Malware Analysis Report

2024-11-30 21:31

Sample ID: 231231-ep85dafhhk
Target: 2784c3aeee9d999aa9b382b604d54037
SHA256: f1955ff491cbc147287209b62c378253fc8c4da6123e7d8c45a417e4a3c6552d
Tags: dridex, botnet, evasion, payload, trojan, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: f1955ff491cbc147287209b62c378253fc8c4da6123e7d8c45a417e4a3c6552d
Threat Level: Known bad

The file 2784c3aeee9d999aa9b382b604d54037 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, trojan, persistence

Signatures triggered across the three analyses:

- Dridex
- Dridex Shellcode
- Loads dropped DLL
- Executes dropped EXE
- Checks whether UAC is enabled
- Adds Run key to start application
- Unsigned PE
- Suspicious behavior: EnumeratesProcesses
- Uses Task Scheduler COM API
- Suspicious use of WriteProcessMemory

Read together, the two detonations show the Dridex loader pattern. The sample is a 64-bit DLL (its image is mapped at 0x140000000 in every affected process) invoked through rundll32.exe export ordinal #1. It then runs same-named copies of Windows system binaries from randomly named directories under %LOCALAPPDATA% (dpapimig.exe, spinstall.exe and fvenotify.exe on Windows 7; SystemSettingsAdminFlows.exe, CloudNotifications.exe and cttune.exe on Windows 10), each with a dropped DLL beside it that carries the name of a genuine Windows DLL (DUI70.dll, VERSION.dll, slc.dll) and that the "Loads dropped DLL" signature shows the copied binary loading: classic DLL side-loading. Persistence is established three ways: an HKCU Run value, a shortcut in the Startup folder, and the Task Scheduler COM API. No command-and-control traffic was captured in either run.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-31 04:08

Signatures

Unsigned PE
(no indicator, process or target recorded)

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 04:08
Reported: 2024-01-02 04:23
Platform: win10v2004-20231215-en
Max time kernel: 5s
Max time network: 137s

The kernel-monitoring window in this run was only 5 s, against 150 s for the Windows 7 run below, so it records far fewer events: no dropped-file hashes, Run-key writes or WriteProcessMemory calls appear here. Treat the absence of those signatures in this run as a monitoring gap, not as evidence that the behaviour differs on Windows 10.

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2784c3aeee9d999aa9b382b604d54037.dll,#1

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload)
(no indicator, process or target recorded)

Checks whether UAC is enabled (evasion, trojan)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe

Suspicious behavior: EnumeratesProcesses
Process: C:\Windows\system32\rundll32.exe (6 events; no indicator or target recorded)

Processes

The raw report prints each image path twice (once as the process name, once as its command line); each is listed once here, with the command line where it differs from the path.

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2784c3aeee9d999aa9b382b604d54037.dll,#1
C:\Users\Admin\AppData\Local\jOU74L\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\k1U\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
C:\Users\Admin\AppData\Local\FjinOz\cttune.exe
C:\Windows\system32\cttune.exe

Network

Country  Destination          Domain                           Proto  Count
US       8.8.8.8:53           79.121.231.20.in-addr.arpa       udp    1
US       8.8.8.8:53           146.78.124.51.in-addr.arpa       udp    1
US       8.8.8.8:53           21.53.126.40.in-addr.arpa        udp    1
US       8.8.8.8:53           95.221.229.192.in-addr.arpa      udp    1
US       8.8.8.8:53           9.228.82.20.in-addr.arpa         udp    1
US       8.8.8.8:53           0.204.248.87.in-addr.arpa        udp    1
US       8.8.8.8:53           41.110.16.96.in-addr.arpa        udp    1
US       8.8.8.8:53           26.165.165.52.in-addr.arpa       udp    1
US       8.8.8.8:53           158.240.127.40.in-addr.arpa      udp    1
US       8.8.8.8:53           56.126.166.20.in-addr.arpa       udp    1
US       8.8.8.8:53           104.241.123.92.in-addr.arpa      udp    1
US       8.8.8.8:53           119.110.54.20.in-addr.arpa       udp    1
US       8.8.8.8:53           86.23.85.13.in-addr.arpa         udp    1
US       8.8.8.8:53           217.135.221.88.in-addr.arpa      udp    1
US       8.8.8.8:53           176.178.17.96.in-addr.arpa       udp    1
US       8.8.8.8:53           0.205.248.87.in-addr.arpa        udp    1
US       8.8.8.8:53           55.36.223.20.in-addr.arpa        udp    1
US       8.8.8.8:53           22.236.111.52.in-addr.arpa       udp    1
US       8.8.8.8:53           tse1.mm.bing.net                 udp    1
US       204.79.197.200:443   tse1.mm.bing.net                 tcp    5

Everything recorded is reverse-DNS (PTR) lookups through 8.8.8.8 and TLS sessions to tse1.mm.bing.net. No contact with a Dridex command-and-control address was captured within the 137 s network window, so this run yields no network indicators of compromise.

Files

Memory dumps. Names follow memory/<pid>-<index>-<start>-<end>-memory.dmp; they are grouped by PID here, with the dump index numbers in brackets.

PID 4324
  0x0000000140000000-0x0000000140154000  [0, 1, 9]
  0x000002C13C160000-0x000002C13C167000  [3]
PID 3480
  0x00000000033E0000-0x00000000033E1000  [5]
  0x00007FFB30A7A000-0x00007FFB30A7B000  [6]
  0x0000000140000000-0x0000000140154000  [8, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 27, 37, 39]
  0x0000000001480000-0x0000000001487000  [20]
  0x00007FFB321E0000-0x00007FFB321F0000  [28]
PID 4292
  0x0000000140000000-0x0000000140155000  [48, 49, 55]
  0x0000020E09ED0000-0x0000020E09ED7000  [50]
PID 3912
  0x0000000140000000-0x0000000140155000  [66, 73]
  0x0000029DFFD90000-0x0000029DFFD97000  [69]
PID 1348
  0x0000000140000000-0x0000000140155000  [85, 91]
  0x000001F0E7EF0000-0x000001F0E7EF7000  [86]
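The dump list above is easier to reason about once it is parsed: which processes carry an image at the same base and size (the first thing to diff when looking for one payload mapped into several processes), and which processes share a region of a given size at differing bases. The following Python is an added example written for this page, not part of the sandbox's output or of any tool; it embeds the behavioral2 dump names above as constructed input and treats the name format memory/<pid>-<index>-<start>-<end>-memory.dmp as an assumption read off this report. Matching base and size only nominates candidates; confirming that the regions hold the same code still means comparing the dump contents.

```python
import re
from collections import defaultdict

# Constructed sample input: the memory-dump names from the behavioral2 Files section.
SAMPLE = """
memory/4324-3-0x000002C13C160000-0x000002C13C167000-memory.dmp
memory/4324-1-0x0000000140000000-0x0000000140154000-memory.dmp
memory/4324-0-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-14-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-19-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-27-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-28-0x00007FFB321E0000-0x00007FFB321F0000-memory.dmp
memory/4292-50-0x0000020E09ED0000-0x0000020E09ED7000-memory.dmp
memory/4292-55-0x0000000140000000-0x0000000140155000-memory.dmp
memory/3912-66-0x0000000140000000-0x0000000140155000-memory.dmp
memory/3912-69-0x0000029DFFD90000-0x0000029DFFD97000-memory.dmp
memory/3912-73-0x0000000140000000-0x0000000140155000-memory.dmp
memory/1348-85-0x0000000140000000-0x0000000140155000-memory.dmp
memory/1348-91-0x0000000140000000-0x0000000140155000-memory.dmp
memory/1348-86-0x000001F0E7EF0000-0x000001F0E7EF7000-memory.dmp
memory/4292-49-0x0000000140000000-0x0000000140155000-memory.dmp
memory/4292-48-0x0000000140000000-0x0000000140155000-memory.dmp
memory/3480-39-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-37-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-20-0x0000000001480000-0x0000000001487000-memory.dmp
memory/3480-18-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-17-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-16-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-15-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-13-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-12-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-11-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-10-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-8-0x0000000140000000-0x0000000140154000-memory.dmp
memory/4324-9-0x0000000140000000-0x0000000140154000-memory.dmp
memory/3480-6-0x00007FFB30A7A000-0x00007FFB30A7B000-memory.dmp
memory/3480-5-0x00000000033E0000-0x00000000033E1000-memory.dmp
"""
DUMPS = [ln.strip() for ln in SAMPLE.splitlines() if ln.strip()]

# Assumed name format: memory/<pid>-<index>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Split one dump name into pid, dump index and region bounds (size = end - start)."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """{pid: {(start, size), ...}}: the distinct regions the sandbox dumped from each process."""
    out = defaultdict(set)
    for d in filter(None, map(parse_dump, names)):
        out[d["pid"]].add((d["start"], d["size"]))
    return dict(out)


def shared_images(names, min_pids=2):
    """Regions with identical base and size present in at least min_pids processes.
    One image mapped at the same base in several processes is what a single payload
    injected into, or loaded by, each of them looks like in a dump list."""
    seen = defaultdict(set)
    for pid, regs in regions_by_pid(names).items():
        for reg in regs:
            seen[reg].add(pid)
    return {reg: pids for reg, pids in seen.items() if len(pids) >= min_pids}


def pids_with_region_size(names, size):
    """Processes that have a dumped region of exactly this size, whatever its base."""
    return {pid for pid, regs in regions_by_pid(names).items() if any(s == size for _, s in regs)}


def timeline(names):
    """Dumps in the order the sandbox took them: (index, pid, base, size)."""
    return sorted((d["seq"], d["pid"], d["start"], d["size"])
                  for d in filter(None, map(parse_dump, names)))


if __name__ == "__main__":
    for (base, size), pids in sorted(shared_images(DUMPS).items()):
        print(f"image at 0x{base:X} size 0x{size:X} dumped from PIDs {sorted(pids)}")
    print("PIDs with a 0x7000-byte region:", sorted(pids_with_region_size(DUMPS, 0x7000)))
    first = timeline(DUMPS)[0]
    print(f"first dump: index {first[0]} from PID {first[1]} at 0x{first[2]:X}")
```

On this report the script finds two images at base 0x140000000 (0x154000 bytes in PIDs 4324 and 3480, 0x155000 bytes in PIDs 4292, 3912 and 1348) and a 0x7000-byte region in every one of the five processes; the earliest dump (index 0) comes from PID 4324, the process that existed when the run began, i.e. the rundll32.exe host.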

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 04:08
Reported: 2024-01-02 04:24
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2784c3aeee9d999aa9b382b604d54037.dll,#1

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload)
(no indicator, process or target recorded)

Loads dropped DLL
Processes recorded (four further events carry no process name):
  C:\Users\Admin\AppData\Local\09PqK\dpapimig.exe
  C:\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe
  C:\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe
Each of these has the name of a System32 binary but runs from a user-writable directory, and the Files section below lists the DLL dropped beside each one (DUI70.dll, VERSION.dll and slc.dll respectively). A legitimate executable resolving an imported DLL from its own directory before the system copy is the DLL side-loading technique this signature is catching.

Adds Run key to start application (persistence)
Set value (str): \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\kI\spinstall.exe"
The value name (Lgpbj) and the directory (kI) look random; the target is a further copy of spinstall.exe, and Files lists a VERSION.dll dropped into the same kI directory, so the same side-loading pair is what re-runs at each logon.

Checks whether UAC is enabled (evasion, trojan)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Processes:
  C:\Windows\system32\rundll32.exe
  C:\Users\Admin\AppData\Local\09PqK\dpapimig.exe
  C:\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe
  C:\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe

Suspicious behavior: EnumeratesProcesses
Process: C:\Windows\system32\rundll32.exe (3 events); 61 further events with no process, indicator or target recorded

Suspicious use of WriteProcessMemory

Writer PID  Target PID  Target image                                          Writes
1244        2936        C:\Windows\system32\dpapimig.exe                      3
1244        2616        C:\Users\Admin\AppData\Local\09PqK\dpapimig.exe       3
1244        1644        C:\Windows\system32\spinstall.exe                     3
1244        456         C:\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe   3
1244        1092        C:\Windows\system32\fvenotify.exe                     3
1244        1064        C:\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe   3

A single writer, PID 1244, writes three times into each of the six launched binaries, both the System32 original and the AppData copy of each. PID 1244 is not the rundll32.exe that started the chain (the first memory dumps, index 0 and 1, come from PID 2932) and it does not appear by name in the Processes list, yet its own dumps below show the same 0x140000000-0x140154000 image that rundll32.exe carries. That is consistent with the loader first injecting into an already-running process and fanning out from there.

Uses Task Scheduler COM API (persistence)
(no indicator, process or target recorded)

Processes

The raw report prints each image path twice (once as the process name, once as its command line); each is listed once here, with the command line where it differs from the path and the PID where the WriteProcessMemory table records one.

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2784c3aeee9d999aa9b382b604d54037.dll,#1
C:\Windows\system32\dpapimig.exe (PID 2936)
C:\Users\Admin\AppData\Local\09PqK\dpapimig.exe (PID 2616)
C:\Windows\system32\spinstall.exe (PID 1644)
C:\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe (PID 456)
C:\Windows\system32\fvenotify.exe (PID 1092)
C:\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe (PID 1064)

Network

No network connections were recorded in this run.

Files

Memory dumps (names follow memory/<pid>-<index>-<start>-<end>-memory.dmp; grouped by PID, index numbers in brackets):

PID 2932
  0x0000000140000000-0x0000000140154000  [0, 8]
  0x00000000000A0000-0x00000000000A7000  [1]
PID 1244
  0x0000000077AA6000-0x0000000077AA7000  [4]
  0x0000000002970000-0x0000000002971000  [5]
  0x0000000140000000-0x0000000140154000  [7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 26, 37, 41, 42]
  0x0000000002950000-0x0000000002957000  [18]
  0x0000000077BB1000-0x0000000077BB2000  [27]
  0x0000000077D10000-0x0000000077D12000  [28]

\Users\Admin\AppData\Local\09PqK\dpapimig.exe

MD5 0e8b8abea4e23ddc9a70614f3f651303
SHA1 6d332ba4e7a78039f75b211845514ab35ab467b2
SHA256 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA512 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

C:\Users\Admin\AppData\Local\09PqK\DUI70.dll

MD5 02ca2465456c8b9e46fc772e72676693
SHA1 e326383de3007758851a860dbc203c9d16e5cc2c
SHA256 bc1bf0222f3341fdf0ee3cfebad5a1d66a8b6be18dc00402b0d47f8ad21c8145
SHA512 7f8e9d4d7b953b3a5a213c46030eefe5858a4ef41ca77ee96c87e2aa015be549bf8cb6515ba6d2a54400140f943053d1af51a042adb634ea225a0536d85f3166

Memory dumps:

PID 2616
  0x0000000140000000-0x0000000140188000  [56, 61]
  0x0000000000090000-0x0000000000097000  [57]
PID 1244
  0x0000000077AA6000-0x0000000077AA7000  [55]

\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe

MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

C:\Users\Admin\AppData\Local\BXUFogz3\VERSION.dll

MD5 607d952bc201e4afb4b9f16fd95f6441
SHA1 cab9b943c109dfd06bfe594ec8904a879a7086f2
SHA256 74733682de24cd452909a9f68f728a9c6c7ffc3a710bbf636a2e03eb68ac89b6
SHA512 5ead3cb37d4695453499803f2337c9d65ef65372bdcc56407339e56e04c71e9c26374a74af55da5e65b8c8e9a1d1a105df4ba46cf27dd9c236261f8fe3e84d10

Memory dumps:

PID 456
  0x00000000000F0000-0x00000000000F7000  [74]
  0x0000000140000000-0x0000000140154000  [79]

\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe

MD5 e61d644998e07c02f0999388808ac109
SHA1 183130ad81ff4c7997582a484e759bf7769592d6
SHA256 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
SHA512 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

C:\Users\Admin\AppData\Local\0VZL4MAM\slc.dll

MD5 79b3c74471926f77825c8a37c1233632
SHA1 c1627d73a9095c3ea7c3ab92f21792d4761daa5b
SHA256 f9d02d6f903a4828d36c948fe98b9e3a5113839ab6075cc6e242194371b83c8f
SHA512 b72dbbf41d202fbf9095bd0ae1accddd59c922aaa078776fdb97dda50a3445724be333a4dc98fce70f96db9834b9388f94de831f0b747b41c7d7529efe1dc900

Memory dumps:

PID 1064
  0x0000000140000000-0x0000000140155000  [91, 96]

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 1f79c9afacb0e96e99bc517b8e3009cf
SHA1 f422fa40c85f9bdcf23689dcd1085a2c65b91c31
SHA256 31d54c0af12850e66ca0ba8493d0092e0b0ab8150e3171cc13d7704c5ddb0685
SHA512 2b8b2b7cc61fee587877e3970c8e86907da4c82353d136c3e3147547d7cb833ff11c187d59d4e93b3ec7bad987cd02686e88e6d27d6305d6d81cff5094546d5d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\kI\VERSION.dll

MD5 9737a1aaac29f708d691419064b3fd78
SHA1 8d47d19f7d8ee3ec810a43e681c602725523f458
SHA256 15cdff749904d733ab5b99b4d4ce7c8f6134aabb64515a02b9fbec85ee6c7ee3
SHA512 b410bd9cdcdb31212ca287a82ec1e0b8bd195af77f3d1f29d7ae2fff50abf927e7fe905583e0def6e9d9e75fe0c1ee2d943f45d1d8a2185bf4f8a0946b934e67
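The side-loading and persistence artefacts in this run (the processes under "Loads dropped DLL", the Run value, the Startup shortcut, and the dropped exe/DLL pairs listed above) can be checked mechanically rather than by eye. The following Python is an added example written for this page, not part of the sandbox's output or of any vendor tool. It embeds the behavioral1 process paths, dropped-file paths and the Run-key event line as constructed input; the "system directory" and "user-writable" tests are simple path-prefix assumptions standing in for the ACL checks a real hunt would do on the endpoint.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input, copied from the behavioral1 run of this report: process image
# paths, dropped-file paths and the Run-key event line as the sandbox prints it (the raw
# report doubles the backslashes inside the quoted data). Not live endpoint telemetry.
PROCESS_PATHS = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\dpapimig.exe",
    r"C:\Users\Admin\AppData\Local\09PqK\dpapimig.exe",
    r"C:\Windows\system32\spinstall.exe",
    r"C:\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe",
    r"C:\Windows\system32\fvenotify.exe",
    r"C:\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe",
]
DROPPED_FILES = [
    r"\Users\Admin\AppData\Local\09PqK\dpapimig.exe",
    r"C:\Users\Admin\AppData\Local\09PqK\DUI70.dll",
    r"\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe",
    r"C:\Users\Admin\AppData\Local\BXUFogz3\VERSION.dll",
    r"\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe",
    r"C:\Users\Admin\AppData\Local\0VZL4MAM\slc.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\kI\VERSION.dll",
]
RUN_KEY_EVENT = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\kI\\spinstall.exe"'
)

# Assumed prefix lists; a real hunt would consult the directory ACLs instead.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
RUN_KEY_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+)\\([^\\\s]+) = "(.*)"$')


def norm(path):
    """Lower-case and drop the drive letter so 'C:\\Users\\x' and '\\Users\\x' compare equal."""
    return re.sub(r"^[a-z]:", "", path.lower())


def parent_dir(path):
    return norm(str(PureWindowsPath(path).parent))


def is_user_writable(path):
    return any(marker in norm(path) for marker in USER_WRITABLE)


def system_binary_names(process_paths):
    """Basenames of executables that ran from a Windows system directory."""
    return {PureWindowsPath(p).name.lower() for p in process_paths
            if any(d in norm(p) for d in SYSTEM_DIRS)}


def find_sideload_pairs(process_paths, dropped_files):
    """{dropped exe: [dropped DLLs in the same directory]} for every dropped copy of a
    system binary that sits in a user-writable directory next to a dropped DLL."""
    sysnames = system_binary_names(process_paths)
    by_dir = defaultdict(list)
    for f in dropped_files:
        by_dir[parent_dir(f)].append(f)
    pairs = {}
    for f in dropped_files:
        name = PureWindowsPath(f).name.lower()
        if name.endswith(".exe") and name in sysnames and is_user_writable(f):
            dlls = [s for s in by_dir[parent_dir(f)] if s.lower().endswith(".dll")]
            if dlls:
                pairs[f] = dlls
    return pairs


def parse_run_key_event(line):
    """Split a 'Set value (str) <key>\\<name> = "<data>"' line into its parts,
    undoing the doubled backslashes in the data string."""
    m = RUN_KEY_RE.match(line)
    if not m:
        return None
    kind, key, name, data = m.groups()
    return {"type": kind, "key": key, "name": name, "data": data.replace("\\\\", "\\")}


def assess_persistence(run_event, process_paths, dropped_files):
    """Findings for a Run value that launches a system-binary copy from a user path
    (naming the DLLs dropped beside it) and for shortcuts dropped into a Startup folder."""
    findings = []
    ev = parse_run_key_event(run_event)
    if ev and "\\currentversion\\run" in ev["key"].lower():
        target = ev["data"]
        tname = PureWindowsPath(target).name.lower()
        if is_user_writable(target) and tname in system_binary_names(process_paths):
            dlls = [f for f in dropped_files
                    if parent_dir(f) == parent_dir(target) and f.lower().endswith(".dll")]
            findings.append(f"Run value '{ev['name']}' launches system-binary copy {tname} "
                            f"from a user-writable path; DLLs dropped alongside: {', '.join(dlls)}")
    for f in dropped_files:
        if norm(f).endswith(".lnk") and "\\programs\\startup\\" in norm(f):
            findings.append(f"Startup-folder shortcut dropped: {PureWindowsPath(f).name}")
    return findings


if __name__ == "__main__":
    for exe, dlls in find_sideload_pairs(PROCESS_PATHS, DROPPED_FILES).items():
        print(f"side-load candidate: {exe}  <-  {', '.join(dlls)}")
    for finding in assess_persistence(RUN_KEY_EVENT, PROCESS_PATHS, DROPPED_FILES):
        print("persistence:", finding)
```

Against this report the script pairs dpapimig.exe with DUI70.dll, spinstall.exe with VERSION.dll and fvenotify.exe with slc.dll, ties the Lgpbj Run value to the VERSION.dll dropped in the kI directory, and flags Yiudzqwx.lnk in the Startup folder. The same logic ports directly to endpoint telemetry (process-creation and file-write events), where the interesting signal is a System32 binary name executing from a profile directory with a freshly written DLL beside it.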