Malware Analysis Report

2024-11-30 21:05

Sample ID 231230-1846esbbfl
Target 1e48aa406f99b4d46aef4b07a2d523a7
SHA256 0e8e9f8cf167325c36810a7e2c2bade0a65f572ead4b09f1692a397837f50100
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

0e8e9f8cf167325c36810a7e2c2bade0a65f572ead4b09f1692a397837f50100

Threat Level: Known bad

The file 1e48aa406f99b4d46aef4b07a2d523a7 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 22:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 22:20

Reported

2024-01-01 08:47

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e48aa406f99b4d46aef4b07a2d523a7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\mRdfqV\perfmon.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\5bW5BHmSj\msinfo32.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\XdTcEm\spinstall.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\CKSSOL~1\\msinfo32.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mRdfqV\perfmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5bW5BHmSj\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\XdTcEm\spinstall.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (61 identical rows with no recorded description, indicator, process or target)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 1776 N/A N/A C:\Windows\system32\perfmon.exe
PID 1264 wrote to memory of 1776 N/A N/A C:\Windows\system32\perfmon.exe
PID 1264 wrote to memory of 1776 N/A N/A C:\Windows\system32\perfmon.exe
PID 1264 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\mRdfqV\perfmon.exe
PID 1264 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\mRdfqV\perfmon.exe
PID 1264 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\mRdfqV\perfmon.exe
PID 1264 wrote to memory of 112 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1264 wrote to memory of 112 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1264 wrote to memory of 112 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1264 wrote to memory of 1032 N/A N/A C:\Users\Admin\AppData\Local\5bW5BHmSj\msinfo32.exe
PID 1264 wrote to memory of 1032 N/A N/A C:\Users\Admin\AppData\Local\5bW5BHmSj\msinfo32.exe
PID 1264 wrote to memory of 1032 N/A N/A C:\Users\Admin\AppData\Local\5bW5BHmSj\msinfo32.exe
PID 1264 wrote to memory of 1192 N/A N/A C:\Windows\system32\spinstall.exe
PID 1264 wrote to memory of 1192 N/A N/A C:\Windows\system32\spinstall.exe
PID 1264 wrote to memory of 1192 N/A N/A C:\Windows\system32\spinstall.exe
PID 1264 wrote to memory of 660 N/A N/A C:\Users\Admin\AppData\Local\XdTcEm\spinstall.exe
PID 1264 wrote to memory of 660 N/A N/A C:\Users\Admin\AppData\Local\XdTcEm\spinstall.exe
PID 1264 wrote to memory of 660 N/A N/A C:\Users\Admin\AppData\Local\XdTcEm\spinstall.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e48aa406f99b4d46aef4b07a2d523a7.dll,#1

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\mRdfqV\perfmon.exe

C:\Users\Admin\AppData\Local\mRdfqV\perfmon.exe

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\5bW5BHmSj\msinfo32.exe

C:\Users\Admin\AppData\Local\5bW5BHmSj\msinfo32.exe

C:\Windows\system32\spinstall.exe

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\XdTcEm\spinstall.exe

C:\Users\Admin\AppData\Local\XdTcEm\spinstall.exe

Network

N/A

Files

memory/1216-1-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1216-0-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-4-0x0000000077806000-0x0000000077807000-memory.dmp

memory/1264-5-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/1264-7-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1216-8-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-13-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-11-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-12-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-10-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-9-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-16-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-15-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-14-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-18-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-19-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-17-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-23-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-24-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-22-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-21-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-20-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-26-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-25-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-28-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-27-0x00000000029B0000-0x00000000029B7000-memory.dmp

memory/1264-35-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-36-0x0000000077911000-0x0000000077912000-memory.dmp

memory/1264-37-0x0000000077A70000-0x0000000077A72000-memory.dmp

memory/1264-46-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-52-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1264-55-0x0000000140000000-0x0000000140119000-memory.dmp

C:\Users\Admin\AppData\Local\mRdfqV\perfmon.exe

MD5 3eb98cff1c242167df5fdbc6441ce3c5
SHA1 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
SHA256 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
SHA512 f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

C:\Users\Admin\AppData\Local\mRdfqV\Secur32.dll

MD5 5743d461e8c377fc979e9a4a3b605389
SHA1 d86b492e19b101041ee42649e75ddb48bf388a09
SHA256 8e834d6ec2ea814d47978e5889ac648f9bb6e630d91c31cff4cb0e63142cd1bd
SHA512 1f02e5879971031da673f9fb30942e9a598f1f0d1a61f7c69598c0db7f290e21d91ebcfccc8940f5e08f453bbc9419c8968ad66f87b778569ff6076d01c44233

memory/2572-65-0x0000000140000000-0x000000014011A000-memory.dmp

memory/2572-64-0x0000000000290000-0x0000000000297000-memory.dmp

memory/2572-70-0x0000000140000000-0x000000014011A000-memory.dmp

C:\Users\Admin\AppData\Local\5bW5BHmSj\MFC42u.dll

MD5 24b0c255d6bf30527ce762ea3157d553
SHA1 1eb679792dc0198a16fff7fac3160f1df2631904
SHA256 7829981b36959ebbdb95f70c7e35449bb9ba3fb95535d24c07fe8b6516ee1a78
SHA512 4d7272bdb2c972231e2b4008e36cfb81d864a48cdb499e7a4a85d20578e10be963f7d3d87bbe6ed6706998672124dc30a4a8dce18063c20352b0048304f81ff8

C:\Users\Admin\AppData\Local\5bW5BHmSj\msinfo32.exe

MD5 d291620d4c51c5f5ffa62ccdc52c5c13
SHA1 2081c97f15b1c2a2eadce366baf3c510da553cc7
SHA256 76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae
SHA512 75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

memory/1032-82-0x0000000140000000-0x0000000140120000-memory.dmp

memory/1032-85-0x0000000000180000-0x0000000000187000-memory.dmp

memory/1032-88-0x0000000140000000-0x0000000140120000-memory.dmp

\Users\Admin\AppData\Local\XdTcEm\spinstall.exe

MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

C:\Users\Admin\AppData\Local\XdTcEm\wer.dll

MD5 11de05760c8c7da43eade77ec5d91f61
SHA1 11264ddc96db35e1c9bb396f33ffae97baa293df
SHA256 112cd01abd54e5aa8f2580a739b21d23cd692068dd9e6fd7dc729fda0170d011
SHA512 dcbb0f69661e422b29a8df10d85f0cc948c49efb9e3e4f4ccd6ade382be3ef276d02e2379922d71dbf38bb3533d60cff39bcdb81d359660f7b71d6d42f880b4e

\Users\Admin\AppData\Local\XdTcEm\wer.dll

MD5 06514740a94ece421752bd8f7346b572
SHA1 a76fe4242968cf0e14b1ea8202c9259d8ac67a38
SHA256 5089ef43da1cbda5527c46c00ca406a48c88f9186194579490ab334bf9c26490
SHA512 e2c1cf3066dc616b72f1c1ff17ff1d551d087aeae07fd7f365e557dd3749619c12d8ee2ecbbe9c3daf4d20412c020b37ecc154d116895d827610b42e7aa036db

memory/660-100-0x0000000000310000-0x0000000000317000-memory.dmp

memory/660-106-0x0000000140000000-0x000000014011A000-memory.dmp

memory/1264-122-0x0000000077806000-0x0000000077807000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 76808c98966f7267843a5d6284a6fdf5
SHA1 3565ce1aebc55c8da0b7bf24a18bd52fe3c3a3f4
SHA256 aecbea5165d6cfecbf294b4338163d201bceff7ec354d68cd2519deaf61bb106
SHA512 905fdf3b3971a860ad635fc2f90a99a1c2bafe832e2054e19716937cab9988ca2805e7a0aef12000c861f8376da7d1871b4f2b2e0383b50f2f3e7f44b6bb0cd8

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 22:20

Reported

2024-01-01 08:47

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e48aa406f99b4d46aef4b07a2d523a7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e48aa406f99b4d46aef4b07a2d523a7.dll,#1

C:\Users\Admin\AppData\Local\Yn1TLe\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\Yn1TLe\BitLockerWizardElev.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\iGE\mstsc.exe

C:\Users\Admin\AppData\Local\iGE\mstsc.exe

C:\Windows\system32\mstsc.exe

C:\Windows\system32\mstsc.exe

C:\Users\Admin\AppData\Local\E882m\WFS.exe

C:\Users\Admin\AppData\Local\E882m\WFS.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 204.79.197.200:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

memory/4980-0-0x0000000140000000-0x0000000140119000-memory.dmp

memory/4980-3-0x0000017BCE770000-0x0000017BCE777000-memory.dmp

memory/4980-1-0x0000000140000000-0x0000000140119000-memory.dmp

memory/4980-8-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-17-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-24-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-31-0x0000000002F00000-0x0000000002F07000-memory.dmp

memory/3408-36-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-37-0x00007FFA82860000-0x00007FFA82870000-memory.dmp

memory/3408-48-0x0000000140000000-0x0000000140119000-memory.dmp

memory/1616-57-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1616-64-0x0000000140000000-0x000000014011B000-memory.dmp

memory/1616-60-0x000002B463C50000-0x000002B463C57000-memory.dmp

memory/3464-76-0x0000000140000000-0x000000014011A000-memory.dmp

memory/3464-82-0x0000000140000000-0x000000014011A000-memory.dmp

memory/912-99-0x0000000140000000-0x000000014011A000-memory.dmp

memory/912-95-0x000001DD1B150000-0x000001DD1B157000-memory.dmp

memory/3464-78-0x00000195E6A20000-0x00000195E6A27000-memory.dmp

memory/1616-58-0x0000000140000000-0x000000014011B000-memory.dmp

memory/3408-46-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-28-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-27-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-26-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-25-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-23-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-22-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-21-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-20-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-19-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-18-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-16-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-15-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-14-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-13-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-12-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-11-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-10-0x00007FFA81CCA000-0x00007FFA81CCB000-memory.dmp

memory/3408-9-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-7-0x0000000140000000-0x0000000140119000-memory.dmp

memory/3408-5-0x0000000002F20000-0x0000000002F21000-memory.dmp