Malware Analysis Report

2024-11-30 21:13

Sample ID 231230-mm5m6safdk
Target 161726ece301d6ce29288d425e1ed053
SHA256 b2fb416b8bad4ba1aa249c51944177e88fee1616653c01a4b131a2c79aa86ba4
Tags dridex botnet payload evasion persistence trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 b2fb416b8bad4ba1aa249c51944177e88fee1616653c01a4b131a2c79aa86ba4

Threat Level: Known bad

The file 161726ece301d6ce29288d425e1ed053 was found to be: Known bad.

Malicious Activity Summary

dridex botnet payload evasion persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 10:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 10:35

Reported

2023-12-31 13:28

Platform

win7-20231129-en

Max time kernel

3s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\161726ece301d6ce29288d425e1ed053.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\161726ece301d6ce29288d425e1ed053.dll

C:\Windows\system32\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Users\Admin\AppData\Local\oRsnE1pbX\Utilman.exe

C:\Users\Admin\AppData\Local\oRsnE1pbX\Utilman.exe

C:\Users\Admin\AppData\Local\hB0xAQ\msdtc.exe

C:\Users\Admin\AppData\Local\hB0xAQ\msdtc.exe

C:\Windows\system32\msdtc.exe

C:\Windows\system32\msdtc.exe

C:\Windows\system32\icardagt.exe

C:\Windows\system32\icardagt.exe

C:\Users\Admin\AppData\Local\DHZ\icardagt.exe

C:\Users\Admin\AppData\Local\DHZ\icardagt.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 10:35

Reported

2023-12-31 13:28

Platform

win10v2004-20231215-en

Max time kernel

32s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\161726ece301d6ce29288d425e1ed053.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Proof\\mDPOpJt\\bdeunlock.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Kgi\cmstp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uWef2Uw\bdeunlock.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5nQU9\phoneactivate.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3388 wrote to memory of 316 N/A N/A C:\Windows\system32\cmstp.exe
PID 3388 wrote to memory of 316 N/A N/A C:\Windows\system32\cmstp.exe
PID 3388 wrote to memory of 1152 N/A N/A C:\Users\Admin\AppData\Local\Kgi\cmstp.exe
PID 3388 wrote to memory of 1152 N/A N/A C:\Users\Admin\AppData\Local\Kgi\cmstp.exe
PID 3388 wrote to memory of 1836 N/A N/A C:\Windows\system32\bdeunlock.exe
PID 3388 wrote to memory of 1836 N/A N/A C:\Windows\system32\bdeunlock.exe
PID 3388 wrote to memory of 892 N/A N/A C:\Users\Admin\AppData\Local\uWef2Uw\bdeunlock.exe
PID 3388 wrote to memory of 892 N/A N/A C:\Users\Admin\AppData\Local\uWef2Uw\bdeunlock.exe
PID 3388 wrote to memory of 644 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3388 wrote to memory of 644 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3388 wrote to memory of 3256 N/A N/A C:\Users\Admin\AppData\Local\5nQU9\phoneactivate.exe
PID 3388 wrote to memory of 3256 N/A N/A C:\Users\Admin\AppData\Local\5nQU9\phoneactivate.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\161726ece301d6ce29288d425e1ed053.dll

C:\Windows\system32\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\bdeunlock.exe

C:\Windows\system32\bdeunlock.exe

C:\Windows\system32\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Users\Admin\AppData\Local\uWef2Uw\bdeunlock.exe

C:\Users\Admin\AppData\Local\uWef2Uw\bdeunlock.exe

C:\Users\Admin\AppData\Local\Kgi\cmstp.exe

C:\Users\Admin\AppData\Local\Kgi\cmstp.exe

C:\Users\Admin\AppData\Local\5nQU9\phoneactivate.exe

C:\Users\Admin\AppData\Local\5nQU9\phoneactivate.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
GB 96.16.110.41:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.123.104.105:443 tcp
US 8.8.8.8:53 udp
N/A 20.123.104.105:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.165.164.15:443 tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\5nQU9\DUI70.dll

MD5 288b88106c8986eca96c15c5f4aa20b6
SHA1 58ad37fef5aa28a4fd98ec81c9ea030b0e6d4284
SHA256 c74078af09e5a43bf6acfba3d06e03f164958e8137d3fd7a2cde0b6989a7fc0f
SHA512 8888ec3cb41f0d48da0c1fd84cbc47a1dc390309c7479b29c91b936b8ebfe6e3b678c02adf887697498659b0fdff6d0b9ba7945a9eed8c90f8f6c8c92256f150

C:\Users\Admin\AppData\Local\5nQU9\phoneactivate.exe

MD5 32c31f06e0b68f349f68afdd08e45f3d
SHA1 e4b642f887e2c1d76b6b4777ade91e3cb3b9e27c
SHA256 cea83eb34233fed5ebeef8745c7c581a8adbefbcfc0e30e2d30a81000c821017
SHA512 fe61764b471465b164c9c2202ed349605117d57ceb0eca75acf8bda44e8744c115767ee0caed0b7feb70ba37b477d00805b3fdf0d0fa879dd4c8e3c1dc1c0d26

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk

MD5 c4a78d5a681ec7dd194f7be82ab260cb
SHA1 a81325fdaff533da7e2507063e0703f7ce1be8e4
SHA256 58a9b186aaec763c11f321eaa8d36aef0d33539308382d6c27f20eeba8d806e4
SHA512 9ce2b468cde1b01c7256a5b03dad10d9317b1f0278d16e3b91cbbc28c013aaff4c0cf1e600e34115b8af28c2ea31fe7137d5694c0a99162ab5546501e77e3e5f