78b8c487e29219b8bff27fd75430d06e434f7cb1a5017fdb287a86317de7129a2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\fnGheQYzKY9\slc.dll

MD5 23c9dafa0aa594f9d7c3c0691bb9a6fd
SHA1 09fabfd100f3beac418a6a9b8acd9dc546a9227b
SHA256 e037e99fb272e6c2f5b6452e46d33e8c6fe873115e5a7c2ba1444f76f194eb7e
SHA512 85a89b7796d1c5f259c9f88b1614ffd054788079c26eb773236512721da595b0f0bc0830d5c710e7bc13ed2e8f6f685df102bb3e3c51cf39d890777f56e42a2d

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 02:28

Reported

2024-01-07 02:31

Platform

win10v2004-20231215-en

Max time kernel

130s

Max time network

169s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47c907d018f8d31a47ec8872e3a54858.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\QrGmLJ\\GamePanel.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\9iQn8K\SnippingTool.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Zn1\GamePanel.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\kuEtGema\LockScreenContentServer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3576 wrote to memory of 2040 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 3576 wrote to memory of 2040 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 3576 wrote to memory of 4928 N/A N/A C:\Users\Admin\AppData\Local\9iQn8K\SnippingTool.exe
PID 3576 wrote to memory of 4928 N/A N/A C:\Users\Admin\AppData\Local\9iQn8K\SnippingTool.exe
PID 3576 wrote to memory of 2832 N/A N/A C:\Windows\system32\GamePanel.exe
PID 3576 wrote to memory of 2832 N/A N/A C:\Windows\system32\GamePanel.exe
PID 3576 wrote to memory of 2636 N/A N/A C:\Users\Admin\AppData\Local\Zn1\GamePanel.exe
PID 3576 wrote to memory of 2636 N/A N/A C:\Users\Admin\AppData\Local\Zn1\GamePanel.exe
PID 3576 wrote to memory of 2568 N/A N/A C:\Windows\system32\LockScreenContentServer.exe
PID 3576 wrote to memory of 2568 N/A N/A C:\Windows\system32\LockScreenContentServer.exe
PID 3576 wrote to memory of 2044 N/A N/A C:\Users\Admin\AppData\Local\kuEtGema\LockScreenContentServer.exe
PID 3576 wrote to memory of 2044 N/A N/A C:\Users\Admin\AppData\Local\kuEtGema\LockScreenContentServer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47c907d018f8d31a47ec8872e3a54858.dll,#1

C:\Windows\system32\SnippingTool.exe

C:\Windows\system32\SnippingTool.exe

C:\Users\Admin\AppData\Local\9iQn8K\SnippingTool.exe

C:\Users\Admin\AppData\Local\9iQn8K\SnippingTool.exe

C:\Windows\system32\GamePanel.exe

C:\Windows\system32\GamePanel.exe

C:\Users\Admin\AppData\Local\Zn1\GamePanel.exe

C:\Users\Admin\AppData\Local\Zn1\GamePanel.exe

C:\Windows\system32\LockScreenContentServer.exe

C:\Windows\system32\LockScreenContentServer.exe

C:\Users\Admin\AppData\Local\kuEtGema\LockScreenContentServer.exe

C:\Users\Admin\AppData\Local\kuEtGema\LockScreenContentServer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\9iQn8K\SnippingTool.exe

MD5 f06d69f2fdd4d6a4e16f55769b7dccc1
SHA1 735eb9b032d924b59a8767b9d49bdb88bed05220
SHA256 83be001996cd4d9e5a1a8cd130e17e5b5ee81c9b5cf1b9d9196d8a39fbf7506d
SHA512 ccc1bff59636e91763659749d67b9f6255765ed5aed4b40b6f8111d4136a7e2fe9e0726396b0c837e4ab8717528134273ffc0825a205e501a13bf1d3aee5046b

C:\Users\Admin\AppData\Local\9iQn8K\UxTheme.dll

MD5 b906fa67182ac672279910c768b292cd
SHA1 2fa6b44f158658220edaa05a78e0b970ef1ffad2
SHA256 79587252b614fb338c9903a0293299e69e832b4bbce462605ca73b9d4f0dee7b
SHA512 8040509064eb81ab98fe1b3498a7b9ea9d3767a781aec33f6961df40a7c9404f0fef905cb6c9f81b285e4bc069e41e5d87c780a1c411a83b23ae9fb1107c3039

C:\Users\Admin\AppData\Local\Zn1\GamePanel.exe

MD5 266f6a62c16f6a889218800762b137be
SHA1 31b9bd85a37bf0cbb38a1c30147b83671458fa72
SHA256 71f8f11f26f3a7c1498373f20f0f4cc960513d0383fe24906eeb1bc9678beecd
SHA512 b21d9b0656ab6bd3b158922722a332f07096ddd4215c802776c5807c9cf6ece40082dd986ea6867bdc8d22878ce035a5c8dfcc26cfae94aeee059701b6bf1e68

C:\Users\Admin\AppData\Local\Zn1\dxgi.dll

MD5 62f05f5618fa2abe928bd232c1d83a06
SHA1 d46ebf93016068c0257cd88338c9ff762898d396
SHA256 0c134e2b7f983b1cfc8af32a9b1ac34333a2bb7f7408ed282ab32b1cfb6fbf9e
SHA512 abae61ea798c91eb370b7a6ad645da25bcdb605f8712af7596831dab1044620548232dd2a97592e737bbe8a6ce850bfc38215c5a7d2630ee04d016ccee1dcbc6

C:\Users\Admin\AppData\Local\kuEtGema\LockScreenContentServer.exe

MD5 a0b7513c98cf46ca2cea3a567fec137c
SHA1 2307fc8e3fc620ea3c2fdc6248ad4658479ba995
SHA256 cb2278884f04fd34753f7a20e5865ef5fc4fa47c28df9ac14ad6e922713af8c6
SHA512 3928485a60ffa7f2d2b7d0be51863e1f8197578cfb397f1086a1ab5132843a23bbc4042b04b5d01fafad04878bd839161fa492d0cf1a6bac6be92023cdee3d15

C:\Users\Admin\AppData\Local\kuEtGema\DUI70.dll

MD5 26b17cb5cdd7ce0c602c75aa1b747cf5
SHA1 3910f12154d8b7cbfefe853ed600c0b6566b5ad5
SHA256 e60c55ff1e89cfd29b2f51cc0882ea76bbd99ad730de7996c77bfb70b3c4b0b3
SHA512 446f1698a8022df0131f8cd7dcd9949ba33553e105c5a66bbd6f7a5be6914640206249d113e8d5fdf5b029120f1a4ec224d8c52a1c3a0527d0acb004e6ca05bd

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 1495ed93f911bb81f4b70565e7fdc9b4
SHA1 3a587c4efbca14d46c5b481fd123e06124bb71f0
SHA256 e1062ea2e98f0a9e92d32ff0c9f2bf257fb76d4dbd4130fd9e35196a5f7c8be3
SHA512 a5a75f2cc8cad37205cca390158ce217ca5e6a5e135708df901fae0545eb7d6b2a583a32fa95ac672ff6d4e0407164584ea92637bc6131b2dc2c3f90f361dfbf