Malware Analysis Report

2024-11-13 16:41

Sample ID 240128-d589msadf8
Target 7c0b7776d8e7e775fb646f2bf3c91c46
SHA256 6e2ba94de342be1b5ed71468cb2628106a823c38419cbb3fc6f612465523853b
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e2ba94de342be1b5ed71468cb2628106a823c38419cbb3fc6f612465523853b

Threat Level: Known bad

The file 7c0b7776d8e7e775fb646f2bf3c91c46 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 03:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 03:36

Reported

2024-01-28 03:39

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c0b7776d8e7e775fb646f2bf3c91c46.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\eivoq6h\osk.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\ctmlmJox\\unregmp2.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\eivoq6h\osk.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 2184 N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 2184 N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 2184 N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 1940 N/A N/A C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 1940 N/A N/A C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 1940 N/A N/A C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe
PID 1256 wrote to memory of 2848 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1256 wrote to memory of 2848 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1256 wrote to memory of 2848 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1256 wrote to memory of 2844 N/A N/A C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe
PID 1256 wrote to memory of 2844 N/A N/A C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe
PID 1256 wrote to memory of 2844 N/A N/A C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe
PID 1256 wrote to memory of 2492 N/A N/A C:\Windows\system32\osk.exe
PID 1256 wrote to memory of 2492 N/A N/A C:\Windows\system32\osk.exe
PID 1256 wrote to memory of 2492 N/A N/A C:\Windows\system32\osk.exe
PID 1256 wrote to memory of 308 N/A N/A C:\Users\Admin\AppData\Local\eivoq6h\osk.exe
PID 1256 wrote to memory of 308 N/A N/A C:\Users\Admin\AppData\Local\eivoq6h\osk.exe
PID 1256 wrote to memory of 308 N/A N/A C:\Users\Admin\AppData\Local\eivoq6h\osk.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c0b7776d8e7e775fb646f2bf3c91c46.dll,#1

C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Windows\system32\unregmp2.exe

C:\Windows\system32\unregmp2.exe

C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe

C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\eivoq6h\osk.exe

C:\Users\Admin\AppData\Local\eivoq6h\osk.exe

Network

N/A

Files

memory/2636-0-0x0000000000290000-0x0000000000297000-memory.dmp

memory/2636-1-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-4-0x00000000773A6000-0x00000000773A7000-memory.dmp

memory/1256-5-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/1256-7-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-12-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-14-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-17-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-16-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-18-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-22-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-23-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-26-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-28-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-31-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-35-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-39-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-41-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-43-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-44-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-47-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-49-0x0000000001CD0000-0x0000000001CD7000-memory.dmp

memory/1256-48-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-46-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-45-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-56-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-42-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-61-0x0000000077710000-0x0000000077712000-memory.dmp

memory/1256-57-0x00000000775B1000-0x00000000775B2000-memory.dmp

memory/1256-67-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-40-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-38-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-37-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-70-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-36-0x0000000140000000-0x00000001401C9000-memory.dmp

\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe

MD5 45f90408b91d3ad51f833969944f4a9c
SHA1 05f4a31c17ff91aa13385454c7206889eef7c31f
SHA256 29ce6f9219d5fad505e2f032e4bec4a03968e1d0793ad2b19391e21a4a7e543d
SHA512 6a8944c1c67b874fcc538c7fd05e90877f629f1f04e3e61810913c0a8aaccd1bac5a8cfcc58ae09bed8b6ec0c41ec36b5d5a9f6826d2616f9ff5ec15de460344

C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe

MD5 37fa7da4810c10f5940564ccf5fdfdbc
SHA1 b6ac471b0670f87fd8578058e883a31135913a68
SHA256 9e05ddd9044df09a49082ed9fd01cf7429bb692a58a683dfcba63724f06cdd03
SHA512 8fb8314bc2854aaaa0a5355b84840a61b4a725ab6aeb603630df25b8cd27e1cf3f7370ef599b845b5e8356182c259c6c7e1769b60a76caf95f4a4c599fe8b640

memory/1256-34-0x0000000140000000-0x00000001401C9000-memory.dmp

C:\Users\Admin\AppData\Local\Br0Ir\SYSDM.CPL

MD5 75b461a9f3af80e9e9bb2a813a74c6d6
SHA1 dbaa791cff9c1c84a54997f3f51a4d7e8d0b0bca
SHA256 717aded95a6154f66c1e93a592023422c6d72279e555afa328f5362215f51941
SHA512 7be3af8cdbe42b42a574c781782bb4dbdfa16ebf3340a823050f7946fee9d7ea4df6047b6fb6453e4a0eee75927539d1db74509bd74033503582609a1e15477f

memory/1256-33-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-32-0x0000000140000000-0x00000001401C9000-memory.dmp

\Users\Admin\AppData\Local\Br0Ir\SYSDM.CPL

MD5 444a96a1e3459b278e9e68814e9582df
SHA1 52cca8c4f69b253e3b35d0ed977dcfb06a83fd22
SHA256 fc64041f6d9f703ff981d77677d3010ed4ed4ba5d2477c0110f050897a07c435
SHA512 84b10b41ca2997a549382c5469c1b4a4ac3ebe7bbc0c06089ddfe57e2580bfe7597e01333641dbb970e50309bb3f38ac8700463727860a2024030cd9602aa14d

memory/1940-85-0x0000000000280000-0x0000000000287000-memory.dmp

memory/1256-30-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-29-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-27-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-25-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-24-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-21-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-20-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-19-0x0000000140000000-0x00000001401C9000-memory.dmp

C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe

MD5 116309b2d3057eb5f87fc4a85aaa51db
SHA1 9d4f18a8b693e607e296c30cf9912c81b06ee586
SHA256 21b6d6fb58972dc05623ea606bc0533d7db3cdee2617446ae5468e5b944ceacc
SHA512 530ca913aaeef8f4c7a8dccea966e229bb15c65c8e809e3d4eed75ef4661d80b5c5e7ceef6099f393cc79f0c20050cea50bb80e045ad1038d569cdac157c2687

memory/1256-15-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-13-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-11-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-10-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/1256-9-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/2636-8-0x0000000140000000-0x00000001401C9000-memory.dmp

C:\Users\Admin\AppData\Local\mOzU881s\VERSION.dll

MD5 a0c3afb4c22a779a54bb07eaad989fc6
SHA1 2a373e462226635beb5078acfec8460968e04cc8
SHA256 70aa4b43a770d3339ebf444b82daca28c875a7cb432f3bb37a79a834fac86cff
SHA512 9e2fd9e548dec8499113547cdcdde7b8e25ae7fcf3272918fc9fb1ea8c1cfde9c5798aef8f1ae627f429f6c9fb5e72062697e25d69a8330c7c5071c2b74caa4c

\Users\Admin\AppData\Local\mOzU881s\VERSION.dll

MD5 59a73b4f1869e38996cf4f67b8986833
SHA1 aad59f2bd204f2e958b340dd8b8d2c04d9a91f51
SHA256 ddc528a7bc1065b5f09774be1ffd72320df2821440ef746e96468ef6a5b43185
SHA512 92de5db32c9d6006359282ab8193846d1625d1ecce1c583fcad52d6fa6834f610a206e5ee75718078655dd1a475b17e837cc85b0252b8b6e82cd35dae875b55e

memory/2844-103-0x0000000000170000-0x0000000000177000-memory.dmp

C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe

MD5 fc25e5af88252293ccefbc61e065ba5f
SHA1 e598ec93f597d2337c53d3d8a712f48cd4d9d291
SHA256 1c88b47094b366e8597f5776fb59a9820ee853c596071616b855835b5b47f31c
SHA512 a1c6543ebe3c0bf4c5ab9c1d177a5dab2903372ce5bb191bddde57a099bcd96afbe3aaee47cb522fa38221222a2e642e02f9d922ca441d791ea3f639196469d0

\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe

MD5 59b2ae056c8e8b18a1026f60010a13ff
SHA1 bfb1fa267f389316a4449dfca684d7adcd541b5a
SHA256 e78e644b7c05376b3c43ae352aafb24883aefdfc8170eb4acc88d5af08219632
SHA512 7c08798720f96fc74e3e14d9253fb0025ad45c01cba7fe8e28af809c35d4b5cb97c262eb055f2d5fe1cd42c62ab527593d938f169205d8477010e9143386c02b

C:\Users\Admin\AppData\Local\eivoq6h\dwmapi.dll

MD5 1bc43672b3459c229aa2e7912a46a5ae
SHA1 2bd87532355190d3daed7d11e81eec25ac726e26
SHA256 8ac3f9b9f46f58630647fa8a6fd0dea1298b737edbd5dc415f8550581ac765a1
SHA512 6cc989428cd12c18e9b898f47d8f7dc1f65dd501ab2462bb2a4b84745965ac7ea3375478b03373e65d75b928b87e1b11ffb322175df7c632767eab90dbc0fdb6

\Users\Admin\AppData\Local\eivoq6h\dwmapi.dll

MD5 9a8a38f5e4cc9a1a18b74d5c183cee84
SHA1 4fd8fdd3fa7fcc5a891cfb1dac2fc1fa84c6e79a
SHA256 e55a4b6f68759d4d6f2ec2f9e8cb431ebf0f789bdd2b055e3b1374fc6bc09be1
SHA512 ec92ec336bd4887e8fcaecc01d78e6a52066f671a848797b6f3c2f4ba9245266a16949ddeb2da8b51dee378d769f7897230579c51758ca8c9066a3bec908b7dd

memory/308-121-0x00000000000F0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\eivoq6h\osk.exe

MD5 9ebbb090e274558004a628467ac6829e
SHA1 6912d669a25a9d1c5ad1e45cdb4d5359fcf82cd3
SHA256 7973f8f27c13a5b18841cb9a5ee5ec00c09ac47a7f47d2787268126e002c54ad
SHA512 05b9458f14bc77602586a69164288c2dd40aed6937aea53f895a15c764aec86cff9f545dae618fe2d5fd84adc21cb9157c3bca12fc01f24910770155c81aaeae

\Users\Admin\AppData\Local\eivoq6h\osk.exe

MD5 da39d6556bc0c1e94e793743297ef02d
SHA1 4927986cae0f07715ee14b76c973969ee1777d9f
SHA256 2a4a2c39fb527095835427a02b52cce8f433e8479b8b1306c7e3989d2d4c90c0
SHA512 a1c94acf63ecb432f66ebd69cc88ce1c580c12b4320167f19e017f556c7a680b8df555f5bbecdc3c2a7564bcfab27dcefec87701a0ff887a5a68c5b9aa9e08a2

C:\Users\Admin\AppData\Local\eivoq6h\osk.exe

MD5 c4441d3cb133ddfb35b1f0be187be9aa
SHA1 4fc63540806d93be1ca70587a17ec7091877e9db
SHA256 710c4f7984f78e7af0bea6193193483b3aa1a963174d154b5ca3da69bb243dcb
SHA512 57da2a5f58f5793d1a0cd0634b40b820a8e1c4fbe0379f75a56f20978343c601cbc7cc2f649ee841a24426f972e4d5c2525c4caca0d4ce8338f2fb260f15ffc2

\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\KShaY\osk.exe

MD5 98a9be6237792bda26f6d26de3d8f278
SHA1 8fdd1941b3da2a2e4eceda5e42198e9d738ac6ad
SHA256 8497de5d8fce79d15614872e421fa77839b5d9791c8157c8473180d6bb01fd5f
SHA512 8228fd0b07ecfc88231cc94de21799c886826091eae0d4cb811b60a2c1d4b4d05fc8d7566f4f73a41655b8efc94442044c3ef28c060d5da3731d27bcc75ca435

memory/1256-149-0x00000000773A6000-0x00000000773A7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

MD5 60dd1aa885393ea7cb7d058951f921f2
SHA1 125567b1f3970fa93a55fea6bb027ae9f80f5d6f
SHA256 625c739a61eac29e48b95eded3ad7614418fda1c00e87e8d1d953ebed16a0867
SHA512 d61e421869898df6036cb4805087bacb490d78c318a855814517402e11b12468dceda828fa2bd995e599eabfbc7464df62a7d9bca55ba050380639a693e20d8b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\GKk\SYSDM.CPL

MD5 48488d6df62d162c9c6de917807207cc
SHA1 c5b01a5d30c04be29fa047536f8591cfdd5a3a97
SHA256 b364e12a918f82e2ac8c20bba2ae76cec350f777f0bc1b5ad849dfb3d781536e
SHA512 6fd9a7fd9585a192de9753c4d334a95e810ccab4e231dbf136c3f44a89678d7c12d1fe2c18ea40d65f1600cd1e21e9fc118b4476221f4ef90ce5358a4f8a45a8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\ctmlmJox\VERSION.dll

MD5 31cbfb419d45a55b51b3bc4341ca1cbb
SHA1 0bc84059d3637468774bc6765900cb0b1b995c52
SHA256 7be7a1fa881efc6c9f24bc800c37ab0018836d986625b5478b613a5eb6e7f559
SHA512 f72f73043aaa32ef16508abd0c258f86ace5400c2d320ef3ae5e80b26b34a1556da27dbdde093c1695aaedd6ca611f35ded760d2fc405763a5c3082a1c9ef6ab

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\KShaY\dwmapi.dll

MD5 130fde09bb8e2fa3449dc0ea08f93eee
SHA1 88258ca50d9080b0a223ba437b6d5dca1f38f6db
SHA256 e3d3a199ddc4e17ca0327b8985dce74078d3714892b888fcd6672818edc98a7c
SHA512 13dbd06feda0f1424bc87a351198c5e48c00c3adcf3d9d944b8c0d5c91fe7b3d3e10d7045296c4d4b788ec15904bb09e8fb6775d2840148b67710cde2d692c50

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 03:36

Reported

2024-01-28 03:39

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c0b7776d8e7e775fb646f2bf3c91c46.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\SGVLdslV\\BdeUISrv.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\43C\AtBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 4624 N/A N/A C:\Windows\system32\tabcal.exe
PID 3408 wrote to memory of 4624 N/A N/A C:\Windows\system32\tabcal.exe
PID 3408 wrote to memory of 4636 N/A N/A C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe
PID 3408 wrote to memory of 4636 N/A N/A C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe
PID 3408 wrote to memory of 4400 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 3408 wrote to memory of 4400 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 3408 wrote to memory of 4896 N/A N/A C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe
PID 3408 wrote to memory of 4896 N/A N/A C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe
PID 3408 wrote to memory of 2952 N/A N/A C:\Windows\system32\AtBroker.exe
PID 3408 wrote to memory of 2952 N/A N/A C:\Windows\system32\AtBroker.exe
PID 3408 wrote to memory of 960 N/A N/A C:\Users\Admin\AppData\Local\43C\AtBroker.exe
PID 3408 wrote to memory of 960 N/A N/A C:\Users\Admin\AppData\Local\43C\AtBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c0b7776d8e7e775fb646f2bf3c91c46.dll,#1

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe

C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe

C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe

C:\Windows\system32\AtBroker.exe

C:\Windows\system32\AtBroker.exe

C:\Users\Admin\AppData\Local\43C\AtBroker.exe

C:\Users\Admin\AppData\Local\43C\AtBroker.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/5028-1-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/5028-0-0x0000021ED6110000-0x0000021ED6117000-memory.dmp

memory/3408-4-0x0000000001260000-0x0000000001261000-memory.dmp

memory/3408-6-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-8-0x00007FFD96C5A000-0x00007FFD96C5B000-memory.dmp

memory/3408-7-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-9-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-10-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-12-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-13-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-14-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/5028-18-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-19-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-17-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-16-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-21-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-20-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-22-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-23-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-24-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-15-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-11-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-25-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-26-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-27-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-28-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-29-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-30-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-31-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-32-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-33-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-34-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-35-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-36-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-37-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-38-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-39-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-40-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-41-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-42-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-43-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-44-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-45-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-46-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-47-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-49-0x0000000001240000-0x0000000001247000-memory.dmp

memory/3408-48-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-56-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-57-0x00007FFD97820000-0x00007FFD97830000-memory.dmp

memory/3408-66-0x0000000140000000-0x00000001401C9000-memory.dmp

memory/3408-68-0x0000000140000000-0x00000001401C9000-memory.dmp

C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe

MD5 40f4014416ff0cbf92a9509f67a69754
SHA1 1798ff7324724a32c810e2075b11c09b41e4fede
SHA256 f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c
SHA512 646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

C:\Users\Admin\AppData\Local\KgDgCLleX\HID.DLL

MD5 d3612bc6eee20a2ff7cda0181c1a58b5
SHA1 ddac83dabd84c2703264d37bb06e5b12fb16eb02
SHA256 9eccf2ac1cac8c0627a5a49f32327646540d11bd9665521b79264985adeea6b9
SHA512 d4211df62162c1910abd224d161c1c0036542af07fab092c70faa3ed1747062712eafc22dd002af0ce205db9828facee8288c50ec5a5b203d8eb990e0e1f6e76

memory/4636-77-0x0000000140000000-0x00000001401CA000-memory.dmp

memory/4636-78-0x0000020F3DEA0000-0x0000020F3DEA7000-memory.dmp

memory/4636-83-0x0000000140000000-0x00000001401CA000-memory.dmp

C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe

MD5 8595075667ff2c9a9f9e2eebc62d8f53
SHA1 c48b54e571f05d4e21d015bb3926c2129f19191a
SHA256 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db
SHA512 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88

C:\Users\Admin\AppData\Local\ps3g\WTSAPI32.dll

MD5 b02cdb5b656541cb78958d358d40dc6f
SHA1 084ecd4932aa300c9d711f15ca3e49adc1fabb1f
SHA256 ae0e4c90b8c07841001790b6caf1ed3eac1cae74bf0bdf244824c027be780099
SHA512 ed2e305d379ca352027e497a6e2ea9faffcb0fac48f7961de763e5051d6cc70b7112b86c44d9cc4c84cd5a8aea40bf28095493ca5e5a7577e8c45e7d579c1800

memory/4896-96-0x0000012A3D710000-0x0000012A3D717000-memory.dmp

C:\Users\Admin\AppData\Local\43C\AtBroker.exe

MD5 30076e434a015bdf4c136e09351882cc
SHA1 584c958a35e23083a0861421357405afd26d9a0c
SHA256 ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd
SHA512 675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

C:\Users\Admin\AppData\Local\43C\UxTheme.dll

MD5 e1869764e0d2e79ca1973f305fb88cfa
SHA1 553ca6ac4c5e43d069b7b82cecd45b07cf981063
SHA256 6098597b8235df47ef83d204c96f3056310691690796fb2fb187837db67d6f39
SHA512 a35f1fa6ad9dd9c2466f40adb8f428b7b436c08216f3d0b62a53fd4c465192fc34594e726d6d53a410fa67511bf56600bbc6b1fc51d47d4a9dbd265db6d829dd

memory/960-113-0x000001AC7CA00000-0x000001AC7CA07000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 f21166e7f65374f6120da87470359c0b
SHA1 9a669feda974eb2c1c5d685d6aadd7319ede2e49
SHA256 63fe54526deaf8292d3d23ebcf47a672f1d5b2305bc317428533e10a58e9a0b4
SHA512 988074f9e7b5d44df3c347580bb32434b2a4d13d07454b29528883973ecf6b950a8d47e7eea40c2a752e6d2b925cf118e8c9b82d718ba0208053f275d45a6b8b