File name:	Scan-005678207.pdf.exe
Full analysis:	https://app.any.run/tasks/78310b36-cf3f-46e5-b6b7-c4079a37cc63
Verdict:	Malicious activity
Threats:	Dridex is a very evasive and technically complex banking trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	September 19, 2019, 10:35:29
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	trojan dridex
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (console) Intel 80386, for MS Windows
MD5:	38856839FBA47E234EA86F3D8F456F0E
SHA1:	4AC1CA93ABC92E1DBCB447C1A3F4C3D8B70A24C3
SHA256:	FD27A4FD9BFE3675A89FF0CEB77F8738A7661EA4FC4644DED554A8DEB66987C2
SSDEEP:	6144:5IkjQinemPaRNf/wVNLsD7nDc5rwWElkDZG:KmS3fI5GnDoctkDZG

.dll	\|	Win32 Dynamic Link Library (generic) (43.5)
.exe	\|	Win32 Executable (generic) (29.8)
.exe	\|	Generic Win/DOS Executable (13.2)
.exe	\|	DOS Executable Generic (13.2)

Subsystem:	Windows command line
SubsystemVersion:	5.1
ImageVersion:	5
OSVersion:	5
EntryPoint:	0x3380
UninitializedDataSize:	-
InitializedDataSize:	94208
CodeSize:	12288
LinkerVersion:	15.2
PEType:	PE32
TimeStamp:	2002:09:18 01:43:10+02:00
MachineType:	Intel 386 or later, and compatibles

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date:	17-Sep-2002 23:43:10

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000C8

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	7
Time date stamp:	17-Sep-2002 23:43:10
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00002CC8	0x00003000	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	5.45366
.idata	0x00018000	0x000002AA	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	1.21655
.data	0x00012000	0x00005EEA	0x00006000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	6.30177
qeWSV	0x00019000	0x0000F8EB	0x00010000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.93372
qrQym	0x00029000	0x0000042F	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	1.06365
.reloc	0x0002A000	0x000003D8	0x00001000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	2.11198

PID	CMD	Path	Indicators	Parent process
2832	"C:\Users\admin\Desktop\Scan-005678207.pdf.exe"	C:\Users\admin\Desktop\Scan-005678207.pdf.exe		explorer.exe
User: admin Company: Citrix Systems, Inc. Integrity Level: MEDIUM Description: SSOnChecker Version: 4.12.0.18016


(PID) Process:	(2832) Scan-005678207.pdf.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2832) Scan-005678207.pdf.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2832) Scan-005678207.pdf.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2832) Scan-005678207.pdf.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2832) Scan-005678207.pdf.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000007D000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2832) Scan-005678207.pdf.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2832) Scan-005678207.pdf.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2832) Scan-005678207.pdf.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2832) Scan-005678207.pdf.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2832) Scan-005678207.pdf.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\73\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

PID	Process	Filename		Type
2832	Scan-005678207.pdf.exe	C:\Users\admin\AppData\Local\Temp\Cab132D.tmp		—
		MD5:—	SHA256:—
2832	Scan-005678207.pdf.exe	C:\Users\admin\AppData\Local\Temp\Tar132E.tmp		—
		MD5:—	SHA256:—
2832	Scan-005678207.pdf.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:93871E1433144C58CAB0DEDDD1D46925	SHA256:3193F3035A4F457D66BAB3048880AAC2EB8557027F6373E606D4621609AF1068
2832	Scan-005678207.pdf.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:F2A7A1793656BD57AF54834F00B9CD57	SHA256:EABA8C0ACA7A5F9E29D41398905A8A6A7885007EB2E40EBE99ABF39D7D64CBA4


KERNEL32.dll
OLEAUT32.dll
USER32.dll
WINSPOOL.DRV

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2832	Scan-005678207.pdf.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3cc62b98af28c14d	US	compressed	57.0 Kb	whitelisted
2832	Scan-005678207.pdf.exe	POST	403	185.14.148.34:443	https://185.14.148.34/	PL	text	9 b	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
2832	Scan-005678207.pdf.exe	70.57.239.89:3389	—	Qwest Communications Company, LLC	US	malicious
2832	Scan-005678207.pdf.exe	185.14.148.34:443	—	Terra Telekom Sp. Z O.o.	PL	malicious
2832	Scan-005678207.pdf.exe	93.184.221.240:80	ctldl.windowsupdate.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted

PID	Process	Class	Message
2832	Scan-005678207.pdf.exe	A Network Trojan was detected	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)
2832	Scan-005678207.pdf.exe	A Network Trojan was detected	ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex)

Process	Message
Scan-005678207.pdf.exe	Installing...
Scan-005678207.pdf.exe	Installing...
Scan-005678207.pdf.exe	Installing...
Scan-005678207.pdf.exe	Installing...
Scan-005678207.pdf.exe	Installing...
Scan-005678207.pdf.exe	Installing...
Scan-005678207.pdf.exe	Installing...
Scan-005678207.pdf.exe	Installing...
Scan-005678207.pdf.exe	Installing...
Scan-005678207.pdf.exe	Installing...

General Info

Scan-005678207.pdf.exe

38856839FBA47E234EA86F3D8F456F0E

4AC1CA93ABC92E1DBCB447C1A3F4C3D8B70A24C3

FD27A4FD9BFE3675A89FF0CEB77F8738A7661EA4FC4644DED554A8DEB66987C2

6144:5IkjQinemPaRNf/wVNLsD7nDc5rwWElkDZG:KmS3fI5GnDoctkDZG

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes settings of System certificates

SUSPICIOUS

Connects to unusual port

Connects to server without host name

INFO

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings