Malware Analysis Report

2024-11-13 16:41

Sample ID 240128-esg53aahh4
Target 7c1e2e5883295d072f73627f00279333
SHA256 20d290a43af5edaff7a58b11a463755ee38c570a6e9258e9672146566ed58ced
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

20d290a43af5edaff7a58b11a463755ee38c570a6e9258e9672146566ed58ced

Threat Level: Known bad

The file 7c1e2e5883295d072f73627f00279333 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 04:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 04:12

Reported

2024-01-28 04:14

Platform

win7-20231215-en

Max time kernel

149s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c1e2e5883295d072f73627f00279333.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\6OnPwGdDt\UI0Detect.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\A4\\UI0Detect.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6OnPwGdDt\UI0Detect.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
(60 further rows identical to the one above: no Description, Indicator, Process or Target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 2892 N/A N/A C:\Windows\system32\irftp.exe
PID 1184 wrote to memory of 2892 N/A N/A C:\Windows\system32\irftp.exe
PID 1184 wrote to memory of 2892 N/A N/A C:\Windows\system32\irftp.exe
PID 1184 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe
PID 1184 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe
PID 1184 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe
PID 1184 wrote to memory of 1768 N/A N/A C:\Windows\system32\UI0Detect.exe
PID 1184 wrote to memory of 1768 N/A N/A C:\Windows\system32\UI0Detect.exe
PID 1184 wrote to memory of 1768 N/A N/A C:\Windows\system32\UI0Detect.exe
PID 1184 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\6OnPwGdDt\UI0Detect.exe
PID 1184 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\6OnPwGdDt\UI0Detect.exe
PID 1184 wrote to memory of 1584 N/A N/A C:\Users\Admin\AppData\Local\6OnPwGdDt\UI0Detect.exe
PID 1184 wrote to memory of 1084 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1184 wrote to memory of 1084 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1184 wrote to memory of 1084 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1184 wrote to memory of 2152 N/A N/A C:\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe
PID 1184 wrote to memory of 2152 N/A N/A C:\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe
PID 1184 wrote to memory of 2152 N/A N/A C:\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c1e2e5883295d072f73627f00279333.dll,#1

C:\Windows\system32\irftp.exe

C:\Windows\system32\irftp.exe

C:\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe

C:\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe

C:\Windows\system32\UI0Detect.exe

C:\Windows\system32\UI0Detect.exe

C:\Users\Admin\AppData\Local\6OnPwGdDt\UI0Detect.exe

C:\Users\Admin\AppData\Local\6OnPwGdDt\UI0Detect.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe

Network

N/A

Files

memory/2488-0-0x0000000140000000-0x0000000140338000-memory.dmp

memory/2488-1-0x0000000000230000-0x0000000000237000-memory.dmp

memory/1184-4-0x00000000776B6000-0x00000000776B7000-memory.dmp

memory/1184-5-0x0000000002490000-0x0000000002491000-memory.dmp

memory/2488-8-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-13-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-16-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-19-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-23-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-27-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-33-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-39-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-41-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-43-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-48-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-51-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-53-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-56-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-59-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-62-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-64-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-65-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-63-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-72-0x0000000002470000-0x0000000002477000-memory.dmp

memory/1184-61-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-60-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-58-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-57-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-80-0x0000000077920000-0x0000000077922000-memory.dmp

memory/1184-79-0x00000000777C1000-0x00000000777C2000-memory.dmp

memory/1184-55-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-54-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-52-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-50-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-49-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-47-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-46-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-45-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-44-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-42-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-40-0x0000000140000000-0x0000000140338000-memory.dmp

C:\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe

MD5 0cae1fb725c56d260bfd6feba7ae9a75
SHA1 102ac676a1de3ec3d56401f8efd518c31c8b0b80
SHA256 312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d
SHA512 db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

\Users\Admin\AppData\Local\Ffhcg2RwK\WINMM.dll

MD5 2acaeb2b67afc582b4279ccc27b849da
SHA1 c0bda7cacf86b7ef2b6532230d32505dfe1c7189
SHA256 f623770873077f03464469bc2ce5e19618f895e43f47f3f18b97efe47bb5699b
SHA512 72a7970ba953691f106faaf5ce44c6962c7433beb29c8dcb94456b88da5f659b5c33ed16b092f47df321410499ef5e91b39d5741111547660ff0f7314c9eb954

C:\Users\Admin\AppData\Local\Ffhcg2RwK\WINMM.dll

MD5 ff9e1cc81480937a3ccfdd61e8fb072e
SHA1 74c83a58c44c62e57b25c9aeea2607650eb74d3a
SHA256 72409a4f54ac0f049b119fa92795adba88f66e5cd4658610a7dc588a5a290736
SHA512 8898480142795d16f60027039773e6fc974fd8e9f88939493eb998f29567287b1dccd47ba819b33294ce4159cc1dbc5db1805949629f01fb06a3905f6e2498ca

\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe

MD5 eed01552ad4c50a00ab99a6f4c3619b2
SHA1 7de99f2e499ac1f0548eec510a38ecc2d8f75242
SHA256 891138dc953c701c432aa98bd32b926785a6fe4aa0980fd2364e66938008f630
SHA512 fccbd6fa434e237faf7abcec1600ec6b02dd9cadcb31bec6c9793b4a8aa91e1f1ff9190aa30a1a75f02003c64c5898fc86dceb3b67e7b9052f98a02a46a5fb0b

memory/1184-38-0x0000000140000000-0x0000000140338000-memory.dmp

memory/2756-103-0x0000000001AD0000-0x0000000001AD7000-memory.dmp

memory/1184-37-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-36-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-35-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-34-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-32-0x0000000140000000-0x0000000140338000-memory.dmp

C:\Users\Admin\AppData\Local\Ffhcg2RwK\irftp.exe

MD5 27fb112b432868929145a202c6454755
SHA1 c17b31ed1de523b938325976bb29298dd70f497e
SHA256 fdadc65ea3df6b291df31f45c1b892805987831e7e09b68fcd0363454928e839
SHA512 1a2763efa72aa8d006776c5b0e4aacd446618e806d18c08bc5de95e6a327b9f745b54055bedae4402fee3aae057899bb224ee17bb60cd123e91ae5621c7c770f

memory/1184-31-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-30-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-29-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-28-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-26-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-25-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-24-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-22-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-21-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-20-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-18-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-17-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-14-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-15-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-12-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-11-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-10-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-9-0x0000000140000000-0x0000000140338000-memory.dmp

memory/1184-7-0x0000000140000000-0x0000000140338000-memory.dmp

\Users\Admin\AppData\Local\6OnPwGdDt\WINSTA.dll

MD5 db9b7a3833105bf60ec88807b8cdded2
SHA1 383d6ac1a6134ce560821fe3954797712829f0ae
SHA256 4454e2dd955165912a3543ddc8480046229c412bbf1669198fb8df11a51bd97d
SHA512 2c998948a477d8726d4c9a74f959e1c1c9f7e3c11e5c75c57de50913cd78a6af59a131566c20614736f95a3ccfbcf235b21fbee3638c276c4db245dc9e37b80f

C:\Users\Admin\AppData\Local\6OnPwGdDt\WINSTA.dll

MD5 68752e53704704ce4cb6be677d37a111
SHA1 38533b77ff0a07627e3fd5ba5154eea96eb2618a
SHA256 a24d5935905c1c1cafc9212a3215890001149e1be9dcd1fb8a229b058f890dc3
SHA512 1bd4f0e5f160ba7872e87f4469e7c15189301a960824c2ca2ea8dba9f12ed1db616cb03188841deefe98a84af0e63224e82a7b16154512aa83f54823d4bf2e43

memory/1584-127-0x00000000000A0000-0x00000000000A7000-memory.dmp

C:\Users\Admin\AppData\Local\6OnPwGdDt\UI0Detect.exe

MD5 3cbdec8d06b9968aba702eba076364a1
SHA1 6e0fcaccadbdb5e3293aa3523ec1006d92191c58
SHA256 b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b
SHA512 a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

C:\Users\Admin\AppData\Local\aY8\SYSDM.CPL

MD5 34654c5000e25d14c8a41452db1a553e
SHA1 ed65fb9d871ce63b75e31388a934876c070896c2
SHA256 a38f49f4df8c8e0a8917df787b105ead4a35aa5d0ec45e2ce133815b56220e90
SHA512 4fca48e6b7bdc0c3cc986af658c896eea4e642b40715f1580d4e2ad55c402a18f32d8219e3e6863a7da43fbce636c1aa5e806c8653acf28943be458a838f4995

memory/2152-145-0x0000000000110000-0x0000000000117000-memory.dmp

\Users\Admin\AppData\Local\aY8\SYSDM.CPL

MD5 e119cce8ae2101e65574939c90b400f7
SHA1 97d78fad300f914f2f2eb30ed46df56785a9ae15
SHA256 343aeb53f1a67d767e8f6e4aef650bf1313eff22f87c8caa255bf5860a0a14e2
SHA512 56f3a0df37764bf19b36d552a54763e1d0953956684164b57a1de82f644c3900d5c66ca17da9aa3a85958b79737baf27c3a8b885deb2a339300f86f08faa2c56

C:\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe

MD5 1ffb9b9f012a216822509e82a49c4c14
SHA1 4fa1cda19d8c9062cbca69c9f767249fd25f42fa
SHA256 8c404130d92403cb5325b25b875172d853b8d71e4b030cf616e4e535863e4b66
SHA512 02ca1cfff20c18dc6d131fda2832703bbe5523ee1dd2fc098859178af5276a4e75b5baa634ba878818c4b738f8e917c638e1d01b62f44a544e58b0ee54196e7f

\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe

MD5 5ff88343abd37e15a5c072d4aae85730
SHA1 82bd3c054fedb317bab5b7ce9b940f1c176d36bc
SHA256 d6909dbe019ac80ee65fc6eaed9dce84d7ad89a4383924e4393947bc90067cb9
SHA512 40792986d93124322c42e84f2e4e2b326c939e8b55a96e22a6b955b3e9f200e4012d6a2ccf09a68309d708938b1435e7a2261b061cb2d92c1563e3493334ef9b

C:\Users\Admin\AppData\Local\aY8\SystemPropertiesDataExecutionPrevention.exe

MD5 d4c2b5fe916656bddd76e1bf691ae971
SHA1 935eaebb779ec946911093e0aa4463be70685edf
SHA256 1ba6bd7ec0739aacc91b968409687e794aabd79133a2e820f5da8b33c634aa20
SHA512 c7fc1c2285cf889c9e88d4604ed0023ed78e262853a5a3c4ef35a7b55611f0a65df2d362c7dc62a96f321ab34e4523018e9c084588ce1bf75f11f0babe0acc9b

\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\wz\SystemPropertiesDataExecutionPrevention.exe

MD5 78f14b763b3697606cfc5fe4a646badb
SHA1 89716f9885570e252ce9bd84a986a14ef822d82c
SHA256 89d1cbcc525009e189e16c85d64569ca6749cf909ecdda485cb569db360095c7
SHA512 4f6c019fc32b4ab9a474c2df99847505bdca1221bd758a1e9a461145c1ec8132d03157e730f6f8d45d7ed4c3310dd66ea4624dc65db0096cf9f8d1163d22314f

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 6b1dca5693f3ac7f92a17db60931ade2
SHA1 0e6c4cc2169670af5eaf3d736f998ee24b6f38e6
SHA256 d070d405953093fbb0bf50271daa424dd4ba22617cda3827578d10799c5ae5c4
SHA512 a8877c4e2e208440d82b98b5fb1b456ac5228c01a807af74d4cb0d7a5d0c59e0c0abea9d88395657b5b02fd2d6ae11e36db0fcd5834c20eead1455acfc67b72b

memory/1184-170-0x00000000776B6000-0x00000000776B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\MAu\WINMM.dll

MD5 b183edf18ce06e56745b7ebfa899bc6d
SHA1 32334b2983308a662b75cd08ab5e2c228e481248
SHA256 16dd3d9e834358931a104cb4a37505739b41cb02336bf0c268fc1a0419643389
SHA512 fc2c03d29f76d626360817d8b6ab133fa62a1dc0976b42bc142b0063a57f4a8506227f3bd52ecf8bf63fa16544c600c5d91e643c035b9afb95f7e4cbe5f482b5

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\A4\WINSTA.dll

MD5 207cc835694fae24ae6fea7e09952d59
SHA1 8f940bbf87120d7232c57e5e09e82be6a82f5b11
SHA256 4efc72953b0307f9e2993a11432580c32fc6582cc6e15a0f7243b75d0c89c8d2
SHA512 80e376423ec2cbf3d258f25e3b19b48bf31ab45338197b8b62bf34b3f0b492b9b7358d1f4e03a52b5219ca943214b85c52dd15f1eb2788c994846d18adbb3dac

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\wz\SYSDM.CPL

MD5 c2b99394bd095dc1265d08a72212b81b
SHA1 b235a71bcf2d5e2f21d627060b33636ca40ac421
SHA256 93891343d0cda68c20854f7840c416340a867e69e1518dd98a44461fe4df1bf0
SHA512 2837897b8766fc5151de177b3db991764e97c37e6a95e078e8d2ed300c46b659eeab83bd9df67e3f0c6c546d770b802379ecb7306f8197072147116fd358954f

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 04:12

Reported

2024-01-28 04:14

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c1e2e5883295d072f73627f00279333.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\fx7DKf\\SystemSettingsAdminFlows.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Ujc\wbengine.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3Q3\upfc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\K1XGagU\SystemSettingsAdminFlows.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
(59 further rows identical to the one above: no Description, Indicator, Process or Target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3504 wrote to memory of 868 N/A N/A C:\Windows\system32\upfc.exe
PID 3504 wrote to memory of 868 N/A N/A C:\Windows\system32\upfc.exe
PID 3504 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\3Q3\upfc.exe
PID 3504 wrote to memory of 2696 N/A N/A C:\Users\Admin\AppData\Local\3Q3\upfc.exe
PID 3504 wrote to memory of 2256 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3504 wrote to memory of 2256 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3504 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\K1XGagU\SystemSettingsAdminFlows.exe
PID 3504 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\K1XGagU\SystemSettingsAdminFlows.exe
PID 3504 wrote to memory of 2816 N/A N/A C:\Windows\system32\wbengine.exe
PID 3504 wrote to memory of 2816 N/A N/A C:\Windows\system32\wbengine.exe
PID 3504 wrote to memory of 544 N/A N/A C:\Users\Admin\AppData\Local\Ujc\wbengine.exe
PID 3504 wrote to memory of 544 N/A N/A C:\Users\Admin\AppData\Local\Ujc\wbengine.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c1e2e5883295d072f73627f00279333.dll,#1

C:\Users\Admin\AppData\Local\3Q3\upfc.exe

C:\Users\Admin\AppData\Local\3Q3\upfc.exe

C:\Windows\system32\upfc.exe

C:\Windows\system32\upfc.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\K1XGagU\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\K1XGagU\SystemSettingsAdminFlows.exe

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\Ujc\wbengine.exe

C:\Users\Admin\AppData\Local\Ujc\wbengine.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2892-0-0x000001E2A5F60000-0x000001E2A5F67000-memory.dmp

memory/2892-1-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-5-0x00007FFAD15CA000-0x00007FFAD15CB000-memory.dmp

memory/3504-4-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/2892-8-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-7-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-9-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-10-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-11-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-12-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-14-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-13-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-15-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-16-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-17-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-18-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-19-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-20-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-21-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-23-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-24-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-22-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-25-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-26-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-27-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-28-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-30-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-33-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-36-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-37-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-35-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-34-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-32-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-31-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-29-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-39-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-43-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-44-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-45-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-46-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-42-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-49-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-50-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-53-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-56-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-57-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-58-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-59-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-60-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-63-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-61-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-64-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-65-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-62-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-55-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-54-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-52-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-51-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-72-0x0000000002400000-0x0000000002407000-memory.dmp

memory/3504-48-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-47-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-41-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-40-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-38-0x0000000140000000-0x0000000140338000-memory.dmp

memory/3504-79-0x00007FFAD1660000-0x00007FFAD1670000-memory.dmp

C:\Users\Admin\AppData\Local\3Q3\XmlLite.dll

MD5 c78fdb6dae69af9a035a9bb4f747e2f4
SHA1 2e4b10f0031b1b1287f295f1e2cacbd35e40211c
SHA256 6f481cf0cc6ea273241c058908980ab718e624ea9be1e06788b28e2eab5878ce
SHA512 92cf796793ecde3fd064c801d4259d0c3d6446ac07927375a4bef5930565a266398436b6805ac252ca93b4f28d2bf56507f19596fe66524cc7c3a353ed58c10d

memory/2696-100-0x0000024F36C70000-0x0000024F36C77000-memory.dmp

C:\Users\Admin\AppData\Local\3Q3\XmlLite.dll

MD5 ddf7f70cf62ddb48ea6d400384830c24
SHA1 dbbc07892b8987c6238e7410a73790e4f9c42296
SHA256 44c45ce33950642c623d917f78743b303f6d16786c6487c8995ea95a1c736896
SHA512 bc01332dbe6710616eba5316a39fd30ca4c546ceab00ae5c40ec4b102ebe8c4d5389af331a3e723c5e51f35a9726a4c48c8984cf4abe36ccb18795184c22ef22

C:\Users\Admin\AppData\Local\3Q3\upfc.exe

MD5 299ea296575ccb9d2c1a779062535d5c
SHA1 2497169c13b0ba46a6be8a1fe493b250094079b7
SHA256 ee44fe14df89c4e5eaf8398f8fb4823fd910c5a94d913653d6b9e831254f6cc2
SHA512 02fc2b25167ebd7dfcc7b8aa74613e7004fdf33dfccccba6c3427434cca981c2eb50f4a801969b3a40c495a9bb0eac8176f4f2ec9091916cf3509a7f909b30fa

C:\Users\Admin\AppData\Local\3Q3\upfc.exe

MD5 09e094e8be0e4ee7db913bef7262a312
SHA1 061845e0db136d92003c578cbf147b1efcf15de5
SHA256 81b55b7db25b9f035ce222b0acf48573660c35fa0970b91a9da591158a6eb70b
SHA512 fb6aa89293124442d3a7ab3c139c2395c721874e224f649c9f042bb0832a7137b3c2a8c8f899a153297ee5cb5ea64ef957d4ecfbeab6d244b9935761d0e8adce

C:\Users\Admin\AppData\Local\K1XGagU\newdev.dll

MD5 5a1f26d1eac6a38eb2e8a23b408f0241
SHA1 04fcd476c2c7861e00b05f786f449b70f0f2834b
SHA256 fa2e8ffb5e0464fe33f286d7b3f88ab1436daa729c6e279dd3d7c1f6825d40dd
SHA512 1f761aac06697847edbdf609bce3beed588471c5b8bc95de2feece153927ca89a596b66e941c1991d6ab45aa2ab71669060ecd4497979143fced311260453969

memory/5108-116-0x0000020036020000-0x0000020036027000-memory.dmp

C:\Users\Admin\AppData\Local\K1XGagU\newdev.dll

MD5 8ba4fad275d574a0aad833eccb7fdb99
SHA1 4e83c5de81dae62fc5a3bc4fa75d5d9b2a02cbab
SHA256 83a0f2463fd6f84736cfadda687acaf6f763479c0507e0690f46a08537da3e93
SHA512 edb22065d1e42dfc16ee6a39dc501104170727e223aae2533452882ccaeabf5749cb62b0c2de5050733fd00fa7364bf6c380a268ce0a6f965ae848363533ed7d

C:\Users\Admin\AppData\Local\K1XGagU\SystemSettingsAdminFlows.exe

MD5 3dac1f19dda5df7d36f5a68d732930ec
SHA1 071acddc521d81b1bea9cc306284c76dd3f05684
SHA256 1872274d2f5364bfd6b20e730e080e8c9399d0a3dda2f37c8bd15bd61a81d8d6
SHA512 3810473e5762d7a263edd6b6477f9b7f853e0bb8c5aab87415d66811e49b177a574e0501f39b7b83b66f0f7cdbce53de4de2ab55e3c24babb19b204bb2c50dd6

C:\Users\Admin\AppData\Local\K1XGagU\SystemSettingsAdminFlows.exe

MD5 4887517805ab643e50a64e86167c42ba
SHA1 c3fb12b85753f26b4c60b4853af2fbff7dd8a247
SHA256 bef6757738cd2ce036a563402bda11d88f6568b3bbb46bd21c0dec9d6eb0c202
SHA512 15b97a01bf77c315adf84fa17178898e11d6ca8305294380adb36339f2b28599eb1b0b35fd2b4c6c0cc3944c5de0031f7245fba9509a04b5d74b452d06d8337d

C:\Users\Admin\AppData\Local\Ujc\SPP.dll

MD5 7619313476dba75258f758a8fc090780
SHA1 dd926ad86c6fcc639e80be4d5c443eac664a5d45
SHA256 8266d181ce71949c861dd06e976eff83508bd468c439714d89c8dac7d4f6b929
SHA512 c311ccb7596fbd9d007283707d74e451c29ff10e40b94e28310eedfb05aff4ea053e779882cf75428a98fbe8ad717755e27e315c6c977a7a05ccc6709b4274f9

C:\Users\Admin\AppData\Local\Ujc\SPP.dll

MD5 b6e70d2c1146e10d4be41f9f471257b0
SHA1 0e99c19645e36ccf9dcd15fdb6c2686d09687f76
SHA256 f48c01de822715e4701586cd2411966ef52b51a8b23fdefc02faf7a74870fb5b
SHA512 8d3d2d25c8608c4c8fd5b8498ad26ee55efa6ab1d7d558c1a2f4b48f13d0f11f9977bbdf328a24307984b28b57867b8ae9de4d680bb09fd042b56e66740ef1c1

memory/544-133-0x00000263435A0000-0x00000263435A7000-memory.dmp

C:\Users\Admin\AppData\Local\Ujc\wbengine.exe

MD5 555b904ab4154dfb6b1d73121d64cb66
SHA1 f8a93e039cd7b1f6528867dc9ae91786ccaa27f6
SHA256 133fc41aefb1db552731d5b8a15c24cb51b24f14d3e28b4110317f9096c14050
SHA512 64993a81c275774c23714d420d9a8923540590b35ffa3dfa06de2dc79d55d86907c520c12260a540cdec835a9bc8a7bd3db3333da973c7bf1bd859c8f6645e0a

C:\Users\Admin\AppData\Local\Ujc\wbengine.exe

MD5 89da55a431778e5f2bbb6273d1cf03ca
SHA1 564e1774210e8a5eadc4e1106b92e124063a83b3
SHA256 bf63a24d92ea0bbef70e995bc66b8f092562bce8b5c6f603b64d30ef668d7536
SHA512 5605f8877217ff3367ec5980c6352c9908f92618888ffcf0d2c706ed3c8b1a9d099b7613a2ae88dd414324db5e9a1d5bef49ff5d8c06f777833c2a221684d597

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 e17f391a325f2b278b01ba20df1d7cfa
SHA1 bc2523af20380b2c74e0f97d7c932ed64133d01e
SHA256 62b3a3ea2dd4ecf591df7b48078cf42dd20cf18f24767aa702551eab44c47359
SHA512 8649c27ed504e93016c474bca2a301336981d688d6509805ed6e38d4e79e671c13e190157474ff49052a5612dae65dfd0fc3382c2fa874b758b1b718b3e09597

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\2FNfx\XmlLite.dll

MD5 3d93d05e0fd5c8b2727ba84754b644f9
SHA1 cad6f9fd57c9d56737896cc557a884c5bd645047
SHA256 9440efee669f1ed492be7657299f81be084759157400f33b53e712a3ba3500f2
SHA512 dc1c5a9c9555ffaa279a4c67865cbc8ea600b55963598254904b9fc17aa303492937597e09e9f2efe34967b950257d2bd8c8e216bfbe6b93bedeb7db86e3d1d5

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\fx7DKf\newdev.dll

MD5 eafe2d03935be1bfce29773165f2cdff
SHA1 f400bb9a434334b3972c78c1af3b73ed9b90b524
SHA256 2185bc3954aec0174d4e0685f16f80502642dc79322817ffc2af1f7f57ab198f
SHA512 0c727d48e6b0061a6ad605b53699440938780c56682258ea6a674e4c638cfa123125a0445d8ec3ebfed53bd5f756a11414fd62ee5061b9a5cbe9b6ba29f0f11d

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\jXdg8331qg\SPP.dll

MD5 af4cf7d7720fb2d24af2b666797b7433
SHA1 cbd6c4cfb7b59964a1a47f53fcbae3f6ed98cd33
SHA256 69c411546cc1b00e99aa58d2d29f6ad19d24c64d79808c4afa87a39c4cd0e427
SHA512 c4faf1333da247331ba8f9cc92f3ecf7be003f0bda93966a922f7fa2d3d74bdace2b189e853c94456751cc910720821a9549544d55a2c97af186fa675c1fbe1b