Malware Analysis Report

2024-11-30 21:06

Sample ID: 231230-qqxnhshbfr
Target: 1a04a1187c2d9ada362c17c66075c8b5
SHA256: f2ac70d80c13a77d6e2cdb5b1c131f1bb1fa84a2ff093039c70954aed90d1b79
Tags: dridex botnet evasion payload trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: f2ac70d80c13a77d6e2cdb5b1c131f1bb1fa84a2ff093039c70954aed90d1b79

Threat Level: Known bad

The file 1a04a1187c2d9ada362c17c66075c8b5 is a DLL; in both behavioral runs it was loaded with rundll32.exe, which calls its export with ordinal 1 (the ",#1" in the command line). The file was classified as Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload trojan

Signatures matched across the three analyses:

Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-30 13:28

Signatures

Unsigned PE
  The file carries no Authenticode signature. No indicator details recorded (Description/Indicator/Process/Target all N/A).

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-30 13:28
Reported: 2023-12-31 23:52
Platform: win7-20231215-en
Max time kernel: 3s
Max time network: 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a04a1187c2d9ada362c17c66075c8b5.dll,#1

Signatures

Dridex (tags: botnet dridex)
  Family match; no indicator table in this export.

Dridex Shellcode (tags: botnet payload)
  No indicator details recorded (Description/Indicator/Process/Target all N/A).

Checks whether UAC is enabled (tags: evasion trojan)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: C:\Windows\system32\rundll32.exe
  Caveat: reading EnableLUA only tells the sample whether UAC is enforced, and many legitimate installers read the same value. On its own it is a weak signal; it matters here because the reader is rundll32.exe running a DLL out of %TEMP%, in the same run that matched the Dridex family signatures.

Suspicious behavior: EnumeratesProcesses
  Process: C:\Windows\system32\rundll32.exe (three events; no indicator details recorded)

Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a04a1187c2d9ada362c17c66075c8b5.dll,#1

C:\Users\Admin\AppData\Local\yvB6D\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\fVBDqT\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
C:\Users\Admin\AppData\Local\HjJCtE8hU\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe

For the six processes after rundll32.exe the command line is the image path alone. Each of the three Windows binaries (BitLockerWizardElev.exe, BdeUISrv.exe, SystemPropertiesComputerName.exe) runs twice: once from its System32 location and once from a randomly named folder under %LOCALAPPDATA% where a copy of it has been placed. This run recorded no dropped files, only memory dumps; the Windows 10 run (behavioral2) records the copied binaries and the DLLs placed beside them.

Network

No network activity recorded.

Files

memory/1924-0-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1924-1-0x00000000002A0000-0x00000000002A7000-memory.dmp

memory/1196-4-0x0000000076EB6000-0x0000000076EB7000-memory.dmp

memory/1196-13-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-24-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-38-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-49-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-57-0x0000000002500000-0x0000000002507000-memory.dmp

memory/1196-60-0x0000000077220000-0x0000000077222000-memory.dmp

memory/1196-59-0x00000000770C1000-0x00000000770C2000-memory.dmp

memory/1196-74-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/2604-90-0x0000000000090000-0x0000000000097000-memory.dmp

memory/1196-69-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-58-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-50-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-48-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-47-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-46-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-45-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-44-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-43-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-42-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-41-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-40-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-39-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-37-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-36-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-35-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-33-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-34-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-32-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-31-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-30-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/2984-113-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1196-29-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-28-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-27-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-26-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-25-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-23-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-22-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-21-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-20-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-19-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-18-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-17-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-16-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-15-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-14-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-12-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-11-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-10-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-9-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1924-8-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-7-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1196-5-0x0000000002520000-0x0000000002521000-memory.dmp

memory/1196-151-0x0000000076EB6000-0x0000000076EB7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-30 13:28
Reported: 2023-12-31 23:52
Platform: win10v2004-20231215-en
Max time kernel: 1s
Max time network: 66s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a04a1187c2d9ada362c17c66075c8b5.dll,#1

Signatures

Checks whether UAC is enabled (tags: evasion trojan)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process: C:\Windows\system32\rundll32.exe
  The same EnableLUA read as in behavioral1. Note that neither the Dridex nor the Dridex Shellcode signature fired on this Windows 10 run; the family attribution in this report rests on the Windows 7 detonation.

Suspicious behavior: EnumeratesProcesses
  Process: C:\Windows\system32\rundll32.exe (four events; no indicator details recorded)

Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a04a1187c2d9ada362c17c66075c8b5.dll,#1

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\EHr\eudcedit.exe
C:\Users\Admin\AppData\Local\4TLC3mXPZ\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\oaz\PasswordOnWakeSettingFlyout.exe

For the six processes after rundll32.exe the command line is the image path alone. As in behavioral1, each Windows binary (eudcedit.exe, PasswordOnWakeSettingFlyout.exe, MDMAppInstaller.exe) runs both from System32 and from a randomly named folder under %LOCALAPPDATA%. The Files section below records the copy placed in each folder together with a DLL named after a system library (MFC42u.dll, DUI70.dll, WTSAPI32.dll) in the same folder, plus a shortcut (Psfjn.lnk) written to the Start Menu Startup folder.
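A triage pass over the process and file listings of behavioral2, as an added example written by the editor (it is not sandbox output and not code from the sample). PROCESSES and DROPPED_FILES are transcribed from this report's Processes and Files sections, memory dumps left out; the rules are the editor's own: a relocated system binary is an image that runs from a user-writable folder under a file name also seen running from System32 in the same run, a DLL in that folder is reported as a side-load candidate, and a DLL elsewhere in the profile as a staged copy.

```python
"""Triage the behavioral2 process and dropped-file listings for relocated
Windows binaries, DLLs staged beside them, rundll32 loads from a Temp folder
and Startup-folder shortcuts.

Added example by the editor; not sandbox output and not code from the sample.
PROCESSES and DROPPED_FILES are transcribed from this report; the rules are the
editor's own.
"""
import ntpath
import re

# Constructed from the behavioral2 Processes section: (image path, command line).
PROCESSES = [
    (r"C:\Windows\system32\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a04a1187c2d9ada362c17c66075c8b5.dll,#1"),
    (r"C:\Windows\system32\eudcedit.exe", r"C:\Windows\system32\eudcedit.exe"),
    (r"C:\Windows\system32\PasswordOnWakeSettingFlyout.exe",
     r"C:\Windows\system32\PasswordOnWakeSettingFlyout.exe"),
    (r"C:\Users\Admin\AppData\Local\EHr\eudcedit.exe",
     r"C:\Users\Admin\AppData\Local\EHr\eudcedit.exe"),
    (r"C:\Users\Admin\AppData\Local\4TLC3mXPZ\MDMAppInstaller.exe",
     r"C:\Users\Admin\AppData\Local\4TLC3mXPZ\MDMAppInstaller.exe"),
    (r"C:\Windows\system32\MDMAppInstaller.exe", r"C:\Windows\system32\MDMAppInstaller.exe"),
    (r"C:\Users\Admin\AppData\Local\oaz\PasswordOnWakeSettingFlyout.exe",
     r"C:\Users\Admin\AppData\Local\oaz\PasswordOnWakeSettingFlyout.exe"),
]

# Constructed from the behavioral2 Files section (memory dumps left out).
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\EHr\eudcedit.exe",
    r"C:\Users\Admin\AppData\Local\EHr\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\oaz\PasswordOnWakeSettingFlyout.exe",
    r"C:\Users\Admin\AppData\Local\oaz\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\4TLC3mXPZ\MDMAppInstaller.exe",
    r"C:\Users\Admin\AppData\Local\4TLC3mXPZ\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\0aygiPIM\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\v2\DUI70.dll",
    r"C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\6aN3gS\WTSAPI32.dll",
]

SYSTEM32 = "c:\\windows\\system32"
# Folders a standard user can write to without elevation.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\")
# rundll32 <path under a Temp folder>.dll,#<ordinal> (or ,<ordinal>)
RUNDLL32_TEMP = re.compile(r"rundll32(?:\.exe)?\s+(\S*?\\temp\\[^\s,]+\.dll),#?\d+", re.I)


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def rundll32_temp_loads(processes):
    """DLL paths that rundll32 loaded from a Temp folder by export ordinal."""
    found = []
    for _, cmd in processes:
        m = RUNDLL32_TEMP.search(cmd)
        if m:
            found.append(m.group(1))
    return found


def relocated_system_binaries(processes):
    """Images running from a user-writable folder under a name also seen running
    from System32 in this run (a catalogue of known binaries would replace the set)."""
    system_names = {ntpath.basename(img).lower() for img, _ in processes
                    if ntpath.dirname(img).lower() == SYSTEM32}
    return [img for img, _ in processes
            if is_user_writable(img) and ntpath.basename(img).lower() in system_names]


def dll_placements(processes, files):
    """Split profile-folder DLLs into side-load candidates (beside a relocated
    system binary) and copies staged elsewhere in the profile."""
    host_dirs = {ntpath.dirname(p).lower() for p in relocated_system_binaries(processes)}
    candidates, staged = [], []
    for f in files:
        if f.lower().endswith(".dll") and is_user_writable(f):
            (candidates if ntpath.dirname(f).lower() in host_dirs else staged).append(f)
    return candidates, staged


def startup_shortcuts(files):
    """.lnk files written under a Start Menu Startup folder (8.3 short names allowed)."""
    return [f for f in files
            if f.lower().endswith(".lnk") and "\\programs\\startup\\" in f.lower()]


def triage(processes=PROCESSES, files=DROPPED_FILES):
    candidates, staged = dll_placements(processes, files)
    return {
        "rundll32_temp_loads": rundll32_temp_loads(processes),
        "relocated_system_binaries": relocated_system_binaries(processes),
        "sideload_candidates": candidates,
        "staged_dll_copies": staged,
        "startup_shortcuts": startup_shortcuts(files),
    }


if __name__ == "__main__":
    for finding, items in triage().items():
        print(f"{finding} ({len(items)})")
        for item in items:
            print("   ", item)
```

On the report's data this yields one rundll32 load from Temp, three relocated binaries, three side-load candidates (MFC42u.dll, DUI70.dll, WTSAPI32.dll), three staged DLL copies under Roaming and one Startup shortcut. Co-location is only a lead: confirming a side-load means checking that the relocated binary actually imports a DLL of that name, or reading the sandbox's image-load events, neither of which this export contains.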

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          146.78.124.51.in-addr.arpa    udp
US       8.8.8.8:53          21.53.126.40.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          9.228.82.20.in-addr.arpa      udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53          59.128.231.4.in-addr.arpa     udp
IE       20.166.126.56:443   -                             tcp
US       8.8.8.8:53          -                             udp
IE       20.166.126.56:443   -                             tcp
US       8.8.8.8:53          104.241.123.92.in-addr.arpa   udp
US       8.8.8.8:53          119.110.54.20.in-addr.arpa    udp
US       8.8.8.8:53          174.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          32.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa     udp

Rows marked "-" had no domain recorded. The UDP/53 rows are reverse (PTR) lookups sent to the resolver the sandbox uses; the table does not say which process issued them. The only direct connection is TCP 443 to 20.166.126.56, seen twice with no domain recorded. The Windows 7 run (behavioral1) recorded no network activity at all.
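To turn the table into indicators you can pivot on, the following added example (editor's code, not sandbox output) decodes the in-addr.arpa names back to the addresses being looked up and separates the DNS traffic from the direct TCP connection. ROWS is transcribed from the table above; rows with no domain carry an empty string.

```python
"""Decode this report's Network table: PTR names back to IPs, DNS rows apart
from direct connections.

Added example by the editor; not sandbox output. ROWS is transcribed from the
behavioral2 Network table; rows with no domain recorded use an empty string.
"""
import ipaddress

# Constructed from the behavioral2 Network table: (country, destination, domain, proto).
ROWS = [
    ("US", "8.8.8.8:53", "146.78.124.51.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "21.53.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "9.228.82.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.165.165.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "59.128.231.4.in-addr.arpa", "udp"),
    ("IE", "20.166.126.56:443", "", "tcp"),
    ("US", "8.8.8.8:53", "", "udp"),
    ("IE", "20.166.126.56:443", "", "tcp"),
    ("US", "8.8.8.8:53", "104.241.123.92.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "119.110.54.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "174.178.17.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "32.134.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """Reverse the label order of an IPv4 PTR name; None if it is not one.

    '146.78.124.51.in-addr.arpa' names the address 51.124.78.146."""
    if not name.lower().endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    except ValueError:  # label outside 0-255 or not numeric
        return None


def summarize_network(rows=ROWS):
    """Resolvers used, addresses that were reverse-looked-up (deduplicated, in
    order of first appearance) and every non-DNS endpoint with its country."""
    resolvers, looked_up, endpoints = set(), [], {}
    for country, destination, domain, proto in rows:
        host, _, port = destination.rpartition(":")
        if port == "53" and proto == "udp":
            resolvers.add(host)
            ip = ptr_name_to_ip(domain)
            if ip and ip not in looked_up:
                looked_up.append(ip)
        else:
            endpoints.setdefault((host, int(port), proto), country)
    return {
        "resolvers": sorted(resolvers),
        "reverse_lookups": looked_up,
        "endpoints": [(h, p, proto, c) for (h, p, proto), c in endpoints.items()],
    }


if __name__ == "__main__":
    for key, values in summarize_network().items():
        print(key)
        for value in values:
            print("   ", value)
```

The PTR lookups tell you which addresses something in the VM wanted a name for; they are not connections to those addresses, and this export does not attribute them to a process. The one endpoint worth pivoting on is 20.166.126.56:443, for which the report records no content or domain, so treat it as an address to check rather than as confirmed command-and-control.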

Files

memory/448-2-0x000001918CDB0000-0x000001918CDB7000-memory.dmp

memory/448-1-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/448-0-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-5-0x0000000002F20000-0x0000000002F21000-memory.dmp

memory/3408-13-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-14-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-19-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-18-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-24-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-30-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-35-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-38-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-42-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-43-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-44-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-45-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-48-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-50-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-51-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-52-0x0000000002570000-0x0000000002577000-memory.dmp

memory/3408-59-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-60-0x00007FFA82860000-0x00007FFA82870000-memory.dmp

memory/3408-71-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-69-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-49-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-47-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-46-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-41-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-40-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-39-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-37-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-36-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-34-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-32-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-33-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1004-81-0x0000000140000000-0x00000001401D8000-memory.dmp

memory/1004-88-0x0000000140000000-0x00000001401D8000-memory.dmp

memory/1004-82-0x000001CCDFFA0000-0x000001CCDFFA7000-memory.dmp

C:\Users\Admin\AppData\Local\EHr\eudcedit.exe

MD5 a0bc051fbfe918aa85b77c3d84c1f075
SHA1 26a1ecbf95e62124eee4aa6631b6c98d7f9a86a9
SHA256 cb1d269eeeb3134328fb71f28871b8c07e80481b3b68c0293326b341f562b823
SHA512 21a94d82d7a26ea391d3d48b8d021d931f3a6ee9b72ec134f08f056f2f54a04967029786ca159863771118addab2d2bc2e5ead35fd5d69ba127461bf12e0f296

memory/1004-80-0x0000000140000000-0x00000001401D8000-memory.dmp

C:\Users\Admin\AppData\Local\EHr\MFC42u.dll

MD5 8932e9ea28f1d329b53dc2ffd9e6fa72
SHA1 d2a42978b117dfd5a1e8e178db8a5e620e960104
SHA256 0e1d46ac7175968a05951f95f0dfb6ebe62e84136211880fd7597241fb368a0b
SHA512 c845b8559bf162d680183a2b780ddad6d45910603238efc4d05b2e8773800d908864b55b6b8ca80bbba6937e816f4fe2d8cf9e1b50f55af7a38b83f14d7c9f80

memory/3408-31-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-29-0x0000000140000000-0x00000001401D1000-memory.dmp

C:\Users\Admin\AppData\Local\oaz\PasswordOnWakeSettingFlyout.exe

MD5 591a98c65f624c52882c2b238d6cd4c4
SHA1 c960d08c19d777069cf265dcc281807fbd8502d7
SHA256 5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06
SHA512 1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

C:\Users\Admin\AppData\Local\oaz\DUI70.dll

MD5 97865a65ab0158d3f5945385a9a3c105
SHA1 ad146c6dbdd4e679fc369f61a34267c70bbaee11
SHA256 1c9e6a633f8ef73fd1293068e383b76ac9a2476c5a6adcfe485bf0f568fb9fad
SHA512 878ab0ab1bb6de61f8c3977c6652cc0dbf37bf0935ccbeac602dbd39ece806a96f6d554dcfb7f10806c9e6ad067f3c2bfff1476af00f3fd194865b80af2ed6cf

memory/1636-107-0x0000000140000000-0x0000000140217000-memory.dmp

memory/1636-102-0x000001F801190000-0x000001F801197000-memory.dmp

C:\Users\Admin\AppData\Local\4TLC3mXPZ\MDMAppInstaller.exe

MD5 f9db5e0570631ee9d5d93faed6e83874
SHA1 1ad8809a0eb44b9fc4ab5c959c49f2499e97ae34
SHA256 521b87d8c9752741f5c4bc7dd7abc08303bea4073010623dd75166a90a540cf3
SHA512 f3c7f3fd8f89bd51a475fce6d602fbdd1f9dd8e92940e6e64af0df71c782d9cf4983e86e079159cedfee7abf15ad0d9ed97db0f9045a32dc36d1e3100da1fe34

C:\Users\Admin\AppData\Local\4TLC3mXPZ\WTSAPI32.dll

MD5 fa7643f87d854529357a10b17a453033
SHA1 2e3f03ac3dd988edbf61dd3dde552b2cea8ace5f
SHA256 e73467fd2893fa5430690208a37b89e80aebc867b26208c8c2be409d3260d921
SHA512 8e3becf37e24902ccd89774ed92bb2b31c8e5baa75208b9a2c6de405af86ae14ba53e7b71a0190f85a86f396c85fdd868b0ced224d9fe39ababb4d4d5f8bd9bd

memory/3488-121-0x000001CC47A80000-0x000001CC47A87000-memory.dmp

memory/3488-126-0x0000000140000000-0x00000001401D2000-memory.dmp

C:\Users\Admin\AppData\Local\4TLC3mXPZ\MDMAppInstaller.exe

MD5 5fb969a7cf8ca845a5daec8ba987e47a
SHA1 a450e68a3f6153ae4afd2e71d3de3e7cddbc4181
SHA256 d5e5465193be672bcd314a4c3a48d98bd540bd4accde9bd52d39edde2ad75f4d
SHA512 8c7dd693e5fa5e6fb007319eaa48c72d73d3940033b1666d22787994c52386c308e4c0d8b1f070fd02d0939143950c745ab3c2b6d8b5bf14fff8be20c1305473

memory/3488-119-0x0000000140000000-0x00000001401D2000-memory.dmp

C:\Users\Admin\AppData\Local\4TLC3mXPZ\WTSAPI32.dll

MD5 d8acf8f64112b8f813bce3d419523bfa
SHA1 3697ab9c55985cf2939095d9124e2fe27e4504a9
SHA256 d4cf30e7d72029e0253f1cbb7708e39a0bb5f6d814da0cea00e09e642d7145af
SHA512 709ae10e1a11484e8148c8eeb25ed88e2788a5db2abecc91dac1d14bdead161766d742483c31e27eb533a3e5a882b8a89859d4d0e21e467053f3f979408d5128

C:\Users\Admin\AppData\Local\oaz\PasswordOnWakeSettingFlyout.exe

MD5 a46f6b4b9f57b1bcc9fb9fee749814ce
SHA1 6decd7f23c68bdbda5e7f021542e51797d2a25af
SHA256 dcb8812f19428fd69b0e61838c0114283f5a506dc102db1113ce0ba0931e6ca1
SHA512 42c87ac363bc80cfa14dd9c1f2d529a3e57774bf84d64d6cf63e4d5ba7f0e7dd1427a1c7fab8fa9f52e4e247ff2605f7e7e815a9599ad1a878705a47181aa697

memory/1636-100-0x0000000140000000-0x0000000140217000-memory.dmp

C:\Users\Admin\AppData\Local\oaz\DUI70.dll

MD5 d81615a3fc522337d53aa95b754c4ea1
SHA1 3596130586b994759c73b95ba0798f617e466fa5
SHA256 ef955cd093dbfbf13f3d1bd5c0b76882b8521eb3a705325ff136a9d56a99d3d8
SHA512 d666d25eff8fad5cd0b8291dcf7ef2bcaf80c120fbb6aa45a923d5dda88fa8f154a161dd225b09d5323010218e9d175c5d9a7be404da748e496c24207da364cb

memory/3408-28-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-27-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-26-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-25-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-23-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-22-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-21-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-20-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-17-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-16-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-15-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-12-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-11-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-10-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/448-9-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-8-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3408-7-0x00007FFA81CCA000-0x00007FFA81CCB000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 e6b19fc59b1040647a61e9c24c7bba41
SHA1 22340aae6c992698d5125f1b9cc8e12732f830f7
SHA256 17f267394d52ce487fe8f5afae4f067ab3515d9a82ee6c955356511d1309e913
SHA512 489f3edf1f29d29018206d0255c3d5d20ae4ea84bf1f35ad7b9df0157393e138941b186703ce10c5913bfa461017e4011c52adcf02a36a90fa2220615e2e18c9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\0aygiPIM\MFC42u.dll

MD5 8ea014efbb027eaa894c44a28901b842
SHA1 36d55b8ec4272508ad43d428dfe688b6f3f1b240
SHA256 1ac14eedaa468625f6cd97d00c29752f60375e5258a704cca7382950e184bd87
SHA512 f932ef2f55ac7b64417ee76f87e797e4d9b54136127145e24eb5da24923f37ca9cfa6d10bef519436cc559bbe521416351b8e4518a5e10c4623d7dae3aff7779

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\v2\DUI70.dll

MD5 888d94a1e68e3b21a7b040bd706a1b2b
SHA1 12e5745192a47dc01365f0f237a9b7db09469514
SHA256 2b026c3a2ea2b1f6676096e4d60ce3598f83bbdfa18eb96a56b260dfd77bce46
SHA512 60ad4c0b5ba207518b26e1451c0a3b9266954fd892b9cd513ebc81f73bbc2d69a4aa7b56c45f3bc30debf72657aaa46d940b5df4bfe9ab0d489c95b05d910b40

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\6aN3gS\WTSAPI32.dll

MD5 98a1e6321ce4d97320ba0a4b4b9ea435
SHA1 eeba6f20ea495c8c3d4ae0f1faad6cfef3c16b3e
SHA256 2a0daa2ee90019053a78a25e841a5fe6f84db6199d26fda4a6b28545ea534225
SHA512 76c62c086544fe9a387200ac22dc9163dc1c5816d651838f6caabb2e2689fa2ce93baf9a4e9a3b06bfe2d4dcbc77c1ccd61df43f648e8f6c0bdaf302a32e2299
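The memory-dump names in the two Files sections encode a PID, a snapshot index and an address range. The following added example (editor's code, not sandbox output) parses that naming pattern and relates the dumps across processes; SAMPLE_DUMPS is a subset transcribed from behavioral1. The report does not map PIDs to image names, so the code speaks only of PIDs and assumes nothing about which process is which.

```python
"""Parse the memory-dump names from the Files sections and relate them across PIDs.

Added example by the editor; not sandbox output. Names follow the pattern
memory/<pid>-<n>-<start>-<end>-memory.dmp as printed in this report. SAMPLE_DUMPS
is a subset transcribed from behavioral1; the report does not tie PIDs to image
names, so nothing here assumes which process a PID is.
"""
import re
from collections import defaultdict

# Default preferred base the MSVC linker gives 64-bit executables (DLLs get 0x180000000).
DEFAULT_X64_EXE_IMAGE_BASE = 0x140000000

DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed: nine of the behavioral1 dump names, in report order.
SAMPLE_DUMPS = """
memory/1924-0-0x0000000140000000-0x00000001401D1000-memory.dmp
memory/1924-1-0x00000000002A0000-0x00000000002A7000-memory.dmp
memory/1196-4-0x0000000076EB6000-0x0000000076EB7000-memory.dmp
memory/1196-13-0x0000000140000000-0x00000001401D1000-memory.dmp
memory/1196-24-0x0000000140000000-0x00000001401D1000-memory.dmp
memory/1196-57-0x0000000002500000-0x0000000002507000-memory.dmp
memory/2604-90-0x0000000000090000-0x0000000000097000-memory.dmp
memory/2984-113-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1924-8-0x0000000140000000-0x00000001401D1000-memory.dmp
""".split()


def parse_dump_name(name):
    """Return {pid, n, start, end} for one dump name; raise on anything else."""
    m = DUMP_NAME.fullmatch(name.strip())
    if m is None:
        raise ValueError(f"not a dump name: {name!r}")
    return {"pid": int(m["pid"]), "n": int(m["n"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def region_size(dump):
    return dump["end"] - dump["start"]


def shared_regions(names):
    """Identical (start, end) ranges dumped from more than one PID. The same range
    at a PE's preferred base in two PIDs is what you see when one image occupies
    that base in both processes."""
    pids_by_region = defaultdict(set)
    for d in map(parse_dump_name, names):
        pids_by_region[(d["start"], d["end"])].add(d["pid"])
    return {r: sorted(p) for r, p in pids_by_region.items() if len(p) > 1}


def regions_by_size(names):
    """PIDs holding a dumped region of each size, regardless of address."""
    pids_by_size = defaultdict(set)
    for d in map(parse_dump_name, names):
        pids_by_size[region_size(d)].add(d["pid"])
    return {s: sorted(p) for s, p in pids_by_size.items()}


def image_base_dump_counts(names):
    """Per PID, how many snapshots were taken of the region starting at the
    default 64-bit EXE image base."""
    counts = defaultdict(int)
    for d in map(parse_dump_name, names):
        if d["start"] == DEFAULT_X64_EXE_IMAGE_BASE:
            counts[d["pid"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for (start, end), pids in shared_regions(SAMPLE_DUMPS).items():
        print(f"0x{start:X}-0x{end:X} ({end - start:#x} bytes) dumped from PIDs {pids}")
    for size, pids in sorted(regions_by_size(SAMPLE_DUMPS).items()):
        print(f"size {size:#x}: PIDs {pids}")
    print("image-base snapshots per PID:", image_base_dump_counts(SAMPLE_DUMPS))
```

On the subset, the 0x1D1000-byte range 0x140000000-0x1401D1000 is dumped from both PID 1924 and PID 1196, and a 0x7000-byte region appears in every PID listed. 0x140000000 is the linker's default base for 64-bit executables, not DLLs, so an image there inside rundll32's address space is not the sample DLL loaded normally. Whether these ranges hold the Dridex payload and its loader stub is a question for the dump contents; the names only say where to look.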