Malware Analysis Report

2024-11-15 08:50

Sample ID: 240123-18k3jsbdh9
Target: 70b4e740a07d198ec5ac903eaed6ff43
SHA256: 718a533c6fd5cccfb5c4afd72ad1d850327a0b4e6a37aed68679e7bb4afce5ce
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 718a533c6fd5cccfb5c4afd72ad1d850327a0b4e6a37aed68679e7bb4afce5ce

Threat Level: Known bad

The file 70b4e740a07d198ec5ac903eaed6ff43 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, persistence, trojan

Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-23 22:19

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-23 22:19
Reported: 2024-01-23 22:26
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70b4e740a07d198ec5ac903eaed6ff43.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Pse2t\WFS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\44URQ43K\\31\\rekeywiz.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Pse2t\WFS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 2680 N/A N/A C:\Windows\system32\sdclt.exe
PID 1144 wrote to memory of 2680 N/A N/A C:\Windows\system32\sdclt.exe
PID 1144 wrote to memory of 2680 N/A N/A C:\Windows\system32\sdclt.exe
PID 1144 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
PID 1144 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
PID 1144 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
PID 1144 wrote to memory of 1688 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1144 wrote to memory of 1688 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1144 wrote to memory of 1688 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1144 wrote to memory of 2844 N/A N/A C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe
PID 1144 wrote to memory of 2844 N/A N/A C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe
PID 1144 wrote to memory of 2844 N/A N/A C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe
PID 1144 wrote to memory of 280 N/A N/A C:\Windows\system32\WFS.exe
PID 1144 wrote to memory of 280 N/A N/A C:\Windows\system32\WFS.exe
PID 1144 wrote to memory of 280 N/A N/A C:\Windows\system32\WFS.exe
PID 1144 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\Pse2t\WFS.exe
PID 1144 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\Pse2t\WFS.exe
PID 1144 wrote to memory of 1712 N/A N/A C:\Users\Admin\AppData\Local\Pse2t\WFS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70b4e740a07d198ec5ac903eaed6ff43.dll,#1

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe

C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe

C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe

C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe

C:\Windows\system32\rekeywiz.exe

C:\Windows\system32\rekeywiz.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\Pse2t\WFS.exe

C:\Users\Admin\AppData\Local\Pse2t\WFS.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\2gBC6gHGV\ReAgent.dll

C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe

\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe

\Users\Admin\AppData\Local\2gBC6gHGV\ReAgent.dll

C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe

\Users\Admin\AppData\Local\1mE5tc\slc.dll

C:\Users\Admin\AppData\Local\1mE5tc\slc.dll

C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\44URQ43K\31\rekeywiz.exe

C:\Users\Admin\AppData\Local\Pse2t\WINMM.dll

\Users\Admin\AppData\Local\Pse2t\WINMM.dll

C:\Users\Admin\AppData\Local\Pse2t\WFS.exe

\Users\Admin\AppData\Local\Pse2t\WFS.exe

C:\Users\Admin\AppData\Local\Pse2t\WFS.exe

\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\ukCnzcZs\WFS.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\r0W0sH\ReAgent.dll

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\44URQ43K\31\slc.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\ukCnzcZs\WINMM.dll

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-23 22:19
Reported: 2024-01-23 22:26
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70b4e740a07d198ec5ac903eaed6ff43.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\YH\\DISPLA~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 2760 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 3484 wrote to memory of 2760 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 3484 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe
PID 3484 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe
PID 3484 wrote to memory of 3760 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3484 wrote to memory of 3760 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3484 wrote to memory of 2196 N/A N/A C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe
PID 3484 wrote to memory of 2196 N/A N/A C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe
PID 3484 wrote to memory of 1516 N/A N/A C:\Windows\system32\recdisc.exe
PID 3484 wrote to memory of 1516 N/A N/A C:\Windows\system32\recdisc.exe
PID 3484 wrote to memory of 4492 N/A N/A C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe
PID 3484 wrote to memory of 4492 N/A N/A C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70b4e740a07d198ec5ac903eaed6ff43.dll,#1

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe

C:\Windows\system32\recdisc.exe

C:\Windows\system32\recdisc.exe

C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe

C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe

Network

Files

C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\VkS\UxTheme.dll

C:\Users\Admin\AppData\Local\VkS\UxTheme.dll

C:\Users\Admin\AppData\Local\N3cxLFj\DUser.dll

C:\Users\Admin\AppData\Local\N3cxLFj\DUser.dll

C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\Yi1lYyLD\ReAgent.dll

C:\Users\Admin\AppData\Local\Yi1lYyLD\ReAgent.dll

C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ZM\UxTheme.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\YH\DUser.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9Cutlz\ReAgent.dll
