Malware Analysis Report

2024-11-13 16:41

Sample ID 240126-hqyxkshfan
Target 76afafbe9ec4d9c894720599f9812cee
SHA256 44e96f3c81f9089ec61e412623a4f0b474893a9f84acef4e32b318f1d2bbc15e
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44e96f3c81f9089ec61e412623a4f0b474893a9f84acef4e32b318f1d2bbc15e

Threat Level: Known bad

The file 76afafbe9ec4d9c894720599f9812cee was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 06:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 06:57

Reported

2024-01-26 06:57

Platform

win7-20231215-en

Max time kernel

0s

Max time network

2s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\76afafbe9ec4d9c894720599f9812cee.dll,#1

Signatures

N/A (no behavior recorded on this Windows 7 image: kernel time 0s, no network traffic, no dropped files; compare behavioral2, where the same command line ran for 151s on Windows 10)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\76afafbe9ec4d9c894720599f9812cee.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 06:57

Reported

2024-01-26 06:59

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\76afafbe9ec4d9c894720599f9812cee.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\316QUO~1\\Taskmgr.exe" N/A N/A
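Added example, not part of the sandbox output: a small Python triage routine that parses the Run-key line above exactly as the report prints it, un-escapes the data column, and lists the properties that make the entry worth attention: a Windows binary name (Taskmgr.exe) launched from a user-profile path, 8.3 short names that hide the real folder names (316QUO~1 cannot be expanded offline, so do not guess it), and a random-looking value name. The set WINDOWS_BINARIES and the vowel-ratio heuristic are assumptions for illustration, not part of the report.

```python
import re

# The Run-key line exactly as this report prints it (constructed from the
# "Adds Run key to start application" table above, not read from a live registry).
REPORT_RUN_KEY_LINE = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000"
    r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\316QUO~1\\Taskmgr.exe"'
)

# Where Windows-shipped binaries legitimately live, and the binary names this
# report shows being copied out of System32 (assumption: extend for your estate).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
WINDOWS_BINARIES = {"taskmgr.exe", "sndvol.exe", "sppsvc.exe"}


def parse_run_value(line):
    """Return (value_name, target_path) from a sandbox 'Set value' line, or None."""
    m = re.search(r'\\Run\\(\S+) = "(.*)"$', line)
    if m is None:
        return None
    name, raw = m.groups()
    # The report escapes backslashes inside the data column; collapse them.
    return name, raw.replace("\\\\", "\\")


def has_short_names(path):
    """True if the path uses 8.3 short names (MICROS~1, 316QUO~1), which hide
    the real folder names until resolved on the host."""
    return re.search(r"~\d+(?:\\|$)", path) is not None


def looks_random(name, min_len=10, max_vowel_ratio=0.3):
    """Heuristic (assumption): long, vowel-poor alphabetic names such as
    'Gdfgjdhwrlpouj' are typical of generated value names."""
    if len(name) < min_len or not name.isalpha():
        return False
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return vowels / len(name) < max_vowel_ratio


def assess_run_value(line):
    """Parse one Run-key line and list why it deserves attention."""
    parsed = parse_run_value(line)
    if parsed is None:
        return None
    name, target = parsed
    directory, _, exe = target.lower().rpartition("\\")
    findings = []
    if exe in WINDOWS_BINARIES and not directory.startswith(TRUSTED_DIRS):
        findings.append("system binary name outside System32")
    if directory.startswith("c:\\users\\"):
        findings.append("user-profile path")
    if has_short_names(target):
        findings.append("8.3 short names in path")
    if looks_random(name):
        findings.append("random-looking value name")
    return {"value": name, "target": target, "findings": findings}


if __name__ == "__main__":
    verdict = assess_run_value(REPORT_RUN_KEY_LINE)
    print(verdict["value"], "->", verdict["target"])
    for f in verdict["findings"]:
        print("  -", f)
```

On a live host the same checks apply to the HKLM Run key, to the Startup-folder .lnk this report also records (Btpzaqnqvnv.lnk), and to scheduled tasks; the report notes that the Task Scheduler COM API was used but records no task name, so none should be inferred.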

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows with no description, indicator, process or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 4784 N/A N/A C:\Windows\system32\SndVol.exe
PID 3480 wrote to memory of 4784 N/A N/A C:\Windows\system32\SndVol.exe
PID 3480 wrote to memory of 5072 N/A N/A C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe
PID 3480 wrote to memory of 5072 N/A N/A C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe
PID 3480 wrote to memory of 2168 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3480 wrote to memory of 2168 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3480 wrote to memory of 2128 N/A N/A C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe
PID 3480 wrote to memory of 2128 N/A N/A C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe
PID 3480 wrote to memory of 5080 N/A N/A C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe
PID 3480 wrote to memory of 5080 N/A N/A C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\76afafbe9ec4d9c894720599f9812cee.dll,#1

C:\Windows\system32\SndVol.exe

C:\Windows\system32\SndVol.exe

C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe

C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe

C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe

C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
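Added example, not from the report: decoding the Network rows above. Every row is a UDP query to the 8.8.8.8 resolver for an in-addr.arpa name, that is, a reverse (PTR) lookup; the Python below reverses the octets to recover the addresses being looked up and confirms that no forward lookup and no non-DNS flow was captured. The report attributes no process to these queries and records no connection to any of the decoded addresses, so on their own they are not evidence of Dridex C2 and should not be hunted as such. The rows are copied from the table; the classification logic is the editor's.

```python
import ipaddress

# Constructed from this report's Network table: every row is a UDP/53 query to
# 8.8.8.8 for an in-addr.arpa name. Not live capture data.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "241.150.49.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "180.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "20.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "97.17.167.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.165.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "217.135.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "114.110.16.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "194.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "29.243.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "84.65.42.20.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """Recover the IPv4 address a reverse-DNS name asks about (the octets are
    stored least-significant first), or None if it is not a valid PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize_network(rows):
    """Split the rows into resolver-only PTR lookups and anything else
    (forward lookups or non-DNS flows) that would deserve C2 scrutiny."""
    ptr_ips, other = set(), []
    for _country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if proto == "udp" and dest.endswith(":53") and ip is not None:
            ptr_ips.add(ip)
        else:
            other.append((dest, domain, proto))
    return {
        "ptr_lookups": sorted(ptr_ips, key=ipaddress.IPv4Address),
        "needs_review": other,
    }


if __name__ == "__main__":
    result = summarize_network(NETWORK_ROWS)
    for ip in result["ptr_lookups"]:
        print("PTR lookup for", ip)
    print("rows needing review:", result["needs_review"])
```

For this report the "needs_review" list is empty: thirteen PTR lookups and nothing else, which is also consistent with the 148s network window ending before any beacon.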

Files

memory/3532-0-0x000001CDEF4F0000-0x000001CDEF4F7000-memory.dmp

memory/3532-1-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-4-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

memory/3480-6-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-8-0x00007FFE914BA000-0x00007FFE914BB000-memory.dmp

memory/3480-7-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-10-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-11-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-12-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-13-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-14-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-9-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3532-15-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-16-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-17-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-18-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-19-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-20-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-22-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-21-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-23-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-25-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-24-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-26-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-27-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-28-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-29-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-30-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-31-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-32-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-33-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-34-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-35-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-36-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-37-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-38-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-39-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-40-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-41-0x0000000001070000-0x0000000001077000-memory.dmp

memory/3480-48-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-51-0x00007FFE93140000-0x00007FFE93150000-memory.dmp

memory/3480-58-0x0000000140000000-0x00000001401FC000-memory.dmp

memory/3480-60-0x0000000140000000-0x00000001401FC000-memory.dmp

C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe

MD5 c5d939ac3f9d885c8355884199e36433
SHA1 b8f277549c23953e8683746e225e7af1c193ad70
SHA256 68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605
SHA512 8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

C:\Users\Admin\AppData\Local\kTVDvnN\dwmapi.dll

MD5 f92e8877bb11abf5a9dcd950e5f54fd1
SHA1 e81d87e4eb930785b80919d3adb2efdcb65ddc69
SHA256 a98d28ea0275d964c43297da2484b1fd87017a273b68aa36fc2b84216b9a8e14
SHA512 6bcf5be17a610cdd4b1470146feb3e990116538863c7b05bd4b6777e135c468d6a2643a8bab6b56076b92161ae7acb6f9f91389ca92f876967ad5d10d3b7fce0

memory/5072-70-0x0000029CFA1E0000-0x0000029CFA1E7000-memory.dmp

memory/5072-69-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/5072-75-0x0000000140000000-0x00000001401FD000-memory.dmp

C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe

MD5 58d5bc7895f7f32ee308e34f06f25dd5
SHA1 7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4
SHA256 4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478
SHA512 872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9

C:\Users\Admin\AppData\Local\3ez\UxTheme.dll

MD5 d198ac7636df150271f4f8958a7d97cb
SHA1 3ad52d13f8ba452e1a472c16fc63ca3c895a61e5
SHA256 6c809f81b32e0847f6f87289731bd0bb89485fda35225c7704571a1374e3bd89
SHA512 559b5f873f3bbd10aac85ca2cc020c1715345994c2a730355b7f5853c328ba80d04a8f7f4eda78f86e869b2e41ad5a972eedf25e3a64040fce976161ee231ce3

memory/2128-87-0x000002A3C1830000-0x000002A3C1837000-memory.dmp

memory/2128-91-0x0000000140000000-0x00000001401FD000-memory.dmp

C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe

MD5 c98c6acb6522abafe9245092cfa8b6cb
SHA1 1722bb062305c170e9cf4370ad7e5799d6c0e1fe
SHA256 623dcec2806c69b7a5b5e4b765df9eb6fcd108567bd5a190efd36f7b4601581e
SHA512 f60a97882c4ccff7131736fbc5252bb8101103a8dd321c140f17b7fb0f9bb9b9983e84a1665fb7c19fc73064afe71bc1e569615f1d00d52afab5229154921e12

C:\Users\Admin\AppData\Local\vqhiCH42\XmlLite.dll

MD5 bed68b881ce0a0b91fc64d9c6fcfa6aa
SHA1 cd8061e25e6acb1259609147b5cd2583b074e07b
SHA256 d73fe5039f8b5ab0a6c0c5d060c9427d82f83e0982138592289c9963b38fbe68
SHA512 d9128f4e628a8db849a13f3d39cfecc3aa5f4f83bfaa0d896d588d900aafbf8dec788e03e99f36602f9e542486fa92d90fd80ea8b281a79fdf7f2b2077a059ba

C:\Users\Admin\AppData\Local\vqhiCH42\XmlLite.dll

MD5 f1c60684c8dcba059b64a0da6addc5d2
SHA1 14259fdd8acfa50e23ef20a922f28d9908c45833
SHA256 31eda860e668751895fa9429fe9b8291b0f8bff44d5c4cc100810b5394130e86
SHA512 757c1baf1d1987c43838e19a1eb33cf757c1b24e7428201df82fc898eaa69092ec9adf825bba9232095b8968e59a4a2071bfb849afb62c0f6079fd4241f3786c

memory/5080-104-0x000001D0A1C50000-0x000001D0A1C57000-memory.dmp

memory/5080-109-0x0000000140000000-0x00000001401FD000-memory.dmp

C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe

MD5 ec6cef0a81f167668e18fa32f1606fce
SHA1 6d56837a388ae5573a38a439cee16e6dde5b4de8
SHA256 82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8
SHA512 f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 35bc9e968597de377f592b8dc97f86cf
SHA1 538eb30c2a0cb31412e9eb3b9bb15f68b3756e04
SHA256 5ae7616aa43b21f18420f6b19156bf03637a1cc40c7d34b3d93be0a0b32ec701
SHA512 079d89059d08f3b1e2145dd8baa7f2e7a9ef8958d525d4e86d4b94cb9d91e9acaba0daaf1299c4906943cceca79b8bce2a70104265b6bc75e0331d5396ae65dd
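Added example, not part of the report: the dropped-file and WriteProcessMemory tables above, copied into Python, pair each copy of a Windows binary in a randomly named directory (SndVol.exe, Taskmgr.exe, sppsvc.exe) with the DLL planted beside it (dwmapi.dll, UxTheme.dll, XmlLite.dll), which is the DLL side-loading pattern this loader relies on: the copied binary is genuine, so only the DLL next to it carries the payload. The script also finds paths the sample wrote twice with different content and collects the SHA256 values as IOCs. The paths and hashes are copied from the page; the entries in SYSTEM_DLLS beyond the three seen here are an assumption.

```python
from collections import defaultdict

# Constructed from this report's Files table: (path, SHA256) for each dropped
# file, copied from the page. Not a live filesystem listing.
DROPPED = [
    (r"C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe",
     "68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605"),
    (r"C:\Users\Admin\AppData\Local\kTVDvnN\dwmapi.dll",
     "a98d28ea0275d964c43297da2484b1fd87017a273b68aa36fc2b84216b9a8e14"),
    (r"C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe",
     "4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478"),
    (r"C:\Users\Admin\AppData\Local\3ez\UxTheme.dll",
     "6c809f81b32e0847f6f87289731bd0bb89485fda35225c7704571a1374e3bd89"),
    (r"C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe",
     "623dcec2806c69b7a5b5e4b765df9eb6fcd108567bd5a190efd36f7b4601581e"),
    (r"C:\Users\Admin\AppData\Local\vqhiCH42\XmlLite.dll",
     "d73fe5039f8b5ab0a6c0c5d060c9427d82f83e0982138592289c9963b38fbe68"),
    (r"C:\Users\Admin\AppData\Local\vqhiCH42\XmlLite.dll",
     "31eda860e668751895fa9429fe9b8291b0f8bff44d5c4cc100810b5394130e86"),
    (r"C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe",
     "82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk",
     "5ae7616aa43b21f18420f6b19156bf03637a1cc40c7d34b3d93be0a0b32ec701"),
]

# (source PID, target PID, target image) from the WriteProcessMemory table.
WPM = [
    (3480, 4784, r"C:\Windows\system32\SndVol.exe"),
    (3480, 5072, r"C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe"),
    (3480, 2168, r"C:\Windows\system32\Taskmgr.exe"),
    (3480, 2128, r"C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe"),
    (3480, 5080, r"C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe"),
]

# DLL names that ship in System32 and are imported by the copied binaries: the
# three seen in this report plus two other commonly abused names (assumption).
SYSTEM_DLLS = {"dwmapi.dll", "uxtheme.dll", "xmllite.dll", "version.dll", "wtsapi32.dll"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _split(path):
    """Lower-cased (directory, filename) for a Windows path."""
    directory, _, filename = path.rpartition("\\")
    return directory.lower(), filename.lower()


def side_load_pairs(dropped):
    """Directories outside the trusted set that hold a copied .exe next to a DLL
    named like a system DLL: the side-loading unit the loader builds."""
    by_dir = defaultdict(set)
    for path, _ in dropped:
        directory, filename = _split(path)
        if not directory.startswith(TRUSTED_DIRS):
            by_dir[directory].add(filename)
    pairs = []
    for directory, names in sorted(by_dir.items()):
        exes = sorted(n for n in names if n.endswith(".exe"))
        dlls = sorted(n for n in names if n in SYSTEM_DLLS)
        if exes and dlls:
            pairs.append({"dir": directory, "exe": exes, "planted_dll": dlls})
    return pairs


def rewritten_paths(dropped):
    """Paths reported more than once with different content (same path, >1 SHA256)."""
    hashes = defaultdict(set)
    for path, sha in dropped:
        hashes[path.lower()].add(sha)
    return {p: sorted(h) for p, h in hashes.items() if len(h) > 1}


def hijacked_originals(wpm):
    """Basenames that one source PID injected into both in System32 and in a copy."""
    seen = defaultdict(lambda: {"system": False, "copy": False})
    for src, _, image in wpm:
        directory, filename = _split(image)
        seen[(src, filename)]["system" if directory.startswith(TRUSTED_DIRS) else "copy"] = True
    return sorted(f for (_, f), v in seen.items() if v["system"] and v["copy"])


def sha256_iocs(dropped):
    """Unique SHA256 values to hunt for across the estate."""
    return sorted({sha for _, sha in dropped})


if __name__ == "__main__":
    for p in side_load_pairs(DROPPED):
        print(f"side-load dir {p['dir']}: {p['exe']} + {p['planted_dll']}")
    for path, shas in rewritten_paths(DROPPED).items():
        print(f"rewritten: {path} -> {len(shas)} distinct hashes")
    print("injected into original and copy:", hijacked_originals(WPM))
    print(len(sha256_iocs(DROPPED)), "SHA256 IOCs")
```

Two details the output exposes: rundll32 (PID 3480) wrote into both the System32 original and the copied SndVol.exe and Taskmgr.exe, but the report records a write only into the copied sppsvc.exe even though the process list shows the System32 sppsvc.exe was launched too; and vqhiCH42\sppsvc.exe and vqhiCH42\XmlLite.dll each appear with two hashes, so a hunt keyed on a single hash per path will miss one version. The memory dumps also show a roughly 2 MB image at base 0x140000000 in rundll32 (3480) and in each side-loaded process (5072, 2128, 5080), so the payload, not only the host binary, is running in every one of them.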