Malware Analysis Report

2024-11-30 21:47

Sample ID: 231231-bkzhlaccck
Target: 229e89b4541d531e884d4500cf7d294a
SHA256: 2df64c11861aed86566ab748e048c32572d56ebdde210d8cd5111aeb2a41d993
Tags: dridex, botnet, evasion, payload, trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 2df64c11861aed86566ab748e048c32572d56ebdde210d8cd5111aeb2a41d993
Threat Level: Known bad

The file 229e89b4541d531e884d4500cf7d294a was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, trojan

Signatures triggered:
  Dridex
  Dridex Shellcode
  Checks whether UAC is enabled
  Unsigned PE
  Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

No techniques are listed in this report.

Analysis: static1

Detonation Overview

Reported: 2023-12-31 01:12

Signatures

Unsigned PE
  indicators: none recorded (Description, Indicator, Process and Target all N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 01:12
Reported: 2024-01-01 18:03
Platform: win7-20231129-en
Max time kernel: 5s
Max time network: 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\229e89b4541d531e884d4500cf7d294a.dll,#1

Signatures

Dridex
  tags: botnet, dridex

Dridex Shellcode
  tags: botnet, payload
  indicators: none recorded (Description, Indicator, Process and Target all N/A)

Checks whether UAC is enabled
  tags: evasion, trojan
  Description: Key value queried
  Indicator:   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process:     C:\Windows\system32\rundll32.exe
  Target:      N/A

Suspicious behavior: EnumeratesProcesses
  Process:     C:\Windows\system32\rundll32.exe (3 hits; Description, Indicator and Target N/A)

Processes

C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\229e89b4541d531e884d4500cf7d294a.dll,#1
C:\Windows\system32\osk.exe
    command line: C:\Windows\system32\osk.exe
C:\Users\Admin\AppData\Local\nYx12Q\osk.exe
    command line: C:\Users\Admin\AppData\Local\nYx12Q\osk.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
    command line: C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\oJV\WindowsAnytimeUpgradeResults.exe
    command line: C:\Users\Admin\AppData\Local\oJV\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\TpmInit.exe
    command line: C:\Windows\system32\TpmInit.exe
C:\Users\Admin\AppData\Local\2V8uoY7\TpmInit.exe
    command line: C:\Users\Admin\AppData\Local\2V8uoY7\TpmInit.exe

Network

N/A

Files

Memory dumps, grouped by process and region (PID-index: start-end):

2896-0:                                        0x0000000000340000-0x0000000000347000
2896-1, 2896-7:                                0x0000000140000000-0x000000014037C000
1252-4, 1252-183:                              0x0000000077296000-0x0000000077297000
1252-5:                                        0x0000000002DE0000-0x0000000002DE1000
1252-8 through 1252-65 (all 58 indices):       0x0000000140000000-0x000000014037C000
1252-72:                                       0x0000000002DC0000-0x0000000002DC7000
1252-79:                                       0x00000000773A1000-0x00000000773A2000
1252-80:                                       0x0000000077500000-0x0000000077502000
952-108:                                       0x0000000000110000-0x0000000000117000
1852-132:                                      0x0000000000320000-0x0000000000327000
1536-155:                                      0x0000000000380000-0x0000000000387000

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 01:12
Reported: 2024-01-01 18:03
Platform: win10v2004-20231215-en
Max time kernel: 0s
Max time network: 137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\229e89b4541d531e884d4500cf7d294a.dll,#1

Signatures

Dridex
  tags: botnet, dridex

Dridex Shellcode
  tags: botnet, payload
  indicators: none recorded (Description, Indicator, Process and Target all N/A)

Checks whether UAC is enabled
  tags: evasion, trojan
  Description: Key value queried
  Indicator:   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Process:     C:\Windows\system32\rundll32.exe
  Target:      N/A

Suspicious behavior: EnumeratesProcesses
  Process:     C:\Windows\system32\rundll32.exe (4 hits; Description, Indicator and Target N/A)

Processes

C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\229e89b4541d531e884d4500cf7d294a.dll,#1
C:\Windows\system32\printfilterpipelinesvc.exe
    command line: C:\Windows\system32\printfilterpipelinesvc.exe
C:\Windows\system32\osk.exe
    command line: C:\Windows\system32\osk.exe
C:\Windows\system32\dialer.exe
    command line: C:\Windows\system32\dialer.exe
C:\Users\Admin\AppData\Local\PpHmzOJs\dialer.exe
    command line: C:\Users\Admin\AppData\Local\PpHmzOJs\dialer.exe
C:\Users\Admin\AppData\Local\nKOl\osk.exe
    command line: C:\Users\Admin\AppData\Local\nKOl\osk.exe
C:\Users\Admin\AppData\Local\dLCi5\printfilterpipelinesvc.exe
    command line: C:\Users\Admin\AppData\Local\dLCi5\printfilterpipelinesvc.exe
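In both runs, every system binary that appears after rundll32.exe (osk.exe, WindowsAnytimeUpgradeResults.exe and TpmInit.exe on Windows 7; printfilterpipelinesvc.exe, osk.exe and dialer.exe on Windows 10) is started twice: once from C:\Windows\system32 and once from a randomly named folder under C:\Users\Admin\AppData\Local. The report records no file writes, so it does not show how those copies were placed; the path itself is the detectable signal. The script below is an added example, not part of the sandbox report or of the sample: it replays process-creation events constructed from the two Processes lists (the image paths are the report's; the PIDs and the event order are assumptions made for illustration) and flags any image name that ran from a trusted system directory and also from somewhere else in the same run.

```python
"""Flag Windows system binaries that also execute from a user-writable directory.

Added example; it is not part of the sandbox report or of the sample. EVENTS
is constructed from the Processes sections of the behavioral1 and behavioral2
runs: the image paths are the report's, while the PIDs and the event order
are assumptions made for illustration.
"""
import ntpath
from collections import defaultdict

# Directories from which a Windows system binary is expected to run.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed process-creation events: (run, pid, image path).
EVENTS = [
    ("behavioral1", 2896, r"C:\Windows\system32\rundll32.exe"),
    ("behavioral1", 1001, r"C:\Windows\system32\osk.exe"),
    ("behavioral1", 1002, r"C:\Users\Admin\AppData\Local\nYx12Q\osk.exe"),
    ("behavioral1", 1003, r"C:\Windows\system32\WindowsAnytimeUpgradeResults.exe"),
    ("behavioral1", 1004, r"C:\Users\Admin\AppData\Local\oJV\WindowsAnytimeUpgradeResults.exe"),
    ("behavioral1", 1005, r"C:\Windows\system32\TpmInit.exe"),
    ("behavioral1", 1006, r"C:\Users\Admin\AppData\Local\2V8uoY7\TpmInit.exe"),
    ("behavioral2", 1568, r"C:\Windows\system32\rundll32.exe"),
    ("behavioral2", 2001, r"C:\Windows\system32\printfilterpipelinesvc.exe"),
    ("behavioral2", 2002, r"C:\Windows\system32\osk.exe"),
    ("behavioral2", 2003, r"C:\Windows\system32\dialer.exe"),
    ("behavioral2", 2004, r"C:\Users\Admin\AppData\Local\PpHmzOJs\dialer.exe"),
    ("behavioral2", 2005, r"C:\Users\Admin\AppData\Local\nKOl\osk.exe"),
    ("behavioral2", 2006, r"C:\Users\Admin\AppData\Local\dLCi5\printfilterpipelinesvc.exe"),
]


def split_image(path):
    """Return (directory, file name) for an NT path, both lower-cased."""
    directory, name = ntpath.split(path)
    return directory.lower(), name.lower()


def find_relocated_system_binaries(events):
    """Return {(run, image name): [untrusted paths]} for each image name that
    ran from a trusted system directory and also from somewhere else in the
    same run. A name that only ran from System32 is never reported."""
    seen = defaultdict(lambda: {"trusted": False, "rogue": []})
    for run, _pid, path in events:
        directory, name = split_image(path)
        entry = seen[(run, name)]
        if directory in TRUSTED_DIRS:
            entry["trusted"] = True
        else:
            entry["rogue"].append(path)
    return {key: e["rogue"] for key, e in seen.items()
            if e["trusted"] and e["rogue"]}


def flagged_names_by_run(events):
    """Map each run to the sorted list of image names flagged in it."""
    by_run = defaultdict(list)
    for (run, name), _paths in sorted(find_relocated_system_binaries(events).items()):
        by_run[run].append(name)
    return dict(by_run)


if __name__ == "__main__":
    for (run, name), paths in sorted(find_relocated_system_binaries(EVENTS).items()):
        print(f"{run}: {name} also ran from {', '.join(paths)}")
```

Run as is, it reports three names per run; rundll32.exe is not reported because it only ever ran from System32. The same logic applies to Sysmon event ID 1 or Windows Security event 4688 records on a live host. Because it requires the trusted-path twin to appear in the same capture, a copy that runs without its System32 original being launched would be missed; a stricter variant compares each user-profile image name against an allow-list of known System32 file names instead.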

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            20.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53            146.78.124.51.in-addr.arpa      udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53            189.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53            9.228.82.20.in-addr.arpa        udp
US       138.91.171.81:80      -                               tcp
US       8.8.8.8:53            86.23.85.13.in-addr.arpa        udp
US       8.8.8.8:53            167.109.18.2.in-addr.arpa       udp
US       8.8.8.8:53            59.128.231.4.in-addr.arpa       udp
US       8.8.8.8:53            198.187.3.20.in-addr.arpa       udp
NL       52.142.223.178:80     -                               tcp
US       8.8.8.8:53            217.135.221.88.in-addr.arpa     udp
US       8.8.8.8:53            119.110.54.20.in-addr.arpa      udp
US       2.17.5.100:80         -                               tcp
US       8.8.8.8:53            207.178.17.96.in-addr.arpa      udp
US       95.100.246.76:80      -                               tcp
US       95.100.246.76:80      -                               tcp
GB       96.17.179.68:80       -                               tcp
GB       96.17.179.68:80       -                               tcp
GB       96.17.179.68:80       -                               tcp
GB       96.17.179.68:80       -                               tcp
US       204.79.197.200:443    -                               tcp
US       8.8.8.8:53            55.179.17.96.in-addr.arpa       udp

(- = no domain recorded for the row)
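The only DNS traffic in this run is reverse (PTR) lookups, all sent to 8.8.8.8, and none of the ten TCP connections is preceded by a forward lookup of a host name; none of the addresses asked about in the PTR queries is itself a TCP peer. The report does not attribute any of these flows to the sample, and sandbox captures routinely include Windows background traffic, so the table alone does not establish command-and-control. The script below is an added example, not part of the report: it parses the table as the report prints it, decodes each in-addr.arpa name back to the address it asks about, and summarizes what the capture does and does not show. The helper names are my own.

```python
"""Parse a sandbox network table and correlate DNS queries with TCP flows.

Added example; it is not part of the report. NETWORK_TABLE is the behavioral2
Network section copied from the report; the correlation functions are my own
and are not something the sandbox performs.
"""
import ipaddress
from collections import Counter

NETWORK_TABLE = """\
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 2.17.5.100:80 tcp
US 8.8.8.8:53 207.178.17.96.in-addr.arpa udp
US 95.100.246.76:80 tcp
US 95.100.246.76:80 tcp
GB 96.17.179.68:80 tcp
GB 96.17.179.68:80 tcp
GB 96.17.179.68:80 tcp
GB 96.17.179.68:80 tcp
US 204.79.197.200:443 tcp
US 8.8.8.8:53 55.179.17.96.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Split the whitespace-separated table into dicts. TCP rows carry no
    Domain cell, so they have three fields instead of four."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_target(name):
    """Decode an IPv4 reverse-lookup name (reversed octets under in-addr.arpa)
    to the address it asks about; None for anything else."""
    if not name or not name.endswith(PTR_SUFFIX):
        return None
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def correlate(rows):
    """Summarize which hosts were reverse-looked-up, whether any forward
    lookup happened at all, and which TCP peers were contacted."""
    reverse_targets, forward_names = set(), set()
    for r in rows:
        if not r["domain"]:
            continue
        target = ptr_target(r["domain"])
        if target:
            reverse_targets.add(target)
        else:
            forward_names.add(r["domain"])
    tcp_flows = Counter((r["ip"], r["port"]) for r in rows if r["proto"] == "tcp")
    tcp_peers = sorted({ip for ip, _ in tcp_flows})
    return {
        "reverse_targets": sorted(reverse_targets),
        "forward_names": sorted(forward_names),
        "tcp_flows": dict(tcp_flows),
        "tcp_peers": tcp_peers,
        # PTR targets that are also TCP peers; in this capture there are none.
        "ptr_overlap": sorted(reverse_targets & set(tcp_peers)),
    }


if __name__ == "__main__":
    summary = correlate(parse_rows(NETWORK_TABLE))
    print("forward lookups seen:", bool(summary["forward_names"]))
    for (ip, port), n in sorted(summary["tcp_flows"].items()):
        print(f"tcp {ip}:{port} x{n}")
    print("reverse-looked-up hosts:", ", ".join(summary["reverse_targets"]))
```

The table lists queries but not answers, so the script cannot tie a name to an address; what it can establish is that every TCP peer was reached by raw address as far as this capture shows, which is the question to ask before spending time on any single destination.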

Files

Memory dumps, grouped by process and region (PID-index: start-end):

1568-0:                                                0x00000236FF270000-0x00000236FF277000
1568-1, 1568-7:                                        0x0000000140000000-0x000000014037C000
3536-4:                                                0x0000000004D00000-0x0000000004D01000
3536-6, 3536-8, 3536-10 through 3536-65 (58 dumps):    0x0000000140000000-0x000000014037C000
3536-9:                                                0x00007FFFB09AA000-0x00007FFFB09AB000
3536-71:                                               0x00000000032B0000-0x00000000032B7000
3536-79:                                               0x00007FFFB0F60000-0x00007FFFB0F70000
3504-101:                                              0x000001E9720A0000-0x000001E9720A7000
3440-118:                                              0x0000025A937E0000-0x0000025A937E7000
1112-135:                                              0x000001EBF8F00000-0x000001EBF8F07000
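Each dump name encodes the PID, a snapshot index and the region bounds. In both runs a region of 0x37C000 bytes (about 3.5 MiB) at 0x140000000, which is the default preferred image base for 64-bit executables built with Microsoft's linker, is dumped from two different processes: 2896 and then, 58 times, 1252 on Windows 7; 1568 and then 3536 on Windows 10. Every other process in the list has exactly one 0x7000-byte (28 KiB) region dumped. The report lists processes by path rather than PID, so the dumps cannot be tied to named processes from this page alone. The script below is an added example, not part of the report: it parses dump names and reports regions shared between processes and regions of a given size, using a subset of the behavioral1 Files list as its input. Treating a region that appears in two processes as the same code mapped in both is the analyst's reading, not something the sandbox asserts.

```python
"""Group sandbox memory dump names by process and region.

Added example; it is not part of the report. DUMP_NAMES is a subset of the
behavioral1 Files list copied from the report (the 58 identical 1252 dumps
at 0x140000000 are represented by their first and last index). Reading a
region that appears in two processes as the same code mapped in both is the
analyst's interpretation, not something the sandbox asserts.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMP_NAMES = [
    "memory/2896-0-0x0000000000340000-0x0000000000347000-memory.dmp",
    "memory/2896-1-0x0000000140000000-0x000000014037C000-memory.dmp",
    "memory/2896-7-0x0000000140000000-0x000000014037C000-memory.dmp",
    "memory/1252-4-0x0000000077296000-0x0000000077297000-memory.dmp",
    "memory/1252-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp",
    "memory/1252-8-0x0000000140000000-0x000000014037C000-memory.dmp",
    "memory/1252-65-0x0000000140000000-0x000000014037C000-memory.dmp",
    "memory/1252-72-0x0000000002DC0000-0x0000000002DC7000-memory.dmp",
    "memory/1252-79-0x00000000773A1000-0x00000000773A2000-memory.dmp",
    "memory/1252-80-0x0000000077500000-0x0000000077502000-memory.dmp",
    "memory/1252-183-0x0000000077296000-0x0000000077297000-memory.dmp",
    "memory/952-108-0x0000000000110000-0x0000000000117000-memory.dmp",
    "memory/1852-132-0x0000000000320000-0x0000000000327000-memory.dmp",
    "memory/1536-155-0x0000000000380000-0x0000000000387000-memory.dmp",
]


def parse_dump_name(name):
    """Split 'memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def group_by_region(names):
    """Map (start, end) -> {pid: [dump indices]} across all names."""
    groups = defaultdict(lambda: defaultdict(list))
    for d in map(parse_dump_name, names):
        groups[(d["start"], d["end"])][d["pid"]].append(d["idx"])
    return groups


def shared_regions(names):
    """Regions dumped from more than one process, as (start, end, sorted pids)."""
    return sorted((start, end, sorted(pids))
                  for (start, end), pids in group_by_region(names).items()
                  if len(pids) > 1)


def pids_with_region_size(names, size):
    """Processes that had at least one dumped region of exactly `size` bytes."""
    return sorted({d["pid"] for d in map(parse_dump_name, names) if d["size"] == size})


def fmt_region(start, end):
    return f"0x{start:X}-0x{end:X} ({end - start:#x} bytes)"


if __name__ == "__main__":
    for start, end, pids in shared_regions(DUMP_NAMES):
        print(fmt_region(start, end), "dumped from PIDs", pids)
    print("0x7000-byte regions in PIDs:", pids_with_region_size(DUMP_NAMES, 0x7000))
```

With the full behavioral2 list fed in instead, the same functions report the 0x140000000 region as shared by 1568 and 3536 and the 0x7000-byte regions in 1568, 3536, 3504, 3440 and 1112. The region that the sandbox kept re-dumping from the second process is the natural starting point for unpacking: it is the largest, it has the image base of a 64-bit executable, and it is identical in bounds to the region first seen in the initial process.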