Malware Analysis Report

2024-11-30 21:43

Sample ID 231229-2kascaace6
Target 05d5ad4c105b1d204e13f22223735561
SHA256 4e4a988ee3a66c26d26526cbfc8a31c64ca77cba567a8979b3893a2374d8eb98
Tags
dridex botnet evasion payload trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4e4a988ee3a66c26d26526cbfc8a31c64ca77cba567a8979b3893a2374d8eb98

Threat Level: Known bad

The file 05d5ad4c105b1d204e13f22223735561 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-29 22:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 22:37

Reported

2023-12-30 10:51

Platform

win7-20231215-en

Max time kernel

3s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\05d5ad4c105b1d204e13f22223735561.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\05d5ad4c105b1d204e13f22223735561.dll,#1

C:\Users\Admin\AppData\Local\7tb\rdpinit.exe

C:\Users\Admin\AppData\Local\7tb\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Users\Admin\AppData\Local\q7Aht72Q6\dpnsvr.exe

C:\Users\Admin\AppData\Local\q7Aht72Q6\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Users\Admin\AppData\Local\shfTTTxC\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\shfTTTxC\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

Network

N/A

Files

memory/2532-1-0x0000000000230000-0x0000000000237000-memory.dmp

memory/2532-0-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-4-0x0000000077996000-0x0000000077997000-memory.dmp

memory/1216-10-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-18-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-27-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-40-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-48-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-50-0x0000000002D90000-0x0000000002D97000-memory.dmp

memory/1216-61-0x0000000077D00000-0x0000000077D02000-memory.dmp

memory/1216-58-0x0000000077BA1000-0x0000000077BA2000-memory.dmp

memory/1216-68-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-73-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/2660-86-0x0000000000180000-0x0000000000187000-memory.dmp

memory/1216-57-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-49-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-47-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-46-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-45-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-44-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-43-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-42-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-41-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-39-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-38-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-37-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-36-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-35-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-34-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-33-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-32-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-31-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-30-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-29-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3032-110-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1216-28-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-26-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-25-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-24-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-22-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-23-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-21-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-20-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-19-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-17-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-16-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-15-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-14-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-13-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-12-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-11-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-9-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/2532-8-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1972-130-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1216-7-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/1216-5-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

memory/1216-152-0x0000000077996000-0x0000000077997000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 22:37

Reported

2023-12-30 10:51

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

87s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\05d5ad4c105b1d204e13f22223735561.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\05d5ad4c105b1d204e13f22223735561.dll,#1

C:\Windows\system32\wextract.exe

C:\Windows\system32\wextract.exe

C:\Users\Admin\AppData\Local\BUCGWpI\wextract.exe

C:\Users\Admin\AppData\Local\BUCGWpI\wextract.exe

C:\Users\Admin\AppData\Local\HohSqP\upfc.exe

C:\Users\Admin\AppData\Local\HohSqP\upfc.exe

C:\Windows\system32\upfc.exe

C:\Windows\system32\upfc.exe

C:\Users\Admin\AppData\Local\tz3KP033\perfmon.exe

C:\Users\Admin\AppData\Local\tz3KP033\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 92.123.241.104:80 | | tcp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
GB | 88.221.135.211:80 | | tcp
US | 20.231.121.79:80 | | tcp
GB | 88.221.135.211:80 | | tcp

Files

memory/3832-1-0x000001D3D43C0000-0x000001D3D43C7000-memory.dmp

memory/3832-0-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-14-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-21-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-26-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-30-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-36-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-42-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-46-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-51-0x0000000002EC0000-0x0000000002EC7000-memory.dmp

memory/3500-49-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-58-0x00007FFD76F60000-0x00007FFD76F70000-memory.dmp

memory/3500-67-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/4124-78-0x00000210646B0000-0x00000210646B7000-memory.dmp

memory/4124-84-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/4124-79-0x0000000140000000-0x00000001401F1000-memory.dmp

memory/1420-95-0x000001F235FC0000-0x000001F235FC7000-memory.dmp

memory/1712-114-0x0000028F21FB0000-0x0000028F21FB7000-memory.dmp

memory/3500-69-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-57-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-47-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-48-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-45-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-44-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-43-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-41-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-40-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-39-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-38-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-37-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-35-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-34-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-33-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-31-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-32-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-29-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-28-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-27-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-25-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-24-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-23-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-22-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-20-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-19-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-18-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-17-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-16-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-15-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-13-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-12-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-10-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-11-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-9-0x00007FFD765DA000-0x00007FFD765DB000-memory.dmp

memory/3500-8-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3832-7-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-6-0x0000000140000000-0x00000001401F0000-memory.dmp

memory/3500-4-0x0000000002F80000-0x0000000002F81000-memory.dmp