Malware Analysis Report

2024-11-13 16:41

Sample ID 240201-lkyw6shed5
Target 868df0fad643001bb45bb8b38cfd7ec2
SHA256 35a57a2f4ae0a954f51d0b5da7bbebd60fbd047b7d9dc92da62bc442eb26429e
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35a57a2f4ae0a954f51d0b5da7bbebd60fbd047b7d9dc92da62bc442eb26429e

Threat Level: Known bad

The file 868df0fad643001bb45bb8b38cfd7ec2 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-01 09:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 09:36

Reported

2024-02-01 09:38

Platform

win7-20231129-en

Max time kernel

150s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\868df0fad643001bb45bb8b38cfd7ec2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe N/A
(4 further rows with no description, indicator, process or target recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\HOK47D\\DisplaySwitch.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 2540 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1340 wrote to memory of 2540 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1340 wrote to memory of 2540 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1340 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
PID 1340 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
PID 1340 wrote to memory of 2752 N/A N/A C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
PID 1340 wrote to memory of 2804 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1340 wrote to memory of 2804 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1340 wrote to memory of 2804 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 1340 wrote to memory of 2440 N/A N/A C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
PID 1340 wrote to memory of 2440 N/A N/A C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
PID 1340 wrote to memory of 2440 N/A N/A C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
PID 1340 wrote to memory of 1640 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1340 wrote to memory of 1640 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1340 wrote to memory of 1640 N/A N/A C:\Windows\system32\ComputerDefaults.exe
PID 1340 wrote to memory of 1532 N/A N/A C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe
PID 1340 wrote to memory of 1532 N/A N/A C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe
PID 1340 wrote to memory of 1532 N/A N/A C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\868df0fad643001bb45bb8b38cfd7ec2.dll,#1

C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe

C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

C:\Windows\system32\ComputerDefaults.exe

Network

N/A

Files

memory/2372-0-0x0000000140000000-0x0000000140235000-memory.dmp

memory/2372-1-0x0000000001D90000-0x0000000001D97000-memory.dmp

memory/1340-4-0x0000000076D96000-0x0000000076D97000-memory.dmp

memory/1340-5-0x0000000002D20000-0x0000000002D21000-memory.dmp

memory/2372-8-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-7-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-12-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-16-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-24-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-26-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-28-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-30-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-37-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-40-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-42-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-45-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-49-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-51-0x0000000002D00000-0x0000000002D07000-memory.dmp

memory/1340-48-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-47-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-46-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-58-0x0000000076FA1000-0x0000000076FA2000-memory.dmp

memory/1340-59-0x0000000077100000-0x0000000077102000-memory.dmp

memory/1340-57-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-44-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-43-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-68-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-74-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-73-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-41-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-39-0x0000000140000000-0x0000000140235000-memory.dmp

C:\Users\Admin\AppData\Local\DnWGgH\WINBRAND.dll

MD5 d031fb5ee9e6951cf6fb11c4a6ebc4cd
SHA1 be7f43f92221007444aad5f894f96557d7a6b12f
SHA256 fbf80714def3f7a4c667a096130dc3b67be07467b64c6defae6bf259d3faa6ed
SHA512 0c9b394b00d37ec535fdcd4571d3cf495ef480b9e8497a0d904aef44033fe0f80d18b19a551dc436cf8b742c84028c5f48dd6b92a3be35aa8db499d4f3557e0d

memory/2752-86-0x0000000000110000-0x0000000000117000-memory.dmp

\Users\Admin\AppData\Local\DnWGgH\WINBRAND.dll

MD5 75a1ff996cd67c62aa82e7819f163764
SHA1 a07c0a8f60fb1c622e0a1c37afd0cd2bbaa20744
SHA256 00431b028d95739d1d3a870caed364954a3c2e9510e5f970c238ca0c5435fbc0
SHA512 a0ee062da0ad521d331043b5576ab9c934f41af778c5e5e56df0380f8904a480c11517fcfc16883c7022a32e61229187caa844af50e90350114506b6bbb30492

C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe

MD5 20e60cf11b90f4eddeaa366bc24c5bb2
SHA1 37da21e9a1869a702f9d236ec0050891b5ce4607
SHA256 1a62a3ada4bf83fd8ecfab574f6682ef772188e58f48dbedcffd339deb3cf1b6
SHA512 977cf46bf206da5ec0e5907e20f9a676579b6d60c1ea78599b261a64eb34d7ce5f85c21e1de730fe878b144b4b69ba951e24a65b302bb950bb1807ae35880156

\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe

MD5 bf51290cf3b61042e2a96f7b7d1eb155
SHA1 ee6101dbe9e0c85bb93cb33bbdcdadfef1fcf0d7
SHA256 96c3e3ecf3e7486401b24d94d4a17bcf0176edf0d4e218feebb8d9f02e3e93b2
SHA512 1d963b9e9d5caf39f9521d85f6f698dcb2bcb05987e1047b565d0208070aed898386747d2e97d6d17579fdf01167c94268974e44f073ad869a0693519227cfed

memory/1340-38-0x0000000140000000-0x0000000140235000-memory.dmp

C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe

MD5 8cd690b45937427b6b5e21e3061d28d4
SHA1 c12c6d1bbac7cb6e4cef50b7168c4d8dccaa47d6
SHA256 2cb91010998e51e0b3ca08e0a5d1af6c2ad89063d5ac801f6bdca7d899af13f2
SHA512 e2290f7c1627db80547b9f125e676e8210d4853af854dff7cdf3dd2dec494cdba9ebad0c57e46ce07a21db6dccec13d4ce26ca666171365521d56edbfbca2d64

memory/1340-36-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-35-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-34-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-33-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-32-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-31-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-29-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-27-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-25-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-23-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-22-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-21-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-20-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-19-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-18-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-17-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-15-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-14-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-13-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-11-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-10-0x0000000140000000-0x0000000140235000-memory.dmp

memory/1340-9-0x0000000140000000-0x0000000140235000-memory.dmp

C:\Users\Admin\AppData\Local\3clGYl7X\slc.dll

MD5 8e62a307c83a9543e0de744ffc9d6cbb
SHA1 8f40e09cc77aa1f315d564d28d7de94726c1ac6b
SHA256 89e90fe75ec609307e90cf5fe46ee639debaa63eb7c7d87ff020e4cbd4f13cd8
SHA512 6be59f59bb7c4987127f00273c253d8bf28ecd1833a726ba8b67112692e922a1c8824005bc278b858b912320f71eef97368dcc2627986184de5206303ffd7ecb

\Users\Admin\AppData\Local\3clGYl7X\slc.dll

MD5 cbf66a15bf1039503d092dab1abe0436
SHA1 2135fce96d3457c3f5ccd8a8c751a495a8a0812e
SHA256 55a462acb269a02eb025be05554f45eb3786fb2d472d1eba48ecbd457f22fa23
SHA512 c5d720e96146da21f2f9aebab16270cbe6bf91106b1397fbe099f69d195d5308d505d43372cde538a533734934670b2ec4dfa521ce765bace211852e764b889b

memory/2440-108-0x0000000000280000-0x0000000000287000-memory.dmp

C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe

MD5 11d86d4d7425ce220c022e156507c25b
SHA1 7296aa31ca9beaece281167122f9b82de8fcb1e1
SHA256 2d8eb9cf23785f90a89aadefa0eb480131dad0ff1eebf0ea0dc7072394bfda86
SHA512 77657cab66ea5c2bf798106937b3827fe8335793e35f85cb2249747cbc5c3a29f33ac798c9c34f0e25695b0110a81b11cdbf52b618c40c8ffb06f678330e8642

\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe

MD5 045640cfa4317b88c65a3cea3e99f6fd
SHA1 f547e40c04f14c2dc8ca88ddfda28cc4c8c311a3
SHA256 b7f132285b26f6df1909087002eaef7bceab5cb9ed7f15c71d1e7e7138d1f195
SHA512 943bf7a1544f5a353cf34cc59981f85aa43f83ab4a378d7cebd563f873a0224fbf83619bd871ceb21dd0cb71f12972c22fb84186ad8a9c313b8d3d5d3b57fd00

C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe

MD5 5ed2103185309b94fc0c2b8692fb3997
SHA1 e9c026891eafb9b0a54cf761be52204e19b38e1e
SHA256 7d83d1c9b2092945fd7308eb921a14bfb796b827e937a7035ad674ff5728f81d
SHA512 74421cf4afd8f84516d8045765b04638831b7a5759da5d500fc6d8927962eb323c5f929fb74ef1ab01e439398b4af84a7c8da77b75679f33d1276e45fd4899ca

\Users\Admin\AppData\Local\4Jv\appwiz.cpl

MD5 ce267730c6482a667bb3f97d425ff622
SHA1 710a5896e652ed9d30e443a82213effc5af076cf
SHA256 5afe4d86a3f60b4055de742ce5181f060ed59f531c66c68e3bbcddf19d2dfe39
SHA512 0104d59fce5c525c9af9e71bd23b430850113f5278cf50abec955e180cd93e87784107f5caf5cadf90a2c562c06334620234f769de655541e21d925dba4bc98f

memory/1532-132-0x0000000001F20000-0x0000000001F27000-memory.dmp

C:\Users\Admin\AppData\Local\4Jv\appwiz.cpl

MD5 060ac1669a10ea750aa266ca5e8ef86d
SHA1 da5c83b212cadecf28c9c7125038a60ad933f477
SHA256 64a292109bfad018e355c5ada730843949d4bb0f6f579506cf0565bf57a33159
SHA512 18a2d2a1bf0800a8be8116466052d9d1985dda9db4d98c1a1ec7640485961a1b5ac11a1ecba6df660b60a9d5647898558b80a523d79da1b73cff68fc09036a69

C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe

MD5 86bd981f55341273753ac42ea200a81e
SHA1 14fe410efc9aeb0a905b984ac27719ff0dd10ea7
SHA256 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3
SHA512 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143

C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe

MD5 0551023b51f71ddc980c910e15fa3dd4
SHA1 cbe88079c8f42d18104c5f3d312211a77548ea89
SHA256 d86fb375b7ba52974d9f2eb5f09e97736b21ee1ad9b451b03fecff10192e60ae
SHA512 8ff4725b169ed6691f2411d5a4727e2e9d1c8d6e53a2dcd0378080a846440c174075af8e0db55a1857e461a014b2a38e2734468ba0479feb19132552b9400882

memory/1340-151-0x0000000076D96000-0x0000000076D97000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

MD5 4848138dc93e8a65814b698ca8322627
SHA1 ba9b30bc23971429c41aca93746c7d315ec1336e
SHA256 933b6805327a91455086f0ef4d51782e0aef403bddae3a51b80da245f6684101
SHA512 0ee3e0d9bcb14c19068312f1c2d41eda2545b2c04e48b81cc0810fe2585185decc0bb18d0d78538c7f4eb753a95523c9ac6f3ad8a6d196aa6b0efd1e6c8637d7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\JY0lT\WINBRAND.dll

MD5 da15cc19cd66cdbc39614d0294bd6c4c
SHA1 bce06039a7e8ea875f9e09a30d12b5baa295dc1a
SHA256 34002f55b3d769f153aba81be2584823e9fac91c3692fc6bfe64db7bc347e9ed
SHA512 900313e7fb8a6d2650e1f4f0e07ea4a61b7d784ca7835f2b13a92295bae96422c09333861c69f8f74301fb25c41911ee1120a688309f43c3bffc026db0c53d6e

memory/1532-164-0x0000000001F20000-0x0000000001F27000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\HOK47D\slc.dll

MD5 bb3a50cca8d525bf8a7420b7240669c5
SHA1 f44e505e03dfc014a62bb97cd5d9cf2d61856c3b
SHA256 a6244fae4fecbc7532efdf4037d839cc624b04ff4768215cc6077c09bb97587c
SHA512 7a88d00b17a40a246ea2266653e9b948065696fd07cd199712480847f4175007b0b32b0aceca671c2ad706103a6228c1655361ae239f8e52a967e73213933bb5

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\nBfA\appwiz.cpl

MD5 682e1fea84d3fc6e0090791254ecb398
SHA1 02364698c4255b98bc75645f9c02d377fb9b967d
SHA256 30ac1676610e66e167b2b8e41397a20945c974c075869c790989b8e218fc7a76
SHA512 3d292073f35070622d24d346fffbb6d8753495369c5a080c40853e5642ba60da65e247bb47c4306313e698eb550a22de72fb6c43f2c25a07f68c68f3b10ba04c

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 09:36

Reported

2024-02-01 09:38

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\868df0fad643001bb45bb8b38cfd7ec2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\0gF4kz\\rdpshell.exe" N/A N/A
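The Run-key indicator above, and the matching one from the win7 run, point the persistence value at a system-binary name in a second random-named directory under AppData\Roaming, and the Files tables show a DLL with a Windows library name dropped into that same directory (slc.dll next to the HOK47D\DisplaySwitch.exe target, WTSAPI32.dll next to the 0gF4kz\rdpshell.exe target). The following script is an added example, not part of the sandbox report or of any vendor tooling: it parses both indicator lines, unescapes the target path, checks it against the files written under the user profile, and lists the Startup-folder .lnk files from the Files tables as the second persistence path. The indicator strings and file paths are copied from this report; the only assumption is that the 8.3 short names MICROS~1 and STARTM~1 expand to "Microsoft" and "Start Menu", the usual values on an English Windows install.

```python
"""Added example (not from the report): triage the Run-key and Startup-folder
persistence indicators recorded in both detonations."""
import ntpath
import re

# Indicator lines copied from the two "Adds Run key to start application" tables.
RUN_KEY_INDICATORS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\HOK47D\\DisplaySwitch.exe" N/A N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\0gF4kz\\rdpshell.exe" N/A N/A',
]

# Files written under AppData\Roaming, copied from the Files tables of both runs.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\JY0lT\WINBRAND.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\HOK47D\slc.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\nBfA\appwiz.cpl",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\1wd\wer.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\0gF4kz\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Q20r690eNLh\DUI70.dll",
]

# Matches the report's "Set value (str) <key>\<value> = "<data>"" line format.
RUN_RE = re.compile(
    r"Set value \(str\) \\REGISTRY\\(?P<hive>USER|MACHINE)\\"
    r"(?:(?P<sid>S-1-5-21-[\d-]+)\\)?"
    r"(?P<subkey>.+?\\CurrentVersion\\Run(?:Once)?)\\(?P<name>[^\\ ]+)"
    r' = "(?P<data>[^"]*)"',
    re.IGNORECASE,
)

# Assumed expansion of the 8.3 short names that appear in the Startup paths.
SHORT_NAMES = {"MICROS~1": "Microsoft", "STARTM~1": "Start Menu"}


def expand_short_names(path):
    return "\\".join(SHORT_NAMES.get(part, part) for part in path.split("\\"))


def parse_run_key(line):
    """Parsed Run value for a Run-key write, or None for any other indicator."""
    m = RUN_RE.search(line)
    if not m:
        return None
    return {
        "hive": m["hive"].upper(),
        "sid": m["sid"],
        "subkey": m["subkey"],
        "value_name": m["name"],
        # The report doubles the backslashes inside the quoted value data.
        "target": m["data"].replace("\\\\", "\\"),
    }


def companions(target, files):
    """Other dropped files that sit in the same directory as the Run target."""
    target_dir = ntpath.dirname(target).lower()
    return sorted(
        ntpath.basename(f) for f in files
        if ntpath.dirname(f).lower() == target_dir
        and ntpath.basename(f).lower() != ntpath.basename(target).lower()
    )


def persistence_findings(indicators, files):
    """One finding per Run-key write: where it points and what was dropped beside it."""
    findings = []
    for line in indicators:
        entry = parse_run_key(line)
        if entry is None:
            continue
        entry["user_writable"] = "\\appdata\\" in entry["target"].lower()
        entry["companions"] = companions(entry["target"], files)
        findings.append(entry)
    return findings


def startup_entries(files):
    """Dropped .lnk files in the per-user Startup folder, short names expanded."""
    return sorted(
        expand_short_names(f) for f in files
        if f.lower().endswith(".lnk")
        and expand_short_names(ntpath.dirname(f)).lower().endswith(r"\programs\startup")
    )


if __name__ == "__main__":
    for f in persistence_findings(RUN_KEY_INDICATORS, DROPPED_FILES):
        print(f"Run\\{f['value_name']} -> {f['target']}  beside: {f['companions']}")
    for lnk in startup_entries(DROPPED_FILES):
        print(f"Startup: {lnk}")
```

The same parser applies to any `Set value (str)` line in a report of this format; lines that are not Run-key writes (the EnableLUA queries, for instance) return None and are skipped.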

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3lgk\wermgr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 3444 N/A N/A C:\Windows\system32\wermgr.exe
PID 3408 wrote to memory of 3444 N/A N/A C:\Windows\system32\wermgr.exe
PID 3408 wrote to memory of 4692 N/A N/A C:\Users\Admin\AppData\Local\3lgk\wermgr.exe
PID 3408 wrote to memory of 4692 N/A N/A C:\Users\Admin\AppData\Local\3lgk\wermgr.exe
PID 3408 wrote to memory of 2812 N/A N/A C:\Windows\system32\rdpshell.exe
PID 3408 wrote to memory of 2812 N/A N/A C:\Windows\system32\rdpshell.exe
PID 3408 wrote to memory of 1616 N/A N/A C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe
PID 3408 wrote to memory of 1616 N/A N/A C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe
PID 3408 wrote to memory of 2120 N/A N/A C:\Windows\system32\CameraSettingsUIHost.exe
PID 3408 wrote to memory of 2120 N/A N/A C:\Windows\system32\CameraSettingsUIHost.exe
PID 3408 wrote to memory of 1400 N/A N/A C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe
PID 3408 wrote to memory of 1400 N/A N/A C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\868df0fad643001bb45bb8b38cfd7ec2.dll,#1

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\rdpshell.exe

C:\Windows\system32\rdpshell.exe

C:\Windows\system32\CameraSettingsUIHost.exe

C:\Windows\system32\CameraSettingsUIHost.exe

C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe

C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe

C:\Users\Admin\AppData\Local\3lgk\wermgr.exe

C:\Users\Admin\AppData\Local\3lgk\wermgr.exe

C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe

C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe
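Two process-level patterns recur in the Processes and WriteProcessMemory tables of both detonations: a file name that belongs to a Windows system executable runs from a user-writable directory (each System32 binary is followed by an AppData copy of the same name), and one process writes into the memory of every spawned copy, the System32 original as well as the relocated one. The script below is an added example, not part of the sandbox report: it derives the list of system-binary names from the report itself (anything observed executing from System32) rather than from a hard-coded list, flags the same names running elsewhere, and groups the memory writes by writer. The event data is constructed from this report's tables. Assumption: the report does not name the image behind writer PIDs 1340 and 3408; this example treats them as the rundll32.exe loader, the only process in each tree that is not one of the spawned copies.

```python
"""Added example (not from the report): flag relocated system binaries and
cross-process memory writes in the recorded process trees."""
from collections import defaultdict
import ntpath

# Image paths copied from the Processes tables of both detonations.
PROCESS_IMAGES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\WindowsAnytimeUpgradeResults.exe",
    r"C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe",
    r"C:\Windows\system32\DisplaySwitch.exe",
    r"C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe",
    r"C:\Windows\system32\ComputerDefaults.exe",
    r"C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe",
    r"C:\Windows\system32\wermgr.exe",
    r"C:\Users\Admin\AppData\Local\3lgk\wermgr.exe",
    r"C:\Windows\system32\rdpshell.exe",
    r"C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe",
    r"C:\Windows\system32\CameraSettingsUIHost.exe",
    r"C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe",
]

# (writer PID, target PID, target image) from the WriteProcessMemory rows,
# one entry per distinct target. Assumption: 1340 and 3408 are rundll32.exe.
MEMORY_WRITES = [
    (1340, 2540, r"C:\Windows\system32\WindowsAnytimeUpgradeResults.exe"),
    (1340, 2752, r"C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe"),
    (1340, 2804, r"C:\Windows\system32\DisplaySwitch.exe"),
    (1340, 2440, r"C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe"),
    (1340, 1640, r"C:\Windows\system32\ComputerDefaults.exe"),
    (1340, 1532, r"C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe"),
    (3408, 3444, r"C:\Windows\system32\wermgr.exe"),
    (3408, 4692, r"C:\Users\Admin\AppData\Local\3lgk\wermgr.exe"),
    (3408, 2812, r"C:\Windows\system32\rdpshell.exe"),
    (3408, 1616, r"C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe"),
    (3408, 2120, r"C:\Windows\system32\CameraSettingsUIHost.exe"),
    (3408, 1400, r"C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe"),
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def split_path(path):
    """Lower-cased (directory, file name) of an NT path."""
    directory, name = ntpath.split(path)
    return directory.lower(), name.lower()


def in_system_dir(path):
    return split_path(path)[0] in SYSTEM_DIRS


def system_binary_names(images):
    """File names observed executing from a Windows system directory."""
    return {split_path(p)[1] for p in images if in_system_dir(p)}


def relocated_system_binaries(images):
    """Images that reuse a system-binary name but run outside the system dirs,
    as sorted (file name, path) tuples."""
    names = system_binary_names(images)
    return sorted(
        (split_path(p)[1], p)
        for p in images
        if not in_system_dir(p) and split_path(p)[1] in names
    )


def writes_by_writer(writes):
    """Writer PID -> sorted list of (target PID, target image)."""
    grouped = defaultdict(list)
    for writer, target_pid, image in writes:
        grouped[writer].append((target_pid, image))
    return {pid: sorted(targets) for pid, targets in grouped.items()}


def writers_hitting_both_copies(images, writes):
    """Writer PIDs that wrote into a system copy and a relocated copy of the
    same binary name: the injection pattern seen in both runs."""
    relocated = {name for name, _ in relocated_system_binaries(images)}
    hits = set()
    for writer, targets in writes_by_writer(writes).items():
        sys_names = {split_path(i)[1] for _, i in targets if in_system_dir(i)}
        other_names = {split_path(i)[1] for _, i in targets if not in_system_dir(i)}
        if sys_names & other_names & relocated:
            hits.add(writer)
    return sorted(hits)


if __name__ == "__main__":
    for name, path in relocated_system_binaries(PROCESS_IMAGES):
        print(f"system-binary name outside a system directory: {path}")
    for pid in writers_hitting_both_copies(PROCESS_IMAGES, MEMORY_WRITES):
        print(f"PID {pid} wrote into {len(writes_by_writer(MEMORY_WRITES)[pid])} processes")
```

Deriving the name list from observed System32 executions keeps the check tied to what the sandbox actually saw; on a host it would be replaced by the contents of the real System32 directory, and rundll32.exe is correctly left out because it only ever runs from System32 in these traces.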

Network

All recorded traffic is UDP to 8.8.8.8:53 carrying reverse-DNS (in-addr.arpa) queries for public IPv4 addresses; the report captures no forward name resolution and no direct connection in this run, and it does not attribute the queries to a specific process. The win7 run recorded no network activity at all.

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp

Files

memory/3236-0-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3236-2-0x0000026840380000-0x0000026840387000-memory.dmp

memory/3408-4-0x00000000015C0000-0x00000000015C1000-memory.dmp

memory/3408-7-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-9-0x00007FFDE7C5A000-0x00007FFDE7C5B000-memory.dmp

memory/3408-10-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-11-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-12-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-8-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-13-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3236-6-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-14-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-15-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-16-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-17-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-18-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-19-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-22-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-23-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-24-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-25-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-21-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-20-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-27-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-26-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-28-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-33-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-35-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-36-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-34-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-32-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-31-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-30-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-29-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-37-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-43-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-48-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-50-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-49-0x00000000014F0000-0x00000000014F7000-memory.dmp

memory/3408-57-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-47-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-46-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-45-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-58-0x00007FFDE8CA0000-0x00007FFDE8CB0000-memory.dmp

memory/3408-67-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-69-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-44-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-42-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-41-0x0000000140000000-0x0000000140235000-memory.dmp

memory/4692-78-0x0000000140000000-0x0000000140237000-memory.dmp

memory/4692-80-0x0000017F7E980000-0x0000017F7E987000-memory.dmp

memory/4692-84-0x0000000140000000-0x0000000140237000-memory.dmp

C:\Users\Admin\AppData\Local\3lgk\wer.dll

MD5 d80f79e5b1eac19dac428df5da4210d9
SHA1 037a777c7482c40a5d29d12640a24e33509bc1f1
SHA256 29b44bfc8ad46b3d6c2583e5be8b043a199b1abce5709ca69c941cfe12e953a1
SHA512 da06bfda132c5c411054cc6ea8bac1737c97030fc882b8d56501fa8379d780c11b52981eb040305a082421805eb0eda50828eaf46b824d90010077ebcf74c8f8

C:\Users\Admin\AppData\Local\3lgk\wermgr.exe

MD5 d3963f52f8c0abf67f229bfa8ad0d73a
SHA1 c9f90ebbc9b6f4b34f823378bfe4e1108a3be92a
SHA256 b5764e757f94aaabb0fa958c1358eed33d6fd81a593b04c64f82b3273a3f883d
SHA512 6c2c470cc190f31d76e22440c47ff104430cc4f06d8a2acd990c8e7ae9a09fe8e9fcd2ff2ae5cdf7e3c4c940e8abb5a6f3cf555575f4fe3b231eb83a9fb1769a

C:\Users\Admin\AppData\Local\3lgk\wer.dll

MD5 cc85ca465742d3255e9990b59cb10b69
SHA1 7f7b8c2cdea5d9ac2736ee597a1f713519bd062d
SHA256 8fe06c39c610a82619a9bba3c09f83ed764839676d7aec90f0e2ffd783b983b9
SHA512 ab0a47c0c424c2bc605d1ee5098ea9a814fe10e94aba6ed4868d423536abf654474f54077086df86eff4c979ecf28c3ea8c0391c7661b0b2c999dfa8495c5b28

C:\Users\Admin\AppData\Local\T0A7R1we\WTSAPI32.dll

MD5 5edba5994b49f14fc6bef0b74c71d7ef
SHA1 f37177cd4e721b829df67d7a8fbdb3a04babff92
SHA256 f8427baaf2480c1d44768c31771b2aa13636470a6fd99092bec0e14a0e3a1c2b
SHA512 cd4089e2b37bc3487a17147c502db752c33e0c88f92d18a625b32e656b697d027c73fe211a0c87d6f0ed02c19698ec6623dd98fd1ba849217576b06fc127565f

memory/1616-96-0x000002B3E8D10000-0x000002B3E8D17000-memory.dmp

C:\Users\Admin\AppData\Local\T0A7R1we\WTSAPI32.dll

MD5 fcdc3243d4476c7ee5aca417c7a87bb5
SHA1 545e885c5e33e2f4fd852e233a27c7a1cb12954d
SHA256 b306b19e0d60bba3342cfdc210c54115a9fa73f041e8be989cf5a7ba2f966b35
SHA512 83c159d436462d050458df052b1b3da4401904a92498bd0d8d8aec6471e0ff2237780ea69302fc0f3aad403872c247abd319f0eb844426aa0f2420dae68faf34

C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe

MD5 5b4a14d793b24d89b0be96b5713c980d
SHA1 496fa4f9fea7479ebbfd727ea1487b5bd33bef49
SHA256 810856a5877f380d353f595be7c653485293de01bf8987d30f13012eee7f6cd1
SHA512 fbfd6a6ae33f868304a27385bc04cef5500618e27373d8dff3e4c1fc6ff356a8c390de615888762cca8515d9488f4f1cda04f6071beb3356d28a020eed8d8fa2

C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe

MD5 df327a60a368d75cb46ce0ad48ea4a1e
SHA1 5bc83e186c1b87f606253431b7d8b0ae90344a76
SHA256 a250660ca0413cab558b7c1aa7f2a9304eb02ad1ec258d611ab86575e65f3052
SHA512 6677670afdf39b632c41b760ddc5453bbbde989dccb8a31dbf315fd083f3eca177d0e4fe49fe93a6798cc7c2e290252648c74f85707bb91f6a6674fc8309bad0

C:\Users\Admin\AppData\Local\3lgk\wermgr.exe

MD5 f0290d52ed1be017930790f9dfbd4c97
SHA1 5c960668c6b1213259736a93b24c118314bec560
SHA256 5cbb932752f9e5624f16f2dc0f5d33487984f424f12ac0e5e87ff856505279ac
SHA512 b0022e3e9056287aaa63513ed8e09d43c346ed3d511a3c1781dd8b0557cd260b9d6a3f63f7a3425129684ef8e7125d626ec523d66c3e7ac20633ec30cb86e4c7

memory/3408-40-0x0000000140000000-0x0000000140235000-memory.dmp

memory/3408-39-0x0000000140000000-0x0000000140235000-memory.dmp

C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe

MD5 9e98636523a653c7a648f37be229cf69
SHA1 bd4da030e7cf4d55b7c644dfacd26b152e6a14c4
SHA256 3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717
SHA512 41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

C:\Users\Admin\AppData\Local\Zrkg\DUI70.dll

MD5 791076ab34e22acbc7976f3b53caf8cc
SHA1 2d38e0fb1660143bcecc2357cfeee83399f0fe4c
SHA256 b349954ab2e72b34f99db204136f30d86613655cf00fab65e02e02ac7d8ffc1d
SHA512 7965f5287f4f38aceca7608b17e49a631427e9a5492a551a2d69551fe3e14da5effcf68c526590860d03c6ce5b8e8059dd2cd0a23104f2910828233aadf5a1db

memory/1400-115-0x000001A288800000-0x000001A288807000-memory.dmp

C:\Users\Admin\AppData\Local\Zrkg\DUI70.dll

MD5 1d8450348de10657d793211c01e1423b
SHA1 ac1d6105eed9703da5d63ab0d4bd0a47cc545e59
SHA256 f69ca0691f6fbd8ae6d3af1f8883f24975e90e8b0806922f6665687443e52789
SHA512 e5defa660a73f893690c2b7881f0097d9302bf4d094368c32f6036898dc1e5283a9af4ecf0c4e9898ee4af991eb9c226547604d31464f1dee25564490d0ce676

memory/3408-38-0x0000000140000000-0x0000000140235000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk

MD5 0c9e8c90bd569b766ee0d8f81bb2185c
SHA1 ad568e549361f8314612597b8cbf6e4d0c03781c
SHA256 0c845afd25468e6bc6b94d32f54292b02e961efe41089ff65622763aebe2898d
SHA512 d269b4c4337b298e65787d6ce286fdfb0e5035a9c22eda0c8066cc0accddc70416733be05476606abfdfef44f115eaa7185ff4f8a32c84fba938095f59ca5d22

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\1wd\wer.dll

MD5 8283232934a41d7452eed2b88e208dbc
SHA1 23cd6227871c2191037a4953c8c15f647fef21f0
SHA256 49a551d977cf770ad59b318394604e5d49f46af59186cb4dd4789a7bab9dbbd0
SHA512 b6ed9e07754629caa7ed31cd1f98bc1240e56df7b8ff85493969dd2fa44c500f1f8a9d8766cc170becece1defb17eb8714f7e4ffd7024f32fd51ee4db45d7976

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\0gF4kz\WTSAPI32.dll

MD5 1ad6773b5d92bc290ef6a07b451ea749
SHA1 37fa77626267b31afb7a67fecd3cda6fcaa189da
SHA256 f29c80a5fa69278eb998839b4d076fceccbee186a380ff650e76e0fa38bded61
SHA512 37cb1eb4ea06e37fa677002e275f7cd683f688bb602848974d749e88f101e7a3fcc979fa68621fe95ed5f9375efb0c937bd803e975fabcdba89cf03f5d710ad4

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Q20r690eNLh\DUI70.dll

MD5 7d89922aa33d13c03b554e792e8fc7c6
SHA1 e8631ca5423577ab4a6767fad2f8fce33f80a771
SHA256 d12b282c79a9005a19f6eb1e613a5fd9fe36a74fb50de808f83037b97528ac55
SHA512 c9daa9e4ed099ce3893494e0e7b97e78e00e8504556c042f1623360b097628ce204b887f8210b7bc32a3e622ce71e5aecb396877507cec41ccaa50b501dd7a5d
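The Files tables of both runs share one layout: a random-named directory under AppData\Local holding a copy of a Windows executable next to a single .dll or .cpl with a Windows library name, which is what the "Loads dropped DLL" rows record (the copied executable loading a dropped library from its own directory). The script below is an added example, not part of the sandbox report: it groups the dropped files by directory, reports every user-profile directory that contains both an executable and a library, and lists the paths the report records with more than one SHA256 together with the complete hash set. Caveat for the hashes: the report does not say why the same path carries several values (a file captured part-way through being written and a file rewritten by the sample look identical here), so every hash is kept as an indicator rather than choosing one. The path/hash pairs are copied from this report; entries the report lists without a drive letter are the same file and are normalised to C:.

```python
"""Added example (not from the report): side-loading layouts and hash
variants from the dropped-file tables of both detonations."""
from collections import defaultdict
import ntpath

# (path, SHA256) pairs copied from the Files tables, AppData\Local entries only.
FILES = [
    (r"C:\Users\Admin\AppData\Local\DnWGgH\WINBRAND.dll", "fbf80714def3f7a4c667a096130dc3b67be07467b64c6defae6bf259d3faa6ed"),
    (r"\Users\Admin\AppData\Local\DnWGgH\WINBRAND.dll", "00431b028d95739d1d3a870caed364954a3c2e9510e5f970c238ca0c5435fbc0"),
    (r"C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe", "1a62a3ada4bf83fd8ecfab574f6682ef772188e58f48dbedcffd339deb3cf1b6"),
    (r"\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe", "96c3e3ecf3e7486401b24d94d4a17bcf0176edf0d4e218feebb8d9f02e3e93b2"),
    (r"C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe", "2cb91010998e51e0b3ca08e0a5d1af6c2ad89063d5ac801f6bdca7d899af13f2"),
    (r"C:\Users\Admin\AppData\Local\3clGYl7X\slc.dll", "89e90fe75ec609307e90cf5fe46ee639debaa63eb7c7d87ff020e4cbd4f13cd8"),
    (r"\Users\Admin\AppData\Local\3clGYl7X\slc.dll", "55a462acb269a02eb025be05554f45eb3786fb2d472d1eba48ecbd457f22fa23"),
    (r"C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe", "2d8eb9cf23785f90a89aadefa0eb480131dad0ff1eebf0ea0dc7072394bfda86"),
    (r"\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe", "b7f132285b26f6df1909087002eaef7bceab5cb9ed7f15c71d1e7e7138d1f195"),
    (r"C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe", "7d83d1c9b2092945fd7308eb921a14bfb796b827e937a7035ad674ff5728f81d"),
    (r"\Users\Admin\AppData\Local\4Jv\appwiz.cpl", "5afe4d86a3f60b4055de742ce5181f060ed59f531c66c68e3bbcddf19d2dfe39"),
    (r"C:\Users\Admin\AppData\Local\4Jv\appwiz.cpl", "64a292109bfad018e355c5ada730843949d4bb0f6f579506cf0565bf57a33159"),
    (r"C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe", "40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3"),
    (r"C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe", "d86fb375b7ba52974d9f2eb5f09e97736b21ee1ad9b451b03fecff10192e60ae"),
    (r"C:\Users\Admin\AppData\Local\3lgk\wer.dll", "29b44bfc8ad46b3d6c2583e5be8b043a199b1abce5709ca69c941cfe12e953a1"),
    (r"C:\Users\Admin\AppData\Local\3lgk\wermgr.exe", "b5764e757f94aaabb0fa958c1358eed33d6fd81a593b04c64f82b3273a3f883d"),
    (r"C:\Users\Admin\AppData\Local\3lgk\wer.dll", "8fe06c39c610a82619a9bba3c09f83ed764839676d7aec90f0e2ffd783b983b9"),
    (r"C:\Users\Admin\AppData\Local\3lgk\wermgr.exe", "5cbb932752f9e5624f16f2dc0f5d33487984f424f12ac0e5e87ff856505279ac"),
    (r"C:\Users\Admin\AppData\Local\T0A7R1we\WTSAPI32.dll", "f8427baaf2480c1d44768c31771b2aa13636470a6fd99092bec0e14a0e3a1c2b"),
    (r"C:\Users\Admin\AppData\Local\T0A7R1we\WTSAPI32.dll", "b306b19e0d60bba3342cfdc210c54115a9fa73f041e8be989cf5a7ba2f966b35"),
    (r"C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe", "810856a5877f380d353f595be7c653485293de01bf8987d30f13012eee7f6cd1"),
    (r"C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe", "a250660ca0413cab558b7c1aa7f2a9304eb02ad1ec258d611ab86575e65f3052"),
    (r"C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe", "3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717"),
    (r"C:\Users\Admin\AppData\Local\Zrkg\DUI70.dll", "b349954ab2e72b34f99db204136f30d86613655cf00fab65e02e02ac7d8ffc1d"),
    (r"C:\Users\Admin\AppData\Local\Zrkg\DUI70.dll", "f69ca0691f6fbd8ae6d3af1f8883f24975e90e8b0806922f6665687443e52789"),
]


def normalise(path):
    """Prefix drive-less report paths with C: so both spellings collide."""
    return path if ntpath.splitdrive(path)[0] else "C:" + path


def by_directory(files):
    """directory (lower-cased) -> file name (as written) -> set of SHA256."""
    tree = defaultdict(lambda: defaultdict(set))
    for path, sha in files:
        directory, name = ntpath.split(normalise(path))
        tree[directory.lower()][name].add(sha)
    return tree


def side_load_layouts(files):
    """(directory, [exe names], [library names]) for every user-profile
    directory that holds an executable next to a .dll or .cpl."""
    found = []
    for directory, names in by_directory(files).items():
        if not directory.startswith("c:\\users\\"):
            continue
        exes = sorted(n for n in names if n.lower().endswith(".exe"))
        libs = sorted(n for n in names if n.lower().endswith((".dll", ".cpl")))
        if exes and libs:
            found.append((directory, exes, libs))
    return sorted(found)


def multi_hash_paths(files):
    """Paths the report records with more than one SHA256, with all hashes."""
    return {
        ntpath.join(directory, name): sorted(hashes)
        for directory, names in by_directory(files).items()
        for name, hashes in names.items()
        if len(hashes) > 1
    }


def all_sha256(files):
    """Every distinct hash, for blocklists that key on content not path."""
    return sorted({sha for _, sha in files})


if __name__ == "__main__":
    for directory, exes, libs in side_load_layouts(FILES):
        print(f"{directory}: {', '.join(exes)} next to {', '.join(libs)}")
    print(f"{len(multi_hash_paths(FILES))} paths with several hashes, "
          f"{len(all_sha256(FILES))} distinct SHA256 values")
```

The directory grouping is what makes the check hold up against the random directory names: nothing in the detection depends on DnWGgH or 3lgk, only on a Windows executable name and a Windows library name sharing a user-writable directory.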