Malware Analysis Report

2024-11-30 21:29

Sample ID 231228-hygm9seba5
Target ce7791145ad4da1f59e698c59df311e8
SHA256 1903317e5981d4bcf3061801f828458c7528b78298ff2f3ea9614028e932ffdb
Tags
dridex botnet evasion payload trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

1903317e5981d4bcf3061801f828458c7528b78298ff2f3ea9614028e932ffdb

Threat Level: Known bad

The file ce7791145ad4da1f59e698c59df311e8 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, trojan

Dridex
Dridex payload
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses

Assessment (the editor's reading of the process and file lists below, not a sandbox verdict): the sample is an unsigned DLL executed through rundll32.exe export #1. In both detonations it copies legitimate Windows executables into randomly named folders under %LOCALAPPDATA% (dpnsvr.exe, cttune.exe and SystemPropertiesPerformance.exe on Windows 7; Utilman.exe, Magnify.exe and SystemSettingsAdminFlows.exe on Windows 10) and runs the copies; on Windows 7 the report also records a library dropped beside each copy (WINMM.dll, OLEACC.dll, SYSDM.CPL). That layout is the DLL search-order hijack the Dridex loader is known for: the trusted executable resolves the library from its own folder before System32 and so loads the attacker's code under a signed image. A shortcut written to the user's Startup folder (Aqrvnhd.lnk, Windows 7 run) provides persistence at logon. The EnableLUA registry query and the process enumeration are environment checks performed from rundll32.exe, and the repeated dumps of a region at 0x140000000 (see Files) are consistent with the payload being unpacked and mapped in memory.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-28 07:08

Signatures

Unsigned PE

Indicator table: empty (no description, indicator, process or target recorded).

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 07:08

Reported

2024-01-08 09:26

Platform

win7-20231129-en

Max time kernel

3s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce7791145ad4da1f59e698c59df311e8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Indicator table: empty (1 hit, no details recorded).

Dridex payload

botnet payload
Indicator table: empty (11 hits, no details recorded).

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\system32\rundll32.exe (3 hits; no description or indicator recorded).

Processes

Image path, followed by its command line:

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce7791145ad4da1f59e698c59df311e8.dll,#1

C:\Users\Admin\AppData\Local\oWVEA4Lt\dpnsvr.exe
    C:\Users\Admin\AppData\Local\oWVEA4Lt\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe
    C:\Windows\system32\dpnsvr.exe

C:\Users\Admin\AppData\Local\AbRtiqeI2\cttune.exe
    C:\Users\Admin\AppData\Local\AbRtiqeI2\cttune.exe

C:\Windows\system32\cttune.exe
    C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\2do\SystemPropertiesPerformance.exe
    C:\Users\Admin\AppData\Local\2do\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe
    C:\Windows\system32\SystemPropertiesPerformance.exe

Network

N/A

Files

memory/1364-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/1364-0-0x000007FEF6C60000-0x000007FEF6D4A000-memory.dmp

memory/1372-3-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

memory/1372-12-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-21-0x0000000002A10000-0x0000000002A17000-memory.dmp

memory/1372-24-0x0000000077D70000-0x0000000077D72000-memory.dmp

memory/1372-23-0x0000000077D40000-0x0000000077D42000-memory.dmp

memory/1372-34-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-33-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-22-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-14-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-13-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-11-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-10-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-9-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-8-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-7-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-6-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/1372-4-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/1364-39-0x000007FEF6C60000-0x000007FEF6D4A000-memory.dmp

\Users\Admin\AppData\Local\oWVEA4Lt\WINMM.dll

MD5 f113e62ea2e19a1f566dc104ee66e3bb
SHA1 573e44c2c1921173ceea6a064f5804794ac616e8
SHA256 a3c482e7390d29a138dc8631d71b653b0dd3d1430b8c747729ef2e45ed7798ce
SHA512 1da2fade135aac0883428a725889f8b29a0822a6f965bebae889488c63d6e86546f2a71ec16bbe77e7ae29babbaa9dfa3d2e94583b061a2219c9beb0d8af65dd

memory/2568-51-0x000007FEF7360000-0x000007FEF744C000-memory.dmp

memory/2568-55-0x000007FEF7360000-0x000007FEF744C000-memory.dmp

C:\Users\Admin\AppData\Local\oWVEA4Lt\dpnsvr.exe

MD5 6806b72978f6bd27aef57899be68b93b
SHA1 713c246d0b0b8dcc298afaed4f62aed82789951c
SHA256 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
SHA512 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

memory/2568-50-0x0000000000280000-0x0000000000287000-memory.dmp

\Users\Admin\AppData\Local\AbRtiqeI2\OLEACC.dll

MD5 87cc0fa03baf0b8b66168ea5e399d3fc
SHA1 41966d721e78d457bf9474df0150fcd465a361fb
SHA256 595f77c311e5bf9b88349dc209197549b787180759f3557f948bf2d19b399a59
SHA512 35469fd841d8cb8aa95077674106a854cf1e34de36e17ab45692c47f19f3089ace1e0ee58a2e547eb70fb44dab565b599c1059ef3b23cf93ad17d84d65046695

memory/2888-68-0x000007FEF6C60000-0x000007FEF6D4B000-memory.dmp

memory/2888-71-0x000007FEF6C60000-0x000007FEF6D4B000-memory.dmp

memory/2888-67-0x00000000000A0000-0x00000000000A7000-memory.dmp

C:\Users\Admin\AppData\Local\AbRtiqeI2\cttune.exe

MD5 7116848fd23e6195fcbbccdf83ce9af4
SHA1 35fb16a0b68f8a84d5dfac8c110ef5972f1bee93
SHA256 39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6
SHA512 e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

memory/1372-86-0x0000000077AD6000-0x0000000077AD7000-memory.dmp

\Users\Admin\AppData\Local\2do\SYSDM.CPL

MD5 0d9464528c0a50dc502ba544a33dcd59
SHA1 4bc5c1d302a83e4bc17f285c301e1816fcda91cf
SHA256 38e54f202b958d3e4ce1997e971836d24518e290dbf21e8772e1e548266889a8
SHA512 d6dc85f5c487386d12c48d7ed7908741a56946d5d620f6fe881a1837a9311f32cce5e7a636dc15a896cbc08eb6e1ed523e33f56bf705f5f5ffedf47ea4961a7f

memory/2004-94-0x0000000000100000-0x0000000000107000-memory.dmp

memory/2004-98-0x000007FEF6C60000-0x000007FEF6D4B000-memory.dmp

C:\Users\Admin\AppData\Local\2do\SystemPropertiesPerformance.exe

MD5 870726cdcc241a92785572628b89cc07
SHA1 63d47cc4fe9beb75862add1abca1d8ae8235710a
SHA256 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
SHA512 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

MD5 1649c174a66c328e8d48e3a6e4a568f4
SHA1 6a927d44667fd081ee1fd1f190e72cad9d6da7f4
SHA256 a4802e288a2ef2b3413be9dea933f30099eea0936104bdf6e06759e3acfba193
SHA512 371ac06e60ee20444904cd10aadc6b77312dc1a3bde43407231371bd63dcfb1ff40538bf27b3ab7d5c69cdb97a122437b0cd86a99ccce3be264cc0a57904ed99

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 07:08

Reported

2024-01-08 09:26

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce7791145ad4da1f59e698c59df311e8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Indicator table: empty (1 hit, no details recorded).

Dridex payload

botnet payload
Indicator table: empty (11 hits, no details recorded).

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\system32\rundll32.exe (4 hits; no description or indicator recorded).

Processes

Image path, followed by its command line:

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce7791145ad4da1f59e698c59df311e8.dll,#1

C:\Users\Admin\AppData\Local\ApEXaxp\Utilman.exe
    C:\Users\Admin\AppData\Local\ApEXaxp\Utilman.exe

C:\Windows\system32\Utilman.exe
    C:\Windows\system32\Utilman.exe

C:\Users\Admin\AppData\Local\3lSW\Magnify.exe
    C:\Users\Admin\AppData\Local\3lSW\Magnify.exe

C:\Windows\system32\Magnify.exe
    C:\Windows\system32\Magnify.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe
    C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\orShz\SystemSettingsAdminFlows.exe
    C:\Users\Admin\AppData\Local\orShz\SystemSettingsAdminFlows.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
GB 104.91.71.140:80 tcp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 90.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 137.71.91.104.in-addr.arpa udp

Note on reading this table: the in-addr.arpa entries are reverse-DNS (PTR) lookups, tse1.mm.bing.net is a Microsoft endpoint that an idle Windows 10 image contacts on its own, and the report attributes none of these connections to a specific process and records no domain for 104.91.71.140:80. This capture therefore shows no confirmed command-and-control contact by the sample; the Windows 7 run (behavioral1) recorded no network activity at all.

Files

memory/1004-2-0x000001D444BC0000-0x000001D444BC7000-memory.dmp

memory/1004-0-0x00007FF870060000-0x00007FF87014A000-memory.dmp

memory/3496-14-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3496-17-0x0000000006C80000-0x0000000006C87000-memory.dmp

memory/3496-24-0x00007FF87E7B0000-0x00007FF87E7C0000-memory.dmp

memory/3496-23-0x00007FF87E7C0000-0x00007FF87E7D0000-memory.dmp

memory/3496-33-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3496-22-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3496-13-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3496-12-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3496-11-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3496-10-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3496-9-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3496-8-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3496-7-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3496-6-0x0000000140000000-0x00000001400EA000-memory.dmp

memory/3496-4-0x00007FF87C87A000-0x00007FF87C87B000-memory.dmp

memory/3496-3-0x0000000006CA0000-0x0000000006CA1000-memory.dmp

memory/1004-36-0x00007FF870060000-0x00007FF87014A000-memory.dmp

memory/2584-43-0x00007FF8602C0000-0x00007FF8603AB000-memory.dmp

memory/2584-48-0x00007FF8602C0000-0x00007FF8603AB000-memory.dmp

memory/2584-45-0x0000024547B70000-0x0000024547B77000-memory.dmp

memory/1440-63-0x00007FF860510000-0x00007FF8605FB000-memory.dmp

memory/1440-61-0x00000204521B0000-0x00000204521B7000-memory.dmp

memory/1440-59-0x00007FF860510000-0x00007FF8605FB000-memory.dmp

memory/1684-72-0x00007FF8603C0000-0x00007FF8604F0000-memory.dmp

memory/1684-77-0x00007FF8603C0000-0x00007FF8604F0000-memory.dmp

memory/1684-74-0x000001E3F0800000-0x000001E3F0807000-memory.dmp
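The artifact lists in the two behavioral sections above contain the three findings a responder wants out of this report: copies of trusted Windows executables running from user-writable folders with a library dropped beside them, a shortcut in the Startup folder, and memory regions dumped at the 64-bit default image base. The script below is an added example, written by the editor and not part of the sandbox output, that pulls those three findings out of the report's own process, file and memory-dump lines. The input lists are copied from the behavioral1 section and embedded so it runs offline; the function names (sideload_candidates, startup_entries, parse_dump, unpacked_images) are the example's own.

```python
"""Triage helpers for the artifact lists in this report (editor-written
example; inputs are copied from the behavioral1 section above)."""
import re
from collections import defaultdict

# Constructed input: process image paths from the behavioral1 Processes section.
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Users\Admin\AppData\Local\oWVEA4Lt\dpnsvr.exe",
    r"C:\Windows\system32\dpnsvr.exe",
    r"C:\Users\Admin\AppData\Local\AbRtiqeI2\cttune.exe",
    r"C:\Windows\system32\cttune.exe",
    r"C:\Users\Admin\AppData\Local\2do\SystemPropertiesPerformance.exe",
    r"C:\Windows\system32\SystemPropertiesPerformance.exe",
]
# Constructed input: dropped files from the behavioral1 Files section.
DROPPED = [
    r"\Users\Admin\AppData\Local\oWVEA4Lt\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\oWVEA4Lt\dpnsvr.exe",
    r"\Users\Admin\AppData\Local\AbRtiqeI2\OLEACC.dll",
    r"C:\Users\Admin\AppData\Local\AbRtiqeI2\cttune.exe",
    r"\Users\Admin\AppData\Local\2do\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\2do\SystemPropertiesPerformance.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk",
]
# Constructed input: a subset of the memory dump names from behavioral1.
MEMORY = [
    "memory/1364-0-0x000007FEF6C60000-0x000007FEF6D4A000-memory.dmp",
    "memory/1372-12-0x0000000140000000-0x00000001400EA000-memory.dmp",
    "memory/1372-34-0x0000000140000000-0x00000001400EA000-memory.dmp",
    "memory/2568-51-0x000007FEF7360000-0x000007FEF744C000-memory.dmp",
]

SYSTEM32 = r"\windows\system32"


def split_path(path):
    """Return (directory, filename), lower-cased, with any drive letter removed
    so dropped-file entries (no drive) compare equal to process paths."""
    directory, _, name = path.rpartition("\\")
    directory = directory.lower()
    if len(directory) >= 2 and directory[1] == ":":
        directory = directory[2:]
    return directory, name.lower()


def sideload_candidates(processes, dropped):
    """Windows binaries that ran from outside System32, paired with the non-EXE
    files dropped into the same folder. A copied system binary with a DLL/CPL
    beside it is the search-order-hijack layout this report shows."""
    system_names = {split_path(p)[1] for p in processes
                    if split_path(p)[0] == SYSTEM32}
    libs_by_dir = defaultdict(list)
    for f in dropped:
        directory, name = split_path(f)
        if not name.endswith(".exe"):
            libs_by_dir[directory].append(name)
    hits = []
    for p in processes:
        directory, name = split_path(p)
        if name in system_names and directory != SYSTEM32:
            hits.append((p, sorted(libs_by_dir.get(directory, []))))
    return hits


def startup_entries(dropped):
    """Files written under a Startup folder (logon persistence)."""
    return [f for f in dropped if "\\startup\\" in f.lower()]


DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")
X64_DEFAULT_IMAGE_BASE = 0x140000000  # linker default base for 64-bit EXEs


def parse_dump(name):
    """Split 'memory/<pid>-<seq>-<start>-<end>-memory.dmp' into its fields."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError("not a memory dump name: " + name)
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq),
            "base": int(start, 16), "size": int(end, 16) - int(start, 16)}


def unpacked_images(dump_names):
    """Unique (pid, base, size) of regions sitting at the default x64 image
    base. The OS-loaded modules in this report sit at ASLR-relocated 0x7FE...
    addresses; a region still at 0x140000000 was mapped by the sample itself,
    which is why it is the region to carve for the unpacked payload."""
    seen = set()
    for d in map(parse_dump, dump_names):
        if d["base"] == X64_DEFAULT_IMAGE_BASE:
            seen.add((d["pid"], d["base"], d["size"]))
    return sorted(seen)


if __name__ == "__main__":
    for image, libs in sideload_candidates(PROCESSES, DROPPED):
        print("side-load candidate:", image, "->", libs)
    print("startup persistence:", startup_entries(DROPPED))
    print("unpacked images:",
          [(p, hex(b), hex(s)) for p, b, s in unpacked_images(MEMORY)])
```

Run against the behavioral1 artifacts it reports the three copied binaries with winmm.dll, oleacc.dll and sysdm.cpl beside them, the Aqrvnhd.lnk Startup entry, and one 0xEA000-byte image at 0x140000000 in PID 1372. The same functions apply to the behavioral2 lists, where the Windows 10 run copies Utilman.exe, Magnify.exe and SystemSettingsAdminFlows.exe but the report records no dropped library, so sideload_candidates would return those images with an empty library list.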