Malware Analysis Report

2024-11-30 21:17

Sample ID 231230-qv5vpaacal
Target 1a34ce864b2eca01d16f5a46101ad971
SHA256 3a4a7ab3cf76f55ab88d9713d032fd80a755e9bacc997ddcab2d1bd0efae5ab7
Tags
dridex botnet evasion payload trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a4a7ab3cf76f55ab88d9713d032fd80a755e9bacc997ddcab2d1bd0efae5ab7

Threat Level: Known bad

The file 1a34ce864b2eca01d16f5a46101ad971 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 13:35

Signatures

Unsigned PE

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 13:35

Reported

2024-01-01 00:13

Platform

win7-20231215-en

Max time kernel

3s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a34ce864b2eca01d16f5a46101ad971.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description: N/A
Indicator: N/A
Process: N/A
Target: N/A

Checks whether UAC is enabled

evasion trojan

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description: N/A
Indicator: N/A
Process: C:\Windows\system32\rundll32.exe
Target: N/A
(three identical entries)

Processes

Process: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a34ce864b2eca01d16f5a46101ad971.dll,#1

Process: C:\Users\Admin\AppData\Local\FgQVK99\notepad.exe
Command line: C:\Users\Admin\AppData\Local\FgQVK99\notepad.exe

Process: C:\Windows\system32\notepad.exe
Command line: C:\Windows\system32\notepad.exe

Process: C:\Windows\system32\psr.exe
Command line: C:\Windows\system32\psr.exe

Process: C:\Users\Admin\AppData\Local\89KJLO6dx\psr.exe
Command line: C:\Users\Admin\AppData\Local\89KJLO6dx\psr.exe

Process: C:\Users\Admin\AppData\Local\Zy2cHScvI\mblctr.exe
Command line: C:\Users\Admin\AppData\Local\Zy2cHScvI\mblctr.exe

Process: C:\Windows\system32\mblctr.exe
Command line: C:\Windows\system32\mblctr.exe

Network

N/A

Files

memory/2288-0-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/2288-1-0x0000000000290000-0x0000000000297000-memory.dmp

memory/1196-4-0x0000000076EB6000-0x0000000076EB7000-memory.dmp

memory/1196-11-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-21-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-32-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-34-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-42-0x00000000770C1000-0x00000000770C2000-memory.dmp

memory/1196-43-0x0000000077220000-0x0000000077222000-memory.dmp

memory/1196-52-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-58-0x0000000140000000-0x00000001401AD000-memory.dmp

\Users\Admin\AppData\Local\FgQVK99\VERSION.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2744-71-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/2744-75-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/2744-70-0x0000000000190000-0x0000000000197000-memory.dmp

C:\Users\Admin\AppData\Local\FgQVK99\notepad.exe

MD5 da6bc4c55c5089a480d8bbeed46b73ae
SHA1 5bc35aa0329a1259b5b47753e2ec5e8f4cd0021d
SHA256 1319542e6c8f15271caded28da5cd4e14fa1dbd4d4543502a76cb844e9edfe65
SHA512 10c5798a18d8e2f8323fe430bb633e07a9b6dbee75d8584d9f81d482bcf62a2022029530b97ab009ac7a91a23ca8ea24397100096b9e545ddf5ad12738462ce0

memory/1196-41-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-33-0x0000000002500000-0x0000000002507000-memory.dmp

memory/1196-31-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-30-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-28-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-29-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-27-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-26-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-25-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-24-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-23-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-22-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-20-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-19-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-18-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-17-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-16-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-14-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-15-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-13-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-12-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-10-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-9-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/2288-8-0x0000000140000000-0x00000001401AD000-memory.dmp

\Users\Admin\AppData\Local\89KJLO6dx\VERSION.dll

MD5 2c60c7a4ca989cce169d9e87e8a56d2e
SHA1 f4d0a6c5dc132a71104586473f685c227387965b
SHA256 94af1d5cadeadae0cf945b758323062649c9256c09ae4cec0f36fa0040da9375
SHA512 df9a6959098c27be02604dc9bc8ead93747e662c9fe0f3de0dab9a3818238db0d496e7f18a5c131011a70e164340de98fb1987bb83dabbaf873816a4a5b38366

memory/1232-96-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1232-99-0x0000000140000000-0x00000001401AE000-memory.dmp

C:\Users\Admin\AppData\Local\89KJLO6dx\VERSION.dll

MD5 d30523cc4dde53ef64350da67ee76f80
SHA1 4a004ed8cd71434b738e215ea8a579bc47b31f37
SHA256 cbd3c3d783fe1afeb99f0bd71f95f823a85cc38baad80fb8dc528d42a4c701f7
SHA512 04c8c9a9da8b1ef1a34407c8899fc50464dd621fd343f8ac2d66b11a83151b211e0b06430f0b95b4100dca4ba5e5dd1fd4abe4da2666b4ed7a9c6231011c6be2

C:\Users\Admin\AppData\Local\89KJLO6dx\psr.exe

MD5 a06833de4f62992f720d55899bff1d82
SHA1 cd679c134b66611cadaeadd7836c89f9f3e8043d
SHA256 fe8703ad60ec50cba59a7d827adb2f5630077482f8e527e07eafad75aa5c676b
SHA512 d967a5dded29dc2f4ab9b9402b76a57549072bca016eb005471ab5bdf353b4278941d71f80cd06bdf74b437fcd0ca40caf05746833d837be431c0a587b126371

C:\Users\Admin\AppData\Local\89KJLO6dx\psr.exe

MD5 46f9f73d701f304b24274fb393294c9f
SHA1 c367f171a76f6ec954e3a593df00ca34c44c91c2
SHA256 c65dbb8ed8e200b518b60c7e9b55efe57c2179ed30dd5a28cc124fb8216e2743
SHA512 6d13be424e68aee64d567d8d41bea1243616644b814ec52bdbc0de49b26b442a2b06edad8c61a9100a73fee49175ed1043a52aa963ae75a3496371560539f462

\Users\Admin\AppData\Local\89KJLO6dx\psr.exe

MD5 8a3118111974e9a626589f14a087c71b
SHA1 cf204e2f974dc67f6d50b7c7569f71c180b593cb
SHA256 a30d386ff8f6f1c1d734f22d9bc4cb9db12d7229d34c922257253d7e1db1283b
SHA512 44642713b8eb41434898d3d43686280e15b1ac34959446be88ceeb60d4149141d025b9868f5af9f98567f811e1fc0c6f6e744ed3b0b107ec34d45d72533deec0

memory/1196-7-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/1196-5-0x0000000002520000-0x0000000002521000-memory.dmp

\Users\Admin\AppData\Local\Zy2cHScvI\slc.dll

MD5 323cfe54b12cd93fd003a9f001443140
SHA1 4acf9976d2f2cb7fe698b5a1f757f5c6c63b00e3
SHA256 7e8fe9fd1dd076093864b5c3aca81a6ec1c1e8a5a16e675cd36fc9a4502b0253
SHA512 2854278df00ec55f2cb39fc1711bcc3a920251b3f83637a8a0e0a2a69251189aa018a86f57cd9e87ecbad8eb1f7b86920504a5e4c16271c6a21ced1ffcfda81c

memory/2832-120-0x0000000000320000-0x0000000000327000-memory.dmp

memory/2832-123-0x0000000140000000-0x00000001401AE000-memory.dmp

C:\Users\Admin\AppData\Local\Zy2cHScvI\slc.dll

MD5 1e4f3afeb2922fdeec28241bb14334f5
SHA1 f4f49baa16baac2f1d9baf9fd355967bfab4420a
SHA256 c03c7661958a83c998d7b6877a377f658b82379f43ba38297524e98972980aa2
SHA512 4276dcfb883db3f3e8c26169bdaa47d8992764b72778f62804a385e6ad0fb9bb100ec9412c3244d9aa7263d8c9ee20dbcab138659d2bdca2f0b9d108693c7c76

C:\Users\Admin\AppData\Local\Zy2cHScvI\mblctr.exe

MD5 b79a96217f382ab5dbd3f6993939f0a7
SHA1 dbebc0db998677675907467d0ffb8eb9b2c2621f
SHA256 55d424c24ef067299d3a029e081942764fbb98326696df4a53ddd3a93d3d4e86
SHA512 0bb8fb5f13d0eaa2f82ee0b2f2d34bce9babcdab183af378c6362f66a9ad5194bef175418e1ee42ff13758e9d5594fb478b5f5df530aab180b281c9248849e4f

C:\Users\Admin\AppData\Local\Zy2cHScvI\mblctr.exe

MD5 96099ca885ca88f77d7f62f02e17f2d7
SHA1 31feac54d0361b29f1b62cba8a51123bcde887d2
SHA256 131bde255a7a33bf57d3ef59d5305a59cc74633c470dc4c7296a640de424b16d
SHA512 b90536aa248c87a55f5c95d708507c25c0de687f19aa805e00c63bccde9dda96e28bb7b44526fb8395bfb783eb24685304945cff8d7c19e4b90952b058c00601

\Users\Admin\AppData\Local\Zy2cHScvI\mblctr.exe

MD5 240397c04beabae695a117874caf26cb
SHA1 6b4de55b93ea258a7a7951d96be7fdf831c025bf
SHA256 9ddfcdd63293d91aec5c9f05e837f0fcd9d2cd8cece46c3852a13787c396a85c
SHA512 8a62d7d2d79839bbb4f5f4d46ad8327b0aa13004a9284ee5a19dd945ee6274e47054b259b262fe198aa849d62dc29efcb53b3426dc99cb7b482c4f6d69b95bd2

\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\sj\mblctr.exe

MD5 ad3f0620a23f54cb8e8850cc15c92179
SHA1 5cebdf8c8d425910c840c8391d77d2421bdc300f
SHA256 40755340ba0d985e8f52e6ced71580ab1b63c7177190767329a07b06a6f19a22
SHA512 1b704f1a3abeaeaf36e76932259cc83ce8ffe2c0f4730e0795da254596338e97e188c7542a27ab236260998739fdac51ed3f77c69a39de77877285ffe802fb61

memory/1196-149-0x0000000076EB6000-0x0000000076EB7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\ymb\VERSION.dll

MD5 844316961596b9018f7be7b656a14f7e
SHA1 abf0b4044d07fe3e5669cc0dc101aa4771871c0c
SHA256 a5704362f984f49e9db53c5464a6721cec75a2b0e1c94b54596e41bbb4b0afae
SHA512 e78a58c173a24374fb836b634c39954ef8e57d3f7b3c4f903f6dabb74816e6d53258b484b3c1020aefabc2f058dd0a5729bd65a96e0211cac2ead1f2a1746328

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\eKkIliE7MX5\VERSION.dll

MD5 96665bbe84edbbbadd072682405bc2c0
SHA1 156a7d7fa4f822fae855fa759fabada5ec5e0c8b
SHA256 9dee6be7109b418413fd5b56d1a67eca31b85bd0265fdc8c741b3945dc8a4c3c
SHA512 ca493f73f7b39c3233c255ae5ba8863c0a462cf5ddd7783fe40b4a3769f5819581dd31bfa17260a3e89cc078d30e1fc764378f5092cd1464a73354c25094cc10

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 13:35

Reported

2024-01-01 00:14

Platform

win10v2004-20231215-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A