Malware Analysis Report

2024-11-30 21:31

Sample ID 231231-ha2crsfeep
Target 2bcec1e43ba5360ab26a35c9c13db2ba
SHA256 22576f3db99ab75085f5365de9f92df76c42cee7a73124d42d207fe7d56775cd
Tags
dridex botnet evasion payload trojan persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1: Detonation Overview; Signatures
Analysis: behavioral1: Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral2: Detonation Overview; Command Line; Signatures; Processes; Network; Files

Analysis Overview

score
10/10

SHA256

22576f3db99ab75085f5365de9f92df76c42cee7a73124d42d207fe7d56775cd

Threat Level: Known bad

The file 2bcec1e43ba5360ab26a35c9c13db2ba was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 06:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 06:32

Reported

2024-01-02 10:52

Platform

win7-20231215-en

Max time kernel

3s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bcec1e43ba5360ab26a35c9c13db2ba.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

Image | Command line
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bcec1e43ba5360ab26a35c9c13db2ba.dll,#1
C:\Users\Admin\AppData\Local\KLd\dpnsvr.exe | C:\Users\Admin\AppData\Local\KLd\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe | C:\Windows\system32\dpnsvr.exe
C:\Users\Admin\AppData\Local\Y7flg\SystemPropertiesDataExecutionPrevention.exe | C:\Users\Admin\AppData\Local\Y7flg\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe | C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\wmQOwK\irftp.exe | C:\Users\Admin\AppData\Local\wmQOwK\irftp.exe
C:\Windows\system32\irftp.exe | C:\Windows\system32\irftp.exe

Network

N/A

Files

memory/2688-1-0x0000000000340000-0x0000000000347000-memory.dmp

memory/2688-0-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-4-0x0000000077536000-0x0000000077537000-memory.dmp

memory/1212-13-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-26-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-31-0x00000000025E0000-0x00000000025E7000-memory.dmp

memory/1212-40-0x00000000778A0000-0x00000000778A2000-memory.dmp

memory/1212-39-0x0000000077741000-0x0000000077742000-memory.dmp

memory/1212-49-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-54-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/2668-73-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/2668-68-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/2668-67-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1212-58-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-38-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-30-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-29-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-28-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-27-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-25-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-24-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-23-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-22-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-21-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-20-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-19-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-18-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-17-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-16-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-15-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-14-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/2864-85-0x0000000140000000-0x00000001401EF000-memory.dmp

memory/2864-89-0x0000000140000000-0x00000001401EF000-memory.dmp

memory/1212-12-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-11-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-10-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-9-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/2688-8-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-7-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1212-5-0x0000000002600000-0x0000000002601000-memory.dmp

memory/1832-106-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1832-101-0x0000000000120000-0x0000000000127000-memory.dmp

memory/1212-132-0x0000000077536000-0x0000000077537000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 06:32

Reported

2024-01-02 10:52

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

172s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bcec1e43ba5360ab26a35c9c13db2ba.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\JBQCQF~1\\SYSTEM~1.EXE" | N/A | N/A
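
The Run value recorded above has three properties worth turning into a hunt: it points into the user's roaming profile, it is written with 8.3 short names (MICROS~1 and STARTM~1 are the short forms of Microsoft and Start Menu, the same folders the Startup .lnk later in this report is dropped into), and its value name Gdfgjdhwrlpouj does not look like a product name. The Python below is an added editorial example, not sandbox output, that parses lines in the report's "Set value (str) <key>\<name> = "<value>"" format and applies those three heuristics. The OneDrive control line is constructed as a benign comparison, and the vowel-ratio and consonant-run thresholds are the example's own assumptions, not a published rule.

```python
import re

# Constructed sample input: the "Set value" line recorded for this sample,
# plus one hypothetical benign entry (not from the report) in the same format.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = '
    r'"C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\JBQCQF~1\\SYSTEM~1.EXE"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = '
    r'"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"',
]

# <key>\<name> = "<value>": the value name cannot contain a backslash, so the
# last backslash before ' = "' separates key from name.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+)\\(?P<name>[^\\]+) = "(?P<value>.*)"$'
)
VOWELS = set("aeiouAEIOU")


def parse_set_value(line):
    """Parse one sandbox 'Set value' line; returns dict or None."""
    m = SET_VALUE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # The sandbox doubles backslashes inside the quoted value; undo that.
    entry["value"] = entry["value"].replace("\\\\", "\\")
    return entry


def is_autorun_key(key):
    return key.lower().endswith((r"\currentversion\run", r"\currentversion\runonce"))


def has_short_name_components(path):
    # 8.3 short names (MICROS~1, STARTM~1) hide the real folder name from
    # plain string matches on "Start Menu" or "Microsoft".
    return any(re.search(r"~\d+", part) for part in path.split("\\"))


def in_user_writable_location(path):
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or "\\temp\\" in p


def looks_random(name, min_len=8, max_vowel_ratio=0.25, max_consonant_run=5):
    """Crude heuristic (assumed thresholds): few vowels or a long consonant run."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < min_len:
        return False
    vowels = sum(c in VOWELS for c in letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowels / len(letters) < max_vowel_ratio or longest >= max_consonant_run


def assess_autorun(entry):
    flags = []
    if has_short_name_components(entry["value"]):
        flags.append("8.3-short-name-path")
    if in_user_writable_location(entry["value"]):
        flags.append("user-writable-location")
    if looks_random(entry["name"]):
        flags.append("random-looking-value-name")
    return flags


def triage(lines):
    """Keep only Run/RunOnce writes and attach the heuristic flags to each."""
    results = []
    for line in lines:
        entry = parse_set_value(line)
        if entry is None or not is_autorun_key(entry["key"]):
            continue
        results.append({"name": entry["name"], "path": entry["value"],
                        "flags": assess_autorun(entry)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(r["name"], r["path"], r["flags"] or "clean")
```

Each flag on its own is a lead rather than a verdict (installers legitimately use AppData, and 8.3 names appear in old setup tooling); the report's entry trips all three, the control trips none.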

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ZdXfloJ\SystemPropertiesComputerName.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rPY\ProximityUxHost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\JQSqOAORl\unregmp2.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
60 further hits with no description, indicator, process or target recorded

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3580 wrote to memory of 4872 | N/A | N/A | C:\Windows\system32\unregmp2.exe (2 writes)
PID 3580 wrote to memory of 2788 | N/A | N/A | C:\Users\Admin\AppData\Local\JQSqOAORl\unregmp2.exe (2 writes)
PID 3580 wrote to memory of 3212 | N/A | N/A | C:\Windows\system32\SystemPropertiesComputerName.exe (2 writes)
PID 3580 wrote to memory of 944 | N/A | N/A | C:\Users\Admin\AppData\Local\ZdXfloJ\SystemPropertiesComputerName.exe (2 writes)
PID 3580 wrote to memory of 1064 | N/A | N/A | C:\Windows\system32\ProximityUxHost.exe (2 writes)
PID 3580 wrote to memory of 4336 | N/A | N/A | C:\Users\Admin\AppData\Local\rPY\ProximityUxHost.exe (2 writes)

PID 3580 is the writer in every row but is not identified by name in this report (the process entries carry no PIDs). The memory/3580-* dumps in the Files section map the same 0x0000000140000000-0x00000001401EE000 range as PID 1208, and of the six targets only the AppData copies (2788, 944 and 4336) have dumps recorded, each with its own 0x0000000140000000 image; the system32 targets 4872, 3212 and 1064 have none.

Uses Task Scheduler COM API

persistence

Processes

Image | Command line
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\2bcec1e43ba5360ab26a35c9c13db2ba.dll,#1
C:\Windows\system32\unregmp2.exe | C:\Windows\system32\unregmp2.exe
C:\Users\Admin\AppData\Local\JQSqOAORl\unregmp2.exe | C:\Users\Admin\AppData\Local\JQSqOAORl\unregmp2.exe
C:\Windows\system32\SystemPropertiesComputerName.exe | C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\ZdXfloJ\SystemPropertiesComputerName.exe | C:\Users\Admin\AppData\Local\ZdXfloJ\SystemPropertiesComputerName.exe
C:\Windows\system32\ProximityUxHost.exe | C:\Windows\system32\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\rPY\ProximityUxHost.exe | C:\Users\Admin\AppData\Local\rPY\ProximityUxHost.exe

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | (none recorded) | tcp
US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (4 connections)

The in-addr.arpa rows are reverse (PTR) lookups sent to the Google resolver. The report attaches no process to any connection and no domain to the single 52.142.223.178:80 connection, so none of this traffic can be attributed to the sample from this report alone.

Files

memory/1208-1-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/1208-0-0x00000268064C0000-0x00000268064C7000-memory.dmp

memory/1208-8-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-9-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-10-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-11-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-12-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-7-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-13-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-14-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-5-0x00007FF93046A000-0x00007FF93046B000-memory.dmp

memory/3580-4-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/3580-15-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-16-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-17-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-18-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-20-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-21-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-22-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-24-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-19-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-23-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-25-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-26-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-27-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-28-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-29-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-31-0x0000000002A30000-0x0000000002A37000-memory.dmp

memory/3580-30-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-38-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-39-0x00007FF930500000-0x00007FF930510000-memory.dmp

memory/3580-48-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/3580-50-0x0000000140000000-0x00000001401EE000-memory.dmp

C:\Users\Admin\AppData\Local\JQSqOAORl\unregmp2.exe

MD5 a6fc8ce566dec7c5873cb9d02d7b874e
SHA1 a30040967f75df85a1e3927bdce159b102011a61
SHA256 21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d
SHA512 f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

C:\Users\Admin\AppData\Local\JQSqOAORl\VERSION.dll

MD5 73cfaf8fc14ad846a4e1f911a0343dd1
SHA1 5417dee1fe6d4bbba7c175ac2c17ef1285ec9115
SHA256 77d2d195b020812204c4e6d6339f65d260d3440bc270380b382c61e47e41ba3a
SHA512 68c48c66e9e31f78f3e806f9b133b6a083c0c87ab277525f868b708053c2e4211e704137322d054541bcba963c727b832eef1c5f70b13fbf4c8088806e6d4ebf

memory/2788-60-0x0000023FB3D50000-0x0000023FB3D57000-memory.dmp

memory/2788-59-0x0000000140000000-0x00000001401EF000-memory.dmp

memory/2788-65-0x0000000140000000-0x00000001401EF000-memory.dmp

C:\Users\Admin\AppData\Local\ZdXfloJ\SystemPropertiesComputerName.exe

MD5 6711765f323289f5008a6a2a04b6f264
SHA1 d8116fdf73608b4b254ad83c74f2232584d24144
SHA256 bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e
SHA512 438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

C:\Users\Admin\AppData\Local\ZdXfloJ\SYSDM.CPL

MD5 a20bade2535baeba011db2b941680a9d
SHA1 535019bd200486834c03bc2a823f9096ff30c4c8
SHA256 f99612a92bea6215eba2c78943ea3786f8968e24112d67fd3172de83505a0121
SHA512 4447b3ad54026e59b48ee217921835fb345ef283ff662d6c50ecdaeaeda04f2e7f3a7a4bb69e21f60a8c724b08ad69d5d9da47cd8ba01b139efc2ef50db07d70

memory/944-79-0x000001C5D96C0000-0x000001C5D96C7000-memory.dmp

memory/944-84-0x0000000140000000-0x00000001401EF000-memory.dmp

C:\Users\Admin\AppData\Local\rPY\ProximityUxHost.exe

MD5 9ea326415b83d77295c70a35feb75577
SHA1 f8fc6a4f7f97b242f35066f61d305e278155b8a8
SHA256 192bfde77bf280e48f92d1eceacdc7ec4bf31cda46f7d577c7d7c3ec3ac89d8f
SHA512 2b1943600f97abcd18778101e33eac00c2bd360a3eff62fef65f668a084d8fa38c3bbdedfc6c2b7e8410aa7c9c3df2734705dc502b4754259121adc9198c3692

C:\Users\Admin\AppData\Local\rPY\DUI70.dll

MD5 7536f414bb75a8afec5d9e14421a3e65
SHA1 2595469b3555a49fd3b1132bd4616b67c240b915
SHA256 0425da785545cd57355ac8c1ce26cc81f8f820842110426cf178549e562edc3c
SHA512 cab8f49bf52fee2d6df56d80a2d4b67f729de37ca32f41cb268e81e51f2b5da1b7a014db62fd96e4cc59238065687772ea057285db7380b8b4eb20699546dc40

memory/4336-97-0x0000000140000000-0x0000000140234000-memory.dmp

memory/4336-98-0x0000022448960000-0x0000022448967000-memory.dmp

memory/4336-103-0x0000000140000000-0x0000000140234000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 9922f130e9c1cf910fa73856baf3b62b
SHA1 875b5de91d1bf54357c4511b0c983336753ba817
SHA256 ff517b49a12343abcbb2819cd2b64f02b0de34c35c82881f5f219c8e9071b017
SHA512 8933d5847cb144e6783f73eace80e830ea0431d6bd7d6c853a75c8c219a3cf5a98ce40a2bcee8e23054346a48c1c5e864628a9e75048833aa07fe6eb679255a0
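
Across both detonations the process list pairs a binary executing from C:\Windows\system32 with a same-named copy executing from C:\Users\Admin\AppData\Local\<random>, and the dropped-file list for behavioral2 shows each copy sitting beside a single library-type file (VERSION.dll, SYSDM.CPL, DUI70.dll) in that same directory. That layout is what DLL search-order hijacking looks like on disk: a legitimate executable resolves an import from its own directory before the system directory, so a planted library with the right name is loaded instead. The Python below is an added editorial example, not part of the sandbox report, that encodes this check over the process and dropped-file paths transcribed from the report (embedded as constructed input). The set of trusted image directories and the library extensions are the example's own assumptions, and it treats "same basename also ran from system32" as the trust signal; a production version would consult a known-good inventory (hashes of the real system32 binaries) instead of co-occurrence in one report.

```python
import ntpath
from collections import defaultdict

# Constructed input: process image paths from both detonations and the dropped
# files from behavioral2, transcribed from this report (each path listed once).
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Users\Admin\AppData\Local\KLd\dpnsvr.exe",
    r"C:\Windows\system32\dpnsvr.exe",
    r"C:\Users\Admin\AppData\Local\Y7flg\SystemPropertiesDataExecutionPrevention.exe",
    r"C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe",
    r"C:\Users\Admin\AppData\Local\wmQOwK\irftp.exe",
    r"C:\Windows\system32\irftp.exe",
    r"C:\Windows\system32\unregmp2.exe",
    r"C:\Users\Admin\AppData\Local\JQSqOAORl\unregmp2.exe",
    r"C:\Windows\system32\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\ZdXfloJ\SystemPropertiesComputerName.exe",
    r"C:\Windows\system32\ProximityUxHost.exe",
    r"C:\Users\Admin\AppData\Local\rPY\ProximityUxHost.exe",
]
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\JQSqOAORl\unregmp2.exe",
    r"C:\Users\Admin\AppData\Local\JQSqOAORl\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\ZdXfloJ\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\ZdXfloJ\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\rPY\ProximityUxHost.exe",
    r"C:\Users\Admin\AppData\Local\rPY\DUI70.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk",
]

# Assumptions of this example: only these directories are trusted image
# locations, and a side-loaded payload is named with one of these extensions.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LIBRARY_EXTS = {".dll", ".cpl", ".ocx", ".drv"}


def _in_system_dir(path):
    return ntpath.dirname(path.lower()) in SYSTEM_DIRS


def _user_writable(path):
    p = path.lower()
    return "\\appdata\\" in p or "\\users\\public\\" in p or "\\temp\\" in p


def find_sideload_candidates(process_paths, dropped_files):
    """One finding per system-binary name that also executed from outside a
    system directory, with any library-type files dropped beside the copy."""
    # Basenames observed running from a trusted directory -> that trusted path.
    system_copies = {}
    for p in process_paths:
        if _in_system_dir(p):
            system_copies.setdefault(ntpath.basename(p).lower(), p)

    # Library-type dropped files grouped by (lower-cased) directory.
    libs_by_dir = defaultdict(list)
    for f in dropped_files:
        directory, name = ntpath.split(f)
        if ntpath.splitext(name)[1].lower() in LIBRARY_EXTS:
            libs_by_dir[directory.lower()].append(name)

    findings, seen = [], set()
    for p in process_paths:
        low = p.lower()
        directory, name = ntpath.split(low)
        if _in_system_dir(p) or name not in system_copies or low in seen:
            continue
        seen.add(low)
        findings.append({
            "host": p,
            "system_original": system_copies[name],
            "colocated_libraries": sorted(libs_by_dir.get(directory, [])),
            "user_writable": _user_writable(p),
        })
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(PROCESSES, DROPPED_FILES):
        libs = ", ".join(f["colocated_libraries"]) or "no library recorded"
        print(f"{f['host']}  (copy of {f['system_original']})  side-loads: {libs}")
```

Run against the report's data it yields six hosts, three per detonation; the behavioral1 hosts come back with an empty library list only because that detonation's Files section records memory dumps and no dropped files, which is itself worth noting when comparing the two runs.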