Malware Analysis Report

2024-11-15 08:50

Sample ID 240124-mtys7sgda5
Target 72069f253d65873ca37d22ed502e1911
SHA256 95675ed8705063e78d6feec16544b7d5bbe62b4bc34b13462280c0ec046f0d71
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 95675ed8705063e78d6feec16544b7d5bbe62b4bc34b13462280c0ec046f0d71

Threat Level: Known bad

The file 72069f253d65873ca37d22ed502e1911 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 10:46

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 10:46

Reported

2024-01-24 10:48

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\72069f253d65873ca37d22ed502e1911.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\3EzN\WFS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\j0cb\\WFS.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3EzN\WFS.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1272 wrote to memory of 2756 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1272 wrote to memory of 2756 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1272 wrote to memory of 2756 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1272 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe
PID 1272 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe
PID 1272 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe
PID 1272 wrote to memory of 1324 N/A N/A C:\Windows\system32\WFS.exe
PID 1272 wrote to memory of 1324 N/A N/A C:\Windows\system32\WFS.exe
PID 1272 wrote to memory of 1324 N/A N/A C:\Windows\system32\WFS.exe
PID 1272 wrote to memory of 1624 N/A N/A C:\Users\Admin\AppData\Local\3EzN\WFS.exe
PID 1272 wrote to memory of 1624 N/A N/A C:\Users\Admin\AppData\Local\3EzN\WFS.exe
PID 1272 wrote to memory of 1624 N/A N/A C:\Users\Admin\AppData\Local\3EzN\WFS.exe
PID 1272 wrote to memory of 2740 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1272 wrote to memory of 2740 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1272 wrote to memory of 2740 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1272 wrote to memory of 660 N/A N/A C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe
PID 1272 wrote to memory of 660 N/A N/A C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe
PID 1272 wrote to memory of 660 N/A N/A C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\72069f253d65873ca37d22ed502e1911.dll,#1

C:\Windows\system32\BdeUISrv.exe
    C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe
    C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe

C:\Windows\system32\WFS.exe
    C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\3EzN\WFS.exe
    C:\Users\Admin\AppData\Local\3EzN\WFS.exe

C:\Windows\system32\xpsrchvw.exe
    C:\Windows\system32\xpsrchvw.exe

C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe
    C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe

MD5 d526dab478969eb6fab7a82d4be6cb59
SHA1 200f04e2a2fb2f04d12775cd9fe40b40f76db705
SHA256 bb5ff742ef3ac2a5f08e2cb8b3e5e62fcb0afa4ce9012ac720192de11e228bdf
SHA512 252803d5f46b721d3f0bb082dde3058f0414e71ec5ee9cc327c8b21981acd8c99e960c85d0e793d6dfefe67726e1483f87ca0897b4aac04c318f81967712f951

\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe

MD5 1da6b19be5d4949c868a264bc5e74206
SHA1 d5ee86ba03a03ef8c93d93accafe40461084c839
SHA256 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
SHA512 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

C:\Users\Admin\AppData\Local\vO6mC\WTSAPI32.dll

MD5 441810deb20a0beeaca793e5dd68b04d
SHA1 f07bb853f68fc07b61f98aa462fb3495ee7faeed
SHA256 4997997f49f99e9150f448064918a848933a787d3956f6bfa7ec37bd9bbbf0a4
SHA512 8e732739e4e0e2aebcd65475230f6edaea2effa611e90c5fae2d7e6744d4874eb4ae60d5fb3c6897a92c68d55c0a4365af60456e14821d316e75315737fa54ec

\Users\Admin\AppData\Local\vO6mC\WTSAPI32.dll

MD5 75de1f25a2b37fdc4646176b9aaa244a
SHA1 f92fbeef48bf85b229e1ebe52652bb9847aeb5be
SHA256 f50ff03137ad126614e76dc9b9faa367ff89e2a6ca62b3530ca1ab023aaa2608
SHA512 60d86e9eb4c35f4ac12f3cf9cbb6ae272c34b056b7b9be689ae3133a5fcbccbc94c8bc62b6f88e6623d47955a024ec6caf0e91f1b7c0f90ba00bbf2243503fa5

C:\Users\Admin\AppData\Local\3EzN\WINMM.dll

MD5 116b328d5248bdc6f56ea5688f35521d
SHA1 725b240e1320140154ee684f2ef3977ddbf6bc99
SHA256 d97f86c6d79d4bbe54a30b649a85a1e05f211e94cc3fdb285f3c80c6a35506cc
SHA512 685a7176014d8e94d7e101e7701dbfc402882d5609afe9d0838260ef6996e4ae95423a48ee4d50a247aaf439c6b121f305863170b605d1a63919982ee4d1af9d

\Users\Admin\AppData\Local\3EzN\WINMM.dll

MD5 ef7f4cf6bb53de0de186f4ac52832f7b
SHA1 515772aad7d2a5dc0a12b5ae61b5aead5cd5781b
SHA256 46fba5763a98cb8116c953cf31ac7fcb8d461ad9ba091942025fe87412497875
SHA512 561ca1233e9fb2ed306af632feba40505963c2e76f716b0fadf1963b02aa6388b902d8c4f0386b94edb40c6923c0e209a596392ef20c8d9739bc95230a99a22a

C:\Users\Admin\AppData\Local\3EzN\WFS.exe

MD5 8f20249758d6982a016560c01f3a26ab
SHA1 8044eb22f0c30289071c1bda3899694eb8f4520e
SHA256 ac2c57348bffd7f2e3bffd2d46fdc206ea8171cab049212da4177308ace73268
SHA512 a580f7725de17c59097fc8682ab6a746bf8db2938c6559111390f30b4eee199626b4b62855f8eb07af52cf9f6cfeca0b9ce3d3f3761d236123898ef9682d840b

\Users\Admin\AppData\Local\3EzN\WFS.exe

MD5 6be99cac1629ad7ca4b8c9769d911bbf
SHA1 bb54c3ec95988430922f5458c7f99abd2dede7f8
SHA256 1897d88db026b4244cc123923ce052dbf03d9d633420b987e8b6de9674893672
SHA512 5bd152044d151459af4912f6556eed34236f754235c705bc81f6a62bef25adbb5177f21c6f59d53bdf1fb99c76670c8194e0d4efac695f530bd8d9b34575a736

C:\Users\Admin\AppData\Local\3EzN\WFS.exe

MD5 2700cf7fad30f650eb8bae4ad14cd789
SHA1 7ae736913d0e5e653fb9ecf78db728cc02e8c7c5
SHA256 b0a605836be4d3363df0083660f6ce5e506ae67261b4767db8c2f57b0a33f3ce
SHA512 24a1ec8f70cfe69906a1429d059e1b7dce57eeef0d5076d205fed2be300d7e194e04cd09719fa6f12be1a8e50898f7bbc9c5a5ca282c0d07896c3a41c637a12c

C:\Users\Admin\AppData\Local\eSnT4YjY\WINMM.dll

MD5 ff112775613be272d655da374e7b72c3
SHA1 3a270c68d61b9b14465b70619dc304bf2126d781
SHA256 6d3a99dd94ad5a62c0d654ab4c6b17df78babe3d447a8a47bcfef372671f1fba
SHA512 350594b9e647253d2e52ebc04115d7952c282b592537195fc753f8d747721ce9c3cb3012d887739b4a9b0358d9af0b4a0c8b55838e34a3348bbfc7abbb1007ca

\Users\Admin\AppData\Local\eSnT4YjY\WINMM.dll

MD5 b404e8598944c13f6a6330bb1f7bfa92
SHA1 217f43354732856ac64382197f5fabf7ab75b48b
SHA256 d9bd9a5b86c21500ec39b3976468176d6a3455214917da8397e96e168703b9a8
SHA512 86f1995710c7cb6579a63b9646122e242672be81be63d426284bd564dfbe24d793f666370bb04934fedc7b6ee851d840d0ad8255829777edce08039665195834

C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe

MD5 a419b97ad08f24d52700575f506b202a
SHA1 54b87b9becf67ad9e3c03815f6d304bc6e363eb2
SHA256 acdc1947e48ff26eeed7f945795fd5293d66609449b22e75574db1c5218e7c99
SHA512 61a9afb5828e5e037d5a220a7bc573ea431ff222ccc59aa045bb4ca47591acf464bd77a898f26fe4edf1f479ea3a91391a84c05421e7ce439f97ebc9914c3914

\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe

MD5 022d3a08d08f0cc6508db0c2dcdcfeb8
SHA1 361df50887884b1f3b7b4d2f2b31b1d3dea6c14a
SHA256 2708846d8a4bf5e77722970c16431cc33e1d5548d85fd98e64a498e9c77a3325
SHA512 205e3f1a9ccda9fe7ad3ebe5a7e9e04bcbd7a4191c1818241364a3c3ef0ec524da242c36c1f5e7316358553e69970e4a64dbe63da3e360d9d1ba132ed7925100

C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe

MD5 0fbaab96ccc53e466d3adf7a39d45037
SHA1 480c2bb23feaef2d04fa77f6ffb48eacab1fa3b1
SHA256 072b253815d41b57f78ff31783eef94200233209ad30ee1d99ccb398f8dcff0e
SHA512 0fd2b4a3e57b02f9baa15b5a8fd76d726f6cce71452812562e821cb549731b3486863c69f29d994b1f89f9fdfe3fa2495b27cd62c65a87f537d51586cf72d08b

\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\srvnYygizj\xpsrchvw.exe

MD5 cba607de4b3afd201441ef1b57d86c9d
SHA1 540a2e7a476e21ea601304465a60022b57f9615c
SHA256 4135a4fba1fea5f603355105b3442592276928f60fae2a5c1fc1413ab3978ebd
SHA512 d7243eaec1b5e6fe88d601681b1e1cf50b7e507744ffbdacad83d1a55370ddf4c369f2a44839020225e8750e92c527fdb688b0730dca47864190688585d1b45b

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 708be9c3e850df602c1d752162510606
SHA1 3d48f749f90966c3cd64a1e13d4b6711e5724034
SHA256 dd367f316b6bf89cfccecc636a6cda7ee0502864472b6a19666757d6ee160893
SHA512 756274739b4032a04f755aa835ef06206a99a88b9d3d24125317323e130a4913bed0d10e3c2cf781de5d34df78882f83451e5a173feee288b4dbe661e7a95db3

C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\v8Pt7S7N\WTSAPI32.dll

MD5 2bf2f71bab5cad10b47031fc14915362
SHA1 2fff2c6089aed41d9ca06d8956f7ddeaf3a449fd
SHA256 a104192f8299b6cf53f3595e3a0d7d7beb3a2521473b72feef84507b6513c249
SHA512 e38cfcc75b1a2ed1564dde7479824b6f5cc9a84d506468b46c7abaeb686e429a7f77b69b1bc68771e122b3b456949a3220fcd7933484d574ed42ac7e0eb2c56c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\j0cb\WINMM.dll

MD5 ebde81d3a266a0ef0db55de7edc758f1
SHA1 a369b667a31b5eeb6f89e3266c8fa7e7f0f7cafc
SHA256 c3d7d968a01ac0a154091ee646dedc9f33979d9d1c9753ad75b3107e06804465
SHA512 818ef28b6be26847cfe5b86061ae4bfac4d9fb5979ad5aaad0574fbcca049033e6731fb3c71a5074cd14786275f1436f0aa696b47a02723686cd0829bc1faac0

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\srvnYygizj\WINMM.dll

MD5 92568ffe50d507281f62ab24bd01ee14
SHA1 4e4c552b664118b7e7726c013c3214315d0f6d9a
SHA256 a11f1e009014e9d75227f6d200d12b9ba0ae409287ac0b9a4832d53ac4ee3807
SHA512 4430fa89f22c62d2ab5718acb203674b2a76fb8873b256a7d22bc00d117d52bb54cc24786367ec1e65c8e78b42bbc8ed439c6b83460655927b71faa646ed87b8

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 10:46

Reported

2024-01-24 10:48

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\72069f253d65873ca37d22ed502e1911.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\Oj03\\mstsc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pvrwm\psr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 1016 N/A N/A C:\Windows\system32\bdeunlock.exe
PID 3532 wrote to memory of 1016 N/A N/A C:\Windows\system32\bdeunlock.exe
PID 3532 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe
PID 3532 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe
PID 3532 wrote to memory of 2612 N/A N/A C:\Windows\system32\mstsc.exe
PID 3532 wrote to memory of 2612 N/A N/A C:\Windows\system32\mstsc.exe
PID 3532 wrote to memory of 4136 N/A N/A C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe
PID 3532 wrote to memory of 4136 N/A N/A C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe
PID 3532 wrote to memory of 2668 N/A N/A C:\Windows\system32\psr.exe
PID 3532 wrote to memory of 2668 N/A N/A C:\Windows\system32\psr.exe
PID 3532 wrote to memory of 1408 N/A N/A C:\Users\Admin\AppData\Local\pvrwm\psr.exe
PID 3532 wrote to memory of 1408 N/A N/A C:\Users\Admin\AppData\Local\pvrwm\psr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\72069f253d65873ca37d22ed502e1911.dll,#1

C:\Windows\system32\bdeunlock.exe
    C:\Windows\system32\bdeunlock.exe

C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe
    C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe

C:\Windows\system32\mstsc.exe
    C:\Windows\system32\mstsc.exe

C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe
    C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe

C:\Windows\system32\psr.exe
    C:\Windows\system32\psr.exe

C:\Users\Admin\AppData\Local\pvrwm\psr.exe
    C:\Users\Admin\AppData\Local\pvrwm\psr.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe

MD5 fef5d67150c249db3c1f4b30a2a5a22e
SHA1 41ca037b0229be9338da4d78244b4f0ea5a3d5f3
SHA256 dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603
SHA512 4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7

C:\Users\Admin\AppData\Local\xW0\DUI70.dll

MD5 684cce04b25930b040dbf691f6ff580b
SHA1 ba17ae8cbf0893bd298169e0e6928d237211ec19
SHA256 202e8fcf040fae82f7a4444ba2d7d2163b1e1fd24a373815746c051d66342e15
SHA512 912df62be718a70c60d9d49e97595f6bdfb07ee8d005d99a29d9d6088a8d26ca8771f84290d2b9d4bdc2d8b8d2ce7917cc9ee4c78b0f9bf5c308fb56a088bf94

C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe

MD5 3a26640414cee37ff5b36154b1a0b261
SHA1 e0c28b5fdf53a202a7543b67bbc97214bad490ed
SHA256 1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f
SHA512 76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2

C:\Users\Admin\AppData\Local\CkXWAn\VERSION.dll

MD5 8bb25105d9d5636041ccf2ca13433658
SHA1 88470fc4fbfb1f4556606f5450147445f2fc2b85
SHA256 8d0df2b516e3ed11d8e79855e9df02f354ca679d2b9c5b0ef19a980d993bf213
SHA512 33a5e5f6e053c0215f804d62743fc12e990d1c3f3e04eb1a891fd8bad7380c37c91d56927bb51f7d8c212e864ac18cc431eebdc8eecdd6a3dedc597d8c7f5639

C:\Users\Admin\AppData\Local\pvrwm\psr.exe

MD5 ad53ead5379985081b7c3f1f357e545a
SHA1 6f5aa32c1d15fbf073558fadafd046d97b60184e
SHA256 4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f
SHA512 433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

C:\Users\Admin\AppData\Local\pvrwm\XmlLite.dll

MD5 381797e980c95b8424c041050d038876
SHA1 7b1bba3615385706886afc863ebdd56e891bfd5f
SHA256 795e0cbd6ca8a2e7de9c73ced032b6626be2765a991eefc56894ed61a7cd3b28
SHA512 f7f39f1de9c268e2df962b9c2c4ce159952176687be8b9f9242ae01ef557761256ec4791abad6481c9db4da3ea556a72a5daaf2f9935526645c18c534e993c70

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 517a498ad016bf4c1bd8bdb48099201b
SHA1 ad784f8544fdc339a0deeb22f5fd4c4649e7648a
SHA256 9283110c19063c935b355035646970db45652b7d5435f8bc0fde24b7c753bc02
SHA512 bb47da33c6bea430ba27ec32d90835adba7a5543bff106625a5bb073cde01e5d13fb4dd65303ca68bcf25897971e2fd80635a4d678ba56f8533cf115fd32633a