Malware Analysis Report
2024-11-13 16:41

Sample ID: 240126-hj9qhahebn
Target:    76ab58fddc3a0bfc0befb9c1840e58c0
SHA256:    1476d58e91f48e2f1a549b08316ea6a465b85edd954d01b4d33a8c86ac56898e
Tags:      dridex botnet evasion payload persistence trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:        10/10
SHA256:       1476d58e91f48e2f1a549b08316ea6a465b85edd954d01b4d33a8c86ac56898e
Threat Level: Known bad

The file 76ab58fddc3a0bfc0befb9c1840e58c0 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-26 06:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-01-26 06:47
Reported:         2024-01-26 06:49
Platform:         win7-20231215-en
Max time kernel:  149s
Max time network: 120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ab58fddc3a0bfc0befb9c1840e58c0.dll,#1

Signatures

Dridex

Tags: botnet dridex

Dridex Shellcode

Tags: botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\TiX\cttune.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\lO47FAabQ\\winlogon.exe" | N/A | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\TiX\cttune.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
(61 further rows with every column reported as N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1136 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 1136 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 1136 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 1136 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\TiX\cttune.exe
PID 1136 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\TiX\cttune.exe
PID 1136 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\TiX\cttune.exe
PID 1136 wrote to memory of 844 | N/A | N/A | C:\Windows\system32\winlogon.exe
PID 1136 wrote to memory of 844 | N/A | N/A | C:\Windows\system32\winlogon.exe
PID 1136 wrote to memory of 844 | N/A | N/A | C:\Windows\system32\winlogon.exe
PID 1136 wrote to memory of 2544 | N/A | N/A | C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
PID 1136 wrote to memory of 2544 | N/A | N/A | C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
PID 1136 wrote to memory of 2544 | N/A | N/A | C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
PID 1136 wrote to memory of 2128 | N/A | N/A | C:\Windows\system32\mblctr.exe
PID 1136 wrote to memory of 2128 | N/A | N/A | C:\Windows\system32\mblctr.exe
PID 1136 wrote to memory of 2128 | N/A | N/A | C:\Windows\system32\mblctr.exe
PID 1136 wrote to memory of 2096 | N/A | N/A | C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
PID 1136 wrote to memory of 2096 | N/A | N/A | C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
PID 1136 wrote to memory of 2096 | N/A | N/A | C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ab58fddc3a0bfc0befb9c1840e58c0.dll,#1
C:\Windows\system32\cttune.exe
C:\Users\Admin\AppData\Local\TiX\cttune.exe
C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
C:\Windows\system32\winlogon.exe
C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
C:\Windows\system32\mblctr.exe

Network

N/A

Files

memory/3012-2-0x0000000000110000-0x0000000000117000-memory.dmp

memory/3012-0-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-4-0x00000000772B6000-0x00000000772B7000-memory.dmp

memory/1136-5-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/1136-10-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-16-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-23-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-29-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-33-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-35-0x0000000002DA0000-0x0000000002DA7000-memory.dmp

memory/1136-34-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-32-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-31-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-42-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-30-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-44-0x0000000077620000-0x0000000077622000-memory.dmp

memory/1136-43-0x00000000774C1000-0x00000000774C2000-memory.dmp

memory/1136-28-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-27-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-53-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-59-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-58-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-26-0x0000000140000000-0x00000001401F9000-memory.dmp

\Users\Admin\AppData\Local\TiX\UxTheme.dll

MD5 0d409848b9584d57c06be49afd8180db
SHA1 0bf53f74cd8b68afa3decfddea6900e85e906115
SHA256 f1ab500955c1cc1c4d6b47eeb06ecfc26484bd163909bbb43c9df486255e52fb
SHA512 5e510fbeec88c2cf40a9d6d4d7d7b4fefee416c7671d9e92d024f23984cdaefbe906bc6173f861ce2940872e6d8b62d50d432040abad3323fe41ab015d9f7302

C:\Users\Admin\AppData\Local\TiX\UxTheme.dll

MD5 1b6ec3f2058d3415c516de33c94b513d
SHA1 6ec0de533519894ae575ece478927c252615153d
SHA256 aefbb5edcb48fef2ec95b024efddd15900aca347f84359640708edfb7eafc280
SHA512 ea69938041d65cfdd5d3aded737fffe4a7e749c4309b6922a4d5c84c225ce8faadf530366bb27d0c9e714abfbd700f62ac1295ccfc6b480c72d1205e8c80f4f3

C:\Users\Admin\AppData\Local\TiX\cttune.exe

MD5 44befea0f5aaa8cd40f2de96b23e9267
SHA1 7b34d5d3b663a09cac8121a1e92b5774bc46f585
SHA256 5692265cc46b170529c3a3ceefa20ab51fcba4f0796783f7d0c17ef30a856bae
SHA512 816dead7477c04ebafff367705ef93364dab1f09bd9b003492abf4dceb830dda06e498be2ad4598af3b9e378f8e600ddad4c72f50fa53bfdf9fdf3ae5acb21b1

\Users\Admin\AppData\Local\TiX\cttune.exe

MD5 7116848fd23e6195fcbbccdf83ce9af4
SHA1 35fb16a0b68f8a84d5dfac8c110ef5972f1bee93
SHA256 39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6
SHA512 e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

memory/1136-25-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-24-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-22-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-21-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/2644-71-0x0000000000180000-0x0000000000187000-memory.dmp

memory/2644-72-0x0000000140000000-0x00000001401FA000-memory.dmp

memory/2644-76-0x0000000140000000-0x00000001401FA000-memory.dmp

memory/1136-20-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-19-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-18-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-17-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-15-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-14-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-13-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-12-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-11-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-9-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3012-8-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/1136-7-0x0000000140000000-0x00000001401F9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\H4wcV14ff\cttune.exe

MD5 bb1fd1e5f83fd78003860ec0eb221082
SHA1 d59363615c899085f7cdfab86265816ebc2d0795
SHA256 baaf6c28b879064918c1af4b8e9e8ed247d56dd9d7c75f18341b72aa1a2436f2
SHA512 daa488ccd8312b47a288513b8857867f94e0ad99ed099284c66334914617293f2a4dfbeb8d014f795819137679bd0558bfb6d7edfe357cf6b158fa20f7c74b3c

C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe

MD5 9323900374eaa65fbcee7eab34cadea7
SHA1 b8b32d0fc17a987c867b85dce1b668f25685d2f8
SHA256 4dc21d12954e9d5277078bf283f6070b875ed58ac67ab3dc2a9e2ee4733389c8
SHA512 a504c0443ef6cd80cf54dbecb2dff416bf4c5c5d036bb4484dc9ede0682fc6e71ccaf6b2aa2079f6e48d642f3fa37fd5cdb01533210c68f33005e3300449c37d

\Users\Admin\AppData\Local\jA2dBf8\WINSTA.dll

MD5 3dba63b890aa64c43a045b2dafb1dd4b
SHA1 124816b8d125a648c629c59f04e86e4bed5b920b
SHA256 c73cd0b9832eccd67e41a57431ad17a06118ebe4757e843554bb1073b653eeae
SHA512 9e60c15fe919b1ca3748a7481622eea44caa37c46b25f70fff1fa8a2c4a34457568b9fec87edc10e84267508b629bba3d2d5b15ba896234916112a4df4fb7f6e

memory/2544-88-0x0000000140000000-0x00000001401FB000-memory.dmp

memory/2544-93-0x0000000140000000-0x00000001401FB000-memory.dmp

memory/2544-90-0x0000000000200000-0x0000000000207000-memory.dmp

C:\Users\Admin\AppData\Local\jA2dBf8\WINSTA.dll

MD5 c96360e6e05f05eeadbb8eae0266f609
SHA1 9341b1a0fb611b385ea81bf37d8b05f8f7862c6c
SHA256 eb334135b0505b07318554972d74c7ea53be69538ffb2d129cadd4d1abd61b9a
SHA512 339b9c56d96353992c93b359923bea5503cb3a5da30f835b4abefb98f0be3bd9a3e7e0911defda0fac3902ff6d7b7a3e7f44311f3f8bc7c468c0361b98766e66

\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe

MD5 d31d5a29863c6c2db208360ba1ebf98f
SHA1 47176cd3ccfd2da11d96e4b1cd9f8d1d1c1c52ee
SHA256 3a8c5658c4e775702f2aa285cf91434eae26ba7d697625400edb3c36cafd732b
SHA512 b08d4659ed78d8f2eed9db58801fbcf64c8417c443fe349f481aca3ee2c51ea6660f807516d351d0ca1f5c7472ae503396c98a426e0029b68de3a5d5e01ab221

C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe

MD5 57191c528425ddd52233a5d6d6786fcb
SHA1 ba77b08547b2ea187d558adfc4c90c39e7088277
SHA256 637e3fa140dd87926ab0f71269160d2e7b41d094ae276666330b102a250ab3a3
SHA512 9947f8173188d2159667773ca1def6ee548dbcda030e26cf9f24b70bfed5bd716c98c356cde94a03bb00f94c6edf000bb34caa20234073a93d5fb8b7bc7273bd

\Users\Admin\AppData\Local\bfo9Gpgv\UxTheme.dll

MD5 a79a56d0be7a15528e71c6e5e1a04211
SHA1 feb9cb7bbd168183d0ed928e2eea4fe8a19e4662
SHA256 f180e706211d2b755a94cfea322d6692bd6ca05dfae5b547a9d9cd6f4f75cc2b
SHA512 cea0d44f145298de0f5a7400b4741ce6507434f78d508c48e0a5522c1811148c7d04ae59ddbd75c0b67f4c43a98119547c0e8d473e2d56d26ec46778fb0c2004

memory/2096-112-0x0000000140000000-0x00000001401FA000-memory.dmp

memory/2096-107-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\bfo9Gpgv\UxTheme.dll

MD5 072d5235099a241a32aba0bb0b0a21a3
SHA1 1d6a4196032f6c1f8832acf87e876f64c936849e
SHA256 e019e4274f035e14d2b65eeeed7f8ebe57bcf40a8f94d3e860d743c28dbf0d9f
SHA512 64d0ec0a84747ce13b0d8370c7e828ee3f77acf3bf29f862029e6d1a3264fc8efa260e731ce9c67aa0bfff75459228871aada016215c171c8b643aa28b812dfe

C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe

MD5 844d6807a09af61035e815d74b735fe7
SHA1 a31a2deca0621e931e8cdb124f521449de40de47
SHA256 d1ddda41776efbe954dd50a0533c7f5b0757065395c7829bdfe04fa7f026ace9
SHA512 4c6a8e6d7b376fb0d315606cec83e087799c093e6e9bf331dd89ce15d5c79c3407b8d52cc5e08b29cb671c2a47c8bbd3cb34f71aeada0789fb01e550ff702818

C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe

MD5 b7345aa83f5d30dc4f26945b08051a63
SHA1 1e61be248a98505b2007a91afcfa69aa856487df
SHA256 c6e27232e43bab71261f3bb36c8a4a51dfbb33ab068c2defc8e1e23bc6d19735
SHA512 76e6205f3a97e7a9981a42256bbd7596ce16018d7ce701b01ba29f46467de5105536cf96711a5b7a7918271bf29773a627016fcc803db12ed1b44c1c69ce3fcd

\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe

MD5 99d79c3e9be254c678f92b5eb96fda5b
SHA1 a4cf8c2615b7a5cba2113b51c2579a4ed876fa63
SHA256 5dad20631948b1028e782361dc9373d280ce393b562960b9efd120b400b8e4bb
SHA512 a26d34ad6ece2d6abc92721c422595fe31def90f3ea576748549f54206e0824db0a3c8547f495125ca438afd0f50eddb4a2dfabafd78b10eedbc6e8a9b2797b2

\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\2r9LtEnVR\mblctr.exe

MD5 fcdeff5e3f432c5b2eb3f6e5963c8c9f
SHA1 5fcd8a390143b12ccb97ed49513c231bbb097b07
SHA256 d79ef8c29f7412343f44551b2d4b17d9209b52a4732aab27957b64f4c2ebc07d
SHA512 2dc0c27b1e57566ba611b45596eb4edaea8a45d54de5863f69ef23f7f6e402196cd50bc61e222e2aee8e8d62236a7e55e2cde8f10c3c75ef10c9223f1cd9f3cc

memory/1136-135-0x00000000772B6000-0x00000000772B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 bf98aa7d4839e56d3ccf3f2fad838d5e
SHA1 414e271e52a71c35fcd22c04c4f4d47be4fbb2c2
SHA256 65e78437569d637b61aab4b9ae1bea0c4f1333627dca3331afaecb199e45c33f
SHA512 2e7f8f31d7ac4734174efb79caa5faf1e91e924894cc64d5815c288df5f72fd0fb67f03298868e199929743d5a17cbc4cf6f3cc73dfe0563535260d3a0d23394

C:\Users\Admin\AppData\Roaming\Mozilla\H4wcV14ff\UxTheme.dll

MD5 3270731020a6bf5f7e857d317b7011ac
SHA1 219798b9f3f7bf3ac792f26206a96a7e711d41db
SHA256 f87f1fa30faaff0c45828c2ee08cfdb712f1053b15942bbb8aa6734fb3f881de
SHA512 e3de5b86d293b8fb068738795eec07a742bf52f79b24c6f6c08cc132fd3325827c32fe19357c405ffd8fa2dadc14ffa8ea65f86dc38663ea6c04c1dbd6ebb693

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\lO47FAabQ\WINSTA.dll

MD5 d320497321e8f24ba027347416da2f88
SHA1 700b0bb714da82d373443862d3fdb33da91222ee
SHA256 f77bc99f2ca480d561eeb621c6df89fa06dc199199135d38042f2b36052d564a
SHA512 1fc289fd7b55230b4773563f2837dda825a8bb3d39a1043b0658a4dd9109c6b2b5549228a55b533281595ca2bf12fa9453ef150ce92b324f1e4f696d58ceeea8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\2r9LtEnVR\UxTheme.dll

MD5 df29c4eb083b47bb14333c66ec7defa1
SHA1 290aebc4d055c0f205f8d005ecbe1cb9b009c991
SHA256 f4447b5a498232610195dd5b4624ab522b6b9ae9b6e8b9d90ec6e504f013b0b3
SHA512 ef9da61e10174b9e4d95fbcf1d2c4850c04f51d278f41c9d3a1c8d0990402b3dfaf64428bd0101e4f90b257c10cd3268a970def51adc398c46a8a491f66b3c05

Analysis: behavioral2

Detonation Overview

Submitted:        2024-01-26 06:47
Reported:         2024-01-26 06:49
Platform:         win10v2004-20231215-en
Max time kernel:  149s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ab58fddc3a0bfc0befb9c1840e58c0.dll,#1

Signatures

Dridex

Tags: botnet dridex

Dridex Shellcode

Tags: botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\YoSD0KT\\sdclt.exe" | N/A | N/A

Checks whether UAC is enabled

Tags: evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ZJE\Magnify.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
(60 further rows with every column reported as N/A)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3600 wrote to memory of 4196 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 3600 wrote to memory of 4196 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 3600 wrote to memory of 4276 | N/A | N/A | C:\Users\Admin\AppData\Local\ZJE\Magnify.exe
PID 3600 wrote to memory of 4276 | N/A | N/A | C:\Users\Admin\AppData\Local\ZJE\Magnify.exe
PID 3600 wrote to memory of 4868 | N/A | N/A | C:\Windows\system32\sdclt.exe
PID 3600 wrote to memory of 4868 | N/A | N/A | C:\Windows\system32\sdclt.exe
PID 3600 wrote to memory of 1088 | N/A | N/A | C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe
PID 3600 wrote to memory of 1088 | N/A | N/A | C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe
PID 3600 wrote to memory of 2828 | N/A | N/A | C:\Windows\system32\msinfo32.exe
PID 3600 wrote to memory of 2828 | N/A | N/A | C:\Windows\system32\msinfo32.exe
PID 3600 wrote to memory of 2708 | N/A | N/A | C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe
PID 3600 wrote to memory of 2708 | N/A | N/A | C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ab58fddc3a0bfc0befb9c1840e58c0.dll,#1
C:\Windows\system32\Magnify.exe
C:\Users\Admin\AppData\Local\ZJE\Magnify.exe
C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe
C:\Windows\system32\sdclt.exe
C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe
C:\Windows\system32\msinfo32.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp

Files

memory/1568-0-0x0000026E08C20000-0x0000026E08C27000-memory.dmp

memory/1568-1-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-5-0x00007FF8899BA000-0x00007FF8899BB000-memory.dmp

memory/3600-4-0x0000000003070000-0x0000000003071000-memory.dmp

memory/1568-8-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-7-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-11-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-12-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-13-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-14-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-15-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-16-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-10-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-17-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-9-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-18-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-19-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-20-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-21-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-22-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-25-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-30-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-33-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-32-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-31-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-35-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-34-0x0000000000E80000-0x0000000000E87000-memory.dmp

memory/3600-29-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-28-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-27-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-26-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-24-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-23-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-43-0x00007FF88A5C0000-0x00007FF88A5D0000-memory.dmp

memory/3600-42-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-52-0x0000000140000000-0x00000001401F9000-memory.dmp

memory/3600-54-0x0000000140000000-0x00000001401F9000-memory.dmp

C:\Users\Admin\AppData\Local\ZJE\dwmapi.dll

MD5 95beb85ebb3d9feecfc5fd2e0eed5884
SHA1 454a35c9d1e44f53d3e16eadbfacc055adecd697
SHA256 4770f8c5b23b07bf72b7944da99731922b28ad3ed08a2b2a98515d091c0ae019
SHA512 bb5624f85f367af7b328bc89dbdf7c3bf835e975a3cc45fcbceca1f229d2029df2a9fd1b1496b841ecba71cbbcce9cd5d498b3cde33d822679ea7c69ef7ede11

C:\Users\Admin\AppData\Local\ZJE\dwmapi.dll

MD5 2287a38a76fdaa3ccb60ade49f67d862
SHA1 f85f513abd19d9b4569cb54c6767ec03a1d0d0d1
SHA256 47fbd9ec6608008ae27e3f50e7e46f6ead13416bd80ac02278cf0ebeae3fdf8a
SHA512 93fb74f26f220b2a487736ccabef3836cb9fcf234ab8c841dae41788a497c562939d5813fe1b12d05b6cc24d51d7195b2314ff4b1b3558dabc4a1e290e244335

C:\Users\Admin\AppData\Local\ZJE\Magnify.exe

MD5 915851f133bd9c0e431e73b1cbd21550
SHA1 24c0cf0aecbf709ec0a178006ebd05ed560f582f
SHA256 07f5b6960262f063136e017384557643df57e073d7d8c7bdb812af09da64140c
SHA512 ee67b1913ec5d92316b0106be2b089d34797af158c7266fb6205885438c79e390e9f269152ccf31a26d375f4bbc52f9e26224bd8090c47fbac2af5931f498e8a

memory/4276-63-0x00000202468E0000-0x00000202468E7000-memory.dmp

memory/4276-64-0x0000000140000000-0x00000001401FA000-memory.dmp

memory/4276-69-0x0000000140000000-0x00000001401FA000-memory.dmp

C:\Users\Admin\AppData\Local\vs1F3kfd\WTSAPI32.dll

MD5 5994182c37adc884cccbc50f16e5bcd2
SHA1 653452f3bfc779492258e1f763d56a855ef66e9f
SHA256 76bb5136a60f8b38417ef1b59f9d21904c3bbdc2d1dc6bdd40acb6553ee50772
SHA512 cfa2a2b283964b2a2f8676cf8c2bb2b58800ce7644e8cf2273c841baccdb4d91cab3ef99ebf7c8da40a2cba4c89570ddb0b7cd4b4141145ad101aa825d60a7d5

memory/1088-86-0x0000000140000000-0x00000001401FA000-memory.dmp

C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe

MD5 dfa53879ba72970e4d284b6d5f8a50e1
SHA1 81d25825f1fc03052ca177cce6f9da5a307c0405
SHA256 d044b2b516a51f1288e4ff126831b5072c0e5413bfc59d85de5c0e3f8f7f1eb7
SHA512 65b0d99f69c16112e6611d69d88ed65998c3c5d58b262221bf0a46ee7e74bbdb3149a6f43daa865acccd89bd6f54b5d505f532cbeea55f620758683aea43fc72

memory/1088-83-0x0000028CF1EE0000-0x0000028CF1EE7000-memory.dmp

C:\Users\Admin\AppData\Local\vs1F3kfd\WTSAPI32.dll

MD5 35196c56a058582ccad07a996ed9b024
SHA1 abd05efff5c91a1c6fbd7476c9a1f57322486f60
SHA256 9d7111bb2c827c08535978d480d115939a78ca19c4a804c887b37c349a41cbc2
SHA512 560f44495b84136d873836eb47ce30d2f989f7294680a2f0ada77f202354efd4a503429ec583c1e20a47e4a57f1cd5030b3f81bc57ae29cb84026980f4916b03

C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe

MD5 46f63a256874f0851cb07386ce5c43e2
SHA1 1dc73fa9e6771df0ac20ff10e3e64a3abd369dd7
SHA256 a55e6266f8477403232f160134ea9d399b93b9da17e4582e1ccf83d2c6eef113
SHA512 bf53443044ddaf6491472120799963925a87d31e92b6a0c53892953e9ab40ed0f1522356d631abd4556ab16f14ed88fb59876721f22e911bccea77bd2858a438

memory/2708-97-0x0000013391F50000-0x0000013391F57000-memory.dmp

C:\Users\Admin\AppData\Local\rYGJ\SLC.dll

MD5 b913937015b92cbde1ad3b0471a76b28
SHA1 33272e40934a81e62d5a9813633042ff1fd731b6
SHA256 5c88d69b72e77eca7fcb7b77c896d5c2880737147f2880b58b5f153c3e29760f
SHA512 f7b8ef56e64c95d526264f6499b42c9081a60ee0019794471d8d9f31436729f921a1e64746f022ac4de7730e161bbc123f13c2eca333277e8bd5d6e3a6d20572

C:\Users\Admin\AppData\Local\rYGJ\SLC.dll

MD5 be301255ab82f72a9acc9b65fe784ab6
SHA1 db0ebba36a4685b08542eb201926f52ac5fb112a
SHA256 dfc7b330c65ec66cfc9413eff06ac5bd7fd0ef7d88e76a3e9882b22af1dabd32
SHA512 f77e1c407963725ca8b2a611fb4ca73b44d30b765e6eec450d2bd1d8cdba0c6dc6aca57377e0df7740256588a52d4ee80a075dee666089a5f21beca25d1b5c89

memory/2708-103-0x0000000140000000-0x00000001401FA000-memory.dmp

C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe

MD5 ee7c92dbb5f2c94e227637dec29c4f0a
SHA1 2de6d2c2b6c3f0bb6779a7b60b20fe6da8a119a5
SHA256 e034865d69650c30f02c0054b594207d35ff72358ac479503d08aa829f505e74
SHA512 b7d484994f7cc42e7f01c7c92b4cca154a0ba049298b17cd5e644e18a16f52758ad22c548df6aeaf6a2fbd59af490f85688080677d0499f8ecdf9ea387803aca

C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe

MD5 54501828e12542a579b8b18e238401f8
SHA1 e09586b324df680ba85ac31fc757556df8b5555e
SHA256 0a8864c458a49fa0c01c3c257726ddd30182ceaed7a1714884213922975f49bb
SHA512 39f36ddf4481255f4bfee933e2cd748e7245a487e688ff36877b8ddb01c635be827f2a280f78392ffd842428cf342be725cb1481a2cf06a4ef087813c99250b3

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk

MD5 6909f4fe13b480ed47992f0309f9ccb7
SHA1 f0d4cedc0ef187449bcd071b71bc04e0841c7319
SHA256 0fde514a5ec438f487a507930265f48d171749f2d6b73eda03fc0adab6b55e20
SHA512 38a1eeece6f63b4a8b1abad3ee3bc7c4f3905bf61a17abff3fe268d2ba466685fc529ca7c399dac76bb242e41042ae735c3e5a42ba7c309d5a325fbb9acc1f7b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\2uWbturT1qt\dwmapi.dll

MD5 567f432979d582531f403ca45bd5f6f3
SHA1 b8568ca8bba311fff33aa90f636800e44eb5e14c
SHA256 cbd61e6a2b6a2815d38e7f48e7f97012215ac10509657ad6c30752e1c24397fd
SHA512 741362cffd484a51864e12bb1a51b4e33de6af649f580ac11f250cfb215f5339346bd47b2db0497ad59208c7c98a2f8980a289de69e843fa7fa82cc4d154d3bb

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\YoSD0KT\WTSAPI32.dll

MD5 6f36a8cb34f492831b93691b1ade1ab6
SHA1 df71e34d69f116d16b626542a0239474568aa05d
SHA256 5e37e9525728379d5987677e8cf73091d43ec9f8538c95512bbe0f7598893824
SHA512 a00d71b8163ecc9e40c2bf9ba3f05cb51dc3f614510390427f4dcc4e4a44e3a627ceb0ddf63af74d98d06aaed6230a210c8d3c692da4461ce9cf1ba490dd5ed7

C:\Users\Admin\AppData\Roaming\Sun\Java\O0L1lh\SLC.dll

MD5 0b1e6a95de1b74c3c47c54ef2efc10e1
SHA1 f72e212a29b2fd16c0bf3ee52266d43f19b5599c
SHA256 20a3e395b16491cc0bc177f786144edf93a991c5415d08d1c4aa8d17ea96644a
SHA512 54e4b5e432b35809b7f69364e316d0c61b88ff76c06c92da996b91ecabe4a6dd46609117c38981aafc1984284fbba16ea1cce5180b19c6b0603c3ca56444c97b