Malware Analysis Report

2024-11-30 21:27

Sample ID 231227-d1rh2ahaa2
Target a0f41bb92994a10264ad86e919305f37
SHA256 d184fdbcb99208ebb87d37628cc85ab3a262db30b4d5db1269c3d99ed83ed026
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d184fdbcb99208ebb87d37628cc85ab3a262db30b4d5db1269c3d99ed83ed026

Threat Level: Known bad

The file a0f41bb92994a10264ad86e919305f37 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex payload

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-27 03:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-27 03:28

Reported

2024-01-07 13:36

Platform

win7-20231215-en

Max time kernel

149s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0f41bb92994a10264ad86e919305f37.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A (11 matches; indicator, process and target fields not recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\BpKmPs\DeviceDisplayObjectProvider.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\8APE2\fveprompt.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\8LclAGMys\rrinstaller.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\KkXpg9m\\FVEPRO~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8LclAGMys\rrinstaller.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BpKmPs\DeviceDisplayObjectProvider.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8APE2\fveprompt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (3 matches)
N/A N/A N/A N/A (57 matches; process field not recorded)
N/A N/A C:\Users\Admin\AppData\Local\BpKmPs\DeviceDisplayObjectProvider.exe N/A (2 matches)
N/A N/A N/A N/A (2 matches; process field not recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 356 (3 writes) N/A N/A C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 2620 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\BpKmPs\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 2096 (3 writes) N/A N/A C:\Windows\system32\fveprompt.exe
PID 1204 wrote to memory of 2064 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\8APE2\fveprompt.exe
PID 1204 wrote to memory of 1320 (3 writes) N/A N/A C:\Windows\system32\rrinstaller.exe
PID 1204 wrote to memory of 2280 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\8LclAGMys\rrinstaller.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0f41bb92994a10264ad86e919305f37.dll,#1

C:\Users\Admin\AppData\Local\BpKmPs\DeviceDisplayObjectProvider.exe
Command line: C:\Users\Admin\AppData\Local\BpKmPs\DeviceDisplayObjectProvider.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe
Command line: C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\8APE2\fveprompt.exe
Command line: C:\Users\Admin\AppData\Local\8APE2\fveprompt.exe

C:\Windows\system32\fveprompt.exe
Command line: C:\Windows\system32\fveprompt.exe

C:\Users\Admin\AppData\Local\8LclAGMys\rrinstaller.exe
Command line: C:\Users\Admin\AppData\Local\8LclAGMys\rrinstaller.exe

C:\Windows\system32\rrinstaller.exe
Command line: C:\Windows\system32\rrinstaller.exe

Network

N/A

Files

memory/2232-0-0x000007FEF6690000-0x000007FEF6748000-memory.dmp

memory/2232-1-0x0000000000230000-0x0000000000237000-memory.dmp

memory/1204-3-0x0000000076EB6000-0x0000000076EB7000-memory.dmp

memory/1204-17-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-18-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-27-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-29-0x0000000077150000-0x0000000077152000-memory.dmp

memory/1204-38-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-28-0x0000000077120000-0x0000000077122000-memory.dmp

memory/1204-20-0x0000000002530000-0x0000000002537000-memory.dmp

memory/1204-19-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-16-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-15-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-14-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-13-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-12-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-11-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-10-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-9-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-8-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-7-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-6-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/1204-4-0x0000000002550000-0x0000000002551000-memory.dmp

memory/2232-41-0x000007FEF6690000-0x000007FEF6748000-memory.dmp

memory/1204-40-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/2620-57-0x0000000000180000-0x0000000000187000-memory.dmp

memory/2620-59-0x000007FEF66B0000-0x000007FEF6769000-memory.dmp

memory/2620-55-0x000007FEF66B0000-0x000007FEF6769000-memory.dmp

memory/1204-102-0x0000000076EB6000-0x0000000076EB7000-memory.dmp

memory/2064-169-0x00000000006B0000-0x00000000006B7000-memory.dmp

memory/2064-173-0x000007FEF66B0000-0x000007FEF6769000-memory.dmp

memory/2280-284-0x0000000000290000-0x0000000000297000-memory.dmp

memory/2280-286-0x000007FEF6130000-0x000007FEF61EA000-memory.dmp

memory/2280-282-0x000007FEF6130000-0x000007FEF61EA000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\lBXRQlhw\XmlLite.dll

MD5 0bbba9670e1fcc6db991c05533b50f22
SHA1 e527b5a4595bea07888cff28e580e1ab6fd46eeb
SHA256 207558c238fb6e7f109ff9a5a133ae49ac87207e82b259d96afdc819cc934c99
SHA512 54a53c2f9973cea7f3a03ecb1f0e219bf14aaa483e1e7accdaa0993ab196a562eb6f752e192f0170512165ec4604d09ac8b52512b79e8ebe4408f02961b71eb5

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\KkXpg9m\slc.dll

MD5 de3eab134e90b1b04f61c189b97a976c
SHA1 63023778097abb4232709b7c41e21ab3a3e25611
SHA256 d7bfe0a6975f95312787179359e10ebbaeea22a031268bce1152e1768687dc5f
SHA512 0cfc7c6c807270f21032afe5f0496d97f378cbbe46a5f42903833596d0fdeaa96d2b8ff29fd8a823199b9a9670e3f6b8293c09f7ef588d93d28275757a4d3b7f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\vLT\MFPlat.DLL

MD5 5f648c151134add4109185564c158cc4
SHA1 10343ec58b55fe7cbd2fd94e7b347eef274a82d0
SHA256 4e36a149477e6136e05e11d448272ca234767501d84eb2f058c042520cbdf388
SHA512 8692a981c3c62055f3adf0d7a445592f6645bbf213421c61dbdc727885049e95c35d04665425789865b40a0b93114419b2542bc58fc3c41b0e04eeaa0fb3b894

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-27 03:28

Reported

2024-01-07 13:36

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0f41bb92994a10264ad86e919305f37.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
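The two registry signatures in this report (the Run key written under the user hive in behavioral1, and the EnableLUA reads by rundll32.exe and by the three copied system binaries in behavioral1 and behavioral2) can be triaged mechanically from the indicator rows. The following is an added example, not part of the sandbox report and not the sandbox's own detection logic: it parses the rows exactly as they appear above and applies two assumptions of its own, that an autorun target under the user profile or written with 8.3 short names (FLASHP~1, FVEPRO~1.EXE) is worth flagging, and that an EnableLUA read is only unremarkable when the reader lives in the system directory.

```python
"""
Registry-indicator triage for the "Adds Run key" and "Checks whether UAC is
enabled" rows of this report. Added example; the parsing and the two
heuristics are this example's own, not the sandbox's detection logic.
"""
import re

# Constructed input: the indicator rows copied from the signature tables of
# behavioral1 and behavioral2 (Description, Indicator, Process, Target).
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\KkXpg9m\\FVEPRO~1.EXE" N/A N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8LclAGMys\rrinstaller.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BpKmPs\DeviceDisplayObjectProvider.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8APE2\fveprompt.exe N/A',
]

# 'Set value (str) <key>\Run\<name> = "<data>" ...'; the sandbox renders the
# string data with doubled backslashes, undone in normalise_path().
RUN_RE = re.compile(r'^Set value \(\w+\) (?P<key>\\REGISTRY\\\S*\\Run\\(?P<name>\S+)) = "(?P<data>[^"]*)"')
# 'Key value queried <key> <process> ...'
QUERY_RE = re.compile(r'^Key value queried (?P<key>\\REGISTRY\\\S+) (?P<proc>\S+)')
# an 8.3 short-name component such as FLASHP~1 or FVEPRO~1.EXE
SHORT_NAME_RE = re.compile(r'~\d+(?:\.|\\|$)')


def normalise_path(data):
    return data.replace('\\\\', '\\')


def under_user_profile(path):
    low = path.lower()
    return low.startswith('c:\\users\\') or '\\appdata\\' in low


def in_system_dir(path):
    low = path.lower()
    return low.startswith('c:\\windows\\system32\\') or low.startswith('c:\\windows\\syswow64\\')


def analyse(rows):
    """One finding per parsed row; 'reasons' is empty when nothing looks off."""
    findings = []
    for row in rows:
        m = RUN_RE.match(row)
        if m:
            target = normalise_path(m['data'])
            reasons = []
            if under_user_profile(target):
                reasons.append('autorun target lives in the user profile')
            if SHORT_NAME_RE.search(target):
                reasons.append('path written with 8.3 short names')
            findings.append({'kind': 'run_key', 'name': m['name'],
                             'target': target, 'reasons': reasons})
            continue
        m = QUERY_RE.match(row)
        if m and m['key'].lower().endswith('\\enablelua'):
            proc = m['proc']
            reasons = [] if in_system_dir(proc) else \
                ['EnableLUA read by a binary outside the system directory']
            findings.append({'kind': 'uac_check', 'process': proc, 'reasons': reasons})
    return findings


def suspicious(findings):
    return [f for f in findings if f['reasons']]


if __name__ == '__main__':
    for f in suspicious(analyse(REPORT_ROWS)):
        print(f)
```

On this report the Run key and three of the four EnableLUA reads are flagged; the read by C:\Windows\system32\rundll32.exe is not, which is the caveat to keep in mind: a path-based rule cannot see that rundll32 is hosting a DLL from %TEMP%, so the process-level context from the command line has to be joined in separately.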

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0f41bb92994a10264ad86e919305f37.dll,#1

C:\Users\Admin\AppData\Local\MQ5QMkVgO\rdpinput.exe
Command line: C:\Users\Admin\AppData\Local\MQ5QMkVgO\rdpinput.exe

C:\Windows\system32\rdpinput.exe
Command line: C:\Windows\system32\rdpinput.exe

C:\Windows\system32\SystemSettingsRemoveDevice.exe
Command line: C:\Windows\system32\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\5SWzjLM\SystemSettingsRemoveDevice.exe
Command line: C:\Users\Admin\AppData\Local\5SWzjLM\SystemSettingsRemoveDevice.exe

C:\Windows\system32\bdechangepin.exe
Command line: C:\Windows\system32\bdechangepin.exe

C:\Users\Admin\AppData\Local\0m9QYl0ar\bdechangepin.exe
Command line: C:\Users\Admin\AppData\Local\0m9QYl0ar\bdechangepin.exe
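Both process lists show the same shape: rundll32.exe loads the sample DLL from %TEMP% by ordinal (#1), and then each of three Windows binaries (DeviceDisplayObjectProvider.exe, fveprompt.exe and rrinstaller.exe on Windows 7; rdpinput.exe, SystemSettingsRemoveDevice.exe and bdechangepin.exe on Windows 10) is started both from C:\Windows\system32 and from a randomly named folder under AppData\Local. The following added example, not part of the report, turns that observation into two checks over the (image path, command line) pairs listed above. Its rules are its own assumptions: a file name seen under a system directory and elsewhere in the same run is reported as a copied system binary, and a rundll32 argument pointing into a user-writable directory or calling an export by ordinal is reported as well.

```python
"""
Masquerading check over the process lists of behavioral1 and behavioral2.
Added example; the paths and command lines are copied from this report,
the two rules are this example's own heuristics.
"""
import ntpath


def same(path):
    # processes whose recorded command line is just the image path
    return (path, path)


# Constructed input: (image path, command line) pairs as listed under "Processes".
RUNDLL32 = (r'C:\Windows\system32\rundll32.exe',
            r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0f41bb92994a10264ad86e919305f37.dll,#1')

PROCESSES_WIN7 = [
    RUNDLL32,
    same(r'C:\Users\Admin\AppData\Local\BpKmPs\DeviceDisplayObjectProvider.exe'),
    same(r'C:\Windows\system32\DeviceDisplayObjectProvider.exe'),
    same(r'C:\Users\Admin\AppData\Local\8APE2\fveprompt.exe'),
    same(r'C:\Windows\system32\fveprompt.exe'),
    same(r'C:\Users\Admin\AppData\Local\8LclAGMys\rrinstaller.exe'),
    same(r'C:\Windows\system32\rrinstaller.exe'),
]
PROCESSES_WIN10 = [
    RUNDLL32,
    same(r'C:\Users\Admin\AppData\Local\MQ5QMkVgO\rdpinput.exe'),
    same(r'C:\Windows\system32\rdpinput.exe'),
    same(r'C:\Windows\system32\SystemSettingsRemoveDevice.exe'),
    same(r'C:\Users\Admin\AppData\Local\5SWzjLM\SystemSettingsRemoveDevice.exe'),
    same(r'C:\Windows\system32\bdechangepin.exe'),
    same(r'C:\Users\Admin\AppData\Local\0m9QYl0ar\bdechangepin.exe'),
]

SYSTEM_DIRS = {'c:\\windows\\system32', 'c:\\windows\\syswow64'}


def in_system_dir(image):
    return ntpath.dirname(image).lower() in SYSTEM_DIRS


def find_system_binary_copies(processes):
    """Rule 1: the same file name started from a system directory and from
    somewhere else in the same run. The report happens to list the genuine
    copy too; on a live host compare against a System32 directory listing."""
    by_name = {}
    for image, _cmd in processes:
        by_name.setdefault(ntpath.basename(image).lower(), set()).add(image)
    findings = []
    for name, images in sorted(by_name.items()):
        legit = sorted(i for i in images if in_system_dir(i))
        copies = sorted(i for i in images if not in_system_dir(i))
        if not (legit and copies):
            continue
        for copy in copies:
            findings.append({'rule': 'system_binary_copy', 'name': name,
                             'copy': copy, 'original': legit[0]})
    return findings


def find_rundll32_user_dlls(processes):
    """Rule 2: rundll32 asked to load a DLL from a user-writable directory or
    to call an export by ordinal (#n). Assumes the unquoted, space-free
    '<dll>,<export>' argument form seen in this report."""
    findings = []
    for image, cmd in processes:
        if ntpath.basename(image).lower() != 'rundll32.exe':
            continue
        args = cmd.split()
        if len(args) < 2:
            continue
        dll, sep, export = args[1].rpartition(',')
        if not sep:                      # no ',export' part at all
            dll, export = args[1], ''
        low = dll.lower()
        reasons = []
        if '\\appdata\\' in low or '\\temp\\' in low:
            reasons.append('DLL loaded from a user-writable directory')
        if export.startswith('#'):
            reasons.append('export called by ordinal')
        if reasons:
            findings.append({'rule': 'rundll32_user_dll', 'dll': dll,
                             'export': export, 'reasons': reasons})
    return findings


def triage(processes):
    return find_system_binary_copies(processes) + find_rundll32_user_dlls(processes)


if __name__ == '__main__':
    for label, procs in (('win7', PROCESSES_WIN7), ('win10', PROCESSES_WIN10)):
        for f in triage(procs):
            print(label, f)
```

Each run yields three copied-binary findings and one rundll32 finding. Rule 1 only works here because the sandbox recorded the System32 originals as processes as well (they are the write targets 356, 2096 and 1320 in the WriteProcessMemory table); in production the comparison set should be a baseline of System32 file names, not the event stream itself.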

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 93.184.221.240:80 N/A tcp
US 204.79.197.200:443 g.bing.com tcp

Files

memory/1788-0-0x00007FFE27A70000-0x00007FFE27B28000-memory.dmp

memory/1788-2-0x00000230E7C30000-0x00000230E7C37000-memory.dmp

memory/3408-11-0x00007FFE3562A000-0x00007FFE3562B000-memory.dmp

memory/3408-19-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-27-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-29-0x00007FFE36790000-0x00007FFE367A0000-memory.dmp

memory/3408-38-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-28-0x00007FFE367A0000-0x00007FFE367B0000-memory.dmp

memory/3408-21-0x0000000002580000-0x0000000002587000-memory.dmp

memory/3408-18-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-17-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-16-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-15-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-14-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-13-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-12-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-10-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-9-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-8-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-7-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-6-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-5-0x0000000140000000-0x00000001400B8000-memory.dmp

memory/3408-3-0x0000000002E70000-0x0000000002E71000-memory.dmp

memory/1788-41-0x00007FFE27A70000-0x00007FFE27B28000-memory.dmp

memory/3136-53-0x00007FFE27870000-0x00007FFE2792A000-memory.dmp

memory/3136-50-0x000002AF36CC0000-0x000002AF36CC7000-memory.dmp

memory/3136-48-0x00007FFE27870000-0x00007FFE2792A000-memory.dmp

memory/2020-64-0x00007FFE27770000-0x00007FFE2786E000-memory.dmp

memory/2020-69-0x00007FFE27770000-0x00007FFE2786E000-memory.dmp

memory/2020-65-0x0000029E51D60000-0x0000029E51D67000-memory.dmp

memory/2484-80-0x00007FFE17B70000-0x00007FFE17C6E000-memory.dmp

memory/2484-85-0x00007FFE17B70000-0x00007FFE17C6E000-memory.dmp

memory/2484-82-0x000002256E8B0000-0x000002256E8B7000-memory.dmp
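The memory-dump names in both "Files" sections follow one pattern, memory/<pid>-<n>-<start>-<end>-memory.dmp, and most of them are repeat dumps of the same range, which hides two things worth noticing: a region at 0x140000000 (the default image base the MSVC linker assigns to 64-bit EXEs) is dumped repeatedly from PID 1204 on Windows 7 and PID 3408 on Windows 10, the PIDs that the WriteProcessMemory rows name as the writer, and its size, 0xB8000 bytes, equals the size of the region first dumped from the rundll32 process (2232 and 1788) in each run. The following added example, not part of the report, parses a subset of the names copied from above, collapses the repeats, and groups regions by start address and by size so that such matches stand out; the grouping logic is this example's own.

```python
"""
Memory-dump name triage for the "Files" sections of behavioral1 and
behavioral2. Added example; the names below are a subset copied from this
report, the grouping logic is this example's own.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the dump names listed above
# (behavioral1 PIDs 2232/1204/2620/2280, behavioral2 PIDs 1788/3408/3136).
DUMPS = [
    'memory/2232-0-0x000007FEF6690000-0x000007FEF6748000-memory.dmp',
    'memory/2232-1-0x0000000000230000-0x0000000000237000-memory.dmp',
    'memory/1204-3-0x0000000076EB6000-0x0000000076EB7000-memory.dmp',
    'memory/1204-17-0x0000000140000000-0x00000001400B8000-memory.dmp',
    'memory/1204-18-0x0000000140000000-0x00000001400B8000-memory.dmp',
    'memory/1204-20-0x0000000002530000-0x0000000002537000-memory.dmp',
    'memory/1204-38-0x0000000140000000-0x00000001400B8000-memory.dmp',
    'memory/2232-41-0x000007FEF6690000-0x000007FEF6748000-memory.dmp',
    'memory/2620-57-0x0000000000180000-0x0000000000187000-memory.dmp',
    'memory/2620-59-0x000007FEF66B0000-0x000007FEF6769000-memory.dmp',
    'memory/2280-286-0x000007FEF6130000-0x000007FEF61EA000-memory.dmp',
    'memory/1788-0-0x00007FFE27A70000-0x00007FFE27B28000-memory.dmp',
    'memory/1788-2-0x00000230E7C30000-0x00000230E7C37000-memory.dmp',
    'memory/3408-19-0x0000000140000000-0x00000001400B8000-memory.dmp',
    'memory/3408-27-0x0000000140000000-0x00000001400B8000-memory.dmp',
    'memory/3136-50-0x000002AF36CC0000-0x000002AF36CC7000-memory.dmp',
]

DUMP_RE = re.compile(r'^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)'
                     r'-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$')
X64_EXE_IMAGE_BASE = 0x140000000   # link.exe default /BASE for 64-bit EXEs


def parse_dump_name(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError('not a sandbox dump name: ' + name)
    start, end = int(m['start'], 16), int(m['end'], 16)
    return {'pid': int(m['pid']), 'index': int(m['idx']),
            'start': start, 'end': end, 'size': end - start}


def regions_by_pid(names):
    """pid -> {(start, end): number of dumps taken of that range}"""
    out = defaultdict(lambda: defaultdict(int))
    for name in names:
        d = parse_dump_name(name)
        out[d['pid']][(d['start'], d['end'])] += 1
    return {pid: dict(regs) for pid, regs in out.items()}


def pids_with_region_at(names, base=X64_EXE_IMAGE_BASE):
    """PIDs holding a dumped region that starts at `base`."""
    return sorted(pid for pid, regs in regions_by_pid(names).items()
                  if any(start == base for start, _ in regs))


def regions_by_size(names):
    """size -> {(pid, start)}; equal-sized blobs across PIDs or runs are
    the first candidates to diff against each other."""
    out = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        out[d['size']].add((d['pid'], d['start']))
    return dict(out)


if __name__ == '__main__':
    for pid, regs in sorted(regions_by_pid(DUMPS).items()):
        for (start, end), n in sorted(regs.items()):
            print(f'pid {pid}: 0x{start:X}-0x{end:X} size 0x{end - start:X} ({n} dumps)')
    print('regions at the x64 EXE image base in PIDs', pids_with_region_at(DUMPS))
```

A region at the default EXE image base inside a process that was not started from that image is not proof of injection on its own, but combined with the WriteProcessMemory rows and the equal 0xB8000 size it tells you which dumps to open first and which ones are the same blob captured more than once.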