Malware Analysis Report

2024-11-30 21:29

Sample ID 231231-fs7amaaddp
Target 296a2250a008d8375c71618e83b83856
SHA256 640feca0cfd525acbbd9ab57d743c4017d7812b9742b2e7f4fca34d7b8979fde
Tags
dridex botnet evasion payload trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

640feca0cfd525acbbd9ab57d743c4017d7812b9742b2e7f4fca34d7b8979fde

Threat Level: Known bad

The file 296a2250a008d8375c71618e83b83856 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 05:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 05:09

Reported

2024-01-02 07:12

Platform

win7-20231215-en

Max time kernel

3s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\296a2250a008d8375c71618e83b83856.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\296a2250a008d8375c71618e83b83856.dll,#1

C:\Windows\system32\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Users\Admin\AppData\Local\57BnW\dpnsvr.exe

C:\Users\Admin\AppData\Local\57BnW\dpnsvr.exe

C:\Users\Admin\AppData\Local\VRhBCApp\UI0Detect.exe

C:\Users\Admin\AppData\Local\VRhBCApp\UI0Detect.exe

C:\Windows\system32\UI0Detect.exe

C:\Windows\system32\UI0Detect.exe

C:\Users\Admin\AppData\Local\XgU6tTpAn\osk.exe

C:\Users\Admin\AppData\Local\XgU6tTpAn\osk.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

Network

N/A

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 05:09

Reported

2024-01-02 07:11

Platform

win10v2004-20231215-en

Max time kernel

0s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\296a2250a008d8375c71618e83b83856.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\296a2250a008d8375c71618e83b83856.dll,#1

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\Fu5t3rY\cmstp.exe

C:\Users\Admin\AppData\Local\Fu5t3rY\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Users\Admin\AppData\Local\eilQDto\dpapimig.exe

C:\Users\Admin\AppData\Local\eilQDto\dpapimig.exe

C:\Users\Admin\AppData\Local\SJo\msinfo32.exe

C:\Users\Admin\AppData\Local\SJo\msinfo32.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files
