Malware Analysis Report

2024-11-30 21:27

Sample ID: 231222-texqxsefa7
Target: e3ddd19537fbfe6e4dd6fd445c3f6e3c
SHA256: 688f0f9ec8429037d5775788166500e6dac955c36caa2eab4e6b16d88c07d370
Tags: dridex, botnet, evasion, payload, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 688f0f9ec8429037d5775788166500e6dac955c36caa2eab4e6b16d88c07d370

Threat Level: Known bad

The file e3ddd19537fbfe6e4dd6fd445c3f6e3c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-22 15:58

Signatures

Unsigned PE

The PE carries no Authenticode signature. No further indicator details were recorded for this hit (Description, Indicator, Process and Target are all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-22 15:58
Reported: 2023-12-24 05:07
Platform: win7-20231215-en
Max time kernel: 3s
Max time network: 119s

Only about three seconds of kernel-side behaviour were captured, against 119 seconds of network capture. Treat the process, registry and file data below as a short trace: the absence of persistence or command-and-control activity is a coverage limit of this run, not evidence that the sample lacks it.

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ddd19537fbfe6e4dd6fd445c3f6e3c.dll,#1

The ",#1" suffix makes rundll32 call the DLL's export with ordinal 1 rather than a named export, and the DLL is loaded from the user's Temp directory. Both are worth alerting on in command-line telemetry: ordinal-only exports are rare in legitimate rundll32 usage, and legitimate rundll32 targets almost never live under a user's Temp.

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload)

No per-event indicator details were recorded for these two signature hits.

Checks whether UAC is enabled (evasion, trojan)

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe
Target: N/A

EnableLUA is 1 when UAC is on and 0 when it is off. Reading it is benign on its own (installers do it too); it is flagged here because the read is performed by the loader process, and malware commonly uses the result to decide whether a UAC bypass is needed before escalating.

Suspicious behavior: EnumeratesProcesses (3 events)

Process: C:\Windows\system32\rundll32.exe (no indicator details recorded)

Processes

Image path: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ddd19537fbfe6e4dd6fd445c3f6e3c.dll,#1

Image path: C:\Windows\system32\dccw.exe
Command line: C:\Windows\system32\dccw.exe

Image path: C:\Users\Admin\AppData\Local\XzGD5YI\dccw.exe
Command line: C:\Users\Admin\AppData\Local\XzGD5YI\dccw.exe

Image path: C:\Windows\system32\psr.exe
Command line: C:\Windows\system32\psr.exe

Image path: C:\Users\Admin\AppData\Local\ySWKfy\psr.exe
Command line: C:\Users\Admin\AppData\Local\ySWKfy\psr.exe

Image path: C:\Users\Admin\AppData\Local\K58Q\TpmInit.exe
Command line: C:\Users\Admin\AppData\Local\K58Q\TpmInit.exe

Image path: C:\Windows\system32\TpmInit.exe
Command line: C:\Windows\system32\TpmInit.exe

Image path: C:\Users\Admin\AppData\Local\2Gl6lrSql\msra.exe
Command line: C:\Users\Admin\AppData\Local\2Gl6lrSql\msra.exe

Image path: C:\Windows\system32\msra.exe
Command line: C:\Windows\system32\msra.exe

Four Windows system executables (dccw.exe, psr.exe, TpmInit.exe, msra.exe) each appear twice: once from C:\Windows\system32 and once from a randomly named directory under C:\Users\Admin\AppData\Local. A system binary launched from a user-writable directory is consistent with DLL search-order hijacking, where the benign executable loads a DLL dropped beside it. The copies under AppData\Local, and any DLLs in those directories, are the artefacts to collect from an infected host.

Network

No network activity was recorded in this run.

Files

memory/816-0-0x0000000140000000-0x0000000140183000-memory.dmp

memory/816-1-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1208-4-0x0000000077146000-0x0000000077147000-memory.dmp

memory/1208-5-0x0000000003D70000-0x0000000003D71000-memory.dmp

memory/1208-9-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-22-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-39-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-46-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-54-0x0000000002EE0000-0x0000000002EE7000-memory.dmp

memory/1208-57-0x00000000773B0000-0x00000000773B2000-memory.dmp

memory/1208-66-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-72-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1936-86-0x0000000000280000-0x0000000000287000-memory.dmp

memory/1208-75-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-56-0x0000000077251000-0x0000000077252000-memory.dmp

memory/1208-55-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-47-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-45-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-44-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-43-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-42-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-41-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-40-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-38-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-37-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-36-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-35-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-34-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-33-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-32-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-31-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-30-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-29-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-28-0x0000000140000000-0x0000000140183000-memory.dmp

memory/2004-110-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1208-27-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-26-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-25-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-24-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-23-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-21-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-20-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-19-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-18-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-17-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-16-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-15-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-14-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-13-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-12-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-11-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-10-0x0000000140000000-0x0000000140183000-memory.dmp

memory/816-8-0x0000000140000000-0x0000000140183000-memory.dmp

memory/1208-7-0x0000000140000000-0x0000000140183000-memory.dmp

memory/2212-153-0x0000000000180000-0x0000000000187000-memory.dmp

memory/1208-181-0x0000000077146000-0x0000000077147000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-22 15:58
Reported: 2023-12-24 05:07
Platform: win10v2004-20231215-en
Max time kernel: 0s
Max time network: 124s

The kernel-side trace for this run is effectively empty (0s), so the Dridex and Dridex Shellcode hits rest on the memory dumps listed under Files and on the handful of process and registry events below. Do not read the short process list as the sample's full behaviour on Windows 10.

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ddd19537fbfe6e4dd6fd445c3f6e3c.dll,#1

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload)

No per-event indicator details were recorded for these two signature hits.

Checks whether UAC is enabled (evasion, trojan)

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses (4 events)

Process: C:\Windows\system32\rundll32.exe (no indicator details recorded)

Processes

Image path: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ddd19537fbfe6e4dd6fd445c3f6e3c.dll,#1

Image path: C:\Windows\system32\wermgr.exe
Command line: C:\Windows\system32\wermgr.exe

Image path: C:\Windows\system32\mspaint.exe
Command line: C:\Windows\system32\mspaint.exe

Image path: C:\Users\Admin\AppData\Local\O8AcsueOC\WMPDMC.exe
Command line: C:\Users\Admin\AppData\Local\O8AcsueOC\WMPDMC.exe

Image path: C:\Windows\system32\WMPDMC.exe
Command line: C:\Windows\system32\WMPDMC.exe

Image path: C:\Users\Admin\AppData\Local\UEo\mspaint.exe
Command line: C:\Users\Admin\AppData\Local\UEo\mspaint.exe

Image path: C:\Users\Admin\AppData\Local\9je6\wermgr.exe
Command line: C:\Users\Admin\AppData\Local\9je6\wermgr.exe

Same pattern as the Windows 7 run, with a different set of system executables (wermgr.exe, mspaint.exe, WMPDMC.exe) copied into differently named directories (O8AcsueOC, UEo, 9je6). Because both the binaries chosen and the directory names change between runs, detections should key on the pattern (a System32 binary name executing from under AppData\Local) rather than on these specific names.
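The pattern visible in the Processes sections of both runs (system binaries executing from random directories under AppData\Local, and rundll32 loading a DLL from Temp by ordinal) can be turned into a hunting check over process-creation telemetry. The script below is an added example written for this report, not code from the sandbox vendor; its process list is constructed from the two runs above, and the SYSTEM32_NAMES set is an assumption limited to the names seen here (in production you would build it from a clean reference host).

```python
import re
from pathlib import PureWindowsPath

# Process list constructed from the Processes sections of both runs in this report
# (image path, command line). Entries common to the two runs are listed once.
SAMPLE_PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ddd19537fbfe6e4dd6fd445c3f6e3c.dll,#1"),
    (r"C:\Windows\system32\dccw.exe", r"C:\Windows\system32\dccw.exe"),
    (r"C:\Users\Admin\AppData\Local\XzGD5YI\dccw.exe", r"C:\Users\Admin\AppData\Local\XzGD5YI\dccw.exe"),
    (r"C:\Windows\system32\psr.exe", r"C:\Windows\system32\psr.exe"),
    (r"C:\Users\Admin\AppData\Local\ySWKfy\psr.exe", r"C:\Users\Admin\AppData\Local\ySWKfy\psr.exe"),
    (r"C:\Users\Admin\AppData\Local\K58Q\TpmInit.exe", r"C:\Users\Admin\AppData\Local\K58Q\TpmInit.exe"),
    (r"C:\Windows\system32\TpmInit.exe", r"C:\Windows\system32\TpmInit.exe"),
    (r"C:\Users\Admin\AppData\Local\2Gl6lrSql\msra.exe", r"C:\Users\Admin\AppData\Local\2Gl6lrSql\msra.exe"),
    (r"C:\Windows\system32\msra.exe", r"C:\Windows\system32\msra.exe"),
    (r"C:\Windows\system32\wermgr.exe", r"C:\Windows\system32\wermgr.exe"),
    (r"C:\Windows\system32\mspaint.exe", r"C:\Windows\system32\mspaint.exe"),
    (r"C:\Users\Admin\AppData\Local\O8AcsueOC\WMPDMC.exe", r"C:\Users\Admin\AppData\Local\O8AcsueOC\WMPDMC.exe"),
    (r"C:\Windows\system32\WMPDMC.exe", r"C:\Windows\system32\WMPDMC.exe"),
    (r"C:\Users\Admin\AppData\Local\UEo\mspaint.exe", r"C:\Users\Admin\AppData\Local\UEo\mspaint.exe"),
    (r"C:\Users\Admin\AppData\Local\9je6\wermgr.exe", r"C:\Users\Admin\AppData\Local\9je6\wermgr.exe"),
]

# Binaries that legitimately live in System32. Assumption: limited to the names in this
# report; in production, build this set from a clean reference host's directory listing.
SYSTEM32_NAMES = {"dccw.exe", "psr.exe", "tpminit.exe", "msra.exe",
                  "wermgr.exe", "mspaint.exe", "wmpdmc.exe", "rundll32.exe"}

# Directories a standard user can write to; a System32 binary running from one is suspect.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.IGNORECASE)
# rundll32 invoking an export by ordinal: "<path>.dll,#<n>"
RUNDLL32_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(\S+?\.dll),#(\d+)", re.IGNORECASE)


def classify(image_path, cmdline):
    """Return a list of findings for one process-creation event (empty means nothing notable)."""
    findings = []
    path = PureWindowsPath(image_path)
    name = path.name.lower()
    parent = str(path.parent).lower()

    # A known System32 binary running from a user-writable directory: the binary itself is
    # benign, so the interesting artefact is whatever DLL sits beside it in that directory.
    if (name in SYSTEM32_NAMES and not parent.endswith("\\windows\\system32")
            and USER_WRITABLE.match(image_path)):
        findings.append(f"system binary {name} running from user-writable directory {parent}")

    # rundll32 loading a DLL by ordinal from a user-writable path (this report's initial loader).
    match = RUNDLL32_ORDINAL.search(cmdline)
    if match and USER_WRITABLE.match(match.group(1)):
        findings.append(f"rundll32 loads {match.group(1)} by ordinal #{match.group(2)}")
    return findings


def hunt(processes):
    """Run classify over (image_path, cmdline) pairs; returns [(image_path, finding), ...]."""
    return [(image, finding) for image, cmd in processes for finding in classify(image, cmd)]


if __name__ == "__main__":
    for image, finding in hunt(SAMPLE_PROCESSES):
        print(f"{image}\n    {finding}")
```

Run against the constructed list, hunt() reports the rundll32 loader and the seven AppData\Local copies while leaving the System32 originals alone. Tuning note: the check deliberately ignores what the random directory is called, since those names differ between the two runs.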

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Everything captured is DNS to the sandbox resolver (8.8.8.8) and HTTPS to 204.79.197.200 for g.bing.com and tse1.mm.bing.net; the in-addr.arpa names are reverse lookups of addresses in Microsoft and content-delivery-network space. This is consistent with Windows 10 background traffic, and no connection attributable to Dridex command-and-control appears in either run. Given the 0s kernel trace for this run, read that as a coverage limit rather than as proof that the sample never beacons.
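Reverse-lookup names such as 59.128.231.4.in-addr.arpa hide the address that was actually contacted (octets are written in reverse order), so a quick triage step is to decode them and separate direct connections from DNS noise. The following is an added example for this report, not the sandbox vendor's code; the table is constructed from the Network rows above.

```python
import ipaddress
from collections import Counter

# Rows constructed from the behavioral2 Network table of this report:
# country, destination host:port, queried or contacted domain, protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """Decode a reverse-DNS name (59.128.231.4.in-addr.arpa -> 4.231.128.59); None if it is not one."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """Parse the whitespace-separated table into dicts with host, port (int), domain and proto."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Split the capture into direct connections, forward lookups and decoded reverse lookups."""
    direct = Counter((r["host"], r["port"], r["proto"]) for r in rows if r["port"] != 53)
    ptr_targets = sorted({ip for r in rows if (ip := ptr_to_ip(r["domain"])) is not None},
                         key=ipaddress.IPv4Address)
    forward = sorted({r["domain"] for r in rows if r["port"] == 53 and ptr_to_ip(r["domain"]) is None})
    return {"direct": direct, "ptr_targets": ptr_targets, "forward_lookups": forward}


if __name__ == "__main__":
    summary = summarize(parse_rows(NETWORK_ROWS))
    print("direct connections:", dict(summary["direct"]))
    print("forward lookups:", summary["forward_lookups"])
    print("addresses reverse-looked-up:", summary["ptr_targets"])
```

On this table the only direct connection is 204.79.197.200:443 (five times), the forward lookups are the two Bing names, and the decoded reverse lookups give the thirteen addresses the host was checking; those are the values to run through your threat-intelligence lookups rather than the raw in-addr.arpa strings.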

Files

memory/996-0-0x000002599ACB0000-0x000002599ACB7000-memory.dmp

memory/996-1-0x0000000140000000-0x0000000140183000-memory.dmp

memory/996-7-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-17-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-25-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-34-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-43-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-46-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-48-0x0000000000AD0000-0x0000000000AD7000-memory.dmp

memory/3416-56-0x00007FFAA9700000-0x00007FFAA9710000-memory.dmp

memory/3416-67-0x0000000140000000-0x0000000140183000-memory.dmp

memory/4816-76-0x00000280139D0000-0x00000280139D7000-memory.dmp

memory/4816-82-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1500-94-0x0000000140000000-0x0000000140184000-memory.dmp

memory/1500-93-0x0000026ED3140000-0x0000026ED3147000-memory.dmp

memory/4816-77-0x0000000140000000-0x0000000140185000-memory.dmp

memory/2856-113-0x00000130771B0000-0x00000130771B7000-memory.dmp

memory/3416-65-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-55-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-47-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-45-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-44-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-42-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-41-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-40-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-39-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-38-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-37-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-36-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-35-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-33-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-32-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-31-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-30-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-29-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-28-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-27-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-26-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-24-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-23-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-22-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-21-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-20-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-19-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-18-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-16-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-15-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-14-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-13-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-12-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-11-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-10-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-9-0x00007FFAA7C4A000-0x00007FFAA7C4B000-memory.dmp

memory/3416-8-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-6-0x0000000140000000-0x0000000140183000-memory.dmp

memory/3416-4-0x0000000002BC0000-0x0000000002BC1000-memory.dmp
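The Files lists of both runs are long because the sandbox dumped the same region many times; what an analyst wants from them is the set of distinct regions per process and which regions recur across processes. In both runs the range 0x140000000-0x140183000 (0x183000 bytes, the default 64-bit image base) is dumped from the rundll32 process and again from a second PID, which is the first thing to check when looking for the loader's image in another process. The script below is an added example written for this report, not the sandbox vendor's code; the dump lists are constructed subsets of the two Files sections (one name per distinct region plus a few repeats).

```python
import re
from collections import Counter, defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Constructed subsets of the Files lists in this report (behavioral1 = Win7, behavioral2 = Win10).
WIN7_DUMPS = [
    "memory/816-0-0x0000000140000000-0x0000000140183000-memory.dmp",
    "memory/816-1-0x0000000000190000-0x0000000000197000-memory.dmp",
    "memory/816-8-0x0000000140000000-0x0000000140183000-memory.dmp",
    "memory/1208-4-0x0000000077146000-0x0000000077147000-memory.dmp",
    "memory/1208-5-0x0000000003D70000-0x0000000003D71000-memory.dmp",
    "memory/1208-7-0x0000000140000000-0x0000000140183000-memory.dmp",
    "memory/1208-9-0x0000000140000000-0x0000000140183000-memory.dmp",
    "memory/1208-54-0x0000000002EE0000-0x0000000002EE7000-memory.dmp",
    "memory/1936-86-0x0000000000280000-0x0000000000287000-memory.dmp",
    "memory/2004-110-0x0000000000100000-0x0000000000107000-memory.dmp",
    "memory/2212-153-0x0000000000180000-0x0000000000187000-memory.dmp",
]
WIN10_DUMPS = [
    "memory/996-0-0x000002599ACB0000-0x000002599ACB7000-memory.dmp",
    "memory/996-1-0x0000000140000000-0x0000000140183000-memory.dmp",
    "memory/3416-4-0x0000000002BC0000-0x0000000002BC1000-memory.dmp",
    "memory/3416-17-0x0000000140000000-0x0000000140183000-memory.dmp",
    "memory/3416-48-0x0000000000AD0000-0x0000000000AD7000-memory.dmp",
    "memory/4816-76-0x00000280139D0000-0x00000280139D7000-memory.dmp",
    "memory/4816-82-0x0000000140000000-0x0000000140185000-memory.dmp",
    "memory/1500-93-0x0000026ED3140000-0x0000026ED3147000-memory.dmp",
    "memory/1500-94-0x0000000140000000-0x0000000140184000-memory.dmp",
    "memory/2856-113-0x00000130771B0000-0x00000130771B7000-memory.dmp",
]


def parse_dump_name(name):
    """Return (pid, seq, start, end) from a sandbox dump file name, or None if it does not match."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def regions_by_pid(names):
    """Map pid -> Counter{(start, end): number of dumps taken of that region}."""
    by_pid = defaultdict(Counter)
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, _seq, start, end = parsed
        by_pid[pid][(start, end)] += 1
    return dict(by_pid)


def shared_regions(by_pid):
    """Regions dumped from more than one process, e.g. the same image mapped at the same base in each."""
    owners = defaultdict(set)
    for pid, counter in by_pid.items():
        for region in counter:
            owners[region].add(pid)
    return {region: sorted(pids) for region, pids in owners.items() if len(pids) > 1}


def describe(by_pid):
    """One human-readable line per (pid, region) with the region size and dump count."""
    lines = []
    for pid in sorted(by_pid):
        for (start, end), count in sorted(by_pid[pid].items()):
            lines.append(f"pid {pid}: 0x{start:X}-0x{end:X} ({end - start:#x} bytes, {count} dump(s))")
    return lines


if __name__ == "__main__":
    for label, dumps in (("win7", WIN7_DUMPS), ("win10", WIN10_DUMPS)):
        by_pid = regions_by_pid(dumps)
        print(label)
        print("\n".join(describe(by_pid)))
        for (start, end), pids in shared_regions(by_pid).items():
            print(f"  region 0x{start:X}-0x{end:X} present in pids {pids}")
```

Note that on Windows 10 the other 64-bit images dumped at 0x140000000 (PIDs 4816 and 1500) have different sizes (0x185000 and 0x184000), so exact-range matching keeps them apart from the 0x183000-byte image shared by PIDs 996 and 3416; if you want to group by base address only, key on start rather than (start, end).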