Malware Analysis Report

2024-11-13 16:41

Sample ID 240126-rb1x3agfgk
Target 778d4730d5f23525661b573a83f5a65f
SHA256 72ab82c1cb0c63ec0a02f3bd9061de964700d7490d0704cafc3eb3459b0e906d
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

72ab82c1cb0c63ec0a02f3bd9061de964700d7490d0704cafc3eb3459b0e906d

Threat Level: Known bad

The file 778d4730d5f23525661b573a83f5a65f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 14:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 14:01

Reported

2024-01-26 14:04

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\778d4730d5f23525661b573a83f5a65f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\PBI\msdt.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\k4xPwzO\\rdpinit.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\PBI\msdt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (61 identical rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1252 wrote to memory of 2584 N/A N/A C:\Windows\system32\msdt.exe
PID 1252 wrote to memory of 2584 N/A N/A C:\Windows\system32\msdt.exe
PID 1252 wrote to memory of 2584 N/A N/A C:\Windows\system32\msdt.exe
PID 1252 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\PBI\msdt.exe
PID 1252 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\PBI\msdt.exe
PID 1252 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\PBI\msdt.exe
PID 1252 wrote to memory of 1156 N/A N/A C:\Windows\system32\rdpinit.exe
PID 1252 wrote to memory of 1156 N/A N/A C:\Windows\system32\rdpinit.exe
PID 1252 wrote to memory of 1156 N/A N/A C:\Windows\system32\rdpinit.exe
PID 1252 wrote to memory of 748 N/A N/A C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe
PID 1252 wrote to memory of 748 N/A N/A C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe
PID 1252 wrote to memory of 748 N/A N/A C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe
PID 1252 wrote to memory of 2964 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1252 wrote to memory of 2964 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1252 wrote to memory of 2964 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1252 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe
PID 1252 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe
PID 1252 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\778d4730d5f23525661b573a83f5a65f.dll,#1

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Users\Admin\AppData\Local\PBI\msdt.exe

C:\Users\Admin\AppData\Local\PBI\msdt.exe

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe

C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe

C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe

Network

N/A

Files

memory/2144-0-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2144-1-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1252-4-0x0000000077716000-0x0000000077717000-memory.dmp

memory/1252-5-0x0000000002960000-0x0000000002961000-memory.dmp

memory/2144-8-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-12-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-16-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-15-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-17-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-20-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-23-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-26-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-35-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-39-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-41-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-40-0x0000000002250000-0x0000000002257000-memory.dmp

memory/1252-38-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-36-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-37-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-48-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-49-0x0000000077821000-0x0000000077822000-memory.dmp

memory/1252-34-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-50-0x0000000077980000-0x0000000077982000-memory.dmp

memory/1252-33-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-32-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-31-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-30-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-28-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-29-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-27-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-25-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-24-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-22-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-21-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-55-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-19-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-18-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-13-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-59-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-14-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-10-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-11-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-7-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-64-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1252-9-0x0000000140000000-0x00000001401B6000-memory.dmp

C:\Users\Admin\AppData\Local\PBI\msdt.exe

MD5 51f6e08c39f2f1c46e1f80c3550f6596
SHA1 fd59a0e6fa4c65c78ab45ee435c6db93c06281a3
SHA256 ffb68ab699d32900cdbf2b1d3c8a7a71dcc7e2ac0884c1d170e14458eea0d3d4
SHA512 3d502d0a0810f686f85047f80075f6eaf1515695fa21f5c582781ab7857a022eba22b39d97e895849848371191f5a4e58a017251afd8639759df0610b0694451

C:\Users\Admin\AppData\Local\PBI\Secur32.dll

MD5 7d68750f6a08025d0728ccda2a9d5fcb
SHA1 b2ed946722ef9d8d255ba2c787e6562863a3e84d
SHA256 8ea501d2d76b7ce1d48b8ca2c6105866307c55c95ceda248d87f6532b6171fe1
SHA512 81e1ea131fcafdaf8fefd910b9ebe80f5cf702747a440beab03f51f6b4caeb7e962dd60d282290b8a4ab2772441bf5aa2ab5ca334925fb8600b451dbe73f4908

\Users\Admin\AppData\Local\PBI\Secur32.dll

MD5 c0878943b28d02d694d1ce5a86752c5f
SHA1 90d1f8ab98c5fa2e7bf12c63d90d4044e0bacafa
SHA256 9a77faf54407ae848e9ba95ff85fc2f40ca8cf65e2fefa0e9d9c9c963d3f409d
SHA512 1518d9f1eb279d116002a7f297abc6b157ca6fc130764b4450203be9327f24dc055a670e66a150070e1f22c03652c7dc2a8e62c5444c8f8171ad996c9546f41a

\Users\Admin\AppData\Local\PBI\msdt.exe

MD5 ec4e80eebeb4d2726a8961bb67e0885f
SHA1 764a9cf67092dc1616b1a01b9fa96c4adb02b1df
SHA256 1f1f8a3e54be47828cd04304e4fff7e7e7b6d8d5a75d72911bc6efbddab2b4e6
SHA512 5edb21333062ede813d0b0a37013cb77e380ecf7c582966d41fb4496e51ef92d89eb80910e7015a46edffb8cf055e88670749e1bad9349540c4841d9071d98a5

memory/2640-74-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/2640-73-0x0000000000370000-0x0000000000377000-memory.dmp

memory/2640-78-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\PBI\msdt.exe

MD5 194c73b7fadb1e79c1c84d092663177a
SHA1 8ee6a5a2b82dbacb7cef6c067b5fd86051a65344
SHA256 ffabd359a9f4de658a9f4bcf2b0cec251f5c73bec5936a2ef34536a4a550e209
SHA512 daa279fc2c5e597eaca287b0bf781756128d722ac8e9c49a9241bff3551f64706b357302d019eb57056fdfe55b0405ec7a5eb07a569740f43adeb60525a358ec

\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe

MD5 a6a11c90b70811659e0750bd93902046
SHA1 c4fb3c93a3297ec80dccb0f349f0a177e75d5e1c
SHA256 6cb0ffbce52e31367d325e6a58b2d5454b824bf5a791f0a597e4421fd597f595
SHA512 546f6a6a57f35d0c3d3b691b0eb78c4c4f60124d723ef339bc4da1f88c384f7b604375b4c83dda6c2f244c38ade28357c5a220b271b5a96df2735e50935662cf

C:\Users\Admin\AppData\Local\ysgckb4kP\WTSAPI32.dll

MD5 26ad07a4770912eec58abd5644213b73
SHA1 7f715a1047daa2bcf046c93c07a8aead826749d7
SHA256 16962166f1713410aabd8cbbbb67c0e7c1bc68984fe17eb54a106e0bf2e58bcf
SHA512 8c9e68c729dda1129f007ca98e65052e07358168f7f03c66219fb0cd944248133d6fffb520c04e0f87c92d43ed539675e0fc213b871dc16d33ccd66652ad955e

\Users\Admin\AppData\Local\ysgckb4kP\WTSAPI32.dll

MD5 4b0315183eaa630e6e44532fdc09bac9
SHA1 78f77533a62ec802aeeb673aee709bc89efcb8d3
SHA256 931ad1a4fc76006966a9b8b2d80a1cd4447d5fccf08086343d561f94dede683f
SHA512 9163e88d4eb55618fc39b8cc34b87cba0cb60340e9c52d10585b842ecac6a81e7fa39610aae212036df1ffa68f920d315acb030c6e64a2bc5e29c29850c17421

memory/748-97-0x0000000000170000-0x0000000000177000-memory.dmp

C:\Users\Admin\AppData\Local\ysgckb4kP\rdpinit.exe

MD5 c95c06ba102102a26de91a3947927ec6
SHA1 e4cf659a6c1931493c746e908a1b9d4b4536226b
SHA256 62874984595212117ac92983e9c1fe90f27373e8129855f211c38f4d80644bb3
SHA512 54568b4068b823f4b62122759dcf22e8f326d86618130456a8159c22598810790f4ed2afd7369ed5863ff552ae34cf011557dea9454e1d49ef6e2fb445245e50

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\k4xPwzO\rdpinit.exe

MD5 f8901aaa6a4f1114c6ca42bfd4955ae3
SHA1 9dac033f80a3fc94cf7751f5ed0da4b4021a1245
SHA256 6d4161e1ddc6507922433455ab620daf6bd66d44758fa307a5d6e136797890fd
SHA512 15ca01e6018fc4e8b01ee4285001a9c3f23789b395b6b2f4dad9ae0d1143165fa05f7e5835f34c231907a0466de8ff64de8ace4fe381aaae74bfe3d60daf53de

C:\Users\Admin\AppData\Local\riKqWacaW\MFC42u.dll

MD5 43e4456d9539163197a0ed76f2b4e30f
SHA1 437908db9834ee8b5934995e3f74442334af7560
SHA256 bba1d292dd66ca86230ec459bfc0d4eb64d9b33070282583fd4604a512495a42
SHA512 04c48b782b156a8b33d9acbf17ed8cc3ed80030fdc0522286476fe8ce8eb761bc975d8b24065a415c80550eb2a87c0ddf17b09e37cb215623337cc9bfda07dd3

\Users\Admin\AppData\Local\riKqWacaW\MFC42u.dll

MD5 476cc01f8ea1b82107107322578d665e
SHA1 74763e32aa08e3683c663d60075c9c5c95472198
SHA256 a246164225437b43336c2bd39aaf26da68bb8f1022a28f9b2268e0521d0ec30f
SHA512 04b33a2500c370bcd5b48a7d1d77f8687aaf0a980fb057dc34a7ba267f8bad9fa96116df41b261a15201245a79bfac9100eaf5a9a4f0cceeb5549f144ecc374b

memory/3016-114-0x0000000001B40000-0x0000000001B47000-memory.dmp

C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe

MD5 698715487f6176f68d70ec6a90bd7455
SHA1 7877eb01ddd7e01b4f3dd5d5da5e974b66b6f789
SHA256 47d6ed10b22984428964d9749565cea365c9c3e9eca0903e0246ded4203687d3
SHA512 39b02c4f04e3a9dde4ecb03bec9a8935ddb0c305b90f5c9595a2244cbcbf2ed41063ced405f8b02d762e618c51d48f5dafc96b3b23e888b8b3625cf533ad29f5

\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe

MD5 c594432d751279e1d640d8706d1ef786
SHA1 5f778437dd968356917a8e4e2bf48a8461833568
SHA256 babb74b5b305291e95a46b9261da770d5e9713d7ad4dfdc2a491ff8ee6e23c5c
SHA512 f31c88a4b00cb1e5372bca0ba3f407fdc9d6366328bbb988198244b27ffd70c6add2ef0c175e87270924ddeda8086fcabf6bfb3a92a6561ef05a302dbee075d8

C:\Users\Admin\AppData\Local\riKqWacaW\FXSCOVER.exe

MD5 d93aaa73de5c563f11fb8dcc44dde566
SHA1 37020f3b5661d13a1b38740b44eda063a0c53285
SHA256 3a431d3d3b48e1ced4d6357b89e9663df5a809921d1a9cfc20af785c255d3a73
SHA512 8c753900ca7ece8b7bc719b9213b1059ec9ddf0d15b7806a70d3a43eea3d448ef3e4bbb28bceb43323acc4528f3e5711912ac284c70faae36a0717008813f7d9

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\awdcnB3Nw\FXSCOVER.exe

MD5 2f70b2d1e8ba87cc3d27c1b86d2bc550
SHA1 a9bb005d93fb9136824ec721ed385a6d1e6f7069
SHA256 2aa21e22cccff9419a2fa7a5eaa16319183e0be7633f0482aacae59ada5adf1c
SHA512 eae423d85c633a07415fc5dfdfcb333cddcb4fc22ad72cd39c556814c7cd1991aae09e1a697b58540441d3746be4b4b12cde481bfbce7dbce73d01d9dcc717ad

memory/1252-136-0x0000000077716000-0x0000000077717000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 16999e5b5f4784468e4872f5d1d6e6f9
SHA1 53a017ba930a5ec781a5ce6072ea1de98c080abc
SHA256 b456a24b6127ca4c6279c46dc0fd3bcc5392939fc2ec16f4e5ba627ca61a574d
SHA512 30789583fa7cd2c6ae4cd0939e9373c23080003386d18ef336685b7f4faee122e42bcd49336cb3b37061ec5329756d3b35af30052adcbd7dde0b24f587d4ca17

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\KJrtmDIX3HO\Secur32.dll

MD5 84f9c9fbf14549881f72d7cf6c615974
SHA1 67706faf64b6715fc3da96da3fe946f2e77289a4
SHA256 c59d50c503c181c0af9fdf19a0e448aa98787aaf70ccb0b811d70ef81301770a
SHA512 60be5a635ef6eeb9234398ed2b48b3647844404437a9dd8c616a81d90fad2c3528241042823e297a11479ad0cb0ab6e140599721b180ff6248ed631c1ff75b11

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\k4xPwzO\WTSAPI32.dll

MD5 ac6d82aa633f8a0487594326a7718aac
SHA1 93904096e733057b12dafe4e4152fe2629ee6b8e
SHA256 c50fa5d5483856fb01a99b33466bc83046c4a7d422159bdeecbf39c3ca8c995b
SHA512 022c108aec640fe6fee5809abf075dcf47249802df309559961f548c348641988e89d1d423377d313fb8902904ecf73a11673e6a9d7d2e5a47e0581134e15b5e

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\awdcnB3Nw\MFC42u.dll

MD5 dad0a9b61d0c4c1baa3963c6a70d00fb
SHA1 02d1144208bc83af3d0c82293d009618d4f74551
SHA256 819c7a31bd0d47cd797b7fa8589c1f8caeac47e60f034b40d5bfe2efe736b3de
SHA512 53a208130432f3b63d3dfb63251f210642ac20a60e459b0bfee03d7fc08f5a5ddf3656684cc635382a3221cca6349d4875eaba8708fcbf9bf275b093ac910099

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 14:01

Reported

2024-01-26 14:04

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\778d4730d5f23525661b573a83f5a65f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\62wNgUSp4K7\\rdpinput.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3EQz\rdpinput.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\OR365dd\CameraSettingsUIHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ILOlUnA\FileHistory.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (60 identical rows with no description, indicator, process or target recorded)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3524 wrote to memory of 4048 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3524 wrote to memory of 4048 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3524 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\ILOlUnA\FileHistory.exe
PID 3524 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\ILOlUnA\FileHistory.exe
PID 3524 wrote to memory of 3716 N/A N/A C:\Windows\system32\rdpinput.exe
PID 3524 wrote to memory of 3716 N/A N/A C:\Windows\system32\rdpinput.exe
PID 3524 wrote to memory of 4612 N/A N/A C:\Users\Admin\AppData\Local\3EQz\rdpinput.exe
PID 3524 wrote to memory of 4612 N/A N/A C:\Users\Admin\AppData\Local\3EQz\rdpinput.exe
PID 3524 wrote to memory of 2776 N/A N/A C:\Windows\system32\CameraSettingsUIHost.exe
PID 3524 wrote to memory of 2776 N/A N/A C:\Windows\system32\CameraSettingsUIHost.exe
PID 3524 wrote to memory of 4736 N/A N/A C:\Users\Admin\AppData\Local\OR365dd\CameraSettingsUIHost.exe
PID 3524 wrote to memory of 4736 N/A N/A C:\Users\Admin\AppData\Local\OR365dd\CameraSettingsUIHost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\778d4730d5f23525661b573a83f5a65f.dll,#1

C:\Windows\system32\FileHistory.exe

C:\Windows\system32\FileHistory.exe

C:\Users\Admin\AppData\Local\ILOlUnA\FileHistory.exe

C:\Users\Admin\AppData\Local\ILOlUnA\FileHistory.exe

C:\Windows\system32\rdpinput.exe

C:\Windows\system32\rdpinput.exe

C:\Windows\system32\CameraSettingsUIHost.exe

C:\Windows\system32\CameraSettingsUIHost.exe

C:\Users\Admin\AppData\Local\3EQz\rdpinput.exe

C:\Users\Admin\AppData\Local\3EQz\rdpinput.exe

C:\Users\Admin\AppData\Local\OR365dd\CameraSettingsUIHost.exe

C:\Users\Admin\AppData\Local\OR365dd\CameraSettingsUIHost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

memory/4616-0-0x000002412E1D0000-0x000002412E1D7000-memory.dmp

memory/4616-1-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-4-0x0000000007EF0000-0x0000000007EF1000-memory.dmp

memory/4616-7-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-6-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-11-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-10-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-16-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-15-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-22-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-23-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-24-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-28-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-27-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-30-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-33-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-32-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-31-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-29-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-38-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-41-0x0000000006C90000-0x0000000006C97000-memory.dmp

memory/3524-40-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-48-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-39-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-36-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-37-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-35-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-49-0x00007FFE69F40000-0x00007FFE69F50000-memory.dmp

memory/3524-58-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-60-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-34-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-26-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-25-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-21-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-20-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-19-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-18-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-17-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-14-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-13-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-12-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3524-9-0x00007FFE6990A000-0x00007FFE6990B000-memory.dmp

memory/3524-8-0x0000000140000000-0x00000001401B6000-memory.dmp

C:\Users\Admin\AppData\Local\ILOlUnA\UxTheme.dll

MD5 70d7d8564f5e8f6764e8ba01efe2c9aa
SHA1 b688e28edbb3b3587ddadea0497d29bcef5b1b87
SHA256 f205ed9943460fcd660e59ddc69f56d4f0d2d4befdfc1e1066c8937231446ecb
SHA512 e089d4849833b508cb3dee0854f1d83202cca5c32f91ff088e08dff78b8d2cf8070fe3c53cd541dbd255a5eb657aa437cb5128daaddc85c1a1eaeff5b494d21f

memory/1584-75-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\ILOlUnA\FileHistory.exe

MD5 b259bfc10b1eb89c109bc840c5927a33
SHA1 ea8e883bd8628573a695f5e7316a2174fd9b2b77
SHA256 198b2485ef951d552a22fec9e3c7250f94a7dd3ffd3db63909556e4cdf817387
SHA512 96ad9dc137062221f1813df79540fcb6e593e5597b756d7c60b92362c78485cef8527260d5b28e9e9e71ab1e2896217d89ab229051b2fc296ba8135a9080c421

memory/1584-70-0x00000197D3400000-0x00000197D3407000-memory.dmp

memory/1584-69-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\3EQz\WTSAPI32.dll

MD5 d1e14d377e3852932b064e68815b4bdd
SHA1 7ccbce62539a4208fdb4cd1b9de25a88db55b57b
SHA256 b343b47ddfb95a6ba891f1ea0c32861fd129ee35fdb9bd6be6233afd8d649e1c
SHA512 719c3ddf2e7abdaa2294d5e6cf425587a6e8150219cfd2d55ae1cfba6d5bd226a393e30ed8236b6fc493562147f6133793fde89a1e5d8fe60a72d96e7101bdab

memory/4612-89-0x000002923F6A0000-0x000002923F6A7000-memory.dmp

memory/4612-94-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\3EQz\rdpinput.exe

MD5 df819096c593e0eb4517065091fa539e
SHA1 fbd453245c324a9a725ed09a2739ff21eda32e65
SHA256 77894be49ef07bc2bcc9fdd0b543d96eeb86a6bd6dfdb423617b8dd6b20e71c1
SHA512 79765a71bdd13f5b386f47dc6af23668fc45792110d8244b02ec8b73d30e543e9afafcd60a9a98e8e9601f6646f8215e6f0faf001232c262321362539a57f1b9

C:\Users\Admin\AppData\Local\3EQz\WTSAPI32.dll

MD5 aaca957bea06f0c413cc43d373278ab9
SHA1 4ed5c08126eaa86d41131da65b35d47d739bb23f
SHA256 de606ff3d0ced095a808df46c2710351284ba3eadc19ccf730068c7f88769ef9
SHA512 9b599c9dc4b776d24fe162409891773fc46db741a28e3c15ed3054165d83929409cccb65d7508ec1f1222d657c6a2cb417c2e77e486c95277a199fd81b566213

C:\Users\Admin\AppData\Local\3EQz\rdpinput.exe

MD5 047a1fa4b4508077b121c33b0e8961bb
SHA1 88d45575be36637302b0c80fc5b17ed57f1e07d8
SHA256 dd720f2e1f97263342dc49385ddf2331ade65e548d487532d1084dd9dfeb4e27
SHA512 abecc0aab398226efb5a92cb7f8765844ed64353aaf035ac3a7697ebcd3c7339d431b48112a5dd959e49e3e395771198debff784ead63d799912482ef62d8d59

C:\Users\Admin\AppData\Local\ILOlUnA\UxTheme.dll

MD5 9a629552bd220598094051e6add8a3dc
SHA1 06885d1056dbd4483b1a098ea6ce2483d30337ac
SHA256 8a16472dbe08d90b5e0a56815c72c66f751dea047ef898f58ae4e93242c43850
SHA512 89c23451c6e5deff2386e040466b30c831e5862605da0e5271f57f1278d48eb78333d15ae83863fd1214e7f13c1c473cc58a70da543599217de773e75dbae988

C:\Users\Admin\AppData\Local\ILOlUnA\FileHistory.exe

MD5 98422fa6e3634d976bb2113bffeeded9
SHA1 0ebbdbb8e85659bfbd5ced0d84e01a634c156611
SHA256 3723fd1be24117d4cdc283fbaf7b13ea62aa9ba72496263b9e3f9a3363506d4a
SHA512 ca654412f5c6efc2bf2b1f391e3b1bd007029b297c53a9fd4d7db903b563d3b2ab9c85c38ea1d423194ad8da2f971c6b4d8ac9a34f470253d39106a829c79697

memory/4736-106-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4736-111-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/4736-105-0x000001B82C070000-0x000001B82C077000-memory.dmp

C:\Users\Admin\AppData\Local\OR365dd\CameraSettingsUIHost.exe

MD5 d84edd8bffdca396bc4c10344b2154c9
SHA1 4e54b42f487e588fdfc6ffeb8fef28aefc582215
SHA256 95631f91287943b0bb91f39831e4b0151065707df2dd1e545471dccaafc731fd
SHA512 5fea155287c3e3d9a24ef33189c433a70caf71f4cc1502f614619c1d46d37aff18bad07c02dc5e39e7dd5145ac008f4f60d95b4da1d8383dbdfed294af524822

C:\Users\Admin\AppData\Local\OR365dd\DUI70.dll

MD5 d699e2eb5e20f8280f69215d180cfa86
SHA1 bdd47d3ffaba4d1fb7ed7b23edf11deb264b93ed
SHA256 3a67b4d27805e686e45dafed6cdec6c95b59848dc844f43a0c400b03a9d9bbb5
SHA512 0d0f9154094780da1d22da95a9b74e96c1028dea7fca536497a38fc6a5d79c3c771d05acc1e1750209b480d8dfc35e0df243d4367349f39c680e623466ed5cb3

C:\Users\Admin\AppData\Local\OR365dd\DUI70.dll

MD5 02d76c496c9a36de55e8900443319258
SHA1 e4a982ba7779ac895375ba79b7c8dc94fb55405a
SHA256 e141019b34848238b47bc7c43418c5f3341b531f9b06cf31bcf921a8328636ec
SHA512 9d70bb58422029c424040be6ab29960d344ea0bc9270c8dde1f0786345b79d710495782abb063458c3005fa2a57c25c89d4ecb0622cd59c30d92f0c78a9ba51f

C:\Users\Admin\AppData\Local\OR365dd\CameraSettingsUIHost.exe

MD5 da17a6a7d6e3ff35a7f5984ce97be49c
SHA1 0a2664f81f50e4e179210bb1cf128d4001f504fc
SHA256 4c02e14d02c38996e0579860808befb6d4a3e713d84e73e1647009a9483fef1f
SHA512 2cfec5fc388dc7cc8f6ffacbb08061989b2b5dbbe1019b6d461b4d5ad7472f4f0db550c5d9bdb40c5e37fe094552ab1246ccc3dc977d0199a9827aae22bbf335

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 b43be7c81b662e32f94928d5a3c48512
SHA1 547a724a447ed3c8597d7f8fc2a138d27ffcb0e6
SHA256 7e2e42dade5620715d8e2d4d011a1869014e285eb63d0621b17a9326e12ae9c9
SHA512 4e919334a5d6369b1e4529dfcc119655a8a195d3705cdbd4569322d36098440a6bf51278e9d28b58f8d0ed40986cd9640c5bfe1639feb5ff438911fa93a69b88

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\T61lOVAof6C\UxTheme.dll

MD5 6d39d78de04f93b4d647cbb566b4951b
SHA1 4bbd6fd6e77de810f09e336e790f7dc7e4423049
SHA256 a380cc7170ae3d265161b3fabba51d01dbafbb7a96ba3b424e537ef31b34e4e0
SHA512 9f5796173b9f66dc48ca16e213b3eb3e99a0ba427840f6b975c8fbfaba46b0752426542d58c463db309698167dc688130a2da7d4e48af3565841a1942cf6bec4

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\62wNgUSp4K7\WTSAPI32.dll

MD5 c3f5b04fd3f9dd4e9b637973e8fe6dfd
SHA1 251267a5660413fe4a60f057d19cac21c2050ee8
SHA256 83fbe09fa0d77634fc78b4cdaf85b7b47558c80ddff3cfec915a756a9a24b144
SHA512 0f846191d996d32dc3a7cd84eaaf1ee27c3815060c214221b5cf97829fe0325340086b4de809e9871cf524dbddcbbe172228d1e93ffad11941b7783b2b5c9c0d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\yNfEYmKGrv\DUI70.dll

MD5 b45d5f3b3fe2668c50b4e6ffd24bc60b
SHA1 28ffc6d8c05a45bb2babac05ab89c08ea808ebcb
SHA256 aaae862c980f4907ec442c109d24fa5f80abd0682086de34b4bf19f64a641218
SHA512 9435891efa832ff363d5accc6e5e8f7a931bb7cb3e87497f01580e2364a610bbdb3711082dfcd3e4c27e188e43247deed7314d0b12d8d7187f14b46d6f49df04