Malware Analysis Report

2024-11-30 21:28

Sample ID: 240108-je77jsdfdm
Target:    4ad438c7cc3df936568e20850bc2daad
SHA256:    a8f8057aa9fd339815baffe9221e0f59f92947f45ee1d4a7c42770f5d0744170
Tags:      dridex botnet evasion payload persistence trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:        10/10
SHA256:       a8f8057aa9fd339815baffe9221e0f59f92947f45ee1d4a7c42770f5d0744170
Threat Level: Known bad

The file 4ad438c7cc3df936568e20850bc2daad was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload persistence trojan

Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-08 07:36

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted:        2024-01-08 07:36
Reported:         2024-01-08 07:38
Platform:         win7-20231215-en
Max time kernel:  150s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ad438c7cc3df936568e20850bc2daad.dll,#1

Signatures

Dridex (botnet dridex)

Dridex Shellcode (botnet payload)

Loads dropped DLL

Process
C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe
C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe
C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe

Adds Run key to start application (persistence)

Set value (str)
  Key:  \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp
  Data: "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\uCkyR0Z\\rstrui.exe"

Checks whether UAC is enabled (evasion trojan)

Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process
C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe
C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe
C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe

Suspicious behavior: EnumeratesProcesses

Process
C:\Windows\system32\rundll32.exe (3 rows)
(61 further rows carry no description, indicator, process or target)

Suspicious use of WriteProcessMemory

Source PID  Target PID  Writes  Target image
1212        1996        3       C:\Windows\system32\sigverif.exe
1212        2428        3       C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe
1212        704         3       C:\Windows\system32\rstrui.exe
1212        2872        3       C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe
1212        872         3       C:\Windows\system32\mstsc.exe
1212        1964        3       C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe

Each pair is the System32 original followed by the copy dropped under AppData\Local. The report does not name the image behind PID 1212, and the Processes list below carries no PIDs.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ad438c7cc3df936568e20850bc2daad.dll,#1
C:\Windows\system32\sigverif.exe
C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe
C:\Windows\system32\rstrui.exe
C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe
C:\Windows\system32\mstsc.exe
C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe

Network

N/A

Files

Memory dumps, grouped by PID and region (dump index kept):

memory/760-0, 760-8:                      0x0000000140000000-0x0000000140182000
memory/760-1:                             0x00000000001A0000-0x00000000001A7000
memory/1212-4:                            0x0000000076F66000-0x0000000076F67000
memory/1212-5:                            0x00000000029E0000-0x00000000029E1000
memory/1212-7, 9-45, 47, 54, 65, 69, 75:  0x0000000140000000-0x0000000140182000
memory/1212-46:                           0x00000000029C0000-0x00000000029C7000
memory/1212-55:                           0x0000000077071000-0x0000000077072000
memory/1212-56:                           0x00000000771D0000-0x00000000771D2000

The region 0x140000000-0x140182000 is dumped first from PID 760 (index 0) and then repeatedly from PID 1212 (from index 7 on): the same address range and size in both processes.

C:\Users\Admin\AppData\Local\H5Wh4T\VERSION.dll

MD5 19b775adf33cea3ff4abb89931960bd9
SHA1 bc874ab26743412fe43b712bd145242c1134c252
SHA256 bec0191f2554dfc417cd585081ce62019985a985db71a537d8325263c9eb30b7
SHA512 33a403bb8af7246102fbc28fabea1f9e106eb852755120d483b6109b9ef989429549a2a92bac9cf48fcfc3eced1a25ef3579f95362b86ef9d917d0ee0ba9e24a

\Users\Admin\AppData\Local\H5Wh4T\VERSION.dll

MD5 9e667b7965a7581430b1ca6e98c977ef
SHA1 4b7feeab29b39d56102e9891c21f46a79b6572ea
SHA256 5f2d1aa290ee0faf95d64116e0bf635acb99f8a671e8847dc0f5c6c9450ad4f4
SHA512 36ab5cdf34a8acfae94217df62f598c432e8fe3f61c511c0bb5b961343f8422d3830928bea265e7289ce76ca620210f8e91da6c1f8d0c34a4ea14177d448588e

memory/2428-84-0x0000000140000000-0x0000000140183000-memory.dmp

memory/2428-83-0x0000000000220000-0x0000000000227000-memory.dmp

C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe

MD5 c21611aed7faea7da784e205c4a799c5
SHA1 f6f1c62c9aa52dafd47fd0805fb6e1191a9ceba6
SHA256 04aaa6cf10841549a41cdf6dd028bfdcbed163e2a559078086099afc7a1a8240
SHA512 9421ae2de44d85181e814fc29713e689b9a68647f662528c9975fd18f1f81dc9781c0290491d85c044516e2500954a1a3b2b4260856dbddfb6024bb9b9de8445

C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe

MD5 8390b8ac0b6632803f5faa9c930acdc7
SHA1 3798ca50c6069fe2e0a6c873c1e4ddae7eca6b2e
SHA256 89887a4fe44a64698a044f154c21ad5f71a7f18cbeddbe00a2bec0d7da89862e
SHA512 6516e11a4774b6a4684ccb543b5671a9e92421a2aee64751131a563558c7fbe23e9d67809354f13653cb16c26a3309d03845cb97462a4a531ff29f001a81594d

\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe

MD5 e8e95ae5534553fc055051cee99a7f55
SHA1 4e0f668849fd546edd083d5981ed685d02a68df4
SHA256 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
SHA512 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

C:\Users\Admin\AppData\Local\4d6SnF2Jt\SRCORE.dll

MD5 11e11ca22d92810abac16e965e372b8d
SHA1 de01f798af963512a69f6ee9d1e3685644c17acf
SHA256 d0191718bac1bef333b58e749aacdce6bed971898f6e3d3b3d931aed24c0c4ea
SHA512 8a9e5c38f3ec0047fd9ba5812708503b7c37fe8e043dba17908a13077f9d9b6bfda55af37915e857e8193075c172f1bdab638c75e0fb99eb641696ea37dd6552

\Users\Admin\AppData\Local\4d6SnF2Jt\SRCORE.dll

MD5 d40941522200ff8c76041c048476f663
SHA1 56d84e74ba97989dfab91d2df20db596b4322949
SHA256 01c53b49b2a22c271c77f0643e39f16efac45446c5eccdb5e2ddac1c88061684
SHA512 5edb56502505291877c59f48507ed9ff55c1c89fce672ab210101917b591295afd531d178e88d3380e0efb5ae3917ea7fa55d74309306b6e83892d84639c0e32

memory/2872-101-0x0000000000180000-0x0000000000187000-memory.dmp

C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe

MD5 c8bf27bb959ec55b95ab68ef62873a07
SHA1 43fdfd994440dafe611164e502ff72f2d066ec9f
SHA256 360ce6f28d7b2e58a86096e3d6472ae4a5f69ae6247e8b7161716f9b614b32c1
SHA512 6d1cc6aea12f28e44f2d1dd5ad2fe712621797b79d8b2182ed985cc4e86e78dbec1a19304145373f94b5d78ae5c420266a3483f92d8f786666378ad664c1b145

\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe

MD5 3b5516a9a6400f725dc584a2a2866288
SHA1 de8f21273b31f978ae6cebae35ee2a0be37a280d
SHA256 e1fa55ccf1d232a550aa40977324925ef4acdba7c1a9fb9a267cbf9191785da6
SHA512 d3c938be92318742f5db5e149be2189b150396c035dfc1080e0340d059713e868f232b2a5473ed5db3eeb2228123066e88588a5f2320d9ff03557bba7b724983

C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe

MD5 54f7a8d30d651733cb4d7faa3440d50a
SHA1 5ed7f892fb11c9d75d52cf995c6cfdecbe77173b
SHA256 d9fdf31360158092588076a2e59fd4bd6405a512853584922730951c922e938f
SHA512 e3670e0ce704220df96b15dd8257efe9069fa910315aefc68d35657453a0670b689666bcbab8071ded234951f1344d23216d89113d76a5114107c5077f04e426

C:\Users\Admin\AppData\Local\8NXxjtKJP\credui.dll

MD5 40c88ef5c0323999cac405a511d57712
SHA1 d9429a0b08104bfe815f63b9f53e6849d991bcd5
SHA256 87f8049cbe541b58dc6e2123fe6a05f8548631e464b89291f2201706d27caf5a
SHA512 8ae0a0675469c83e2c75003900fb3f2c0806ae4e66c03361150292765a974054d9a342c358ae6648ccae0e0c76375b12afc27f21a0296d072d9d59d4dedef27e

memory/1964-123-0x0000000000390000-0x0000000000397000-memory.dmp

\Users\Admin\AppData\Local\8NXxjtKJP\credui.dll

MD5 6735cc0c30d1da2b5d7d7e7f05ac5b31
SHA1 7cda787307252f9cd866cebd8836bcf13c6164fc
SHA256 2dccf107f295523cf9e8d39ade2336d3b3a8ed8bf395491630f81f607a3406da
SHA512 e38ead07a63c4b221ce26c3bef6717ed1747b40b69935e0083cf6e4c042ff9a74e03ad370ae53a55e799c8543b5a6ba39fd97bc21ec38aafbbfd77a97d1bbac9

C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe

MD5 b74fd9655f325c39d355283a5483b2c6
SHA1 25d98ead7633ae705cfbb2e3eb489922bed64c75
SHA256 84839c7150e3edfd9ee320ff1a407d46b66c2753773a36d6505d0ff02c20ee3c
SHA512 f41467bb57199334e93cbe7f668c98338e507ed450a121cd2a2cca175b120aa6ce44158e8fd6ae31ff1af0e9f424a6bf2e4d176c7fd30650ce0281178535c6aa

\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe

MD5 25487566fbc9130567d2d5627b102e59
SHA1 3c6ebc48bf81e576f12ae5bfae0205736ec6be33
SHA256 c7e8e42c20d5ecf82b1a2a05a2acd57f5168f5b1b5a83a92c62d7fa5ce9ea5ea
SHA512 22b90c056d4527a0aa0246a89117fd96c6068b1859c6ab99b03544cde1210cdfa01e8ce875bbf8a6a6b203f3f335272c122370ec9c7faab2dd1b5d3446e9459d

C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe

MD5 1b20f7c3cb3617e5b35a2f4bf961877b
SHA1 97c18b1d85efbb7ecbe216e5e0c68f4bf2a7fae3
SHA256 06e2ca18341a3c92b14033094f66dd8821e96a7521f87afe9efb0d9bd7c32630
SHA512 1839de9d576c093407434ed1102ea58e78204c0ad134528b777f1bf530c709384036aa2e6747d30242ff9fdf514fb617e65fb4e53b43c0121f9eea148e08c7e2

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\HNXMTQXM\KX2XT\mstsc.exe

MD5 9db6b983c0cfa8495cd6d488ab2f00e0
SHA1 c1d3ea31a2454c5621af0b1c5e1f183530955bb7
SHA256 8ceab0906997130dacebca54c9994656d486420b0391e077daf3a8d90cd776d5
SHA512 9c43b382bddfb94375cfa78a1288fc721cc7874d0403fc4aed1e2e2843673be24eaeef662794eda59d2fbf0a56586692055e44e52300b8b1a51ba0027133aeba

memory/1212-151-0x0000000076F66000-0x0000000076F67000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

MD5 981f715fa467e38f939b3c2383476870
SHA1 645beabf38aab15606cc9a3b5be306d38f54ae66
SHA256 16164a19686758f2060166a7ccd44f424456a7479aac00eb85cb6fccc06fe37e
SHA512 e4ff5bc92f0e3c4ccfb3254c257ee5ccd6049b536e0eb184b2a745da8eb634c63118611eb661f105356be760e48a5c8b878cb89d61fbb7cf20300b524911fde6

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\rzux\VERSION.dll

MD5 edb746fa6802359b5d23cc7d4efaaca6
SHA1 5ac6df76b72898bd4abb0f666647d2db6d3b5219
SHA256 cb58419366e42b08eb81973eb82816af37e575d6d9831a2523d90759a9a11da6
SHA512 e37e0ef24bc6a9684c4d2f931e5be3c8fe2cd4206f535394867e9e1d6835dfa01bd444d5d0b4a6020cf2cceb95d2d6fc12f10560578a20017cc628f1efada665

C:\Users\Admin\AppData\Roaming\Mozilla\uCkyR0Z\SRCORE.dll

MD5 dd18f0c8cf80a7cc05df9c09ab408d21
SHA1 2f14113869f3c4248199ea87021db015218d7b58
SHA256 ebdb5b329a2cdac97e4d82d8102ab1cc2bdb36b421ae5f433f5a441bc88d9758
SHA512 51e175a96ea122766c5bdbf89920f0df6e099dedb88ead3b458b5215fb6497164f3463801cce52e0b3e94317eac1e2d8a56e498eb485d03a306f68572e83c3d3

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\HNXMTQXM\KX2XT\credui.dll

MD5 c8bbdda711ae5d11a3338490e107ad04
SHA1 161e6fa7e84aec0a8c0a81bdc94d168836b30e1a
SHA256 a88dd8aff24974409236ef6e7b652e0e707ec6287f34f17f3bf7f9d2b6aa82f2
SHA512 e563e4d27aa46028217489589c15842a1174e1e6370e774bdf1232a6bb25f7ae87f13a58bcf3b3405d06d63a63478583401bc1af1eda1a2c783902e3f2f9ef50

Analysis: behavioral2

Detonation Overview

Submitted:        2024-01-08 07:36
Reported:         2024-01-08 07:38
Platform:         win10v2004-20231215-en
Max time kernel:  131s
Max time network: 151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ad438c7cc3df936568e20850bc2daad.dll,#1

Signatures

Dridex (botnet dridex)

Dridex Shellcode (botnet payload)

Adds Run key to start application (persistence)

Set value (str)
  Key:  \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr
  Data: "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\mGXSbkbSe\\Taskmgr.exe"

Checks whether UAC is enabled (evasion trojan)

Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process
C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe
C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe
C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe

Suspicious behavior: EnumeratesProcesses

Process
C:\Windows\system32\rundll32.exe (6 rows)
(58 further rows carry no description, indicator, process or target)

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Source PID  Target PID  Writes  Target image
3520        4828        2       C:\Windows\system32\GamePanel.exe
3520        4860        2       C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe
3520        1992        2       C:\Windows\system32\Taskmgr.exe
3520        3124        2       C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe
3520        4020        2       C:\Windows\system32\ProximityUxHost.exe
3520        2508        2       C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe

Same pattern as the win7 run with a different set of Windows binaries: each System32 original is followed by the copy dropped under AppData\Local. The report does not name the image behind PID 3520.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4ad438c7cc3df936568e20850bc2daad.dll,#1
C:\Windows\system32\GamePanel.exe
C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe
C:\Windows\system32\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe

Network

Country  Destination         Domain                       Proto
US       138.91.171.81:80    -                            tcp
US       8.8.8.8:53          146.78.124.51.in-addr.arpa   udp
US       8.8.8.8:53          180.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53          19.53.126.40.in-addr.arpa    udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53          241.154.82.20.in-addr.arpa   udp
US       8.8.8.8:53          26.35.223.20.in-addr.arpa    udp
US       8.8.8.8:53          81.171.91.138.in-addr.arpa   udp
US       8.8.8.8:53          41.110.16.96.in-addr.arpa    udp
US       8.8.8.8:53          208.194.73.20.in-addr.arpa   udp
US       8.8.8.8:53          86.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa     udp
US       8.8.8.8:53          140.71.91.104.in-addr.arpa   udp
US       8.8.8.8:53          tse1.mm.bing.net             udp
US       204.79.197.200:443  tse1.mm.bing.net             tcp  (5 connections)
US       8.8.8.8:53          200.197.79.204.in-addr.arpa  udp
US       8.8.8.8:53          194.178.17.96.in-addr.arpa   udp
US       8.8.8.8:53          48.229.111.52.in-addr.arpa   udp
US       8.8.8.8:53          90.65.42.20.in-addr.arpa     udp

The only TCP destination without a name is 138.91.171.81:80. The PTR query 81.171.91.138.in-addr.arpa is the reverse lookup of that address, and 200.197.79.204.in-addr.arpa the reverse lookup of the bing.net endpoint. The report does not say which process issued any of the DNS queries.
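The network rows above mix one direct-to-IP TCP connection with a lot of DNS traffic, most of it reverse (PTR) lookups. The script below is an added triage example, not part of the sandbox output: it folds each in-addr.arpa name back into the address it asks about, then splits the TCP destinations into those the sandbox tied to a name (204.79.197.200 via tse1.mm.bing.net) and those it did not (138.91.171.81:80), and lists the addresses that were only ever reverse-looked-up. The rows are embedded inline as constructed input copied from the table; the report attributes none of the queries to a process, so neither does this.

```python
from collections import defaultdict

# Constructed input: the behavioral2 Network rows of this report, copied as printed.
# Four-field rows carry the name the sandbox tied to the flow; three-field rows are
# connections it could not tie to any name.
NETWORK_ROWS = """\
US 138.91.171.81:80 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """Fold a reverse-lookup name back into the IPv4 address it asks about:
    '81.171.91.138.in-addr.arpa' -> '138.91.171.81' (PTR names list the octets
    in reverse). Anything that is not a well-formed IPv4 PTR name yields None."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_rows(text):
    """Return (ip, port, name_or_None, proto) per row; malformed rows are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            _country, dest, proto = parts
            name = None
        elif len(parts) == 4:
            _country, dest, name, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        flows.append((ip, int(port), name, proto))
    return flows


def triage(text):
    """Separate the TCP destinations from the DNS noise around them.

    tcp:          per destination IP: ports, names the sandbox tied to it, and
                  whether the host also asked for that IP's PTR record
    unnamed_tcp:  TCP destinations with no name at all (direct-to-IP connections)
    ptr_only:     addresses that were only reverse-looked-up, never connected to
    forward:      names resolved through ordinary forward queries
    """
    tcp = defaultdict(lambda: {"ports": set(), "names": set(), "ptr": False})
    ptr_ips, forward = set(), set()
    for ip, port, name, proto in parse_rows(text):
        if proto == "udp" and port == 53 and name:
            back = ptr_name_to_ip(name)
            if back:
                ptr_ips.add(back)
            else:
                forward.add(name)
        elif proto == "tcp":
            tcp[ip]["ports"].add(port)
            if name:
                tcp[ip]["names"].add(name)
    for ip in tcp:
        tcp[ip]["ptr"] = ip in ptr_ips

    def by_octet(addr):
        return tuple(int(o) for o in addr.split("."))

    return {
        "tcp": dict(tcp),
        "unnamed_tcp": sorted((ip for ip in tcp if not tcp[ip]["names"]), key=by_octet),
        "ptr_only": sorted(ptr_ips - set(tcp), key=by_octet),
        "forward": sorted(forward),
    }


if __name__ == "__main__":
    r = triage(NETWORK_ROWS)
    for ip in r["unnamed_tcp"]:
        info = r["tcp"][ip]
        print(f"direct-to-IP TCP: {ip} ports={sorted(info['ports'])} ptr_query_seen={info['ptr']}")
    print(f"{len(r['ptr_only'])} addresses were only reverse-looked-up; forward names: {r['forward']}")
```

On this input the only unnamed TCP destination is 138.91.171.81 (port 80, with a PTR query seen for it), the bing.net endpoint keeps its forward name, and fourteen further addresses appear solely as PTR queries. Where the sandbox's name column is missing, the PTR-to-IP fold is what lets you join the DNS rows to the connection rows at all.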

Files

Memory dumps, grouped by PID and region (dump index kept):

memory/4980-0, 4980-8:                             0x0000000140000000-0x0000000140182000
memory/4980-1:                                     0x000001E07F0A0000-0x000001E07F0A7000
memory/3520-4:                                     0x0000000003410000-0x0000000003411000
memory/3520-5:                                     0x00007FFCBB41A000-0x00007FFCBB41B000
memory/3520-7, 9-23, 25, 28, 30-46, 54, 64, 66:    0x0000000140000000-0x0000000140182000
memory/3520-47:                                    0x0000000001420000-0x0000000001427000
memory/3520-55:                                    0x00007FFCBCD80000-0x00007FFCBCD90000

As in the win7 run, the region 0x140000000-0x140182000 is dumped first from the rundll32-era PID 4980 (index 0) and then repeatedly from PID 3520; further dumps of it from PID 3520 (indices 24, 26, 27, 29) and of the dropped copies appear between the file entries below.

C:\Users\Admin\AppData\Local\RC2s\UxTheme.dll

MD5 cd7f8d849598917af4e42ed268dc06f8
SHA1 522f1498531ea50a106ac964963863d2f90a9e59
SHA256 8aef6a98a545d89fb9c6d224f66602607a56f6d39c206bb553e4b4cae84062b6
SHA512 7d778af82a1c5b2e6564923204c06840bde93f8a6997986d0243fe50221103708475f1af2ef4ae1eae319de953f5438140aafcff53c7b5858491bd6a17a30927

C:\Users\Admin\AppData\Local\RC2s\UxTheme.dll

MD5 19a787a46d3b8dab2de170aac5d5da6b
SHA1 2cae8e19c40b5e586f80e3ab80270339dcb26a8c
SHA256 9ece708e55740d5fe155b458c6476703fbebbd51ad99b5ca0873ee12b7150182
SHA512 3562663b8757b1326021faac9baabffbf7a0088e289d54068635dddc07c883abb65e080b36172f94b396dd0b43f46e5db0d19bf5f644c7558c68663e366af983

C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe

MD5 d138abf0b41cd2e341ddbddabb261c4c
SHA1 80c24615c4633f64bb9e70395556e1cdd300618e
SHA256 89f70566f1648030fe7b8ef7e76a704cb61e25fb9812b123333574b94dfbf9b1
SHA512 a9b963291895e2903bf1c3f2bdd66de361c480eea1c24e296436fd0a593892d6e7adf663664887bc2240277e79480533f7b47cff4d8018dfed03777114742a78

memory/4860-75-0x0000000140000000-0x0000000140183000-memory.dmp

memory/4860-77-0x000001B148E80000-0x000001B148E87000-memory.dmp

memory/3520-29-0x0000000140000000-0x0000000140182000-memory.dmp

memory/3520-27-0x0000000140000000-0x0000000140182000-memory.dmp

memory/4860-81-0x0000000140000000-0x0000000140183000-memory.dmp

C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe

MD5 6b4e9854fd16e6e862c808769641eecc
SHA1 377330e9c43d75d43b195fd7134192f075f7377f
SHA256 e1027e08f079adbe33789c9a066eb068b1ba4a4843b37dae9e31af4042d910e5
SHA512 6a99f038d1c96f6e37a4dd7b51a5a5ecd64c4b53f920597a47a438e4da5f22d687c2bb0e63eb9218efdd5f6e79cb20a9c78650219119024c92b4baa726152af7

memory/3520-26-0x0000000140000000-0x0000000140182000-memory.dmp

memory/3520-24-0x0000000140000000-0x0000000140182000-memory.dmp

C:\Users\Admin\AppData\Local\9i2C0nYd\DUI70.dll

MD5 df42231ebcb1530651e35dbdf7063511
SHA1 75f181678ec565ce0e3e2d74d5a8e7dabd62582d
SHA256 816138a5772da44c40848527cb117a5396bbc26a4a641bd6615f7b899e06bd46
SHA512 cc5e9027d2600eef8ff061da1629c4c2b1d3da470db35dfebbd4dc6d8acda422cac9a285687c3169ab6cfaa77ff9f5f81931dc2604a071cc47cd1a5b778e20db

memory/3124-92-0x0000021F6C780000-0x0000021F6C787000-memory.dmp

memory/3124-93-0x0000000140000000-0x00000001401C8000-memory.dmp

C:\Users\Admin\AppData\Local\9i2C0nYd\DUI70.dll

MD5 03919bca73beb487992799f891b3cd37
SHA1 afe51b86bea124d0a7d0b763b3955910892582eb
SHA256 1e64b21516d01565e16027126f417edea03639974b6da3fcd5496d951bfcbccd
SHA512 df2927975d78cb60db105afdb669e6e1ed0bcea1d0066461733e4ec772c75016a28b75f4f3acf004046aa24e9eaba66a6510108fe9ed64f721a45c88a8f76549

C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe

MD5 6a19ed3df002b862e01f55344b5e26a4
SHA1 b2d1783540a6b4e878d959f413f2d589b81432aa
SHA256 4107f97da799219ba8c2b0cae08e4d475c809dd7b8997c9f831d61a5522f3bae
SHA512 93e4e821687f1d5cbd93970ee72f27d7ed14a332edacd697240eafebf9f683638b9d3a5d024a3fcffed3b50e861b44edca142773fd0ce050aa3afa83292a3efd

C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe

MD5 fea6cd6c1a19e1e692897634537f4088
SHA1 1aa654928bb6262af4dd3d5f62efed21e6725e31
SHA256 17e21bf3e47930fab9e73a499996a3e22fdca0599903e2bbb6133e3bb1abfa98
SHA512 8e0d23ce70578ec7cfc031bbdae76aab638e17aaff0c8591ecafed9cdbe879ee4815db80a6a3d2b91920f72fe29792b158bb21884d04e9187adc1b6165a0315f

C:\Users\Admin\AppData\Local\aQscxslk\DUI70.dll

MD5 bc96aa1b6c4a7c70153b4ef677ee54a0
SHA1 b026ccfaaf13ee5e9f015a596908f736fb31165a
SHA256 0b075dfbb042d5fc02729eaed105f4691e1bde9efee94e8a90dc3bc98bf28d56
SHA512 98c5bd3771238ec43fc62aaea25bcc8a387c67e239e5e37a7347fe34a06015305e2464268e748a6d152bd63af1ad1544557592c4f70ad21b9a8c540f5b314972

C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe

MD5 138d87483d0844c80599a20c5785bf49
SHA1 74287c0af37ebb4e08fa6c0875e651e6c7b71e74
SHA256 a1914e53c524299ea848467920a6e141b83a270f4545788127b7a2bf4c387620
SHA512 9db25e156ccd49b6297622be89a7a0844eae1983c99db6c8880f5020da939d6a673c4f255e1dbf1ecf85c9ed33b37f7cdd3ede2bdd6d60fa33bff95ebda18fde

C:\Users\Admin\AppData\Local\aQscxslk\DUI70.dll

MD5 7eb532bbaa08cf6a39f55865f7bcea5d
SHA1 e4cfd6aabfad3722594af09c7d81678bb79e5a94
SHA256 194137ee2613f513748f635c5685104adf79035066ba80c9dff45c6f66f7fa92
SHA512 a98500259cf581cda1dd2aa47e9b3b9ba6b2ad1727da662e2e6f714c11ac010e965a3d4db56333ebcfb16c204e8f31d5df39bc96fba8019a840a1e5d0c16cc9d

memory/2508-109-0x0000022603CB0000-0x0000022603CB7000-memory.dmp

C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe

MD5 fafea0ffc8de3bd5837f5289b04fc2ac
SHA1 61ea07c5004e5f47eb7bdd4fe581e5b01598b275
SHA256 79340d320370db57523a8d80369fa8efcc9a16029f410278ba62af9d45181339
SHA512 490565cd8aacb842a61bbdc30c30f5150e3afd6889bc573ca61107b2b992487af22fdfe00db5f31b4a685a907376307b6c432ea5f233f45b0ee10a33297313fb

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

MD5 1b161be93d7a89a6327cd20356686186
SHA1 b650f475111082735ae27345724b7b3ad4745914
SHA256 fa681a73d3b9458ea37a58941217e812b4a432c853e7e17e81f81edfed450271
SHA512 c7cebea8478e1dfdc939dcbecc1c000cb77397f3178a972f6dd178a1c885d1cff0a8529550a7a6baeb9007bd323f8cf3ea60fef1cb50df9063386cddea6d6437

C:\Users\Admin\AppData\Roaming\Microsoft\Proof\9sAG1MrD\UxTheme.dll

MD5 5092033041540b01a4c43503f3975d92
SHA1 173f0675dfa692de50d3cd347507c515636c2d00
SHA256 9e356ec40154103b052fe2ec3fce9b949ebbc621b3c2043b0add712c49842316
SHA512 5f75e34c37c8cf6429e7b0599da35f19147ea8bf1332d70c7cbfb2374b0fc8a3aef4b436e8c49fccf5aa43b34652be3b58a2dc40b5136cbfbd4da887ad1d8329

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mGXSbkbSe\DUI70.dll

MD5 1b3945e2f68300d9dd00580143146fbc
SHA1 c985dab40eddc66c2e408e44af2e2cfb01eab57b
SHA256 0a437f12ee887efce36bdd8446a3a862699d5dd527e5743d35bbe10a22820f7f
SHA512 38bb43a43dc1a0d7267b890e192fbfa7782732d08e980c66253d546b28e88e16452a571360ffb324c1425b4d4f281ee9f90c3724344cb20117d5de19834ba3b1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\ZW\DUI70.dll

MD5 e8c074263ff1e8cedcefb5348c39d7b3
SHA1 9c6950c3b8d84621ab725eff8b9dd7cf61235bc7
SHA256 1f820dff5d171d1fd5ae4d6f7abc735cb0f9c19eae9113bd889b4079acf05e33
SHA512 e831dbeb0e4c5f405010fba8bb8fd2d86bb9dd5aa10555a13fd6efd3297752afb6c61ce90a4e59963c62a7c1db1b8b57858916670067a06692a5323c8cd24f6c
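Across both runs the dropped files follow one layout: a copy of a Windows binary (the same names PID 1212 and PID 3520 were seen writing into under System32) sits in a user-profile directory next to a DLL, the win7 run's Loads dropped DLL rows show those copies loading it, the Run key values point at further copies of the same binaries in Roaming directories where only the DLL was captured, and a .lnk lands in the Startup folder. The script below is an added example, not part of the report, that correlates those three sets of artefacts from this page (transcribed inline as constructed input, one entry per path, the hash variants collapsed) into staging directories and the persistence entries that reach them. Two rules are assumptions of the example: anything under \Users\ counts as writable by the logged-on user, and an .exe counts as a copied system binary only when its name matches one of the System32 write targets listed on this page.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input, transcribed from this report: the System32 images that PID 1212
# (win7 run) and PID 3520 (win10 run) wrote into, the dropped files of both runs, and
# the two Run key values. Some paths are printed on the page without a drive letter.
SYSTEM32_WRITE_TARGETS = [
    r"C:\Windows\system32\sigverif.exe", r"C:\Windows\system32\rstrui.exe",
    r"C:\Windows\system32\mstsc.exe", r"C:\Windows\system32\GamePanel.exe",
    r"C:\Windows\system32\Taskmgr.exe", r"C:\Windows\system32\ProximityUxHost.exe",
]
DROPPED = [
    r"C:\Users\Admin\AppData\Local\H5Wh4T\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\H5Wh4T\sigverif.exe",
    r"C:\Users\Admin\AppData\Local\4d6SnF2Jt\SRCORE.dll",
    r"C:\Users\Admin\AppData\Local\4d6SnF2Jt\rstrui.exe",
    r"C:\Users\Admin\AppData\Local\8NXxjtKJP\credui.dll",
    r"C:\Users\Admin\AppData\Local\8NXxjtKJP\mstsc.exe",
    r"\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\HNXMTQXM\KX2XT\mstsc.exe",
    r"\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\HNXMTQXM\KX2XT\credui.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\rzux\VERSION.dll",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\uCkyR0Z\SRCORE.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk",
    r"C:\Users\Admin\AppData\Local\RC2s\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\RC2s\GamePanel.exe",
    r"C:\Users\Admin\AppData\Local\9i2C0nYd\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\9i2C0nYd\Taskmgr.exe",
    r"C:\Users\Admin\AppData\Local\aQscxslk\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\aQscxslk\ProximityUxHost.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Proof\9sAG1MrD\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mGXSbkbSe\DUI70.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\ZW\DUI70.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk",
]
RUN_KEY_VALUES = {  # HKCU\...\CurrentVersion\Run value name -> data, one per run
    "Pfoxtyecp": r"C:\Users\Admin\AppData\Roaming\Mozilla\uCkyR0Z\rstrui.exe",
    "Dturazvnnsjkgvr": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\mGXSbkbSe\Taskmgr.exe",
}


def in_user_profile(path):
    # Assumption of this example: anything under \Users\ is writable by the logged-on user.
    return "users" in {part.lower() for part in PureWindowsPath(path).parts}


def correlate(dropped, system_targets, run_keys):
    """Group dropped files per directory and tie them to the persistence entries.

    staging:      user-profile dirs holding a copy of a written-to System32 binary plus DLL(s)
    dll_only:     user-profile dirs where only DLL(s) were captured (no exe recorded there)
    persistence:  each Run key value with the DLLs dropped beside the exe it launches
    startup_lnks: .lnk files dropped in a Startup folder
    """
    known_exes = {PureWindowsPath(t).name.lower(): t for t in system_targets}
    by_dir = defaultdict(list)
    for f in dropped:
        p = PureWindowsPath(f)
        by_dir[str(p.parent)].append(p.name)

    staging, dll_only, startup = {}, {}, []
    for d, names in by_dir.items():
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = sorted(n for n in names if n.lower().endswith(".dll"))
        startup += [str(PureWindowsPath(d) / n) for n in names
                    if n.lower().endswith(".lnk") and "startup" in d.lower()]
        if not in_user_profile(d):
            continue
        copied = [n for n in exes if n.lower() in known_exes]
        if copied and dlls:
            staging[d] = {"exe": copied[0], "original": known_exes[copied[0].lower()], "dlls": dlls}
        elif dlls and not exes:
            dll_only[d] = dlls

    persistence = []
    for name, value in run_keys.items():
        v = PureWindowsPath(value)
        d = str(v.parent)
        persistence.append({
            "run_key": name,
            "exe": v.name,
            "copied_system_binary": v.name.lower() in known_exes,
            "sibling_dlls": dll_only.get(d, []) + staging.get(d, {}).get("dlls", []),
        })
    return {"staging": staging, "dll_only": dll_only,
            "persistence": persistence, "startup_lnks": sorted(startup)}


if __name__ == "__main__":
    result = correlate(DROPPED, SYSTEM32_WRITE_TARGETS, RUN_KEY_VALUES)
    for d, info in result["staging"].items():
        print(f"staging dir: {d}  {info['exe']} (copy of {info['original']}) + {info['dlls']}")
    for entry in result["persistence"]:
        print(f"Run\\{entry['run_key']} -> {entry['exe']}; DLLs beside it: {entry['sibling_dlls']}")
```

On this page's data the script yields seven staging directories (three per run under AppData\Local plus the Flash Player one), five directories where only a DLL was captured, and both Run key values resolving to a copied system binary with one of those DLLs beside it (SRCORE.dll next to rstrui.exe, DUI70.dll next to Taskmgr.exe). Run against a real host, the same grouping works on a file-system inventory: the signal is a System32 binary name appearing outside %SystemRoot% with a DLL in the same directory, not any particular random directory name.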