Malware Analysis Report

2024-11-13 16:41

Sample ID 240201-t1zseahhd4
Target 875d030c5fc6c9897bd817f84ca43711
SHA256 2303cd17c0c377a2c2446c1267c7ff5a772e4cc30c721eddf332fae15489d256
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 875d030c5fc6c9897bd817f84ca43711 was found to be: Known bad.

Malicious Activity Summary

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2024-02-01 16:32

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 16:32

Reported

2024-02-01 16:34

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\875d030c5fc6c9897bd817f84ca43711.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\ZV\\taskmgr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2800 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1192 wrote to memory of 2800 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1192 wrote to memory of 2800 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1192 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe
PID 1192 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe
PID 1192 wrote to memory of 2860 N/A N/A C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe
PID 1192 wrote to memory of 1112 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1192 wrote to memory of 1112 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1192 wrote to memory of 1112 N/A N/A C:\Windows\system32\taskmgr.exe
PID 1192 wrote to memory of 1324 N/A N/A C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe
PID 1192 wrote to memory of 1324 N/A N/A C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe
PID 1192 wrote to memory of 1324 N/A N/A C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe
PID 1192 wrote to memory of 1284 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1192 wrote to memory of 1284 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1192 wrote to memory of 1284 N/A N/A C:\Windows\system32\DWWIN.EXE
PID 1192 wrote to memory of 2464 N/A N/A C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE
PID 1192 wrote to memory of 2464 N/A N/A C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE
PID 1192 wrote to memory of 2464 N/A N/A C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\875d030c5fc6c9897bd817f84ca43711.dll,#1

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe

C:\Windows\system32\taskmgr.exe

C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE

Network

N/A

Files

C:\Users\Admin\AppData\Local\iOtt4B7I\SYSDM.CPL

\Users\Admin\AppData\Local\iOtt4B7I\SYSDM.CPL

C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe

\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\OfNqYkjn\Secur32.dll

\Users\Admin\AppData\Local\OfNqYkjn\Secur32.dll

C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe

\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe

C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe

C:\Users\Admin\AppData\Local\8ipY5EaU\VERSION.dll

\Users\Admin\AppData\Local\8ipY5EaU\VERSION.dll

C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE

C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE

\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE

\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\idoRtXwx83\DWWIN.EXE

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HU\SYSDM.CPL

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\ZV\Secur32.dll

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\idoRtXwx83\VERSION.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 16:32

Reported

2024-02-01 16:34

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\875d030c5fc6c9897bd817f84ca43711.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\UProof\\AOkJb\\perfmon.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\aKU\perfmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3476 wrote to memory of 4584 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3476 wrote to memory of 4584 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3476 wrote to memory of 2108 N/A N/A C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe
PID 3476 wrote to memory of 2108 N/A N/A C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe
PID 3476 wrote to memory of 3656 N/A N/A C:\Windows\system32\perfmon.exe
PID 3476 wrote to memory of 3656 N/A N/A C:\Windows\system32\perfmon.exe
PID 3476 wrote to memory of 4932 N/A N/A C:\Users\Admin\AppData\Local\aKU\perfmon.exe
PID 3476 wrote to memory of 4932 N/A N/A C:\Users\Admin\AppData\Local\aKU\perfmon.exe
PID 3476 wrote to memory of 2932 N/A N/A C:\Windows\system32\rdpinit.exe
PID 3476 wrote to memory of 2932 N/A N/A C:\Windows\system32\rdpinit.exe
PID 3476 wrote to memory of 4804 N/A N/A C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe
PID 3476 wrote to memory of 4804 N/A N/A C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\875d030c5fc6c9897bd817f84ca43711.dll,#1

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\aKU\perfmon.exe

C:\Windows\system32\rdpinit.exe

C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\pN8UjZK6U\SYSDM.CPL

C:\Users\Admin\AppData\Local\pN8UjZK6U\SYSDM.CPL

C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\aKU\credui.dll

C:\Users\Admin\AppData\Local\aKU\credui.dll

C:\Users\Admin\AppData\Local\aKU\perfmon.exe

C:\Users\Admin\AppData\Local\aKU\perfmon.exe

C:\Users\Admin\AppData\Local\Gxb4\dwmapi.dll

C:\Users\Admin\AppData\Local\Gxb4\dwmapi.dll

C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe

C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\EQt19Hh\SYSDM.CPL

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\AOkJb\credui.dll

C:\Users\Admin\AppData\Roaming\Sun\ArRkyy4tW\dwmapi.dll
