Malware Analysis Report

2024-11-13 16:41

Sample ID 240201-q8w5psehc9
Target 870eeef933351d3ca6e6f77f6f1b0506
SHA256 0244e314ec929575d050f32ef42e74e572b141b849802f6929ca22fc1401553e
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0244e314ec929575d050f32ef42e74e572b141b849802f6929ca22fc1401553e

Threat Level: Known bad

The file 870eeef933351d3ca6e6f77f6f1b0506 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-01 13:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 13:56

Reported

2024-02-01 13:59

Platform

win7-20231215-en

Max time kernel

140s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\870eeef933351d3ca6e6f77f6f1b0506.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\zzYUDHK8\\xpsrchvw.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows with all four fields N/A)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1184 wrote to memory of 2172 N/A N/A C:\Windows\system32\sigverif.exe
PID 1184 wrote to memory of 2172 N/A N/A C:\Windows\system32\sigverif.exe
PID 1184 wrote to memory of 2172 N/A N/A C:\Windows\system32\sigverif.exe
PID 1184 wrote to memory of 888 N/A N/A C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe
PID 1184 wrote to memory of 888 N/A N/A C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe
PID 1184 wrote to memory of 888 N/A N/A C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe
PID 1184 wrote to memory of 2688 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1184 wrote to memory of 2688 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1184 wrote to memory of 2688 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1184 wrote to memory of 2192 N/A N/A C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe
PID 1184 wrote to memory of 2192 N/A N/A C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe
PID 1184 wrote to memory of 2192 N/A N/A C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe
PID 1184 wrote to memory of 1832 N/A N/A C:\Windows\system32\perfmon.exe
PID 1184 wrote to memory of 1832 N/A N/A C:\Windows\system32\perfmon.exe
PID 1184 wrote to memory of 1832 N/A N/A C:\Windows\system32\perfmon.exe
PID 1184 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe
PID 1184 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe
PID 1184 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\870eeef933351d3ca6e6f77f6f1b0506.dll,#1

C:\Windows\system32\sigverif.exe

C:\Windows\system32\sigverif.exe

C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe

C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe

C:\Windows\system32\xpsrchvw.exe

C:\Windows\system32\xpsrchvw.exe

C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe

C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe

C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe

Network

N/A

Files

memory/1428-0-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1428-1-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-4-0x0000000077456000-0x0000000077457000-memory.dmp

memory/1184-5-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/1428-8-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-11-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-18-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-24-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-27-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-32-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-35-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-40-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-41-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-43-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-45-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-47-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-50-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-53-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-56-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-57-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-60-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-62-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-63-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-65-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-64-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-70-0x00000000025D0000-0x00000000025D7000-memory.dmp

memory/1184-61-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-58-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-59-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-55-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-54-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-52-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-51-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-78-0x0000000077661000-0x0000000077662000-memory.dmp

memory/1184-79-0x00000000777C0000-0x00000000777C2000-memory.dmp

memory/1184-49-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-48-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-46-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-44-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-42-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-39-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-38-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-37-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-36-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-34-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-33-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-31-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-30-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-29-0x0000000140000000-0x0000000140380000-memory.dmp

C:\Users\Admin\AppData\Local\5vWUO\VERSION.dll

MD5 8129b65d8cf55f3bde74c84910041179
SHA1 4ab1c6193a6a3749e3f0cae24afd6b865e689793
SHA256 9474e536fcb23cc075c9a63433c0fdde5d4dafdda3efd82e2bd5a613e651ee88
SHA512 4fa0026a6b9827e5128e80040c4bc1ed1515b8e102bf7c1f0c6374d2eae06ebf2316b0d96e0e378f3e26357c8c1344900c2790325bbbb5410a9631bc8a403a62

C:\Users\Admin\AppData\Local\5vWUO\sigverif.exe

MD5 e8e95ae5534553fc055051cee99a7f55
SHA1 4e0f668849fd546edd083d5981ed685d02a68df4
SHA256 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
SHA512 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

\Users\Admin\AppData\Local\5vWUO\VERSION.dll

MD5 9941768515410a14403f003cd7c28b60
SHA1 0106560f6cac2345d1dd99c40a99c683f323baa2
SHA256 1dea8e692150da355da3fa14921e6a13460482b29169f80a127bfded2ade0312
SHA512 a010d87285d6c1234497c45edc4971e480e62a58cf5da76f407e1c6d9686d7042f29ea20261deeed51d1045d2b87f31ed064c1c4edb33b38518a41c5e6fe1d59

memory/888-106-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1184-28-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-26-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-25-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-23-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-22-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-21-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-20-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-19-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-17-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-16-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-15-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-14-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-13-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-12-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-10-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-9-0x0000000140000000-0x0000000140380000-memory.dmp

memory/1184-7-0x0000000140000000-0x0000000140380000-memory.dmp

C:\Users\Admin\AppData\Local\agLuwjaQg\WINMM.dll

MD5 3a87b94c2f374966d12237093b5828cb
SHA1 23ef1d49a795eae36ac8266e9880c294340a863c
SHA256 f014e17f1ceae69fc24614b1e2b5e668f83caf395df924c2ef0c8a7319a7661a
SHA512 8d4f854b8d964ec5e3a5260f0b011d6bac9ad55e0acce2b577703656588d48b25e73c1cc9736f296818385f7c14e10f07f6770716ffbd61b4259fd20b5abb4ec

C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe

MD5 9c88d46f1b7d4b411b9c4294e0b907a7
SHA1 3327e0c9bf2b0780a455ed9c40ded06e1701520c
SHA256 bf5c385b0c30ac2e5e138aa7a1cf5b2d87208fca2585cc3ff66941216697f10c
SHA512 78496edbad17bb329992975c7ae3cea9ed785f6340d07e761771fe60a5eade50302d4ed4acb332a8516d392012afe6ca0eb098f30bca7540b6f92d647bce1be9

memory/2192-125-0x0000000000180000-0x0000000000187000-memory.dmp

\Users\Admin\AppData\Local\agLuwjaQg\WINMM.dll

MD5 3cf51abf1230046e2c689a167c057be1
SHA1 4dd494b23404adaeefaac28e110191abe8abe41a
SHA256 f1a4658f91be10fc448b096a44deeaef77381da0df92c1497aee6c41f71a7c66
SHA512 77af32437e8095c1f4d71f251dbbc8dfdb82c464fdae78f6b0e5e0a1ca51a714dc8e6dcbbaeff5015c02c8a92b26f56200b445c2c29d8ac03713b8bc98ec17f7

\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe

MD5 f1580a3683f07d6467fc9ac9aee3a361
SHA1 d83fe8112744ce4df59529cfb876d2bce5c67294
SHA256 74bdd8b7e677f73e6b8f0bd819942e460f025f4fb9b40ca94aee1344e005f9fa
SHA512 d68930de906e3494121b19f53bd21442793e7f2fed844b1b4373e8ed4de7579c0e40f19f1d5107ea88939269e46b1d53f9b6e4c037ad193424fb27437e10078d

C:\Users\Admin\AppData\Local\agLuwjaQg\xpsrchvw.exe

MD5 693609ddf32481586c1856505ca38898
SHA1 f0db7aefb797d702352945747b8514abad9859a2
SHA256 e09910756072703e8afb3115d3c7fad75205c502b967d960eccc9d252ced5572
SHA512 2f2f4cebfe4a8ef9f6bbb7b735943f7a9a34b42b8d2eb7a22df99cbf086711686bd085086637ebb8a715b60c2e9af61f0ca5efa8b424e691d8b29d45739081cb

\Users\Admin\AppData\Local\RdaDc\credui.dll

MD5 176dd928ef85f23cb1c3de429a5b11cb
SHA1 9abb53bd6d749862b837ba38d87c77bd7624943f
SHA256 eda14e8e2fb3c1fd4615677fed092eee91ffad0cc3869a7665a66848b35fb59b
SHA512 d1c80875167310285a3885cb0d9792b657daafe2ba28b2bd877cdd68b54b838c5745ab1dc0a0c1a3b467c7300ca77f0000892b5ccb5a5c3e915c52ee8291636a

memory/1436-147-0x0000000000280000-0x0000000000287000-memory.dmp

C:\Users\Admin\AppData\Local\RdaDc\credui.dll

MD5 c6c9b550fa9915920b1042cbebc5c0ce
SHA1 e5a03c6694b578101af5dade9e6ef9b101fb641d
SHA256 c011d07b8dcd581efacb8bd562412af1401f6c924d6d8fc469c1b8a4270dc455
SHA512 ff087b63c4b1f6f1016df3d72d2c21a974b2820e2422ea53904c58a7de8523869fd02db264bf5c6bea802adcd623f1c17624e386ee4c25d202f3b86c33c3b48e

C:\Users\Admin\AppData\Local\RdaDc\perfmon.exe

MD5 64df089147fbfcdfdd7ee5a3f501c593
SHA1 a46f4ab09b5557bb1467bbb8bf2fc31d4fb17a09
SHA256 8843c777d1f4f7fb6d79c0956c6c21a25509bd6fb196b1ce6df800ea72c91c65
SHA512 cf8cd2e263e32bb3860bec777490d758516b52c86806f015f70e10624fbe48cd6444c820380ca9f54c1633082916ed9d392d532fbb66b033fdef26565a922b0b

\Users\Admin\AppData\Local\RdaDc\perfmon.exe

MD5 b6cdc7d02e7ba1f00688ff5d6c647c4c
SHA1 27427dd8e2680595e85aa54a8e3901701a0452e2
SHA256 c0566e6c0115254cce1325680cc5927bf77a403903146ad1eb2167f8348ad64a
SHA512 8fe59342754ae00b262a80b91b3581c699e16fc0c869787a1bf5b98644b60e138cf8a9734ad80972c3a3b7788fb926aa947c3fb2541a82619a3992d6ffefba85

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\q2Ma7Uj\perfmon.exe

MD5 3eb98cff1c242167df5fdbc6441ce3c5
SHA1 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
SHA256 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
SHA512 f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

MD5 55baa3c40c648375593671026c4d105d
SHA1 eadcfd3f797be8c00957e7245fde74553b9fd852
SHA256 be2acee9dc58f30153fa016f027dc86ff120693697f52ad378af41ac2c4648fb
SHA512 28721cef5ae0a0bfe86f0c8352f27ec3ccb5ca11bbd2465c150bf6c093d9d62bafcd5a8838e97d78c1e0df4b271828942ce0d7b880e39cc7c5347f9c8d236446

memory/1184-171-0x0000000077456000-0x0000000077457000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\S1CyFpmc\VERSION.dll

MD5 e6142c9a25ba8dda6028814648ee2600
SHA1 0ced623238f72f2651173e888ff701a44f506905
SHA256 85a5a441b5ec3b9a798f5998ad0d2de1f3d8fdd2b701ad41bcaef41fea2b6e25
SHA512 129d191a53bb50d8cec7b32ce5145e711bf4a1a2fffb3887ce3314f5455aaf083b54ba2a63b03ea2117f7ec5db0f1b232f1a5bf3d0ba3b60accffba09889e454

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\zzYUDHK8\WINMM.dll

MD5 9d01e0ede99eaf4408b0ba20c2a8f37b
SHA1 8212daa51a41395c937c064266045ff5fe2e0310
SHA256 d6700a8997f099a2caba3ab3a8d9e481fdc7a468222bb0ea8424205e61fe336c
SHA512 2d2514db9cee6f21864709df5ed7db258e217674daaa12c19dcde22f30f764d6917e1d574fe6b3fb5a9b557dd2fd7e06ad3f353900618f4b120d999e7e721b0b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\q2Ma7Uj\credui.dll

MD5 25309d4f50efdc6cbc6e582141554160
SHA1 94079cce08f6a68628aef995fdc497912b56406f
SHA256 ce100fd50627c4db73eb8c85f7ba21d99b6c10200554420e136d8061b9e2345c
SHA512 39ea2c6eee78c57384287eaacbf0860b4f5b9da2ebacd00df4488493e6212ad970a874b4d9ad6e1f3ddd0351b16c57806c069233f6b4171fc9f26b07bea92967

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 13:56

Reported

2024-02-01 13:59

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\870eeef933351d3ca6e6f77f6f1b0506.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\jFZztRz\\WFS.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ADK\WFS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(58 further rows with all four fields N/A)

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3568 wrote to memory of 1216 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 3568 wrote to memory of 1216 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 3568 wrote to memory of 3228 N/A N/A C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe
PID 3568 wrote to memory of 3228 N/A N/A C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe
PID 3568 wrote to memory of 3552 N/A N/A C:\Windows\system32\WFS.exe
PID 3568 wrote to memory of 3552 N/A N/A C:\Windows\system32\WFS.exe
PID 3568 wrote to memory of 4060 N/A N/A C:\Users\Admin\AppData\Local\ADK\WFS.exe
PID 3568 wrote to memory of 4060 N/A N/A C:\Users\Admin\AppData\Local\ADK\WFS.exe
PID 3568 wrote to memory of 2180 N/A N/A C:\Windows\system32\consent.exe
PID 3568 wrote to memory of 2180 N/A N/A C:\Windows\system32\consent.exe
PID 3568 wrote to memory of 4500 N/A N/A C:\Users\Admin\AppData\Local\gvap\consent.exe
PID 3568 wrote to memory of 4500 N/A N/A C:\Users\Admin\AppData\Local\gvap\consent.exe
PID 3568 wrote to memory of 1368 N/A N/A C:\Windows\system32\shrpubw.exe
PID 3568 wrote to memory of 1368 N/A N/A C:\Windows\system32\shrpubw.exe
PID 3568 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe
PID 3568 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\870eeef933351d3ca6e6f77f6f1b0506.dll,#1

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\gvap\consent.exe

C:\Users\Admin\AppData\Local\gvap\consent.exe

C:\Users\Admin\AppData\Local\ADK\WFS.exe

C:\Users\Admin\AppData\Local\ADK\WFS.exe

C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe

C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 20.231.121.79:80 N/A tcp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 204.79.197.200:443 N/A tcp
US 204.79.197.200:443 N/A tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp

Files

memory/460-0-0x0000023B1A4B0000-0x0000023B1A4B7000-memory.dmp

memory/460-1-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-4-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

memory/3568-7-0x0000000140000000-0x0000000140380000-memory.dmp

memory/460-6-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-9-0x00007FFA3DC8A000-0x00007FFA3DC8B000-memory.dmp

memory/3568-8-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-11-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-10-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-12-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-13-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-14-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-15-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-16-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-17-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-18-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-19-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-20-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-21-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-22-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-23-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-24-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-26-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-27-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-28-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-25-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-30-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-29-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-31-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-32-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-34-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-35-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-39-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-40-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-41-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-42-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-38-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-37-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-36-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-33-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-43-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-46-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-50-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-52-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-55-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-56-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-57-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-59-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-61-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-62-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-63-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-64-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-65-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-60-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-58-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-53-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-54-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-70-0x00000000010D0000-0x00000000010D7000-memory.dmp

memory/3568-51-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-49-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-48-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-47-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-78-0x00007FFA3F800000-0x00007FFA3F810000-memory.dmp

memory/3568-45-0x0000000140000000-0x0000000140380000-memory.dmp

memory/3568-44-0x0000000140000000-0x0000000140380000-memory.dmp

C:\Users\Admin\AppData\Local\mtcGu\SystemPropertiesProtection.exe

MD5 26640d2d4fa912fc9a354ef6cfe500ff
SHA1 a343fd82659ce2d8de3beb587088867cf2ab8857
SHA256 a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37
SHA512 26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

C:\Users\Admin\AppData\Local\mtcGu\SYSDM.CPL

MD5 8cfacb5c8d1497eddaf2d46b3dc2f99d
SHA1 8d51d5fc8e72fe63f7e976d5addba68a2dc1b8a9
SHA256 ed0bee0074bf9b003470c5763314c0c788b4e39632cdb269728f558f7456580d
SHA512 371379be397cb435629473fb2eb1ff881c36580ca82a95716689f5bec83a2a30bb99c627757ddc8d9dc542fc8cc92c61245a6e2e4cab83294015d98badf51c39

C:\Users\Admin\AppData\Local\mtcGu\SYSDM.CPL

MD5 b4adef0fdc696c64168afc2b5aa74c2a
SHA1 e6fcd4a17b2bd50738036ac62faad8e803d76d7d
SHA256 4eaa94e941140ce791ccf3cf314ca9a33ee2f6d2bf81f8d88e0be7544d43c151
SHA512 c79f188af494f6a80c922beff72f6f2f82850668bcaad050560810ae3662ea8e7c576a00eae0790c12057fb5262659763da84c4e63561a2af31a6c3a3d245582

memory/3228-98-0x0000021E6CB90000-0x0000021E6CB97000-memory.dmp

C:\Users\Admin\AppData\Local\ADK\MFC42u.dll

MD5 bb1317768fe31286457f39467bf2752d
SHA1 4c9e326001306fe436197670ad75e5c430086e05
SHA256 685bd7ce4a7e3ca87c46107d78fcef99393987eede3de909c4e1320030488a0a
SHA512 75844ceee768a464f7153a1b791f0d97fcbb153ad9d0c98265563394d73944fdfc05f3643179787d09d8b1abd68755d9de3e6291cb0df54b5f0ac2a308b8e2eb

memory/4060-117-0x00000207AF720000-0x00000207AF727000-memory.dmp

C:\Users\Admin\AppData\Local\ADK\MFC42u.dll

MD5 f874e7f70ba7e648e6364f4519836820
SHA1 aa29ac2a691c06d36caed0f779846bcdd864a273
SHA256 6a088ca7339d67c77901613491ff748001b45083d9d665a568bd925a34403cd3
SHA512 747730284889f497acd3275a23d6a6e9ac46a3a90be2de5889cbeafa940b44d4e10743f59a6eba54d0109aa49e7a3e3b0105486b6c51f5a9ff30ad69c1cb7b9a

C:\Users\Admin\AppData\Local\ADK\WFS.exe

MD5 58e102b977551521d268d5841c102882
SHA1 ccd5f076b6fc1b2738b9418980495df700ad034c
SHA256 37e8c54d0bd4463edce627cf303fc655ad9d02e5881754e94ece65c8a26733a5
SHA512 def1b7320cd2393be3bbc125ae59023d1314c0c7fe06369bc471896d8f91b4f3887b4f0634db89e4e4630958bf6b3c6da97c5186796ac7e1d9bb632dbdecfb96

C:\Users\Admin\AppData\Local\ADK\WFS.exe

MD5 a4fc10fb34de2050f1c2bc3bb57ca38b
SHA1 b31204bc6ba850a65c944c8c2a19427707f59bc9
SHA256 a7ce6dd8f834a9864af1790c18d15ea9a73e0af3d573a0aae5d6226894e6a2b2
SHA512 61ad5ee5beb4063230ad928d7bc07453918a9dfe576059462e9ea90389cdabf7069a09aad0c42d41588f49dac0cb0906150bc01cc06ec815a4091fa19b8ebcaf

C:\Users\Admin\AppData\Local\gvap\WINSTA.dll

MD5 d01001e27e3a8140e652d0e7c58bf51d
SHA1 f7f29d15146db5883d83ef62f007032b7974866d
SHA256 108429afda69982d1dcc1a75c728ee14c714f92f14765605c36b82f1efc280b1
SHA512 b7f06486173d60bbdfd2db50c0fdfbd079dcff261e16e46a6780034d103008e814ebc8e7887dd31a5ed1e227361dc49b8dbdb8f4ce5b88a647585e415e727819

C:\Users\Admin\AppData\Local\gvap\WINSTA.dll

MD5 41dae782693423580eaa8c26a9772e7c
SHA1 6580bf99762ac852c9e62c4d7dcfb490e3732aa0
SHA256 41883c7e3c6235b762e53989c93b3226c5043b0452eb899716c889f97b405877
SHA512 92aba9cc04221d0f809b05481eac17b665e8b504c6a368d1379a0f0c64300fcef80112522f25e19acc0383c4213e6ffcc6b6fbfbba879abaaffad3aa4f400efa

C:\Users\Admin\AppData\Local\gvap\consent.exe

MD5 6646631ce4ad7128762352da81f3b030
SHA1 1095bd4b63360fc2968d75622aa745e5523428ab
SHA256 56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64
SHA512 1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

C:\Users\Admin\AppData\Local\dSVFnZs\MFC42u.dll

MD5 d822ac764e42024860f8bc246860f8d8
SHA1 51d11a7b6d6d64a887e9b23441192aa04c3a04d5
SHA256 dee3d1fac3f1fb3b5b8eb978be94d37e90213c4b3fd1daaa7bb1eea82a81dfa2
SHA512 66be7830f258344375131914e1a85e8ba1742b91c5eedb23f1d676085381aa8755be70fdad802ac39a272602194aa64a69f76406127a199a914ff48b02db7dea

C:\Users\Admin\AppData\Local\dSVFnZs\MFC42u.dll

MD5 57c644384f898efdd1069670223b6fa6
SHA1 153a945ee8893c0d1f5c08e262a7eee0517aedea
SHA256 3a2382dee7e7aeb7f240e17b2bd53d9a47587d3fb651401350a3c510270f340c
SHA512 1f9b6ccbe698840c79e4c30429f74a3fe30198c2335713c3b92b0552157fd72892eafb49f7db41133440c3ca8ec06fafb580f4232122287e5b261d19be102c0b

memory/2508-142-0x0000023DB8F40000-0x0000023DB8F47000-memory.dmp

C:\Users\Admin\AppData\Local\dSVFnZs\shrpubw.exe

MD5 9910d5c62428ec5f92b04abf9428eec9
SHA1 05f27d7515e8ae1fa3bc974ec65b864ec4c9ac8b
SHA256 6b84e6e55d8572d7edf0b6243d00abb651fcb0cddddac8461de5f9bb80035a2e
SHA512 01be043f7ff879a683e53962eec58456ba200d6787ea66581bb62669ae65d5e58a5577cdf23441165f7a535fce1dec933e3ad2465c72172b4a1488b24ce722cb

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 ffcaa9d01c3434b14f464349f67178d0
SHA1 b7154af0a606e44cacc45b39a81dd98c1eece769
SHA256 a89c9f31810c8862b7c511fdbcb969cafa16bde8cbd951096151c629b80bd995
SHA512 6a6f46b4734d4be35e87900908b671bb0d4ced99287b29c53902726c6ae07661b0330d0ce0d79106cb9628d1eaefb18c61055beaba3a3685cdb77ecad1497869

C:\Users\Admin\AppData\Roaming\Sun\Seekc4vKb\SYSDM.CPL

MD5 e8c1d4e7df174db73428d0ba5004f090
SHA1 c16078d7046046fb6800b2b08add56edccdfa804
SHA256 076541ff52f6c0c0464fa0bf754f8f016e562d1836353018d9cf7c86c389c4d7
SHA512 ea94e88d3fdf9f532bc01c18a70dd6065b5402edc1ebff48ea40f135fa24f3bb02715096d38f1f45e338ca307165a8cfb27cd5b7a930d6aac5459ac04a284e4b

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\jFZztRz\MFC42u.dll

MD5 bbe2d681c41296565c824df4b6faa504
SHA1 2e8d7e7011c972b0a651db179b0c0112a8f2971b
SHA256 fff4ffe577adeeed35308c0d925071fa06f5ce402570a77012ea7dd046423dba
SHA512 710dc54066cac025d528b3ccb9616b1bbdcdbd7d8e4ce151a10c5417f5c5f54db33c2550753edb9f0ec6709032fa633729c9a15a955d18b580806cb9976d35ca

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\it23j0u\MFC42u.dll

MD5 6e1dd9f95694dedfe1321641f505e026
SHA1 e3852d37e0b7e91f6cf177387f39e12f8480bef8
SHA256 8f1bbecd68e1f0a46b8bbffe5275a9c90066c59955b7b25d8c6e0b42105f1a0e
SHA512 944defbf6b91f4dec0a178f3cbf092120c985aef31bfe9656b7081297cb42f63c1e94458c3228711aeb0487cd8fd2569f2d7f022dd8c2a70ba769486eb0b9386