Malware Analysis Report

2024-11-30 21:12

Sample ID 231230-f2e8hadbfp
Target 0fe25a00394d1eaf4e182704b924fd54
SHA256 4ba3c5dd250ef9b7afbd8968e20eef9be70988e415d4e8bb7480ac3f5ffb159c
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 4ba3c5dd250ef9b7afbd8968e20eef9be70988e415d4e8bb7480ac3f5ffb159c

Threat Level: Known bad

The file 0fe25a00394d1eaf4e182704b924fd54 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-30 05:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-30 05:21
Reported 2023-12-31 00:46
Platform win7-20231215-en
Max time kernel 150s
Max time network 123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fe25a00394d1eaf4e182704b924fd54.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\wD7\raserver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\oA6prJUCy\\isoburn.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wD7\raserver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 2616 N/A N/A C:\Windows\system32\raserver.exe
PID 1264 wrote to memory of 1200 N/A N/A C:\Users\Admin\AppData\Local\wD7\raserver.exe
PID 1264 wrote to memory of 1920 N/A N/A C:\Windows\system32\isoburn.exe
PID 1264 wrote to memory of 844 N/A N/A C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe
PID 1264 wrote to memory of 2936 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1264 wrote to memory of 1968 N/A N/A C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fe25a00394d1eaf4e182704b924fd54.dll

C:\Windows\system32\raserver.exe

C:\Windows\system32\raserver.exe

C:\Users\Admin\AppData\Local\wD7\raserver.exe

C:\Users\Admin\AppData\Local\wD7\raserver.exe

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe

C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe

Network

N/A

Files

\Users\Admin\AppData\Local\wD7\raserver.exe

MD5 cd0bc0b6b8d219808aea3ecd4e889b19
SHA1 9f8f4071ce2484008e36fdfd963378f4ebad703f
SHA256 16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c
SHA512 84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac

C:\Users\Admin\AppData\Local\wD7\WTSAPI32.dll

MD5 03a499490d7a6cc8a74430ac8ec4586c
SHA1 60b61164ccbf137f2ad57e575cd8993de1cb27fc
SHA256 a2d4475b67052bad51f39f1f7e698bbab98069e1fe6ab5f6fae8161afe764f42
SHA512 19276795714945ca480f91dc93c807ddfc8ea8363ac4dad2cea2712ee248660a4adfe17bb808bdb4cf3ca5f106fe5aa84424b8f077065b958e3ae8d0f2f2e02a

\Users\Admin\AppData\Local\wD7\WTSAPI32.dll

MD5 661f67d2bb4ae42591569768a6e788db
SHA1 0f3bcfc356a5ac687e7d957656da00c75a331aca
SHA256 df12010a3acd528cf221fb24572e18a5cdc0feb62801a9ec2c1f81f67bfd624b
SHA512 d623de91dd5f57f1b912363ff4926f7881abf27acdf2f7a6639d8b9663e0a2ee2a264c9952bb3df6e8632f233f633ddec82ea20730d21ed072521f3cb84d0d60

\Users\Admin\AppData\Local\S1G6u\isoburn.exe

MD5 f8051f06e1c4aa3f2efe4402af5919b1
SHA1 bbcf3711501dfb22b04b1a6f356d95a6d5998790
SHA256 50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a
SHA512 5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

C:\Users\Admin\AppData\Local\S1G6u\UxTheme.dll

MD5 c070a464999249496fa4440e1b661aea
SHA1 7be194282fb4dd365d6a904affeac221718bb7a3
SHA256 6e68d541b5ecd18253df54bbb179be5a18190012bd8bcf50fef7138f20487708
SHA512 3ce3e4a92e1e7303ae68aff1b3a0145f6037b500bcb2412b787695eb3176bc4dace759ad159af5a9d985559df1505ec4fe8f1e846b5e074d614960fb8490fb0f

\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe

MD5 9728725678f32e84575e0cd2d2c58e9b
SHA1 dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c
SHA256 d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544
SHA512 a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

C:\Users\Admin\AppData\Local\JFC7h\MFC42u.dll

MD5 eb5fa18cb862b39867955dee3b722652
SHA1 22c70dcd137be63601c9657edb763eac15a6f09c
SHA256 fc19f6a99292b5b4fcbdfd2c5bfa6cd5e8bac679a4ded62c9da6865a88d73837
SHA512 77ad238f4fd137d1a863d21201dba841de8651a047d355b7446ed8dd737dea15099a415263e2debe6a5b2211b796a7b26b92123b1ea7b892619d9bee3a101214

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 41338688a03f3c3fd88bf947b664cfb6
SHA1 24d607e242bf58652dcefc89c71cb0420b0f2a93
SHA256 e674d30df9de532c92f411c1173053a8b73741b093359638695274b63fa89805
SHA512 2f5d51917800cb44f23f25dfd2caec02ff82ebd357cc1d4e3af56980a9381116bbce68ad21ced6970e83c3457f970d7d013f6166a3987558ac4282c8268db87e

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-30 05:21
Reported 2023-12-31 00:47
Platform win10v2004-20231215-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A