Malware Analysis Report

2024-11-30 21:25

Sample ID 231226-ky1ggsdeen
Target 61f2627485987b4054ff97050f0dfe2b
SHA256 771e168408b17e5f7ae16bd3a878820d0e0a844f25d549507b6d2b9c8ed0c9e2
Tags
dridex botnet evasion payload trojan persistence
score
10/10

Analysis Overview

score
10/10

SHA256

771e168408b17e5f7ae16bd3a878820d0e0a844f25d549507b6d2b9c8ed0c9e2

Threat Level: Known bad

The file 61f2627485987b4054ff97050f0dfe2b was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Dridex payload

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 09:01

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 09:01

Reported

2023-12-27 15:14

Platform

win7-20231215-en

Max time kernel

3s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\61f2627485987b4054ff97050f0dfe2b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\61f2627485987b4054ff97050f0dfe2b.dll,#1

C:\Users\Admin\AppData\Local\v30v\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\v30v\SystemPropertiesHardware.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\DeV6irs\osk.exe

C:\Users\Admin\AppData\Local\DeV6irs\osk.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\nEke\notepad.exe

C:\Users\Admin\AppData\Local\nEke\notepad.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\notepad.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 09:01

Reported

2023-12-27 15:13

Platform

win10v2004-20231215-en

Max time kernel

139s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\61f2627485987b4054ff97050f0dfe2b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\YCW4X\\Utilman.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ehB\dpapimig.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\cY4\Utilman.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\AygmKefh\Netplwiz.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow


Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3500 wrote to memory of 4356 | N/A | N/A | C:\Windows\system32\dpapimig.exe
PID 3500 wrote to memory of 4356 | N/A | N/A | C:\Windows\system32\dpapimig.exe
PID 3500 wrote to memory of 3248 | N/A | N/A | C:\Users\Admin\AppData\Local\ehB\dpapimig.exe
PID 3500 wrote to memory of 3248 | N/A | N/A | C:\Users\Admin\AppData\Local\ehB\dpapimig.exe
PID 3500 wrote to memory of 1368 | N/A | N/A | C:\Windows\system32\Utilman.exe
PID 3500 wrote to memory of 1368 | N/A | N/A | C:\Windows\system32\Utilman.exe
PID 3500 wrote to memory of 1704 | N/A | N/A | C:\Users\Admin\AppData\Local\cY4\Utilman.exe
PID 3500 wrote to memory of 1704 | N/A | N/A | C:\Users\Admin\AppData\Local\cY4\Utilman.exe
PID 3500 wrote to memory of 4268 | N/A | N/A | C:\Windows\system32\BackgroundTransferHost.exe
PID 3500 wrote to memory of 4268 | N/A | N/A | C:\Windows\system32\BackgroundTransferHost.exe
PID 3500 wrote to memory of 3360 | N/A | N/A | C:\Users\Admin\AppData\Local\AygmKefh\Netplwiz.exe
PID 3500 wrote to memory of 3360 | N/A | N/A | C:\Users\Admin\AppData\Local\AygmKefh\Netplwiz.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\61f2627485987b4054ff97050f0dfe2b.dll,#1

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\ehB\dpapimig.exe

C:\Users\Admin\AppData\Local\ehB\dpapimig.exe

C:\Users\Admin\AppData\Local\cY4\Utilman.exe

C:\Users\Admin\AppData\Local\cY4\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Users\Admin\AppData\Local\AygmKefh\Netplwiz.exe

C:\Users\Admin\AppData\Local\AygmKefh\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

Network


Files


C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\GaM\DUI70.dll

MD5 603bedca38c1e59c5a49117bbe725e3c
SHA1 4274698f08110944de9859a2329dfafd32f4c211
SHA256 6f01557d006b423f898b40b0845787e3aacf04d56adedeb01d5a9d9428fca0da
SHA512 8845cabe5eab951c7426b74b48f83d9dff8eeb47399b012231aa1c8a0541749f42cc6066aa1eb679f8da6e22a9b242b6d58682c92dca41716bc8ecf347230682

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\YCW4X\OLEACC.dll

MD5 fc91963f9914095408400cbf68c7e63c
SHA1 ff4ee0a0e39adf602ccd607ead80381ecbc28c62
SHA256 d68dd9b61cdf6ff4f541556eb151bf6fb5a90c1661723fe6687508ba808677dd
SHA512 156b011224dd568834a48ff728d1beed53781dad993bc4e57cd08fde36e54309603f13aab930849a965d1698401a89e3c5a686fc9729045d6990b778d5108a08

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\uS\NETPLWIZ.dll

MD5 f37e4c44fa9ef56cf5166248d227f17e
SHA1 84ad32cc6b7e61d35321e8bdb45a47abc2266fc7
SHA256 d0a58ce0c8bcfe06b35e1bd56e075f48caee1ef8423dc47f07b8c95953fa11b4
SHA512 7606328375df617355429fdbe6f90952dc27397899df051b4fd224072ac260bff82575c763ff0dfebfb984b5c04b1ee0a794e9becf9b40c0e621db369e817d8c