Malware Analysis Report

2024-11-30 21:30

Sample ID: 231231-jcxm2agfdr
Target: 2d7d77d1a6ec3527dc27bc5ec2061c58
SHA256: 35b6b98f2a7c939aaa8b53cef15502beb1feea0d7189fa57ce2e0fb2e0fa1fba
Tags: dridex, botnet, evasion, payload, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 35b6b98f2a7c939aaa8b53cef15502beb1feea0d7189fa57ce2e0fb2e0fa1fba
Threat Level: Known bad

The file 2d7d77d1a6ec3527dc27bc5ec2061c58 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, trojan

Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-31 07:32

Signatures

Unsigned PE
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 07:32
Reported: 2024-01-03 18:12
Platform: win7-20231215-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 07:32
Reported: 2024-01-03 18:13
Platform: win10v2004-20231215-en
Max time kernel: 0s
Max time network: 135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d7d77d1a6ec3527dc27bc5ec2061c58.dll,#1

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload)
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled (evasion, trojan)
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses
Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (4 identical rows)

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d7d77d1a6ec3527dc27bc5ec2061c58.dll,#1
C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\wermgr.exe
C:\Users\Admin\AppData\Local\Muww\wermgr.exe
C:\Users\Admin\AppData\Local\nbDoWWn\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\H1Ec\bdechangepin.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 227.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
IE 20.166.126.56:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 93.184.221.240:80 tcp
US 20.231.121.79:80 tcp

Files

C:\Users\Admin\AppData\Local\H1Ec\DUI70.dll

MD5 00cb557172d95a1a9ec90db84c1357df
SHA1 bbc7bd18235c4cd7bd9b6209f786c7e8ce609e53
SHA256 78a98e6ead98a9498fa9888649a6918e43abe58203701127fcbc110200c2ff25
SHA512 278a5f74aa8385eb36494a0d0228aab62ef8511ccbbaf29b46fb3ec643d6a693c5579199729bdbc1730ba7d751d9a10342dc5900c11cc8a77ca4ad73d95e103f

C:\Users\Admin\AppData\Local\H1Ec\bdechangepin.exe

MD5 601a28eb2d845d729ddd7330cbae6fd6
SHA1 5cf9f6f9135c903d42a7756c638333db8621e642
SHA256 4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6
SHA512 1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d

C:\Users\Admin\AppData\Local\nbDoWWn\WINSTA.dll

MD5 c75ba0f1e792ae1c78c27e7e1bba2a12
SHA1 a5cb3c71e5841689b16030245a3f121a58eedbe1
SHA256 468c8388e2b4ff0dbc064f5bd0c6be52a9da537d70c4ba3157f7f9b32330c04c
SHA512 81a55ceb7fd3b2ace08cae981753e95d5b32add977c60c062acb1b0ba3210c3aafcebbb5ef4776e255f80e6779e7a84fd61e61648ff542d8274ac113c74579e8

C:\Users\Admin\AppData\Local\nbDoWWn\RdpSaUacHelper.exe

MD5 0d5b016ac7e7b6257c069e8bb40845de
SHA1 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA256 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512 cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

C:\Users\Admin\AppData\Local\Muww\wer.dll

MD5 3497c039bb447f4ed3fe21e6f096ff15
SHA1 d258e47e0a97347e78999a6120abcf3bf35247d4
SHA256 b4b0460cc5499986d2adb7a4777b1854c4ac6d9bb3058cf3b4e86283a758974a
SHA512 6c56498be0de05576812d3a0237f2dff80785c820fda9bd6aea178e0f5116c1751269b6c3b353721743359b4d1e6a0aee3d94863a627882e6daf4d348bfc591c

C:\Users\Admin\AppData\Local\Muww\wermgr.exe

MD5 f7991343cf02ed92cb59f394e8b89f1f
SHA1 573ad9af63a6a0ab9b209ece518fd582b54cfef5
SHA256 1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc
SHA512 fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 b60f181dcba58968463eae3638c0d807
SHA1 3856936718cf284ef2104edc8e12f689e613563d
SHA256 60a6ad0026beae6bdcd92c0dd7006d1bed61483c177dcdde2550b49da45d1069
SHA512 605ccc57ad3cae36980ab4310363010f0f8fb34627ed99faf47c825e7a70632fcd382bef325e8a45c98d9ef8f1d0b429fdaff4b0aff413cece9cf0de1f82c077