Malware Analysis Report

2024-11-30 21:21

Sample ID 231230-jcqjqabfar
Target 1234e30bc5be49344b0f9922d66b9865
SHA256 c8b515be222c5ed644a449557d40cadbef722d8e53d0d248856076381400654a
Tags
dridex botnet evasion payload trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c8b515be222c5ed644a449557d40cadbef722d8e53d0d248856076381400654a

Threat Level: Known bad

The file 1234e30bc5be49344b0f9922d66b9865 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 07:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 07:31

Reported

2023-12-31 05:59

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

108s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1234e30bc5be49344b0f9922d66b9865.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

Path, followed by the command line it was started with:

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1234e30bc5be49344b0f9922d66b9865.dll,#1

C:\Windows\system32\Taskmgr.exe
    C:\Windows\system32\Taskmgr.exe

C:\Users\Admin\AppData\Local\4Y69FHF\Taskmgr.exe
    C:\Users\Admin\AppData\Local\4Y69FHF\Taskmgr.exe

C:\Windows\system32\sigverif.exe
    C:\Windows\system32\sigverif.exe

C:\Users\Admin\AppData\Local\jPoBg\sigverif.exe
    C:\Users\Admin\AppData\Local\jPoBg\sigverif.exe

C:\Windows\system32\BitLockerWizard.exe
    C:\Windows\system32\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\3NI6\BitLockerWizard.exe
    C:\Users\Admin\AppData\Local\3NI6\BitLockerWizard.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 204.79.197.200:443 tcp
US 20.242.39.171:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 20.242.39.171:443 tcp
US 52.111.229.19:443 tcp

Files

C:\Users\Admin\AppData\Local\4Y69FHF\credui.dll

MD5 05d899d5bc57411b5e661e27262a8d6f
SHA1 4d3f1b6ed9b55501c27c1ff6009163477b4e4de3
SHA256 dc978a42b16613a47e2497da2b2392f4a893d66bd3e8a99f1d5bcc036edb16df
SHA512 80b686e1bd6b58768ca59981c4d16da61e7f785fb812c6235ca3d0be6c526cd10ff3effb91ea2b2235fa47ac920813c1ffcc09be1e79950ae7ba37557ee426e3

memory/636-70-0x0000000140000000-0x0000000140175000-memory.dmp

memory/636-75-0x0000000140000000-0x0000000140175000-memory.dmp

C:\Users\Admin\AppData\Local\4Y69FHF\Taskmgr.exe

MD5 dad1b363659d57d4c50b0b4663165bd2
SHA1 0a91bfe4c7fc66336b096b9f2c2b39c57bf9b88a
SHA256 860b0a5a713f30bfa22455cb462c0e2ef5a6a8b4992a3daf35dc04482d2d6bca
SHA512 e3c05ef05d3359dfc0c2827fcdace818a263bb774f254ae4a0b429578866c529fed20b243a3f083b275a32b7f215c0017d3f684021c7af7d9446beea3676713b

memory/636-69-0x00000146E6210000-0x00000146E6217000-memory.dmp

C:\Users\Admin\AppData\Local\4Y69FHF\credui.dll

MD5 148782e7edfe64771b8ba8fb68dfae3b
SHA1 98e0b0e953eff5698b414ce10d22c5e627ad647d
SHA256 f99aeb56be2c073062fbbe1bcdec75fcbfb8908f9b9dbbfc78b1c63716096198
SHA512 cd045f4a7febbac3125969af6e1a002fa4cd47416c8db4842dc84acf5c76c43a25feaae54b66ea1bc8142239cbd96d323dc7e8d7e21ccf4fbab2f38e7b70cb64

memory/5048-86-0x000001F9A6030000-0x000001F9A6037000-memory.dmp

memory/5048-92-0x0000000140000000-0x0000000140175000-memory.dmp

C:\Users\Admin\AppData\Local\jPoBg\sigverif.exe

MD5 2151a535274b53ba8a728e542cbc07a8
SHA1 a2304c0f2616a7d12298540dce459dd9ccf07443
SHA256 064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd
SHA512 e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f

C:\Users\Admin\AppData\Local\3NI6\FVEWIZ.dll

MD5 e03a42723a74da51af06c4826d433214
SHA1 a50f9d4188271cd05f23d79b2474b14a103d72ff
SHA256 57b24783fe276ce6db2e196ccbd817b590c35bc0e05469980135c49b5f13b2df
SHA512 bfb6764624474439d8472efbd8b7234ce36521c12dec983af7cdbe48c043733ce0ed497a7da385b1257b23940e3fb7905fe6fdff4622fbe4a4fa0f30383ae33c

C:\Users\Admin\AppData\Local\3NI6\BitLockerWizard.exe

MD5 6d30c96f29f64b34bc98e4c81d9b0ee8
SHA1 4a3adc355f02b9c69bdbe391bfb01469dee15cf0
SHA256 7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74
SHA512 25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

memory/2808-103-0x0000018EC6520000-0x0000018EC6527000-memory.dmp

memory/2808-109-0x0000000140000000-0x0000000140175000-memory.dmp

C:\Users\Admin\AppData\Local\3NI6\FVEWIZ.dll

MD5 f23294a4964e9898521a463595c26503
SHA1 bf2c19a195eb77cfa55bb8853de1e29b1b5bcf75
SHA256 a9afeea7b6e882262ff89a787464c333f631a13fb4cb898be15a0d09fcd17c9c
SHA512 05196fbdf07de351d4dc8e989ca0876971290680180ada1dfdc0cc47236da7e2f3ea28ef3f2c902d75877fd1e296ae72db85df4a655bba9827b1c310e4a6ed0e

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 07:31

Reported

2023-12-31 05:58

Platform

win7-20231129-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A