Malware Analysis Report

2024-11-13 16:41

Sample ID 240131-pbp5fsbgb2
Target 8460ca6c008df062af50bb935cad86e0
SHA256 b656eba38e60d3e5cf61d0f7ee76348ec9053509d5c3fe2c3256eee34993cccd
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

b656eba38e60d3e5cf61d0f7ee76348ec9053509d5c3fe2c3256eee34993cccd

Threat Level: Known bad

The file 8460ca6c008df062af50bb935cad86e0 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-31 12:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 12:09

Reported

2024-01-31 12:12

Platform

win7-20231215-en

Max time kernel

149s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8460ca6c008df062af50bb935cad86e0.dll,#1

The sample is a DLL, so the sandbox runs it through the signed Microsoft host rundll32.exe and calls its export by ordinal (#1) rather than by name; every behaviour attributed to rundll32.exe below is the sample's code running inside that host.

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\00G\wisptis.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe N/A
(four further rows carry no description, indicator, process or target)

Each of these three processes is a copy of a Windows binary placed in a freshly created directory under AppData\Local, and the Files section below lists a dropped library beside each copy (HID.DLL next to wisptis.exe, SYSDM.CPL next to the two SystemProperties*.exe copies). A library carrying a system DLL's name in the same directory as its host is the layout of a DLL search-order hijack: for names not pinned by KnownDLLs the loader searches the application's own directory before system32, which is why the sandbox sees the copy load the dropped library rather than the genuine one.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\0IDhvPYU\\SYSTEM~1.EXE" N/A N/A

The value is written with 8.3 short names. Expanded, it points at C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SystemPropertiesComputerName.exe, the only file in that directory in the Files section below whose name shortens to SYSTEM~1.EXE; SYSDM.CPL is dropped beside it, so the Run entry starts another instance of the same side-load pairing. A detection that compares the Run value against long paths will miss this; resolve short names before matching. The process that wrote the value is not recorded.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\00G\wisptis.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe N/A

These are reads of EnableLUA (is UAC on?) by the rundll32 host and by each of the three relocated copies; no write to the value is recorded, so this is a check of the environment, not a UAC bypass.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows carry no description, indicator, process or target)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1140 wrote to memory of 2912 (3 writes) N/A N/A C:\Windows\system32\wisptis.exe
PID 1140 wrote to memory of 2892 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\00G\wisptis.exe
PID 1140 wrote to memory of 1004 (3 writes) N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1140 wrote to memory of 320 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe
PID 1140 wrote to memory of 2796 (3 writes) N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 1140 wrote to memory of 2800 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe

All writes come from PID 1140. The report does not print PIDs beside process names, but 1140 is none of the six targets and its dumps below map the same 0x140000000-0x1402A8000 image as PID 2432, so it is a process running the sample's code. In the order listed, each hijacked binary is written to twice over: first the genuine system32 process, then the copy started from the AppData directory that also holds the dropped library. The copies' own dumps (2892, 320, 2800) each consist of a single 0x7000-byte region; the page records nothing further about what was written.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8460ca6c008df062af50bb935cad86e0.dll,#1

C:\Windows\system32\wisptis.exe
    command line: C:\Windows\system32\wisptis.exe

C:\Users\Admin\AppData\Local\00G\wisptis.exe
    command line: C:\Users\Admin\AppData\Local\00G\wisptis.exe

C:\Windows\system32\SystemPropertiesComputerName.exe
    command line: C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe
    command line: C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesProtection.exe
    command line: C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe
    command line: C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe

Network

N/A (no network activity was recorded during the 121 s network window of this Windows 7 run)

Files

Several paths below are listed twice with different hashes, once without and once with the drive letter (HID.DLL and wisptis.exe under 00G, SYSDM.CPL under SEIo and rnik5, SystemPropertiesProtection.exe under rnik5). The report does not say which entry is the final on-disk content, so treat every hash as an indicator of this run only; for hunting, the path pattern (a relocated system binary beside a dropped library in a short random directory under AppData) is the stable signal, since the page itself shows the content of one file changing within a single run.

memory/2432-0-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/2432-1-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1140-4-0x00000000775C6000-0x00000000775C7000-memory.dmp

memory/1140-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2432-8-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-12-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-17-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-19-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-23-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-27-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-29-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-32-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-37-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-40-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-43-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-42-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-47-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-51-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-55-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-59-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-62-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-63-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-64-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-65-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-61-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-68-0x0000000002590000-0x0000000002597000-memory.dmp

memory/1140-60-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-58-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-57-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-76-0x00000000776D1000-0x00000000776D2000-memory.dmp

memory/1140-77-0x0000000077830000-0x0000000077832000-memory.dmp

memory/1140-56-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-54-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-53-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-52-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-50-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-49-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-48-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-46-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-45-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-44-0x0000000140000000-0x00000001402A8000-memory.dmp

\Users\Admin\AppData\Local\00G\HID.DLL

MD5 0a306a5bcedc17525347bd2a170d4f37
SHA1 647af58acab81025b36285d1f40f8df24f8ece40
SHA256 36d9c4371e952086d3872ce5817cb92e06a9bd5e5a2b75575c0da84f9d16ccc8
SHA512 f259063384c8af2d3c76f42428208356c4fae21867619e2add82f3154825f2557afee5f27d52daf70058f6c8a0c05c1140fe7ff2899700b3f4a25972057f4526

C:\Users\Admin\AppData\Local\00G\HID.DLL

MD5 1d1082f9e179e26536acd46f78daf515
SHA1 2d794d1781716c7f2a0f0d74ec22233fc3d21454
SHA256 2ad22fe2deca594a536fe4a10779123b7d237345aeddb8ccf707548e9320ae2a
SHA512 2f8f603381de007d1b3afdb33c09065d6e202534e65f49e6f7866c4baf6aa700adee89a9861dee6e207032c0afbe00cbcab4f97718488a568ef2a48eafb78a14

C:\Users\Admin\AppData\Local\00G\wisptis.exe

MD5 a4a7499a782ed6585f6b8d88ef42f93a
SHA1 ed874b807a1567fdd84c8439a81f1df8498fa457
SHA256 a7761b3944193dfcbf9a27e4225087ff189ac6e2819fa701ce3dc0e279224b77
SHA512 c39444fa58e3fac433e5e1aea708a7ea44ff7488e9a2aff921a7734e32b711877ff6df414fecf26dc5abaa0cf83feaafed5c5bc7151dc09f8831454d6094fa66

memory/2892-105-0x0000000000390000-0x0000000000397000-memory.dmp

\Users\Admin\AppData\Local\00G\wisptis.exe

MD5 d6fe05dda45418b5b681df7792b3d3ca
SHA1 4af7831b5b645bf823acfa8c2cfe77f7062c9d2a
SHA256 132de2b1e63cdae8a88e129fb3c6cd25f2dbb51ec7330980241fa501c10ba9be
SHA512 0ba8f2d0cfb737e2a2b40ec9b9f4bb0ef5c974e161e527001300b021d9d9c6dc1f4e318530066c0d086390c09fb3d5a8b625a8b19b1ab897c93de63fdee81c21

memory/1140-41-0x0000000140000000-0x00000001402A8000-memory.dmp

C:\Users\Admin\AppData\Local\00G\wisptis.exe

MD5 4f659d88e39bc08110095506488088d4
SHA1 5d2637ad1d2dde6eb374db3299cc3128600eba82
SHA256 ed2e0b51d4ab8a0de43b7fd2a8bca70fc739ad0bbadfb721493012d5b8ae0080
SHA512 73a091ce1ac346148962f0ab6abfe8963b2421ee6e48ae4fada4133427d12d9f0860ef9c71b1fd2403c456fac74fbc433d21b53d579608e52ca17f077de7c266

memory/1140-39-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-38-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-36-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-35-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-34-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-33-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-31-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-30-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-28-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-26-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-25-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-24-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-22-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-21-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-20-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-18-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-16-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-15-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-14-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-13-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-11-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-10-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-9-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1140-7-0x0000000140000000-0x00000001402A8000-memory.dmp

\Users\Admin\AppData\Local\SEIo\SYSDM.CPL

MD5 4afa442a4eacae826d79d85a2a103eda
SHA1 df8ce952520743e13624d1759e3ca99522dabe0a
SHA256 d1d3395d55ca00943b75c913589697c7a1f4fd4cadcbe2664c10c9d1eaa9ea25
SHA512 c933a6142866a34d9706ca1947af5a598cbf99af1c58d3ef68cdcf79a45df885d547b9cd31e8284e16cc3cb3aaff17b2a5a13a2df343da2f9b92a044273c8d8c

memory/320-125-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\SEIo\SYSDM.CPL

MD5 970258414dc9dd3543aee1aba6d6ebbd
SHA1 d4cdef0bd8d5b41485dbdeb61248fb3d80959c22
SHA256 5e3dda87c45a978c961a489b5b6932864dbba50afe717676f2d1ed2c1133c00c
SHA512 29fa03815342f399d7c6b42fb3caac04870d52bbb67f15ac377355c1f9775aff5b70b328f3fa477dcce95ce6492df04ce8565b02b94f0a2a912ec7626c61e488

C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe

MD5 bd889683916aa93e84e1a75802918acf
SHA1 5ee66571359178613a4256a7470c2c3e6dd93cfa
SHA256 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
SHA512 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SystemPropertiesComputerName.exe

MD5 4805483cbda964b5055efb4537c1fd83
SHA1 1e022ef80d4c09ccf971a5968464942e5ad61783
SHA256 6fb20773446a91f1a767372edd428fdf6df1ee04be6fc81aa90b093bfa0e86a2
SHA512 ee03ece32fa0f26a2fbb010655ae46bda04087d65dfb853c1eb40912796ef746e1e029aaf0e851d1373883e0166e605ccfe10cec232b4c4fdcd9bd90facc79f3

\Users\Admin\AppData\Local\rnik5\SYSDM.CPL

MD5 22d243a413e70a0fbd0bd4fd2d065dbd
SHA1 f1ef6a70f503cfc3415b1b241517727388ffb5f9
SHA256 115fa91ef2a73a845900503da4ee5a7b6dd90b0bacfe66d8d34e85c6645a1910
SHA512 ead88e96f838b128b1d18b9594fe96a857ba9bdfd640855ca3f956e183b72edae2e5e7782dbe35bdec913b469864ecc31d323254716c94ee5275905d8bdffc58

memory/2800-143-0x0000000000290000-0x0000000000297000-memory.dmp

C:\Users\Admin\AppData\Local\rnik5\SYSDM.CPL

MD5 fd811adff43f700f6c62ed939c72ed15
SHA1 8180b5e3bbdd98e7ce32d4bbeff3fb1f415841fa
SHA256 5bf649678686fe161f8159db7758309f1b9085e3d52304457b205cdee7ec0aba
SHA512 a2cdd64e32f70014e408810248544fba0273d2d769e859e9ae13c29c664d12135b7037debbd0a765448dbf28d3f69d45ec8c15d834447a4ec572e3c919c2ac3e

C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe

MD5 05138d8f952d3fff1362f7c50158bc38
SHA1 780bc59fcddf06a7494d09771b8340acffdcc720
SHA256 753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd
SHA512 27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe

MD5 2759d5e8fb493711b86225cd139aaeaf
SHA1 6fd55f11b6b2520e240c99e7ba4c5b7ef855b36f
SHA256 cab43db2ab832822925b527ebd49e7e82111c677255d5df1e453494314725a23
SHA512 7861868eef60ebc026d1c7cf8025ea0b7b8572211aac78df8bd7baf3740d43ee20a51dcce28589851e629e8da107573b8b73b418e7b52d9326f00756bfaf1adc

memory/1140-161-0x00000000775C6000-0x00000000775C7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 bdbc3979dc1de247aa85858567f0f97f
SHA1 b9c578eb9239f1543cd61c87b0a1af0b3c795525
SHA256 e084fa9c1082bc1aea625a7f5e44d869ccff3e385d18b52fdf4ddcbab897dcf8
SHA512 971d5fdf442cdfe5f8bcd4e09285d6af9ba4f5790cc37c88a74bf6a14a0b1cf20a24e30ee065e8ce058ee630b664f4b300e9b0ea2b1a43dda610627733ba3705

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\jenIBBC2Gy\HID.DLL

MD5 7db8b11e35aa3bd8ed0fd87bd63ab6da
SHA1 3b47ff073d8a33685e6a6a073636c7ff85e899a2
SHA256 42e3352a84cf2b3ce9890dd3aafd6419e9e74e4c9d30ffa56c6d066b0a333781
SHA512 bc10d28de92ba904b5e4cded3e6f889df108a6095ac521f82741bd75c96f31ec682f1ba5e7e6e65ed17199216e447115d0bee11544c412f2e68f09661c5c38e2

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SYSDM.CPL

MD5 013d892b2972e197f166a8691af49d79
SHA1 c8174ce30cb793308893bfc099271dfdc95b730d
SHA256 28b52aee18388bacf4280054cca4d83d51f3fbd686f30394286932572c02909c
SHA512 97cf0b4db6cd31321c463de8bae9ca69f20c351f1d7224c2fd0d7c36870bb816a758501009b31b61cba99d7500cfac87b7dcf3f05be20668ab115a116343dac3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\uC\SYSDM.CPL

MD5 1b1be9c45a0ba03c80b2a26c57a3c410
SHA1 cf5695f5b59bfd887c99b59c770b3788f90abcf2
SHA256 8b11107701bb271586109bf2d62f076208adb6a21e6ce2846bec1b2223fcb542
SHA512 a383d51f25456d672e6bbfc1211a3405e292ab12a85e2699573714981ac8f2e56b1cfab1fa0e1b632cb4c634b5bc177be1d2b644a591ce596bcbc37b6b7b7baa
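
Two correlations a practitioner wants from the behavioral1 Files and Run-key entries are easy to get wrong by hand: which dropped EXE sits beside which dropped library (the side-load layout), and which dropped file the 8.3 short-name Run value actually points at. The following Python is an added example, not part of the sandbox report; its input list is constructed from the paths above (hashes omitted), and its short-name matching is an approximation of the 8.3 generation rule (first six characters of the stem, spaces and dots removed, plus ~N), so a hit is a candidate to confirm on the host, not proof.

```python
"""Correlate the dropped-file indicators of a sandbox run.

Added example, not part of the sandbox report. Two checks on the Files and
Run-key entries above:
  1. which dropped EXE sits beside which dropped DLL/CPL (the side-load layout);
  2. which dropped file an 8.3 short-name Run-key value points at.
"""
import re
from pathlib import PureWindowsPath

# Constructed from the behavioral1 entries above: paths only, hashes omitted.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\00G\HID.DLL",
    r"C:\Users\Admin\AppData\Local\00G\wisptis.exe",
    r"C:\Users\Admin\AppData\Local\SEIo\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\rnik5\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\jenIBBC2Gy\HID.DLL",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\uC\SYSDM.CPL",
]
RUN_VALUE = r"C:\Users\Admin\AppData\Roaming\Adobe\FLASHP~1\NATIVE~1\0IDhvPYU\SYSTEM~1.EXE"

LOADABLE = {".dll", ".cpl"}
SHORT_RE = re.compile(r"^([^~]{1,6})~\d+(\.[^.]{0,3})?$")   # NAME~N[.EXT]


def sideload_pairs(paths):
    """Group paths by directory and return (directory, exe, [libraries]) for
    every EXE that has a DLL/CPL dropped beside it."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), (str(wp.parent), []))[1].append(wp.name)
    pairs = []
    for _, (directory, names) in sorted(by_dir.items()):
        exes = [n for n in names if n.lower().endswith(".exe")]
        libs = sorted(n for n in names if PureWindowsPath(n).suffix.lower() in LOADABLE)
        pairs.extend((directory, exe, libs) for exe in exes if libs)
    return pairs


def short_form(long_name):
    """Approximate the 8.3 base/extension Windows derives from a long name:
    spaces and embedded dots dropped, upper-cased, six characters of stem and
    three of extension. Real generation can switch to a hashed form after
    several collisions, so the result is a candidate, not a certainty."""
    stem, dot, ext = long_name.rpartition(".")
    if not dot:
        stem, ext = long_name, ""
    return re.sub(r"[ .]", "", stem).upper()[:6], ext.upper()[:3]


def component_matches(short_comp, long_comp):
    """True if long_comp can be the long form of short_comp (or they are equal)."""
    if short_comp.lower() == long_comp.lower():
        return True
    m = SHORT_RE.match(short_comp)
    if not m:
        return False
    base, ext = short_form(long_comp)
    return base == m.group(1).upper() and ext == (m.group(2) or ".")[1:].upper()


def resolve_short_path(short_path, candidates):
    """Candidates whose every component is compatible with the short path."""
    s = PureWindowsPath(short_path).parts
    return [c for c in candidates
            if len(PureWindowsPath(c).parts) == len(s)
            and all(component_matches(a, b) for a, b in zip(s, PureWindowsPath(c).parts))]


if __name__ == "__main__":
    for directory, exe, libs in sideload_pairs(DROPPED):
        print(f"{directory}: {exe} beside {', '.join(libs)}")
    print("Run key resolves to:", resolve_short_path(RUN_VALUE, DROPPED))
```

Run against the list above it reports four pairings (00G, rnik5, SEIo and the Adobe\Flash Player\NativeCache directory) and resolves the Run value to the single SystemPropertiesComputerName.exe copy under Roaming, rejecting the SYSDM.CPL in the same directory and the 10-component SendTo path whose "Microsoft" component has no short form. The two Roaming directories holding only a library (IECompatUACache\Low\jenIBBC2Gy, SendTo\uC) come out unpaired, which is itself worth noting: the host binaries for those locations do not appear in the recorded file events.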

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 12:09

Reported

2024-01-31 12:12

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8460ca6c008df062af50bb935cad86e0.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\HliaK1KxLc\\DWWIN.EXE" N/A N/A

On this Windows 10 run the value is written in long form. The Files section below lists VERSION.dll in the same Recent\HliaK1KxLc directory (the same pairing as hxE\DWWIN.EXE with hxE\VERSION.dll) but not the DWWIN.EXE copy the value names, so the persisted host binary itself is absent from the recorded file events. The process that wrote the value is not recorded.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows carry no description, indicator, process or target)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3344 wrote to memory of 3036 (2 writes) N/A N/A C:\Windows\system32\rdpshell.exe
PID 3344 wrote to memory of 3852 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe
PID 3344 wrote to memory of 3584 (2 writes) N/A N/A C:\Windows\system32\DWWIN.EXE
PID 3344 wrote to memory of 3728 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE
PID 3344 wrote to memory of 2316 (2 writes) N/A N/A C:\Windows\system32\rdpinit.exe
PID 3344 wrote to memory of 1776 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe

Same pattern as on Windows 7 with a different set of host binaries: every write comes from PID 3344, which the dumps below show mapping the 0x140000000-0x1402A8000 image, and each binary is written to first as the genuine system32 process and then as the AppData copy. Unlike the Windows 7 copies, the Windows 10 copies (3852, 3728, 1776) end up mapping an image of almost the same size at 0x140000000 themselves (0x2AA000 or 0x2A9000 bytes).

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8460ca6c008df062af50bb935cad86e0.dll,#1

C:\Windows\system32\rdpshell.exe
    command line: C:\Windows\system32\rdpshell.exe

C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe
    command line: C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe

C:\Windows\system32\DWWIN.EXE
    command line: C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE
    command line: C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE

C:\Windows\system32\rdpinit.exe
    command line: C:\Windows\system32\rdpinit.exe

C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe
    command line: C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 - tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 32.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

No process is attributed to any of these rows. The single TCP connection (20.231.121.79:80) and the batch of reverse-DNS (PTR) lookups sent to 8.8.8.8 appear only on this Windows 10 run; the Windows 7 run above recorded no network activity at all, and nothing on the page ties this traffic to the sample rather than to the operating system. Treat the address as a lead to pivot on, not as a C2 indicator confirmed by this report alone.

Files

memory/3252-0-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3252-1-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3252-3-0x000001B6FDC50000-0x000001B6FDC57000-memory.dmp

memory/3344-5-0x0000000000B60000-0x0000000000B61000-memory.dmp

memory/3252-9-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-7-0x00007FFACB12A000-0x00007FFACB12B000-memory.dmp

memory/3344-8-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-10-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-12-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-11-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-13-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-14-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-15-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-16-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-17-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-18-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-19-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-20-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-21-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-22-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-23-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-24-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-26-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-25-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-27-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-28-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-29-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-30-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-31-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-32-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-33-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-35-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-34-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-37-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-39-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-38-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-36-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-40-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-43-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-42-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-44-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-46-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-47-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-45-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-41-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-48-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-49-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-50-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-51-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-53-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-54-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-56-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-55-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-52-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-57-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-58-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-59-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-61-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-60-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-62-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-66-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-64-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-65-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-63-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3344-69-0x0000000000B20000-0x0000000000B27000-memory.dmp

memory/3344-77-0x00007FFACBE60000-0x00007FFACBE70000-memory.dmp

C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe

MD5 cb37a40b2ac07e3dd2a8aa26824b9bcb
SHA1 ec98fb90ca897bc7f02e772c38545673da3af525
SHA256 8da28b2e62e464ff697b8063ffcce3222a15536de99de2f30b48ff10fea2916d
SHA512 68567d1e7f891894a646bc9ec1f091e27a15c3b7d063711cea22a3e9c7064b0b5b77ecdbb3f7ce9ff4dc37f9ed297928df527edd4299af3223ad80199e8bfe35

C:\Users\Admin\AppData\Local\8WDc\WINSTA.dll

MD5 0db629ff51f6b29a540419f15d0463ef
SHA1 cda2e6c24856293b9e3d282115004cde0ceb39c3
SHA256 ef139179e68155572a71976b580eac530c5bf3fd1bec18e3f2613b8cda7ce07a
SHA512 571aeb83df72958d78a58b6d1f27bdb78ec1eb04cd200f837967ab78e6a2482909fcaaf9fda76cc8a0bbd6f6ad3890f32f5f553a3490cfe28e01ba1a80c1f7f0

memory/3852-98-0x0000000140000000-0x00000001402AA000-memory.dmp

memory/3852-105-0x0000000140000000-0x00000001402AA000-memory.dmp

memory/3852-101-0x0000020C5A880000-0x0000020C5A887000-memory.dmp

C:\Users\Admin\AppData\Local\8WDc\WINSTA.dll

MD5 bebfb94035272a21a3ba28763cd024c9
SHA1 3fd59d52c33a6cb392411ddb1af8fbc0537aecb3
SHA256 ec306971b953fe7f0b53528991f9183f8e2ce0bcadb03ea36609aba501e1937e
SHA512 689df3977476e9f589971bf648dae72821f8aaacd506a26c0986186295d59ca8edac59e7766bbffe87b425fb71c442ea5393881351ddec74669afc6f9401011b

C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe

MD5 f8f15bf82b501fc5413dca96a5f5ac70
SHA1 831cfa1414a14ec005a9fb123fd40cfdb8b6ddad
SHA256 6688a6d6d130a6f8ecbe07d654cca2921cb24f01320e92a8ce801b27f992250e
SHA512 cfc53925f7bad418cbb44a40ad0eec7119d9f2732b3a25d6b9ec57883d8cc23557647b9c5b3d0297413e22268972436868668b7a609e87128a0a70d304580e74

C:\Users\Admin\AppData\Local\hxE\VERSION.dll

MD5 39f00bc67d94f532383ede7117a127ed
SHA1 001ce32beb24cc7dc6c92187582d92e3cf5c118c
SHA256 70cbaa79fb603c3522529597473ffa333f1d308d44fbcce11f257348f5032a49
SHA512 2eb7d9b3133666a97a1aab61b388e94616f3a5ef8a1bbf9d0ab01598db6eca722dbc08060c9cb1587819be8d17925e28e169ce2525c666f5ebb3adeb1a2c56f3

C:\Users\Admin\AppData\Local\hxE\VERSION.dll

MD5 32df6889d05ee3c0c8c926e3e4e3cab1
SHA1 46ce2d92a58b499113b4689c608999bff0e4e009
SHA256 63b83e1a99e7be60f5090351615b655cf53799cdba8a0252517273c3a32f87ab
SHA512 709c2ed0d279761ea48b970d8d481410d834b60db698dd23bf0edca8ca9237d3550654c5d6003e545e7900814746db416bf6db740d9c501b3fb651d1764b26f7

memory/3728-117-0x0000000140000000-0x00000001402A9000-memory.dmp

memory/3728-119-0x00000257F5FB0000-0x00000257F5FB7000-memory.dmp

C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE

MD5 834be95372b0aebc0393ef7cc6e198f8
SHA1 13831b3999fa5473f687e751ce5d729e6c06922c
SHA256 63311b274be14a353cb0e935954cabbbcc4b4742748d97bd0b85ab50f39dbd86
SHA512 9ba9abadb89cf5c419f1290a402a710cb3f13aea7bbe40127313342cd0a94d702f9a1cd662dffaecad19cd0a082f3913c8c78e729f731142421221c572e18a29

memory/3728-124-0x0000000140000000-0x00000001402A9000-memory.dmp

C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE

MD5 635b6a05d5f9f72f0e9b7d8a45b704c9
SHA1 0c9783c7ff8715668806e6ba4538eeca823ed40f
SHA256 651066e7bfe7dcfe60feb60def1b1986fd3f6b012f9cff3e74111dde6c29a23f
SHA512 b9a9ceba97a9c393a444cae1c6ce96fd6aea17d37eb33e33152d171dccc25a899f11c512f752378a15a724180eaa86bfaeb4e21e6608463c25e94aba7f29595f

C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe

MD5 34832c2d300b89e20757c1939c3ebab4
SHA1 ac0a96a0d5217fefb4cbce1f56870115cd7ab8ba
SHA256 b5e53d261f029f8dd4d00c2ecf2c4d8eda722dd9fdda8e27f8e9704fade583e5
SHA512 b23673020505189dc5594975f6abbb2ee408d486c261afc3ce8e913e3f484ad65037ff12b8a6b6841391de15e6cafa25efeb088fd03090d3f52ba50653638162

C:\Users\Admin\AppData\Local\F1m9fi\WINSTA.dll

MD5 7bcbaf864e9eacc88e4d541d17ef22e7
SHA1 1666efa591fb88ba3af27dcef88bd8215debb634
SHA256 15a71ebdb7b0d59c91b60d227b04d98168be51b2293168414895db79041c2887
SHA512 7d61325d1da78195ebec621e38dd4d2ff69f459a4c6dde0a0757c2767c8a1c389cc51410af01b13a145d5b6c718bc04fd2de3d7b747cb4afeda6efc2d428224f

memory/1776-137-0x000001DACB140000-0x000001DACB147000-memory.dmp

memory/1776-135-0x0000000140000000-0x00000001402AA000-memory.dmp

memory/1776-143-0x0000000140000000-0x00000001402AA000-memory.dmp

C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe

MD5 186826c42b6f0d65daae6f003b79890c
SHA1 f68d4cfbd936c8bd9f80c59df34607ea55446605
SHA256 58679986da41f6a5466832365b0d76d2641bf4ad7cf5e40a8eb7e959065294ff
SHA512 77e18941bbd2132e824a4ddd117c541aae2fa7179b528fa47db4b717e00c8b5ed02d199786a09458d71868f21062af005110061dc384f032f813fc39686cbd35

C:\Users\Admin\AppData\Local\F1m9fi\WINSTA.dll

MD5 c17db059e439fb3b0da6ecc6c9c030a6
SHA1 b7dab8c100da81729b423dcf90c31e735b35b518
SHA256 5d74000b954645e577a89a8b067416924d01ef96d7c37a80f7ff52dd690d4468
SHA512 04fb12a75e73ca421b1e8b2a32738179f8450c520065239a54fe9b679d59f689a66ea5faffdfa9b455dc1f27de16d0363d8f0eb528943ca4f8a02b1b6a1516b7

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 585090cd6fa8e9b1d0fa5fbd47a64dd7
SHA1 49a0610b7a2508c37b3edf8507fb17a97037e04d
SHA256 f481f461a7d5839cc56f7900cbd01bbe930a551d77576c98d9747aa8b3e2c81b
SHA512 da5662505d6d6bab34abc4ebff998e1f734088f5437e089c8ce3dc9ae2db5a56a0956b1532c9dd7c329d7e44dc7ebcd7ef105456b71a5e8be9620ce602ffc05e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\men\WINSTA.dll

MD5 ee77f57fd4540d4bcbfb721f3ee5fc58
SHA1 2abd50088ea29c58ce762918ca603f174d36aeab
SHA256 6687b4e2fa0b43f96bce1944404c469630c1b5edc927656b5d7911fe3f2371ba
SHA512 df1a1c4e6dcf45dd5fa121c649b481a6c328e7f64ef2386fd726ad4cb0b8482869e9e0392170778fff0e7f7a5dfb8606e181f96a871d6d2e8d73e82933c0ad7e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HliaK1KxLc\VERSION.dll

MD5 ff15024e50290f1b8461e6439d97fde8
SHA1 83dbeb0f7be1d6be3428dc9ecd6824c95d35d968
SHA256 aa0fe4b6df92813a8c569a4e6890e0e7656ff6d2aa935f336092db92dc09c73b
SHA512 71657c013814d27b62a4b5bc80e01a5acd5375024510ff7b3105075159f744126a5d18dcdf44e6e08642a672d1adba479c809ff88e366f500c7ee903cd22946c

C:\Users\Admin\AppData\Roaming\Mozilla\SQ\WINSTA.dll

MD5 0c7249515aaa01e6931f9cc374452752
SHA1 c8b7779e3a96d51def81445e2599b52ebf83ee1a
SHA256 5a96efb4d92ceff6db68dc2eef9abd852baf9753ceaab3b72ed9b171cd520dee
SHA512 6acfffcca0bf7bd11dde93834f1df75cbd0180d6136d1358e598c1613748f6afd077dbbdcda9c2942833376792b9c7ac1f29327919dbdcc389222f559bb0f775