Malware Analysis Report

2024-11-30 21:15

Sample ID 231230-dzdksabham
Target 0ce95ebf131e91dbf0073b92f8412db5
SHA256 b9816e734f5583ed6e74f7fbd75dfe772fab8d14c81be28d79d77130015c4d40
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b9816e734f5583ed6e74f7fbd75dfe772fab8d14c81be28d79d77130015c4d40

Threat Level: Known bad

The file 0ce95ebf131e91dbf0073b92f8412db5 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 03:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 03:26

Reported

2023-12-30 19:06

Platform

win7-20231129-en

Max time kernel

132s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ce95ebf131e91dbf0073b92f8412db5.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\uBqx7QE\SystemPropertiesAdvanced.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\GKW0HZ3qH\wscript.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\zlnAOdeV\TpmInit.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\XPTONQ~1\\wscript.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\GKW0HZ3qH\wscript.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\zlnAOdeV\TpmInit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uBqx7QE\SystemPropertiesAdvanced.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2632 N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 1204 wrote to memory of 2632 N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 1204 wrote to memory of 2632 N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 1204 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\uBqx7QE\SystemPropertiesAdvanced.exe
PID 1204 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\uBqx7QE\SystemPropertiesAdvanced.exe
PID 1204 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\uBqx7QE\SystemPropertiesAdvanced.exe
PID 1204 wrote to memory of 1924 N/A N/A C:\Windows\system32\wscript.exe
PID 1204 wrote to memory of 1924 N/A N/A C:\Windows\system32\wscript.exe
PID 1204 wrote to memory of 1924 N/A N/A C:\Windows\system32\wscript.exe
PID 1204 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\GKW0HZ3qH\wscript.exe
PID 1204 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\GKW0HZ3qH\wscript.exe
PID 1204 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\GKW0HZ3qH\wscript.exe
PID 1204 wrote to memory of 1448 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1204 wrote to memory of 1448 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1204 wrote to memory of 1448 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1204 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\zlnAOdeV\TpmInit.exe
PID 1204 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\zlnAOdeV\TpmInit.exe
PID 1204 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\zlnAOdeV\TpmInit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ce95ebf131e91dbf0073b92f8412db5.dll,#1

C:\Users\Admin\AppData\Local\uBqx7QE\SystemPropertiesAdvanced.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\GKW0HZ3qH\wscript.exe

C:\Windows\system32\wscript.exe

C:\Windows\system32\TpmInit.exe

C:\Users\Admin\AppData\Local\zlnAOdeV\TpmInit.exe

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\XPtonQjNAvZ\VERSION.dll

MD5 952c626d7967419f5b0b682ae3749814
SHA1 70d081c433aecc3d8454c3f4d49e2c7046b757dd
SHA256 43ed736bc51828543a60714f7c58ac1942a4cade6c5f86850a11059e36cd341c
SHA512 88b60ba2d46018213889f625d459f2ddb414049cae0728031653ac437d28d8f6bdb9741b57f6b91cf389622d00f388268c88c43fe7cab4dcdde088a2d468e3d2

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\76RVLVYY\kocM\ACTIVEDS.dll

MD5 e29aa7be4ba53f4546dc53e8052bd87e
SHA1 f7aed57aa4a1e3c435f1d5d5a5739aa2ba1574a2
SHA256 7b8c8c541493566acfdfa329e37040dd055a6cb9e67416c0ae1b427e8a859c8f
SHA512 cfd4d518574560cd05eb5b7ca9ba427ae4afef984fd5931bd98744077e764bbc087cbdb2332c613394c1766e0a31eb8a94000de77136edc29cfb67a058eaeefd

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 03:26

Reported

2023-12-30 19:06

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

78s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ce95ebf131e91dbf0073b92f8412db5.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ce95ebf131e91dbf0073b92f8412db5.dll,#1

C:\Windows\system32\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\celaO\MDMAppInstaller.exe

C:\Windows\system32\MDMAppInstaller.exe

C:\Windows\system32\mspaint.exe

C:\Users\Admin\AppData\Local\ekbD1\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\SrToPzUu\mspaint.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 183.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 59.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files
