Malware Analysis Report

2024-11-30 21:07

Sample ID 231230-kvlh6addhk
Target 13d90e1b8ddda68fa897813f073ba521
SHA256 45fe64048c39ba964359cc11aed7e5da0bcac95115eebfafad445e548246b8fc
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

45fe64048c39ba964359cc11aed7e5da0bcac95115eebfafad445e548246b8fc

Threat Level: Known bad

The file 13d90e1b8ddda68fa897813f073ba521 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-12-30 08:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 08:55

Reported

2023-12-31 09:15

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\13d90e1b8ddda68fa897813f073ba521.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\g7V\msra.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\MjFZ\\UI0DET~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\g7V\msra.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1388 wrote to memory of 2524 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 1388 wrote to memory of 2524 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 1388 wrote to memory of 2524 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 1388 wrote to memory of 856 | N/A | N/A | C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe
PID 1388 wrote to memory of 856 | N/A | N/A | C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe
PID 1388 wrote to memory of 856 | N/A | N/A | C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe
PID 1388 wrote to memory of 2300 | N/A | N/A | C:\Windows\system32\UI0Detect.exe
PID 1388 wrote to memory of 2300 | N/A | N/A | C:\Windows\system32\UI0Detect.exe
PID 1388 wrote to memory of 2300 | N/A | N/A | C:\Windows\system32\UI0Detect.exe
PID 1388 wrote to memory of 2420 | N/A | N/A | C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe
PID 1388 wrote to memory of 2420 | N/A | N/A | C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe
PID 1388 wrote to memory of 2420 | N/A | N/A | C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe
PID 1388 wrote to memory of 1524 | N/A | N/A | C:\Windows\system32\msra.exe
PID 1388 wrote to memory of 1524 | N/A | N/A | C:\Windows\system32\msra.exe
PID 1388 wrote to memory of 1524 | N/A | N/A | C:\Windows\system32\msra.exe
PID 1388 wrote to memory of 2448 | N/A | N/A | C:\Users\Admin\AppData\Local\g7V\msra.exe
PID 1388 wrote to memory of 2448 | N/A | N/A | C:\Users\Admin\AppData\Local\g7V\msra.exe
PID 1388 wrote to memory of 2448 | N/A | N/A | C:\Users\Admin\AppData\Local\g7V\msra.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\13d90e1b8ddda68fa897813f073ba521.dll

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe

C:\Windows\system32\UI0Detect.exe

C:\Windows\system32\UI0Detect.exe

C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe

C:\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\g7V\msra.exe

C:\Users\Admin\AppData\Local\g7V\msra.exe

Network

N/A

Files

memory/2624-0-0x0000000000100000-0x0000000000107000-memory.dmp

memory/2624-1-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-4-0x0000000077656000-0x0000000077657000-memory.dmp

memory/1388-5-0x0000000003920000-0x0000000003921000-memory.dmp

memory/1388-8-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-9-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-10-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-11-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-14-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-12-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-15-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-13-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-17-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-18-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-19-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-20-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-21-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-23-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-25-0x0000000003900000-0x0000000003907000-memory.dmp

memory/1388-22-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-16-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-7-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-31-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-32-0x0000000077761000-0x0000000077762000-memory.dmp

memory/1388-33-0x00000000778F0000-0x00000000778F2000-memory.dmp

memory/1388-42-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1388-44-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/2624-49-0x0000000140000000-0x00000001400B6000-memory.dmp

\Users\Admin\AppData\Local\LL0\OptionalFeatures.exe

MD5 eae7af6084667c8f05412ddf096167fc
SHA1 0dbe8aba001447030e48e8ad5466fd23481e6140
SHA256 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
SHA512 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

C:\Users\Admin\AppData\Local\LL0\appwiz.cpl

MD5 af09c3c6b446dcb27835fc030c33c08a
SHA1 58aef224250f191691e6f75c5a58b673feafbe38
SHA256 7860aff5f026ab346a3279f480cb2833f06f4b744f509cde494a2bb55da5b314
SHA512 2e1919a2517dd48657615987a765088ac1884a2500074c2ed57ac8effa2d5b9d40cbe010d0cc348690e66bbb305183e932f07b1d9cd1d0a54dddedfb131bdf58

memory/856-59-0x0000000140000000-0x00000001400B7000-memory.dmp

memory/1388-60-0x0000000077656000-0x0000000077657000-memory.dmp

memory/856-63-0x0000000001B20000-0x0000000001B27000-memory.dmp

memory/856-66-0x0000000140000000-0x00000001400B7000-memory.dmp

\Users\Admin\AppData\Local\xNtFTh5g\UI0Detect.exe

MD5 3cbdec8d06b9968aba702eba076364a1
SHA1 6e0fcaccadbdb5e3293aa3523ec1006d92191c58
SHA256 b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b
SHA512 a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

C:\Users\Admin\AppData\Local\xNtFTh5g\VERSION.dll

MD5 d361fcc3cf64f0f50757f8e4c684e727
SHA1 f6243b04b9b75859a2be8690c829a5fb313e99e4
SHA256 fed2288d70345c496f9009e4cb2a508654569cce2d6e3a32ca764c0a04808ee5
SHA512 1cd16fe033b0b6ca3622ec3ed68c9448366250c72f940453b89c8e7b43604b8161caa46c137a59b035d2bae5ae848f7252dffdffd4d66543a341b23c378b95c4

memory/2420-80-0x0000000000070000-0x0000000000077000-memory.dmp

memory/2420-84-0x0000000140000000-0x00000001400B7000-memory.dmp

\Users\Admin\AppData\Local\g7V\msra.exe

MD5 e79df53bad587e24b3cf965a5746c7b6
SHA1 87a97ec159a3fc1db211f3c2c62e4d60810e7a70
SHA256 4e7c22648acf664ab13dfeb2dc062ae90af1e6c621186981f395fb279bbc9b9d
SHA512 9a329c39ce0bc5aede01e96c4190cc7ccd17729fbc3a2b6df73057be8efaa3fa92cfef6e26a25bde6f7f94f64f6d6d0e4c5459aef2aead367e43178dd275acfb

C:\Users\Admin\AppData\Local\g7V\NDFAPI.DLL

MD5 ff649db3b51521d9fcf06978b8852a56
SHA1 d534d877193c61d6693b46f032e3c18b61b2ee26
SHA256 3a54f8b70a466437393eb71563e969ae9a29c0c4f6fd75e7e35870c7bfcf7f43
SHA512 5189eadaceb89be8a61e012ba1270513a9ccc66eee6a27c41420052b1d04a1c79f54ab22d4def5093e0516d85dcf933d771608d099c195efef0b194fc75f197d

memory/2448-97-0x0000000000260000-0x0000000000267000-memory.dmp

memory/2448-102-0x0000000140000000-0x00000001400B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 d8e0da9e370e85d1ade5e9d5b03ebd64
SHA1 a21e94bc931cbe4e0d92fb97217bbc9b73d3ad3e
SHA256 617a4ed8c2e2d9bdb85a805dd641bb88939516d23979bef9d1603c50af1e85ec
SHA512 f53c5c25acc1cf90c48ba7f35e20db13903c5a5d907323cc601cb44e004848a4ecfaef518aa7995dc2d3ad07d96594fc32e0d92e253712661707f28232e6c526

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 08:55

Reported

2023-12-31 09:15

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

126s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\13d90e1b8ddda68fa897813f073ba521.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\13d90e1b8ddda68fa897813f073ba521.dll

C:\Users\Admin\AppData\Local\8dDbY7\rstrui.exe

C:\Users\Admin\AppData\Local\8dDbY7\rstrui.exe

C:\Windows\system32\rstrui.exe

C:\Windows\system32\rstrui.exe

C:\Users\Admin\AppData\Local\2xbAwnj5\consent.exe

C:\Users\Admin\AppData\Local\2xbAwnj5\consent.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

C:\Users\Admin\AppData\Local\4UAEZo5\ie4ushowIE.exe

C:\Users\Admin\AppData\Local\4UAEZo5\ie4ushowIE.exe

C:\Windows\system32\ie4ushowIE.exe

C:\Windows\system32\ie4ushowIE.exe

C:\Users\Admin\AppData\Local\u1m41W0v\wusa.exe

C:\Users\Admin\AppData\Local\u1m41W0v\wusa.exe

C:\Windows\system32\wusa.exe

C:\Windows\system32\wusa.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/1208-1-0x00000000011C0000-0x00000000011C7000-memory.dmp

memory/1208-0-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-7-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-8-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-22-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-26-0x0000000008040000-0x0000000008047000-memory.dmp

memory/3492-31-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-32-0x00007FFFD5F70000-0x00007FFFD5F80000-memory.dmp

memory/3492-41-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-23-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-21-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-20-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-19-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-18-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-17-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-16-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-15-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-14-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-13-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-12-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-11-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-10-0x00007FFFD5D1A000-0x00007FFFD5D1B000-memory.dmp

memory/3492-9-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-6-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/3492-4-0x0000000008060000-0x0000000008061000-memory.dmp

memory/1208-44-0x0000000140000000-0x00000001400B6000-memory.dmp

memory/1128-60-0x0000000140000000-0x00000001400B7000-memory.dmp

memory/1128-66-0x0000000140000000-0x00000001400B7000-memory.dmp

memory/1128-63-0x000002BFFD110000-0x000002BFFD117000-memory.dmp

memory/3308-83-0x0000000140000000-0x00000001400B7000-memory.dmp

memory/3308-78-0x000002A358F00000-0x000002A358F07000-memory.dmp

memory/1036-96-0x000001EA7B730000-0x000001EA7B737000-memory.dmp

memory/1036-100-0x0000000140000000-0x00000001400B7000-memory.dmp