Malware Analysis Report

2024-11-13 16:41

Sample ID 240126-zye8waede4
Target 7862e1e052ba3eff8d397f0c28d8fea7
SHA256 eeebc052be55ded532fd74517fae12e73ab5054eb3c0d61f000ec87ccb16f526
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eeebc052be55ded532fd74517fae12e73ab5054eb3c0d61f000ec87ccb16f526

Threat Level: Known bad

The file 7862e1e052ba3eff8d397f0c28d8fea7 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 21:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 21:07

Reported

2024-01-26 21:09

Platform

win7-20231215-en

Max time kernel

150s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7862e1e052ba3eff8d397f0c28d8fea7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3601492379-692465709-652514833-1000\\At\\Dxpserver.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1180 wrote to memory of 2592 N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 1180 wrote to memory of 2592 N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 1180 wrote to memory of 2592 N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 1180 wrote to memory of 2836 N/A N/A C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe
PID 1180 wrote to memory of 2836 N/A N/A C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe
PID 1180 wrote to memory of 2836 N/A N/A C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe
PID 1180 wrote to memory of 2124 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 1180 wrote to memory of 2124 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 1180 wrote to memory of 2124 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 1180 wrote to memory of 1592 N/A N/A C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe
PID 1180 wrote to memory of 1592 N/A N/A C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe
PID 1180 wrote to memory of 1592 N/A N/A C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe
PID 1180 wrote to memory of 352 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1180 wrote to memory of 352 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1180 wrote to memory of 352 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1180 wrote to memory of 852 N/A N/A C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe
PID 1180 wrote to memory of 852 N/A N/A C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe
PID 1180 wrote to memory of 852 N/A N/A C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7862e1e052ba3eff8d397f0c28d8fea7.dll,#1

C:\Windows\system32\BitLockerWizard.exe

C:\Windows\system32\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe

C:\Windows\system32\Dxpserver.exe

C:\Windows\system32\Dxpserver.exe

C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe

C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe

C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe

Network

N/A

Files

\Users\Admin\AppData\Local\5oO6A\FVEWIZ.dll

MD5 f247e96a8024d1bc14b5248da46619a0
SHA1 721b7bf7fd4585bbdb115f2e873e2d7b14416739
SHA256 d6ae40fa5e9ebf5589830719cffbf79a63b7ee80c5173e183548ada25c76bde5
SHA512 2cccb211d1e619ea8fd91c9fdc97e594b34281aa4f9431e99c2f14027195413fc122016fd490ee2b63c97540e579c904ab4172049367b16b7cd3ca109ab93be4

C:\Users\Admin\AppData\Local\5oO6A\FVEWIZ.dll

MD5 8049ad0673ced4b79ef37fafeadd62b9
SHA1 b6d5a7bc0ff3a86f09595920772a708adedf500e
SHA256 196e7d8c200f2ee30822206c6d4ee1e7dcefe35ed71e475285a959410a6c93f4
SHA512 47875e78b297250c7c317d9c5457320d725887f9659ee71262ecc444abcdd52d91f982f72ea8fb64d9e7aedd83d6aaf194bd7576c94db8d5677f715420bb84d2

C:\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe

MD5 073db153bae5b2b3a7050f78f5e7d471
SHA1 f6c99095c0d45c78f06bb1beb0748c92ae71c96c
SHA256 2a36e1806831e7aa271fe4bd2db70e05514e8fd7ade367b0bb6b39f82f0541fa
SHA512 d636148ddc2ad11a718d21b45d2cb272b4ed02bdc75c73f66de36a5cbb4396419c2bee843427d961cb529f4a144083c1bcd40ac3560912b8e9826e0416ac4ba3

\Users\Admin\AppData\Local\5oO6A\BitLockerWizard.exe

MD5 08a761595ad21d152db2417d6fdb239a
SHA1 d84c1bc2e8c9afce9fb79916df9bca169f93a936
SHA256 ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
SHA512 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

C:\Users\Admin\AppData\Roaming\Media Center Programs\2U3XxLT8Ppv\BitLockerWizard.exe

MD5 7ba362ee62f16d95647f31bd24024ee9
SHA1 11ba01a5ded8785f799a40405427ca75e61bd915
SHA256 9c94f6ad83b434f6044de4170b489615a3f3d0f948d07d253eb3ef29a2b82089
SHA512 df0121d8401bca0cd9d14946b65fb8bc997fc6fb921946880bafc6499d2a854e12d7d81bbfd1900739244836c1f55956f9f91ebfc5b82e0439ccc7e943de744e

C:\Users\Admin\AppData\Local\1Won\XmlLite.dll

MD5 9b28a659213092756cc1f2198f8e6a26
SHA1 0068cdab5b2ebad9d4daaf131d35d9037b39fad2
SHA256 cad8394684ba0eddf853f259df25229e3a126d1c5b39cd201fa4580861287e41
SHA512 178472fb768114a582bcf907373c77c427fe8da05d743de8815b94573f5c43adc71f5c5ebbf51d10db2858f55d4dc67279d0510fefc65b56a17b7cc350dd9902

\Users\Admin\AppData\Local\1Won\XmlLite.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe

MD5 e4165935223eb9f9c5b397907c1e0595
SHA1 50d56bbf260b02712e8e92cd25ef709fd3da081e
SHA256 1edd8f3c7a91a7680d0cf62df6131fa884859c6fd2a54247c70901f6d4d17590
SHA512 aba97ad66cae4db486d9cce01125abcb5429c028292fa50b9b5392b5a41d3338dd53a14cdb66cca9d1a6e827deddcdaa9e758d1aa104bf0ab9966139c6a04cc9

\Users\Admin\AppData\Local\1Won\Dxpserver.exe

MD5 7a3edfc7845e3a6c7c53918d23a95ce5
SHA1 52136ab9e16760edb8eac4cb87e421f3b99e7898
SHA256 d6113c195770228d9a918bf75b4c7879be57bfc0fbc126c486c3bbb459ac894b
SHA512 bdc606cd4d5310162371a6c6a9e2cb8f8b1df98edb4f8e20f90fa697f6fdfb24e56d343083e2570ed450a469fa78d3744cfaad2ad180ecee484daa8eaa6c7c88

C:\Users\Admin\AppData\Local\1Won\Dxpserver.exe

MD5 2b1edaf8107605d7415fa0f5f06d9f66
SHA1 8f21ec27ff39c1657b47c9106a4c3c210933f2fa
SHA256 b53a27841f80c0c1e95458b85c4e8d7c92b220fe4d7f176deb91df047afabe61
SHA512 4b6a2bec4c747bef6d834b3cffde34b268919bc99de12fb3d1f049d8accafee89728492de73b958be4f2a319df09cb10f0097f8f72aed5c16d115922ee23d4b8

C:\Users\Admin\AppData\Local\7BlOZIKZQ\WTSAPI32.dll

MD5 2499bf64d14e18319ef4749b09580944
SHA1 767f4f9ea1f35a4fac92a6b3ebe223cd43d0c744
SHA256 ed4ab74ab2e849db654fa5d6352660ef47b0c0eda65359d4c21d92f811a0534b
SHA512 7b9bc313471a90af84830498d84b0099d8efdf261a2600d93b51a2845aabb1c9b40de064d6272aa3684c791eca9a5a21cd7cec0bd12cc547624e17091324486d

C:\Users\Admin\AppData\Local\7BlOZIKZQ\BdeUISrv.exe

MD5 1da6b19be5d4949c868a264bc5e74206
SHA1 d5ee86ba03a03ef8c93d93accafe40461084c839
SHA256 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
SHA512 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

C:\Users\Admin\AppData\Roaming\Adobe\uwQbZHtAXrL\BdeUISrv.exe

MD5 c77a92b7d55eee4ae5655151c89df3cb
SHA1 8e5dda6e253dd439aa87074084c55765e88c59ad
SHA256 e1af3310c6d80ff1727533e68efd376561383da97b3a25b36778eef0682b3926
SHA512 87248d69e67e8969ad9b03ec0896008282b6f728e5fdc62cd915cd76b49503073ca259374378b8b853fd43ad339f5045ec7912bb77d97c607d37428685d7cfea

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 891d0a656623fec5cbd314f8ec60205c
SHA1 43fe8401efc44e8d5a81b225b779da7f2096d229
SHA256 d0efe1ed3c666fa2003cd8317152a1b1dc0d27ea94f55500416436d836dc91c4
SHA512 72d6d56e7d60d19c84b381a53cb71cacf32d2d97ec75aa308bba0dbaf5af038a10b99ad588b7c3ebf0cf76622bd812bf27b876bb87d8ae50974bee18a8f0dd9b

C:\Users\Admin\AppData\Roaming\Media Center Programs\2U3XxLT8Ppv\FVEWIZ.dll

MD5 1c2c412fd4ad1fbda29353c7ef18d5d3
SHA1 08bbee40eb64aa30f44ed226dc6693e8cadb8b75
SHA256 9c608e33a49fbe159339db77ed18478bc8149292cd85ceb3758dc179e24a0bf2
SHA512 cb2b34930d61db10f0b0770b87fe5172619be674ecd6cacea2ae0f5b6a7a474f1d683fe3bb407228d5d9d7774f0956f47664f8717368acf194c2aa8b271ae724

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3601492379-692465709-652514833-1000\At\XmlLite.dll

MD5 baecfd9987810c756559d3bc30d83561
SHA1 691849987d60ace40fb6fc8dc73797a2058484c3
SHA256 1ef5358a14e6185b2b1544fd14bea834c2a61a5dea52c02c9c0c402f303f0ffd
SHA512 caf7a0329f28e1064bdbafc3ce0c8d06f96f8922fb74f1c0d47473b8fbb4b54a2674041ec011a6e59aec536946824cfa9c432366bc8d73a6f420b2ea74fa64ac

C:\Users\Admin\AppData\Roaming\Adobe\uwQbZHtAXrL\WTSAPI32.dll

MD5 1ed890b1b59a34b2f7b0d1def632f0f2
SHA1 57643de0db54d246704e2454d53857b4e1d67c8b
SHA256 8301cf6dbc0a70a61574840634138a5e2f315fa2aeb1cc9daabde804ac554867
SHA512 a8ca9440727b75300f3c044112de9c0563c3fdba3581bf1542364503bef0ed30327eedc1950b0289ab3f24ab2157e6624c2f58a12062ff0c333b96a1db393993

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 21:07

Reported

2024-01-26 21:09

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7862e1e052ba3eff8d397f0c28d8fea7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\XF4kfc\\DevicePairingWizard.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\c5zN\AgentService.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3556 wrote to memory of 3404 N/A N/A C:\Windows\system32\AgentService.exe
PID 3556 wrote to memory of 3404 N/A N/A C:\Windows\system32\AgentService.exe
PID 3556 wrote to memory of 1668 N/A N/A C:\Users\Admin\AppData\Local\c5zN\AgentService.exe
PID 3556 wrote to memory of 1668 N/A N/A C:\Users\Admin\AppData\Local\c5zN\AgentService.exe
PID 3556 wrote to memory of 916 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 3556 wrote to memory of 916 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 3556 wrote to memory of 2924 N/A N/A C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe
PID 3556 wrote to memory of 2924 N/A N/A C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe
PID 3556 wrote to memory of 1008 N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 3556 wrote to memory of 1008 N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 3556 wrote to memory of 4160 N/A N/A C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe
PID 3556 wrote to memory of 4160 N/A N/A C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7862e1e052ba3eff8d397f0c28d8fea7.dll,#1

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Users\Admin\AppData\Local\c5zN\AgentService.exe

C:\Users\Admin\AppData\Local\c5zN\AgentService.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\c5zN\ACTIVEDS.dll

MD5 4300e9f66cff7dc91fdba571c766ed21
SHA1 031857b5c4f6f50edc6e03802a2bda609cc8249c
SHA256 a2b4593d1e784eb8245e90b7251579c71045a540f6b84de0447f43ff7c424d5e
SHA512 f776e8989b204a5b2299ad16c0919aa5dd230b679cadd61372cd2c2fa3c3d9cb69c21146e83a2e56de80a803eb126dcb15ac5e5a41abc005b419c6cceb0320d4

C:\Users\Admin\AppData\Local\c5zN\ACTIVEDS.dll

MD5 581296c51dd70f3c928a784024accda8
SHA1 1bf4b39f28384de79c48e6812935a86a84f063ae
SHA256 3f786e6cd5ccceb6f97b277a022e60aee0c00ee3e67397950cd6033aace5e5ac
SHA512 5cb5303e5b79c11df7535eda37ac291c8bd39934c505e0c969dc996adcc3d252c6df75804d19905b4b90076997b70ed4532964a4ec99dd67e6e1dc72857448f2

C:\Users\Admin\AppData\Local\c5zN\AgentService.exe

MD5 1e0a022467dba626c731b4823b9d7b68
SHA1 2e30c40e0a9caa5b1eab2c5f8455d679e2ad3359
SHA256 74393143401ccce505dad174e64fdb654e447f84fe0d38735c6f245b5669d48b
SHA512 6310fd0e333a46b6a191731c85aa33ec91010bbca26eb38a69c69b45ee7ceb4697cf39947aa33e14a5d6ea7b456caf87bfd2030d5b3ef6e3da164a0d95c1d74a

C:\Users\Admin\AppData\Local\c5zN\AgentService.exe

MD5 d24cf666d82522cf733bfb410d7a2f35
SHA1 b47a49cfbd9e02c45a1c72656a4091d18e906481
SHA256 ef9ac15c64d05084a7be9d16d2d244a2591fa3d2ed7b5f2f4d9054d63f71ee41
SHA512 dfdd04bf32057a358d619c9dd0ce46664fdfd004eb3f906ed5f2f674c0277c70cb79c4ea43175ba1bab0dff251616605ffc3bc8eadf6a87e717be8e605889bb0

C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe

MD5 d0e40a5a0c7dad2d6e5040d7fbc37533
SHA1 b0eabbd37a97a1abcd90bd56394f5c45585699eb
SHA256 2adaf3a5d3fde149626e3fef0e943c7029a135c04688acf357b2d8d04c81981b
SHA512 1191c2efcadd53b74d085612025c44b6cd54dd69493632950e30ada650d5ed79e3468c138f389cd3bc21ea103059a63eb38d9d919a62d932a38830c93f57731f

C:\Users\Admin\AppData\Local\mLoe0plH\MFC42u.dll

MD5 7420122424c76275a8042b1e0a0ac0c1
SHA1 3d58ee071169bf03fe868301986a90c172c8a7e7
SHA256 9a8ddfd28c762ea64b5146449e7ca2917c5d6f03a8f285e56497b01afc692593
SHA512 4cb67c8beabbe6775e7115a64f62e5e7ab31fcae5ec4fd70e6bf4b36479a7dbe75cc8c53da12dab2a6937b516c02e3bc07f783212bbabbb294819a54c2861631

C:\Users\Admin\AppData\Local\mLoe0plH\MFC42u.dll

MD5 e5afc672aee3b692364f445d2d7adb6f
SHA1 de3029979f635ce2b2f2e07a3e46fd32c7fc896b
SHA256 350da1906ebd85f49659e0bef26985095275386201dff95aa56c4f33a3654881
SHA512 93d166b757bc3258849ed6de55e9891fdb48b8b132ba6a8bff37dd41b3c8891bc93552a13eb68120ea2018711e55fcab5a43a82ea3777feab3bc0a83cff2d6ac

C:\Users\Admin\AppData\Local\0orjyp\SYSDM.CPL

MD5 5799dad79a9acfcd465008f31eb1921d
SHA1 2e7b82882fe9336a334614f1d23a09db5bd1ae0d
SHA256 ae3cccb970c41f2fc15687b3a2c6478903d631cd774ae254078c9fa37a155f52
SHA512 06ffe71b59470adbf918f9ce97cc0ead3e1095fecbe5e465c8040238eaeb430073ae08b7f9071ced18684001f4d7a012c6b161bb3eafbabdfffc2cecdbaecb09

C:\Users\Admin\AppData\Local\0orjyp\SYSDM.CPL

MD5 9d5dd1fc6428022c50bfef95b57ca6cc
SHA1 0152092a47af26b0ee2b044274b7dcd63b2e8e7d
SHA256 2ba9fa0364b0db2e7053d2b3a8742c310e5ab86ea3f49ae6ccea460fba4fb274
SHA512 a19c95f45acaf21012c82aacf5f751ce0c0904b5df912feb7e8eb9273b387a2095db17db9d445100de55258b68ad69d63ed2992f3899d9a149c2fca863ce8c36

C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe

MD5 bf5bc0d70a936890d38d2510ee07a2cd
SHA1 69d5971fd264d8128f5633db9003afef5fad8f10
SHA256 c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7
SHA512 0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

C:\Users\Admin\AppData\Local\0orjyp\SystemPropertiesHardware.exe

MD5 f82e6c45eeaf80be3ab6cfad8c9d4ce0
SHA1 0fcfe4e71827c498bf4bc846ac88c948dffe67de
SHA256 88731c259a1182fb35003d97dcd9f00134ac70ee2b2db727a9fd1de636032f89
SHA512 fef9be224f89319cb8515f795f4d45c37ca39bde58417b185bfae9c0419871954f2de0c460d007502c0373440d3033a7df2e65076e5af5801d6e8d7c9e456752

C:\Users\Admin\AppData\Local\mLoe0plH\DevicePairingWizard.exe

MD5 9712efbc7c8bc6ddb8614cb72dfe13d1
SHA1 6e366d39bdf433debc811aa70dc212ae75dc47df
SHA256 5ba95695d46ab4005a962c69404f1a292e79250383561e61836dd53bfac71146
SHA512 2b6e7cceb09a3798bcd4ebd7ca8abd1a08f994edbe2d49f3bbf921a23e579a0dff4658c25278678eee63e194c2ecf364466b1ee501be07169e95b0b3e0245203

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 131ed5fd730b1d258735e0d1e2bac999
SHA1 dee3d486196464d3ac5a65b0d311a2d0d94cf87f
SHA256 e218398df57ed69b562ce2793a109cc840255ff53877351461b980d2a06a7cb3
SHA512 e6fd21ede1082c711480f4ab6f0fb68cc271a36e44f2fe66f94ac53b5952cb00a69ba5d470f738b9870b6d27da9d435a9ce88eb54b0b65b1e6cb09fc922bd81a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\72\ACTIVEDS.dll

MD5 e551bd3a48f599cc243d08665e325db8
SHA1 094a21c54326de967fee71e4598448d7cfcb90fe
SHA256 c48ccb609c70a735c0e1f472a34c95ef0fa6df5ea1742791eed71bfdac529eb9
SHA512 c8b07bce487ed79ef41affe27eb10fd173cbf6f6f1e8e74c160c5f20a4b574ac6a64379bbf28144b267540687fc2f0db8e897f2462f232d4d629c50084820f2d

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\XF4kfc\MFC42u.dll

MD5 ec02758b0b29364ece3172ece700d37b
SHA1 4945bec190e9b453f4554412c0303a49c82cf178
SHA256 aca9ba9664a8d6871509e404bca7a48ce06c063663eb187468282774873ca8be
SHA512 9ab5cdcfafd4a0531dfb619d5da64ab738d0d71c701d47b007c427961150605b61b90ed5d1606ab946c821d25d0d74fbdd66ec6a2728c9fb29c500ba46602aca

C:\Users\Admin\AppData\Roaming\Sun\y2\SYSDM.CPL

MD5 da944b012cc14dd24573c629808d245d
SHA1 fc9bc07be113c666befc2779c0ebc7ba00f0b269
SHA256 5190dd1d76c28ba43814b085c06fc040589fbebd205c5d7447f7cf981ab8687f
SHA512 b9c045d09381b7ab33b01d5e329bc06124a4dcc83a0177b799bd2076da91807b3908c743953fbe180983238d506d99d6543bf78179c660b414c5a13f4d7ebe09