Malware Analysis Report

2024-11-30 21:27

Sample ID 240108-aqhatshaek
Target 4a2c8efbeaed542cdb2879dac9c2e8bf
SHA256 c0c69e522ae5c3b3b0dabd843731da4aa1b15dfc5303b0f6befab26d069b0b8b
Tags
dridex botnet evasion payload trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c0c69e522ae5c3b3b0dabd843731da4aa1b15dfc5303b0f6befab26d069b0b8b

Threat Level: Known bad

The file 4a2c8efbeaed542cdb2879dac9c2e8bf was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload trojan

Signatures triggered across the static and behavioral analyses:

Dridex

Dridex Shellcode

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

What the detonations show, in brief: the unsigned DLL is loaded by rundll32.exe through its first export (,#1) from the user's Temp directory, queries the EnableLUA policy value, enumerates processes, and then writes copies of legitimate Windows executables (sethc.exe, ApplicationFrameHost.exe and AgentService.exe) into randomly named directories under %LOCALAPPDATA%, each beside a DLL carrying the name of a system DLL (WTSAPI32.dll, dxgi.dll, ACTIVEDS.dll), and launches the copies from there. That layout is consistent with DLL search-order hijacking (side-loading) of the copied binaries. In the Windows 10 run a shortcut, Wdush.lnk, is written to the user's Startup folder, which gives persistence across logons. The Windows 7 run shows the same process pattern with WFS.exe, Dxpserver.exe and fvenotify.exe, but recorded no dropped files and no network activity. Neither run captured traffic that can be attributed to the sample.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-08 00:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-08 00:24

Reported

2024-01-08 00:27

Platform

win10v2004-20231222-en

Max time kernel

0s

Max time network

107s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a2c8efbeaed542cdb2879dac9c2e8bf.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Checks whether UAC is enabled

evasion trojan

Description        Indicator                                                                                Process                           Target
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  C:\Windows\system32\rundll32.exe  N/A

Reading EnableLUA only tells the loader whether UAC is enforced (a value of 0 disables it). The event is reconnaissance, not a bypass; no UAC-bypass signature fired in this run.

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Processes

Each entry pairs an image path with the command line it was started with; parent/child relationships are not recorded in this export. For each abused binary both the original under C:\Windows\system32 and the copy under %LOCALAPPDATA%\<random>\ were executed. Only the copies sit beside the dropped DLLs listed under Files.

Image                                                        Command line
C:\Windows\system32\rundll32.exe                             rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a2c8efbeaed542cdb2879dac9c2e8bf.dll,#1
C:\Windows\system32\sethc.exe                                C:\Windows\system32\sethc.exe
C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe              C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe
C:\Windows\system32\ApplicationFrameHost.exe                 C:\Windows\system32\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\Gi1mx\ApplicationFrameHost.exe  C:\Users\Admin\AppData\Local\Gi1mx\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\KdrIReL\AgentService.exe        C:\Users\Admin\AppData\Local\KdrIReL\AgentService.exe
C:\Windows\system32\AgentService.exe                         C:\Windows\system32\AgentService.exe

Network

Nothing in this capture is clearly attributable to the sample. The Bing hosts (g.bing.com and tse1.mm.bing.net on 204.79.197.200) and the PTR lookups sent to 8.8.8.8 are consistent with Windows 10 background activity on the analysis VM, and should not be used as indicators for this sample without corroboration from another run or from static analysis.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

Memory dumps are named memory/<pid>-<sequence>-<start>-<end>-memory.dmp, where the sequence number runs across the whole detonation rather than per process. Where the same dropped-file path appears twice with different hashes (for example SDbszdPs\sethc.exe, Gi1mx\dxgi.dll), the file's content changed during the run: it was written or modified more than once.

memory/3176-1-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3176-0-0x0000024D882C0000-0x0000024D882C7000-memory.dmp

memory/3176-8-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-12-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-19-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-26-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-27-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-33-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-40-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-46-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-45-0x0000000000F00000-0x0000000000F07000-memory.dmp

memory/3400-54-0x00007FF84BB20000-0x00007FF84BB30000-memory.dmp

memory/3400-65-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/4172-74-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/4172-80-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/4172-76-0x0000014004940000-0x0000014004947000-memory.dmp

C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe

MD5 78ead097d7e2372f37d7eab1ce1ec2cb
SHA1 4a3574ff2921ef4d9659a40b7cfd68e45e511b6d
SHA256 6ae41afe3335aa89e6d8798181013e53d7982fd79a139ca98b2dd54b8637cafa
SHA512 660ae451e8760855da9729f732729643be4278db0a5e49d4c2a18283dde11208ce511bb569f36a1484c26b7a97ecba433fb59a5da935b7cf09a6bde5825c8f9f

C:\Users\Admin\AppData\Local\KdrIReL\ACTIVEDS.dll

MD5 c6d8d720a628becc87fdeb559979e6fc
SHA1 38669547086fc8a1bbcffd4495d29bcd4bdf46f8
SHA256 f29750a847a9d62dc17ec2106249cc6219fd7db623138117f2196f7b13704d1f
SHA512 05dd0dab30ff35d233c1f71eaeed8091744f0da0004a1760a141bec3d36eb00c7c17095022146fc6d8d60f60556dc8fbbe0d2c26b94c28eb5d008918ff72fd65

memory/2988-97-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/2988-94-0x000002B3576D0000-0x000002B3576D7000-memory.dmp

C:\Users\Admin\AppData\Local\Gi1mx\dxgi.dll

MD5 12e2b5efc4b89f1fcb619f49043d3e59
SHA1 debc9e5830722e866a67d5f9e9799335741fac6b
SHA256 8f7d802d0d80468b177bb49c8090d60c2bab71479685e79f0e897ed25a25451c
SHA512 d1616dec3cc4309fbb555f555cc8ab2dc98d00525a35c349d0390ca9d6431f321f9ee358dec59eed87fc5ed524a99f109479065a88f45858db2f8531354f5791

memory/2092-110-0x0000017E5DE10000-0x0000017E5DE17000-memory.dmp

C:\Users\Admin\AppData\Local\Gi1mx\dxgi.dll

MD5 a30cc88d4f7bf9a815b16f093cb78a24
SHA1 6ddcbaf51221d979e9e36b33e356c95c8c4130d3
SHA256 5c80f91c27adae0cb8d830087962dd5555a94c6055823a36babe6eaec18ffcd6
SHA512 ed203dfdc589b7967ab88f262f87152590ac38eea960c49304383aee7a4289183d801bdbb68c41793a6a1297d50c29b8cb224379960537f345227c8c93892153

C:\Users\Admin\AppData\Local\Gi1mx\ApplicationFrameHost.exe

MD5 824ca31aaaf8caeda4dca4c8aa7b5f65
SHA1 16f918d4ed08cde72e361cf900c515edb088e71a
SHA256 6ec72eaf0b677c624b2ec22c793e91bc50fccfea5c5bd9c1cdcd0bdb1c39df59
SHA512 acf7bb5a7da2ffc6136e043ac3b07d236ce88171532c64041f88334b29f4d12c5b7252bc40dc3847b7fe52a3e9b481821559d7de4321d0a8c76b2af3d53324f1

C:\Users\Admin\AppData\Local\Gi1mx\ApplicationFrameHost.exe

MD5 ac531772c11c84c462f10c08c618e7c8
SHA1 adcdfa07656b1704923c409968b058a6a2760bc6
SHA256 f76ab0d8af75d7d19af4b69496c76cdad7695484be9dab438cf4d3d1b6debff6
SHA512 68d6f9866c800313a5b424b8562fefadff6d0722ebe347be55e13d576127458c7a794a6fff4e43652389882c7a28f4f7a16484dc1c122f5466bc35e711b784ee

C:\Users\Admin\AppData\Local\KdrIReL\AgentService.exe

MD5 4ffd66b1fcbf5ea55be435018bf4ad93
SHA1 65b54fc924f1a6a46177b05a616f6ea2f3d9b61a
SHA256 71f702c8449066cb48cda69be03acbd82bf76a1c345e4649de094f0c3bbb81cf
SHA512 3ba42b6e52f939e7f534e770157b5fdfa87e28cea272215e4d54b7d91c96e04c408cf4219c254287f368cab24978e5aebc465b5817d1e06db3714b0445e4f08b

C:\Users\Admin\AppData\Local\KdrIReL\ACTIVEDS.dll

MD5 3f004b0b2109f53f949ebe0322d6fc09
SHA1 31406670bdbf1d892e5b14ba602a3950088aeaba
SHA256 621a8f5c2aa71fd3379206ae2acae210eafee0bca40823767b99a2f25e91f259
SHA512 6b6ef94ce7f7a86315a8aecb9b9ca7161560d9ae9a47e4a0b04a93c07ef1d87f449a960ae2c19fce724e37b122a20175266bb16198cca96b6c9299d2c1e98dbd

C:\Users\Admin\AppData\Local\KdrIReL\AgentService.exe

MD5 29628deaf22a8c08feafca16a9eb254b
SHA1 2f96e08857996f7a716fc9263afb217306b6d703
SHA256 7db856bcebb67fe01ba379696418396aa1a7a4d45bd2bef2016b5da580ba73d9
SHA512 b6043f82048b5d98417485fc20a15fbefbe4d9bda4240d5456c2c64f9b5397d1db6a354c80f44363bd7e68e426761a8bef14155e57d3f4f1cb236394fcc58c64

C:\Users\Admin\AppData\Local\SDbszdPs\WTSAPI32.dll

MD5 3b862f8d9520d232f39a97ef56c93da7
SHA1 5dbad9d55abfa860a54be80bd83971c01a3ea641
SHA256 54c310e80bf6e8cc00adf45ebf4eae0771bdad168dfce999ce5e0e44391099f1
SHA512 f49300ad276adc399b93610546f7354f1fdd34a168e108bdefae938e6482763eae2b9aeb17e66a584b68aee85b6d4eb8d2bb531b3c2ef9aebfb61a2b63a0be9c

C:\Users\Admin\AppData\Local\SDbszdPs\WTSAPI32.dll

MD5 09261b9aa93f909a750300c363504127
SHA1 81fb027a90dbfb9629e0460d693cf4879bfb3316
SHA256 525c238fa753f6f6d5ee3dec3c018a70b7db5d3cfd6bed0226151d86d714dd9a
SHA512 db1c66f0f17c940224036e28e67d875de419eb500c18af564067b7011d3f409ad40f4e4cbb2a29a26f81fa4841995527530b92fe02371fdb8fcb9c5e49cbe1b4

C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe

MD5 a3ff60714f82794f5fbec1f4f5e08f96
SHA1 3a6122b571bf930124ddfb8f51ace840d02544bb
SHA256 62f3ed692bf329fca4f991d6bc2266349d6da1a256ddd7bf8aae27e7e83113a6
SHA512 926f1d3180c841ddfaf6c5e9d61a88c9280305a6deb8fdfe1239dcea87be24991002776a8a936bd014a98c6b1ff875374081742221881aeecdbb49d9e384f99a

memory/3400-63-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-53-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-44-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-43-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-42-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-41-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-39-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-38-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-37-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-36-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-35-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-34-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-32-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-31-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-30-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-29-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-28-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-25-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-24-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-23-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-22-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-21-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-20-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-18-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-17-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-16-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-15-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-14-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-13-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-11-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-10-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-9-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-7-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/3400-5-0x00007FF84B5CA000-0x00007FF84B5CB000-memory.dmp

memory/3400-4-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 a65ff9bac6d1be6b5ab6bae2f2633907
SHA1 4336d1d0e6806677d5d0b48b6b0ebb815659b572
SHA256 410dff3933fd0e19e5a6b222594593745769f918300cc46c8c75ea5b8079867e
SHA512 cce16d10044b17353ae94713061426f9ca1035d8a56606301d149ac748be21deec7c26230f4dcddf6bdfa0f5161881df3a1b60d3cf3d45f85b321166e04a2850

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\ozRQ\WTSAPI32.dll

MD5 082a78b8b1c7a6f3eb7bb4f1cf201420
SHA1 d0603fb8b174caf922a4863067251eb9fc2179fa
SHA256 b64512ffdb86f55e615862f112858d101a8b86732588790c523becaae9dea1d9
SHA512 28f8c0675809177648bfdeabd8969400ed9393527474fa852eb8c624b7829d6bab2d631d2f53121543c801262fda4ce6b555903bb1f5c9982d8b4f10890ed4d7

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\XG\ACTIVEDS.dll

MD5 baf8dec14e428af5bb4b3e981360fa12
SHA1 3045a170bb0b4a7a1a098282dbfd945e61cab41b
SHA256 c32740e53b0e0cf6fa13420d3fac91f5191fbd07312da32c2a550ebfe03d841b
SHA512 94d2548831347a7ebcd2a6ec2221ba93e9c85421bb0225e1ece8163ccfe911e0a2e90418d4e901c65508e0f44b72e7e5df71616beab3562d52686582563935a7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\KCbIPvU8Tp\dxgi.dll

MD5 bcea5f740e42b0d488e3f8577dbbba33
SHA1 6724684c43fdf0d13bfff9ad47c9456ae03c025d
SHA256 ea8ee7467eeaa13ca0aa1645a34a59fb56b8402970cec62d30c499a789aa908a
SHA512 e5f97960ccad41585ef4af14b32e31d0f1ac02ef58a5d5af6a5d57b717ac9887a39519456daf90f772b4e825929fc549304a91498d42d1a2fc65226e454aaaa6
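The process, registry and file listings above share one pattern: rundll32.exe loads the sample by ordinal export from the user's Temp directory, queries EnableLUA, and a copy of a Windows system executable is written to a randomly named directory under %LOCALAPPDATA% beside a DLL bearing a system DLL name, after which the copy runs and a shortcut lands in the Startup folder. The following Python is an added example, not sandbox output, that turns those observations into detection rules and runs them over a handful of constructed process-create, file-create and registry-query events modelled on this run (the PIDs and the field names `event`, `pid`, `image`, `cmdline`, `target` are the example's own, not any EDR's schema). It also includes two benign controls that must not fire, and it handles the 8.3 short-name form of the Startup path exactly as it appears in this report.

```python
"""Detection rules for the loader behaviour recorded in this report (added example,
not sandbox output). Event dicts and PIDs are constructed; the field names
(event, pid, image, cmdline, target) are this example's own, not an EDR schema."""
import re
from pathlib import PureWindowsPath

# Directories holding trusted copies of Windows binaries.
SYSTEM_DIRS = {"c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}
# Executable and DLL names abused in this report. In production, build these
# sets from a golden-image inventory instead of hard-coding them.
SYSTEM_EXES = {"sethc.exe", "applicationframehost.exe", "agentservice.exe",
               "wfs.exe", "dxpserver.exe", "fvenotify.exe"}
SYSTEM_DLLS = {"wtsapi32.dll", "dxgi.dll", "activeds.dll"}
# Path fragments that mark user-writable locations.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "c:\\programdata\\")
# rundll32 <dll>,#<ordinal> with a quoted or unquoted DLL path.
RUNDLL_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?\s+(?P<dll>"[^"]+\.dll"|\S+\.dll)\s*,\s*#(?P<ordinal>\d+)', re.I)


def _norm(path):
    return path.strip('"').lower()


def _dir(path):
    """Parent directory, lower-cased, with a trailing backslash."""
    return str(PureWindowsPath(_norm(path)).parent) + "\\"


def _name(path):
    return PureWindowsPath(_norm(path)).name


def in_system_dir(path):
    return _dir(path) in SYSTEM_DIRS


def user_writable(path):
    p = _norm(path)
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def is_startup_shortcut(path):
    # Match only the last two directory names. The report shows this path with 8.3
    # short names (MICROS~1, STARTM~1), so a match on "Start Menu" would miss it;
    # "Programs" and "Startup" are 8 characters or fewer and are never shortened.
    return _dir(path).endswith("\\programs\\startup\\") and _name(path).endswith(".lnk")


def detect(events):
    """Return (rule, pid, detail) tuples for a list of event dicts."""
    findings, exe_dirs, dll_dirs = [], {}, {}
    for e in events:
        kind, pid = e["event"], e.get("pid")
        if kind == "process_create":
            image, cmdline = e["image"], e.get("cmdline", "")
            m = RUNDLL_ORDINAL.search(cmdline)
            if _name(image) == "rundll32.exe" and m and user_writable(m["dll"]):
                findings.append(("rundll32_ordinal_export_from_user_path", pid, m["dll"]))
            if _name(image) in SYSTEM_EXES and not in_system_dir(image):
                findings.append(("system_exe_outside_system_dir", pid, image))
                exe_dirs.setdefault(_dir(image), set()).add(_name(image))
        elif kind == "file_create":
            target = e["target"]
            if _name(target) in SYSTEM_EXES and not in_system_dir(target):
                exe_dirs.setdefault(_dir(target), set()).add(_name(target))
            if _name(target) in SYSTEM_DLLS and not in_system_dir(target):
                dll_dirs.setdefault(_dir(target), set()).add(_name(target))
            if is_startup_shortcut(target):
                findings.append(("startup_folder_shortcut", pid, target))
        elif kind == "registry_query":
            if _norm(e["target"]).endswith("\\policies\\system\\enablelua"):
                findings.append(("uac_policy_queried", pid, e["target"]))
    # A system-named DLL alone is weak evidence (vendors ship dxgi.dll shims); the same
    # directory also holding a copied system binary is the side-loading layout seen above.
    for d in sorted(exe_dirs.keys() & dll_dirs.keys()):
        findings.append(("dll_sideload_staging", None,
                         f"{d} exe={sorted(exe_dirs[d])} dll={sorted(dll_dirs[d])}"))
    return findings


# Constructed events modelled on the Windows 10 run above (PIDs illustrative).
EVENTS = [
    {"event": "process_create", "pid": 3176, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a2c8efbeaed542cdb2879dac9c2e8bf.dll,#1"},
    {"event": "registry_query", "pid": 3176,
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"event": "file_create", "pid": 3176, "target": r"C:\Users\Admin\AppData\Local\SDbszdPs\WTSAPI32.dll"},
    {"event": "file_create", "pid": 3176, "target": r"C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe"},
    {"event": "process_create", "pid": 3400, "image": r"C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe"},
    {"event": "file_create", "pid": 3400,
     "target": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk"},
    # Controls that must not fire: the genuine System32 binary and a vendor-shipped dxgi.dll.
    {"event": "process_create", "pid": 4000, "image": r"C:\Windows\system32\sethc.exe",
     "cmdline": r"C:\Windows\system32\sethc.exe"},
    {"event": "file_create", "pid": 4100, "target": r"C:\Program Files\Vendor\dxgi.dll"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:40} pid={pid} {detail}")
```

The side-loading rule deliberately requires both halves of the layout in one user-writable directory: a lone dxgi.dll under Program Files is recorded but not reported, and the genuine sethc.exe from System32, which this report shows was also executed, does not trip the masquerading rule. The rundll32 rule keys on the ordinal form (`,#1`) together with a DLL path in a user-writable location, which is the exact shape of the command line above; named exports and DLLs under System32 fall outside it by design.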

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-08 00:24

Reported

2024-01-08 00:27

Platform

win7-20231129-en

Max time kernel

3s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a2c8efbeaed542cdb2879dac9c2e8bf.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Checks whether UAC is enabled

evasion trojan

Description        Indicator                                                                                Process                           Target
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  C:\Windows\system32\rundll32.exe  N/A

Suspicious behavior: EnumeratesProcesses

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A
N/A          N/A        C:\Windows\system32\rundll32.exe  N/A

Processes

Each entry pairs an image path with the command line it was started with; parent/child relationships are not recorded in this export. As in the Windows 10 run, both the original under C:\Windows\system32 and a copy under %LOCALAPPDATA%\<random>\ were executed for each abused binary, although no dropped files were recorded for this run.

Image                                                  Command line
C:\Windows\system32\rundll32.exe                       rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a2c8efbeaed542cdb2879dac9c2e8bf.dll,#1
C:\Windows\system32\WFS.exe                            C:\Windows\system32\WFS.exe
C:\Users\Admin\AppData\Local\EepN2W49\WFS.exe          C:\Users\Admin\AppData\Local\EepN2W49\WFS.exe
C:\Users\Admin\AppData\Local\3hUWomu\Dxpserver.exe     C:\Users\Admin\AppData\Local\3hUWomu\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe                      C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\fvenotify.exe                      C:\Windows\system32\fvenotify.exe
C:\Users\Admin\AppData\Local\On78JpNs\fvenotify.exe    C:\Users\Admin\AppData\Local\On78JpNs\fvenotify.exe

Network

N/A (no network activity was recorded in the Windows 7 run)

Files

memory/2924-1-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/2924-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1360-4-0x0000000077886000-0x0000000077887000-memory.dmp

memory/1360-12-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-25-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-39-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-52-0x00000000024D0000-0x00000000024D7000-memory.dmp

memory/1360-55-0x0000000077AF0000-0x0000000077AF2000-memory.dmp

memory/1360-54-0x0000000077991000-0x0000000077992000-memory.dmp

memory/1360-64-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-70-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-74-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-53-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-45-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/2848-84-0x0000000000100000-0x0000000000107000-memory.dmp

memory/2848-82-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1360-44-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-43-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-42-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-41-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-40-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-38-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-37-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-36-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-35-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-34-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-33-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-32-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-31-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-30-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-29-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-28-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-27-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-26-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-24-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-23-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-22-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1540-108-0x0000000000220000-0x0000000000227000-memory.dmp

memory/1360-21-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-20-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-19-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-18-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-17-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-16-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-15-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-14-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-13-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-11-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-10-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-9-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/2924-8-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-7-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/1360-5-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/1360-160-0x0000000077886000-0x0000000077887000-memory.dmp
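The Files sections of both behavioral runs list dozens of memory dumps whose names encode the process, a run-wide sequence number and the dumped address range; read as a flat list they hide the fact that the same few regions recur across every spawned process. The following Python is an added example, not part of the report, that parses those names into per-process regions, finds regions shared at the same address by several processes, and groups regions by size regardless of address. SAMPLE is a subset of the names from the Windows 10 run above plus one dropped-file path, included to show that non-dump lines are skipped; the parsing and grouping are general and work on the Windows 7 list as well.

```python
"""Collapse a sandbox's memory/<pid>-<seq>-<start>-<end>-memory.dmp names into
per-process regions (added example, not part of the report). SAMPLE holds names
taken from the Windows 10 run above plus one non-dump line; the logic is general."""
import re
from collections import defaultdict

DUMP_NAME = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
                       r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$")


def parse_dump_name(name):
    """pid, run-wide sequence number, start, end and size of one dump, or None if the
    line is not a dump name (dropped-file paths share the same listing)."""
    m = DUMP_NAME.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end,
            "size": end - start}


def regions_by_pid(names):
    """pid -> distinct (start, end) regions; repeated dumps of one region collapse to one."""
    out = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        if d:
            out[d["pid"]].add((d["start"], d["end"]))
    return dict(out)


def shared_regions(names, min_pids=2):
    """(start, end) -> sorted pids, for regions at the same address in several processes."""
    owners = defaultdict(set)
    for pid, regs in regions_by_pid(names).items():
        for r in regs:
            owners[r].add(pid)
    return {r: sorted(p) for r, p in owners.items() if len(p) >= min_pids}


def pids_by_size(names):
    """size -> sorted pids holding a region of exactly that size, at any address."""
    out = defaultdict(set)
    for pid, regs in regions_by_pid(names).items():
        for start, end in regs:
            out[end - start].add(pid)
    return {s: sorted(p) for s, p in out.items()}


def summarize(names):
    """One line per (pid, region), in address order."""
    return [f"pid {pid}: 0x{s:X}-0x{e:X} ({e - s:#x} bytes)"
            for pid, regs in sorted(regions_by_pid(names).items()) for s, e in sorted(regs)]


SAMPLE = [
    "memory/3176-1-0x0000000140000000-0x00000001401FD000-memory.dmp",
    "memory/3176-0-0x0000024D882C0000-0x0000024D882C7000-memory.dmp",
    "memory/3176-8-0x0000000140000000-0x00000001401FD000-memory.dmp",
    "memory/3400-12-0x0000000140000000-0x00000001401FD000-memory.dmp",
    "memory/3400-19-0x0000000140000000-0x00000001401FD000-memory.dmp",
    "memory/3400-45-0x0000000000F00000-0x0000000000F07000-memory.dmp",
    "memory/3400-54-0x00007FF84BB20000-0x00007FF84BB30000-memory.dmp",
    "memory/4172-74-0x0000000140000000-0x00000001401FE000-memory.dmp",
    "memory/4172-80-0x0000000140000000-0x00000001401FE000-memory.dmp",
    "memory/4172-76-0x0000014004940000-0x0000014004947000-memory.dmp",
    "memory/2988-97-0x0000000140000000-0x00000001401FE000-memory.dmp",
    "memory/2988-94-0x000002B3576D0000-0x000002B3576D7000-memory.dmp",
    r"C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe",   # dropped file, skipped
]

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
    for (s, e), pids in sorted(shared_regions(SAMPLE).items()):
        print(f"shared 0x{s:X}-0x{e:X} in pids {pids}")
    for size, pids in sorted(pids_by_size(SAMPLE).items()):
        print(f"size {size:#x} in pids {pids}")
```

On this sample the output shows a region of about 2 MB at 0x140000000 in every process (0x1FD000 bytes in PIDs 3176 and 3400, 0x1FE000 bytes in PIDs 4172 and 2988) and a 0x7000-byte region at a different address in each of the four. 0x140000000 is the linker's default image base for 64-bit Windows executables, so an identically sized image sitting there, unrelocated, in each spawned process is what one would expect if the same payload is mapped into every host; the report itself does not say what these regions contain, and the dumps would have to be examined to confirm it.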