Malware Analysis Report

2024-11-13 16:41

Sample ID 240130-3gwfbafce5
Target 82db4107f6e131cd91a70e918dc4bfb2
SHA256 297b30d04329d60ca335b82dd1d813b21d884fe642e602b61a9314501ad69782
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

297b30d04329d60ca335b82dd1d813b21d884fe642e602b61a9314501ad69782

Threat Level: Known bad

The file 82db4107f6e131cd91a70e918dc4bfb2 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 23:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 23:29

Reported

2024-01-30 23:32

Platform

win7-20231129-en

Max time kernel

149s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82db4107f6e131cd91a70e918dc4bfb2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\CF0VXO~1\\DEVICE~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1384 wrote to memory of 2940 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1384 wrote to memory of 2940 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1384 wrote to memory of 2940 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1384 wrote to memory of 1764 N/A N/A C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe
PID 1384 wrote to memory of 1764 N/A N/A C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe
PID 1384 wrote to memory of 1764 N/A N/A C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe
PID 1384 wrote to memory of 1792 N/A N/A C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1384 wrote to memory of 1792 N/A N/A C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1384 wrote to memory of 1792 N/A N/A C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1384 wrote to memory of 876 N/A N/A C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe
PID 1384 wrote to memory of 876 N/A N/A C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe
PID 1384 wrote to memory of 876 N/A N/A C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe
PID 1384 wrote to memory of 1496 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1384 wrote to memory of 1496 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1384 wrote to memory of 1496 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1384 wrote to memory of 2344 N/A N/A C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe
PID 1384 wrote to memory of 2344 N/A N/A C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe
PID 1384 wrote to memory of 2344 N/A N/A C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82db4107f6e131cd91a70e918dc4bfb2.dll,#1

C:\Windows\system32\ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe

C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe

Network

N/A

Files

memory/2948-0-0x00000000001C0000-0x00000000001C7000-memory.dmp

memory/2948-1-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-4-0x0000000077316000-0x0000000077317000-memory.dmp

memory/1384-5-0x0000000002A00000-0x0000000002A01000-memory.dmp

memory/1384-7-0x0000000140000000-0x0000000140325000-memory.dmp

memory/2948-8-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-13-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-21-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-28-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-33-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-36-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-40-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-46-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-50-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-54-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-57-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-60-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-62-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-64-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-65-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-63-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-73-0x00000000029E0000-0x00000000029E7000-memory.dmp

memory/1384-79-0x0000000077680000-0x0000000077682000-memory.dmp

memory/1384-78-0x0000000077521000-0x0000000077522000-memory.dmp

memory/1384-61-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-59-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-58-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-56-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-55-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-53-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-52-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-51-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-49-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-48-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-47-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-45-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-44-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-43-0x0000000140000000-0x0000000140325000-memory.dmp

\Users\Admin\AppData\Local\m2cq\appwiz.cpl

MD5 bf730a89e3f78d94db9935ddfdf84bc1
SHA1 3d24069067f920801ab4beb378f9369ff2d2d0ca
SHA256 36e98fd33a1412f8b9428805a672d45d6a6bcc90799d8d5f15f42f5076287f1d
SHA512 6e27a68c10093610cbb002386f80a139a1d81b753cf9b7711a21407f3ab50a1b0e1e22a3424e203e453fe2a3ca1d1a2c30e7946d218ab94295b88a3f7b11e0b1

memory/1764-108-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\m2cq\appwiz.cpl

MD5 4a460c513cb5b5d541745ebdb7c24a89
SHA1 b7229290b0330bda1d2d36bb38a53eea385dee08
SHA256 ef1048eef6d240573e6cfc0790e4b64b57f6d0c89417af361d705ae011ab7d9b
SHA512 c2e46b421b0c71c95cba66043fc5fc92a058354ffc514b448b00b3374273c141dcaae6b0931b6cc103a1042d54ec8e61ca39bbcc8d9702c9a2bac39fcec11b2b

C:\Users\Admin\AppData\Local\m2cq\ComputerDefaults.exe

MD5 86bd981f55341273753ac42ea200a81e
SHA1 14fe410efc9aeb0a905b984ac27719ff0dd10ea7
SHA256 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3
SHA512 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

memory/1384-42-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-41-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-39-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-38-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-37-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-35-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-34-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-32-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-31-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-29-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-30-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-27-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-26-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-25-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-24-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-23-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-22-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-20-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-19-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-18-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-17-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-16-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-15-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-14-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-12-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-11-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-10-0x0000000140000000-0x0000000140325000-memory.dmp

memory/1384-9-0x0000000140000000-0x0000000140325000-memory.dmp

C:\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe

MD5 1fffd5db902c6bdaa7c56ee780fe9fd3
SHA1 3ad853969142f78835904de5aba74fa0ce1411b1
SHA256 2d5b4f609429806763f48b5fab64181f00e3fb60d30eeb3fd859c0598dbbee8c
SHA512 c215ccdf98d9ac47986062528d159554e68265688534d8bccd4484e6e99d1e8ba5e471a9c68a1fd8cd1fcac19ff03cd3e04a2215a8cd8e62a4a8b2a2bc8146a2

\Users\Admin\AppData\Local\rMqp\DeviceDisplayObjectProvider.exe

MD5 c96c8854766f7b5d314e5e5cb9dd37cd
SHA1 6a280be3746f052e01797d4b7b1aa12237421b50
SHA256 5b387569e33d1c5f6c100410bfa8346152fdc726fb894fb73315e5f17c6925d1
SHA512 aca48cd23524efde0c3975a394388fc12e578db974e1580737cda90d0c8d78edc1137d76fe82b2988f68bdc13a46f9c8c2c96bb3315a151ca63003e7175d70d6

\Users\Admin\AppData\Local\rMqp\XmlLite.dll

MD5 9086b275455f1233c77e2cb7c4077a7b
SHA1 016732a992c478559c7a92ae94b4f3cf7dee3bdd
SHA256 394cfeb66285fc5e967dc3d05b60040c779bcc0d9f6e0556e18d1db4b1a4f637
SHA512 d8d4fe290bd1eed81b04176bb2ced296880f85e9de7a2411773f27902f80a5b94c49d86193531b52fcd5ef6a725995181f217c1a4d7eca2f9c1be2b44652aaa2

C:\Users\Admin\AppData\Local\rMqp\XmlLite.dll

MD5 f9a79479fd303e74edca6b9079e9c839
SHA1 858b42b3f50fd24c7ce0754938e9d11dd53cbb20
SHA256 6ce3304366db0370ef22360320caa549360b429fb765088be6e6b7327df6f037
SHA512 a1e5229bdb3f08206c0c040d8f23b9ea87924d6eeff36fdc2f2ef86453f68e2fa3445ba043046ce6a46342aa3d30a82e44cffb230e621f1c8648ab48b28a5b9b

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\cf0VXOVMXTd\DeviceDisplayObjectProvider.exe

MD5 7e2eb3a4ae11190ef4c8a9b9a9123234
SHA1 72e98687a8d28614e2131c300403c2822856e865
SHA256 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
SHA512 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

\Users\Admin\AppData\Local\AMsGPi\FVEWIZ.dll

MD5 3367dd81b65c54db5d91bd476cb519bd
SHA1 e23863b6e28a3f0969ba7f04ab0e871bac73b9fa
SHA256 bc5036db87108d2e6259b3fe00e034b3d64ae837e8849a05aa64cc7babda1349
SHA512 6e77ea682275b87c6b59678aa1997df6ffa935cd0a21fb30af9ccc7bad4043500333515c0df10cec8db17b7320ac74a81a70c769ca2d406763c0d50ba60e864d

memory/2344-140-0x0000000001F20000-0x0000000001F27000-memory.dmp

C:\Users\Admin\AppData\Local\AMsGPi\FVEWIZ.dll

MD5 2be30f81b80bb026c2ad98a21fcfc7e8
SHA1 b9f42f38573d1b1da8b6a3ef954010b87daab7d8
SHA256 75e841b8d111057de153bdffff1cc0f3770c33aec4aa8b4f1de59ab5dab0cb00
SHA512 7de186b7f58cb2ce92db4a2838d32d16d1a4bf4ded4fdd5fbea085a7bf43214cebbbac954c3d3a93758b9ddcd1a6881667424b529d1b8daa023352094405d7a3

C:\Users\Admin\AppData\Local\AMsGPi\BitLockerWizardElev.exe

MD5 73f13d791e36d3486743244f16875239
SHA1 ed5ec55dbc6b3bda505f0a4c699c257c90c02020
SHA256 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
SHA512 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EYSJKQKJ\IkhM45LsJ8\BitLockerWizardElev.exe

MD5 0bf47230134131e29b6882da88f46ba8
SHA1 7f8e57a2e713016a133fe5d753af670042677515
SHA256 f39bb73e7eb0c9152883471835f4c8053b85ade257b7e05b6d79ec55cf0b021f
SHA512 a285de5b15adcf66b522dc31c98d09de8f2ea9097c4f0e82bb2df42f17b17186d7bd13c5c524428ec50ccd3b720956edb71dc06ba04bdbcbc2cedde9a82ed980

memory/1384-161-0x0000000077316000-0x0000000077317000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk

MD5 a1c097ca2d2e8f14e3856435a0d23a89
SHA1 6fb9a5afba99bb0590ccdc841a07d624c2112362
SHA256 93bcd20ad967694bdbc0bc1eb89f232fc251a51b8ec30abc2b24c458df2f8ed9
SHA512 31a20150a14a28ae4560a1e7fa2affc9bb71338023878034c52a7a85ff7dc2d2cb93ea387770c0ea6073870e7d4f600dbc2f0c65f94d7b26cd06daa0f15daa44

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\iLNrb5lZyS\appwiz.cpl

MD5 015c38842e81e36f68ccea31cc835480
SHA1 c29a109d93b15cb1361af74fa32b54825ade7c54
SHA256 160e230daf82dc4f482307c504d47e5aaa3a1d1083e033dfbf241bf9fd584d4a
SHA512 0feb506770be4bce18e967800cb6d531a37aeb6600310fcd187533c425db0af8d1cf0775641b96bf084c29d6b5887fcb1f87fe4bb14343bf084608196889d301

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\cf0VXOVMXTd\XmlLite.dll

MD5 7e0da16b846a6f71d494e4548f610a6a
SHA1 0987f9ae66ea08d766933d82e7c1371b8336d0d9
SHA256 6f00969e209f70c997c1440b13be99dd2a17cda19c0d9a36a437d3edba061cbb
SHA512 36771851af2245c96b304139f3235e4df453c75a5031dbe2a7ac054a8207b46fd03cac8ddef1799418864bd04ca254f5ad6e2814b8b9ac5876b004d374cf7542

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EYSJKQKJ\IkhM45LsJ8\FVEWIZ.dll

MD5 1387b1b0e64d26e71f7feae51b049b0d
SHA1 da653da74e8a9da940864017659bd92c3c540532
SHA256 962396dddb441d5b43a19e038722091806f945a8cce79a082971f24656a829ff
SHA512 31f116a9d034651f5b1d89aa7dd7fae44184f0c63ac9e433316b07ca873fdb726ebab96939fbd2f57c34d70a7e5e48a1c5124d85ad2372fdb974b9c8ce0e595f

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 23:29

Reported

2024-01-30 23:32

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82db4107f6e131cd91a70e918dc4bfb2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\VO9Pe2\\MusNotificationUx.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3n0LOro\slui.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3392 wrote to memory of 4312 N/A N/A C:\Windows\system32\msinfo32.exe
PID 3392 wrote to memory of 4312 N/A N/A C:\Windows\system32\msinfo32.exe
PID 3392 wrote to memory of 1008 N/A N/A C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe
PID 3392 wrote to memory of 1008 N/A N/A C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe
PID 3392 wrote to memory of 4764 N/A N/A C:\Windows\system32\MusNotificationUx.exe
PID 3392 wrote to memory of 4764 N/A N/A C:\Windows\system32\MusNotificationUx.exe
PID 3392 wrote to memory of 1484 N/A N/A C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe
PID 3392 wrote to memory of 1484 N/A N/A C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe
PID 3392 wrote to memory of 4376 N/A N/A C:\Windows\system32\slui.exe
PID 3392 wrote to memory of 4376 N/A N/A C:\Windows\system32\slui.exe
PID 3392 wrote to memory of 3068 N/A N/A C:\Users\Admin\AppData\Local\3n0LOro\slui.exe
PID 3392 wrote to memory of 3068 N/A N/A C:\Users\Admin\AppData\Local\3n0LOro\slui.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82db4107f6e131cd91a70e918dc4bfb2.dll,#1

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe

C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe

C:\Windows\system32\slui.exe

C:\Windows\system32\slui.exe

C:\Users\Admin\AppData\Local\3n0LOro\slui.exe

C:\Users\Admin\AppData\Local\3n0LOro\slui.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp

Files

memory/636-1-0x0000000140000000-0x0000000140325000-memory.dmp

memory/636-0-0x000001227DCF0000-0x000001227DCF7000-memory.dmp

memory/3392-5-0x00007FF8C5A7A000-0x00007FF8C5A7B000-memory.dmp

memory/3392-4-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

memory/3392-8-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-9-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-11-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-10-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-12-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-14-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-13-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-16-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-15-0x0000000140000000-0x0000000140325000-memory.dmp

memory/636-7-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-17-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-18-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-19-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-20-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-21-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-22-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-23-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-24-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-25-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-26-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-27-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-28-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-29-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-31-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-33-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-34-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-36-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-35-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-32-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-30-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-38-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-37-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-39-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-40-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-41-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-42-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-44-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-43-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-45-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-46-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-48-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-47-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-49-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-52-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-51-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-50-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-53-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-54-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-55-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-58-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-60-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-62-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-61-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-59-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-57-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-56-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-63-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-65-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-64-0x0000000140000000-0x0000000140325000-memory.dmp

memory/3392-70-0x0000000000B40000-0x0000000000B47000-memory.dmp

memory/3392-78-0x00007FF8C5D20000-0x00007FF8C5D30000-memory.dmp

C:\Users\Admin\AppData\Local\ETb9oF\MFC42u.dll

MD5 aed8988e35f05063b928a88f8fcd708c
SHA1 b26042d06d73bc0430ce041ea3f913e1f396df3f
SHA256 047911a6ade8398496049caab8a5c2b1742d55f48968c11ddc545777af11f249
SHA512 2efbc38985950099a8b02e0a730937e12464d4c36fa3bea04916ffb909935d08215b2e3cd72b017b697ed9c6630b042fab3bfd2d40581d60479e7400901bf521

memory/1008-98-0x0000025E31D50000-0x0000025E31D57000-memory.dmp

C:\Users\Admin\AppData\Local\ETb9oF\MFC42u.dll

MD5 0328f872e56e03d431511b816bafdaa5
SHA1 7c909e864144d88156fc17c9b8786a2f16168bb7
SHA256 e2a0a81c3951f9453c4cecb6087a51926b07a2d6d41379934af124b1bcb3256e
SHA512 47394a42af1555a8edf82c18fc68a840e958bcb4b191ff5f57152044a0a065d68d3540df897a39b19b5b94429161e31b904281796c1a6e4e24b703a18a2044e7

C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe

MD5 a31dd2bf8868f96e8e4da799b3c5efed
SHA1 669ebd8fce571337106619a95455b20fceaeba04
SHA256 9a1241c18510db5a3378143ca2381e61344de975784e348b166180ef8daa5e80
SHA512 f8df5d64d4459bbb1ee62bad65fc8f5b6de280edb3e4c8251604b93b330572146148b1a8da02b3409ae61f9c2d7a5dfc4b4cfb9e0e718db5a0ca1c3be18243c3

C:\Users\Admin\AppData\Local\ETb9oF\msinfo32.exe

MD5 85ac749bb1b114cce683f3ec15f4e548
SHA1 d6157ec509d2d3fb138f5a4b4c39b4df5ae00c97
SHA256 f014450fa8d4ccbd171997988a40848f081292e1971f8a6bacf229dc59744c16
SHA512 50ae04abccc807a6f4d2bdf4014ac9631cba47d4d9ebbd61aba327e74d2827bf7c9fe096dfe32b910893bc256eb523e6daa22f47637cfa0bd663076d0cad5434

C:\Users\Admin\AppData\Local\LSxc\XmlLite.dll

MD5 51efdb3baf5676cc76272bfa7c27827f
SHA1 e8d6da2c8f0df8c03ef37812b5c0e8afcd10f900
SHA256 ab2dd218c7a94e951c87b066741171b21871882e8bc05f9b5f93fc0b151ab82c
SHA512 75d88cbe1c33346a3ba0a9119fe4468cb13a59d20db81022455fc54b038542a59df216c61f7872e767104aeb2081bc867c5873d1739cc94e613c29841840cf46

memory/1484-115-0x0000021EBDB90000-0x0000021EBDB97000-memory.dmp

C:\Users\Admin\AppData\Local\LSxc\XmlLite.dll

MD5 d1dcac7fbc53da70821f2e6cddd3aab7
SHA1 8618b0294bf6902075f91096ad9c3dc39ef9d1a7
SHA256 67a0688cf98d2691014fd1b807bc832deab5bd32e83429f02138f654e5fc7311
SHA512 843de3e08f004a3dfac90931400585f500cb3522fb6f8c39a17f384d6af4c2f8283084fa787c900ae58a536d1bf7c8b581ca4279123722649bd27a4e10191dd8

C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe

MD5 270a4f431525a7368784707bbe0b438a
SHA1 993c33261fb6f4957418cb058b11c204e5f7f83c
SHA256 4ae2a9c5280b042c2dd6cf75f58b389838600cffa4362e55f224e9ca35f413a3
SHA512 e3f35c1c40fc96e296ac0fe80abd7c260642727a05be921c1c7884ca6dbdf2f05008bfbe9ba71c31e1c63b64ef55ae43dd2d4b0b52fa051f5661fc253beaa485

C:\Users\Admin\AppData\Local\LSxc\MusNotificationUx.exe

MD5 a3f58d7cff2631a3bd997e11c93ff494
SHA1 1d574e7628728c95c2771a95f83cad8e33f08477
SHA256 7a5ea80a67ddc4c68cf99e206452fb6b894f7f11479cc56b24d4f912010d2b60
SHA512 8f574e2ade7a6178b2889b78f147a64722c7249de85e4ef1d8feb89a3b13d5ddbb6a9307edc8c293e519b6bb3e41be27bae784a26d336ee4fdfdd8d668a964d1

C:\Users\Admin\AppData\Local\3n0LOro\WTSAPI32.dll

MD5 aab395b3713100e89968143e6660d35d
SHA1 3401423701e8f003683cfda11376e224f17219e7
SHA256 2861ea6962e3d0e73a4aa6376d29a487aebeeb419e3bf9ddf6d7a9b6503ed4d6
SHA512 31fe9bf069e7192e62dcd1ee71c273c041b242f7735f45f3666fec88dd9b8adc850b750ba6f2614be7a93c4fff6d4a99c4363a5f96605221add0b1bf7ae0db5f

C:\Users\Admin\AppData\Local\3n0LOro\slui.exe

MD5 985e280b5f1a4e8c3d9a2488141f33da
SHA1 e487e8db6d6b4cdb265ee645cc3c115297d4a8bf
SHA256 bdb1ad1ce7a7b4d755c05bd9e8406a4b86bd7909e17e469f4dd05a2bb459654a
SHA512 1152466037a41791ed3555566fa1a0a95b8ac07df090bd47356bac8d9372e4ee689c129c436c7a3e0a2afb9924c261aae652e11f5bf86bc418f90173a8668b5c

memory/3068-132-0x000001D8E7A80000-0x000001D8E7A87000-memory.dmp

C:\Users\Admin\AppData\Local\3n0LOro\WTSAPI32.dll

MD5 e66e436895e57e36c87716f377be5c73
SHA1 80545353a7dcb288ccbbab4ae39b80206dcffe76
SHA256 62e3232323b8e0ce851e7c931c45eabdcc88b4b935ce8a05771bc817566cefa9
SHA512 6de6d76d9a9ed8125564c16e63470d6394250c047d3cdd99c97abe579eec53921ea74a470b2768233695aff7462fd6a85983358e25cf97ea76035b39465554e7

C:\Users\Admin\AppData\Local\3n0LOro\slui.exe

MD5 de50f3cd9d2e00d1f010963cf90471dc
SHA1 410e4f258916a40c146f7a341ae53cc624ae3b56
SHA256 ef072f41d0973cbeb251e721bb35fc6ffde04824f3e9bdbdda6901c057dfc294
SHA512 fd7d2ffd6c2a87b02e38ca1ce735f42cbecbbe9e6397a4a83ecf0626b145bcfdd3fb36823082ca259692db5c218f7d7f3bd3c8c9d2bd3f138c37cc152e3f33a2

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 0862b73d5c2ac2616453a66be3f9ce93
SHA1 c2c69b4107d61641c253027548a0b26fd1c39aa2
SHA256 d7b31e9d67250c2145e103acd9fac29faf3b2d5104395a60765faa31aedb1f07
SHA512 bb042ec82c4d63c067f5e113381d417249a7fd057e7e556f02237e85ec4a28703b96da4d807594a0584331e4fb634180e91378bdad4994cc5728c141847201eb

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\Jy5vuk5G\MFC42u.dll

MD5 43bf94dd5a162e83cf4acd8db1c915fd
SHA1 e9afd1847746851722ae05b030b96b8edebb10b3
SHA256 6550eca6923c644d6accfb896bb085522a7d9dbbf468695182b95beba3aa3d3f
SHA512 418370019f8f44dc475bbaebf33263bd5f73de417e656854e2a64e44c1738ab2e1b41f9966dca0f242bc47e7edeff02a5b6c96bac1eedf0abc205d7a24314088

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\VO9Pe2\XmlLite.dll

MD5 045b2896f94f4f10a4863f7e09aa9c09
SHA1 0cf695742d107d544c3c41e5c8debe11e9c96f47
SHA256 c71d16a5b71de29c5d2dff9df340044bc038329c44949e7aaa3ffd78ad4e4d77
SHA512 b0fb4850b59d2c35cc5785465673cae149cfb43de393e1d8f899fc5a3492fbd8cd4619bd6e244dd3839b36c4fe22ef47eadb76862a15ec690913fc0c9c9c6f7b

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\nb2H8mUe\WTSAPI32.dll

MD5 b845a2df799155ba80eafae496796b04
SHA1 62805690f4cd9a13711529d72cacd5d359db3cbc
SHA256 961497d529a1d85b61e0d0eb35a37c587d40e30875f8632f16fb921a58565e56
SHA512 4e139803559bdfa8f8fbf606b9dc43969580a09bd22777f759362bb540f7f68138b54395182f0d80932fa02b72fe049920847f4a09667861452b65ab20749c92