Malware Analysis Report

2024-11-30 21:41

Sample ID 231231-mc1apsbfcj
Target 326e9995e950dbe5f86a9186b0cc94b4
SHA256 3be4c05419439115faeb1c96b7098c71dd1b5028e04ca0763a45956457927a91
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 3be4c05419439115faeb1c96b7098c71dd1b5028e04ca0763a45956457927a91

Threat Level: Known bad

The file 326e9995e950dbe5f86a9186b0cc94b4 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, persistence, trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

The report's matrix view is not reproduced here; the techniques below are mapped from the signatures that fired in the behavioral runs:

T1218.011 System Binary Proxy Execution: Rundll32 (sample launched as rundll32.exe <dll>,#1)
T1574.002 Hijack Execution Flow: DLL Side-Loading (copies of Windows binaries dropped into random %LOCALAPPDATA% folders, each beside a DLL named after a system library it depends on: FVEWIZ.dll, XmlLite.dll, WINSTA.dll)
T1055 Process Injection (WriteProcessMemory into freshly started processes, UnmapMainImage)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (HKCU Run value Gdfgjdhwrlpouj and Startup shortcut Btpzaqnqvnv.lnk)
T1053.005 Scheduled Task/Job: Scheduled Task (Task Scheduler COM API)
T1057 Process Discovery (EnumeratesProcesses)
UAC status check (EnableLUA queried from every payload-bearing process); no UAC bypass itself is evidenced in this report

Analysis: static1

Detonation Overview

Reported: 2023-12-31 10:19

Signatures

Unsigned PE (no indicator, process or target recorded)

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 10:19
Reported: 2024-01-04 05:20
Platform: win10v2004-20231215-en
Max time kernel: 144s
Max time network: 165s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\326e9995e950dbe5f86a9186b0cc94b4.dll,#1

Signatures

Dridex
botnet dridex

Dridex Shellcode
botnet payload
(no indicator, process or target recorded)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\nItGzhq\\MusNotificationUx.exe" | N/A | N/A

The Run value launches a copy of MusNotificationUx.exe from a further location, %APPDATA%\Microsoft\Crypto\nItGzhq, which is not the U46 folder listed under Files; neither that copy nor any DLL beside it has a hash in this report. The Startup-folder shortcut Btpzaqnqvnv.lnk under Files is a second autorun entry.

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\BTonN2\BitLockerWizardElev.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\U46\MusNotificationUx.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ZD1f\RdpSaUacHelper.exe | N/A

EnableLUA is read not only by the rundll32.exe host but by each of the three relocated Windows binaries, which shows that Dridex code is executing inside those trusted-named processes (loaded through the DLL dropped next to each of them).

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (4 events)
N/A | N/A | N/A | N/A (60 further events with no process recorded)

Suspicious use of UnmapMainImage

(no indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3480 wrote to memory of 4508 | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe (2 writes)
PID 3480 wrote to memory of 4164 | N/A | N/A | C:\Users\Admin\AppData\Local\BTonN2\BitLockerWizardElev.exe (2 writes)
PID 3480 wrote to memory of 1680 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe (2 writes)
PID 3480 wrote to memory of 3952 | N/A | N/A | C:\Users\Admin\AppData\Local\U46\MusNotificationUx.exe (2 writes)
PID 3480 wrote to memory of 2300 | N/A | N/A | C:\Windows\system32\RdpSaUacHelper.exe (2 writes)
PID 3480 wrote to memory of 456 | N/A | N/A | C:\Users\Admin\AppData\Local\ZD1f\RdpSaUacHelper.exe (2 writes)

Every write comes from a single process, PID 3480, which is not named in the Processes list below. The memory dumps under Files show the same 0x0000000140000000-0x00000001401AF000 image mapped in both PID 2104 and PID 3480, consistent with the loader running in a process other than the initial rundll32.exe. For each of the three Windows binaries the order is the same: the System32 original is started and written to first, then the copy in a random %LOCALAPPDATA% folder. Process-creation telemetry keyed on parent PID 3480 would capture the whole chain.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\326e9995e950dbe5f86a9186b0cc94b4.dll,#1

The following processes were each started with a command line identical to the image path (PIDs taken from the WriteProcessMemory table above):

C:\Windows\system32\BitLockerWizardElev.exe (PID 4508)
C:\Users\Admin\AppData\Local\BTonN2\BitLockerWizardElev.exe (PID 4164)
C:\Windows\system32\MusNotificationUx.exe (PID 1680)
C:\Users\Admin\AppData\Local\U46\MusNotificationUx.exe (PID 3952)
C:\Windows\system32\RdpSaUacHelper.exe (PID 2300)
C:\Users\Admin\AppData\Local\ZD1f\RdpSaUacHelper.exe (PID 456)

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp (3 connections)

No command-and-control traffic is recorded in this run. Every UDP entry is a reverse-DNS (PTR) lookup sent to 8.8.8.8, and the only TCP connections go to tse1.mm.bing.net, a Microsoft host; this is consistent with Windows 10 background traffic rather than Dridex C2, so this report yields no network IOCs.

Files

Memory dumps (PID-index-range):
memory/2104-0-0x0000018F9AE80000-0x0000018F9AE87000-memory.dmp
memory/2104-{1,8}-0x0000000140000000-0x00000001401AF000-memory.dmp
memory/3480-4-0x00000000031A0000-0x00000000031A1000-memory.dmp
memory/3480-6-0x00007FFE286FA000-0x00007FFE286FB000-memory.dmp
memory/3480-{7,9-36,44,54,56}-0x0000000140000000-0x00000001401AF000-memory.dmp (32 dumps of the same image)
memory/3480-37-0x0000000001450000-0x0000000001457000-memory.dmp
memory/3480-47-0x00007FFE289A0000-0x00007FFE289B0000-memory.dmp

C:\Users\Admin\AppData\Local\BTonN2\BitLockerWizardElev.exe
MD5 8ac5a3a20cf18ae2308c64fd707eeb81
SHA1 31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544
SHA256 803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5
SHA512 85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

C:\Users\Admin\AppData\Local\BTonN2\FVEWIZ.dll
MD5 9fbfc1be8c63ba3db32d51bce4b56292
SHA1 d3bef1b249bf150c13e147b3c280eaea9db50232
SHA256 a7c5c5b06d6445429c5766d2de665e0d2c10e8d60eb3fd4128822cbfda9cd022
SHA512 6d7815bcab181aa67e868e7af32a0c103574ecccac20ae68c4d37eb96d3a64cba7cc25b24a7483c9060169078a498daf1bc4b7dcf20bee099bc9ddb3fdaf701b

memory/4164-65-0x0000028A83EB0000-0x0000028A83EB7000-memory.dmp
memory/4164-{66,71}-0x0000000140000000-0x00000001401B0000-memory.dmp

C:\Users\Admin\AppData\Local\U46\MusNotificationUx.exe
MD5 869a214114a81712199f3de5d69d9aad
SHA1 be973e4188eff0d53fdf0e9360106e8ad946d89f
SHA256 405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361
SHA512 befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

C:\Users\Admin\AppData\Local\U46\XmlLite.dll
MD5 fae16bd8ec2c7c6282738e933fb90d2f
SHA1 23921af047bf10c821d33973a0b057d88d255faf
SHA256 019e8bcd9ac815770d5b97c619250b8e6f671fe92dde36f2ae1f395895235519
SHA512 e2e834868a016a58be41d166513f65422e9b6ff407b6e6d4f74cff98d2d00b716f3f37f79518dd315006ffb71afcff14411d423329a85cd7889b87fd9b9fcebd

memory/3952-84-0x000001F7D6B00000-0x000001F7D6B07000-memory.dmp
memory/3952-90-0x0000000140000000-0x00000001401B0000-memory.dmp

C:\Users\Admin\AppData\Local\ZD1f\RdpSaUacHelper.exe
MD5 0d5b016ac7e7b6257c069e8bb40845de
SHA1 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA256 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512 cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

C:\Users\Admin\AppData\Local\ZD1f\WINSTA.dll
MD5 d3b046dd9c0fda92d0825fdc01f46225
SHA1 e3f56186d98145c7a00c11209994b4b344223542
SHA256 184846d9d6f7491d947ce7016fea4abde3807f8765385fff1db6714adc373744
SHA512 13c15d4c12c321ba86b21308ea0bdf98abbfdc4ee3b337d36f3f4150434dc7fea240ee336174ccf03130fd17de1264a239566ff4c976d899cebd460dbe278394

memory/456-{101,107}-0x0000000140000000-0x00000001401B1000-memory.dmp
memory/456-102-0x0000023251C00000-0x0000023251C07000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
MD5 99eb3c847175c1458ad85d54d8888294
SHA1 e04a95199aed94ba09e5eb7d8bd1e30eef80a7d2
SHA256 83623c7eec337d68686885462046852f1fce981709df3086bb93bad73abc6fa4
SHA512 9ec1253e5ab7d305139102e2cc372b076a52c303bd1f189505152137fcccced76505c192026f11cf4a71bb65f261d098dd54d0e7d2262626f1f57927d7446001

Each dropped EXE sits beside exactly one DLL that carries the name of a Windows system library (FVEWIZ.dll, XmlLite.dll, WINSTA.dll). In the Dridex side-loading chain the DLL is the payload and the EXE is a copy of a legitimate Windows binary placed where its DLL search finds the malicious copy first. Before adding the EXE hashes to a blocklist, compare them with the System32 originals on a clean host of the same build: if they match, the hash belongs to a genuine Microsoft binary and blocking it would break the real program. The DLL hashes and the folder/Run-value names are the indicators worth acting on.
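
Pulling the three observations above into one check (an added example, not part of this report or of the sandbox's own detections): a small Python triage script that flags (1) a System32 image name executing from a folder under C:\Users, (2) a DLL with a System32 library's name loaded from that same folder, and (3) an HKCU Run value pointing at such a relocated binary. The process paths, PIDs, DLL paths and Run value are taken from this report; the System32 name sets, the attribution of each dropped DLL to the EXE beside it, the System32 FVEWIZ.dll load and the SecurityHealth Run entry are constructed for the example.

```python
"""Triage checks for the Dridex side-loading chain seen in this report.

Added example; not code from the report or the sandbox. Events are constructed
from the report's paths, PIDs and Run value; the System32 reference sets stand in
for an inventory taken from a clean host.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Constructed reference data: generate from a golden image in production rather
# than hard-coding the names that happened to appear in one report.
SYSTEM32_IMAGES = {
    "bitlockerwizardelev.exe", "musnotificationux.exe", "rdpsauachelper.exe",
    "lpksetup.exe", "slui.exe", "wbengine.exe", "rundll32.exe",
}
SYSTEM32_DLLS = {"fvewiz.dll", "xmllite.dll", "winsta.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class Finding:
    technique: str
    pid: int | None
    detail: str


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()

def _name(path: str) -> str:
    return ntpath.basename(path).lower()

def _under_user_profile(path: str) -> bool:
    return path.lower().startswith("c:\\users\\")


def relocated_system_binaries(processes):
    """A System32 image name running from a user-writable folder (masquerading)."""
    return [
        Finding("relocated system binary", pid, image)
        for pid, image in processes
        if _name(image) in SYSTEM32_IMAGES
        and _dir(image) not in SYSTEM_DIRS
        and _under_user_profile(image)
    ]

def side_loaded_dlls(processes, module_loads):
    """A System32 DLL name loaded from the same non-system folder as its EXE:
    the search-order hijack that makes a trusted binary run the payload."""
    image_by_pid = dict(processes)
    findings = []
    for pid, dll in module_loads:
        exe = image_by_pid.get(pid)
        if (exe and _name(dll) in SYSTEM32_DLLS
                and _dir(dll) == _dir(exe) and _dir(dll) not in SYSTEM_DIRS):
            findings.append(Finding("dll side-loading", pid, f"{exe} loaded {dll}"))
    return findings

def suspicious_autoruns(run_values):
    """HKCU Run values whose target is a System32 image name under the user profile."""
    findings = []
    for name, target in run_values.items():
        target = target.strip('"')
        if _under_user_profile(target) and _name(target) in SYSTEM32_IMAGES:
            findings.append(Finding("autorun of relocated system binary", None,
                                    f"{name} = {target}"))
    return findings


# --- constructed input, taken from the report's tables ---------------------------
# (pid, image): PIDs from the WriteProcessMemory table; PID 3480 is the writer.
PROCESSES = [
    (4508, r"C:\Windows\system32\BitLockerWizardElev.exe"),
    (4164, r"C:\Users\Admin\AppData\Local\BTonN2\BitLockerWizardElev.exe"),
    (1680, r"C:\Windows\system32\MusNotificationUx.exe"),
    (3952, r"C:\Users\Admin\AppData\Local\U46\MusNotificationUx.exe"),
    (2300, r"C:\Windows\system32\RdpSaUacHelper.exe"),
    (456, r"C:\Users\Admin\AppData\Local\ZD1f\RdpSaUacHelper.exe"),
]
# (pid, dll): the dropped DLLs from Files, attributed to the EXE in the same folder
# (the report lists files, not load events). The last entry is a constructed benign
# load by the System32 original, to show the check does not fire on it.
MODULE_LOADS = [
    (4164, r"C:\Users\Admin\AppData\Local\BTonN2\FVEWIZ.dll"),
    (3952, r"C:\Users\Admin\AppData\Local\U46\XmlLite.dll"),
    (456, r"C:\Users\Admin\AppData\Local\ZD1f\WINSTA.dll"),
    (4508, r"C:\Windows\system32\FVEWIZ.dll"),
]
# Run value from the persistence signature, plus a constructed benign entry.
RUN_VALUES = {
    "Gdfgjdhwrlpouj": r'"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\nItGzhq\MusNotificationUx.exe"',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
}


def triage(processes=PROCESSES, module_loads=MODULE_LOADS, run_values=RUN_VALUES):
    return (relocated_system_binaries(processes)
            + side_loaded_dlls(processes, module_loads)
            + suspicious_autoruns(run_values))


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.technique}] pid={f.pid} {f.detail}")
```

On a live host the same functions take Sysmon event ID 1 (process create) and event ID 7 (image load) records, and the Run values are read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run with winreg; the reference sets should come from a clean build of the same Windows version. Note that the Run value in this report points at a further MusNotificationUx.exe copy under %APPDATA%\Microsoft\Crypto\nItGzhq that has no file hash in the report; the name-plus-location check still catches it, which is why it is preferable to hash matching for this family.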

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 10:19
Reported: 2024-01-04 05:20
Platform: win7-20231215-en
Max time kernel: 3s
Max time network: 118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\326e9995e950dbe5f86a9186b0cc94b4.dll,#1

Signatures

Dridex
botnet dridex

Dridex Shellcode
botnet payload
(no indicator, process or target recorded)

Checks whether UAC is enabled
evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (3 events)

Unlike the Windows 10 run, no persistence, WriteProcessMemory or UnmapMainImage signatures fired here, although the same relocation of Windows binaries is visible in the process list below.

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\326e9995e950dbe5f86a9186b0cc94b4.dll,#1

The following processes were each started with a command line identical to the image path:

C:\Users\Admin\AppData\Local\hcOx\lpksetup.exe
C:\Windows\system32\lpksetup.exe
C:\Users\Admin\AppData\Local\FfcmUx\slui.exe
C:\Windows\system32\slui.exe
C:\Users\Admin\AppData\Local\Z8u4fmSs\wbengine.exe
C:\Windows\system32\wbengine.exe

Same technique as the Windows 10 run, with a different set of Windows binaries (lpksetup.exe, slui.exe, wbengine.exe) that exist on Windows 7; the hosting binaries therefore cannot be used as a fixed indicator across OS versions, whereas the pattern (System32 image name executing from a random %LOCALAPPDATA% folder) can.

Network

N/A (no network activity recorded in the Windows 7 run)

Files

Memory dumps only (PID-index-range); no dropped files were hashed in this run:
memory/2348-{0,8}-0x0000000140000000-0x00000001401AF000-memory.dmp
memory/2348-1-0x00000000000A0000-0x00000000000A7000-memory.dmp
memory/1192-4-0x0000000077816000-0x0000000077817000-memory.dmp
memory/1192-5-0x00000000025F0000-0x00000000025F1000-memory.dmp
memory/1192-{7,9-36,44,55,60,64}-0x0000000140000000-0x00000001401AF000-memory.dmp (33 dumps of the same image)
memory/1192-38-0x0000000002600000-0x0000000002607000-memory.dmp
memory/1192-45-0x0000000077921000-0x0000000077922000-memory.dmp
memory/1192-46-0x0000000077A80000-0x0000000077A82000-memory.dmp
memory/1192-151-0x0000000077816000-0x0000000077817000-memory.dmp
memory/2572-{73,78}-0x0000000140000000-0x00000001401B0000-memory.dmp
memory/2572-75-0x0000000000100000-0x0000000000107000-memory.dmp
memory/2924-97-0x0000000000190000-0x0000000000197000-memory.dmp
memory/2924-102-0x0000000140000000-0x00000001401B0000-memory.dmp

As in the Windows 10 run, the 0x0000000140000000 image appears in the initial rundll32.exe process (PID 2348) and again in a second process (PID 1192), and then in the relocated binaries (PIDs 2572 and 2924). Because the Windows 7 run recorded no file hashes and no Run key, the Windows 10 run (behavioral2) is the one to use for file and persistence indicators.