Malware Analysis Report

2024-11-15 08:50

Sample ID 240120-bcmttsggaj
Target 6913c976717f771261d42365e9ed8940
SHA256 f3ca4c539c12c3d56e02f61e3aa2def83515305b89bcbe17274ac895313ad46a
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f3ca4c539c12c3d56e02f61e3aa2def83515305b89bcbe17274ac895313ad46a

Threat Level: Known bad

The file 6913c976717f771261d42365e9ed8940 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 01:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 01:00

Reported

2024-01-20 01:02

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6913c976717f771261d42365e9ed8940.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\sqaZ7\osk.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\xQu\wbengine.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\KVQ7cn49HUu\\wbengine.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\sqaZ7\osk.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xQu\wbengine.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 2732 N/A N/A C:\Windows\system32\osk.exe
PID 1272 wrote to memory of 2732 N/A N/A C:\Windows\system32\osk.exe
PID 1272 wrote to memory of 2732 N/A N/A C:\Windows\system32\osk.exe
PID 1272 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\sqaZ7\osk.exe
PID 1272 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\sqaZ7\osk.exe
PID 1272 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\sqaZ7\osk.exe
PID 1272 wrote to memory of 2540 N/A N/A C:\Windows\system32\wbengine.exe
PID 1272 wrote to memory of 2540 N/A N/A C:\Windows\system32\wbengine.exe
PID 1272 wrote to memory of 2540 N/A N/A C:\Windows\system32\wbengine.exe
PID 1272 wrote to memory of 2632 N/A N/A C:\Users\Admin\AppData\Local\xQu\wbengine.exe
PID 1272 wrote to memory of 2632 N/A N/A C:\Users\Admin\AppData\Local\xQu\wbengine.exe
PID 1272 wrote to memory of 2632 N/A N/A C:\Users\Admin\AppData\Local\xQu\wbengine.exe
PID 1272 wrote to memory of 1712 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1272 wrote to memory of 1712 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1272 wrote to memory of 1712 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1272 wrote to memory of 364 N/A N/A C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe
PID 1272 wrote to memory of 364 N/A N/A C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe
PID 1272 wrote to memory of 364 N/A N/A C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6913c976717f771261d42365e9ed8940.dll,#1

C:\Users\Admin\AppData\Local\sqaZ7\osk.exe

C:\Users\Admin\AppData\Local\sqaZ7\osk.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\xQu\wbengine.exe

C:\Users\Admin\AppData\Local\xQu\wbengine.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe

Network

N/A

Files

memory/1964-0-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1964-1-0x0000000000390000-0x0000000000397000-memory.dmp

memory/1272-4-0x0000000076F36000-0x0000000076F37000-memory.dmp

memory/1272-5-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/1964-7-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-9-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-13-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-11-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-14-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-17-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-16-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-23-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-22-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-26-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-24-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-27-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-31-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-30-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-32-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-33-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-34-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-29-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-35-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-28-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-25-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-36-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-21-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-39-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-41-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-42-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-43-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-40-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-38-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-37-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-44-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-20-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-45-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-47-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-48-0x00000000029A0000-0x00000000029A7000-memory.dmp

memory/1272-46-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-18-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-19-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-55-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-15-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-12-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-10-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-8-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-56-0x0000000077141000-0x0000000077142000-memory.dmp

memory/1272-57-0x00000000772A0000-0x00000000772A2000-memory.dmp

memory/1272-62-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-66-0x0000000140000000-0x000000014028A000-memory.dmp

memory/1272-71-0x0000000140000000-0x000000014028A000-memory.dmp

C:\Users\Admin\AppData\Local\sqaZ7\osk.exe

MD5 82612ccff43b4bebd91d9be898bb905c
SHA1 08d8fccd8cd426736c0dbf8557390c95b03d1b0a
SHA256 ba6b30151a1b797b0057ff50b368dbfc0074038efdf61171d6dc1055abcf18a3
SHA512 18b72581f4dc265d4c3966023508a1aac6bb76c4ae51d68a52ab29d18c7510b565765df6f1a7c1474191a1a768139dcb172d8b8eebf4c8fb860b8e0eae153c60

C:\Users\Admin\AppData\Local\sqaZ7\UxTheme.dll

MD5 94db4f643fdbceaed6936c7a0a074b79
SHA1 69998bb161ae3e65a7f8fc569d4975e8d9858174
SHA256 580db80103977869c05569b0b74a36b18822d4eb641a76b10e3aa4d94deab4b1
SHA512 3130fe329f4062dc5c00feac1fe075c1210793683d6ecd8fe46aa3455e63807510f34946681a27c6f2475c579f4b465c4dfe70faf1a7cc137a4b3b1a734c4b32

\Users\Admin\AppData\Local\sqaZ7\UxTheme.dll

MD5 d39c9934e9c3afc06b325055bf1c1467
SHA1 b39c6e547f200b77b7336a45eda6067cafe16b8b
SHA256 32392eb6f8e0d41e363f943191f00e2b952bad593c935188047f0feb03fd2237
SHA512 26e71c6b236151b8a93ff36e4d1cd792ae8f4a188c40f1e2cf87ee737aa82aaa4630641cc7a92f15aa9d9c6afcf60e78583cd70df388845e97fcfe1218e1574f

\Users\Admin\AppData\Local\sqaZ7\osk.exe

MD5 cbbaf202fbf1b2933fe2e757e4999acb
SHA1 e8bf1f6ee44a5e344e3707b48001b7583f5b0e75
SHA256 89bf6ace53974e3a014dac5105d88c0723e7ccab24acf7bd148cd182fc73a97b
SHA512 b30b1c5849f60f9d17e1e4ed7c341ba4b7a83ddca8720bd7cc7baa1fa6daf77d09ed68c938eac070170cd1b57d95f3813c5a374d4f66d647c7e54415609ac125

memory/2840-80-0x00000000002C0000-0x00000000002C7000-memory.dmp

C:\Users\Admin\AppData\Local\sqaZ7\osk.exe

MD5 265b903c98fcaff6ed48b82e9b2627d9
SHA1 496b54a8e23731c1ec3fbe89cde134d9196df133
SHA256 e1fec0c9177b0aee052c7017a87cc73a36740617831fb6bd126b21030dddd9cf
SHA512 33dbf14321a4a8363b01412ad26c719cb144aab88fd3b3178a3ab9166a7fc5818be94398f78d8cc38a4d42c1c56ce6ce56ce8160e7e0095414b06307272bf9a9

C:\Users\Admin\AppData\Local\xQu\XmlLite.dll

MD5 966f7a7d8a2a143c2af2c974c8b6ef19
SHA1 9c56fc1d48f5c24be522e8f2cc19a77ac97388c7
SHA256 3f80d06d08f23d2eb6da4bcb62cf1d5f5af62c3774c83c4079b5483b193b3c00
SHA512 8b9195f8b26f55803741186f1b0a17f6704dff24b8caa6c86f47015514a0268143d85eea53c1a25cc661257f0f67bd3f0f25f446c8a3465d929ffb8a245d9d2d

\Users\Admin\AppData\Local\xQu\XmlLite.dll

MD5 83f261e4ff09b931b2ad336102616cb1
SHA1 8b3877159d4e72c79f8d204500b015eb34c84c60
SHA256 67a944af02e0dc98d6bd47c9bb5b69b55e738947fa5894f25cce201001f32d4d
SHA512 6f2e09def7f60c676ec1364fdfba5f7d124aa06e9e3d819391d0a653afb418e606b5c38523b98a37a9afa40a73254b29aa723def80e336e36ba1d67c8636254f

memory/2632-104-0x00000000001F0000-0x00000000001F7000-memory.dmp

C:\Users\Admin\AppData\Local\xQu\wbengine.exe

MD5 0e0bacce676a25aadcf28e49650761c2
SHA1 cd8e77787fdff7f3af285ee4a2fe826b205994d2
SHA256 dbfb61dbbce53afa43499ffa833ba1deaa141ad3d4551344b74dfa6a7f85d7ba
SHA512 3f505d7d6ba42bf7fd6cbe225b27089eed91565f8523c625568ab483399b4e2f0ffca59e86778b179ff68b3143eb1078756ab347a49877990040ccbb9f1c75f4

\Users\Admin\AppData\Local\xQu\wbengine.exe

MD5 4b687288782ed067b8385b1ae0ba1040
SHA1 dbb9e216f72f5f8fbb5c36b0ddaf43622532bb66
SHA256 669a123f8ba35da35caaa9a830c2b28e5158cb834b36f39b4e8984e6bbe56ad2
SHA512 bee16120a3207a572031e3c4e324fc5ea1ed971f0161d0044011344887ed23078d0bfe9a355d3e9bce8ee0cd0d1ff768f5a879a7e0bea4b7e5d8e2068693ea76

C:\Users\Admin\AppData\Local\xQu\wbengine.exe

MD5 a76c3ac80448aadf2c712820e5bd3788
SHA1 d23bfb2be8b63eefa70f2f0da3a70f1946a7f5df
SHA256 bc0b7c0c6054854c5d81972ddd19467589e13d987612490afcb2305673faca5f
SHA512 aeabf290f8ba234c88fdfb4862372f70e1f56ec378df4542a887ba65506cc414dd66cf23bd024cda04f053c220f6a25622fda6aff10d3eb9de329579dc9ab019

C:\Users\Admin\AppData\Local\Y4PRBO\SYSDM.CPL

MD5 2bf62b235ab0a21be522f0ef6c8eda3e
SHA1 de35da9db87d8f833f278a93ad18df5c006f0fcb
SHA256 a2d7b9bc28b54f1a7be608232250d68848ebe1b595072f655ae816f26e3f163d
SHA512 62fa4d5e55bbca88e5abc25949ac34a5f0185f2ae919118ad834fb6b4661674e2e38f382d83a2542703ac5ae3a8673fe6c76c7f698b7763bb5158edab9d68797

\Users\Admin\AppData\Local\Y4PRBO\SYSDM.CPL

MD5 d858aa91301e807f3d361ff0f9cc184f
SHA1 451c4b6353b780e7c4bde3f94c3710cf94008ed7
SHA256 d9a24787844f5d387b336f9cb390f1743acb9e9247cdeb1fa55b6ac7222e0507
SHA512 7cf63a2b5dd39cecca5e2d419ff0975d0747c872f1fb8b92263e36a45d7bb5032ce719b5a89d9cfcda9e2a961bc300013fe972d4c0271466e82ce946e2511ab5

memory/364-129-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe

MD5 74bd95429d5383e61874dad934730c21
SHA1 5000c16c2dd3f337d25315dc935db93a3bd51119
SHA256 f984ac688b17d9fae0fc811ce9a3f0d10eefd9189b7efa7fbecfa3869b314e27
SHA512 e4908a422586927b65d79366b554a20b24eadf835015929869de8ec09d11be96cf84abaabbe2b9f601c98ee032fabf71db0cc777b812471af558446534687c73

\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe

MD5 2c78be1298c249d6c50a3105c5ab0d91
SHA1 f51bf8e2b7f395e38ea34476d3f2adab69a2efc2
SHA256 55a4b6983566e2d444068127b9226a3431144506b609723a29bee8f23321446f
SHA512 1ce3d2b7119ff0bdb498178e84d7ea07729199dbe04681df591af77ccf9c4309e0e30a3dacb223d85a24db4f206e42efcfa905599c875cfe831227f3c6f49acd

C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe

MD5 ad9722789e5ab34bd33286d1d7e2e9d6
SHA1 c0106ac69144502be89179dd0f19e3476172eb9e
SHA256 1b4c3a8c45d6af7541e81cef0877c18bda3e43681881563cdfddc6e1ff6e5735
SHA512 d262ec76c0062bbbf347d26e065f9b8e2be03cd752b55e687247ecca5c5ac6ece7ba2001681b96ae51c156c7c1ef6c73d4375b523ab1e2b4af34b2d2d0814336

\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\oM3MTl86Uy\SystemPropertiesPerformance.exe

MD5 870726cdcc241a92785572628b89cc07
SHA1 63d47cc4fe9beb75862add1abca1d8ae8235710a
SHA256 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
SHA512 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

memory/1272-150-0x0000000076F36000-0x0000000076F37000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

MD5 77a4b3f3109d2eeddb0970ed422aa097
SHA1 4a005d623b99e448809b3828f3c37b3c91f8c7c5
SHA256 948bf86a8c4a53a80b161eff70f0024a9a9b28a94ce7348dd28fba94f3149a0c
SHA512 7b4e9de20ec264ecf4756108b9fc2719cf006b26f8481a4121cdd0c99457a6bc8066f2a38b7252fbe53c4c126a40af1e7c7198850cc05bac15c1546c70e02434

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\OojEKAxl7wr\UxTheme.dll

MD5 294380421a493ab1a2fbee72b2d34308
SHA1 b2571b067328f5cd842585bba832d5a4ebd498e5
SHA256 ed7384fd815236dbe2884caad341932453a7d0207fa5a7839f32032cfac7ed01
SHA512 5ba1340fca5534d09de2fa98226c957b21738e655ad859590668b540a0658fd2f9a1bd5c2481c0a1da7a542c23c58a4c55d9b31982f9f0cdbd38c21bc4512ed1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\KVQ7cn49HUu\XmlLite.dll

MD5 33dc3f101a3dd47cd9d27487ed4f0c89
SHA1 f3337514e88b278750e800bc6913b130ad82d74c
SHA256 0dc27192b4b5b64fa48e2af7de154d164e787d05d64b90add64d010ae504c6d7
SHA512 73178ec64ff165ac5ca39834ce0035b254fa72bd85e7bed3b8bb0add969d91ecf1709716afaee0af6405f8cc11097b0bcccb45f4fc364dcccb787ae765d1a937

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\oM3MTl86Uy\SYSDM.CPL

MD5 ff94c2777d864da474251275a67a6a21
SHA1 27cf58296d4d74217588073018aaf596d04b3324
SHA256 2998641fc3542ad418739e98697718594f28dc8eea0d9bd8adb8b9545082260d
SHA512 982dd91511c6d4d1a01acaf139600b7a81fe8f2756bc99963cdc038d7b619492a9115ead099480bc4f528888a4d133cd1c37453872f8662dc46ce78e69d5fb9f

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 01:00

Reported

2024-01-20 01:02

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6913c976717f771261d42365e9ed8940.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\UbAqzoaRr\\FileHistory.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\j72g\wscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 4180 N/A N/A C:\Windows\system32\wscript.exe
PID 3368 wrote to memory of 4180 N/A N/A C:\Windows\system32\wscript.exe
PID 3368 wrote to memory of 4404 N/A N/A C:\Users\Admin\AppData\Local\j72g\wscript.exe
PID 3368 wrote to memory of 4404 N/A N/A C:\Users\Admin\AppData\Local\j72g\wscript.exe
PID 3368 wrote to memory of 2808 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3368 wrote to memory of 2808 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3368 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe
PID 3368 wrote to memory of 1920 N/A N/A C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe
PID 3368 wrote to memory of 1628 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3368 wrote to memory of 1628 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3368 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe
PID 3368 wrote to memory of 2740 N/A N/A C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6913c976717f771261d42365e9ed8940.dll,#1

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\j72g\wscript.exe

C:\Users\Admin\AppData\Local\j72g\wscript.exe

C:\Windows\system32\FileHistory.exe

C:\Windows\system32\FileHistory.exe

C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe

C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

memory/2364-0-0x000001E65DDB0000-0x000001E65DDB7000-memory.dmp

memory/2364-1-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-4-0x0000000002960000-0x0000000002961000-memory.dmp

memory/2364-8-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-7-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-9-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-10-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-11-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-12-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-6-0x00007FFBC930A000-0x00007FFBC930B000-memory.dmp

memory/3368-13-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-14-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-15-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-16-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-17-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-18-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-19-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-20-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-21-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-22-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-23-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-24-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-25-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-26-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-27-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-29-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-28-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-32-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-30-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-31-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-34-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-35-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-37-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-39-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-40-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-41-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-43-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-45-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-47-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-48-0x0000000002920000-0x0000000002927000-memory.dmp

memory/3368-46-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-55-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-56-0x00007FFBCABC0000-0x00007FFBCABD0000-memory.dmp

memory/3368-44-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-42-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-38-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-36-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-33-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-65-0x0000000140000000-0x000000014028A000-memory.dmp

memory/3368-67-0x0000000140000000-0x000000014028A000-memory.dmp

C:\Users\Admin\AppData\Local\j72g\wscript.exe

MD5 13551f0e862ff11791f590fbfb6c168f
SHA1 4bc640fc6714ac477a52409085988eeea3111a7a
SHA256 d7ca3b728722ae4e2b1cc75b689b989f4938c2f333f8715bb5931743368d2156
SHA512 a4ec387c4755c26921e241e5fedc3f8f94a611c91c849e630383761bc431e4657095d0b6900e6d8e5826b6b38cd73ab39f7e66cca7c1cd90243bc1c3ea028a56

C:\Users\Admin\AppData\Local\j72g\VERSION.dll

MD5 f860d9536a778bd6847453c8dff01b33
SHA1 6982321f1ee69078ff24b6dbf1ff673183bb296b
SHA256 d6e6faad725b215cd10aa1b31727a6a0bc474cd8702b71e1480e8afceb6b5ac7
SHA512 c185e4f53a7f2c85e0035191aceee6585af7b750df5dbceafbdf93d099b258a25af9a45998fc2f34545cd9504a70f4bce5fd405e2230afadcbcb166e0069c575

C:\Users\Admin\AppData\Local\j72g\VERSION.dll

MD5 33cfc1a00fd09b900c9ca572409494ba
SHA1 448741a0dda54d729b7925ce0b10a7398c7eeba1
SHA256 2b56731e4390c3d88821cb3c20057219cf9e3d1a2affad8ae9c4470993d103dc
SHA512 b880b4ac89ca6fae9e448070d40d0212350d47e43aece4670817e9b27624ffd16f4f18de879947493eb55680454bbf7a81bc1ab60c9f3923e94e4e2369295344

memory/4404-76-0x00000179B7AE0000-0x00000179B7AE7000-memory.dmp

memory/4404-77-0x0000000140000000-0x000000014028B000-memory.dmp

memory/4404-81-0x0000000140000000-0x000000014028B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\D3S4bU\wscript.exe

MD5 a47cbe969ea935bdd3ab568bb126bc80
SHA1 15f2facfd05daf46d2c63912916bf2887cebd98a
SHA256 34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100
SHA512 f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

C:\Users\Admin\AppData\Local\HhFcEWh\UxTheme.dll

MD5 c0e2989a972a0fd1d863741a30c8d16a
SHA1 4629c7156e11c138a8df21343498a5d88d4db6d8
SHA256 2dcb4f1052cad7d06e2f9a467a238befb230ab769c948b75a0272cbe7dca85b7
SHA512 90d2b252c4ad761f02f80b34bc2203733bc10418c591bcf82b8cb2a5c261fe82d6850e8431f5ad02e470ba55c1dd659f99a10ff9afde7f30ea2b7188339d26c7

C:\Users\Admin\AppData\Local\HhFcEWh\UxTheme.dll

MD5 e0a462cbc5d21ecbe2c1ed4cd4d00fe4
SHA1 73e86bccfcd35662d4ad390617bde1eb4cb30c35
SHA256 b256e55e0e5a2b76867661090fd0bca5e0b8b74bb9dd8dadae86b1bdd9e3f52b
SHA512 86eed1fcf56fb48ac300973e9ad6d6fb90a436c74e85552b3f2b53d067e983c781e5e156cf670f04611eb61f0ca8bb4e825446a8af8f69826cfd2b0480a18dbc

memory/1920-93-0x0000020E92940000-0x0000020E92947000-memory.dmp

C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe

MD5 71c68c1755a51168a641b72db88e21f0
SHA1 753b07aa014cad800684e28656044b4c8ebf5e7d
SHA256 62231cb8fa31621b1672fd9c3365005143ba2b839bb3ecf1aa389a4fd1e780e2
SHA512 c5a4b2068a10f773169557d64f4f5351ad617f973b3ae62c226b392fd13143e143be8bf3eff0dda5bc40ed25a3b115c830939b60b8453f95a5faa16bab0f551c

C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe

MD5 6fff8baa880c9fe7f4444fd7ae9c7663
SHA1 918a6474d9e9df22c00be6f5b528c47dbbcbf4e9
SHA256 774efb39deba8ecf1cb96e3f7b35ab12e7ac8284136e7398213f7004d48ebc6d
SHA512 c715b8cc14c620451eabdb65b8a01f2d4c5996831a7aa299902619ae7aefbb54ff63997c68f304e719dfb872a94a375ab026a0398545c86ddcb4bee3c36ba068

C:\Users\Admin\AppData\Local\wEeE7UHW\WINSTA.dll

MD5 1466064bbfdff42e043f14a00f4cb2f6
SHA1 d119cf2d43815d2fc9fafcae94e26736ab821153
SHA256 ba47d9b2408117b7f48abadd4ff36f20a7358dfb34d9db221a28c3c9111cf3b8
SHA512 71808dcb377ebda24d4914e4351649ba8b1ebd26887c5a620bbfea74717dcbfb1ac3ea9d9d9211966bb26bbb75c70e3ce3ebf89559efd55af488226691df3f8d

memory/2740-110-0x0000025AD1DF0000-0x0000025AD1DF7000-memory.dmp

C:\Users\Admin\AppData\Local\wEeE7UHW\WINSTA.dll

MD5 0bc6f42d8f922c774b7ee4d90d99cfd9
SHA1 16e71eb1bd9a777875f3c45fcf2f0c9580691e21
SHA256 6520e561cf1f811574e23922f559e580742407796caf1c5100c55639b2e79a7e
SHA512 10fcd908d21cb225dda27e3809dd69c0e4582f74ed5ea5f2fba8b8bfe47125582b4d650c6ce1b2c2e282f7aadb64f0929a8247ad649ac8e21b31f281d0f73485

C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe

MD5 0d5b016ac7e7b6257c069e8bb40845de
SHA1 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA256 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512 cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

MD5 1084a0430bc74734cb9de98d321905f2
SHA1 bfe1d4da7470285f2597a9ee9fac717743718aa0
SHA256 685120edca3b6d6c6ed9866ebf8a591fab07a77dfe22d436f2d10bb5f84dce58
SHA512 e22ba8da75c090b1b305a48e9fb9121a17c1c88417b1bad65e5ba2fc20ff9e6c60ad024501f6f446c9631e72ebc15ef0f3815496efd48505ae20fa8e758e502d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\D3S4bU\VERSION.dll

MD5 8469e2e301699c9872ab52a393213a8d
SHA1 c0e3f6110939983923ca9958fd0171f52ab99d7b
SHA256 3f7df7b9d11eb43a173a4d5aef3003004c2e89071b7148495f2cf4ba689521ab
SHA512 8add8e569aa0c97a76a4cdaed6dc59c0ae28c1461157b92678fe77e5d4bf99cf47204f6ac8913f723fe3a2ed7e29d7d5f34f109ebef7e40eb4f97f9eca709853

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\UbAqzoaRr\UxTheme.dll

MD5 aa8f6f8e186b92078204d1cb5c1459b0
SHA1 fe520c2e4e9eac5e73dd09ce0757a75281c5f32f
SHA256 c0c038a51c9d7c53ce5dfd505c421bc92e7931cd201a5374c6cae3965c0780cb
SHA512 67ee8c0e59f00584501afee58b10e3d466bb1d110b85fa2ac98f0e4befe0d4b8a039ddf2ceec52b5bbf16cfbd17ecaf1aab7fc3503e5e410e6825c72731c9644

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cl\WINSTA.dll

MD5 de56ccf2370e278c425c1585c3cfa7d5
SHA1 20b97859173fc6b89997501d29b800acf4579c8c
SHA256 07a2781482a4cc8e88fc4eb4189be00dc1cf7d7f05d52f9257865a35a8e2a7bc
SHA512 9ae0e3b0227ed95b28254b52cb972408e2a79011b0b230a530e9b3d2af3b70b55dbe71bacc986f2599e29aa1c81be78fb74ceddd9d2a671bb9d2a3acbb610d1f