Analysis Overview
SHA256
250de592c42aea8b2531d46e8e62c48005c259abee9658d1ba1fd73202e18507
Threat Level: Known bad
The file 988a665960686e93f6e271c55e56873c was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Dridex payload
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-27 00:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-27 00:18
Reported
2024-01-07 08:44
Platform
win7-20231215-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dridex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\W2S1\Magnify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\W2S1\Magnify.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\oP1R62\\Magnify.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\W2S1\Magnify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1420 wrote to memory of 2896 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 1420 wrote to memory of 2896 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 1420 wrote to memory of 2896 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 1420 wrote to memory of 2608 | N/A | N/A | C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe |
| PID 1420 wrote to memory of 2608 | N/A | N/A | C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe |
| PID 1420 wrote to memory of 2608 | N/A | N/A | C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe |
| PID 1420 wrote to memory of 1476 | N/A | N/A | C:\Windows\system32\Magnify.exe |
| PID 1420 wrote to memory of 1476 | N/A | N/A | C:\Windows\system32\Magnify.exe |
| PID 1420 wrote to memory of 1476 | N/A | N/A | C:\Windows\system32\Magnify.exe |
| PID 1420 wrote to memory of 1656 | N/A | N/A | C:\Users\Admin\AppData\Local\W2S1\Magnify.exe |
| PID 1420 wrote to memory of 1656 | N/A | N/A | C:\Users\Admin\AppData\Local\W2S1\Magnify.exe |
| PID 1420 wrote to memory of 1656 | N/A | N/A | C:\Users\Admin\AppData\Local\W2S1\Magnify.exe |
| PID 1420 wrote to memory of 2872 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe |
| PID 1420 wrote to memory of 2872 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe |
| PID 1420 wrote to memory of 2872 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe |
| PID 1420 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe |
| PID 1420 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe |
| PID 1420 wrote to memory of 2776 | N/A | N/A | C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\988a665960686e93f6e271c55e56873c.dll,#1
C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe
C:\Users\Admin\AppData\Local\9JSNPZm\psr.exe
C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
C:\Users\Admin\AppData\Local\W2S1\Magnify.exe
C:\Users\Admin\AppData\Local\W2S1\Magnify.exe
C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe
Network
Files
memory/2640-0-0x000007FEF6720000-0x000007FEF67F4000-memory.dmp
memory/2640-1-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1420-3-0x0000000077536000-0x0000000077537000-memory.dmp
memory/1420-4-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/1420-7-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-8-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-9-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-11-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-12-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-14-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-15-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-17-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-19-0x0000000002590000-0x0000000002597000-memory.dmp
memory/1420-20-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-18-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-16-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-13-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-10-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-6-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-27-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-29-0x00000000777D0000-0x00000000777D2000-memory.dmp
memory/1420-28-0x00000000777A0000-0x00000000777A2000-memory.dmp
memory/1420-38-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/1420-39-0x0000000140000000-0x00000001400D4000-memory.dmp
memory/2640-47-0x000007FEF6720000-0x000007FEF67F4000-memory.dmp
\Users\Admin\AppData\Local\9JSNPZm\psr.exe
| MD5 | a80527109d75cba125d940b007eea151 |
| SHA1 | facf32a9ede6abfaa09368bfdfcfec8554107272 |
| SHA256 | 68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495 |
| SHA512 | 77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774 |
\Users\Admin\AppData\Local\9JSNPZm\OLEACC.dll
| MD5 | a9c8ce24c1ede34b65340a6e65a8805b |
| SHA1 | 29d0cb900db2e28fd7b3a0ef315344548dfdf430 |
| SHA256 | ec40bed6364c6a441d5b0b2896555c89e098f4bf5fd6023d57cfa05ddbd7fb5b |
| SHA512 | fecf8fca4702377fd4f813beef5b2628392ee69a01e2d9531d58de6f44b1907edeaa63e93a22c33ca68c33aa08ead5d321baf82136976123dff415643336ec5c |
memory/2608-55-0x00000000000E0000-0x00000000000E7000-memory.dmp
memory/2608-56-0x000007FEF6D80000-0x000007FEF6E55000-memory.dmp
memory/2608-60-0x000007FEF6D80000-0x000007FEF6E55000-memory.dmp
\Users\Admin\AppData\Local\W2S1\Magnify.exe
| MD5 | 233b45ddf77bd45e53872881cff1839b |
| SHA1 | d4b8cafce4664bb339859a90a9dd1506f831756d |
| SHA256 | adfd109ec03cd57e44dbd5fd1c4d8c47f8f58f887f690ba3c92f744b670fd75a |
| SHA512 | 6fb5f730633bfb2d063e6bc8cf37a7624bdcde2bd1d0c92b6b9a557484e7acf5d3a2be354808cade751f7ac5c5fe936e765f6494ef54b4fdb2725179f0d0fe39 |
C:\Users\Admin\AppData\Local\W2S1\DUI70.dll
| MD5 | 6ffcabb661851536ad9a796c4329afd9 |
| SHA1 | b496c6e7772d36354502043d8933287936e7f4cb |
| SHA256 | 7f07bc4008e7c1e996999ebcf63734b054c00f6a1199e7b39ae15957d3249410 |
| SHA512 | 66dc7114be8edd52dff4803847ca73a739b1605cc10af3e6a65fd54446202784189a18e1a34d6a570ba4e89d534affd02555b934c119133ff6ab3dc63746eccd |
memory/1656-73-0x000007FEF66F0000-0x000007FEF67F8000-memory.dmp
memory/1420-72-0x0000000077536000-0x0000000077537000-memory.dmp
memory/1656-76-0x000007FEF66F0000-0x000007FEF67F8000-memory.dmp
\Users\Admin\AppData\Local\8qNqH\EhStorAuthn.exe
| MD5 | 3abe95d92c80dc79707d8e168d79a994 |
| SHA1 | 64b10c17f602d3f21c84954541e7092bc55bb5ab |
| SHA256 | 2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad |
| SHA512 | 70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c |
C:\Users\Admin\AppData\Local\8qNqH\UxTheme.dll
| MD5 | 4429a3f1f2f991b1bd83cbda8762ef85 |
| SHA1 | ce17840032e17dc141ddafaf8cbcc713a05c8e10 |
| SHA256 | b88e9291b51854d734e42f685714779f22277c43394f71f220554fac8d01975e |
| SHA512 | e564ae664e95e45d6fd66ed07e38bc44cd8a00e54e5f86245b93a36f6b1587320b365d6d5a9940880bc7f286b103a8fe978c29126edb4946272dfd66d7599213 |
memory/2776-86-0x000007FEF6720000-0x000007FEF67F5000-memory.dmp
memory/2776-88-0x0000000001B30000-0x0000000001B37000-memory.dmp
memory/2776-91-0x000007FEF6720000-0x000007FEF67F5000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
| MD5 | 00719e193c2f9c8957ae3d0e897e445f |
| SHA1 | 19a9425c7c8e91c018f6c4554b800a5ffd8c8e86 |
| SHA256 | c2ae505eb5227ebe51efd006522571317cec98a0cd9d0b5a27302d6b0d5cafb0 |
| SHA512 | aceea434e7fa3adb72009ff65f06bc760cc987fa678ddc433077447451ec4e3dcee83c0960a4c68ab1849158bcfc27e1c04a32c0459767fd545210bf2ae89c30 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-27 00:18
Reported
2024-01-07 08:44
Platform
win10v2004-20231222-en