Malware Analysis Report

2024-11-30 21:28

Sample ID 240106-megldadgeq
Target 661942dec5f555ea16390ab0b8805570.exe
SHA256 9fc724df4f2ae0f2d2b3a04540cf737782e0b77e296a03ec25418f3f36f05a6b
Tags
dridex botnet evasion payload trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9fc724df4f2ae0f2d2b3a04540cf737782e0b77e296a03ec25418f3f36f05a6b

Threat Level: Known bad

The file 661942dec5f555ea16390ab0b8805570.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan

Dridex

Dridex Shellcode

Dridex payload

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-06 10:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 10:22

Reported

2024-01-06 10:25

Platform

win7-20231215-en

Max time kernel

3s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\661942dec5f555ea16390ab0b8805570.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

Path: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\661942dec5f555ea16390ab0b8805570.dll,#1

Path: C:\Windows\system32\msconfig.exe
Command line: C:\Windows\system32\msconfig.exe

Path: C:\Users\Admin\AppData\Local\M1S\msconfig.exe
Command line: C:\Users\Admin\AppData\Local\M1S\msconfig.exe

Path: C:\Users\Admin\AppData\Local\ZMSh1J\TpmInit.exe
Command line: C:\Users\Admin\AppData\Local\ZMSh1J\TpmInit.exe

Path: C:\Windows\system32\TpmInit.exe
Command line: C:\Windows\system32\TpmInit.exe

Path: C:\Users\Admin\AppData\Local\tM5G1qq\shrpubw.exe
Command line: C:\Users\Admin\AppData\Local\tM5G1qq\shrpubw.exe

Path: C:\Windows\system32\shrpubw.exe
Command line: C:\Windows\system32\shrpubw.exe

Network

N/A

Files

memory/1960-2-0x0000000000430000-0x0000000000437000-memory.dmp

memory/1960-0-0x000007FEF6D10000-0x000007FEF6DE4000-memory.dmp

memory/1204-3-0x0000000077576000-0x0000000077577000-memory.dmp

memory/1204-17-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-26-0x0000000003B30000-0x0000000003B37000-memory.dmp

memory/1204-29-0x0000000077810000-0x0000000077812000-memory.dmp

memory/1204-39-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-38-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-28-0x00000000777E0000-0x00000000777E2000-memory.dmp

memory/1204-27-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-19-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-18-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-16-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-15-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-14-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-13-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-12-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-11-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-10-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-9-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-8-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-7-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-6-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1204-4-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

memory/1960-43-0x000007FEF6D10000-0x000007FEF6DE4000-memory.dmp

memory/2960-59-0x000007FEF6DF0000-0x000007FEF6ECB000-memory.dmp

memory/2960-57-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2960-55-0x000007FEF6DF0000-0x000007FEF6ECB000-memory.dmp

memory/1204-102-0x0000000077576000-0x0000000077577000-memory.dmp

memory/2900-171-0x0000000000280000-0x0000000000287000-memory.dmp

memory/2900-173-0x000007FEF6760000-0x000007FEF6835000-memory.dmp

memory/2900-169-0x000007FEF6760000-0x000007FEF6835000-memory.dmp

\Users\Admin\AppData\Local\tM5G1qq\srvcli.dll

MD5 15e64f4d02b58fcfbdd521882f43517e
SHA1 7ebec2ce9978f54bc8e649698cfcbfe1ee6d79a2
SHA256 20c9af64d803ed4e44a680f22de1f8f429eedcf7ae9ec86acbe59c7dd6e821c0
SHA512 aa730f2b64897739fb529bb633cd82940890de0cf4d33de6e9c2ace409f3f8359d6b5806eb08e4b2d06ea8046c0d0b9a9c04c9d5411ef9878716af1adf6c0d26

memory/2108-284-0x0000000001AD0000-0x0000000001AD7000-memory.dmp

memory/2108-286-0x000007FEF6190000-0x000007FEF6265000-memory.dmp

memory/2108-282-0x000007FEF6190000-0x000007FEF6265000-memory.dmp

C:\Users\Admin\AppData\Local\tM5G1qq\shrpubw.exe

MD5 29e6d0016611c8f948db5ea71372f76c
SHA1 01d007a01020370709cd6580717f9ace049647e8
SHA256 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
SHA512 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 10:22

Reported

2024-01-06 10:25

Platform

win10v2004-20231222-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 227.143.123.92.in-addr.arpa udp

Files

N/A