Malware Analysis Report

2024-11-13 16:41

Sample ID 240130-2cparsfeak
Target 82b98a019126a5f30050d77d82814f93
SHA256 9463a439b0c76f66e03535405b713b906c9bce1453dfdc13a0ce3579c7059e41
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9463a439b0c76f66e03535405b713b906c9bce1453dfdc13a0ce3579c7059e41

Threat Level: Known bad

The file 82b98a019126a5f30050d77d82814f93 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 22:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 22:26

Reported

2024-01-30 22:29

Platform

win7-20231129-en

Max time kernel

149s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82b98a019126a5f30050d77d82814f93.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\19bz\msra.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\gpqP\\msra.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\19bz\msra.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (61 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1380 wrote to memory of 2036 | N/A | N/A | C:\Windows\system32\mspaint.exe
PID 1380 wrote to memory of 2036 | N/A | N/A | C:\Windows\system32\mspaint.exe
PID 1380 wrote to memory of 2036 | N/A | N/A | C:\Windows\system32\mspaint.exe
PID 1380 wrote to memory of 1848 | N/A | N/A | C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe
PID 1380 wrote to memory of 1848 | N/A | N/A | C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe
PID 1380 wrote to memory of 1848 | N/A | N/A | C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe
PID 1380 wrote to memory of 896 | N/A | N/A | C:\Windows\system32\msra.exe
PID 1380 wrote to memory of 896 | N/A | N/A | C:\Windows\system32\msra.exe
PID 1380 wrote to memory of 896 | N/A | N/A | C:\Windows\system32\msra.exe
PID 1380 wrote to memory of 1796 | N/A | N/A | C:\Users\Admin\AppData\Local\19bz\msra.exe
PID 1380 wrote to memory of 1796 | N/A | N/A | C:\Users\Admin\AppData\Local\19bz\msra.exe
PID 1380 wrote to memory of 1796 | N/A | N/A | C:\Users\Admin\AppData\Local\19bz\msra.exe
PID 1380 wrote to memory of 1140 | N/A | N/A | C:\Windows\system32\p2phost.exe
PID 1380 wrote to memory of 1140 | N/A | N/A | C:\Windows\system32\p2phost.exe
PID 1380 wrote to memory of 1140 | N/A | N/A | C:\Windows\system32\p2phost.exe
PID 1380 wrote to memory of 1696 | N/A | N/A | C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe
PID 1380 wrote to memory of 1696 | N/A | N/A | C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe
PID 1380 wrote to memory of 1696 | N/A | N/A | C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82b98a019126a5f30050d77d82814f93.dll,#1

C:\Windows\system32\mspaint.exe

C:\Windows\system32\mspaint.exe

C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe

C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\19bz\msra.exe

C:\Users\Admin\AppData\Local\19bz\msra.exe

C:\Windows\system32\p2phost.exe

C:\Windows\system32\p2phost.exe

C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe

C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe

Network

N/A

Files

memory/2880-0-0x0000000000120000-0x0000000000127000-memory.dmp

memory/2880-1-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-4-0x0000000077866000-0x0000000077867000-memory.dmp

memory/1380-5-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/2880-7-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-9-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-10-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-11-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-8-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-12-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-13-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-15-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-14-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-16-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-18-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-19-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-20-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-21-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-22-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-24-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-25-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-26-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-23-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-17-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-31-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-35-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-37-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-41-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-45-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-50-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-52-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-56-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-58-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-59-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-62-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-64-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-65-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-63-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-73-0x0000000002B00000-0x0000000002B07000-memory.dmp

memory/1380-61-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-60-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-84-0x0000000077AD0000-0x0000000077AD2000-memory.dmp

memory/1380-83-0x0000000077971000-0x0000000077972000-memory.dmp

memory/1380-57-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-55-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-54-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-53-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-51-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-49-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-48-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-47-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-46-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-44-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-43-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-42-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-40-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-39-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-38-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-36-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-34-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-33-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-32-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-30-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-29-0x0000000140000000-0x000000014037F000-memory.dmp

memory/1380-27-0x0000000140000000-0x000000014037F000-memory.dmp

C:\Users\Admin\AppData\Local\Y4vs1\MFC42u.dll

MD5 11039144381d4b3ab64daf1457487d37
SHA1 99a10e763e6ebfca3f5452209dba337c425c1890
SHA256 87d8579015490581352ec2d8126322123ff24eb48629040f3fc8cb4bedf04178
SHA512 3e5a6882db7823fb6289747a0617e1806185f628fa6b8ece534e9d55ab18dc66a93e5834cd298234026aacee43b5c05e886fbee062383e5ce3b817865ebccae9

memory/1848-109-0x0000000000100000-0x0000000000107000-memory.dmp

\Users\Admin\AppData\Local\Y4vs1\MFC42u.dll

MD5 378a843b86d13f4f2a26a61694ead31e
SHA1 a2dc28c9501daa3c69dc20df41b506e908f09761
SHA256 770ce5f5fb4fcc47f5852d2aef8bf26c93daa6ed334b0bddeb2e9a9143068e2b
SHA512 ab831b622c8795b58ebdb719d0dde7f5fcde12d1e379cb0b29c486ed5bc0dcefcd6541d24789d4edbd3042d268d1865a93b90ac4d1e3bab843e412f695e53fa3

C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe

MD5 8d395e79a524374d99ea4fc7b5fde9b4
SHA1 1dfc956ef9150014c905c4a1abca7b852236560c
SHA256 1348c2ecd998de6424a7acac12eec05f5833386c65a998e9040477275093bfca
SHA512 d56d9abfbc049f225248c79415ce3d154fc55de6218af4e45f2667c3d4abcc1b1e1e83e333e40ed07772fdf68ad59f186c57fc96fbb6c7f2d624814f52154a97

\Users\Admin\AppData\Local\Y4vs1\mspaint.exe

MD5 da543e3f949e4b36f6a2fd2f4c8479d0
SHA1 8de73c7295668ec28a94a39b90446f828911cf41
SHA256 a2d55f5a8c47002bc003af7737b93ec15d7ffe6339649f5f5af8481925b5ca3f
SHA512 4329322debfbe2b26eb519f00cebd07e210286e216df02efdafadf0736dbeb77d8dca4d5140fbbd6fe816ddacc96b0a8479061bf499c990c277655f3f41a473e

memory/1380-28-0x0000000140000000-0x000000014037F000-memory.dmp

C:\Users\Admin\AppData\Local\Y4vs1\mspaint.exe

MD5 310568515c600e08c5b5743618c5f7d2
SHA1 d0aae6ef59b33a2a06a5d72c45d8ef99cb6d465b
SHA256 1ce773c7695b0c07b1f756833d2c01019f2809aaea7ca802d5902713dceb25f7
SHA512 d429e741ab35b563030f67e192c4ac7cadd1b3620fc67dcef5e7154600f49f680465284d341f8446abd7747f8f415c51c7f941b55a9e3f2bc237dd219e52af18

\Users\Admin\AppData\Local\19bz\Secur32.dll

MD5 f66504741905cbe1d742c133c03722e8
SHA1 60687c77d276b413bb1284f7d5e510ac5876e9e3
SHA256 1c0933aa32529ed48f64b0890a28094def995f687cb4e466443d1748e5c12f23
SHA512 37facc480def234784f0cd30f6784f10ecab0de42e0fa381956026745c0478f17c3c476d3bbd31aae3f2a02f7968e6aaec3faba5b6d54217d1f23d89fa1631d9

memory/1796-135-0x0000000000110000-0x0000000000117000-memory.dmp

C:\Users\Admin\AppData\Local\19bz\Secur32.dll

MD5 f2beb3380818a1d3b3a31ca35492c4ed
SHA1 556375c96734fbd6953351e772a3a82497650be4
SHA256 50d3076b45014be7e32f866eabcab14d7454f94b85976b0c0aad1fdd561f56bb
SHA512 4e0401ab134bf5ccae8b04ff36fa2079fdef713e8e4bc0aa093d714aa3cbcfa72fd0072ef4e4ffa83d00327b8e0a67d9a4e5aa3fa75412446d4bafffad08a45f

C:\Users\Admin\AppData\Local\19bz\msra.exe

MD5 fee1881479374568a8d8a05b700a4fe4
SHA1 ab329330117487091aa041ed83c1d05aba5ebcda
SHA256 c47c38fad79a01a25a98de4dc01bc0f3562f8c57db802b8ec127af998f590e64
SHA512 2266c464ed4df06a201d0364901df76804bfaf93e8dde393188575f5e63fc9db239ea9c8236f434729aa699d97f1a41e003686ce467b97548f5a2d43897fe53a

\Users\Admin\AppData\Local\19bz\msra.exe

MD5 d0af3305e149b1bc2722b241b75b3eef
SHA1 358c5ec22d123f92a161a5cdddc25aba5d128535
SHA256 ea0091ed06961a5db990461d2bba4d605e85e2098d2e34e41bd3a56c6489bd6a
SHA512 ad43aa7be846fa479692a9bd8e383b5c660397ea7ec0ab59164e2508ffe511db2854cd70e8a30b47112345e601cb5a7d31d669ceac78ef667473963aefb4a5ae

C:\Users\Admin\AppData\Local\19bz\msra.exe

MD5 1c68e664bba559daf7293872b77d5d10
SHA1 1426e7fce119c04ef433622ae77ec5f3428a2e4e
SHA256 347fc4edd8903071d1acd42c93ac0c3695cb850b49e1946d97e3b7f9390cb24d
SHA512 3b5fe8ae2c4d31cdadbe35546e1997c3c15a54fdd83ece6dc0c42d5f5685dd50a9c96efaa565d16fd5dc70f98633d01bcba2547f99ed73ecea47ecabdf6249fa

\Users\Admin\AppData\Local\q1JNgLbp\P2PCOLLAB.dll

MD5 c9e0d8bfa4dc8d13e7eb9f202d023449
SHA1 abd901708efa756927b1e6a12756873f02d9b388
SHA256 62458c61b55e7e01d308b7a1de1a6bc48a8fbf56b844c3a9f9aacee995a807bb
SHA512 bac5d0d58a1d5327e250115b8d60b212d83855ca95960f630f76efccd9fa1a38ce232993ae244e6cea5b7b4c0281d30b5c72db968bcf14e89ec62f62f55a20e3

C:\Users\Admin\AppData\Local\q1JNgLbp\P2PCOLLAB.dll

MD5 0f26e9a3559fcd9ef0632508aca2de3c
SHA1 8308d90a758b0a7803b00c3a60c5006390827906
SHA256 803a5a153f07e2270e896115087fda58831841c0f8ee06862507a420f5e8e408
SHA512 6b826657c27f8118c2bd20fbc1c9d996c25c8c03d89cf049c4908620d96810e271d33bedc67c1e1c903caafbe6fbaeff919d66c06a42493080966d51d3d3a80c

C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe

MD5 c1ce469d418497208efda563edc69927
SHA1 b0cfdec97b89ca14af36c2a32859c4fedb3a53b5
SHA256 1aff2edbe45ad6f5900e9fea376bb4d0029cbe51304c300a882445184aa73681
SHA512 81a6a492258f1afa8f234ba85abd343dc34d95f9961f0bb3a19244acd83e2fce870de640be5548604f82abb8e44743bd48a11837dfb3947f59471dd27e530402

\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe

MD5 870f3386e0a3ffe93616886faa092a46
SHA1 01e764d5b00787ccc8249e81c17406245a3b20f5
SHA256 81cb47631f1fca3e1a97a5186b0b1b9570bae5c7011cfb8d3e50339de886b0be
SHA512 1e944890bbdc6a2a06d94d457728079354be5fc791e59c5b1fda2dd75ac7e048833d29c88b978a8e849100a6106cea79e27fac4a57af6bb20567ba6acb2dcf96

C:\Users\Admin\AppData\Local\q1JNgLbp\p2phost.exe

MD5 0dbd420477352b278dfdc24f4672b79c
SHA1 df446f25be33ac60371557717073249a64e04bb2
SHA256 1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345
SHA512 84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

MD5 8096fedb7eaca1a65e1773d2994b5ca7
SHA1 ef5b195e4fc6b3949d00b5fb3c0608d1c09b250a
SHA256 62f147580774d8ce951d53137f633ed9a56ae912343d8be73e98d897e85b8fb8
SHA512 b07cd95889e1d0c2629937e1702a9f02d8726e6e16bcb8e5efb762a89d0a69455f7ea792a6cf6102fab5ea6294f3cc542b12cc58a7c964a979e57fa74876e61c

memory/1380-187-0x0000000077866000-0x0000000077867000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\k8Uw6p75\MFC42u.dll

MD5 6c1c8b64a709a6d44370a0c99aa87ae4
SHA1 836a32bfd1964a52dd3db6a35f3500924c530795
SHA256 0ed285382b8a30deb67bcfa23784f2be087e34c9de15ce96de4c592fa26cc61b
SHA512 e5af17ea02ebeabd9bf093bd3ee6eeef142ab1bb08851916844a5729706e44df6e72807df4991abed26a99e98fad107dfff912212655d04a224cffa07b9e29eb

C:\Users\Admin\AppData\Roaming\Adobe\gpqP\Secur32.dll

MD5 93ca81cd11837c3f5236756f1c505eb5
SHA1 a52ea5074e80b200e19560d32985bbcbb73d71a3
SHA256 f416f38e78e77e6d2198dc365b6c982ae2d43192f67154e991b9dbfe7fbf8af8
SHA512 0b45a0e11840a3a26a41d1890d623439936afea559788f37aca0a86141493b2c1581f713f1eb530e6585af7fdef1338387afe50981830103a912f80eac93c9ea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\AI5aLZ\P2PCOLLAB.dll

MD5 f85a7fd91ce1966dcfa2835c3dbfa7a5
SHA1 9ca7ffeb7b11da2d727e92d9537db7426dddeadc
SHA256 e8fd8a5ea7fc17be6296631f0a6a4b3cfb887942d461a4ce32784bb3b8e672b1
SHA512 a44fc3321b8792643d25ee2beacc7d6425650767e08047eb76891a5f8d86a51b0b02bafae9f7117930f3d114e07496e271a4b3baf3ba1359da75ed822d7ae116

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 22:26

Reported

2024-01-30 22:29

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82b98a019126a5f30050d77d82814f93.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\B6NiKt4I3cg\\Magnify.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (60 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3440 wrote to memory of 4152 | N/A | N/A | C:\Windows\system32\recdisc.exe
PID 3440 wrote to memory of 4152 | N/A | N/A | C:\Windows\system32\recdisc.exe
PID 3440 wrote to memory of 1232 | N/A | N/A | C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe
PID 3440 wrote to memory of 1232 | N/A | N/A | C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe
PID 3440 wrote to memory of 5104 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 3440 wrote to memory of 5104 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 3440 wrote to memory of 4812 | N/A | N/A | C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe
PID 3440 wrote to memory of 4812 | N/A | N/A | C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe
PID 3440 wrote to memory of 3012 | N/A | N/A | C:\Windows\system32\printfilterpipelinesvc.exe
PID 3440 wrote to memory of 3012 | N/A | N/A | C:\Windows\system32\printfilterpipelinesvc.exe
PID 3440 wrote to memory of 2888 | N/A | N/A | C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe
PID 3440 wrote to memory of 2888 | N/A | N/A | C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82b98a019126a5f30050d77d82814f93.dll,#1

C:\Windows\system32\recdisc.exe

C:\Windows\system32\recdisc.exe

C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe

C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe

C:\Windows\system32\Magnify.exe

C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe

C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Windows\system32\printfilterpipelinesvc.exe

C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe

C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | N/A | tcp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.116.69.13.in-addr.arpa | udp

Files

memory/1960-0-0x000001A460ED0000-0x000001A460ED7000-memory.dmp

memory/1960-1-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-4-0x0000000002850000-0x0000000002851000-memory.dmp

memory/3440-6-0x00007FFEB93FA000-0x00007FFEB93FB000-memory.dmp

memory/1960-8-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-9-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-12-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-13-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-14-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-15-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-16-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-17-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-18-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-19-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-20-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-11-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-10-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-7-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-22-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-23-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-24-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-27-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-28-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-29-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-30-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-31-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-34-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-37-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-39-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-41-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-40-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-38-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-36-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-35-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-33-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-32-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-26-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-25-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-21-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-43-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-44-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-45-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-46-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-42-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-48-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-50-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-51-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-52-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-49-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-47-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-54-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-53-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-57-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-60-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-62-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-63-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-61-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-59-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-58-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-56-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-55-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-64-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-65-0x0000000140000000-0x000000014037F000-memory.dmp

memory/3440-73-0x0000000002810000-0x0000000002817000-memory.dmp

memory/3440-81-0x00007FFEBAB80000-0x00007FFEBAB90000-memory.dmp

C:\Users\Admin\AppData\Local\dumg9s1h\ReAgent.dll

MD5 2439cf0a43a430357c184fe161b91233
SHA1 71c25e7c809d003bd4ea1ce66fbf4f60c2b97146
SHA256 4174d734ed3ac9cdd63b26741317df5b32cea2dfe52ff370f6070e189f8fb478
SHA512 36d9ee9daadfa362406a1d7b54d6becc38e68bfeeff3235687617c12e942ed0502df65b148af00b5687753b16dc962273d95937891f014c6a3885b0c9a997fd1

C:\Users\Admin\AppData\Local\dumg9s1h\ReAgent.dll

MD5 9e03bb817133a629095b722891d1382c
SHA1 aa486a54795b1c7dc718fb5ed85d878920afdbfb
SHA256 c81987311af44f0bc3d460ff76fc9e907dbec10af4d03d14d3ed15a98d26c99b
SHA512 87f65e9d9ef2c47f075df85a778e4556d1219052bde5885567d8a8bd2ae6d2b18444f20105953765ab4201bd65ecb006d9166b10e5b4d6c031af68acb0ed83bc

C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe

MD5 f461ff54eb3ba45b7b7a0d5d65398fd0
SHA1 017653bdca6b48f76f5adfc7496408dc18e9de67
SHA256 22c017dd7b992c6c64d7110935507563341334787b383f08aeeec1af51698228
SHA512 cde6689565085fc76267c05b2808f111e33f2d06c1a22e7b5bfb9501b9cf65c030834b4235ce1c39f1204467d0ff8ff3c5f13fdb07b048edd61b06815bef1b3f

memory/1232-102-0x0000018976350000-0x0000018976357000-memory.dmp

C:\Users\Admin\AppData\Local\dumg9s1h\recdisc.exe

MD5 18afee6824c84bf5115bada75ff0a3e7
SHA1 d10f287a7176f57b3b2b315a5310d25b449795aa
SHA256 0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e
SHA512 517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845

C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe

MD5 deb1c965788b8d51905637c6b9b12ebd
SHA1 82af1c3eecf4f3d1c5a454839ff7f30cb04204b8
SHA256 2d23f281f0815d9d42786ab3f5475330f74cf8c3b5abe7760ab4367f369bd6d3
SHA512 95af508738a46b88a2750afdf49a1389b7e5ec73f4a70d88376d7fb08e169c51a0822003fac048cd9153b47484fa636e24f778b46f5dff422908dda719f139ed

C:\Users\Admin\AppData\Local\YJxUai\dwmapi.dll

MD5 472d16df6c93c35aa6d4d01680987b08
SHA1 3474903bb8f48a895da704d1a706322747c969c8
SHA256 89d2f715cb926c9b9db5b65374a325ea2df01404af3a3e88c84f667a4c16acfa
SHA512 9b5242dfe8d70482aae01277f99b1eddb110d38c040f1e8319f0e9455d61df723f57bd96ad3d7247efc21fc917a3f6b7a737e7b12e72a3c392bd46de4afc11b9

C:\Users\Admin\AppData\Local\YJxUai\dwmapi.dll

MD5 2e09da7e42797a019887261ede6b438d
SHA1 251fb0a23528d1a41485543b3cda3b5ccab2ce0a
SHA256 651569c7469a0140286b2e32bb9b57d63b171c147efaaa15f38ff9a881c01d05
SHA512 98dc51d602c78a9d6c68b9782ff4ceb6671034e46e855abad4facd353044c0aef84580e2a10cef4c33233bc2a79d857d5e2052647125fb5b04805d5e4f0bcdea

memory/4812-122-0x000001FEEA770000-0x000001FEEA777000-memory.dmp

memory/4812-119-0x000001FEEA710000-0x000001FEEAA90000-memory.dmp

C:\Users\Admin\AppData\Local\YJxUai\dwmapi.dll

MD5 238491598e30e0e05afc18e216f9104d
SHA1 3b48144b145cc0309efdaa190ea5e9736524fc8b
SHA256 8197a292eaa6639b88366fbe5dd2e05aaf389f1afc7031d06b6ad00e50c773aa
SHA512 42767d2cd712b3718310b5d84c929ee5e9b19ca74911371bc5fb1e83c7e9b1af0f69fc23f954d463dc24fb0886b3637bf41ae10ad89563aa98eed8b369f74f8e

C:\Users\Admin\AppData\Local\YJxUai\Magnify.exe

MD5 eee85e2706d0c28bf678caa3a819581a
SHA1 eba01b433fcd6a3bbbf5478af195efc8616f4ba4
SHA256 05e4a557572e181c926d8e8346bdf5f5fe11335907445c65948e5deb983fa577
SHA512 a3a88f51c632ee7ab64f53bb3b191da772a850b7e64469a678fe1f48bce4b593be0005489c7de619648609deb17774f0dbad22fdbedec519de89ff6c9ffbd54b

C:\Users\Admin\AppData\Local\3e7S5ve\XmlLite.dll

MD5 2f67b49be077de9206e0d3281231c0b0
SHA1 a4e6ce15536e6e1d014c5a3406ebd7b41e297f05
SHA256 84594403fdd80a7fcf9f2230733312b9361becadc4ad75bdd60a8b2811d7eacb
SHA512 ef56025433045ae9d67b049a18bc903d5c9852a61094a256bebad59a451f6da2aec82364f7b9c6f1b8fe1f5f1321866b61da2c6316b2b7ca10390ca0bd6ed5f4

C:\Users\Admin\AppData\Local\3e7S5ve\XmlLite.dll

MD5 2528a332d5b018a416ebcfe4a8d4ac7a
SHA1 e20ca9b86da2d8e082d780ba9d6155b5df2ccdb7
SHA256 21d24fdd050057028802ba280b2445bfe455785bf498d131d132fb600f6dcb40
SHA512 046d5c2e996977ef3c49ee11fcf128f503b54e0fa7b43aee09c8e71fab151febdb02f46d3d35766d4fb80b381a3e5ac3cce1d4f62ea8244cd8694b77f49b792d

memory/2888-139-0x00000226384C0000-0x00000226384C7000-memory.dmp

C:\Users\Admin\AppData\Local\3e7S5ve\XmlLite.dll

MD5 15b0ec01e7112858406b45bc4508dc80
SHA1 8fddb90a029fd103b45ab96f4524f197141e7223
SHA256 70b9133761ae929289c0425acf39ae3b1cb1be2034e366303d1900f712e3b78b
SHA512 96387346aeb9c559da45abcc2a59ae294d38e5904ffe12d0c07323bf4f685d06d2225d77bce53f6491e142da2038296bc9d1a75d8098397e9f3c49c2a52ac705

C:\Users\Admin\AppData\Local\3e7S5ve\XmlLite.dll

MD5 97e5d336c66a40a95cabe8d11d7934f6
SHA1 00da531f5d97dba5ab01417cb2c987966f85c89b
SHA256 381018d15fcfd415812615b1511916d52315359bbf54c2513f15e26dde284261
SHA512 be27f590f7e7ddcec05ebb515bbf7407c15b315181b87de6883bd7e7f360bf5a427e4aec9b2eaf8da0154d644d2ec9ca25593bb6eef7bb56dc8b87e1444fdff4

C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe

MD5 b2a7dc13ac88ca37015d28aa5dd8b5cc
SHA1 145c4d0c8fb9b5616a0dd618d51fe58bd9b89c5f
SHA256 5d3deaef291851ea58d24dbe693982c93540daa66f2e61b6d7712d4ecf50b362
SHA512 1f466f4d0baf1b9cdd7cd1664909389474aeac11260645e67e208d005762e00726da101e764b650edd270285beeffadd1417beed5b49532d6b28dbe5b135d840

C:\Users\Admin\AppData\Local\3e7S5ve\printfilterpipelinesvc.exe

MD5 312661a7a84e4ffb65ba9ba78d5a0c66
SHA1 d08d209c2ecb0abf44d4f7d91a8fa80770c0ea68
SHA256 18cb096c0617af0ee4a4a8338abc11c130b18d541622cae66bd74ed8a13d9d23
SHA512 cbecd8e4712d174e029c859dc942ddcb09e697db2064b9a71e2727aa004cde7e873807395f0f7d780eb5ac0c49eb5e6ba33ed638b9e06f6586742f9b894212ed

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk

MD5 02f2ac4ba174c36e5207ccb0d2835d0b
SHA1 8590f7447b84754a10bd1316d98aa58c1b5c33a9
SHA256 7c1cecc18aad4b30117e06a7ed126bf4455395363cfffc09e2bf9aa8fc969ea1
SHA512 33806b0f719e49130049091bfb161afdde98cf6080cc78371c3d09a53b16dffcae8eb6ce3f2575648435063cc5c34924edc600ab870b0510f59bf9445987a21c

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\WHxH\ReAgent.dll

MD5 a42b4d81aff86fbfb69b9cbd3299546d
SHA1 4d227c3d71e1606fb1b6330a196d4128f1b668be
SHA256 d75264272b61ac364b71c8ce020e95bf270117cae9eee496746cb5896f8a39da
SHA512 b27f3b3c0f49b10c9b7fb6f8d51e0abeefac4ab24f05a336a4d85294ffc1d27c2807a2f4a1fa5bc563d4da1f796e08f9d769fdd0c58f598f07efb409b17257ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\B6NiKt4I3cg\dwmapi.dll

MD5 a07cfdfc907ba3b00df4745718687f53
SHA1 dde00128b69da5f1178e55bf2f54f4c53b5b811c
SHA256 d2539bba3d06d664d00d29cc453a9edbdd43a0ae5611d6f7405cd46b3dcb34b9
SHA512 5823812905caa1c670f41a9a76b4e9e3151dbc3e05317a3840c22371663691fdcd6f51bd157cdea085da933ccc831fc3cd4b5e2fb23feb0410459b7801d6337b

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\7NrnvntQdBQ\XmlLite.dll

MD5 26e7b2591db586bc497bb7b2b75714c0
SHA1 e47e4a72f99991dad99d48e88c8e35f92d744764
SHA256 18bd7ca051de5d28aeb11dc0669d5bfd56f5eea45dc338aa00d05a5b5ff3d352
SHA512 bcf5f62409af904c6a09f3c134f8c879507f74f15b035f453690af7e2ebc44f27d57e4844d40a232291d391a3511849d2044e58d26fee2fbd4e99616bb288866