Malware Analysis Report

2024-11-30 21:31

Sample ID: 231231-cq92ysdhfl
Target: 243dd63bd9252316a4942318e8f31f89
SHA256: 2a7a751ac519f5bac862348ea73def98bad91906fe50cbc9a9507e749d867c86
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 2a7a751ac519f5bac862348ea73def98bad91906fe50cbc9a9507e749d867c86

Threat Level: Known bad

The file 243dd63bd9252316a4942318e8f31f89 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 02:18

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 02:18

Reported

2024-01-01 22:29

Platform

win7-20231129-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 02:18

Reported

2024-01-01 22:26

Platform

win10v2004-20231215-en

Max time kernel

72s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\243dd63bd9252316a4942318e8f31f89.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\LMtrvw\\rdpinput.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\VXOraDWQl\DevicePairingWizard.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RvwOIXiav\rdpinput.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Wgrn\WMPDMC.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3392 wrote to memory of 3652 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 3392 wrote to memory of 3652 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 3392 wrote to memory of 2592 N/A N/A C:\Users\Admin\AppData\Local\VXOraDWQl\DevicePairingWizard.exe
PID 3392 wrote to memory of 2592 N/A N/A C:\Users\Admin\AppData\Local\VXOraDWQl\DevicePairingWizard.exe
PID 3392 wrote to memory of 228 N/A N/A C:\Windows\system32\rdpinput.exe
PID 3392 wrote to memory of 228 N/A N/A C:\Windows\system32\rdpinput.exe
PID 3392 wrote to memory of 4412 N/A N/A C:\Users\Admin\AppData\Local\RvwOIXiav\rdpinput.exe
PID 3392 wrote to memory of 4412 N/A N/A C:\Users\Admin\AppData\Local\RvwOIXiav\rdpinput.exe
PID 3392 wrote to memory of 964 N/A N/A C:\Windows\system32\WMPDMC.exe
PID 3392 wrote to memory of 964 N/A N/A C:\Windows\system32\WMPDMC.exe
PID 3392 wrote to memory of 3976 N/A N/A C:\Users\Admin\AppData\Local\Wgrn\WMPDMC.exe
PID 3392 wrote to memory of 3976 N/A N/A C:\Users\Admin\AppData\Local\Wgrn\WMPDMC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\243dd63bd9252316a4942318e8f31f89.dll,#1

C:\Windows\system32\DevicePairingWizard.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\VXOraDWQl\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\VXOraDWQl\DevicePairingWizard.exe

C:\Windows\system32\rdpinput.exe

C:\Windows\system32\rdpinput.exe

C:\Users\Admin\AppData\Local\RvwOIXiav\rdpinput.exe

C:\Users\Admin\AppData\Local\RvwOIXiav\rdpinput.exe

C:\Windows\system32\WMPDMC.exe

C:\Windows\system32\WMPDMC.exe

C:\Users\Admin\AppData\Local\Wgrn\WMPDMC.exe

C:\Users\Admin\AppData\Local\Wgrn\WMPDMC.exe

Network


Files

C:\Users\Admin\AppData\Local\VXOraDWQl\MFC42u.dll

C:\Users\Admin\AppData\Local\VXOraDWQl\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\RvwOIXiav\WINSTA.dll

C:\Users\Admin\AppData\Local\RvwOIXiav\rdpinput.exe

C:\Users\Admin\AppData\Local\Wgrn\WMPDMC.exe

C:\Users\Admin\AppData\Local\Wgrn\dwmapi.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

C:\Users\Admin\AppData\Roaming\Sun\RQ\MFC42u.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\LMtrvw\WINSTA.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\FsQGKT7dp\dwmapi.dll
