Malware Analysis Report

2024-11-30 21:28

Sample ID 231227-alm1hsbbf3
Target 988a665960686e93f6e271c55e56873c
SHA256 250de592c42aea8b2531d46e8e62c48005c259abee9658d1ba1fd73202e18507
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 250de592c42aea8b2531d46e8e62c48005c259abee9658d1ba1fd73202e18507

Threat Level: Known bad

The file 988a665960686e93f6e271c55e56873c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-27 00:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-27 00:18

Reported: 2024-01-07 08:44

Platform: win7-20231215-en

Max time kernel: 150s

Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\988a665960686e93f6e271c55e56873c.dll,#1

Signatures

Dridex

Tags: botnet dridex

Dridex Shellcode

Tags: botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dridex payload

Tags: botnet payload
Description | Indicator | Process | Target
12 hits, no details recorded (all fields N/A)

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\W2S1\Magnify.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\oP1R62\\Magnify.exe" | N/A | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\W2S1\Magnify.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
61 further hits, no details recorded (all fields N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1420 wrote to memory of 2896 | N/A | N/A | C:\Windows\system32\psr.exe
PID 1420 wrote to memory of 2896 | N/A | N/A | C:\Windows\system32\psr.exe
PID 1420 wrote to memory of 2896 | N/A | N/A | C:\Windows\system32\psr.exe
PID 1420 wrote to memory of 2608 | N/A | N/A | C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe
PID 1420 wrote to memory of 2608 | N/A | N/A | C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe
PID 1420 wrote to memory of 2608 | N/A | N/A | C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe
PID 1420 wrote to memory of 1476 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 1420 wrote to memory of 1476 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 1420 wrote to memory of 1476 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 1420 wrote to memory of 1656 | N/A | N/A | C:\Users\Admin\AppData\Local\W2S1\Magnify.exe
PID 1420 wrote to memory of 1656 | N/A | N/A | C:\Users\Admin\AppData\Local\W2S1\Magnify.exe
PID 1420 wrote to memory of 1656 | N/A | N/A | C:\Users\Admin\AppData\Local\W2S1\Magnify.exe
PID 1420 wrote to memory of 2872 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe
PID 1420 wrote to memory of 2872 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe
PID 1420 wrote to memory of 2872 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe
PID 1420 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe
PID 1420 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe
PID 1420 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\988a665960686e93f6e271c55e56873c.dll,#1

C:\Windows\system32\psr.exe
Command line: C:\Windows\system32\psr.exe

C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe
Command line: C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe

C:\Windows\system32\Magnify.exe
Command line: C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\W2S1\Magnify.exe
Command line: C:\Users\Admin\AppData\Local\W2S1\Magnify.exe

C:\Windows\system32\EhStorAuthn.exe
Command line: C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe
Command line: C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe

Network

N/A

Files

memory/2640-0-0x000007FEF6720000-0x000007FEF67F4000-memory.dmp

memory/2640-1-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1420-3-0x0000000077536000-0x0000000077537000-memory.dmp

memory/1420-4-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/1420-7-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-8-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-9-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-11-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-12-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-14-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-15-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-17-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-19-0x0000000002590000-0x0000000002597000-memory.dmp

memory/1420-20-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-18-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-16-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-13-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-10-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-6-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-27-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-29-0x00000000777D0000-0x00000000777D2000-memory.dmp

memory/1420-28-0x00000000777A0000-0x00000000777A2000-memory.dmp

memory/1420-38-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1420-39-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/2640-47-0x000007FEF6720000-0x000007FEF67F4000-memory.dmp

\Users\Admin\AppData\Local\9JSNPZm\psr.exe

MD5 a80527109d75cba125d940b007eea151
SHA1 facf32a9ede6abfaa09368bfdfcfec8554107272
SHA256 68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495
SHA512 77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

\Users\Admin\AppData\Local\9JSNPZm\OLEACC.dll

MD5 a9c8ce24c1ede34b65340a6e65a8805b
SHA1 29d0cb900db2e28fd7b3a0ef315344548dfdf430
SHA256 ec40bed6364c6a441d5b0b2896555c89e098f4bf5fd6023d57cfa05ddbd7fb5b
SHA512 fecf8fca4702377fd4f813beef5b2628392ee69a01e2d9531d58de6f44b1907edeaa63e93a22c33ca68c33aa08ead5d321baf82136976123dff415643336ec5c

memory/2608-55-0x00000000000E0000-0x00000000000E7000-memory.dmp

memory/2608-56-0x000007FEF6D80000-0x000007FEF6E55000-memory.dmp

memory/2608-60-0x000007FEF6D80000-0x000007FEF6E55000-memory.dmp

\Users\Admin\AppData\Local\W2S1\Magnify.exe

MD5 233b45ddf77bd45e53872881cff1839b
SHA1 d4b8cafce4664bb339859a90a9dd1506f831756d
SHA256 adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a
SHA512 6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39

C:\Users\Admin\AppData\Local\W2S1\DUI70.dll

MD5 6ffcabb661851536ad9a796c4329afd9
SHA1 b496c6e7772d36354502043d8933287936e7f4cb
SHA256 7f07bc4008e7c1e996999ebcf63734b054c00f6a1199e7b39ae15957d3249410
SHA512 66dc7114be8edd52dff4803847ca73a739b1605cc10af3e6a65fd54446202784189a18e1a34d6a570ba4e89d534affd02555b934c119133ff6ab3dc63746eccd

memory/1656-73-0x000007FEF66F0000-0x000007FEF67F8000-memory.dmp

memory/1420-72-0x0000000077536000-0x0000000077537000-memory.dmp

memory/1656-76-0x000007FEF66F0000-0x000007FEF67F8000-memory.dmp

\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe

MD5 3abe95d92c80dc79707d8e168d79a994
SHA1 64b10c17f602d3f21c84954541e7092bc55bb5ab
SHA256 2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad
SHA512 70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

C:\Users\Admin\AppData\Local\8qNqH\UxTheme.dll

MD5 4429a3f1f2f991b1bd83cbda8762ef85
SHA1 ce17840032e17dc141ddafaf8cbcc713a05c8e10
SHA256 b88e9291b51854d734e42f685714779f22277c43394f71f220554fac8d01975e
SHA512 e564ae664e95e45d6fd66ed07e38bc44cd8a00e54e5f86245b93a36f6b1587320b365d6d5a9940880bc7f286b103a8fe978c29126edb4946272dfd66d7599213

memory/2776-86-0x000007FEF6720000-0x000007FEF67F5000-memory.dmp

memory/2776-88-0x0000000001B30000-0x0000000001B37000-memory.dmp

memory/2776-91-0x000007FEF6720000-0x000007FEF67F5000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 00719e193c2f9c8957ae3d0e897e445f
SHA1 19a9425c7c8e91c018f6c4554b800a5ffd8c8e86
SHA256 c2ae505eb5227ebe51efd006522571317cec98a0cd9d0b5a27302d6b0d5cafb0
SHA512 aceea434e7fa3adb72009ff65f06bc760cc987fa678ddc433077447451ec4e3dcee83c0960a4c68ab1849158bcfc27e1c04a32c0459767fd545210bf2ae89c30

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-27 00:18

Reported: 2024-01-07 08:44

Platform: win10v2004-20231222-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A