Malware Analysis Report

2024-11-30 21:28

Sample ID 240107-e5383aeddq
Target 480959f623fb88fd1476a8a35536361b
SHA256 aaf057d28f4894157f637f1e5093299603a52de61448b1e7de38e614c0da50b2
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

aaf057d28f4894157f637f1e5093299603a52de61448b1e7de38e614c0da50b2

Threat Level: Known bad

The file 480959f623fb88fd1476a8a35536361b was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Drops startup file

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 04:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 04:32

Reported

2024-01-07 04:35

Platform

win7-20231215-en

Max time kernel

137s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\480959f623fb88fd1476a8a35536361b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lkNWboJmqaf | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lkNWboJmqaf\SPP.dll | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lkNWboJmqaf\recdisc.exe | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Rsy6G8\eudcedit.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Jrwa\recdisc.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\ojufVC\wusa.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\LKNWBO~1\\recdisc.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Rsy6G8\eudcedit.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Jrwa\recdisc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ojufVC\wusa.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1244 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\eudcedit.exe
PID 1244 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\eudcedit.exe
PID 1244 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\eudcedit.exe
PID 1244 wrote to memory of 1236 | N/A | N/A | C:\Users\Admin\AppData\Local\Rsy6G8\eudcedit.exe
PID 1244 wrote to memory of 1236 | N/A | N/A | C:\Users\Admin\AppData\Local\Rsy6G8\eudcedit.exe
PID 1244 wrote to memory of 1236 | N/A | N/A | C:\Users\Admin\AppData\Local\Rsy6G8\eudcedit.exe
PID 1244 wrote to memory of 2932 | N/A | N/A | C:\Windows\system32\recdisc.exe
PID 1244 wrote to memory of 2932 | N/A | N/A | C:\Windows\system32\recdisc.exe
PID 1244 wrote to memory of 2932 | N/A | N/A | C:\Windows\system32\recdisc.exe
PID 1244 wrote to memory of 1132 | N/A | N/A | C:\Users\Admin\AppData\Local\Jrwa\recdisc.exe
PID 1244 wrote to memory of 1132 | N/A | N/A | C:\Users\Admin\AppData\Local\Jrwa\recdisc.exe
PID 1244 wrote to memory of 1132 | N/A | N/A | C:\Users\Admin\AppData\Local\Jrwa\recdisc.exe
PID 1244 wrote to memory of 1960 | N/A | N/A | C:\Windows\system32\wusa.exe
PID 1244 wrote to memory of 1960 | N/A | N/A | C:\Windows\system32\wusa.exe
PID 1244 wrote to memory of 1960 | N/A | N/A | C:\Windows\system32\wusa.exe
PID 1244 wrote to memory of 1888 | N/A | N/A | C:\Users\Admin\AppData\Local\ojufVC\wusa.exe
PID 1244 wrote to memory of 1888 | N/A | N/A | C:\Users\Admin\AppData\Local\ojufVC\wusa.exe
PID 1244 wrote to memory of 1888 | N/A | N/A | C:\Users\Admin\AppData\Local\ojufVC\wusa.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\480959f623fb88fd1476a8a35536361b.dll,#1

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\Rsy6G8\eudcedit.exe

C:\Users\Admin\AppData\Local\Rsy6G8\eudcedit.exe

C:\Windows\system32\recdisc.exe

C:\Windows\system32\recdisc.exe

C:\Users\Admin\AppData\Local\Jrwa\recdisc.exe

C:\Users\Admin\AppData\Local\Jrwa\recdisc.exe

C:\Windows\system32\wusa.exe

C:\Windows\system32\wusa.exe

C:\Users\Admin\AppData\Local\ojufVC\wusa.exe

C:\Users\Admin\AppData\Local\ojufVC\wusa.exe

Network

N/A

Files

memory/2672-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/2672-1-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-4-0x0000000076B66000-0x0000000076B67000-memory.dmp

memory/1244-5-0x0000000003770000-0x0000000003771000-memory.dmp

memory/1244-8-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-11-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-14-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-16-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-19-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-25-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-26-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-31-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-32-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-33-0x0000000002AF0000-0x0000000002AF7000-memory.dmp

memory/1244-30-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-29-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-40-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-42-0x0000000076ED0000-0x0000000076ED2000-memory.dmp

memory/1244-41-0x0000000076D71000-0x0000000076D72000-memory.dmp

memory/1244-28-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-27-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-23-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-24-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-22-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-20-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-51-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-21-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-18-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-17-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-55-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-15-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-12-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-13-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-10-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1244-9-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/2672-7-0x0000000140000000-0x00000001401F1000-memory.dmp

\Users\Admin\AppData\Local\Rsy6G8\eudcedit.exe

MD5 d068d289b3d53c41f1b7e38c6242a6ee
SHA1 88d2d302685efbf19f581e39c3e03fcbfb433c9c
SHA256 9ac378e083c9fc01e2aafd28056432762156f4eaf2ad7dde1cb9fcf2a5ad0fa5
SHA512 91ef48a47e3efea7b5bc1e6f66543f0db7b11bbab56a08eb8a17e472c8cc36af704679389243490b0ce24b4a0b824d8b6902e69e574e208e5153f2626e2c004d

C:\Users\Admin\AppData\Local\Rsy6G8\MFC42u.dll

MD5 bf3393ada8a716a3c4f4b55acf529788
SHA1 8ff8412faac2c5afcc18fc458873e1a95fdc733e
SHA256 dd54b73c8ec52873fa549121b301faac3e71f9e7b1e52aa3fee216f2ecf5404d
SHA512 8c242b09f76efcb55ec64077eb5b5545ed4c70d3cca51098382efe696fd2e8a8b4dacee2b9fd7383d1b32f324f36923e9e1475ec9e4b296454d444c73dc5d6ad

memory/1236-69-0x0000000000220000-0x0000000000227000-memory.dmp

memory/1236-70-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1236-74-0x0000000140000000-0x00000001401F8000-memory.dmp

\Users\Admin\AppData\Local\Rsy6G8\MFC42u.dll

MD5 f3d96a5436e8d3ca70eefc9fd3dc9ffe
SHA1 53d4151f3197cd5b01d16a81a42c3e1b59fc5378
SHA256 84b0eb78ee966f0db3428644294a3eac9c64f2e48c3d88bbc31579eece129e0f
SHA512 f650d4433fed0a4c1135c5beeeb544d29f2fafdf22745744eda7219d608d4997b59f769a00dfcb6f06d60cbb4e32e349d4bbb1abea23d6ecc016ab92c5609f9c

C:\Users\Admin\AppData\Local\Rsy6G8\eudcedit.exe

MD5 ba1ef84c55998f1e61db584d7df82027
SHA1 20da539c9d2989305bb76ef72d2fc5d080a12221
SHA256 d7f9b675d5f1913f69b410de72b84cd1424507aa057c6c2c03ba6fca1383aa40
SHA512 aeb5a90e88e87efcb7ce800189c8dd3db6172fa5d49c10ddbdce7025bd3bcf6fccdb9eda60814ffc92a8f75dff0f857a8ed426446bf98bcbbd407923b0770610

C:\Users\Admin\AppData\Local\Rsy6G8\eudcedit.exe

MD5 dbd6fb17ca55859296c004e0d8dabe28
SHA1 4aeb2034e780573c48f1bd0c9110ae3b1f3d7a4f
SHA256 7cfddf00e52c7ec00f26c882e29d65578651a109e5824aedd55cb8285cd9a7cd
SHA512 eb5cf9b5cc74eb80f1041e7aac2a80791c896d813c67d654f7f0f6dbe6ee9121ce5238cecf33652aa5b8ff6d4b6af21cf45772c3ff19e008122e1acd17b07402

C:\Users\Admin\AppData\Local\Jrwa\recdisc.exe

MD5 39480ca0e22ca0a3c3ef6a8c201dada2
SHA1 252e3cb7943f85f5ebcce69339f4559e104869e7
SHA256 7a9e40a852e8d18abba348205ef447124090a66665966d1886de17600be8512b
SHA512 f23e7f4ffb48c35e197235d9ca08c609773abf8cbc0f6f7e86ce24e3dec21c683185d964f2f4457a0311bfc03c9d37aaa57bddbf2ce3d1d5d37e75d30cb530a4

\Users\Admin\AppData\Local\Jrwa\recdisc.exe

MD5 bbbdf619f20c37f97d73cb0fe5a19cbf
SHA1 bc008cf3e92794d9c89ae0712a870d753ffcb955
SHA256 a892a45d5d36a1d596f2e5a877b721c68fbb840732776c65e99446a211dfb544
SHA512 840b3fd88baa2738a22056f300896355d2e48a18459fb87185f498f562de459c0318d8e575f9a5ea1b7225e5a9d508ccff032be4045890c90e2ca2a51f89fad3

\Users\Admin\AppData\Local\Jrwa\SPP.dll

MD5 3d17d4fced920c27dd2d2646d825bcaa
SHA1 07309b9ad0d2b0dbcaae593f2fd8530e051d55d9
SHA256 7d4d1c914d05eea0884d7d9e0acf57176c08a678970b4480ad4109d377be8296
SHA512 7cf21c822c8e6513043c9ff1344e9e481f0cad8b26236fb38b7adbac8f59ce13ed7bfff6d77e89f0787716ba6b3398825fa5952694c05adacee1ff6932a6551d

C:\Users\Admin\AppData\Local\Jrwa\SPP.dll

MD5 f1bc5cc4b920dcd9a23d411c14aecd12
SHA1 fcf1e8652f0fa6db4e237a7e05a151594b6f7e8d
SHA256 8bc088e0ad4768934286e17f190f4fb0d0dfeff413ba3f0f4b4cb4afb868a0fb
SHA512 36d07cf805bf03655a97bf4cb360ac5ca6e3f84449c76fc477a0908a2081fd96e7d607b26283a0fd20b765adc97632676debf14d6e2cc4b60ea40af7e91927d4

memory/1132-89-0x0000000140000000-0x00000001401F2000-memory.dmp

memory/1132-93-0x0000000140000000-0x00000001401F2000-memory.dmp

C:\Users\Admin\AppData\Local\Jrwa\recdisc.exe

MD5 0a9ac5b8c10dacc8754ea4354a50bbbc
SHA1 3f46e8103357d75f4b8d7ee854b6c3fba9adb652
SHA256 ccfa1be87960b88683e9cc850799091b76627d41b59151feaf3f65c6e5e6e2f2
SHA512 e9fca606065670908830dc09b6eb18371c18393a0f7bbd18b76ff85141004bb36a1dde04be6205759c8b22321f6405c463019528d496513186155a01e293dfbe

C:\Users\Admin\AppData\Local\ojufVC\wusa.exe

MD5 cd402ddb2c607de40bd460de62977792
SHA1 3801455e78c332538431ada4c95ec718887025c0
SHA256 66e0abdb1bcdaeaef174cc8222d04e505d3a189183507f0e5011626b4bde3077
SHA512 e1077355fe401db3ffa3a3f3cf3a2674c8a976143d188435b72f718bf5948122f89c7e61c5d28579e5278d5865d57f9680e9c30989d89008d9cd986f4f72277b

\Users\Admin\AppData\Local\ojufVC\WTSAPI32.dll

MD5 877d6fe90892160de452bd5e6bf2087a
SHA1 1b4ceea54658779de00db52003175d3de73e982c
SHA256 341f0ea4d03e00d1141eedca879f14b20fa3b948655c289eeb3cea2de70cb1dd
SHA512 5a33129ac94be01531d8d0ec4870cf9cfdd2a7a8cdfc8c712dcea428176d8a3b46b1b939e04258b432464b6f6868e8823f31aca7503beef4b83402d0bb5047dc

C:\Users\Admin\AppData\Local\ojufVC\WTSAPI32.dll

MD5 cf503c135864d6bfb80bdbc840b83f2a
SHA1 6b027022b775bd4169241a7738ec8a5d6f2802d7
SHA256 cd4c25db52e24dd7fc12c82fa36493fe46a373eaf12326687c79077533a43b7b
SHA512 c785950d81d78197d087e288672c01c830b1320c724d32fa0a97775db99cb172ee9951e54bddc47ab94b62b12da8c4a2c1867fd8e1f9c7cb4640248048d131a5

memory/1888-112-0x0000000000210000-0x0000000000217000-memory.dmp

memory/1888-117-0x0000000140000000-0x00000001401F2000-memory.dmp

\Users\Admin\AppData\Local\ojufVC\wusa.exe

MD5 670354b04ed9b9f8c8cbb3f7d863e6e9
SHA1 6998cbeb6ae37fce542adba34c08394aff7db5ca
SHA256 ed5ffbb01699f8bf46524d530f3bbf858c4ee797b88eec07b9f607c0246875f4
SHA512 d22a17f431983d61eec9979da4b3cbd708cc20fbaa27134ff88b32a74850d0763412bd720c76ee3cefde36ff8794aa15eca17582ee2458b5aa7d5bd9502164c6

C:\Users\Admin\AppData\Local\ojufVC\wusa.exe

MD5 fb530994a07c32bc1349ee3c1d5864aa
SHA1 8aadcc984972b9294593107c2ee2e7351eb03acd
SHA256 f9f9fc25ce3cef976f0198a130a7a70ba680c4e9f6c56ed59331ef53b33f87a4
SHA512 540313e86b475419b728ccfc6b00f1ddfc443ff72810cb202c2f68a8d2038dc920965666edd8fe5acb46b7a305ab8ab3856caa9b93f21f748bd6744fbed051a9

\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\wPD9Vt\wusa.exe

MD5 680492d8a589e2826e1e6a93eddeae35
SHA1 193bc3762fd7dd6c3527b3b06d6df21c0a4be32d
SHA256 db3001c9e81f0b5fb2e5e241f0edf95fe37f9874d6625e802c0a0931d72e89f8
SHA512 e42bc87ce5cdbd8009fd23d5d1338d2df1ab714b7ac5b1ed96e1dcd35b61ff6fbf527f8bed3fbf57e51428a6921424a6aa7f56c76b63d9dc33739aff50263d10

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 7971e796c40b66a4919dbafc771455d6
SHA1 3c7e1e531667ec634af5e8d9608c8d37ada6dffd
SHA256 4547f64cfc9a926acd7b802b5366687288983f6c148dad3f0d7d1794f6823c80
SHA512 7e15d624d07a4bb3bfb01a8d03a96ecfc964f6f3ba88835a4c473ab9692905ea44f18bd290634fd1ff921b5053bb92e535fe4795981ced1a5c81b4e914ef212f

memory/1244-142-0x0000000076B66000-0x0000000076B67000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\FxNwYmMr\MFC42u.dll

MD5 10b26d05313b977d03c8db897207327c
SHA1 147d59b17fcf29fa2b6e73eb959675f85329753c
SHA256 b25010bdfa8dc4d467318a9ab91ce71f5f086678786106bd51b1c47611729400
SHA512 f0219ce514c8484df88f85484691737f6a3fed4226089ac30cb9d8e050ecd6f69c5f521ae90a48afb8b4af37cb592da7961f04fccf12f7ad4b1e482980b030c4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lkNWboJmqaf\SPP.dll

MD5 0652b3a7c27d3e3fecaebb6d5138a60d
SHA1 2fba38056174bdd148a9ebd517f668e0559c9187
SHA256 36493211331867e6f12782bd965bdd284ddbb9cfe876e4de0e24bbb6e8270670
SHA512 df2d3153560aca49936c36f8730d459510b1683799c6273f54ac6b23db98e0cb50b65d55eb17c1d12adca6b9b7a8eae5ee788f70ff7a3d10ea0301d611fa1fd2

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\wPD9Vt\WTSAPI32.dll

MD5 ae8720d5c6e5abf5b23dba3b202081a1
SHA1 a5f463485fb541585714f509fd9e6e33282ad5e5
SHA256 eaa38e243b82f1a7e31604f26b03a8c548a43ee19424b529bb1be204daed9768
SHA512 ca50a0ae90a74797826d9701704aaa1a84a6e057d3c4ecad131ec924041e485cd23f1ebbf5a0625fbf4663ed6a123e2780e2156c6ed48c86308fae2a5378d95d

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 04:32

Reported

2024-01-07 04:34

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\480959f623fb88fd1476a8a35536361b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\kEghPU2\\cmstp.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\lKp1oj\RdpSa.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\0Kb3U\cmstp.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eDRhWGf\wscript.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3488 wrote to memory of 5112 | N/A | N/A | C:\Windows\system32\RdpSa.exe
PID 3488 wrote to memory of 5112 | N/A | N/A | C:\Windows\system32\RdpSa.exe
PID 3488 wrote to memory of 1728 | N/A | N/A | C:\Users\Admin\AppData\Local\lKp1oj\RdpSa.exe
PID 3488 wrote to memory of 1728 | N/A | N/A | C:\Users\Admin\AppData\Local\lKp1oj\RdpSa.exe
PID 3488 wrote to memory of 436 | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 3488 wrote to memory of 436 | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 3488 wrote to memory of 2628 | N/A | N/A | C:\Users\Admin\AppData\Local\0Kb3U\cmstp.exe
PID 3488 wrote to memory of 2628 | N/A | N/A | C:\Users\Admin\AppData\Local\0Kb3U\cmstp.exe
PID 3488 wrote to memory of 3628 | N/A | N/A | C:\Windows\system32\wscript.exe
PID 3488 wrote to memory of 3628 | N/A | N/A | C:\Windows\system32\wscript.exe
PID 3488 wrote to memory of 4484 | N/A | N/A | C:\Users\Admin\AppData\Local\eDRhWGf\wscript.exe
PID 3488 wrote to memory of 4484 | N/A | N/A | C:\Users\Admin\AppData\Local\eDRhWGf\wscript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\480959f623fb88fd1476a8a35536361b.dll,#1

C:\Users\Admin\AppData\Local\lKp1oj\RdpSa.exe

C:\Users\Admin\AppData\Local\lKp1oj\RdpSa.exe

C:\Users\Admin\AppData\Local\eDRhWGf\wscript.exe

C:\Users\Admin\AppData\Local\eDRhWGf\wscript.exe

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\0Kb3U\cmstp.exe

C:\Users\Admin\AppData\Local\0Kb3U\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\RdpSa.exe

C:\Windows\system32\RdpSa.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/3716-0-0x0000016F43F40000-0x0000016F43F47000-memory.dmp

memory/3716-1-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-4-0x0000000003330000-0x0000000003331000-memory.dmp

memory/3716-7-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-6-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-9-0x00007FF9F4EEA000-0x00007FF9F4EEB000-memory.dmp

memory/3488-10-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-11-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-12-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-17-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-22-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-26-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-30-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-32-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-34-0x0000000003310000-0x0000000003317000-memory.dmp

memory/3488-41-0x00007FF9F64A0000-0x00007FF9F64B0000-memory.dmp

memory/3488-40-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-52-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1728-61-0x0000000140000000-0x00000001401F3000-memory.dmp

memory/1728-67-0x0000000140000000-0x00000001401F3000-memory.dmp

memory/1728-63-0x000002A7C5E10000-0x000002A7C5E17000-memory.dmp

memory/2628-81-0x000002132AC20000-0x000002132AC27000-memory.dmp

memory/2628-85-0x0000000140000000-0x00000001401F2000-memory.dmp

memory/4484-102-0x0000000140000000-0x00000001401F2000-memory.dmp

memory/4484-98-0x000001D56A8E0000-0x000001D56A8E7000-memory.dmp

memory/2628-79-0x0000000140000000-0x00000001401F2000-memory.dmp

memory/3488-50-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-31-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-29-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-28-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-27-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-25-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-24-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-23-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-21-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-20-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-19-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-18-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-16-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-14-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-15-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-13-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/3488-8-0x0000000140000000-0x00000001401F1000-memory.dmp