Malware Analysis Report

2024-11-15 08:50

Sample ID 240120-plg7lahhcq
Target 6a6b1b2cfc389798b42fa591a501875a
SHA256 0aecdf55017f43fa0c4a2c407c639d854fb2fddd9400e047d573b163596ef7f5
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

0aecdf55017f43fa0c4a2c407c639d854fb2fddd9400e047d573b163596ef7f5

Threat Level: Known bad

The file 6a6b1b2cfc389798b42fa591a501875a was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, persistence, trojan

Dridex

Dridex Shellcode

Drops startup file

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 12:24

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 12:24

Reported

2024-01-20 12:27

Platform

win7-20231129-en

Max time kernel

150s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a6b1b2cfc389798b42fa591a501875a.dll,#1

Signatures

Dridex (tags: botnet, dridex)

Dridex Shellcode (tags: botnet, payload)

Loads dropped DLL

Process
C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe
C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe
C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe

Adds Run key to start application (tags: persistence)

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\Low\\6qzS02ZGQEk\\PresentationSettings.exe"

Checks whether UAC is enabled (tags: evasion, trojan)

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process:
C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe
C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe
C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe

Suspicious behavior: EnumeratesProcesses

Process
C:\Windows\system32\rundll32.exe (3 events)

Suspicious use of WriteProcessMemory

Source PID Target PID Target process Writes
1376 2748 C:\Windows\system32\BdeUISrv.exe 3
1376 2880 C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe 3
1376 2856 C:\Windows\system32\PresentationSettings.exe 3
1376 2932 C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe 3
1376 1904 C:\Windows\system32\TpmInit.exe 3
1376 1612 C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe 3

Uses Task Scheduler COM API (tags: persistence)

Processes

Process Command line
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a6b1b2cfc389798b42fa591a501875a.dll,#1
C:\Windows\system32\BdeUISrv.exe C:\Windows\system32\BdeUISrv.exe
C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe
C:\Windows\system32\PresentationSettings.exe C:\Windows\system32\PresentationSettings.exe
C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe
C:\Windows\system32\TpmInit.exe C:\Windows\system32\TpmInit.exe
C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe

Network

N/A

Files

\Users\Admin\AppData\Local\78FYwIu\WTSAPI32.dll

MD5 0ed044f01d09402b5d18e434a4f80f27
SHA1 0eba20f35ee69cf7fec1cc11aac8a2850007c455
SHA256 98cb94003307f35c2a627afc90754bea7343266a2fd5b36983ac3936d1f4aaaf
SHA512 9c8c47dbfc4bf8af3bf7fee277204f454e51707725f44623c2e3e6698d4b5a03fff21bc3b8895e75ae0e21ade7043b19737591f366ea7ac8f0fdcaa3c595dda4

C:\Users\Admin\AppData\Local\78FYwIu\WTSAPI32.dll

MD5 d0938eafa3aa38ec4042d798cf02009a
SHA1 2386635f38732b139df7f5f1644425b17740f5c7
SHA256 f95401c58cdd855647715d6028f7d20906b733db4509ea8e0178407f5be3ced9
SHA512 f091166901ac32d7a2db5b1fd6d558fefcd9dfeb1ecb8ca81e7f19a34de81223aaf5bc35460ba06c09955fce53a1a531fa8bdd2a621bc127384bf5a365a6f010

C:\Users\Admin\AppData\Local\78FYwIu\BdeUISrv.exe

MD5 1da6b19be5d4949c868a264bc5e74206
SHA1 d5ee86ba03a03ef8c93d93accafe40461084c839
SHA256 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
SHA512 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

\Users\Admin\AppData\Local\kLV\WINMM.dll

MD5 b78e5ed769649523be9cd7e66dbae9eb
SHA1 a6fbae94665dd0cbdf72130f954a5b42644dda68
SHA256 7ef3160c3a03e77f12df97e1733696c84060ba9b43ff0d6e299ec8c98f4d1d43
SHA512 493815eb4d185b948c108d7c4fb23eee2304a59f3cd124145e64093cd16add028f291a66cc1247656ccebc10e5a460224ef0cc5890d8513311f5dfc7e03baae1

C:\Users\Admin\AppData\Local\kLV\WINMM.dll

MD5 468d2c71bbfd85067a5dfe0b0e51f391
SHA1 5042fa756c67a0ab7bc3cb4a7233735de611264b
SHA256 07a6f7e5849f70f8b4515aecfa399ca3fce6811c7a4202f9d46d676cb15a99ff
SHA512 0a843d455510fb573c0d40b8c280024cb123fa0ea3303bf55d80690c4e0ad63c20f75f52d656d51374055cae75174d192494619e5d993b74ab33311122c33377

C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe

MD5 9881ef3b0061047d87a3c953cada7ba5
SHA1 636b68dd77eb9f60ad317f09efc5ca25ef9d33d7
SHA256 2b35c8ef24690e7452cc443d4c5efac92ea831eec1240ec171c1f329279f26a2
SHA512 c28c31a2bad27bd02930156c8b31810bfc362b42eaf39ad007eea5fb1e6a4898d6a50507279d2ca39faf4aaaa849b5333983c6cce378fddfc2e762699ce8d67b

\Users\Admin\AppData\Local\kLV\PresentationSettings.exe

MD5 f43111e470dc3ff167058422c7058255
SHA1 b9078991697074f2d0c15585e4a205ceaa2a563b
SHA256 a2ebeb1eb46d03e7cf29f0255db9ec4857917af2905f52421a2fea72797576ee
SHA512 4696d8eb1485b16eb6d0f6d94b9444f3344b83eecb11b9cd2066c2c5a2534325abee3769cc0c77f114096cd23fc70a88356af25561235aa27995222ef41c3f1b

C:\Users\Admin\AppData\Local\kLV\PresentationSettings.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\S1xY\TpmInit.exe

MD5 60998f8a5e6a44be228dd1e9252008a4
SHA1 62e67c590cdfbf95310b00f0c1cdb2cfa815de10
SHA256 54a6767aef6e416039eb69fdd1477f6506df2ea4fe4a1c4186a283036c5a032f
SHA512 0e206622b2a0bf47b681d243141967973be0f60958896eb96a4b03a4560097ff4d2acc1f6c57ad87da30a8ab98969ad14e9dec2f8f52538c8f7a2015cd9dc70e

\Users\Admin\AppData\Local\S1xY\ACTIVEDS.dll

MD5 33dc2ce41ff9f725adebbbc23c0689e8
SHA1 84aea24a4d475e74cda12952c8f58cbda9406502
SHA256 dabe8f9d76546415ddbe9de7f7e37212955d264ae59fb22e1ce0382d07ed3c05
SHA512 dcffda46aa6540588319ae6ac85da90c18f87bba77738e62bf1d3ed12526047fc0a6425b5add07b15cd98610576ed9bf21b92a8c34f68fcd73db2550a762e74f

C:\Users\Admin\AppData\Local\S1xY\ACTIVEDS.dll

MD5 8dfe271a2eee0e62cbd6265b7e6e0eaa
SHA1 6475b3db24a6bd213615102e74d84a80b30943ce
SHA256 c7eee6438f1e09bf57f2883c5f04f23c6d43911d2e218eabd75d2d3a1f4c7907
SHA512 6617f4a7926de203751d703caca5581536ba22502f9d051b05dc2b19e308721ab87db1b464d1add3e33e73cf9cbea025f0c77bd49287dd165116f57f0d38c8bc

C:\Users\Admin\AppData\Local\S1xY\TpmInit.exe

MD5 f84bc948f77db38303ecfe1f92e39d73
SHA1 66492270dbce27b7ac06239cfbaf042ce9280bdb
SHA256 dff9f2bc2d3bc7444d7952566a0b7e3d73d69ab56387336860c1fff13f4ac72d
SHA512 155d65559f7d7431629a2b6355957d15c9e82f529cb93aeab2652df28abe88ff8b6495967c4ef26c3fe9157acfe966c647037fa6368e83f2af38a460d8b6b418

\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\vS2GjI\TpmInit.exe

MD5 823c5c9c82be14e0f57c116d633a25ad
SHA1 cfb9785cbf9cb784d18a3e0a09d24d99d19c73b9
SHA256 229fe92cb27bc94b3492ed294ef1117a77ede1310baf58f86b5bf9762b13d51f
SHA512 e441563aabf6470e7d4687ca61b5ce7aa8fdce73fa56d1ff8629c25801d0ab1d396760c5a085cb7197c04eb645c71a89bb8e777919d7e68083af25bde51e565b

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\vS2GjI\TpmInit.exe

MD5 40837885276d2e7ee109a8e5fb3c810e
SHA1 0d69bb43bceddf249e9d23c04f6d63070d89651b
SHA256 adecd79c7125dec9f4f34aba7d81a2158c4f1bfb1ce4ac3c937ebce332c0eff9
SHA512 d928080c65cec0e3c99631393694cd01d45561ec398019596b14920a76e7bf4b732ae36d808292264acc546d1c22b80b540750c168d28e32e5c44cf46a5780d5

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

MD5 6af3e4b186d76a6e4394b00e7479f4a3
SHA1 ea018f48d27fc13335767ff4784ce8da81bf0143
SHA256 3d7e3012b04da7ca139f0b5786f50a679d69975916638f6ef05a56667f7ad218
SHA512 36ba2a0b13f320e5ebd84ff8941f6e25b8cba471012cb487edd131305a00aac6b86f032d883b63cc84f58499f22983cb333961778b81257c5e76449dfb356728

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\7PV2N4\WTSAPI32.dll

MD5 0652b3de3cf062d5383811c999ea413c
SHA1 808094b5ea7891d91522b729693ea034f1c1c565
SHA256 66a0d7df9ab3152078526d178dd4672c71d061919b0e95b1bc939f62f9dc443e
SHA512 4e49bb1ad3587daa3bcc3d51aaa21c7e54532c0e31259586ef192435adf81e71ddcea71deb76edd79a567a114b84c18821b71deac5ecbf33e14a00a11100da5e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\6qzS02ZGQEk\WINMM.dll

MD5 a9ec62a845004ec7d3448e8d5411575c
SHA1 a20790b48be83a45ceb349416a78b5d9e34983a3
SHA256 deddcc236ffe1dbfc556355073792dcda5f82796009226feef43d26c13188b09
SHA512 8855d120f418bfba4aaba8ee88e062a41ffce7ec3b76c1e346e2cd3df19938c4fde6b58c2752fc65af80af23e6264cb639345a146cd3eddc2a424293436eb397

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\vS2GjI\ACTIVEDS.dll

MD5 79a1353d496f07f627cb487c588ea6da
SHA1 e8e0c725b1b01f3984d3d12d8b202dda554998cc
SHA256 4a96af6c8dceff06d888ad3d73edba02bdf41452301708bee4906adaf936f308
SHA512 a1e8201e9d528f7eac80371342ad0a8924e75e397f8086899e0d657c831b3ed1d45f61a746f2f171266ca6d5a80411d89ee186d1a7b32d362896606109d1ac85

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 12:24

Reported

2024-01-20 12:27

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a6b1b2cfc389798b42fa591a501875a.dll,#1

Signatures

Dridex (tags: botnet, dridex)

Dridex Shellcode (tags: botnet, payload)

Drops startup file

Description Indicator
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYQ\FVEWIZ.dll
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYQ\BitLockerWizardElev.exe
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYQ

Adds Run key to start application (tags: persistence)

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\VU6ip3zKf\\mfpmp.exe"

Checks whether UAC is enabled (tags: evasion, trojan)

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process:
C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\r3k2\msra.exe
C:\Users\Admin\AppData\Local\auaOx\mfpmp.exe
C:\Users\Admin\AppData\Local\sfsFTIoji\BitLockerWizardElev.exe

Modifies registry class

Description Indicator
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: EnumeratesProcesses

Process
C:\Windows\system32\rundll32.exe (4 events)

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Source PID Target PID Target process Writes
3528 3988 C:\Windows\system32\msra.exe 2
3528 1956 C:\Users\Admin\AppData\Local\r3k2\msra.exe 2
3528 1728 C:\Windows\system32\mfpmp.exe 2
3528 4328 C:\Users\Admin\AppData\Local\auaOx\mfpmp.exe 2
3528 4804 C:\Windows\system32\BitLockerWizardElev.exe 2
3528 4272 C:\Users\Admin\AppData\Local\sfsFTIoji\BitLockerWizardElev.exe 2

Uses Task Scheduler COM API (tags: persistence)

Processes

Process Command line
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a6b1b2cfc389798b42fa591a501875a.dll,#1
C:\Windows\system32\msra.exe C:\Windows\system32\msra.exe
C:\Users\Admin\AppData\Local\r3k2\msra.exe C:\Users\Admin\AppData\Local\r3k2\msra.exe
C:\Windows\system32\mfpmp.exe C:\Windows\system32\mfpmp.exe
C:\Users\Admin\AppData\Local\auaOx\mfpmp.exe C:\Users\Admin\AppData\Local\auaOx\mfpmp.exe
C:\Windows\system32\BitLockerWizardElev.exe C:\Windows\system32\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\sfsFTIoji\BitLockerWizardElev.exe C:\Users\Admin\AppData\Local\sfsFTIoji\BitLockerWizardElev.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\r3k2\UxTheme.dll

MD5 836db5aa3379da7be07bbffde22b50a1
SHA1 0660f2b3ee85fddf49974d4d8d8e573dedae18c9
SHA256 d0b618fb197f9206134900728a5908890bec2d78020ba6ddcbe2832453df909f
SHA512 5f3d7fb2d3d8959634426f1fe6462f91ce5d7361c1d5b22675478e2429e7eae2e7811c8c7a0583c80d11a085eafdb5134e7d8fee49c6f9bf47c4f9dc53e5b935

C:\Users\Admin\AppData\Local\r3k2\UxTheme.dll

MD5 158efa34afa3ad3ecdfebb44d64bb127
SHA1 cd7baa1e71aed07a304a16f3e98606687343e231
SHA256 c26594a0522018aa15828f5f9f04a104bb6504ea3512c2a756dae0f8273cff8f
SHA512 a8e168b026cdaabff5f60b1581370cbcdf66138326a1a6675fa9ac11ee4ea48e8fc8620833560ce80d0f09403c0963aa70835c0e2449c5985cfffe054055df72

C:\Users\Admin\AppData\Local\r3k2\msra.exe

MD5 d586ea3ba1d29a5b754aea8f3f703a03
SHA1 929a309d54715e224198385c5e7721874837f7a1
SHA256 995f930c3b4310c9449e4e585a9bd718a313ed4c1aaadb3aae64cd2fb46dad7e
SHA512 15fc78a448e8e2bbd7de2b50f222390a985999a35df2379ec8c874f69afb33823d6b5b04e3d98cea30ba6fbc7d847d47a89e1bbe3735715b9aa531f4abbbb5de

C:\Users\Admin\AppData\Local\r3k2\msra.exe

MD5 400b880bdce2445fc113b4a5e2a2499b
SHA1 8eabb5b795f392e64faf5f3cb581ae0cfd701019
SHA256 60e3525be63b45a54e2bc10e0199fba7b603f98fb3eccba71fd0a1befcfd193d
SHA512 be123bc05d53de478af7c5225b0e619a07ee5edf80689847da0c75b2121334145c9c16d360a4757d303168a83335cf694207121310a999c8de1010784d0dc56d

C:\Users\Admin\AppData\Local\auaOx\MFPlat.DLL

MD5 927238ffdcadd5fe585d632ec8755962
SHA1 ae8b86a22949aa8973174ab5e9d9cd3dd29460ff
SHA256 2c5738fa5c2f46fa8f911fd65fef4287d5245145ebb535c53eef5ed5bd20ec46
SHA512 1debc5cd22a063dcef7d7348cd956bfa047d3ebf496ce4928a2e377018d00a486ae78fdedcb21261f3bddce115162c5360718f685b8a20b88b366aa25a0d0857

C:\Users\Admin\AppData\Local\auaOx\MFPlat.DLL

MD5 cd9aca571d930d4295f7915a8f4a461b
SHA1 98aafc34634d74c1a07fcf3c56dabdb98c64b5b7
SHA256 57ccdd0297d5b773b779e376ad3305f119b25371610617f2d7bfd2642a249307
SHA512 ad99507fc1f390c34605919d8eab753a431328d247bcadc485762de51557c5429073e395444f870867a09107f470d847e68ee52537bfa3be052f367013e4314f

C:\Users\Admin\AppData\Local\auaOx\mfpmp.exe

MD5 8f8fd1988973bac0c5244431473b96a5
SHA1 ce81ea37260d7cafe27612606cf044921ad1304c
SHA256 27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e
SHA512 a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

C:\Users\Admin\AppData\Local\sfsFTIoji\FVEWIZ.dll

MD5 07eaf9359d605cf013b20aa816c83efa
SHA1 2858d90d8a421ae05d03175618854f2b3619637e
SHA256 50c83c7a9609fe5aa74118b5626ff8918bdc163c7aab308db3f38223184664fb
SHA512 88292cd28ea8fa50318f4447d187ebb4735305e47bb2676bcfc33ef79441be55dfa002c48cbef56f9f43dcdde4860958e82792602d450f57336d106e728c21b1

C:\Users\Admin\AppData\Local\sfsFTIoji\FVEWIZ.dll

MD5 c875067683ede9ca8e686ab7ade73a5a
SHA1 716bfd7182f301731661ddb1f7503e5a113672db
SHA256 364902b3e3a5e974e36ba9a573c3e84fa103cc2a994b371fc34558275d1730d8
SHA512 873aed324231eda4e63f6659f4d23cf7c0bab0d55daa7ff9d70270b77afada347d823e3383336bb53775971229135683288d10d76398c8ae185862112c9f0d1e

C:\Users\Admin\AppData\Local\sfsFTIoji\BitLockerWizardElev.exe

MD5 8ac5a3a20cf18ae2308c64fd707eeb81
SHA1 31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544
SHA256 803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5
SHA512 85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 856e649b8cf113ee7f060663cf12d3c5
SHA1 2d4419fab7652262407d243f69804e4668faf176
SHA256 9adff31fcdb6ca24e3912682f6c39bcfd0323b5cb2183f726f667b79ac59fcd6
SHA512 7208aacb2ac49d19fd0a8156d6395aaaf2c580d1cd3d6fd98cab4beaa8ca9cd4bf1cb6711d01b0640008670f7c2a65584f668b00ce296a52590a47040daa72b8

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\updCasWY\UxTheme.dll

MD5 6e23852bae62ddb9fd140ba5c6daa4aa
SHA1 53d9c7d5fccab9d287ae1d3b14a88349e852c0ff
SHA256 ad69d03399366c65b3018550e04253c45df83e6efede52852ef947e96dcf31ff
SHA512 f85dfe8b330ae060e2805ad84a5879484467ef56f04b19c6b1f56b2f6fb0bfe486d77a4c490459c6b28c71f72cba2924418d2fcb16a9a8fded283ebc3fdc2f7a

C:\Users\Admin\AppData\Roaming\Microsoft\Proof\VU6ip3zKf\MFPlat.DLL

MD5 f208ef34299c376b1c1c84948f84594c
SHA1 53ead9ade4f3cacf12e7dcfef0a058c0d35dd12a
SHA256 6b2a5b41e7e1d761cfd5afb83987ef3722a65483b8387b19b5c8a5163dd5cbb9
SHA512 b409a0b2ea64cd7e823c0e33c3919906be9bca34152484c0ded645f5b35be351b69983039ad27db90f8fe0bef74a2de08cf2cc849c803aca006b2785d88b30de

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYQ\FVEWIZ.dll

MD5 268e624df6d702c3d938b7700fa4dcf1
SHA1 4dcd869857ea211dab357378fa9d7c3494d45a7b
SHA256 40a2798e5b5f70c8f97bd5a40f19a70b7c1067578106b2049c592816ec08372e
SHA512 fe67afc73520959b4040d1056373e2b4f82e12a7d5d3792f3987cbb26eed9758338d46f31c06ded1e3cf75ea4b9d648dec2a59d4a5e31c3c359cd608b9193043