Malware Analysis Report

2024-11-30 21:43

Sample ID: 231230-aq6nesghek
Target: 08813f878cb82d72137f676d7e09709d
SHA256: d019c751d5e32cf0c6ae6a66e17f3c47b9ab46b76eea50f8d5e450841060c8ac
Tags: dridex, botnet, evasion, payload, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral2 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

Score: 10/10
SHA256: d019c751d5e32cf0c6ae6a66e17f3c47b9ab46b76eea50f8d5e450841060c8ac
Threat Level: Known bad

The file 08813f878cb82d72137f676d7e09709d was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, trojan

Dridex
Dridex Shellcode
Checks whether UAC is enabled (reads HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from rundll32.exe)
Unsigned PE
Suspicious behavior: EnumeratesProcesses

Read together, the two detonations show the Dridex loader's DLL side-loading chain. The sample is a DLL started through rundll32.exe by export ordinal 1 (the ",#1" on the command line). In each stage a legitimate Windows binary is run from C:\Windows\system32 (TpmInit.exe, shrpubw.exe and dpapimig.exe on Windows 7; SnippingTool.exe, SystemPropertiesPerformance.exe, WFS.exe and rdpshell.exe on Windows 10), a copy of it is written to a randomly named folder under %LOCALAPPDATA% next to an attacker-supplied module whose name matches a library that binary loads (UxTheme.dll, SYSDM.CPL, WINMM.dll and WINSTA.dll in the Windows 10 run), and the copy is executed from there so that the module is resolved from the copy's own directory ahead of system32. The Windows 7 run records only the copied executables; the Windows 10 run also records each dropped module with its hashes. The EnableLUA query and the process enumeration both come from the initial rundll32.exe process. No network traffic attributable to the sample was captured in either run.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-30 00:26

Signatures

Unsigned PE (no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-30 00:26
Reported: 2023-12-30 10:32
Platform: win7-20231129-en
Max time kernel: 3s
Max time network: 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\08813f878cb82d72137f676d7e09709d.dll,#1

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload): no description, indicator, process or target recorded

Checks whether UAC is enabled (evasion, trojan)
  Description: Key value queried
  Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: C:\Windows\system32\rundll32.exe
  Target: N/A

Suspicious behavior: EnumeratesProcesses
  Process: C:\Windows\system32\rundll32.exe (3 hits; no description, indicator or target recorded)

Processes (in the order reported; image path followed by its command line, which is omitted where it is just the bare image path)

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\08813f878cb82d72137f676d7e09709d.dll,#1
C:\Users\Admin\AppData\Local\tpr\TpmInit.exe
C:\Windows\system32\TpmInit.exe
C:\Windows\system32\shrpubw.exe
C:\Users\Admin\AppData\Local\J6uajT5\shrpubw.exe
C:\Windows\system32\dpapimig.exe
C:\Users\Admin\AppData\Local\wYvObBc\dpapimig.exe

Network

No network traffic was recorded in this run.

Files

The report records no dropped files for this run, even though the process list shows copies under %LOCALAPPDATA%; the entries are the sandbox's memory dumps, named memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, grouped here by process and region with the dump numbers in parentheses.

PID 2216: 0x140000000-0x140280000 (0, 8); 0x110000-0x117000 (1)
PID 1400: 0x140000000-0x140280000 (7, 9-37, 45, 56, 62, 65); 0x76EB6000-0x76EB7000 (4, 143); 0x2E60000-0x2E61000 (5); 0x2E40000-0x2E47000 (38); 0x770C1000-0x770C2000 (46); 0x77220000-0x77222000 (50)
PID 2500: 0x140000000-0x140281000 (74, 79); 0x120000-0x127000 (76)
PID 2228: 0x2B0000-0x2B7000 (100); 0x140000000-0x140281000 (103)
PID 2248: 0x100000-0x107000 (122); 0x140000000-0x1402B4000 (123)

The same region at image base 0x140000000 (about 2.5 MB) is dumped from every PID in the chain, consistent with one payload image being mapped into each host process; the report does not name the process behind each PID.
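The memory-dump entries in this run follow the sandbox's memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp naming. As an added triage example (not part of the report or of the sandbox's tooling), the script below parses that naming, groups the dumps per PID and region, and flags any region base that appears in more than one process, which for this sample is the image at 0x140000000. SAMPLE_DUMPS is a constructed subset of the names listed for this run plus one non-dump entry; the function names are this example's own.

```python
"""Triage helper for sandbox memory-dump listings.

Added example, not part of the sandbox report or its tooling. It parses the
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp names the report uses, groups
the dumps per PID and region, and flags region bases dumped from more than
one process: for this sample that is the image at 0x140000000 that shows up
in every PID of the chain.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed subset of the dump names reported for the Windows 7 run,
# plus one unrelated entry to show that non-matching names are skipped.
SAMPLE_DUMPS = [
    "memory/2216-0-0x0000000140000000-0x0000000140280000-memory.dmp",
    "memory/2216-1-0x0000000000110000-0x0000000000117000-memory.dmp",
    "memory/1400-4-0x0000000076EB6000-0x0000000076EB7000-memory.dmp",
    "memory/1400-12-0x0000000140000000-0x0000000140280000-memory.dmp",
    "memory/1400-19-0x0000000140000000-0x0000000140280000-memory.dmp",
    "memory/1400-38-0x0000000002E40000-0x0000000002E47000-memory.dmp",
    "memory/2500-74-0x0000000140000000-0x0000000140281000-memory.dmp",
    "memory/2500-76-0x0000000000120000-0x0000000000127000-memory.dmp",
    "memory/2248-123-0x0000000140000000-0x00000001402B4000-memory.dmp",
    "C:\\Users\\Admin\\AppData\\Local\\KNl5pWS\\UxTheme.dll",
]


def parse_dump_name(name):
    """Return (pid, idx, start, end) for a dump file name, or None if it is not one."""
    m = DUMP_RE.match(name)
    if m is None:
        return None
    return (int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def regions_by_pid(names):
    """Map pid -> {(start, end): sorted dump indices}; non-dump entries are ignored."""
    grouped = defaultdict(lambda: defaultdict(list))
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is None:
            continue
        pid, idx, start, end = parsed
        grouped[pid][(start, end)].append(idx)
    return {pid: {r: sorted(v) for r, v in regs.items()} for pid, regs in grouped.items()}


def shared_bases(names, min_pids=2):
    """Return {base: sorted pids} for region start addresses seen in >= min_pids processes.

    Matching on the base address rather than the exact (start, end) pair catches the
    same image mapped with slightly different sizes (0x280000, 0x281000, 0x2B4000 in
    this run), which an exact-range comparison would split into unrelated entries.
    """
    pids_by_base = defaultdict(set)
    for name in names:
        parsed = parse_dump_name(name)
        if parsed is not None:
            pids_by_base[parsed[2]].add(parsed[0])
    return {base: sorted(pids) for base, pids in pids_by_base.items() if len(pids) >= min_pids}


def summarize(names):
    """One human-readable line per (pid, region), sorted, with the dump numbers."""
    lines = []
    for pid, regs in sorted(regions_by_pid(names).items()):
        for (start, end), idxs in sorted(regs.items()):
            lines.append(
                f"pid {pid}: 0x{start:X}-0x{end:X} (size 0x{end - start:X}) dumps {idxs}"
            )
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_DUMPS)))
    for base, pids in shared_bases(SAMPLE_DUMPS).items():
        print(f"region base 0x{base:X} dumped from pids {pids}")
```

Run it on the full dump list of a report and the output of shared_bases is the shortlist of PIDs worth carving first: a region that recurs at the same base across unrelated host processes is the loader's payload, not the host's own image.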

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-30 00:26
Reported: 2023-12-30 10:32
Platform: win10v2004-20231215-en
Max time kernel: 0s
Max time network: 148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\08813f878cb82d72137f676d7e09709d.dll,#1

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload): no description, indicator, process or target recorded

Checks whether UAC is enabled (evasion, trojan)
  Description: Key value queried
  Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: C:\Windows\system32\rundll32.exe
  Target: N/A

Suspicious behavior: EnumeratesProcesses
  Process: C:\Windows\system32\rundll32.exe (4 hits; no description, indicator or target recorded)

Processes (in the order reported; image path followed by its command line, which is omitted where it is just the bare image path)

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\08813f878cb82d72137f676d7e09709d.dll,#1
C:\Windows\system32\SnippingTool.exe
C:\Users\Admin\AppData\Local\KNl5pWS\SnippingTool.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\scNI\SystemPropertiesPerformance.exe
C:\Windows\system32\WFS.exe
C:\Users\Admin\AppData\Local\M0Yq9A0LP\WFS.exe
C:\Users\Admin\AppData\Local\v3WX0c\rdpshell.exe
C:\Windows\system32\rdpshell.exe

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           g.bing.com                    udp
US       204.79.197.200:443   g.bing.com                    tcp
US       8.8.8.8:53           72.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53           146.78.124.51.in-addr.arpa    udp
US       8.8.8.8:53           0.204.248.87.in-addr.arpa     udp
NL       52.142.223.178:80    (none)                        tcp
US       8.8.8.8:53           148.177.190.20.in-addr.arpa   udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53           2.136.104.51.in-addr.arpa     udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa      udp

The report attributes none of this traffic to the sample's processes: the Bing lookups and the PTR (in-addr.arpa) queries are consistent with Windows 10 background activity, and the HTTP connection to 52.142.223.178 has no domain attached to it. Treat these destinations as sandbox noise rather than as Dridex indicators; no C2 traffic was captured in either detonation.

Files

Dropped files, one folder per stage, each holding a copy of a Windows binary and the module it side-loads:

C:\Users\Admin\AppData\Local\KNl5pWS\SnippingTool.exe
  MD5 f06d69f2fdd4d6a4e16f55769b7dccc1
  SHA1 735eb9b032d924b59a8767b9d49bdb88bed05220
  SHA256 83be001996cd4d9e5a1a8cd130e17e5b5ee81c9b5cf1b9d9196d8a39fbf7506d
  SHA512 ccc1bff59636e91763659749d67b9f6255765ed5aed4b40b6f8111d4136a7e2fe9e0726396b0c837e4ab8717528134273ffc0825a205e501a13bf1d3aee5046b
C:\Users\Admin\AppData\Local\KNl5pWS\UxTheme.dll
  MD5 efb660c46eabf1839d56a247b76eb486
  SHA1 28f5a8401ea50912ab78960c9ac0782ce50e876b
  SHA256 b7f5bc51aeae152db7860ad5eb1be113f908a4ec586c9a9ab3e773d1cc2def06
  SHA512 0b9736c7abb12457598bb78fd312b7a7a216ed42b36261d5cb505b656cb182d666d67174db4c69300ecb25f34fa1f45fd8f72d1e9ba0257d6e3f78efa65b3b32

C:\Users\Admin\AppData\Local\scNI\SystemPropertiesPerformance.exe
  MD5 e4fbf7cab8669c7c9cef92205d2f2ffc
  SHA1 adbfa782b7998720fa85678cc85863b961975e28
  SHA256 b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
  SHA512 c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6
C:\Users\Admin\AppData\Local\scNI\SYSDM.CPL
  MD5 01c83aec0f436727c461955e4ce5a073
  SHA1 33b2c4420dd10b80cc4ca69fb83f9020ea4d7da1
  SHA256 ad09755a40e452d57b913485173a69228fa102e6c444066234dc1cfa44a8fa1a
  SHA512 4bc10e985d2f80f449a5036fb1a4a0c0659ca08f266b5c8b0febb737f16aa54877ec4f7da0ccf8c3614616c7fc7ca5bdc8bd8524a16059c52c1b98ef16d75b9b

C:\Users\Admin\AppData\Local\M0Yq9A0LP\WFS.exe
  MD5 3cbc8d0f65e3db6c76c119ed7c2ffd85
  SHA1 e74f794d86196e3bbb852522479946cceeed7e01
  SHA256 e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4
  SHA512 26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a
C:\Users\Admin\AppData\Local\M0Yq9A0LP\WINMM.dll
  MD5 ffa29a0f8976cfd0978359816ac1ceef
  SHA1 19bbf883dade99f5b8aa9aa6a905ff715407489b
  SHA256 ad0a9b592c828be50149228eca0a24c348590c082333a7d72a4347e1415d6f98
  SHA512 948d243a46ebd239f562552a858a21464d22b4e0b9a2f6aa25d28b56d40aa6e229bbc2e7ba40f2242c9485e54bc15fde3f0747f4f8be7d4ad0a6122e7f3bdcd3

C:\Users\Admin\AppData\Local\v3WX0c\rdpshell.exe
  MD5 428066713f225bb8431340fa670671d4
  SHA1 47f6878ff33317c3fc09c494df729a463bda174c
  SHA256 da6c395a2018d3439ad580a19e6a1ca5ff29ef9074411ee9f9f1b0a6365dfebd
  SHA512 292aad2762ae4dc519c69411aa114a29894f60ffac103813db4946f2fac4f5a166f66523c421529d6847c0882d8ab467392ee8da1e3a4fca0d6d4e6ebda5b737
C:\Users\Admin\AppData\Local\v3WX0c\WINSTA.dll
  MD5 281f5c6b3f8604b2a89f75d82072d3bf
  SHA1 e5cfb1b1efa4f4043fc27c5f1bc34711bc1a4325
  SHA256 c6c78ae89fe5715b713859b6789c3a601104a6ccb36303addd0829c94b8e401a
  SHA512 0cf401348549e0b43338e95f8b426cd2ba7122db7428076baca0f87809dc099fdedb53f65f1b29d4ef5a8c8dcd332a41a2b839ceb5bf74cd544550ca6eacf7b7

The copied executables are the hunting pivot only in combination with the module beside them: on their own they are legitimate Windows binaries, so hash-block the four modules and the folder pattern, not the .exe copies.

Memory dumps (memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp), grouped by process and region with the dump numbers in parentheses; the report does not name the process behind each PID:

PID 1268: 0x140000000-0x140280000 (0, 7); 0x1EDE4750000-0x1EDE4757000 (2)
PID 3560: 0x140000000-0x140280000 (6, 8, 10-37, 45, 55, 57); 0x2700000-0x2701000 (4); 0x7FFCCDECA000-0x7FFCCDECB000 (9); 0x1F70000-0x1F77000 (38); 0x7FFCCE120000-0x7FFCCE130000 (46)
PID 1412: 0x140000000-0x140282000 (76, 82); 0x17087CE0000-0x17087CE7000 (78)
PID 3124: 0x140000000-0x140281000 (93, 99); 0x18CB5F50000-0x18CB5F57000 (95)
PID 3760: 0x1B1E1260000-0x1B1E1267000 (110); 0x140000000-0x140282000 (116)

As in the Windows 7 run, the region at image base 0x140000000 is present in every PID, consistent with one payload image being mapped into each side-loaded host process.
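The process and dropped-file listings for this run follow one pattern per stage: a Windows binary runs from system32, a copy of it runs from a randomly named folder under %LOCALAPPDATA%, and a DLL or CPL named after one of its imports sits next to the copy. The check below, added here as an example and not code from the sandbox or the report, turns that into a hunting rule over process image paths and dropped-file paths. PROCESSES and DROPPED are constructed from the Windows 10 run above; the directory markers, the loadable-extension set and the "confidence" label are assumptions of this example, not anything the report states.

```python
"""Hunting check for the DLL side-loading chain seen in this report.

Added example, not code from the sandbox or the report. Input is what the
report gives: process image paths and dropped-file paths. A hit is a binary
that ran from a Windows system directory and also ran from a user-writable
directory, with a loadable module (DLL/CPL/OCX) dropped next to the copy.
The directory markers and the confidence labels are assumptions of this
example, not anything the report states.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
LOADABLE_EXT = {".dll", ".cpl", ".ocx"}

# Constructed from the Windows 10 detonation above, in the order the report lists them.
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\SnippingTool.exe",
    r"C:\Users\Admin\AppData\Local\KNl5pWS\SnippingTool.exe",
    r"C:\Windows\system32\SystemPropertiesPerformance.exe",
    r"C:\Users\Admin\AppData\Local\scNI\SystemPropertiesPerformance.exe",
    r"C:\Windows\system32\WFS.exe",
    r"C:\Users\Admin\AppData\Local\M0Yq9A0LP\WFS.exe",
    r"C:\Users\Admin\AppData\Local\v3WX0c\rdpshell.exe",  # copy logged before the original
    r"C:\Windows\system32\rdpshell.exe",
]
DROPPED = [
    r"C:\Users\Admin\AppData\Local\KNl5pWS\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\KNl5pWS\SnippingTool.exe",
    r"C:\Users\Admin\AppData\Local\v3WX0c\WINSTA.dll",
    r"C:\Users\Admin\AppData\Local\v3WX0c\rdpshell.exe",
    r"C:\Users\Admin\AppData\Local\M0Yq9A0LP\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\M0Yq9A0LP\WFS.exe",
    r"C:\Users\Admin\AppData\Local\scNI\SystemPropertiesPerformance.exe",
    r"C:\Users\Admin\AppData\Local\scNI\SYSDM.CPL",
]


def is_system_path(path):
    """True for images under the Windows system directories (case-insensitive)."""
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path):
    """True for images in locations a standard user can write to (assumed marker list)."""
    low = path.lower()
    return not is_system_path(path) and any(m in low for m in USER_WRITABLE_MARKERS)


def find_sideload_candidates(processes, dropped):
    """Return one dict per copied system binary that ran from a user-writable directory.

    Two passes, so the result does not depend on whether the original or the copy
    was logged first (rdpshell.exe above is logged copy-first).
    """
    original_by_name = {}
    for p in processes:
        if is_system_path(p):
            original_by_name.setdefault(PureWindowsPath(p).name.lower(), p)

    modules_by_dir = defaultdict(list)
    for d in dropped:
        wp = PureWindowsPath(d)
        if wp.suffix.lower() in LOADABLE_EXT:
            modules_by_dir[str(wp.parent).lower()].append(wp.name)

    hits, seen = [], set()
    for p in processes:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        key = str(wp).lower()
        if name not in original_by_name or not is_user_writable(p) or key in seen:
            continue
        seen.add(key)
        modules = sorted(modules_by_dir.get(str(wp.parent).lower(), []))
        hits.append({
            "copy": p,
            "original": original_by_name[name],
            "modules": modules,
            # A lone copy of a system binary can be a portable tool; a loadable
            # module dropped beside it is what makes this a side-load.
            "confidence": "high" if modules else "medium",
        })
    return hits


if __name__ == "__main__":
    for h in find_sideload_candidates(PROCESSES, DROPPED):
        print(f"[{h['confidence']}] {h['copy']} (copy of {h['original']}) side-loads {h['modules']}")
```

Fed with image paths from process-creation telemetry and file-write paths from the same host, this yields the four side-loaded stages of the Windows 10 run and nothing for rundll32.exe, which only ever ran from system32. The "medium" tier exists because a copied system binary without a module beside it is a weaker signal that needs a second look rather than an automatic verdict.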