Malware Analysis Report

2024-11-15 08:50

Sample ID 240119-2dpb6aegar
Target 68ca805df0c74e02d25c86dd7d49303e
SHA256 f613f68232c24e7b4c0e5a49431a159dbffb259080f66d7e773de9649da7235d
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

f613f68232c24e7b4c0e5a49431a159dbffb259080f66d7e773de9649da7235d

Threat Level: Known bad

The file 68ca805df0c74e02d25c86dd7d49303e was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-19 22:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-19 22:28

Reported

2024-01-19 22:30

Platform

win7-20231215-en

Max time kernel

150s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\68ca805df0c74e02d25c86dd7d49303e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe N/A
(four further rows with no description, indicator, process or target recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\DjWA5h\\TpmInit.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1364 wrote to memory of 2364 (3 events) N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1364 wrote to memory of 2096 (3 events) N/A N/A C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe
PID 1364 wrote to memory of 3004 (3 events) N/A N/A C:\Windows\system32\TpmInit.exe
PID 1364 wrote to memory of 3000 (3 events) N/A N/A C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe
PID 1364 wrote to memory of 620 (3 events) N/A N/A C:\Windows\system32\fvenotify.exe
PID 1364 wrote to memory of 2012 (3 events) N/A N/A C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\68ca805df0c74e02d25c86dd7d49303e.dll,#1

C:\Windows\system32\BitLockerWizardElev.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe

C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe

C:\Windows\system32\fvenotify.exe

C:\Windows\system32\fvenotify.exe

C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe

C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe

Network

N/A

Files

memory/2476-0-0x0000000140000000-0x0000000140185000-memory.dmp

memory/2476-1-0x0000000000240000-0x0000000000247000-memory.dmp

memory/1364-4-0x0000000076F16000-0x0000000076F17000-memory.dmp

memory/1364-5-0x0000000002700000-0x0000000002701000-memory.dmp

memory/1364-9-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-12-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-16-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-15-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-20-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-22-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-30-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-31-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-34-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-35-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-36-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-37-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-39-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-42-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-44-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-48-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-50-0x00000000026E0000-0x00000000026E7000-memory.dmp

memory/1364-47-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-57-0x0000000077121000-0x0000000077122000-memory.dmp

memory/1364-60-0x0000000077280000-0x0000000077282000-memory.dmp

memory/1364-56-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-46-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-67-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-45-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-43-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-40-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-41-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-38-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-33-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-71-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-32-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-29-0x0000000140000000-0x0000000140185000-memory.dmp

C:\Users\Admin\AppData\Local\oC6JnlpOk\FVEWIZ.dll

MD5 d35ea6dbf9b954d4cfc9608eb4c8dfc6
SHA1 7c8c2d992f1b71e0a77565d0e57701c92958c514
SHA256 0f1c0f70648db61c10a52663e0040a2449a59afd4cddf879385dbeaba7be95f9
SHA512 70f5694423cae7c8c9948de58b8a373e1aaf4ade41b60b33770a997198f3ae0b95e7d5d60debe64fdfb24527899155bb9afdb092cbf3ed66cd60c5b08f87539b

\Users\Admin\AppData\Local\oC6JnlpOk\FVEWIZ.dll

MD5 9139852848c2a5099bf361550b353160
SHA1 6e1e0290ff9d8ebf09914df99f692a9b7fdd1b04
SHA256 5de57e302d8f600328d6a3108fe6f72391f329793f5ee091ef9a3cf603f9180f
SHA512 25fb2af9cf01b626ee6c48efcbe2b4d01a983ff52ac9bbaa544515b09d8f19d0f700821fb8c719b5ce571c6991ce927c9d40b787c846fff248be218e6bd5af5b

C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe

MD5 babc017b98b03a8c28945de1fef64f59
SHA1 e4a9b3dfb7d7a56f645761485efe2ede337d2381
SHA256 9f5e1b545703b473712912e53799dc7e6459f67eb6f88b8478364fe4f12615d1
SHA512 f0d38e6101de4a8094d812ebd400a5ac706c486aba08d118eb0db4d0dbd81c888487b73ff3d7720b44952b8235ad2faa60814199b387de60b696619a2ae0c577

memory/2096-85-0x00000000001A0000-0x00000000001A7000-memory.dmp

\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe

MD5 0cba4187bd397261930347cb203f0e91
SHA1 ca26eac633d06c2656f2bd8965b605a1b05b8c2c
SHA256 8b5e362f3b2183d6de02003f2222ec5d781c633f7fdcc28cbb61c6bb8b040f85
SHA512 62d8f0b93a7decd03bb3dfacd705c34a1c53b916363acf81613b5c4cb90effe4fcfb3e8766c37cb7467e4d904d0422a6e7dd4ffb1604d4c8cd56d9564824026f

memory/1364-28-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-26-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-27-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-25-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-23-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-24-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-21-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-19-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-17-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-18-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-14-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-13-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-11-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-10-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1364-7-0x0000000140000000-0x0000000140185000-memory.dmp

memory/2476-8-0x0000000140000000-0x0000000140185000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\9d\BitLockerWizardElev.exe

MD5 10d4966e5a7c387df060ef1db2c0e727
SHA1 1b0d8ab3532a3063dd2733121d6991d377c8e290
SHA256 fa16d99a12600f3d8e8ac57f42917b09c9de1eb57837b1229fb392e94466d69c
SHA512 c40e4453c9d2f3e4e0391d70a4f35da54988a127fe896308591d3ab32342ea2ee94a4063e6a82b33b4ee65b6178c41de212a5867e6cb13da705ffc1ceef1bb07

\Users\Admin\AppData\Local\heUhJ\Secur32.dll

MD5 9513ee48b8c50a4ddabfb752ebc1da85
SHA1 920305216f307104a486deac764749f941a67ce8
SHA256 e60817d368b8418feb1259033fb853f05128ab89e4db9a7a672efcd01e72c1fb
SHA512 2328bdc773d6c8b402bd8aaca9e7bc2b21aaf7d9ad49881fc6b41141d9133cb93bc9a58a05a670ef0f6ea839be28431ac02954661b2a50bfef8a7366fa145b9a

C:\Users\Admin\AppData\Local\heUhJ\Secur32.dll

MD5 90fee0856fbe4df2342c45ec03deecca
SHA1 6cbcd55a006f59f4be2ba782c991c4e9391d45ca
SHA256 fe17c1d5bf26fb31a165e16140231e12ac66670696b9529941e49ef8e2e4463d
SHA512 342045baaca004077de786e4b40deb8b56b54424e04d44814513ffa9c4173fdc667a6bf9e9b2c9d5218de11b86d7488c82634741739616ecd5198e89309a75e8

memory/3000-102-0x0000000000290000-0x0000000000297000-memory.dmp

C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe

MD5 f278003e9f0a687c2c743b491f23bc7d
SHA1 67b65464300a38007d55112830b76f067841f5fc
SHA256 768c554a90d673ac3544d67d37e3e912db734e12a3d462e0cd429a74cb614f79
SHA512 a5f15c658e448b32b0ac68e6790e0fd1b554db6d30e9702e3969372450173b1e266296beb405f23dcb73d7e8a82cb6b258f0701986a25cfdfe841df557c29e9b

C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe

MD5 10a3cfe7254d403f7138388fdbfd07e9
SHA1 1cd35572784c24be2d708db39d8182c05c29f8e5
SHA256 d2d6ff09aa2377e5437eaa5270f5246a1314463d9a1af8d72811ade973bad7ff
SHA512 407f6ca76622901eefb3bc7f3d454e092ea19e25ebb2982d35292cdd2a23a0a84cb90c5e8b56cee473dd22af7e8a4cf6cdcd0c99834fc9615f052fe7df58ff5e

\Users\Admin\AppData\Local\heUhJ\TpmInit.exe

MD5 f0605b4c3753e6ec16a39b31c7921813
SHA1 3192b040cb830954281466499a29b755bb3099f2
SHA256 7ff0397e8d1f704bab94de01fbb9be8fa5d8a78bdc5dbd84d2c28da22dc53bf1
SHA512 674d737a5906c229cf66a66263892fdf1e736bed458795b8d19598f2a21b8d8c766973930834dfcf11371081093551f68ccecfec1239ccdaa3675e7fdc1a5c98

C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe

MD5 d1e3d14ec7a5b08896990d6bb9840c18
SHA1 f3b92a639540ed8a23f722aeadfc7a80522bd5c0
SHA256 34218ae07defa4d2e29529aa72615162c5daae2aea652253f8b3312a5e7da919
SHA512 1879488bf270cd37381fc7c9c8a6f913ff3926da7f65424bcb9c45d3f1b647419366765ca992d27bb08bd6e15b92eea8c8ac4a13a70b4a2f84f7d8ec8e586388

C:\Users\Admin\AppData\Local\Qp4\slc.dll

MD5 a31cdb0be3f78a3a6d19b279440b9d6a
SHA1 a0ba873515401c12ade3664a5ffa6503701bf78b
SHA256 53a3b93e52e37beb7ff0433a5f25d7489eef503f3302e4f4c1be2dd6cf92f3b7
SHA512 7ca26c98373ecb77656c9e32bd1c1b542c8cc6b1836758178c52e640363b0903abcdca0b8598a76a132016f14dd12ad540c0f09d79dd571353448aada5e9dd12

\Users\Admin\AppData\Local\Qp4\slc.dll

MD5 411da1a6843e2da784a4997560e7ad15
SHA1 7a389831be6e892d82c4419f5d59f8a1c5a2e5b6
SHA256 6a4fd8dc08d03eda65c117966d3b71e35b8be6a511f34932d90991bdaf7ddd2b
SHA512 374c4ec74fcf03ce7d01148c81e526b2195239f2a106e6ef83bdf9eeb97c341ee0f5947c559c58d95cd6f7dad944d41b96f09576e05030ea2b27d0dea341e61a

\Users\Admin\AppData\Local\Qp4\fvenotify.exe

MD5 aadf8fb86c5c956cabb1ba956cfa326a
SHA1 c8b270bf02a5c5b1c858b327936518ada7ec40d6
SHA256 69b4da45817220c476e09b4c77505d66b631698484176227c57bdfa2591cef06
SHA512 ff30fbbf10e22fe0f123a09395cff15734ce6b448045929a7f03df857f6df3043c7aa79ef63bf258518c4e68eea1b9e5a1ea10350b8ef789f6018b31e3859250

memory/2012-120-0x0000000000190000-0x0000000000197000-memory.dmp

C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe

MD5 1dac8319e3c12ec9df7e81c430ce6da4
SHA1 f46f37ae9d7b85106ea1f462226472fd0a6f2084
SHA256 9602ddd11d7b5930bf48f7558f7722fa274995f2461a69dde616f004c369a2d4
SHA512 69a6d9f1b41e008c56d8f098814d0c8f329c947bda36c638bf5539e845f14559b53a682ad6b740099342e56f8a74ae08785695b538f425ec29318819a5eebebe

\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\9d\FnZ5EJNj\fvenotify.exe

MD5 e61d644998e07c02f0999388808ac109
SHA1 183130ad81ff4c7997582a484e759bf7769592d6
SHA256 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
SHA512 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

MD5 25ce79429905ef53c780d561b9c041c3
SHA1 25cad8c52c94ea55156afd636c84cf2cfd3e4c8c
SHA256 96a9c16e7c295dac6c72309f30306a4a078efb3b29e27b683655fcbd2c726cdb
SHA512 f8b9960a08517a71cc0d30fdedf5d3ca3fcf21313642cb27ff95262542e72a1027cb4d05209fc71096a40e6d25b93f28f9e3237aa2bd83f143f626a260522091

memory/1364-145-0x0000000076F16000-0x0000000076F17000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\9d\FVEWIZ.dll

MD5 8b22b843282ccbed97044c4a3d319ac4
SHA1 7854554e45685fdcd1ba2f695b588cde3b700828
SHA256 f66ba86c4186ac7ee7f308c5c7600e7e52be6100b1aada623dcb42b76d0369f1
SHA512 371a1e7875bf91be2a63c646a45705ce89e86320e169f8943b4ef5a19acc19588b5020f152e2d8c13dcf26f38d4936dfbf2d6785b45d82dfad90853875608afa

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\DjWA5h\Secur32.dll

MD5 079d114f0bef3506e5c48fb089d40887
SHA1 1a05966f9cebba45a67e65539d8a24c5cbc322a6
SHA256 c3e99e2c347e441d354dd13e6d201d2beb94df313f7fda7521953351090591c5
SHA512 548f364703e42f75759731a7ba1220c0b6ca8bf74cc4d58a537d61ed370037ed095bb9af7b0bc4c3f28cd4acf3361d7417b0a56120c840243959b194901cfcf4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\9d\FnZ5EJNj\slc.dll

MD5 5c0ffaafd4db1dc17d4f9308f002503f
SHA1 6f6a879e8a761c92c979159234cc61231397f69d
SHA256 47bfd48a5f9fbea616b46e9dbda249a4ba471d6d1a1ff5ea1b731ef787b8f142
SHA512 785fc2f52154a6564f78e2c3c74541d495ccad6cfbfb480e1d93f9c1775690108442f261c2f5f721ef380b11987fed8db6b8c7c424f902a1e1c140fa1380fa77

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-19 22:28

Reported

2024-01-19 22:30

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\68ca805df0c74e02d25c86dd7d49303e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\MQhXWatA\\unregmp2.exe" N/A N/A
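Both detonations set the same kind of autostart: a Run value under the user's hive (Pfoxtyecp on Win7, Gdfgjdhwrlpouj on Win10) whose data is yet another copy of a Windows binary placed under AppData\Roaming\Microsoft\SystemCertificates, plus a .lnk dropped into the user's Startup folder (Gmfoo.lnk and Btpzaqnqvnv.lnk in the Files sections). Both are ATT&CK T1547.001. The Python below is an added example, not part of the sandbox report: it parses the sandbox's "Set value (str)" indicator lines into hive, SID, value name and unescaped target path, flags targets that live inside the user profile or reuse the name of a binary the report launched from System32, and picks Startup-folder shortcuts out of a dropped-file list. The indicator lines, .lnk paths and system binary names are copied from this report as constructed input; the line layout the regexes expect is an assumption about this sandbox's output format.

```python
"""Parse Run-key and Startup-folder persistence indicators from a sandbox report.

Added example (not part of the sandbox report). The indicator lines, startup
.lnk paths and system binary names below are copied from this report as
constructed input; the 'Set value (<type>) <key>\\<name> = "<data>"' layout
the regexes expect is an assumption about this sandbox's output format.
"""
import ntpath
import re

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\\S+)\\(?P<name>\S+) = "(?P<data>.*)"$'
)
# \REGISTRY\USER\<SID>\Software\...\Run   or   \REGISTRY\MACHINE\SOFTWARE\...\Run
RUN_KEY_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)(?:\\(?P<sid>S-1-5-21-[\d-]+))?'
    r'\\(?P<sub>software\\microsoft\\windows\\currentversion\\run(?:once)?)$',
    re.IGNORECASE,
)
STARTUP_LNK_RE = re.compile(r'\\programs\\startup\\[^\\]+\.lnk$', re.IGNORECASE)
USER_PROFILE_RE = re.compile(r'^c:\\users\\[^\\]+\\', re.IGNORECASE)

# Constructed input: the two "Adds Run key" indicator lines from this report.
RUN_INDICATORS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\DjWA5h\\TpmInit.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\MQhXWatA\\unregmp2.exe"',
]
# Constructed input: dropped paths copied from the Files sections.
DROPPED_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\DjWA5h\Secur32.dll",
]
# Basenames this report shows being launched from C:\Windows\system32.
SYSTEM_BINARY_NAMES = {"bitlockerwizardelev.exe", "tpminit.exe", "fvenotify.exe",
                       "msconfig.exe", "unregmp2.exe", "wfs.exe"}


def parse_run_value(line, system_names=SYSTEM_BINARY_NAMES):
    """Return a dict for a Run/RunOnce 'Set value' line, or None if the line is not one."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    k = RUN_KEY_RE.match(m["key"])
    if not k:
        return None  # some other key: not an autostart entry
    # The sandbox escapes backslashes inside the quoted data; undo that.
    target = m["data"].replace("\\\\", "\\")
    return {
        "hive": "HKU" if k["hive"].upper() == "USER" else "HKLM",
        "sid": k["sid"],
        "value_name": m["name"],
        "target": target,
        "in_user_profile": bool(USER_PROFILE_RE.match(target)),
        "system_binary_name": ntpath.basename(target).lower() in system_names,
    }


def startup_lnk_entries(paths):
    """Return the dropped paths that are shortcuts inside a Startup folder."""
    return [p for p in paths if STARTUP_LNK_RE.search(p)]


def assess_persistence(run_lines, dropped_paths):
    """Combine both autostart vectors into a single list of findings."""
    findings = [r for r in (parse_run_value(line) for line in run_lines) if r]
    findings += [{"startup_lnk": p} for p in startup_lnk_entries(dropped_paths)]
    return findings


if __name__ == "__main__":
    for finding in assess_persistence(RUN_INDICATORS, DROPPED_PATHS):
        print(finding)
```

A Run value whose target is both inside the user profile and named after a System32 binary is the combination to hunt for: legitimate software rarely registers itself that way, while this sample does it on both platforms.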

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\I8rluJUF\msconfig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\aZ0Y\unregmp2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6Mzww\WFS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows with no description, indicator, process or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege (8 events) N/A N/A N/A
Token: SeCreatePagefilePrivilege (8 events) N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 908 (2 events) N/A N/A C:\Windows\system32\msconfig.exe
PID 3520 wrote to memory of 5096 (2 events) N/A N/A C:\Users\Admin\AppData\Local\I8rluJUF\msconfig.exe
PID 3520 wrote to memory of 1720 (2 events) N/A N/A C:\Windows\system32\unregmp2.exe
PID 3520 wrote to memory of 3912 (2 events) N/A N/A C:\Users\Admin\AppData\Local\aZ0Y\unregmp2.exe
PID 3520 wrote to memory of 4684 (2 events) N/A N/A C:\Windows\system32\WFS.exe
PID 3520 wrote to memory of 4404 (2 events) N/A N/A C:\Users\Admin\AppData\Local\6Mzww\WFS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\68ca805df0c74e02d25c86dd7d49303e.dll,#1

C:\Windows\system32\msconfig.exe

C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\I8rluJUF\msconfig.exe

C:\Users\Admin\AppData\Local\I8rluJUF\msconfig.exe

C:\Windows\system32\unregmp2.exe

C:\Windows\system32\unregmp2.exe

C:\Users\Admin\AppData\Local\aZ0Y\unregmp2.exe

C:\Users\Admin\AppData\Local\aZ0Y\unregmp2.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\6Mzww\WFS.exe

C:\Users\Admin\AppData\Local\6Mzww\WFS.exe
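The Processes sections of behavioral1 and behavioral2 show one pattern twice over: each Windows binary (BitLockerWizardElev.exe, TpmInit.exe and fvenotify.exe on Win7; msconfig.exe, unregmp2.exe and WFS.exe on Win10) is launched once from C:\Windows\system32 and once from a randomly named folder under AppData\Local, and the Files sections list a DLL carrying a system-library name (FVEWIZ.dll, Secur32.dll, slc.dll, MFC42u.dll, VERSION.dll, credui.dll) in that same folder. That is DLL search-order hijacking / side-loading (ATT&CK T1574.001, T1574.002): a copy of a legitimate executable resolves one of its imports from its own directory first and loads the attacker's DLL. The Python below is an added example and not part of the sandbox report. It takes the image paths and dropped-file paths copied from both detonations above as constructed input and flags every executable name that runs from both a system directory and a user-writable one, listing the DLLs dropped beside the user-writable copy. Which prefixes count as "system" and "user-writable" is an assumption in the code.

```python
"""Flag DLL side-loading candidates from a sandbox process list and file list.

Added example (not part of the sandbox report). The inputs are copied from the
behavioral1 and behavioral2 Processes and Files sections; the detection itself
is generic: an executable basename seen running from a system directory AND
from a user-writable directory, with DLLs dropped next to the latter.
"""
import ntpath
import re
from collections import defaultdict

# Assumption: the only directories a Windows system binary should run from.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: anything under a user's AppData is writable without elevation.
USER_WRITABLE_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# Constructed input: image paths from the Processes sections of both detonations.
PROCESS_IMAGES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\BitLockerWizardElev.exe",
    r"C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe",
    r"C:\Windows\system32\TpmInit.exe",
    r"C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe",
    r"C:\Windows\system32\fvenotify.exe",
    r"C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe",
    r"C:\Windows\system32\msconfig.exe",
    r"C:\Users\Admin\AppData\Local\I8rluJUF\msconfig.exe",
    r"C:\Windows\system32\unregmp2.exe",
    r"C:\Users\Admin\AppData\Local\aZ0Y\unregmp2.exe",
    r"C:\Windows\system32\WFS.exe",
    r"C:\Users\Admin\AppData\Local\6Mzww\WFS.exe",
]

# Constructed input: dropped files from the Files sections (the report lists
# some of them without a drive letter, which _norm() repairs).
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\oC6JnlpOk\FVEWIZ.dll",
    r"C:\Users\Admin\AppData\Local\oC6JnlpOk\BitLockerWizardElev.exe",
    r"\Users\Admin\AppData\Local\heUhJ\Secur32.dll",
    r"C:\Users\Admin\AppData\Local\heUhJ\TpmInit.exe",
    r"C:\Users\Admin\AppData\Local\Qp4\slc.dll",
    r"C:\Users\Admin\AppData\Local\Qp4\fvenotify.exe",
    r"C:\Users\Admin\AppData\Local\I8rluJUF\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\aZ0Y\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\6Mzww\credui.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk",
]


def _norm(path):
    """Lower-case and normalise; assume drive C: for drive-less \\Users\\... paths."""
    if path.startswith("\\") and not path.startswith("\\\\"):
        path = "C:" + path
    return ntpath.normpath(path).lower()


def find_sideload_candidates(process_images, dropped_files):
    """Return {user_writable_exe: {"system_original": path, "sibling_dlls": [names]}}.

    A basename is a candidate when it was launched both from SYSTEM_DIRS and from a
    user-writable directory. Sibling DLLs are dropped .dll files in the same directory
    as the user-writable copy, i.e. the files a search-order hijack would load.
    """
    paths_by_name = defaultdict(set)
    for image in process_images:
        norm = _norm(image)
        paths_by_name[ntpath.basename(norm)].add(norm)

    dlls_by_dir = defaultdict(list)
    for dropped in dropped_files:
        norm = _norm(dropped)
        if norm.endswith(".dll"):
            dlls_by_dir[ntpath.dirname(norm)].append(ntpath.basename(norm))

    findings = {}
    for name, paths in paths_by_name.items():
        originals = sorted(p for p in paths if ntpath.dirname(p) in SYSTEM_DIRS)
        copies = sorted(p for p in paths if USER_WRITABLE_RE.match(p))
        if not originals or not copies:
            continue  # seen only in system dirs or only in user dirs: nothing to pair
        for copy in copies:
            findings[copy] = {
                "system_original": originals[0],
                "sibling_dlls": sorted(dlls_by_dir.get(ntpath.dirname(copy), [])),
            }
    return findings


if __name__ == "__main__":
    for exe, info in sorted(find_sideload_candidates(PROCESS_IMAGES, DROPPED_FILES).items()):
        print(f"{exe}\n  copy of {info['system_original']}\n  DLLs beside it: {info['sibling_dlls']}")
```

Run against the report's own lists this yields six pairs, one per hijacked binary, and correctly ignores rundll32.exe, which only ever runs from System32. On a live host the same logic works over Sysmon event ID 1 image paths and event ID 11 file-create paths; the hashes for each dropped DLL are in the Files sections if you want to pivot on them.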

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp

Files

memory/3144-0-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3144-1-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3144-3-0x000001C8F1B40000-0x000001C8F1B47000-memory.dmp

memory/3520-5-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/3520-7-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-9-0x00007FFE77E5A000-0x00007FFE77E5B000-memory.dmp

memory/3520-8-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-10-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-11-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-12-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-13-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-15-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-14-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-16-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-17-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-19-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-20-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-21-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3144-18-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-22-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-23-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-24-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-25-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-26-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-27-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-28-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-29-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-30-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-31-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-32-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-33-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-34-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-35-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-36-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-37-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-38-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-39-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-40-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-41-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-42-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-43-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-44-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-45-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-46-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-47-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-48-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-50-0x00000000038D0000-0x00000000038D7000-memory.dmp

memory/3520-49-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-57-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-58-0x00007FFE789A0000-0x00007FFE789B0000-memory.dmp

memory/3520-67-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3520-69-0x0000000140000000-0x0000000140185000-memory.dmp

C:\Users\Admin\AppData\Local\I8rluJUF\msconfig.exe

MD5 39009536cafe30c6ef2501fe46c9df5e
SHA1 6ff7b4d30f31186de899665c704a105227704b72
SHA256 93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04
SHA512 95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a

C:\Users\Admin\AppData\Local\I8rluJUF\MFC42u.dll

MD5 2ad5b7439dbe6a97dfc43b5829f52ce9
SHA1 ccefce149c33c98abf204e6d73c788c9bc36c0f2
SHA256 72414d48b0b646f0ddd1b2aa7c5124788fe9983f328f2104f7f6236719c31ea8
SHA512 6e51c3d481d1b5a6cb8c82208da5ff2226e1cd4bc6edebdd8938834162166172a2694214f6c40aae1acfea5056ffaa4e4c3788882626129438d35d2b903f3bda

memory/5096-78-0x0000000140000000-0x000000014018C000-memory.dmp

memory/5096-80-0x000001E36F690000-0x000001E36F697000-memory.dmp

memory/5096-79-0x0000000140000000-0x000000014018C000-memory.dmp

memory/5096-85-0x0000000140000000-0x000000014018C000-memory.dmp

C:\Users\Admin\AppData\Local\aZ0Y\unregmp2.exe

MD5 a6fc8ce566dec7c5873cb9d02d7b874e
SHA1 a30040967f75df85a1e3927bdce159b102011a61
SHA256 21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d
SHA512 f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

C:\Users\Admin\AppData\Local\aZ0Y\VERSION.dll

MD5 d3724fd4d7c38463e033ac98278fbe78
SHA1 f0f1cacb271c0caa69588eea5fbd98eb31a38092
SHA256 d55eed4ed5fefaa8e0726f832e24e5791ad9b9c20cf7a7c016a5be803206836b
SHA512 5494408f15ee981fed3deb0452ec7110dcad29d5beacac9e59312186a372cb70cd107dc6b5234d3800d29d79e85b5f6222d62955f564119b8ebe45cdd7cbda70

memory/3912-99-0x0000000140000000-0x0000000140186000-memory.dmp

memory/3912-102-0x000001B54B700000-0x000001B54B707000-memory.dmp

memory/3912-106-0x0000000140000000-0x0000000140186000-memory.dmp

C:\Users\Admin\AppData\Local\6Mzww\WFS.exe

MD5 3cbc8d0f65e3db6c76c119ed7c2ffd85
SHA1 e74f794d86196e3bbb852522479946cceeed7e01
SHA256 e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4
SHA512 26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

C:\Users\Admin\AppData\Local\6Mzww\credui.dll

MD5 65293ff42f366605266adad27cd72fc7
SHA1 06bfc7c014a5df95f197ef64ad6092b51111637c
SHA256 e623c841b82256ad9937b95b7c8d882be53e3c7925c8cc6229c9f6432c3ceaa2
SHA512 52eab9c9408f425a1ee72a6b79fda726e28ced85e0325c056b74296289ffd15320a819e9179c62337257d1758960910175e191d63e472fe355c72f12e4e825ea

memory/4404-117-0x0000000140000000-0x0000000140186000-memory.dmp

memory/4404-119-0x000002B43B730000-0x000002B43B737000-memory.dmp

memory/4404-125-0x0000000140000000-0x0000000140186000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 5fa0617b3a65b0cbdb0ac88d17f188c8
SHA1 6a1444f2bce967ee7b820ffd81426df6a5abdeb4
SHA256 575f534dbe27f16511454e4fe9c48821e7c373203baf7cf1cba031cb9e3b39f5
SHA512 01dc9a84c9d98402e0c7f0e12c23600a227805a96b8fe4d12b06167dd564deb9ecc6cad2e8a834ee643e207ec3096eef0eb7d82b683d4e76ae899ef0741a6fdc
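The memory/PID-N-start-end-memory.dmp names in both Files sections encode which regions the sandbox dumped, so parsing them gives a per-process map without opening a single dump. Two things stand out in the data above. The 0x140000000 region of 0x185000 bytes recurs in the process that performs the WriteProcessMemory calls (1364 on Win7, 3520 on Win10) and in its predecessor (2476, 3144); 0x140000000 is the MSVC default image base for 64-bit executables. And every process with a dump listed, including the side-loaded copies that were written to, holds exactly one 0x7000-byte region (2476-1, 1364-50, 2096-85, 3000-102, 2012-120, 3144-3, 3520-50, 5096-80, 3912-102, 4404-119). The Python below is an added example, not the sandbox's code; it takes a subset of the behavioral1 names copied above as constructed input, reports distinct regions per PID, the PIDs with a mapping at the default base, and region sizes common to every PID. Reading the uniform 0x7000 region as the injected stub is an inference consistent with the Dridex Shellcode and WriteProcessMemory signatures, not something the dump names alone prove.

```python
"""Map sandbox memory-dump names to per-process regions.

Added example (not the sandbox's code). The names below are copied from the
behavioral1 Files section as constructed input; the same parser applies to the
behavioral2 list. The memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp layout
is read off the report itself.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)
X64_EXE_DEFAULT_BASE = 0x140000000  # MSVC default image base for 64-bit EXEs

# Constructed input: a subset of the behavioral1 Files list, plus one non-dump
# entry from the same list to show that it is skipped.
SAMPLE_DUMPS = [
    "memory/2476-0-0x0000000140000000-0x0000000140185000-memory.dmp",
    "memory/2476-1-0x0000000000240000-0x0000000000247000-memory.dmp",
    "memory/1364-4-0x0000000076F16000-0x0000000076F17000-memory.dmp",
    "memory/1364-5-0x0000000002700000-0x0000000002701000-memory.dmp",
    "memory/1364-9-0x0000000140000000-0x0000000140185000-memory.dmp",
    "memory/1364-12-0x0000000140000000-0x0000000140185000-memory.dmp",
    "memory/1364-50-0x00000000026E0000-0x00000000026E7000-memory.dmp",
    "memory/1364-57-0x0000000077121000-0x0000000077122000-memory.dmp",
    "memory/1364-60-0x0000000077280000-0x0000000077282000-memory.dmp",
    "memory/2096-85-0x00000000001A0000-0x00000000001A7000-memory.dmp",
    "memory/3000-102-0x0000000000290000-0x0000000000297000-memory.dmp",
    "memory/2012-120-0x0000000000190000-0x0000000000197000-memory.dmp",
    r"C:\Users\Admin\AppData\Local\oC6JnlpOk\FVEWIZ.dll",
]


def parse_dump_name(name):
    """Return pid, sequence number, start, end and size for one dump name, else None."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def summarize_regions(names):
    """Distinct (pid, start, end) regions with how many dumps the sandbox took of each."""
    counts = defaultdict(int)
    for name in names:
        rec = parse_dump_name(name)
        if rec:
            counts[(rec["pid"], rec["start"], rec["end"])] += 1
    return [
        {"pid": pid, "start": start, "end": end, "size": end - start, "dumps": n}
        for (pid, start, end), n in sorted(counts.items())
    ]


def pids_with_default_base_image(regions):
    """PIDs that have a region starting at the x64 EXE default image base."""
    return sorted({r["pid"] for r in regions if r["start"] == X64_EXE_DEFAULT_BASE})


def sizes_common_to_all_pids(regions):
    """Region sizes present in every PID: a uniform private region across a chain is worth a look."""
    sizes_by_pid = defaultdict(set)
    for r in regions:
        sizes_by_pid[r["pid"]].add(r["size"])
    return set.intersection(*sizes_by_pid.values()) if sizes_by_pid else set()


if __name__ == "__main__":
    regions = summarize_regions(SAMPLE_DUMPS)
    for r in regions:
        print(f"pid {r['pid']:>5}  0x{r['start']:012x}-0x{r['end']:012x}  "
              f"size 0x{r['size']:x}  dumps {r['dumps']}")
    print("default-base image in PIDs:", pids_with_default_base_image(regions))
    print("sizes present in every PID:", [hex(s) for s in sizes_common_to_all_pids(regions)])
```

The per-PID map is also the quickest way to decide which dumps to pull from the sandbox: the first 0x140000000 dump of PID 1364 for the unpacked image, and the 0x7000-byte dump of any injected child for whatever was written there.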