Malware Analysis Report

2024-11-30 21:12

Sample ID 231230-z65hqsahgn
Target 1ccb428e2e749f119f860c9da64a4c12
SHA256 c4749c97c119b38af380d35b50cc2d37e658db9d1acec51142eea3d163b18b52
Tags
dridex botnet evasion payload trojan
score
10/10


Analysis Overview

score
10/10

SHA256

c4749c97c119b38af380d35b50cc2d37e658db9d1acec51142eea3d163b18b52

Threat Level: Known bad

The file 1ccb428e2e749f119f860c9da64a4c12 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

No technique mappings are listed in this report.

Analysis: static1

Detonation Overview

Reported

2023-12-30 21:20

Signatures

Unsigned PE

(no description, indicator, process or target recorded; the signature only states that the DLL carries no Authenticode signature)

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 21:20

Reported

2024-01-01 05:56

Platform

win7-20231129-en

Max time kernel

3s

Max time network

123s

(The kernel monitor, which produces the process and signature data, ran for at most 3 s; network capture ran for 123 s. Read the behavioural results below as a snapshot of the first seconds of execution.)

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ccb428e2e749f119f860c9da64a4c12.dll,#1

(The sandbox runs the DLL by calling its export ordinal 1 through rundll32.exe; the loader therefore executes inside that rundll32 process, which is the process every signature below is attributed to.)

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

(no description, indicator, process or target recorded)

Checks whether UAC is enabled

evasion trojan

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe
Target: N/A

EnableLUA is the policy value that turns UAC on (1) or off (0). It is readable by any user, so the query needs no privilege; it tells the loader whether an elevation attempt would prompt, and the read alone says nothing about whether one was made.

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\system32\rundll32.exe (3 events; no description, indicator or target recorded)

Processes

(image path, then command line; only the rundll32.exe loader was launched with arguments)

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ccb428e2e749f119f860c9da64a4c12.dll,#1

C:\Windows\system32\mmc.exe
  C:\Windows\system32\mmc.exe

C:\Users\Admin\AppData\Local\17cuN\mmc.exe
  C:\Users\Admin\AppData\Local\17cuN\mmc.exe

C:\Users\Admin\AppData\Local\0TSymiQ\dvdupgrd.exe
  C:\Users\Admin\AppData\Local\0TSymiQ\dvdupgrd.exe

C:\Windows\system32\dvdupgrd.exe
  C:\Windows\system32\dvdupgrd.exe

C:\Windows\system32\SndVol.exe
  C:\Windows\system32\SndVol.exe

C:\Users\Admin\AppData\Local\AwKHwH\SndVol.exe
  C:\Users\Admin\AppData\Local\AwKHwH\SndVol.exe

Each Windows binary other than rundll32.exe appears twice: once from C:\Windows\system32 and once as a same-named copy under a randomly named directory in C:\Users\Admin\AppData\Local (17cuN, 0TSymiQ, AwKHwH). Copying a genuine, signed system executable next to a malicious DLL so that the executable picks the DLL up through DLL search-order hijacking is the Dridex loader's documented staging technique; the report lists the processes but not the DLLs dropped beside them (the Files section below holds only memory dumps). The directory names change per run, so hunt on the pattern, a system32 binary name executing from under AppData\Local, rather than on these paths.

Network

N/A (no network activity was recorded in this run; absence of traffic in a 123 s capture is not evidence that the sample has no C2)

Files (memory dumps only; no dropped files are listed for this run)

memory/1476-0-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1476-1-0x0000000000290000-0x0000000000297000-memory.dmp

memory/1360-4-0x00000000775E6000-0x00000000775E7000-memory.dmp

memory/1360-11-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-20-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-32-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-44-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-45-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-47-0x0000000002B00000-0x0000000002B07000-memory.dmp

memory/1360-58-0x0000000077850000-0x0000000077852000-memory.dmp

memory/1360-55-0x00000000776F1000-0x00000000776F2000-memory.dmp

memory/1360-54-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-65-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-71-0x0000000140000000-0x0000000140245000-memory.dmp

memory/2480-84-0x0000000000120000-0x0000000000127000-memory.dmp

memory/2480-83-0x0000000140000000-0x0000000140247000-memory.dmp

memory/1360-46-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-43-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-42-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-41-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-40-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-39-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-38-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-37-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-36-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-35-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-34-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-33-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-31-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-30-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-29-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-28-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-27-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-26-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-25-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-24-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-23-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-22-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-21-0x0000000140000000-0x0000000140245000-memory.dmp

memory/2784-107-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1360-19-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-18-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-17-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-16-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-15-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-14-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-13-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-12-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-10-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-9-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1476-8-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-7-0x0000000140000000-0x0000000140245000-memory.dmp

memory/1360-5-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/1360-152-0x00000000775E6000-0x00000000775E7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 21:20

Reported

2024-01-01 05:58

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

130s

(Kernel-monitor time is reported as 0 s for this run, so the process and signature data below come from a very short tracing window; network capture ran for 130 s.)

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ccb428e2e749f119f860c9da64a4c12.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

(no description, indicator, process or target recorded)

Checks whether UAC is enabled

evasion trojan

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\system32\rundll32.exe (5 events; no description, indicator or target recorded)

Processes

(image path, then command line; only the rundll32.exe loader was launched with arguments)

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ccb428e2e749f119f860c9da64a4c12.dll,#1

C:\Windows\system32\SystemPropertiesAdvanced.exe
  C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\Xzuu\BitLockerWizardElev.exe
  C:\Users\Admin\AppData\Local\Xzuu\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\AvI8o\wextract.exe
  C:\Users\Admin\AppData\Local\AvI8o\wextract.exe

C:\Windows\system32\wextract.exe
  C:\Windows\system32\wextract.exe

C:\Windows\system32\BitLockerWizardElev.exe
  C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\VaOdyjPP\SystemPropertiesAdvanced.exe
  C:\Users\Admin\AppData\Local\VaOdyjPP\SystemPropertiesAdvanced.exe

The same staging pattern as the Windows 7 run, with a different set of host binaries: SystemPropertiesAdvanced.exe, BitLockerWizardElev.exe and wextract.exe each run once from system32 and once as a same-named copy under a random directory in AppData\Local (Xzuu, AvI8o, VaOdyjPP). The copies are the hunting lead; the directory names are per-run and the dropped DLLs are not listed in this report.
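A hunting check built from the process lists of both behavioural runs (an added example, not code from this report or its sandbox vendor). It flags every executable name that was launched both from a system directory and from a user-writable AppData path, which is exactly the copied-binary pattern in the two Processes sections, and pulls out the random staging directories so they can be matched against a host's file system. The process paths are copied from this report; the SYSTEM_DIRS and USER_WRITABLE patterns are my own choices and are assumptions about what counts as trusted and as writable.

```python
import re
from collections import defaultdict

# Process image paths copied from the two behavioural runs in this report
# (each distinct path once; the rundll32.exe loader included).
REPORT_PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\mmc.exe",
    r"C:\Users\Admin\AppData\Local\17cuN\mmc.exe",
    r"C:\Users\Admin\AppData\Local\0TSymiQ\dvdupgrd.exe",
    r"C:\Windows\system32\dvdupgrd.exe",
    r"C:\Windows\system32\SndVol.exe",
    r"C:\Users\Admin\AppData\Local\AwKHwH\SndVol.exe",
    r"C:\Windows\system32\SystemPropertiesAdvanced.exe",
    r"C:\Users\Admin\AppData\Local\Xzuu\BitLockerWizardElev.exe",
    r"C:\Users\Admin\AppData\Local\AvI8o\wextract.exe",
    r"C:\Windows\system32\wextract.exe",
    r"C:\Windows\system32\BitLockerWizardElev.exe",
    r"C:\Users\Admin\AppData\Local\VaOdyjPP\SystemPropertiesAdvanced.exe",
]

# Assumption for this example: directories whose executables are trusted
# system binaries (paths are compared lower-case).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: per-user writable locations a loader can stage copies in.
# Applied to a lower-cased path; a doubled backslash matches one '\'.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|locallow|roaming)\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_relocated_system_binaries(paths):
    """Map basename -> {"system": [...], "user": [...]} for every executable
    name that ran both from a system directory and from a user-writable one.
    A genuine Windows binary copied next to a malicious DLL is the shape of
    DLL search-order hijacking; the name match is the hunting key."""
    seen = defaultdict(lambda: {"system": [], "user": []})
    for p in paths:
        low = p.lower()
        if low.startswith(SYSTEM_DIRS):
            seen[_basename(p)]["system"].append(p)
        elif USER_WRITABLE.match(low):
            seen[_basename(p)]["user"].append(p)
    return {name: v for name, v in seen.items() if v["system"] and v["user"]}


def staging_directories(paths):
    """Return the directory names (original case) directly under the
    user-writable root that copies were executed from."""
    dirs = set()
    for p in paths:
        m = USER_WRITABLE.match(p.lower())
        if m:
            # Same offsets in the original-case string: lower() keeps length.
            rest = p[m.end():]
            dirs.add(rest.split("\\", 1)[0])
    return dirs


if __name__ == "__main__":
    for name, where in sorted(find_relocated_system_binaries(REPORT_PROCESSES).items()):
        print(f"{name}: system={where['system']} copies={where['user']}")
    print("staging dirs:", sorted(staging_directories(REPORT_PROCESSES)))
```

On a live host the same logic runs over Sysmon process-creation events (Image field) instead of a sandbox report; rundll32.exe is not flagged because it only ever ran from system32, which is the intended behaviour of the check.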

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           g.bing.com                     udp
US       204.79.197.200:443   g.bing.com                     tcp
US       8.8.8.8:53           82.177.190.20.in-addr.arpa     udp
US       8.8.8.8:53           180.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           2.136.104.51.in-addr.arpa      udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa     udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53           59.128.231.4.in-addr.arpa      udp
US       20.231.121.79:80     (none)                         tcp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53           208.194.73.20.in-addr.arpa     udp
US       8.8.8.8:53           158.240.127.40.in-addr.arpa    udp
US       8.8.8.8:53           198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53           18.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53           43.58.199.20.in-addr.arpa      udp
US       8.8.8.8:53           55.36.223.20.in-addr.arpa      udp
US       8.8.8.8:53           tse1.mm.bing.net               udp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp

Every row is either a DNS query to 8.8.8.8, a TLS connection to 204.79.197.200 for a Bing hostname (g.bing.com, tse1.mm.bing.net), or a PTR (reverse) lookup for a public address, which is consistent with the background activity of a Windows 10 image; nothing here is attributable to the sample. The one row without a domain, 20.231.121.79:80, is left unattributed by the report. Neither run recorded Dridex C2 traffic, and the absence of traffic in a 130 s capture is not evidence that the sample has no C2.
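A triage pass over the rows above (an added example, not code from this report or its sandbox). It splits each row as the report prints it, buckets PTR queries and decodes each PTR name back to the address it asks about, separates traffic to Bing hostnames that a clean Windows 10 image generates on its own, and leaves everything else for review. The rows are copied from this report; the BACKGROUND_SUFFIXES allowlist is my assumption, and "review" means unattributed, not malicious.

```python
from collections import defaultdict

# Network rows copied from the behavioral2 table above, in the report's own
# "Country Destination Domain Proto" layout; the row with no domain has only
# three fields.
REPORT_NETWORK = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Assumption for this example: hostname suffixes a clean Windows 10 sandbox
# image contacts by itself. Extend per image; not part of the report.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def parse_row(line):
    """Split one report row into a dict; domain is None when the row has no domain field."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_to_ip(name):
    """Turn a PTR query name (octets reversed, under .in-addr.arpa) back into
    the IPv4 address being resolved, so the list can be checked against C2 IOCs."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4:
        raise ValueError(name)
    return ".".join(reversed(octets))


def triage(rows_text):
    """Bucket rows into 'reverse_dns', 'background' and 'review'. Returns {bucket: [row, ...]}."""
    buckets = defaultdict(list)
    for line in rows_text.splitlines():
        if not line.strip():
            continue
        row = parse_row(line)
        domain = row["domain"]
        if domain and domain.endswith(".in-addr.arpa"):
            row["queried_ip"] = ptr_to_ip(domain)
            buckets["reverse_dns"].append(row)
        elif domain and domain.endswith(BACKGROUND_SUFFIXES):
            buckets["background"].append(row)
        else:
            buckets["review"].append(row)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, rows in triage(REPORT_NETWORK).items():
        print(f"{bucket}: {len(rows)} rows")
        for r in rows:
            print("   ", r.get("queried_ip") or r["domain"] or r["ip"], r["proto"], r["port"])
```

The decoded PTR addresses (for example 20.190.177.82 from the first lookup) are what you would match against a threat-intelligence feed; the raw in-addr.arpa names never match anything.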

Files (memory dumps only; no dropped files are listed for this run)

memory/4408-1-0x0000000140000000-0x0000000140245000-memory.dmp

memory/4408-0-0x0000029569010000-0x0000029569017000-memory.dmp

memory/3428-4-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/3428-11-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-16-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-20-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-24-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-28-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-32-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-35-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-38-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-42-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-45-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-47-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-46-0x0000000002F80000-0x0000000002F87000-memory.dmp

memory/3428-54-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-44-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-55-0x00007FFB039A0000-0x00007FFB039B0000-memory.dmp

memory/3428-64-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-43-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-66-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-41-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3164-76-0x0000019CA7AC0000-0x0000019CA7AC7000-memory.dmp

memory/3164-81-0x0000000140000000-0x0000000140246000-memory.dmp

memory/3164-75-0x0000000140000000-0x0000000140246000-memory.dmp

memory/4612-93-0x0000018D3E150000-0x0000018D3E157000-memory.dmp

memory/4268-112-0x000002438FE50000-0x000002438FE57000-memory.dmp

memory/3428-40-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-39-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-37-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-36-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-34-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-33-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-31-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-30-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-29-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-27-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-26-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-25-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-23-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-22-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-21-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-19-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-18-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-17-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-15-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-14-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-13-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-12-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-10-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-9-0x00007FFB01BEA000-0x00007FFB01BEB000-memory.dmp

memory/3428-8-0x0000000140000000-0x0000000140245000-memory.dmp

memory/3428-7-0x0000000140000000-0x0000000140245000-memory.dmp

memory/4408-6-0x0000000140000000-0x0000000140245000-memory.dmp
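A summariser for the two Files sections (an added example, not code from this report or its sandbox). It assumes the dump names are laid out as memory/<pid>-<snapshot>-<start>-<end>-memory.dmp, collapses repeated snapshots of one region, and reports which region sizes recur across processes. Two things in the lists above are worth pulling out this way: a region of exactly 0x7000 bytes is dumped from every process that took part in each run (behavioral1: PIDs 1476, 1360, 2480, 2784; behavioral2: 4408, 3428, 3164, 4612, 4268), at a different address each time, which is what an injected stub looks like before it has been carved and compared; and a region at the x64 default image base 0x140000000 of around 0x245000 bytes recurs in PIDs 1476 and 1360, and in 4408 and 3428. The names below are a subset copied from behavioral2; the field layout is my assumption.

```python
import re
from collections import defaultdict

# Dump names copied from the behavioral2 Files list above (a subset; the
# many repeated 0x140000000 snapshots of PID 3428 are represented by two).
DUMPS = [
    "memory/4408-1-0x0000000140000000-0x0000000140245000-memory.dmp",
    "memory/4408-0-0x0000029569010000-0x0000029569017000-memory.dmp",
    "memory/3428-4-0x0000000002DE0000-0x0000000002DE1000-memory.dmp",
    "memory/3428-11-0x0000000140000000-0x0000000140245000-memory.dmp",
    "memory/3428-16-0x0000000140000000-0x0000000140245000-memory.dmp",
    "memory/3428-46-0x0000000002F80000-0x0000000002F87000-memory.dmp",
    "memory/3428-55-0x00007FFB039A0000-0x00007FFB039B0000-memory.dmp",
    "memory/3164-76-0x0000019CA7AC0000-0x0000019CA7AC7000-memory.dmp",
    "memory/3164-81-0x0000000140000000-0x0000000140246000-memory.dmp",
    "memory/4612-93-0x0000018D3E150000-0x0000018D3E157000-memory.dmp",
    "memory/4268-112-0x000002438FE50000-0x000002438FE57000-memory.dmp",
    "memory/4408-6-0x0000000140000000-0x0000000140245000-memory.dmp",
]

# Assumed layout: memory/<pid>-<snapshot>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

DEFAULT_X64_IMAGE_BASE = 0x140000000  # linker default base for 64-bit PE files


def parse_dump(name):
    """Parse one dump name into pid, snapshot index, start, end and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    pid, snap, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "snapshot": int(snap), "start": start, "end": end, "size": end - start}


def regions_by_pid(names):
    """{pid: {(start, end): snapshot_count}}; repeated snapshots of one region collapse to a count."""
    out = defaultdict(lambda: defaultdict(int))
    for d in map(parse_dump, names):
        out[d["pid"]][(d["start"], d["end"])] += 1
    return {pid: dict(regions) for pid, regions in out.items()}


def sizes_across_pids(names):
    """{region_size: set(pids)} restricted to sizes seen in more than one process.
    Same-size regions at different addresses in every process of a run are the
    first hint of a common injected blob; carve them and diff before assuming."""
    by_size = defaultdict(set)
    for d in map(parse_dump, names):
        by_size[d["size"]].add(d["pid"])
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


def pids_with_default_image_base(names):
    """PIDs from which a region starting at the default x64 image base was dumped."""
    return {d["pid"] for d in map(parse_dump, names) if d["start"] == DEFAULT_X64_IMAGE_BASE}


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(DUMPS).items()):
        for (start, end), n in sorted(regions.items()):
            print(f"pid {pid}: {start:#x}-{end:#x} size {end - start:#x} snapshots {n}")
    for size, pids in sorted(sizes_across_pids(DUMPS).items()):
        print(f"size {size:#x} shared by pids {sorted(pids)}")
```

Run over the full behavioral1 and behavioral2 lists, the same functions give the per-PID picture the raw dump names hide: one large image-base region per loader-side process, and one 0x7000-byte region in every process, which is the candidate to extract for the "Dridex Shellcode" signature that fires above without naming an indicator.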