Malware Analysis Report

2024-11-13 16:41

Sample ID: 240130-fxwdxsaear
Target: 818f6364c18d61853f5e7875c46b41b7
SHA256: 354581ef623c4841ef267fae935ea55b0aa622c1de1aec7c31d3fbfe05005e00
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 354581ef623c4841ef267fae935ea55b0aa622c1de1aec7c31d3fbfe05005e00
Threat Level: Known bad

The file 818f6364c18d61853f5e7875c46b41b7 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported: 2024-01-30 05:15

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-30 05:15
Reported: 2024-01-30 05:18
Platform: win7-20231129-en
Max time kernel: 149s
Max time network: 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\818f6364c18d61853f5e7875c46b41b7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\EYSJKQKJ\\SbtN6Xl\\vmicsvc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 2524 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1348 wrote to memory of 2524 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1348 wrote to memory of 2524 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1348 wrote to memory of 2416 N/A N/A C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe
PID 1348 wrote to memory of 2416 N/A N/A C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe
PID 1348 wrote to memory of 2416 N/A N/A C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe
PID 1348 wrote to memory of 640 N/A N/A C:\Windows\system32\vmicsvc.exe
PID 1348 wrote to memory of 640 N/A N/A C:\Windows\system32\vmicsvc.exe
PID 1348 wrote to memory of 640 N/A N/A C:\Windows\system32\vmicsvc.exe
PID 1348 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe
PID 1348 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe
PID 1348 wrote to memory of 2720 N/A N/A C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe
PID 1348 wrote to memory of 1620 N/A N/A C:\Windows\system32\javaws.exe
PID 1348 wrote to memory of 1620 N/A N/A C:\Windows\system32\javaws.exe
PID 1348 wrote to memory of 1620 N/A N/A C:\Windows\system32\javaws.exe
PID 1348 wrote to memory of 1524 N/A N/A C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe
PID 1348 wrote to memory of 1524 N/A N/A C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe
PID 1348 wrote to memory of 1524 N/A N/A C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\818f6364c18d61853f5e7875c46b41b7.dll,#1

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe

C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe

C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe

C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe

C:\Windows\system32\vmicsvc.exe

C:\Windows\system32\vmicsvc.exe

C:\Windows\system32\javaws.exe

C:\Windows\system32\javaws.exe

C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe

C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\zEey2an\Secur32.dll

MD5 a4ff18c9c99cf7800ea520b8f80c2157
SHA1 eca83f3e80eb4d43bd524dc414b7b01f99501ac4
SHA256 39fa28f3860b4c25c2d024b0610005dc14ff9b14c983fb6f9f873b2cca2bbf5a
SHA512 4ccb1fe3889863eb2e251f7fb503beffe7cea148c745b1a1f3e9e7186ebb62722a9fde921d85d284df9b573c54990e230a621cf9ced0b4b2f03933d5a708cc98

\Users\Admin\AppData\Local\zEey2an\Secur32.dll

MD5 d3ff5172c1b1939c4c5b5f8afc9d5fa3
SHA1 9eff15e815a238d621aa3adcf7211f15a5536cda
SHA256 d0ef50d238627b66b7c47a51a3a673c5825a30c13f837de594cc64e5214507f5
SHA512 5d43856dadf30945cb46eb3c604123ab36aee547f2033c097c2a61bfa18083a16637d8002373dcb1727b58cef05e328d3f9b1f93aa646388d72a741038a711f9

C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe

MD5 a6f8d318f6041334889481b472000081
SHA1 b8cf08ec17b30c8811f2514246fcdff62731dd58
SHA256 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
SHA512 60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

C:\Users\Admin\AppData\Local\zEey2an\PresentationSettings.exe

MD5 32f2035674b7d17ff1b7a7fcd6ab20d1
SHA1 5744604e4edb72c0070edf89c58eadfdd44db347
SHA256 a81c646b892cc845e5d9e7ecd9546513df8b3edd406481892121f712bc689f12
SHA512 164addc49fdb1a9046931d176535e12dd6ba3e60f98e8b0a182690f41f16aeb0f426bc8e067ec60b5f95c3138bf2a8e2bb6522d3c1d3446f948378eda6fb26e1

C:\Users\Admin\AppData\Local\IDn\ACTIVEDS.dll

MD5 b70921fd96675c8628f7fa935ea4386e
SHA1 a6bec6a71137e5fb6b5164b2a16c43976e575520
SHA256 7e55b7699588257e3f4bc1d346f184c1257a643b113d2cf0b1447c8cc7730ec3
SHA512 80b57d911f1342fb730e614bdfc0dd9063c227209cbcf43a51881c194b5d8948409174559bc9c09e03fe569fdb03e54420c2d0154d1fe27c8c1854b3cae8bab8

\Users\Admin\AppData\Local\IDn\ACTIVEDS.dll

MD5 ec6f33dc086ada6f9a477f3988fa786b
SHA1 e0cd94a71f5b33c3342a532ce0e1ffcf576ed425
SHA256 7125df48c10669714a6ffc5da7a98cf31c000d0b41bd1b369f22ef9dd6fcccec
SHA512 ff25777a670b955fa14b24d4588956343e8a8dc3d22bfb2c00d0fddf6944e7870c36f9ad5b77ff5dc5ce3f007e23bc645c80b72d04f140f62e93820fa2d32800

C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe

MD5 ee32b0796020e4557c99e1f4cc5f67b4
SHA1 27d3058bfa19d7f367cb0ca4254d8fd32aefbf0f
SHA256 392073a784de91d6c687706287b5f679764ec87440248160fe6b6413efaec4f0
SHA512 624b14381fc919580744e74fe5c855c70033712d98f68f7b99fab9d1ca9e51698b947d19fe9bfb4e3d74766c9d0cc1b8f5cbbc2779d178fd3ce01b52b99077f4

\Users\Admin\AppData\Local\IDn\vmicsvc.exe

MD5 5756cda0f93bc8f707745aaec32a1826
SHA1 bb7b507fe43bfb68b3e6306f44f0fbe47f68e341
SHA256 6fcf27fdb4aedb24553b55fec8f949d73969ba130e3223c9ce9c20a0e7a0ba64
SHA512 03a107b60812e5cc731180dfe07b4d119a796fed96ee85a072ca7cb14d29798ac70391b8d75da9ccac238682006acf39a73cdfeaa8bba4f9c28fd0c12868b3eb

C:\Users\Admin\AppData\Local\IDn\vmicsvc.exe

MD5 69423b3d5c58c30fb49ccd2e58ce20eb
SHA1 bb990c90c87f67047888f74b3c86b5148450b79b
SHA256 6741607482ae7b057679b3f6eebd44ce9d06b72f78724c942c85a147abb88add
SHA512 38d775f7f9c67f88ab5fb9b85278e0f3e751e346567ad9ac9b71f443e1ae6843ec96f0f45896e1f2f30744fa40507c73b46c74a7cf8232b481dd5f5a91b410c3

\Users\Admin\AppData\Local\bJLGHX8B\VERSION.dll

MD5 85aef3c0287d44f28406684d5a7d1271
SHA1 eafa51c5d2a5d549b792ea45d1059ee012756844
SHA256 315f9a39ff4651346a50ef4e5f82a2cbc73e130271f023139f17f6e01485699d
SHA512 38f51181b559c3f73e9ce9959d6372668a663003f914bd73f6e0232be8912f83707efa9843d433877d5bb058ae4c7e2440efaf8c50c78151d3b9fa52cb52d4a2

C:\Users\Admin\AppData\Local\bJLGHX8B\VERSION.dll

MD5 d60d2dbd2f9c5d505d0e1049d9dacf14
SHA1 fed505730558f9e3d0d023dcd098cfec3a775dc8
SHA256 29c32072c11b2df0298332eff50cf141416a35d136cc0ab0a8598616f28def27
SHA512 b90e1ab9aad3a07a970c4a637ca306ac426f44cd63e6565d44810e1577f7b8b380439c018784216a6f4ea7a0e4f86c95d16f544eebc95857d3f0cd8184f27e01

C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe

MD5 463ba46e391828dbcdbb542438f8b909
SHA1 5dd685e9c2b2c64db447a8cd2066368695609752
SHA256 3e0aec56c449407530759b86c55a8ab9a73c87324909ed0d6a856f14dadc3393
SHA512 6c1e956d6dc24eec6cbad8d2c524b133111bc0c20a49cd47737985a81a8d87d91e6eba684d975bdca91cc2eb424bdfc4858643f174413967e1246cb977af2f24

\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe

MD5 b38b4485e202acdb263e8ad7aa0760a9
SHA1 17255abbcc2cc4486a0499ee24b88855f4017116
SHA256 dcc7ba71d7d0bbd1785713c3bfac7291c4eadf063067475af3cb60ce51fbfb98
SHA512 daf9f0a85f9601fefea1450181d9a380fbb8be07a3d3f29a1658e81c6fab48cc716089d30c5d09f4b155d045e64c1f3864e9f8a6100da48c68817bfe196014c5

C:\Users\Admin\AppData\Local\bJLGHX8B\javaws.exe

MD5 100835591a336be6a9d1728a71763821
SHA1 cc71d367fad4a351d2650e1ab0113b96857a7c03
SHA256 8870f5a0b2e4a4969874a17a36be07343373b7504fee306b43d967cd7da10414
SHA512 8a9e0da69bbcb15f76c4746dcfa339c89813114b5ef73e97521f3a915270b36ad7536458c3ffeea1efe5884504d6f3c72abc03b83d9d6c3189d3df376f2d1a6b

\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\cIDjCf7\javaws.exe

MD5 3934d42bd7446ac123a1bd9f615a7cf7
SHA1 1a22309b2e06d7ecb0a3c80f5d08e21a1b9d7cea
SHA256 7e928f5cd61a31f125f555c35a1953ce63e0acc91c45fc7f797c75b66837e071
SHA512 f7a460f5222f5f513c5976aa8cdd569bc5933ccd80e6b6cfce715cd3bdab63dfc085d4bb1034ffce88f0a9474245ffdf68b7bfec54164fa1e7182663048cad71

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk

MD5 e56c8071a970ce5cb6be1efe5e0b77ef
SHA1 06f0b93948447350a98539439c8eacfe868f783f
SHA256 d329794f7cfd365772458b9e30e4d662d3008de03ace29fc1be5759dd7fe7c1f
SHA512 823b62d8384f8401077897c785436793a6bd9ca1d064ff07772fe979ef6bc7904bd10cfc901322c4774ed2ec0cc58748de02469eb76c95eb7c2f37765b031533

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\Collab\yNpVN\Secur32.dll

MD5 6848563d823a5d6fb37067326d1bd7a3
SHA1 5edefd7ddc485cef1deec8851dbb43603831c95f
SHA256 222363cc04296e2e981ff247c9b55feb7df51a9dbcbb34df2cdd6026faf9ed9b
SHA512 7734e25d6982a69e713d0acc6522f5e9425060ad3ab27323067ed38b23289a5d45c09cb33d9e8aabe762f9de11ed8d8f97bae907bb9fda406666db74810c8afd

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EYSJKQKJ\SbtN6Xl\ACTIVEDS.dll

MD5 49fdd74456889c3ddda8b496524f3d46
SHA1 b64c2f75b263514bfe6797506baa435430cb2d27
SHA256 afa34d321e8a4126054f126d9ed439f929d3a290fe4a2c4c51f78710ace8eaa9
SHA512 a53afa28240b77f2f78bd5c71c3cbe37acf4539b7265d65dad36e641de9b69fda27c1729a6f2ff7800b10591f51e21d2d0a62e25a370822350a970bc5f3613e8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\cIDjCf7\VERSION.dll

MD5 27c326f08a78c8f97f48b1cab0e02cdd
SHA1 78558f3b9d5b34bcd42710604f1e7feb42525af3
SHA256 638208e5954cce59030067c9b922ab85fda5a39438d720f91a7c3e9f1e621cef
SHA512 69767378114edc427f686ca90c6a1dc1851f43dcffe67f9228fa49ac0621fc366e610f2a0f4b65b0764c468dd95fbbd53600322ec9c3f00f0defa94725828cc4

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-30 05:15
Reported: 2024-01-30 05:18
Platform: win10v2004-20231215-en
Max time kernel: 131s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\818f6364c18d61853f5e7875c46b41b7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\8nbxRuK\\qCrs054\\wlrmdr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\x85\wlrmdr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\swX7\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 3140 N/A N/A C:\Windows\system32\rdpinput.exe
PID 3492 wrote to memory of 3140 N/A N/A C:\Windows\system32\rdpinput.exe
PID 3492 wrote to memory of 972 N/A N/A C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe
PID 3492 wrote to memory of 972 N/A N/A C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe
PID 3492 wrote to memory of 2432 N/A N/A C:\Windows\system32\wlrmdr.exe
PID 3492 wrote to memory of 2432 N/A N/A C:\Windows\system32\wlrmdr.exe
PID 3492 wrote to memory of 3652 N/A N/A C:\Users\Admin\AppData\Local\x85\wlrmdr.exe
PID 3492 wrote to memory of 3652 N/A N/A C:\Users\Admin\AppData\Local\x85\wlrmdr.exe
PID 3492 wrote to memory of 3980 N/A N/A C:\Windows\system32\sethc.exe
PID 3492 wrote to memory of 3980 N/A N/A C:\Windows\system32\sethc.exe
PID 3492 wrote to memory of 4692 N/A N/A C:\Users\Admin\AppData\Local\swX7\sethc.exe
PID 3492 wrote to memory of 4692 N/A N/A C:\Users\Admin\AppData\Local\swX7\sethc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\818f6364c18d61853f5e7875c46b41b7.dll,#1

C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe

C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe

C:\Windows\system32\wlrmdr.exe

C:\Windows\system32\wlrmdr.exe

C:\Windows\system32\rdpinput.exe

C:\Windows\system32\rdpinput.exe

C:\Users\Admin\AppData\Local\x85\wlrmdr.exe

C:\Users\Admin\AppData\Local\x85\wlrmdr.exe

C:\Windows\system32\sethc.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\swX7\sethc.exe

C:\Users\Admin\AppData\Local\swX7\sethc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe

MD5 98db82126c29023e05ec1bb6c3351ce1
SHA1 3cd19753b1bfc047c7fcf3bdd83d1d6ff5f5bea5
SHA256 1baab8693d6fbbc472085ba171736c459d4ad66e923d5e1b48f939331c7a6d10
SHA512 3fd10735098f66a4fb7f30e23a35c4ba202ce396026cdb8b8659559b6c0a926f9141a2e09cc3365240b08451141f48043f8bf07e62235e6c8f32ea884da6f6f9

C:\Users\Admin\AppData\Local\XSLR4F7mS\WINSTA.dll

MD5 57bb8b24d89cc7e9266107503113cd3d
SHA1 39126cff71e10501cadac8c50453324c1ca31a73
SHA256 694d883da6561b9ab8cd2b22262062ead9c06e35e7e20fbd8f4266cb05fe676c
SHA512 b17158a64a84ba826445d2bfc85445ba3754eccdcf7a174988df55cf93414d869de0aa065a21bd6c8b99f85cce0e19eda1e11b1990f77548d446f650764a784a

C:\Users\Admin\AppData\Local\XSLR4F7mS\WINSTA.dll

MD5 f31e1ea3f455c9cf77ff62594370396f
SHA1 53596b8971fdd53080b3d6e8cfce87b6834ada57
SHA256 1946cd25b41870560867b984fa88e61aa81b2e9c55fb5cd9d904e78d31ac739d
SHA512 7641921136dfb34b6b395038f8a4320ea288e3a0496538e96d9a421d40a71f9b21e11df7c04b99288f80b317ef55a2b66f5c9a513da920c4a2c5bcc7f3e104fa

C:\Users\Admin\AppData\Local\XSLR4F7mS\rdpinput.exe

MD5 bd99eeca92869f9a3084d689f335c734
SHA1 a2839f6038ea50a4456cd5c2a3ea003e7b77688c
SHA256 39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143
SHA512 355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e

C:\Users\Admin\AppData\Local\x85\DUI70.dll

MD5 a5c31dee2a20ed09c68956f3d989067e
SHA1 9303e302dcf793ae5f49e967445d222225a40628
SHA256 5306b7bd81386fe03f0f6771533a57e5ee59676e59c8e90893c45d562df1eb1d
SHA512 56b589bc7a62d30a56989c0c9487e109cc7087e469b1fcfed04556e6575089ac00432104ad45a98bf1041a04d42aeebd34ab32ffc48920dc7dd106d608e77ced

C:\Users\Admin\AppData\Local\x85\DUI70.dll

MD5 019247d3a01d27e400006bf4014c4a6c
SHA1 f9f889fda9beb81c5574e948021de16187efb423
SHA256 14b540a4a62283e0c084852fe2e614c84fa63c7a0b457196bd93fc92da88d602
SHA512 7984a14973bb462acf8537585a84cc60179edc6a5e4dcbb6af71f9410b27543dae2c6e258930dab23d69b0a3ef08b874e3b7aab659ad88b041b3e61fcc5d49eb

C:\Users\Admin\AppData\Local\x85\wlrmdr.exe

MD5 ef9bba7a637a11b224a90bf90a8943ac
SHA1 4747ec6efd2d41e049159249c2d888189bb33d1d
SHA256 2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1
SHA512 4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

C:\Users\Admin\AppData\Local\swX7\OLEACC.dll

MD5 03ca70b4315eba71c70020823ed8fa49
SHA1 9fd3a4692c0951239e3743184207e2b326368f90
SHA256 5437745dd8bd5a1e06eb644fe1bebd5d7d5f9d2d6dea6d2e850817d91d104518
SHA512 f6b4144eed2dc97be9b5bdb1d5a7bea4464d490e5cf329395e387149a11a83eedbd05c7d6ad3b049cfcd9bbf7e28f03ea2e12ee478fa46db01366319e912b190

C:\Users\Admin\AppData\Local\swX7\OLEACC.dll

MD5 71e1d5254bf334ee4527ef6cad795dec
SHA1 4c0ea7d705abf262e4e3e27b76feb41b83b7e28d
SHA256 b4c782e10187bde171527a1228679acc9c49be4b122c810e70b9afc4ee5c8f93
SHA512 e8e2e7fd0aa2987b33a3df65f2a87904a909f18ec8160b99be2d45876fc43b9bdb1f03728d349450c822e7393e76178d3602e00733ba32e576e5cc0f016759e8

C:\Users\Admin\AppData\Local\swX7\sethc.exe

MD5 9a188a8b9116b1a59f437328821716d4
SHA1 c4940ffe21ec20155c66a4a6ae42b7bf48933486
SHA256 1642cfac46db4da96d73a1f94af537bd22458e441f0e5dd7a8834f465488c96d
SHA512 a7f92717716e2e76c0a004964063a59f5cd829920c44b7c5fc64419b4c1bb0d4c33ae9ddf5a9dd72db5ba27c6f7ab25ee0857ff617c1899aaede310370165684

C:\Users\Admin\AppData\Local\swX7\sethc.exe

MD5 2adf4668a6b0cf1eca412b90f9a3aeb9
SHA1 8b993639c8629672f8efe1fd063b02e6dce4eefd
SHA256 1ec0517370cc05c441fb90423d26280b5ab2951b40388d3187cdec3f968c0590
SHA512 2861928dab32130cf1408e3cb0a601bdd1f666c096bd9e2270dce176be32921342adf6a1d8d35f3cb57b52ec3be72bf701e8ebd884e421bc3be3c58179e7d895

C:\Users\Admin\AppData\Local\x85\wlrmdr.exe

MD5 d7f43233c53ad1dc2a51e13a05f2afd7
SHA1 f2178d40939e7526a3cf1744afb2f436f6940e2a
SHA256 cbdc9b0468082c8d87184fc0489771ac32d02cc6ce69bbcdc7eb022e7ab66fb3
SHA512 7a79ecb474985b0d590939080b6a302d4aba9809c28e98aea8a54fdb4c1c808232672ad8e44bd896146d0753fd9445059cf585aaa00ab73dd9ca6c04252e39ab

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 c34f3b22688936ce3efd547744de53e1
SHA1 e13613447cece208c13d49d8ff6c46d5f45bc6e6
SHA256 41c1560c983eff74da4fb86d54e9e3f6e3c362bb9c15c4c7883ffb8dfab05db7
SHA512 914bb6ba14c3cb6b251bf5187aa33b1f20048755a5e193c8e7152e1cf08f76d3c4a33242ef85ad44da1c477e011c5b60ab1de3050123c033532a90c48bb0628a

C:\Users\Admin\AppData\Roaming\Microsoft\8nbxRuK\WINSTA.dll

MD5 2cf421d2c3d3a370a1401b89393b6ea7
SHA1 4325ff38ef271661a9cee55d4272c815bfe6ab3d
SHA256 7cb24762facf1071281d189d05efaefe6c08ef46caea218a188bc1a6cee1fd45
SHA512 a006ce3b0e8e725e43c8237e1505c24f64acf584d81ccc847b4704278debd23670ff5c4828b5d6a98f4288ecdcef5e8dafafe469a5445d84e57984a75e5ae3c3

C:\Users\Admin\AppData\Roaming\Microsoft\8nbxRuK\qCrs054\DUI70.dll

MD5 7f14c5294024b823314f71296a351800
SHA1 7781568f4cf91c2471314a42f4d8b98967a425ff
SHA256 2e74be119835cbd098c2009ebe51bc30bc0bdb3c72f186c8f13b110055f7bc4a
SHA512 ccb23e533e1f8a0dc954a3bcd9530cb94ef6a476718ab510ab19bfb837943fbe3f67ae71ac3f4a43be1a798e51ad03e50b2abbd5b28f37baddc29c278d55366c

C:\Users\Admin\AppData\Roaming\Microsoft\Word\Sfw\OLEACC.dll

MD5 33cf460b026cf971050fdbf216bbb959
SHA1 f7b384fd0897affc96b93bd86da41bb507c16ad1
SHA256 a78c37a86f012e0c56096575622afa201f12c39a6d3d72c60d1589f3bef550e6
SHA512 b2677f6403d42525e284ac17dcdc705612d6107df0b9bfb61ced506cf8f74b3a06482e7a11d6b5c2c976b70a525174dbd662a85ae1372b25a1f84cff639d787a