Analysis Overview
SHA256
688f0f9ec8429037d5775788166500e6dac955c36caa2eab4e6b16d88c07d370
Threat Level: Known bad
The file e3ddd19537fbfe6e4dd6fd445c3f6e3c was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-22 15:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-22 15:58
Reported
2023-12-24 05:07
Platform
win7-20231215-en
Max time kernel
3s
Max time network
119s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ddd19537fbfe6e4dd6fd445c3f6e3c.dll,#1
C:\Windows\system32\dccw.exe
C:\Users\Admin\AppData\Local\XzGD5YI\dccw.exe
C:\Windows\system32\psr.exe
C:\Users\Admin\AppData\Local\ySWKfy\psr.exe
C:\Users\Admin\AppData\Local\K58Q\TpmInit.exe
C:\Windows\system32\TpmInit.exe
C:\Users\Admin\AppData\Local\2Gl6lrSql\msra.exe
C:\Windows\system32\msra.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-22 15:58
Reported
2023-12-24 05:07
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
124s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e3ddd19537fbfe6e4dd6fd445c3f6e3c.dll,#1
C:\Windows\system32\wermgr.exe
C:\Windows\system32\mspaint.exe
C:\Users\Admin\AppData\Local\O8AcsueOC\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
C:\Users\Admin\AppData\Local\UEo\mspaint.exe
C:\Users\Admin\AppData\Local\9je6\wermgr.exe
Network
Files