Analysis Overview
SHA256
1903317e5981d4bcf3061801f828458c7528b78298ff2f3ea9614028e932ffdb
Threat Level: Known bad
The file ce7791145ad4da1f59e698c59df311e8 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex payload
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-28 07:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-28 07:08
Reported
2024-01-08 09:26
Platform
win7-20231129-en
Max time kernel
3s
Max time network
121s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dridex payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce7791145ad4da1f59e698c59df311e8.dll,#1
C:\Users\Admin\AppData\Local\oWVEA4Lt\dpnsvr.exe
C:\Users\Admin\AppData\Local\oWVEA4Lt\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
C:\Windows\system32\dpnsvr.exe
C:\Users\Admin\AppData\Local\AbRtiqeI2\cttune.exe
C:\Users\Admin\AppData\Local\AbRtiqeI2\cttune.exe
C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
C:\Users\Admin\AppData\Local\2do\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\2do\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
Network
Files
memory/1364-2-0x00000000001A0000-0x00000000001A7000-memory.dmp
memory/1364-0-0x000007FEF6C60000-0x000007FEF6D4A000-memory.dmp
memory/1372-3-0x0000000077AD6000-0x0000000077AD7000-memory.dmp
memory/1372-12-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-21-0x0000000002A10000-0x0000000002A17000-memory.dmp
memory/1372-24-0x0000000077D70000-0x0000000077D72000-memory.dmp
memory/1372-23-0x0000000077D40000-0x0000000077D42000-memory.dmp
memory/1372-34-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-33-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-22-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-14-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-13-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-11-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-10-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-9-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-8-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-7-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-6-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/1372-4-0x0000000002A30000-0x0000000002A31000-memory.dmp
memory/1364-39-0x000007FEF6C60000-0x000007FEF6D4A000-memory.dmp
\Users\Admin\AppData\Local\oWVEA4Lt\WINMM.dll
| MD5 | f113e62ea2e19a1f566dc104ee66e3bb |
| SHA1 | 573e44c2c1921173ceea6a064f5804794ac616e8 |
| SHA256 | a3c482e7390d29a138dc8631d71b653b0dd3d1430b8c747729ef2e45ed7798ce |
| SHA512 | 1da2fade135aac0883428a725889f8b29a0822a6f965bebae889488c63d6e86546f2a71ec16bbe77e7ae29babbaa9dfa3d2e94583b061a2219c9beb0d8af65dd |
memory/2568-51-0x000007FEF7360000-0x000007FEF744C000-memory.dmp
memory/2568-55-0x000007FEF7360000-0x000007FEF744C000-memory.dmp
C:\Users\Admin\AppData\Local\oWVEA4Lt\dpnsvr.exe
| MD5 | 6806b72978f6bd27aef57899be68b93b |
| SHA1 | 713c246d0b0b8dcc298afaed4f62aed82789951c |
| SHA256 | 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c |
| SHA512 | 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b |
memory/2568-50-0x0000000000280000-0x0000000000287000-memory.dmp
\Users\Admin\AppData\Local\AbRtiqeI2\OLEACC.dll
| MD5 | 87cc0fa03baf0b8b66168ea5e399d3fc |
| SHA1 | 41966d721e78d457bf9474df0150fcd465a361fb |
| SHA256 | 595f77c311e5bf9b88349dc209197549b787180759f3557f948bf2d19b399a59 |
| SHA512 | 35469fd841d8cb8aa95077674106a854cf1e34de36e17ab45692c47f19f3089ace1e0ee58a2e547eb70fb44dab565b599c1059ef3b23cf93ad17d84d65046695 |
memory/2888-68-0x000007FEF6C60000-0x000007FEF6D4B000-memory.dmp
memory/2888-71-0x000007FEF6C60000-0x000007FEF6D4B000-memory.dmp
memory/2888-67-0x00000000000A0000-0x00000000000A7000-memory.dmp
C:\Users\Admin\AppData\Local\AbRtiqeI2\cttune.exe
| MD5 | 7116848fd23e6195fcbbccdf83ce9af4 |
| SHA1 | 35fb16a0b68f8a84d5dfac8c110ef5972f1bee93 |
| SHA256 | 39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6 |
| SHA512 | e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894 |
memory/1372-86-0x0000000077AD6000-0x0000000077AD7000-memory.dmp
\Users\Admin\AppData\Local\2do\SYSDM.CPL
| MD5 | 0d9464528c0a50dc502ba544a33dcd59 |
| SHA1 | 4bc5c1d302a83e4bc17f285c301e1816fcda91cf |
| SHA256 | 38e54f202b958d3e4ce1997e971836d24518e290dbf21e8772e1e548266889a8 |
| SHA512 | d6dc85f5c487386d12c48d7ed7908741a56946d5d620f6fe881a1837a9311f32cce5e7a636dc15a896cbc08eb6e1ed523e33f56bf705f5f5ffedf47ea4961a7f |
memory/2004-94-0x0000000000100000-0x0000000000107000-memory.dmp
memory/2004-98-0x000007FEF6C60000-0x000007FEF6D4B000-memory.dmp
C:\Users\Admin\AppData\Local\2do\SystemPropertiesPerformance.exe
| MD5 | 870726cdcc241a92785572628b89cc07 |
| SHA1 | 63d47cc4fe9beb75862add1abca1d8ae8235710a |
| SHA256 | 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6 |
| SHA512 | 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
| MD5 | 1649c174a66c328e8d48e3a6e4a568f4 |
| SHA1 | 6a927d44667fd081ee1fd1f190e72cad9d6da7f4 |
| SHA256 | a4802e288a2ef2b3413be9dea933f30099eea0936104bdf6e06759e3acfba193 |
| SHA512 | 371ac06e60ee20444904cd10aadc6b77312dc1a3bde43407231371bd63dcfb1ff40538bf27b3ab7d5c69cdb97a122437b0cd86a99ccce3be264cc0a57904ed99 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-28 07:08
Reported
2024-01-08 09:26
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
139s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Dridex payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ce7791145ad4da1f59e698c59df311e8.dll,#1
C:\Users\Admin\AppData\Local\ApEXaxp\Utilman.exe
C:\Users\Admin\AppData\Local\ApEXaxp\Utilman.exe
C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
C:\Users\Admin\AppData\Local\3lSW\Magnify.exe
C:\Users\Admin\AppData\Local\3lSW\Magnify.exe
C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\orShz\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\orShz\SystemSettingsAdminFlows.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| GB | 104.91.71.140:80 | | tcp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.71.91.104.in-addr.arpa | udp |
Files
memory/1004-2-0x000001D444BC0000-0x000001D444BC7000-memory.dmp
memory/1004-0-0x00007FF870060000-0x00007FF87014A000-memory.dmp
memory/3496-14-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/3496-17-0x0000000006C80000-0x0000000006C87000-memory.dmp
memory/3496-24-0x00007FF87E7B0000-0x00007FF87E7C0000-memory.dmp
memory/3496-23-0x00007FF87E7C0000-0x00007FF87E7D0000-memory.dmp
memory/3496-33-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/3496-22-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/3496-13-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/3496-12-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/3496-11-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/3496-10-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/3496-9-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/3496-8-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/3496-7-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/3496-6-0x0000000140000000-0x00000001400EA000-memory.dmp
memory/3496-4-0x00007FF87C87A000-0x00007FF87C87B000-memory.dmp
memory/3496-3-0x0000000006CA0000-0x0000000006CA1000-memory.dmp
memory/1004-36-0x00007FF870060000-0x00007FF87014A000-memory.dmp
memory/2584-43-0x00007FF8602C0000-0x00007FF8603AB000-memory.dmp
memory/2584-48-0x00007FF8602C0000-0x00007FF8603AB000-memory.dmp
memory/2584-45-0x0000024547B70000-0x0000024547B77000-memory.dmp
memory/1440-63-0x00007FF860510000-0x00007FF8605FB000-memory.dmp
memory/1440-61-0x00000204521B0000-0x00000204521B7000-memory.dmp
memory/1440-59-0x00007FF860510000-0x00007FF8605FB000-memory.dmp
memory/1684-72-0x00007FF8603C0000-0x00007FF8604F0000-memory.dmp
memory/1684-77-0x00007FF8603C0000-0x00007FF8604F0000-memory.dmp
memory/1684-74-0x000001E3F0800000-0x000001E3F0807000-memory.dmp