Malware Analysis Report

2024-11-15 08:50

Sample ID 240121-lmpfhsbag2
Target 6cf99878a472700f873bfe4ba861b27e
SHA256 770fabafd2e9368ab8dfdcce39b8dfde8df9439be93f5fc9184c90206dae4d16
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 770fabafd2e9368ab8dfdcce39b8dfde8df9439be93f5fc9184c90206dae4d16

Threat Level: Known bad

The file 6cf99878a472700f873bfe4ba861b27e was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, persistence, trojan

Signatures raised (each is detailed under the analysis that produced it):

Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

Read together, the two behavioral runs show the same loader behavior on Windows 7 and Windows 10. The sample is started as a DLL through rundll32.exe (export ordinal #1). Executables named after legitimate Windows binaries (SoundRecorder.exe, SystemPropertiesAdvanced.exe and msconfig.exe on Windows 7; quickassist.exe, DWWIN.EXE and mblctr.exe on Windows 10) appear in newly created, randomly named directories under AppData\Local, each beside a DLL or CPL carrying the name of a system library (WINMM.dll, SYSDM.CPL, VERSION.dll, UxTheme.dll, wer.dll). Both the System32 original and the dropped copy of each executable are launched, and a process outside the listed process tree (PID 1216 on Windows 7, PID 3440 on Windows 10; the report does not name it) writes into the memory of both. The "Loads dropped DLL" hits are attributed to the dropped copies, which is consistent with DLL search-order hijacking (side-loading): a trusted executable loads the planted library from its own directory ahead of the system one. Persistence is set up by a Run value in the user's hive pointing at a further copy under AppData\Roaming, by a .lnk written to the user's Startup folder, and through the Task Scheduler COM API. rundll32.exe and each dropped copy also read HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to check whether UAC is enabled. No network traffic was captured on Windows 7; on Windows 10 a single TCP connection to 138.91.171.81:80 and a series of reverse-DNS lookups to 8.8.8.8 were recorded, none attributed to a process.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 09:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 09:39

Reported

2024-01-21 09:41

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cf99878a472700f873bfe4ba861b27e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Yqj\msconfig.exe N/A
(4 further hits with no process recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\xy9FZ\\SystemPropertiesAdvanced.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Yqj\msconfig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (3 hits)
(61 further hits with no process recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 2708 (3 writes) N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1216 wrote to memory of 1292 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe
PID 1216 wrote to memory of 2924 (3 writes) N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 1216 wrote to memory of 2920 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe
PID 1216 wrote to memory of 2500 (3 writes) N/A N/A C:\Windows\system32\msconfig.exe
PID 1216 wrote to memory of 1844 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\Yqj\msconfig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cf99878a472700f873bfe4ba861b27e.dll,#1

C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe

C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe

C:\Windows\system32\SoundRecorder.exe

C:\Windows\system32\SoundRecorder.exe

C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\Yqj\msconfig.exe

C:\Users\Admin\AppData\Local\Yqj\msconfig.exe

C:\Windows\system32\msconfig.exe

C:\Windows\system32\msconfig.exe

Network

N/A

Files

memory/2664-0-0x0000000000430000-0x0000000000437000-memory.dmp

memory/2664-1-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-4-0x0000000077556000-0x0000000077557000-memory.dmp

memory/1216-15-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-18-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-36-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-46-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-51-0x0000000002A30000-0x0000000002A37000-memory.dmp

memory/1216-58-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-62-0x00000000778C0000-0x00000000778C2000-memory.dmp

memory/1216-59-0x0000000077761000-0x0000000077762000-memory.dmp

memory/1216-69-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-75-0x0000000140000000-0x0000000140192000-memory.dmp

\Users\Admin\AppData\Local\5f1\WINMM.dll

MD5 3c606c386ce5723f7a3a9266f33dc4e1
SHA1 226ff7ec913cf874cda957ee78fb4ab9d57b4751
SHA256 46839127b2c6e29412191f16f9c1f75155a6dfb42cc8a2123aba7e363eb29a06
SHA512 d545e2fd9dd90616601ae3d3e2fe283445e5dfed934b8c194a647ce39597a26663aac3572dd9a1dc3d5f0d729cab027667b5ee7b8b637b3cf61423924b8122bb

memory/1292-89-0x0000000000090000-0x0000000000097000-memory.dmp

C:\Users\Admin\AppData\Local\5f1\WINMM.dll

MD5 7b806a720dbe39890f2eca2e11ba8309
SHA1 5fa8378b8505d50005575e6bb90a51398ff6ba01
SHA256 899d791bd78375862e69e47ec08adc1cee40a64814ca5331888cf850133a2a71
SHA512 c198537de4dd921a0916749afade24375141c2ba902f573f93430599b41b173659e9ae2ea8e5884b369c9b0aecf63f3656c337d61750b567f55616a376f68688

C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe

MD5 cd01476ba10d363fc923283d8cd56b08
SHA1 59a3d2b8d0727cfe24856c657c810fb2e3db30b1
SHA256 06862f900a1604875d8b17cd667507a00d0679de55f2c8962dd7eba91f8f5d9f
SHA512 a8f1440490ec9d807491ff894c1a8184aab13abe403f291e33d0d9324240d4d4c316722301f346056cb2458b8fb33b7f56658a61b79ccfa3046c512fe2bcad88

\Users\Admin\AppData\Local\5f1\SoundRecorder.exe

MD5 730191b71f3aeba67026482ab955d5b6
SHA1 768675473ab90e82c87df9c2210eed07c591eeea
SHA256 12634afa07a7c7307291581b3c6971ad7e30424fd2f2d59833d668fd0e115c8b
SHA512 44c1374d497889f2abe15d4d0b9f56e8554da832297655d2a019edc2192ddb949d14f84c0ab5e7ccfddebe3d46a32df4bf20c29893384a5e00ab5675c1c8e2b0

C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe

MD5 19265727d110d662cf6bfadfdd4e00c9
SHA1 1b4d702be0fd50246b245098a867b50182563bea
SHA256 813e356f5f23e11bcf0ac4632d36520548c88330547aa0c5adecb7c87bf62472
SHA512 f0a1aa49f8a1c90ec866a6037ee5a5b4d91f180ac4c804c119caacb2b60e7378faa4f9ea0003063430a7592b9f7fc83f8bd668033e6b303ea80b33202a5f8fe7

memory/1216-50-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-49-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-48-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-47-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-45-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-44-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-43-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-42-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-41-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-40-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-39-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-38-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-37-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-35-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-34-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-33-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-32-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-31-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-30-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-29-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-28-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-27-0x0000000140000000-0x0000000140192000-memory.dmp

\Users\Admin\AppData\Local\IuyJ1\SYSDM.CPL

MD5 95e0b25bf51f48d7f9474a834dc9d1ce
SHA1 524eb97726b9e69b47db6f2e8f3222e874a72b17
SHA256 374e7edc13b23a3a0873385e79c035bae3413a5f9ddd84c046bda29c04691228
SHA512 f5516b722fd51b8b183ea59c9b483a4ad87aa9a6c81f82dbef1ad871e6cf1438e996b1e8ac6ad19306ed8d8f02655907781694098ab67c86b3748da72e188a8f

memory/2920-108-0x0000000000180000-0x0000000000187000-memory.dmp

C:\Users\Admin\AppData\Local\IuyJ1\SYSDM.CPL

MD5 ee0f110169b129e276b969de2c51355c
SHA1 6842d2c73c8f36f134c29f8652351fb4a7d60c3f
SHA256 51ec7a6268d026fb5fc87b85fb098b500352acabddbdf026b2315fc82292ffc0
SHA512 ee77528055bca2aa6fd82b7b06157320cf44435655623cacec0d99df63275f89f169465ba8e0cd2630dd07b349cc66de41f428ddc7b2b3d943ce8b830aa52a96

C:\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe

MD5 52677ccf0e00e6a1c3a6a4e670c316e3
SHA1 0d717bdbd63a293e780b92ad954a60f4ee81870d
SHA256 cedff001376a5cf428ed711aaa0d4a1a6a9148950bdc5deeaebb362f05329da7
SHA512 809fb48ccc627a78930c9125cc80226e1e5deb0d27d60d3a7a703eaefd91b88859aaa347d23c21432d54e1b2a41302b86e45eb0740410475e47316a4bb2d7a53

\Users\Admin\AppData\Local\IuyJ1\SystemPropertiesAdvanced.exe

MD5 f592f69aaba7e985c06d07aad25d8f4b
SHA1 d6b11806331fdae75f731da5e4c21ebf380c1ba6
SHA256 7fb944af8bdfba90c9a845cb5964b7f27037da221c16dc460365fdf2eaedbe60
SHA512 f822841b218efa2f62dbaec8d26f093cf764eb22babe1d8487dd3be9d8d39dc87bc86b8bf57f94ea9f16a78d7e0d5c36691206e1b7ad80dbb8022102f57b62c9

memory/1216-26-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-25-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-24-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-23-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-22-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-21-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-20-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-19-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-17-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-16-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-14-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-13-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-12-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-11-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-10-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-9-0x0000000140000000-0x0000000140192000-memory.dmp

memory/2664-8-0x0000000140000000-0x0000000140192000-memory.dmp

memory/1216-7-0x0000000140000000-0x0000000140192000-memory.dmp

\Users\Admin\AppData\Local\Yqj\msconfig.exe

MD5 aae2999ee9a060773660f375b64ec492
SHA1 d56d28e90dba3b60eafd09695da5eca97755e071
SHA256 22cad07bfc5784085ad6a7f33482d418265933e2cb6e15a23a7314c9925176bc
SHA512 41d5533dc89733edf4035e39b5702d37d7d0937f97b6139bad2cd73742c5fecbbf626d751dd26cbb533c80448e0972adb6595052ca8fd30cecb05a80d7ba6866

\Users\Admin\AppData\Local\Yqj\VERSION.dll

MD5 6a8017b0690ed6aeb9d12c41b873597c
SHA1 a6b6fe9e236b7fcaac311d153cbb818e5d707c16
SHA256 f81b2b9fef8d8e5a63819037d432cd8667f1c7ee926819cf99b05bd1311f5215
SHA512 7589572d35cac717028b98ad77322b20c9a52f44bf79b95343500f1d7609f8989b54ec7e97b4e343ede2e43c822df40a086466ae29070c830d14b396ad2c4adb

memory/1844-127-0x00000000003A0000-0x00000000003A7000-memory.dmp

C:\Users\Admin\AppData\Local\Yqj\VERSION.dll

MD5 04c87c34c3ed8efc420aa4fa397c7004
SHA1 ae3326ba4338a68ca9c00f0ba01facd932ae1f46
SHA256 dd7de0badd6bf4b5a7e3aa4b1fe5919b1f87df95cc772b97f895e644904b941b
SHA512 8fa2d8f13d33bd696d205a54effa306dfa6063b6c59b546a0451b3fa4526d23c6f6f8a981b89e8283f7f1e775abad2d1ec286aca182dfde320fd7b3fa0e2fbab

C:\Users\Admin\AppData\Local\Yqj\msconfig.exe

MD5 5ac21c76b5fab933065fd80c63bde06a
SHA1 c31f17a297091fad0277999490914f03f63bce28
SHA256 c617230df9e34186f289425c9cef70e581eb746294dc61fdb30dd3586acebe15
SHA512 855deeb825b6ddb197b6db0749b3c1e751daaf4f9d995289c9abd14a232d21d155b653e45f69b92cc3b4f992d499922db6d4263eb61cf340326c403434d2e6c5

C:\Users\Admin\AppData\Local\Yqj\msconfig.exe

MD5 9eab35db34fa05dd5d69117173a726af
SHA1 442fbeaa5cfd402bd2848c2118a1dfdc3f93916d
SHA256 cf1bf7e109bac823cf549f676cfc4302768e14a1214d260cccaf6f185c3f86f8
SHA512 740273cef0e9d8780b08cd5b3c21a23f183fd1999b0a9ca2a5aafb30e477848daef4f54250e700b8d2635786d32555b238e4aae4b6e7f61bc4606bfac02a348c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\xy9FZ\SystemPropertiesAdvanced.exe

MD5 ead965d732d239d5474dacdf4afebf28
SHA1 8d39ac4ccb96bddbb7dc5df01438933b46981233
SHA256 070dea755a2c6d99c7d49dc267b45d0d9d6c7b0ec7bdc4c1cef130756c1de155
SHA512 2a16d6aa4f07eb344cea864ead90e6606e427c7aa7300f70708c62dd3dbfb6353d10650c92d79893b91f2a640eb3ccc8f9f4a22e1f7a4fcaf6ef7466f52b3c35

memory/1216-5-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

\Users\Admin\AppData\Roaming\Identities\0kZ\msconfig.exe

MD5 0c60d317dd776c0377f574ab777cfeab
SHA1 f44ec7ccd9b3dac70c53e736b52f805701dd80e8
SHA256 b6aa5aa94c0ffd2eaace97f77ba50bc8e65b7debadf2422631512d6fa8bbc9a9
SHA512 b047f411c285aa158139060722d95b30d1b412a67576d79be1eb000e91e3ebe07d2d7f2df4b4716f2ef4e8115085970868ee0452ce8e3aa178cdcbb00c39aeab

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

MD5 7f422ca1159b41e1a07f6feea4b0eeb2
SHA1 5d4b2370e91163eb23cf635379617c9c0fa418a6
SHA256 fe5f2fab05b725d7a167bb747e81d33fcea2570089056fcbf74a100e1d9cc054
SHA512 9366bcaeba91fd716520f0ba10d538be1d5e3d023ed283dbc3eeefe9d2e68ddb6bca5df68fd721fba0224af8cbf0d07f9b80202f24b90493cec5bcfe65cd3577

memory/1216-153-0x0000000077556000-0x0000000077557000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\LJQSpXMwGH\WINMM.dll

MD5 01e287f87e336e8a39ce70bc054d6de7
SHA1 dfaa3c8ba7ebee54c57ffada7ce3e3a8030fb91e
SHA256 1a6d91fff1d991c4f8fa17af63be5c962ca44edf0a4efc4201b9194ae1b1962c
SHA512 a2996bd25a5ec3a40097a7610823c68a05dc50795c4e9e77f2300d2507a9992e82ee50f2b7a5dfa2522f77ca5f33fe9ff2c95d30cf62fe5b39437426d9aafb1f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\xy9FZ\SYSDM.CPL

MD5 c155d0a18267ea1d067e6bc36173bb9f
SHA1 33bab8653f5dbed520720e9b6af844b2a4c35685
SHA256 0f82ca53c025ffdba719dc7508d8910c3d8bab25e721f97d1550352d58941e0d
SHA512 b7af5a805ad6c192a89d502d065a110ed965990c30c19cf41f44acc8427be0a5e213acda0b8d0023e9a396e718dbba5e297a8c5bec4a6b694d73b70c3bcc3468

C:\Users\Admin\AppData\Roaming\Identities\0kZ\VERSION.dll

MD5 dd616d9b615128f716552a26bd3f3961
SHA1 8e4c76d02e686bd93ed1dffe3365950edeb7026a
SHA256 57b06fbe0baba6e08c0a94f3e94282b6a474f6bbb9e989ca4888a5dd493e6940
SHA512 91ff79058c63fc6a022071ec13a61861aa7da4f768cb0d29652022b474ffe006846bdcb9a4b48bbf9fee4efee6199b2b5d433a07298f95f45d49ed7a5f11145a

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 09:39

Reported

2024-01-21 09:41

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cf99878a472700f873bfe4ba861b27e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\wFYO7\\DWWIN.EXE" N/A N/A
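
The two "Adds Run key to start application" rows in this report (one per platform) share one rendering: the full registry path of the value, then its string data with every backslash doubled. The following is an added example, not part of the sandbox's output or of any Dridex tooling, that parses rows of that shape back into a SID, value name and launch target, and flags targets that live in a user-writable location. The two Dridex rows are copied from this report; the third row (an HKLM value under Program Files) is constructed as a benign control, and the list of "user-writable" roots is a heuristic assumption, not a Windows definition.

```python
import re
from typing import List, NamedTuple, Optional


class RunKeyHit(NamedTuple):
    hive: str                 # "USER" (HKCU via HKU\<SID>) or "MACHINE" (HKLM)
    sid: Optional[str]        # user SID for HKU rows, None for HKLM rows
    value_name: str           # name of the Run value (the sample uses a random string)
    target: str               # data of the value with the doubled backslashes undone
    user_writable: bool       # True when the target sits where an unprivileged user can write


# One row of the sandbox table looks like:
#   Set value (str) \REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\<name> = "<data>" N/A N/A
# The data is rendered with doubled backslashes, so "\\" in the row is one real backslash.
ROW_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\(?P<hive>USER\\(?P<sid>S-1-5-21-[\d-]+)|MACHINE)'
    r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>\S+)'
    r' = "(?P<data>(?:[^"\\]|\\.)*)"',
    re.IGNORECASE,
)

# Heuristic (assumption): a profile directory, ProgramData or the Windows temp directory can
# be written to without elevation; a Run value that launches from there deserves attention.
USER_WRITABLE_RE = re.compile(
    r'^[a-z]:\\(?:users\\[^\\]+|programdata|windows\\temp)\\', re.IGNORECASE
)


def parse_run_key_row(row: str) -> Optional[RunKeyHit]:
    """Parse one 'Set value (str)' row; return None for rows of any other shape."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    target = m['data'].replace('\\\\', '\\')          # undo the report's escaping
    hive = 'USER' if m['hive'].upper().startswith('USER') else 'MACHINE'
    return RunKeyHit(hive, m['sid'], m['name'], target,
                     bool(USER_WRITABLE_RE.match(target)))


def suspicious_run_keys(rows: List[str]) -> List[RunKeyHit]:
    """Keep only the Run values whose launch target is in a user-writable location."""
    parsed = (parse_run_key_row(r) for r in rows)
    return [h for h in parsed if h is not None and h.user_writable]


# Rows 1 and 2 are copied from this report (behavioral1 and behavioral2); row 3 is a
# constructed benign control pointing into Program Files.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\xy9FZ\\SystemPropertiesAdvanced.exe" N/A N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\wFYO7\\DWWIN.EXE" N/A N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\Example\\updater.exe" N/A N/A',
]


if __name__ == '__main__':
    for hit in suspicious_run_keys(SAMPLE_ROWS):
        print(f'{hit.hive} {hit.sid or "-"} {hit.value_name} -> {hit.target}')
```

Both Dridex rows survive the filter: each points into the user's AppData\Roaming tree, where a signed system executable has no business living. Note that the Windows 10 target is written with 8.3 short names (MICROS~1, STARTM~1, ACCESS~1); the parser keeps them as-is because the long form can only be recovered on the host that created them.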

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\85KW\quickassist.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FqtjT5EE6\DWWIN.EXE N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\nGSSjjB\mblctr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (6 hits)
(58 further hits with no process recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (4 hits)
Token: SeCreatePagefilePrivilege N/A N/A N/A (4 hits)
(the two privileges are adjusted in alternating pairs; no process recorded)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3440 wrote to memory of 2060 (2 writes) N/A N/A C:\Windows\system32\quickassist.exe
PID 3440 wrote to memory of 1160 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\85KW\quickassist.exe
PID 3440 wrote to memory of 928 (2 writes) N/A N/A C:\Windows\system32\DWWIN.EXE
PID 3440 wrote to memory of 4048 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\FqtjT5EE6\DWWIN.EXE
PID 3440 wrote to memory of 1812 (2 writes) N/A N/A C:\Windows\system32\mblctr.exe
PID 3440 wrote to memory of 3260 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\nGSSjjB\mblctr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6cf99878a472700f873bfe4ba861b27e.dll,#1

C:\Windows\system32\quickassist.exe

C:\Windows\system32\quickassist.exe

C:\Users\Admin\AppData\Local\85KW\quickassist.exe

C:\Users\Admin\AppData\Local\85KW\quickassist.exe

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\FqtjT5EE6\DWWIN.EXE

C:\Users\Admin\AppData\Local\FqtjT5EE6\DWWIN.EXE

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\nGSSjjB\mblctr.exe

C:\Users\Admin\AppData\Local\nGSSjjB\mblctr.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp

The UDP rows are reverse-DNS (PTR) queries sent to 8.8.8.8; the queried name carries the looked-up address in reversed octet order, so 228.249.119.40.in-addr.arpa is a lookup of 40.119.249.228. No row in this table is attributed to a process, so neither the single TCP connection nor the lookups can be tied to the sample, as opposed to the Windows 10 guest's own background traffic, from this table alone.
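
An analyst working from this table usually wants the forward addresses behind the PTR names and a short list of actual connections. The following is an added example, not code from the sandbox or from this report, that parses rows of the shape above, turns each in-addr.arpa name back into the address that was looked up (validated with the standard library's ipaddress module), and separates real connections from resolver traffic. The sample rows are copied from this table; the header line is included to show that non-data lines are ignored. Because the issuing process is not recorded, the resolved addresses are investigative leads to correlate against the process tree, not confirmed command-and-control.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class NetRow(NamedTuple):
    country: str
    dest_ip: str
    dest_port: int
    domain: str       # queried name for DNS rows, empty for rows without one
    proto: str


# Row shape: "<CC> <ip>:<port> [<domain>] <tcp|udp>"; the domain column may be absent.
ROW_RE = re.compile(
    r'^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
    r'(?: (?P<dom>\S+))? (?P<proto>tcp|udp)$'
)
# PTR names carry the four octets in reverse order under in-addr.arpa.
PTR_RE = re.compile(
    r'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$', re.IGNORECASE
)


def parse_net_row(line: str) -> Optional[NetRow]:
    """Parse one table row; header lines and anything else return None."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return NetRow(m['cc'], m['ip'], int(m['port']), m['dom'] or '', m['proto'])


def ptr_to_ip(name: str) -> Optional[str]:
    """'228.249.119.40.in-addr.arpa' -> '40.119.249.228'; None if not a valid PTR name."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address('.'.join(reversed(m.groups()))))
    except ValueError:                  # octet out of range, e.g. 999.1.1.1.in-addr.arpa
        return None


def summarize(lines: List[str]) -> Dict[str, object]:
    """Split rows into real connections, reverse lookups (name -> address) and forward lookups."""
    connections: List[Tuple[str, int, str]] = []
    ptr_lookups: Dict[str, str] = {}
    forward_lookups: List[str] = []
    for line in lines:
        row = parse_net_row(line)
        if row is None:
            continue
        if row.dest_port == 53 and row.domain:
            ip = ptr_to_ip(row.domain)
            if ip is not None:
                ptr_lookups[row.domain] = ip
            else:
                forward_lookups.append(row.domain)
        else:
            connections.append((row.dest_ip, row.dest_port, row.proto))
    return {'connections': connections, 'ptr_lookups': ptr_lookups,
            'forward_lookups': forward_lookups}


# Copied from this report's behavioral2 Network table (header included on purpose).
SAMPLE_NETWORK = """Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp
"""


if __name__ == '__main__':
    s = summarize(SAMPLE_NETWORK.splitlines())
    for ip, port, proto in s['connections']:
        print(f'connection {proto} {ip}:{port}')
    for name, ip in s['ptr_lookups'].items():
        print(f'ptr {name} -> {ip}')
```

Run on the rows above, the summary contains exactly one connection (138.91.171.81:80/tcp) and twelve reverse lookups. Whether those addresses matter depends on the process that asked for them, which this table does not show; matching the timestamps against the sandbox's process events is the next step.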

Files

memory/3952-1-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3952-2-0x000001E417E10000-0x000001E417E17000-memory.dmp

memory/3952-0-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-5-0x0000000003680000-0x0000000003681000-memory.dmp

memory/3440-7-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-9-0x00007FFE42BBA000-0x00007FFE42BBB000-memory.dmp

memory/3440-10-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-11-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-12-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-13-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-14-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-8-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-16-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-17-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-18-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-19-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-20-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-15-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3952-22-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-23-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-21-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-24-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-25-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-26-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-27-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-28-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-29-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-30-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-31-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-33-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-32-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-34-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-35-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-36-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-37-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-38-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-39-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-40-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-41-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-42-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-43-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-44-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-45-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-46-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-47-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-48-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-49-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-50-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-52-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-51-0x0000000002F30000-0x0000000002F37000-memory.dmp

memory/3440-59-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-60-0x00007FFE44340000-0x00007FFE44350000-memory.dmp

memory/3440-69-0x0000000140000000-0x0000000140192000-memory.dmp

memory/3440-71-0x0000000140000000-0x0000000140192000-memory.dmp

C:\Users\Admin\AppData\Local\85KW\quickassist.exe

MD5 d1216f9b9a64fd943539cc2b0ddfa439
SHA1 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
SHA256 c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
SHA512 c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

C:\Users\Admin\AppData\Local\85KW\UxTheme.dll

MD5 f0023d97c9b777bac1f115ac01afed64
SHA1 4d9558a9e07b2c8575aab6cfef2787b1e7d64433
SHA256 a43125a1c812376d5bf61ab9cc38c2933335f7a9c2a340392bf1e1007a140223
SHA512 672fc416ad2d3f169877160670f952e2f6bd9d15ba5e7089dbc229e1a02fc1064190b1d561a956af7861ab55eb84e57b078ec3ceb7e010a2e47b1d53e103f8f7

memory/1160-80-0x0000000140000000-0x0000000140193000-memory.dmp

memory/1160-82-0x000002B253350000-0x000002B253357000-memory.dmp

memory/1160-81-0x0000000140000000-0x0000000140193000-memory.dmp

memory/1160-88-0x0000000140000000-0x0000000140193000-memory.dmp

C:\Users\Admin\AppData\Local\FqtjT5EE6\DWWIN.EXE

MD5 444cc4d3422a0fdd45c1b78070026c60
SHA1 97162ff341fff1ec54b827ec02f8b86fd2d41a97
SHA256 4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0
SHA512 21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

C:\Users\Admin\AppData\Local\FqtjT5EE6\wer.dll

MD5 6e2870da5d8fcb41cb744071f4c5adae
SHA1 03cf0a58405c394baf8021d5a0702f18801c699e
SHA256 61a54e740f5fb0620408b131a424fe4271799e5b2c9553bd2a531f2bc60bd4db
SHA512 6f6765ca268535e1cc584c5950890fea3def6cd740eaee6112467ea868d261c291973625a2a573089b33d6eabe024fc0cded0ff5cc7c316d6993ed179dc57ea8

memory/4048-101-0x00000298BB6D0000-0x00000298BB6D7000-memory.dmp

memory/4048-99-0x0000000140000000-0x0000000140194000-memory.dmp

memory/4048-107-0x0000000140000000-0x0000000140194000-memory.dmp

C:\Users\Admin\AppData\Local\nGSSjjB\mblctr.exe

MD5 d3db14eabb2679e08020bcd0c96fa9f6
SHA1 578dca7aad29409634064579d269e61e1f07d9dd
SHA256 3baa1dc0756ebb0c2c70a31be7147863d8d8ba056c1aa7f979307f8790d1ff69
SHA512 14dc895ae458ff0ca13d9c27aa5b4cfc906d338603d43389bb5f4429be593a587818855d1fe938f9ebebf46467fb0c1ab28247e8f9f5357098e8b822ecd8fffe

C:\Users\Admin\AppData\Local\nGSSjjB\WINMM.dll

MD5 239f513539b485b114d9a0815ae4afe9
SHA1 762bda55c5556f8972fb65856244dbff6fc20e47
SHA256 27ed7ff3725fac4d5eb83234e880e544dd3c2696edcd84f20b25921409d4a9d0
SHA512 3d3a6ba168afb20a01834966329f2d683e380e2aee124b79def7ff9eab10592515fc61eae4de7d09131552b84eaa020299975ee004b813311a9a5035fe0122b4

memory/3260-120-0x00000221EEDD0000-0x00000221EEDD7000-memory.dmp

memory/3260-118-0x0000000140000000-0x0000000140194000-memory.dmp

memory/3260-126-0x0000000140000000-0x0000000140194000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 3251cc23f2eeaa910c71ee60cfed9ffa
SHA1 03cf67d9afcdab0055d0cd443031053a15e1fe0d
SHA256 2e1cbdcfabec6a5183e49064abbb92a8f2f18702dd4aaa7d219a218f0a104dbb
SHA512 d3767959d706215a971535633f03c3ad459fece525907e3345658d055c8db37c6d0f0dbbc1d108d8789b7c35a0a399d43ceed52923a2adab5fac7e3185ca43e5
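
The Files listings of both behavioral runs (the one above and the Windows 7 one earlier) contain the same tell-tale layout: a directory under AppData\Local holding an executable named after a Windows binary next to a DLL or CPL named after a system library, plus a .lnk in the Startup folder. The following is an added example, not part of the sandbox's output, that parses a listing of this shape (path line, then MD5/SHA1/SHA256/SHA512 lines, with memory/... dump names interleaved), groups the files by directory, and reports the directories that fit the side-loading staging pattern together with the Startup-folder artefacts and a de-duplicated hash set. The embedded sample is a constructed excerpt of entries copied from this report (SHA1 and SHA512 lines omitted to keep it short; the parser accepts them); the set of "user-writable" roots is a heuristic assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class FileRecord(NamedTuple):
    path: str                # drive letter stripped: the report mixes "C:\Users" and "\Users"
    hashes: Dict[str, str]   # algorithm name -> lower-case hex digest


HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]{32,128})$', re.IGNORECASE)
DRIVE_RE = re.compile(r'^[A-Za-z]:')
# Heuristic (assumption): roots an unprivileged user can create directories under.
USER_WRITABLE_RE = re.compile(r'^\\(?:users\\[^\\]+|programdata|windows\\temp)\\', re.IGNORECASE)
STARTUP_RE = re.compile(r'\\programs\\startup\\', re.IGNORECASE)


def parse_files_section(text: str) -> List[FileRecord]:
    """Build one FileRecord per path line; hash lines attach to the preceding path,
    memory dump names and blank lines are skipped."""
    records: List[FileRecord] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current.hashes[m.group(1).upper()] = m.group(2).lower()
            continue
        if line.startswith('memory/') or '\\' not in line:
            current = None                       # dump name or stray text, not a file
            continue
        current = FileRecord(DRIVE_RE.sub('', line), {})
        records.append(current)
    return records


def side_load_candidates(records: List[FileRecord]) -> Dict[str, Tuple[List[str], List[str]]]:
    """User-writable directories holding at least one .exe and at least one .dll/.cpl:
    the staging layout for DLL search-order hijacking. Keys are lower-cased directories."""
    by_dir: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        directory, _, name = r.path.rpartition('\\')
        by_dir[directory.lower()].add(name)
    out: Dict[str, Tuple[List[str], List[str]]] = {}
    for directory, names in by_dir.items():
        exes = sorted(n for n in names if n.lower().endswith('.exe'))
        libs = sorted(n for n in names if n.lower().endswith(('.dll', '.cpl')))
        if exes and libs and USER_WRITABLE_RE.match(directory):
            out[directory] = (exes, libs)
    return out


def persistence_artifacts(records: List[FileRecord]) -> List[str]:
    """Files written to a Startup folder (long or 8.3 short form), in listing order."""
    seen: Set[str] = set()
    out: List[str] = []
    for r in records:
        if STARTUP_RE.search(r.path) and r.path not in seen:
            seen.add(r.path)
            out.append(r.path)
    return out


def unique_hashes(records: List[FileRecord], algo: str = 'SHA256') -> Set[str]:
    """Distinct digests for one algorithm; the same path can appear with several."""
    return {r.hashes[algo] for r in records if algo in r.hashes}


# Constructed excerpt: entries copied from this report's Files sections (SHA1/SHA512 omitted).
SAMPLE_FILES = r"""
\Users\Admin\AppData\Local\5f1\WINMM.dll

MD5 3c606c386ce5723f7a3a9266f33dc4e1
SHA256 46839127b2c6e29412191f16f9c1f75155a6dfb42cc8a2123aba7e363eb29a06

memory/1292-89-0x0000000000090000-0x0000000000097000-memory.dmp

C:\Users\Admin\AppData\Local\5f1\WINMM.dll

MD5 7b806a720dbe39890f2eca2e11ba8309
SHA256 899d791bd78375862e69e47ec08adc1cee40a64814ca5331888cf850133a2a71

C:\Users\Admin\AppData\Local\5f1\SoundRecorder.exe

MD5 cd01476ba10d363fc923283d8cd56b08
SHA256 06862f900a1604875d8b17cd667507a00d0679de55f2c8962dd7eba91f8f5d9f

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

MD5 7f422ca1159b41e1a07f6feea4b0eeb2
SHA256 fe5f2fab05b725d7a167bb747e81d33fcea2570089056fcbf74a100e1d9cc054

C:\Users\Admin\AppData\Local\85KW\quickassist.exe

MD5 d1216f9b9a64fd943539cc2b0ddfa439
SHA256 c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2

C:\Users\Admin\AppData\Local\85KW\UxTheme.dll

MD5 f0023d97c9b777bac1f115ac01afed64
SHA256 a43125a1c812376d5bf61ab9cc38c2933335f7a9c2a340392bf1e1007a140223
"""


if __name__ == '__main__':
    recs = parse_files_section(SAMPLE_FILES)
    for directory, (exes, libs) in side_load_candidates(recs).items():
        print(f'side-load staging: {directory}  exe={exes}  lib={libs}')
    for p in persistence_artifacts(recs):
        print(f'startup artefact: {p}')
    print(f'{len(unique_hashes(recs))} distinct SHA256 values')
```

Two points the grouping makes visible that the flat listing hides: the same path (5f1\WINMM.dll) was captured with two different digests, so a hash-only IOC list needs both, and every flagged directory pairs exactly one executable with one library, which is what a search-order hijack needs and a legitimate install rarely produces in a random-named AppData directory.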