Malware Analysis Report

2024-11-30 21:29

Sample ID: 240107-ycsreadfe2
Target: 498fb42905d2efd2723173ab782824c2.exe
SHA256: 788c8c4c4140e9468f1ee6afb20321a2ce295d495c360f52984467b2b2d827c6
Tags: dridex, botnet, evasion, payload, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 788c8c4c4140e9468f1ee6afb20321a2ce295d495c360f52984467b2b2d827c6

Threat Level: Known bad

The file 498fb42905d2efd2723173ab782824c2.exe was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, trojan

Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 19:38

Signatures

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-07 19:38
Reported: 2024-01-07 19:41
Platform: win7-20231215-en
Max time kernel: 3s
Max time network: 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\498fb42905d2efd2723173ab782824c2.dll,#1

Signatures

Dridex
Tags: botnet, dridex

Dridex Shellcode
Tags: botnet, payload

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Checks whether UAC is enabled
Tags: evasion, trojan

Description        Indicator                                                                             Process                           Target
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  C:\Windows\system32\rundll32.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description   Indicator   Process                           Target
N/A           N/A         C:\Windows\system32\rundll32.exe  N/A
N/A           N/A         C:\Windows\system32\rundll32.exe  N/A
N/A           N/A         C:\Windows\system32\rundll32.exe  N/A

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\498fb42905d2efd2723173ab782824c2.dll,#1

C:\Windows\system32\WFS.exe
    C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\pf47\WFS.exe
    C:\Users\Admin\AppData\Local\pf47\WFS.exe

C:\Windows\system32\eudcedit.exe
    C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\Dyy\eudcedit.exe
    C:\Users\Admin\AppData\Local\Dyy\eudcedit.exe

C:\Users\Admin\AppData\Local\fdKY32bvI\Dxpserver.exe
    C:\Users\Admin\AppData\Local\fdKY32bvI\Dxpserver.exe

C:\Windows\system32\Dxpserver.exe
    C:\Windows\system32\Dxpserver.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\pf47\MFC42u.dll

MD5 5054d2bbffbe43dfbb15d7011b99b20c
SHA1 10deeca8cb605f79bef3c161cda43fc08d5dcbd7
SHA256 0f8d0b529e1b5a5c20aec079a640a790640a2a4f4ffaae25aea670bfdf345780
SHA512 567bd0b61d7fc7cd286d34eebe6123077e540ce9cc2be4bdbf7221ebb104d99c4ba813cc05523fe2b3adfe2b6af92fcd34464283c5a2439bcff88d627a7e0571

\Users\Admin\AppData\Local\pf47\WFS.exe

MD5 a943d670747778c7597987a4b5b9a679
SHA1 c48b760ff9762205386563b93e8884352645ef40
SHA256 1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610
SHA512 3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

\Users\Admin\AppData\Local\fdKY32bvI\dwmapi.dll

MD5 638a1a5f6ceae56e71dcde230c4b6a23
SHA1 87af92e94a3ec0ef39b6c5531c9ecda9d98999aa
SHA256 f955546ed55cf4cad1a9dc46bcc4ff342dcb70150cfb290de8d34d4176561ebd
SHA512 cff1587008f5d1048808970501ca397b72be39c1ce889133fa7a10d827e72ba230d317a4a78fb687682bb4942c2202d775ff3a5658edc40d073b99249faa932c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-07 19:38
Reported: 2024-01-07 19:42
Platform: win10v2004-20231215-en
Max time kernel: 0s
Max time network: 144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\498fb42905d2efd2723173ab782824c2.dll,#1

Signatures

Dridex
Tags: botnet, dridex

Dridex Shellcode
Tags: botnet, payload

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Checks whether UAC is enabled
Tags: evasion, trojan

Description        Indicator                                                                             Process                           Target
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  C:\Windows\system32\rundll32.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description   Indicator   Process                           Target
N/A           N/A         C:\Windows\system32\rundll32.exe  N/A
N/A           N/A         C:\Windows\system32\rundll32.exe  N/A
N/A           N/A         C:\Windows\system32\rundll32.exe  N/A
N/A           N/A         C:\Windows\system32\rundll32.exe  N/A
N/A           N/A         C:\Windows\system32\rundll32.exe  N/A

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\498fb42905d2efd2723173ab782824c2.dll,#1

C:\Windows\system32\DevicePairingWizard.exe
    C:\Windows\system32\DevicePairingWizard.exe

C:\Windows\system32\MoUsoCoreWorker.exe
    C:\Windows\system32\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\e3jRbu\cmstp.exe
    C:\Users\Admin\AppData\Local\e3jRbu\cmstp.exe

C:\Windows\system32\cmstp.exe
    C:\Windows\system32\cmstp.exe

C:\Users\Admin\AppData\Local\DlX1E5sm9\MoUsoCoreWorker.exe
    C:\Users\Admin\AppData\Local\DlX1E5sm9\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\lELrzgPm1\DevicePairingWizard.exe
    C:\Users\Admin\AppData\Local\lELrzgPm1\DevicePairingWizard.exe

Network

Country  Destination         Domain                        Proto
US       20.231.121.79:80    -                             tcp
US       8.8.8.8:53          158.240.127.40.in-addr.arpa   udp
US       8.8.8.8:53          1.181.190.20.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa     udp
US       8.8.8.8:53          167.109.18.2.in-addr.arpa     udp
US       8.8.8.8:53          88.156.103.20.in-addr.arpa    udp
US       8.8.8.8:53          86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa      udp
US       8.8.8.8:53          140.71.91.104.in-addr.arpa    udp
US       8.8.8.8:53          56.179.17.96.in-addr.arpa     udp
US       8.8.8.8:53          64.179.17.96.in-addr.arpa     udp
US       8.8.8.8:53          22.236.111.52.in-addr.arpa    udp
US       8.8.8.8:53          43.58.199.20.in-addr.arpa     udp
US       8.8.8.8:53          tse1.mm.bing.net              udp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp
US       204.79.197.200:443  tse1.mm.bing.net              tcp

Files
