Malware Analysis Report

2024-11-30 21:47

Sample ID 231231-gvmjnscbhq
Target 2b3197daa6254b8cac569fbf4178beab
SHA256 980ad5843ca1815075c76eb854d248b011c3dfeb5116b358fdb479bb11d9eadd
Tags: dridex botnet evasion payload trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

980ad5843ca1815075c76eb854d248b011c3dfeb5116b358fdb479bb11d9eadd

Threat Level: Known bad

The file 2b3197daa6254b8cac569fbf4178beab was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 06:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 06:07

Reported

2024-01-02 09:57

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3197daa6254b8cac569fbf4178beab.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3197daa6254b8cac569fbf4178beab.dll,#1

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Windows\system32\SystemSettingsRemoveDevice.exe

C:\Windows\system32\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\ZMoTWsS6\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\ZMoTWsS6\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\j0DAkw\WMPDMC.exe

C:\Users\Admin\AppData\Local\j0DAkw\WMPDMC.exe

C:\Windows\system32\WMPDMC.exe

C:\Windows\system32\WMPDMC.exe

C:\Users\Admin\AppData\Local\jl884\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\jl884\SystemSettingsRemoveDevice.exe

Network


Files

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 976d059e61c09f1e091e1f860797d3b3
SHA1 147ab92e7163e4533f59dd9a2f1da34f8fcab3be
SHA256 3fa4424373a91ac0dfdbeadc8309a9f80ea751c28f5ce84e406df43e6bc118d6
SHA512 9d547243b480d579301e863a942f0a9b154cea87b4b756ddb1b83d62161421dd383ec932ce85f5c77f51bf1e7da1931394be70cd2e6a664e9b6b4870369f8586

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\v16\XmlLite.dll

MD5 d8f21c8ad0c92ef0610adbb4267123cf
SHA1 9d6532703b1150d3c0fd02722b2527bf14f8823b
SHA256 cc9d1a690b4d17e6236312fbb5aaed2095fa137533a38535c69d1b4879f96af2
SHA512 613d9ae6ee416920ffb67302e4401b104805685887f0d9e0fabedea897d583493a7334ee23a05f18e1d6c80bf4ad23f6110f5aa54c1d9973ebc688da8a886dc0

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\Exc\DUI70.dll

MD5 35cdc991f3c0d232c12978d84cf24481
SHA1 5cab6b1567227962705b931b9bf36969fb83de82
SHA256 47e895d4c43a650f815690affb26ce6b1af0759a4ee0858af1c26e5cb1261581
SHA512 7e8664bcbef2b47d4d47461059555faabc4f2a3124eb41ab2ad13c73a4194ca76eba47148c4695b3d4f8ca33527d5aaa38122c540960697ea3ef3cd178f88955

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\vGGJLO\dwmapi.dll

MD5 dde3cb627d8f86de13e8f61bec9fd71e
SHA1 91f47e30ceb51d9987c1c3c952fb39c5fcb4a59b
SHA256 8dc5905f85590baee9d1d7a61524030ad5b04d9ee5a2f10fd03bfc835f6362d0
SHA512 8cc0d2d57e7ef8a1ada28898907d610035a293e67dee8f0531ff9350cafb3150c9533e0948a1624eb273038456f5a6705d442595663b4434d100385be0f3b221

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 06:07

Reported

2024-01-02 09:57

Platform

win7-20231129-en

Max time kernel

3s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3197daa6254b8cac569fbf4178beab.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3197daa6254b8cac569fbf4178beab.dll,#1

C:\Windows\system32\mspaint.exe

C:\Windows\system32\mspaint.exe

C:\Users\Admin\AppData\Local\ZzSJ77\mspaint.exe

C:\Users\Admin\AppData\Local\ZzSJ77\mspaint.exe

C:\Users\Admin\AppData\Local\ePKLY\sdclt.exe

C:\Users\Admin\AppData\Local\ePKLY\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\QXisop9j\FXSCOVER.exe

C:\Users\Admin\AppData\Local\QXisop9j\FXSCOVER.exe

Network

N/A

Files

\Users\Admin\AppData\Local\ZzSJ77\WINMM.dll

MD5 7bf739d7c928e837af051dc2339995a2
SHA1 91fa4684d10d2f6c752d90eca5ed3357169df600
SHA256 c8ed79584f998a5f5725a36532179f21cb5821a2ade203496057c62dc4623bc5
SHA512 54d3f75313a4cac7a058cbd3ee23b59c784fafc2f9b8b6098e9b13d6a52c1c46cb4422a251b19596595cbfb082a34b54d9cd990d9600c77250453f76ff9ef495

C:\Users\Admin\AppData\Local\ZzSJ77\WINMM.dll

MD5 1d9e64f01032e2b7a63ede4a5d20bab7
SHA1 803c1c0e5eb934766a1155192aae33d3a36f9630
SHA256 645b0973f8d37a402d5eaf3702899a665602acf62567d6de8dba6676074bd8e0
SHA512 d268085fa5ff979efa736d34fba25d29bd8296a9feb45c6b5fad6cc17b8d060bd322aef6d13411ecbede65b969412e20fa616904fe2b27883ab25e6e5e30b680

C:\Users\Admin\AppData\Local\ZzSJ77\mspaint.exe

MD5 f63e39506a258bbae7ca84c1c4b62a6a
SHA1 ff9618eac807099bbe5de3395b2db72f27b56493
SHA256 07a74bda54264fe385dbab56b5973d8cf8e2d65ed46d1f1ced18bf6261c7294f
SHA512 0f99312dfb4a606b897262227a248e39155815351919d8cb5a9015eea1c1ebd3eec60edbf7715b169b763eb6ff7d8df67e2a4ea7e890a1d37474a53cdea3be21

C:\Users\Admin\AppData\Local\ZzSJ77\mspaint.exe

MD5 b8bcd928b4e105213bbe22d96d3b05e3
SHA1 8ea3b4161a70743ed629a39888c9cf6c54ba89a2
SHA256 384a7bcc37f41a15cfa521f66e30a329edc158eca9703150bd58c3b447061e83
SHA512 6480445fbaf70e91f355724eda37f4984c375829c760382e2fd67c572c17e7611346df7c5649490669e4d33938233775d19a97d691af40d5346227403b0d52fa
