Malware Analysis Report

2024-11-30 21:24

Sample ID 231226-as55nsdhak
Target 4679898201806dc6de8e98d5fe539ed2
SHA256 b60b7a922e6e0e011f495a1be04333582f76e52ddabefa0b020ed51a0d263cde
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b60b7a922e6e0e011f495a1be04333582f76e52ddabefa0b020ed51a0d263cde

Threat Level: Known bad

The file 4679898201806dc6de8e98d5fe539ed2 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 00:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 00:29

Reported

2023-12-27 01:29

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\5O2Cgz\\dccw.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\bKA9EJ\SystemPropertiesDataExecutionPrevention.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\system32\bKA9EJ\SystemPropertiesDataExecutionPrevention.exe C:\Windows\system32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further entries with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1184 wrote to memory of 2636 N/A N/A C:\Windows\system32\dccw.exe 3
PID 1184 wrote to memory of 2564 N/A N/A C:\Windows\system32\cmd.exe 3
PID 1184 wrote to memory of 2700 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe 3
PID 1184 wrote to memory of 2792 N/A N/A C:\Windows\system32\cmd.exe 3
PID 1184 wrote to memory of 2900 N/A N/A C:\Windows\system32\schtasks.exe 3
PID 1184 wrote to memory of 1844 N/A N/A C:\Windows\system32\schtasks.exe 3
PID 1184 wrote to memory of 2020 N/A N/A C:\Windows\system32\schtasks.exe 3
PID 1184 wrote to memory of 1852 N/A N/A C:\Windows\system32\schtasks.exe 3
PID 1184 wrote to memory of 1760 N/A N/A C:\Windows\system32\schtasks.exe 3
PID 1184 wrote to memory of 396 N/A N/A C:\Windows\system32\schtasks.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

C:\Windows\system32\dccw.exe

C:\Windows\system32\dccw.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\0FgA1.cmd

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\luhNUw.cmd

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Taqnqntix" /TR "C:\Windows\system32\bKA9EJ\SystemPropertiesDataExecutionPrevention.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Taqnqntix"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Taqnqntix"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Taqnqntix"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Taqnqntix"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Taqnqntix"

Network

N/A

Files

memory/2600-0-0x000007FEF79B0000-0x000007FEF7A51000-memory.dmp

memory/2600-1-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1184-3-0x0000000077926000-0x0000000077927000-memory.dmp

memory/1184-15-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-21-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-23-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-30-0x0000000077B31000-0x0000000077B32000-memory.dmp

memory/1184-29-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-22-0x00000000029D0000-0x00000000029D7000-memory.dmp

memory/1184-19-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-20-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-18-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-17-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-31-0x0000000077C90000-0x0000000077C92000-memory.dmp

memory/1184-16-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-14-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-13-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-40-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-12-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-11-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-9-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-10-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-8-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/2600-7-0x000007FEF79B0000-0x000007FEF7A51000-memory.dmp

memory/1184-6-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/1184-4-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/1184-45-0x0000000140000000-0x00000001400A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0FgA1.cmd

MD5 44ef23122f9c6882172880580c3a9bd2
SHA1 9c6724bd938055cbecebb960994a7306ac2e0823
SHA256 1af4c5f60134c972014575aa65709648b21b67cd641908625122d04e2ab7a5a9
SHA512 38f60c31b6509629a94d5cc29a90b40b7dd898c59ec9937ff7432a140a2e3918ec1e51e2929507e46fc7dcbc50185e40a311c77c3ac8a00a726bc120d058840c

C:\Users\Admin\AppData\Local\Temp\J8CC5.tmp

MD5 cda3d6b59074eed08ae89a3735c6a736
SHA1 0eaec007c3d670dd196029a6fd23245e0c4175e8
SHA256 86692bb36b0f8ed48076625e114804106ee01635ab889ae1e7e62462eb735b77
SHA512 050e09608eadde801217724082d83a23235cf2b5c2e6d06c19584e004ea0ea56548987608612f35f9ea7bed1436b53823b2aa7ca73927f0b930b23041a544b20

memory/1184-57-0x0000000077926000-0x0000000077927000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\luhNUw.cmd

MD5 f08ca0cadd065ffb3995794e4836930c
SHA1 ef2e6971d53f6d0f701ae49a64bf8d754bcb4e1f
SHA256 431c39141868840b9fd09bb6d56f6f1065e2f6b6def1bb9d6a426c4fd3deabc4
SHA512 e37c9a68bee0a44ae2595ea9f81c700a0ac40c02a67a87500882a56cfa6fc9b8c85b442dcada5438ce64166918821eff3bb1fa8c5288c8534ef3d202db1f2dc2

C:\Users\Admin\AppData\Local\Temp\0IBC6D.tmp

MD5 3ba00bb27baf3a06c49ed976d63a7e08
SHA1 356efc33877ca7cdd85e0188f4a76f3b9cd01b0a
SHA256 db299ecba0e57ddd72befafec1125bb7502232517cd60228aac4af8c6a33a494
SHA512 47e86386f9183c0bc5cfecaa19df13f4cc848c6f658ac2a342befbbc47cf8f10d360ff870accb724dbeec04cc057430fa8391d5bb0199b3310405fd9613369ca

C:\Users\Admin\AppData\Roaming\5O2Cgz\dccw.exe

MD5 a46cee731351eb4146db8e8a63a5c520
SHA1 8ea441e4a77642e12987ac842b36034230edd731
SHA256 283526a98a83524d21ff23f9109754c6587380b67f74cc02a9a4cd56fdb720d5
SHA512 3573c0ae21406db0c6fdda7c065fabde03235bde7f5589910822500bdfa37144f59f6e58e753e7347b899998db1dcb28050ac5a4e2c611558ae5fa405fbbc5cc

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Niubkzso.lnk

MD5 3e3b29b4c915d23f0dc2907e6314c66c
SHA1 c8425f92e910e329e85869cdba9cd32f5f206831
SHA256 876a2117d85eb40da0dfd84e399acd22b22d3797f63123f0529fd5047ce6776e
SHA512 cd5acb9340c46d875555b307eddc89f458c3994268a6a84ac24a89791745a8918233a65e14f25d51190ce11916ac742a3056049367991061134e233b7c018687

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 00:29

Reported

2023-12-27 01:29

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\mqZ.cmd

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /F /TN "Mtkoqsmyqyvls" /TR "C:\Windows\system32\xYsMc\msdt.exe" /SC minute /MO 60 /RL highest

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\KrK.cmd

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"

C:\Windows\system32\schtasks.exe

C:\Windows\system32\schtasks.exe /Query /TN "Mtkoqsmyqyvls"
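Both detonations persist the same way: a genuine Windows executable (dccw.exe and SystemPropertiesDataExecutionPrevention.exe on Windows 7, msdt.exe on Windows 10) is copied into a newly created directory under AppData\Roaming or System32 and re-launched from a scheduled task that runs every 60 minutes with /RL highest, from a Run value (Niubkzso) and from a Startup shortcut. The copied binary itself is clean; the "Loads dropped DLL" signature is the part that matters, and the DLL the copy loads is not listed under Files, so a hunt keyed on the launch points and on the relocated binary holds up better than one keyed on the DLL. The script below is an added example by the editor, not code from the report or the sandbox vendor: it parses the schtasks command lines and the Run value exactly as they appear above and flags the pattern. SAMPLE_EVENTS is constructed from the report; KNOWN_SYSTEM_BINARIES is an assumption standing in for a listing of a clean System32.

```python
"""
Added example, not part of the sandbox report: flag the persistence pattern
both detonations show, a genuine Windows executable copied into a freshly
created directory and launched again from a scheduled task (Taqnqntix,
Mtkoqsmyqyvls), a Run value (Niubkzso) or a Startup shortcut.
SAMPLE_EVENTS is constructed from the command lines and registry value in
the report; KNOWN_SYSTEM_BINARIES is an assumption (take it from a clean
System32 listing in practice).
"""
import ntpath
import re

# assumption: names of executables that ship in System32
KNOWN_SYSTEM_BINARIES = {
    "dccw.exe", "msdt.exe", "rdpclip.exe",
    "systempropertiesdataexecutionprevention.exe",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
VALUE_SWITCHES = {"TN", "TR", "SC", "MO", "RL", "ST", "RU", "RP"}
ACTIONS = {"CREATE", "QUERY", "DELETE", "CHANGE", "RUN", "END"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_RUN_VALUE = re.compile(r'\\(?:Run|RunOnce)\\(?P<name>\S+) = "(?P<data>.*)"$')


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return {'action': 'CREATE', 'TN': ..., 'TR': ..., ...} for a schtasks.exe
    command line, or None if the image is not schtasks.exe."""
    toks = split_cmdline(cmdline)
    if not toks or ntpath.basename(toks[0]).lower() != "schtasks.exe":
        return None
    parsed = {"action": None}
    i = 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].upper()
            if key in ACTIONS:
                parsed["action"] = key
            elif key in VALUE_SWITCHES and i + 1 < len(toks):
                parsed[key] = toks[i + 1]
                i += 1
            else:
                parsed[key] = True  # bare flag such as /F
        i += 1
    return parsed


def parse_run_value(line):
    """Extract (value name, command) from a sandbox 'Set value' line for a Run key.
    The report doubles the backslashes inside the data; undo that."""
    m = _RUN_VALUE.search(line)
    if not m:
        return None
    return m.group("name"), m.group("data").replace("\\\\", "\\")


def relocated_system_binary(path):
    """True when a System32 binary name sits outside System32/SysWOW64,
    e.g. under system32 in a random subdirectory or under AppData/Roaming."""
    p = path.strip('"')
    name = ntpath.basename(p).lower()
    parent = ntpath.dirname(p).lower().rstrip("\\")
    return name in KNOWN_SYSTEM_BINARIES and parent not in SYSTEM_DIRS


def assess(events):
    """Run the checks over process / registry / file events and return findings."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            task = parse_schtasks(ev["cmdline"])
            if not task or task["action"] != "CREATE":
                continue
            target = task.get("TR", "")
            reasons = []
            if relocated_system_binary(target):
                reasons.append("task runs a System32 binary from a non-standard directory")
            if str(task.get("RL", "")).lower() == "highest":
                reasons.append("task requests the highest run level")
            if str(task.get("SC", "")).lower() == "minute":
                reasons.append(f"task repeats every {task.get('MO', '1')} minute(s)")
            if reasons:
                findings.append({"kind": "schtasks", "name": task.get("TN", "?"),
                                 "path": target, "reasons": reasons})
        elif ev["type"] == "registry":
            hit = parse_run_value(ev["line"])
            if hit and relocated_system_binary(hit[1]):
                findings.append({"kind": "runkey", "name": hit[0], "path": hit[1],
                                 "reasons": ["Run value launches a copied System32 binary"]})
        elif ev["type"] == "file" and relocated_system_binary(ev["path"]):
            findings.append({"kind": "file", "name": ntpath.basename(ev["path"]),
                             "path": ev["path"],
                             "reasons": ["System32 binary written outside System32"]})
    return findings


# constructed from the report's own command lines, Run value and file paths
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\4679898201806dc6de8e98d5fe539ed2.dll,#1'},
    {"type": "process", "cmdline": r'"C:\Windows\system32\schtasks.exe" /Create /F /TN "Taqnqntix" /TR "C:\Windows\system32\bKA9EJ\SystemPropertiesDataExecutionPrevention.exe" /SC minute /MO 60 /RL highest'},
    {"type": "process", "cmdline": r'C:\Windows\system32\schtasks.exe /Query /TN "Taqnqntix"'},
    {"type": "process", "cmdline": r'"C:\Windows\system32\schtasks.exe" /Create /F /TN "Mtkoqsmyqyvls" /TR "C:\Windows\system32\xYsMc\msdt.exe" /SC minute /MO 60 /RL highest'},
    {"type": "registry", "line": r'Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\5O2Cgz\\dccw.exe"'},
    {"type": "file", "path": r"C:\Windows\system32\bKA9EJ\SystemPropertiesDataExecutionPrevention.exe"},
    {"type": "file", "path": r"C:\Windows\system32\dccw.exe"},  # the genuine binary: must not fire
]

if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS):
        print(f["kind"], f["name"], f["path"], "; ".join(f["reasons"]))
```

The genuine C:\Windows\system32\dccw.exe is deliberately included and is not flagged; only the copies in bKA9EJ, xYsMc and 5O2Cgz are. The schtasks /Query lines are parsed but ignored, since only /Create registers a launch point.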

Network

The captured traffic consists only of reverse-DNS (PTR) lookups sent to 8.8.8.8 and TLS connections to tse1.mm.bing.net, which is consistent with Windows 10 background activity (Bing content for the Start menu and PTR lookups of Microsoft service addresses) rather than sample-initiated command-and-control; no C2 traffic was recorded in either detonation.

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 56.134.221.88.in-addr.arpa udp

Files

memory/3392-0-0x00007FFFD7DD0000-0x00007FFFD7E71000-memory.dmp

memory/3392-2-0x0000013267080000-0x0000013267087000-memory.dmp

memory/3392-6-0x00007FFFD7DD0000-0x00007FFFD7E71000-memory.dmp

memory/3468-20-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-22-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-30-0x00007FFFE6080000-0x00007FFFE6090000-memory.dmp

memory/3468-41-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-39-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-29-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-23-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-21-0x00000000008E0000-0x00000000008E7000-memory.dmp

memory/3468-19-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-18-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-17-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-16-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-15-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-14-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-13-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-12-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-11-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-10-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-9-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-8-0x00007FFFE540A000-0x00007FFFE540B000-memory.dmp

memory/3468-7-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-5-0x0000000140000000-0x00000001400A1000-memory.dmp

memory/3468-3-0x0000000002A70000-0x0000000002A71000-memory.dmp
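The dump names encode PID, snapshot index and the virtual address range. In both detonations the sample DLL occupies 0xA1000 bytes in the first rundll32 process (at 0x7FEF79B0000 on Windows 7, 0x7FFFD7DD0000 on Windows 10), and a region of exactly that size appears in a second process at 0x140000000, the default ImageBase the Microsoft linker assigns to 64-bit EXEs; a 0x7000-byte region also recurs in both processes. An image parked at its unrelocated default base with no corresponding file in the process list is the usual footprint of a manually mapped loader stage, which is where extraction of the Dridex payload should start. The script below is an added example by the editor, not code from the report: it parses the names, de-duplicates repeated snapshots of the same range, reports sizes shared across PIDs, and picks out regions sitting at a default image base. The dump names are copied from this report; the reading of the 0x140000000 region as the unpacked stage is the editor's and should be confirmed against the actual dump (an MZ/PE header at offset 0 and an optional-header ImageBase of 0x140000000), which is not on the page.

```python
"""
Added example, not part of the sandbox report: parse the memory-dump names
listed under Files and pick out the region both detonations share, an image
the same size as the loaded sample DLL (0xA1000 bytes) mapped at
0x140000000 in a second process. The dump names are copied from the report;
grouping them this way is the editor's own reading.
"""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# MSVC linker defaults: an image mapped exactly here was not relocated by the loader
DEFAULT_IMAGE_BASES = {
    0x140000000: "x64 EXE default ImageBase",
    0x180000000: "x64 DLL default ImageBase",
    0x00400000: "x86 EXE default ImageBase",
    0x10000000: "x86 DLL default ImageBase",
}

# copied from the report's Files sections (behavioral1 = win7, behavioral2 = win10)
BEHAVIORAL1 = [
    "memory/2600-0-0x000007FEF79B0000-0x000007FEF7A51000-memory.dmp",
    "memory/2600-1-0x0000000000190000-0x0000000000197000-memory.dmp",
    "memory/1184-3-0x0000000077926000-0x0000000077927000-memory.dmp",
    "memory/1184-15-0x0000000140000000-0x00000001400A1000-memory.dmp",
    "memory/1184-21-0x0000000140000000-0x00000001400A1000-memory.dmp",
    "memory/1184-22-0x00000000029D0000-0x00000000029D7000-memory.dmp",
    "memory/1184-30-0x0000000077B31000-0x0000000077B32000-memory.dmp",
    "memory/2600-7-0x000007FEF79B0000-0x000007FEF7A51000-memory.dmp",
]
BEHAVIORAL2 = [
    "memory/3392-0-0x00007FFFD7DD0000-0x00007FFFD7E71000-memory.dmp",
    "memory/3392-2-0x0000013267080000-0x0000013267087000-memory.dmp",
    "memory/3468-20-0x0000000140000000-0x00000001400A1000-memory.dmp",
    "memory/3468-21-0x00000000008E0000-0x00000000008E7000-memory.dmp",
    "memory/3468-8-0x00007FFFE540A000-0x00007FFFE540B000-memory.dmp",
    "memory/3468-3-0x0000000002A70000-0x0000000002A71000-memory.dmp",
]


def parse_dump_name(name):
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp -> dict, or None."""
    m = DUMP_NAME.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """Unique (start, end) ranges per PID; repeated snapshots of one range collapse."""
    seen = defaultdict(set)
    for n in names:
        r = parse_dump_name(n)
        if r:
            seen[r["pid"]].add((r["start"], r["end"]))
    return {pid: sorted(v) for pid, v in seen.items()}


def _locations_by_size(names):
    by_size = defaultdict(list)  # size -> [(pid, start), ...]
    for pid, regs in regions_by_pid(names).items():
        for start, end in regs:
            by_size[end - start].append((pid, start))
    return by_size


def sizes_shared_across_pids(names):
    """Region sizes seen in two or more PIDs: the same blob living in several processes."""
    return {size: locs for size, locs in _locations_by_size(names).items()
            if len({pid for pid, _ in locs}) >= 2}


def find_remapped_images(names):
    """Regions at a default image base whose size also occurs in another PID at a
    different address: one image, loaded normally there and mapped by hand here."""
    hits = []
    for size, locs in _locations_by_size(names).items():
        for pid, start in locs:
            if start not in DEFAULT_IMAGE_BASES:
                continue
            twins = [(p, s) for p, s in locs if p != pid and s != start]
            if twins:
                hits.append({"pid": pid, "base": start, "size": size,
                             "why": DEFAULT_IMAGE_BASES[start], "also_seen_in": twins})
    return hits


if __name__ == "__main__":
    for label, names in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        for h in find_remapped_images(names):
            print(label, "pid", h["pid"], hex(h["base"]), hex(h["size"]), h["why"],
                  "also seen in", [(p, hex(s)) for p, s in h["also_seen_in"]])
        print(label, "sizes shared across PIDs:",
              [hex(s) for s in sizes_shared_across_pids(names)])
```

Run against the two detonations this reports one remapped image each (PID 1184 on Windows 7, PID 3468 on Windows 10, both 0xA1000 bytes at 0x140000000) and two shared sizes, 0xA1000 and 0x7000; the 0x7000 region is the other candidate worth carving from the dumps.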