Malware Analysis Report

2024-11-30 21:20

Sample ID: 231230-jzfyssgagk
Target: 12fb02d69d7ecf23d540bc1411dc0a75
SHA256: c23a41a38e5507b244f392a70f1fbf39fffc203a69321417336bedf408871992
Tags: dridex botnet evasion payload trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: c23a41a38e5507b244f392a70f1fbf39fffc203a69321417336bedf408871992
Threat Level: Known bad

The file 12fb02d69d7ecf23d540bc1411dc0a75 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload trojan

Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-30 08:06

Signatures

Unsigned PE
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-30 08:06
Reported: 2023-12-31 07:31
Platform: win7-20231129-en
Max time kernel: 3s
Max time network: 118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\12fb02d69d7ecf23d540bc1411dc0a75.dll,#1

Signatures

Dridex
Tags: botnet dridex

Dridex Shellcode
Tags: botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled
Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\12fb02d69d7ecf23d540bc1411dc0a75.dll,#1

C:\Windows\system32\SystemPropertiesHardware.exe
    Command line: C:\Windows\system32\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\U8CY04\SystemPropertiesHardware.exe
    Command line: C:\Users\Admin\AppData\Local\U8CY04\SystemPropertiesHardware.exe

C:\Windows\system32\DisplaySwitch.exe
    Command line: C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\4TDIO8Rz\DisplaySwitch.exe
    Command line: C:\Users\Admin\AppData\Local\4TDIO8Rz\DisplaySwitch.exe

C:\Windows\system32\eudcedit.exe
    Command line: C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\0q1Rh\eudcedit.exe
    Command line: C:\Users\Admin\AppData\Local\0q1Rh\eudcedit.exe

Network

N/A

Files

memory/2872-1-0x0000000140000000-0x0000000140236000-memory.dmp

memory/2872-0-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1380-4-0x0000000077AE6000-0x0000000077AE7000-memory.dmp

memory/1380-10-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-17-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-27-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-36-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-44-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-49-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-51-0x0000000002E80000-0x0000000002E87000-memory.dmp

memory/1380-58-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-60-0x0000000077E50000-0x0000000077E52000-memory.dmp

memory/1380-59-0x0000000077CF1000-0x0000000077CF2000-memory.dmp

memory/1380-69-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-50-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-75-0x0000000140000000-0x0000000140236000-memory.dmp

memory/2960-88-0x0000000000090000-0x0000000000097000-memory.dmp

memory/1380-48-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-46-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-47-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-45-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-43-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-42-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-41-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-40-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-39-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-38-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-37-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-35-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-34-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-33-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-31-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-32-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-30-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-29-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-28-0x0000000140000000-0x0000000140236000-memory.dmp

memory/308-106-0x0000000000280000-0x0000000000287000-memory.dmp

memory/1380-26-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-25-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-24-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-23-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-21-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-22-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-20-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-19-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-18-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-16-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-15-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-14-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-13-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-12-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-11-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-7-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-9-0x0000000140000000-0x0000000140236000-memory.dmp

memory/2872-8-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1380-5-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/1692-128-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1380-159-0x0000000077AE6000-0x0000000077AE7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-30 08:06
Reported: 2023-12-31 07:32
Platform: win10v2004-20231215-en
Max time kernel: 1s
Max time network: 84s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\12fb02d69d7ecf23d540bc1411dc0a75.dll,#1

Signatures

Dridex
Tags: botnet dridex

Dridex Shellcode
Tags: botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled
Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\12fb02d69d7ecf23d540bc1411dc0a75.dll,#1

C:\Users\Admin\AppData\Local\ozNIuHi\SystemPropertiesComputerName.exe
    Command line: C:\Users\Admin\AppData\Local\ozNIuHi\SystemPropertiesComputerName.exe

C:\Windows\system32\MoUsoCoreWorker.exe
    Command line: C:\Windows\system32\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\HkrCuuWfg\MoUsoCoreWorker.exe
    Command line: C:\Users\Admin\AppData\Local\HkrCuuWfg\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\QsT6e\PresentationHost.exe
    Command line: C:\Users\Admin\AppData\Local\QsT6e\PresentationHost.exe

C:\Windows\system32\PresentationHost.exe
    Command line: C:\Windows\system32\PresentationHost.exe

C:\Windows\system32\SystemPropertiesComputerName.exe
    Command line: C:\Windows\system32\SystemPropertiesComputerName.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
GB | 96.17.178.176:80 | | tcp
GB | 96.17.178.176:80 | | tcp
US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp
GB | 96.17.178.176:80 | | tcp
GB | 96.17.178.176:80 | | tcp
GB | 96.17.178.176:80 | | tcp
GB | 88.221.134.32:80 | | tcp
GB | 88.221.134.32:80 | | tcp
GB | 88.221.134.32:80 | | tcp
US | 20.231.121.79:80 | | tcp
GB | 88.221.134.32:80 | | tcp

Files

memory/1824-0-0x0000000140000000-0x0000000140236000-memory.dmp

memory/1824-3-0x0000011B5CCA0000-0x0000011B5CCA7000-memory.dmp

memory/1824-7-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-9-0x00007FF95542A000-0x00007FF95542B000-memory.dmp

memory/3636-14-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-19-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-23-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-27-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-31-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-36-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-41-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-44-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-51-0x0000000002590000-0x0000000002597000-memory.dmp

memory/3636-50-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-59-0x00007FF956960000-0x00007FF956970000-memory.dmp

memory/3636-68-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-70-0x0000000140000000-0x0000000140236000-memory.dmp

memory/4488-81-0x000001B050190000-0x000001B050197000-memory.dmp

memory/4488-79-0x0000000140000000-0x0000000140237000-memory.dmp

memory/4292-99-0x000001DBBADC0000-0x000001DBBADC7000-memory.dmp

memory/1212-114-0x000002AD38C40000-0x000002AD38C47000-memory.dmp

memory/3636-58-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-49-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-48-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-47-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-46-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-45-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-43-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-42-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-40-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-39-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-38-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-37-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-35-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-34-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-33-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-32-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-30-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-29-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-28-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-26-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-25-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-24-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-22-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-21-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-20-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-18-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-17-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-16-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-15-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-13-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-12-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-11-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-8-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-10-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-6-0x0000000140000000-0x0000000140236000-memory.dmp

memory/3636-4-0x0000000002580000-0x0000000002581000-memory.dmp