Malware Analysis Report

2024-11-30 21:34

Sample ID 240105-jfwj5sgeg2
Target 431fd3c7422063241701cfc315eb2bf2
SHA256 b0dd5691185e78d04a4e84060c37f4f4ff77cb3c0efe9cae03e19f172e91bd87
Tags
dridex botnet evasion payload persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

b0dd5691185e78d04a4e84060c37f4f4ff77cb3c0efe9cae03e19f172e91bd87

Threat Level: Known bad

The file 431fd3c7422063241701cfc315eb2bf2 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-05 07:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-05 07:37

Reported

2024-01-05 07:40

Platform

win7-20231215-en

Max time kernel

150s

Max time network

128s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\431fd3c7422063241701cfc315eb2bf2.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\F1e\msinfo32.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\IZ4z\spinstall.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\pkp\msdt.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\ysmqlthutIC\\spinstall.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\F1e\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\IZ4z\spinstall.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pkp\msdt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 3056 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1188 wrote to memory of 1616 N/A N/A C:\Users\Admin\AppData\Local\F1e\msinfo32.exe
PID 1188 wrote to memory of 1636 N/A N/A C:\Windows\system32\spinstall.exe
PID 1188 wrote to memory of 584 N/A N/A C:\Users\Admin\AppData\Local\IZ4z\spinstall.exe
PID 1188 wrote to memory of 2960 N/A N/A C:\Windows\system32\msdt.exe
PID 1188 wrote to memory of 2616 N/A N/A C:\Users\Admin\AppData\Local\pkp\msdt.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\431fd3c7422063241701cfc315eb2bf2.dll

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\F1e\msinfo32.exe

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\IZ4z\spinstall.exe

C:\Windows\system32\msdt.exe

C:\Users\Admin\AppData\Local\pkp\msdt.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\F1e\MFC42u.dll

MD5 908197edbd91ba50e284a0c3e9780e89
SHA1 f51d2fb287968bac53e5838a578e28a67232ca52
SHA256 e16efc981050398cadf7c6acbb11332f4083f1138629115f324d2ccdaacba983
SHA512 af641d977c3d805993fed14a154014b4ae0fc545af01849190d159e4cb836dc0f33e413a14f81e49f8051675b2dc46d6c7116a827cf7697943a8685d9ea0e7eb

C:\Users\Admin\AppData\Local\F1e\msinfo32.exe

MD5 d291620d4c51c5f5ffa62ccdc52c5c13
SHA1 2081c97f15b1c2a2eadce366baf3c510da553cc7
SHA256 76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae
SHA512 75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

\Users\Admin\AppData\Local\IZ4z\spinstall.exe

MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

C:\Users\Admin\AppData\Local\IZ4z\WTSAPI32.dll

MD5 986b61dc86acaea4fbc79f0dce9f8c4b
SHA1 a06dccbf5b9b31ee194c53c628a2be05ee4e744f
SHA256 69ef19eb3314340c0002bed325823ed5293005ec884498d6e00671903a6972db
SHA512 882ceb00c90bf71ed2c1d2808233e4cb422159c42e8de8335ca63f4a0e362dc2b946b39f4d7a3c4527e88a49a672e828175abd07e978fafa43d934596e6e6466

\Users\Admin\AppData\Local\pkp\msdt.exe

MD5 aecb7b09566b1f83f61d5a4b44ae9c7e
SHA1 3a4a2338c6b5ac833dc87497e04fe89c5481e289
SHA256 fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5
SHA512 6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

\Users\Admin\AppData\Local\pkp\Secur32.dll

MD5 a98501baf95cf4af561c5762b10f4a0d
SHA1 17f8b8e878778291b062aef8beae0b4751c75e65
SHA256 9bd05146c6f5006c01c6e45d0f6d94226a8611184a2d9aef9b18b8da75dea026
SHA512 1b045b05da2f2c2013c4358f58625975a5f0a8b62d1037b14c030964ffe9269554bad34bb8ec698251165f769f2227c59962a84ca404e663d51a2d621b152759

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 59c1fd0121e76347f591f70f5d82b96c
SHA1 14055e3d1d5afcca1a8e6fa5ff02907ab52e64cb
SHA256 f2cbdac01aac0014f17a969589e95e12e6ab9cc18936972fd0bdb85754c851fa
SHA512 c168c7571c37a147a2addc462328115ed8d038507d0b845d7713d152fd5ce10c91ffbf0fa7a7a4ed4a2b3db172b74e3ac32af24ef7f32d6b8f5bece15393bcc7

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 07:37

Reported

2024-01-05 07:40

Platform

win10v2004-20231215-en

Max time network

101s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Files

N/A