Malware Analysis Report

2024-11-30 21:40

Sample ID 240105-gpl1ysfca4
Target 42edeab8523a99674ca91e8a333e600d
SHA256 c0cda8d360a4cdea7bb10b9846172f0d42de37c735f34ce5ca1ace713ad52650
Tags
dridex botnet evasion payload trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0cda8d360a4cdea7bb10b9846172f0d42de37c735f34ce5ca1ace713ad52650

Threat Level: Known bad

The file 42edeab8523a99674ca91e8a333e600d was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-05 05:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-05 05:58

Reported

2024-01-05 06:47

Platform

win10v2004-20231215-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-05 05:58

Reported

2024-01-05 06:45

Platform

win7-20231129-en

Max time kernel

3s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\42edeab8523a99674ca91e8a333e600d.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan

Description: Key value queried
Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Process: C:\Windows\system32\rundll32.exe
Target: N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\42edeab8523a99674ca91e8a333e600d.dll,#1

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\1fIRs\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\1fIRs\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\ccCrE2\shrpubw.exe

C:\Users\Admin\AppData\Local\ccCrE2\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\Q41zB\sethc.exe

C:\Users\Admin\AppData\Local\Q41zB\sethc.exe

C:\Windows\system32\sethc.exe

C:\Windows\system32\sethc.exe

Network

N/A

Files

memory/2356-0-0x0000000000120000-0x0000000000127000-memory.dmp

memory/2356-1-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-4-0x0000000077476000-0x0000000077477000-memory.dmp

memory/1348-10-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-18-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-29-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-33-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-39-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-42-0x0000000002E20000-0x0000000002E27000-memory.dmp

memory/1348-48-0x0000000077581000-0x0000000077582000-memory.dmp

memory/1348-47-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-49-0x00000000776E0000-0x00000000776E2000-memory.dmp

memory/1348-38-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-58-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-37-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-36-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-64-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-35-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-34-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-32-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-31-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-30-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-28-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-27-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-26-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-25-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-24-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-23-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-22-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-21-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-20-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-19-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-17-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-16-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-15-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-14-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-13-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-12-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-11-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-9-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/2356-8-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-7-0x0000000140000000-0x00000001401F7000-memory.dmp

memory/1348-5-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/2472-76-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/2472-81-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/2472-79-0x0000000000220000-0x0000000000227000-memory.dmp

\Users\Admin\AppData\Local\1fIRs\SYSDM.CPL

MD5 fde734a1878967dedc3b67a72347cb90
SHA1 433e3b243dc08d63e8a0c4b09253ff0a9bc4db87
SHA256 87c71d10cf137fd2e719e91edc64dcbead427cb680da61d6d5c509620b14ab47
SHA512 b5886cc905c882e98595e2e739b21e90ab954f1e9dd924accf48d461077774d7217379b78e2c9f446c8be3a9c3ae759660e20b65c7cfede8d13e93fef7e68dfe

C:\Users\Admin\AppData\Local\1fIRs\SystemPropertiesComputerName.exe

MD5 bd889683916aa93e84e1a75802918acf
SHA1 5ee66571359178613a4256a7470c2c3e6dd93cfa
SHA256 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
SHA512 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

\Users\Admin\AppData\Local\ccCrE2\ACLUI.dll

MD5 958243567ff18a5b5aefbdd5255a85e7
SHA1 281cb9a921d5cae462f230a34ade4f02daa6f5f8
SHA256 f7d7934c9ba8f5ef61242b8ffb873188393cd172a4b7b9d70498c942e500c113
SHA512 1656a6a698cf08a24a2cb5978553bcf2909f91fcf1912a79d6ce8075876cab4a7fc130513b0168ecde0f2d06f49e2a1f59c91588544da48d887d9182b504dfe4

memory/1900-98-0x0000000140000000-0x00000001401F8000-memory.dmp

memory/1900-96-0x00000000001B0000-0x00000000001B7000-memory.dmp

C:\Users\Admin\AppData\Local\ccCrE2\shrpubw.exe

MD5 29e6d0016611c8f948db5ea71372f76c
SHA1 01d007a01020370709cd6580717f9ace049647e8
SHA256 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
SHA512 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

C:\Users\Admin\AppData\Local\Q41zB\sethc.exe

MD5 3bcb70da9b5a2011e01e35ed29a3f3f3
SHA1 9daecb1ee5d7cbcf46ee154dd642fcd993723a9b
SHA256 dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5
SHA512 69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

\Users\Admin\AppData\Local\Q41zB\UxTheme.dll

MD5 4c780d3df44a1c0cad13c332b292f245
SHA1 89a4447db9f8442a4cab1bda59719d00c27b1306
SHA256 41f0d8c27456a085f187cb2f182a9ec535efaf9ec6640cef50ec25b71c7a5d30
SHA512 947c358d62a7e085615a213fb5d501e73371824e022522020b712eb8d04c6cb2e9c2af4d4ad931fbc77487487c477cd30bf8c583f97ecc8e7d04fe08d905bb58

memory/2716-120-0x00000000003A0000-0x00000000003A7000-memory.dmp

memory/1348-139-0x0000000077476000-0x0000000077477000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk

MD5 6a1642f7f1fe8d45253f00a631a355fd
SHA1 9448e5564ab25efde97e3bc530c8e3effd50815f
SHA256 972729451bc8eb95f13b82b76fd2d63693529dc57af0b67e6e117b03df96392b
SHA512 797b285b6b9a8eba7744d3a5e48464963e9f514226c6a90f9376748f01fc262fc9b64f97353091ddf3049be826d769fe892faef08e3ea079921e24d5df117686