Malware Analysis Report

2024-11-30 21:28

Sample ID 231226-l6hr3sdeh8
Target 661942dec5f555ea16390ab0b8805570
SHA256 9fc724df4f2ae0f2d2b3a04540cf737782e0b77e296a03ec25418f3f36f05a6b
Tags: dridex botnet evasion payload trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

9fc724df4f2ae0f2d2b3a04540cf737782e0b77e296a03ec25418f3f36f05a6b

Threat Level: Known bad

The file 661942dec5f555ea16390ab0b8805570 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Dridex payload

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 10:08

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 10:08

Reported

2024-01-06 09:18

Platform

win7-20231129-en

Max time kernel

3s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\661942dec5f555ea16390ab0b8805570.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Dridex payload

botnet payload

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Checks whether UAC is enabled

evasion trojan
Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Windows\system32\rundll32.exe (3 events)
Target: N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\661942dec5f555ea16390ab0b8805570.dll,#1

C:\Users\Admin\AppData\Local\rFn9vaV0\SndVol.exe

C:\Users\Admin\AppData\Local\rFn9vaV0\SndVol.exe

C:\Windows\system32\SndVol.exe

C:\Windows\system32\SndVol.exe

C:\Users\Admin\AppData\Local\vulzP\javaws.exe

C:\Users\Admin\AppData\Local\vulzP\javaws.exe

C:\Windows\system32\javaws.exe

C:\Windows\system32\javaws.exe

C:\Users\Admin\AppData\Local\QAov2UlH\rdpclip.exe

C:\Users\Admin\AppData\Local\QAov2UlH\rdpclip.exe

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\rdpclip.exe

Network

N/A

Files

memory/2232-1-0x0000000000420000-0x0000000000427000-memory.dmp

memory/2232-0-0x000007FEF68E0000-0x000007FEF69B4000-memory.dmp

memory/1360-3-0x00000000770B6000-0x00000000770B7000-memory.dmp

memory/1360-17-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-20-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-29-0x0000000077450000-0x0000000077452000-memory.dmp

memory/1360-28-0x0000000077420000-0x0000000077422000-memory.dmp

memory/1360-38-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-39-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-27-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-19-0x0000000002590000-0x0000000002597000-memory.dmp

memory/1360-18-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-16-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-15-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-14-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-13-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-12-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-11-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-10-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-9-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-8-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-7-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-6-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1360-4-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2232-47-0x000007FEF68E0000-0x000007FEF69B4000-memory.dmp

memory/2552-59-0x000007FEF69C0000-0x000007FEF6A95000-memory.dmp

memory/2552-56-0x000007FEF69C0000-0x000007FEF6A95000-memory.dmp

memory/2552-55-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1360-123-0x00000000770B6000-0x00000000770B7000-memory.dmp

memory/936-173-0x000007FEF63C0000-0x000007FEF6495000-memory.dmp

memory/936-171-0x00000000001E0000-0x00000000001E7000-memory.dmp

memory/936-169-0x000007FEF63C0000-0x000007FEF6495000-memory.dmp

memory/2280-286-0x000007FEF63C0000-0x000007FEF6495000-memory.dmp

memory/2280-284-0x0000000000180000-0x0000000000187000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 10:08

Reported

2024-01-06 09:19

Platform

win10v2004-20231222-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A