Analysis Overview
SHA256
9f8c3763244712c98190cd47b908b20c1a3486de99e3cf4b0d9b59b02bcb5f9e
Threat Level: Known bad
The file 023797dc02047e4d9ff5a2192e29df8a was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-29 19:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-29 19:48
Reported
2023-12-29 22:15
Platform
win7-20231215-en
Max time kernel
65s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\L4QizKCcnt\\EhStorAuthn.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(61 further rows in the source carry no description, indicator, process or target)
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1204 wrote to memory of 2660 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1204 wrote to memory of 2660 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1204 wrote to memory of 2660 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1204 wrote to memory of 1924 | N/A | N/A | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe |
| PID 1204 wrote to memory of 1924 | N/A | N/A | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe |
| PID 1204 wrote to memory of 1924 | N/A | N/A | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe |
| PID 1204 wrote to memory of 2984 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe |
| PID 1204 wrote to memory of 2984 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe |
| PID 1204 wrote to memory of 2984 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe |
| PID 1204 wrote to memory of 3008 | N/A | N/A | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe |
| PID 1204 wrote to memory of 3008 | N/A | N/A | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe |
| PID 1204 wrote to memory of 3008 | N/A | N/A | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe |
| PID 1204 wrote to memory of 1252 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 1204 wrote to memory of 1252 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 1204 wrote to memory of 1252 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 1204 wrote to memory of 1308 | N/A | N/A | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe |
| PID 1204 wrote to memory of 1308 | N/A | N/A | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe |
| PID 1204 wrote to memory of 1308 | N/A | N/A | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe |
| PID 1204 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\spreview.exe |
| PID 1204 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\spreview.exe |
| PID 1204 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\spreview.exe |
| PID 1204 wrote to memory of 2952 | N/A | N/A | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe |
| PID 1204 wrote to memory of 2952 | N/A | N/A | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe |
| PID 1204 wrote to memory of 2952 | N/A | N/A | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe |
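The table above is the injection chain of this run in raw form: one writer, eight targets, three write events per target, and the targets come in pairs of a genuine System32 binary and a same-named copy staged under AppData. The following Python is an added example, not part of the sandbox output, that parses those rows as pasted from the report and reconstructs the pairing. The report never names PID 1204; rundll32.exe is the only process in the tree that is not itself a write target, so the script only labels it in a comment rather than asserting it.

```python
import re
from collections import defaultdict

# Constructed input: the "Suspicious use of WriteProcessMemory" rows from the
# behavioral1 run above, pasted verbatim (columns: Description | Indicator | Process | Target).
# PID 1204 is presumably the rundll32.exe that loaded the sample; the report does not say so.
WRITE_TABLE = r"""
| PID 1204 wrote to memory of 2660 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1204 wrote to memory of 2660 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1204 wrote to memory of 2660 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1204 wrote to memory of 1924 | N/A | N/A | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe |
| PID 1204 wrote to memory of 1924 | N/A | N/A | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe |
| PID 1204 wrote to memory of 1924 | N/A | N/A | C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe |
| PID 1204 wrote to memory of 2984 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe |
| PID 1204 wrote to memory of 2984 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe |
| PID 1204 wrote to memory of 2984 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe |
| PID 1204 wrote to memory of 3008 | N/A | N/A | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe |
| PID 1204 wrote to memory of 3008 | N/A | N/A | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe |
| PID 1204 wrote to memory of 3008 | N/A | N/A | C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe |
| PID 1204 wrote to memory of 1252 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 1204 wrote to memory of 1252 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 1204 wrote to memory of 1252 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 1204 wrote to memory of 1308 | N/A | N/A | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe |
| PID 1204 wrote to memory of 1308 | N/A | N/A | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe |
| PID 1204 wrote to memory of 1308 | N/A | N/A | C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe |
| PID 1204 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\spreview.exe |
| PID 1204 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\spreview.exe |
| PID 1204 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\spreview.exe |
| PID 1204 wrote to memory of 2952 | N/A | N/A | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe |
| PID 1204 wrote to memory of 2952 | N/A | N/A | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe |
| PID 1204 wrote to memory of 2952 | N/A | N/A | C:\Users\Admin\AppData\Local\Tqepb\spreview.exe |
"""

ROW_RE = re.compile(
    r"^\|\s*PID (\d+) wrote to memory of (\d+)\s*\|[^|]*\|[^|]*\|\s*([^|]+?)\s*\|$")


def parse_write_rows(table):
    """Yield (writer_pid, target_pid, target_path) for every matching table row."""
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3)


def location(path):
    """Coarse origin of an image path: the real System32 binary or a user-writable copy."""
    low = path.lower()
    if low.startswith("c:\\windows\\system32\\"):
        return "system32"
    if "\\appdata\\" in low:
        return "appdata"
    return "other"


def reconstruct(table):
    """Collapse repeated write events per target PID, then pair each System32
    binary with the same-named copy staged under AppData."""
    targets = {}
    for writer, tpid, path in parse_write_rows(table):
        entry = targets.setdefault(tpid, {"writer": writer, "path": path, "writes": 0})
        entry["writes"] += 1
    by_name = defaultdict(dict)
    for tpid, e in targets.items():
        name = e["path"].rsplit("\\", 1)[-1].lower()
        by_name[name][location(e["path"])] = tpid
    staged_pairs = {n: v for n, v in by_name.items()
                    if {"system32", "appdata"} <= set(v)}
    return {"targets": targets, "staged_pairs": staged_pairs}


if __name__ == "__main__":
    result = reconstruct(WRITE_TABLE)
    for name, pids in result["staged_pairs"].items():
        print(f"{name}: System32 PID {pids['system32']} -> staged copy PID {pids['appdata']}")
```

Row order in the source shows the System32 original being spawned and written to before its staged AppData copy each time, which matches the Processes list below. A pair whose "appdata" side is missing would indicate a run where staging failed or was not captured, so check `staged_pairs` against the Executes dropped EXE table rather than trusting either alone.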
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\023797dc02047e4d9ff5a2192e29df8a.dll,#1
C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe
C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe
C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe
C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe
C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
C:\Users\Admin\AppData\Local\Tqepb\spreview.exe
C:\Users\Admin\AppData\Local\Tqepb\spreview.exe
C:\Windows\system32\spreview.exe
C:\Windows\system32\spreview.exe
Network
Files
memory/1872-0-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1872-1-0x00000000000A0000-0x00000000000A7000-memory.dmp
memory/1204-4-0x00000000776C6000-0x00000000776C7000-memory.dmp
memory/1204-5-0x0000000002E30000-0x0000000002E31000-memory.dmp
memory/1204-9-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-18-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-29-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-37-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-42-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-46-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-47-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-55-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-59-0x0000000077930000-0x0000000077932000-memory.dmp
memory/1204-56-0x00000000777D1000-0x00000000777D2000-memory.dmp
memory/1204-51-0x0000000002E10000-0x0000000002E17000-memory.dmp
memory/1204-66-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-45-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-44-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-43-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-41-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-40-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-39-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-38-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-36-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-35-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-34-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-33-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-32-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-31-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-30-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-28-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-27-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-26-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-25-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-24-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-23-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-22-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-21-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-20-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-19-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-17-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-16-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-15-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-14-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-13-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-12-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-11-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-10-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1872-8-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-7-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-71-0x0000000140000000-0x0000000140248000-memory.dmp
memory/1204-72-0x0000000140000000-0x0000000140248000-memory.dmp
\Users\Admin\AppData\Local\RhTaSE\VERSION.dll
| MD5 | 81732bba72971541eeddf71e39cb206b |
| SHA1 | a84ec3c1a76f237ace52360cd93ac6048ad73682 |
| SHA256 | 496bb8d799ad1b537e92231d8a80f4cefdfe372cefcfe666602ceb7e93a47f29 |
| SHA512 | 99e33675a374e91c06f1619b125e89b420863a19b88d8fd120acf6efc86b38804400504383e296e0f745eb445cd7b300ba9e1fb1a3d628ef2b27940dc121f5ef |
memory/1924-86-0x0000000000100000-0x0000000000107000-memory.dmp
C:\Users\Admin\AppData\Local\RhTaSE\VERSION.dll
| MD5 | b749ef8af1c46da616f42a7cb1b511f0 |
| SHA1 | 62aeaca473c3249294124d8d810bcd3443b86752 |
| SHA256 | 58283fdfc30dba7ad0048cf70eee5b5434b9bc4646c62d47b2a31c5bada52f75 |
| SHA512 | 902b8fc797b8dda0e43f692acdf7b74815a467a2e861e389e35f24b5e875272e5efd9390a8ab7676b43f45b0d32b0f3095c20eb869827c3f7856c5d77349ada4 |
C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe
| MD5 | 2ef15379cad403b515eeda3024fc582d |
| SHA1 | a13a2775040ea5f007109916d4cbb5a059c2686a |
| SHA256 | cf7606deb64f568ae63eb0e31a58bd9f5b647b6f53a8c7a67bbfd3df7cf952c9 |
| SHA512 | dde73caec9ac9fd1a4e29ad3734e6acad55a1569fecb4223b70b033284a564ed0e5cf097081c957616d2c37b860406cf4503bf1d5f74f08c2ac265b9a9372172 |
\Users\Admin\AppData\Local\RhTaSE\iexpress.exe
| MD5 | ed7b3658c6fedfef6d28bc0597bbf3e4 |
| SHA1 | 21c95eafa87c806b47ec99a29c2891a93e0bec00 |
| SHA256 | b05131f4ef32c511978e3bdb54e6dbf5e5178c316f33dbb1344fc77f39dc17c6 |
| SHA512 | dab70af7b061f5cb4c33c82a3652f05522d30bf7641760f9b8170ccf05cb0f7050864ce96cb2eeac1134f88aa26d4c06303db69826d36973aa20bac22718394d |
C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe
| MD5 | 7becf6798af32e6ed52e09ddae0f3638 |
| SHA1 | 56c30c16bdf7c65d6f5548d7c8f23e16d34b863b |
| SHA256 | 9952cbb3db723c98baaad7dc191b03d79ac765250169d695771cc5b2f19ed388 |
| SHA512 | b6b2b37ad97f0d7291703c1a22673fe6884c2c4dc1988dc4a88533b10ebed53785e1d7ba6b6eb2639b9b0bbb838bf28b4cc7d1bc49282522315f2037e26b7430 |
\Users\Admin\AppData\Local\ClC5\UxTheme.dll
| MD5 | 15ee7fc73696bbe4f711d623e942e3cd |
| SHA1 | c09076a8da10e188187ad79b62a9833b01ff9e01 |
| SHA256 | 2958ffc50eae2b097c92af4ea20efbddfdde6231afc2a823de5bb7c87af92e69 |
| SHA512 | 0aab112f5c191570ce2622a7e2be83570f1f0b159d0dabf8f96a798e790158829a1bb5236107169a6a58e3201f1dbc3c4c09aa24fcd27c6a47d90286e2e166b1 |
memory/3008-106-0x0000000000090000-0x0000000000097000-memory.dmp
C:\Users\Admin\AppData\Local\ClC5\UxTheme.dll
| MD5 | 4554a7c3f834e4295314a635471c8717 |
| SHA1 | 656252a565f57e836459fe357d7f021ab0bbe3ea |
| SHA256 | 84f1a1bd3493c088560a8114ddd8594d6dad14f4dd832175b813989980be355d |
| SHA512 | 7e2318db565753efcc099ef83a992e4441e032ac3b51cc404ccd6bba00116fc8f6ec6a6b00e239c379f206df2c98e3fd810af2ee30476ecce1541fb8121725ae |
C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe
| MD5 | 3abe95d92c80dc79707d8e168d79a994 |
| SHA1 | 64b10c17f602d3f21c84954541e7092bc55bb5ab |
| SHA256 | 2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad |
| SHA512 | 70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c |
\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe
| MD5 | fdb0c8ca2dfdab29f0228c7174717ba7 |
| SHA1 | 3c9f315b9a473f88e86a7a9a2c74b0ad9a7ea495 |
| SHA256 | 80ec6b7cca8cb46bc3bdc051def1e4999c3989d668e9a553bd83ef6d91595fd5 |
| SHA512 | e644079f38f125edd9268167f6c0250264406837cfe30cf091bec9cbb96a1e11876e2aaee6ac58d528f142d629d171937d32d6e68af1b858316a48a0226d6a3c |
\Users\Admin\AppData\Local\5QUshV5ee\OLEACC.dll
| MD5 | 844361270d9275e521fdd8f56b3e0d94 |
| SHA1 | 4df7da927cf81a29d98e39e4f83f30eead59da55 |
| SHA256 | 9c10d992b7810f6ba1a59ea37c62a419442c086d5b989b60b55f714535d8124f |
| SHA512 | 641e1dd2a3efef8331c34d55f8eb83fbfc5aa335bca0f34dd35d3578dd243a6475b13854c9ad9f640f2e7ea792666439ec31d3ee34b2ea8ab639e65c28c94740 |
C:\Users\Admin\AppData\Local\5QUshV5ee\OLEACC.dll
| MD5 | 71d96c8f73d47bc7919218d2b4be28b1 |
| SHA1 | 2c1efe6e84641e96c8601d9d16f581f1cf9bf7ef |
| SHA256 | 93426c82c023d83a9f9935f3551b0690bf632a09779c0d5637e77584a3d53420 |
| SHA512 | 158f5e6447a0608855c00360303570483b4ebbf0af8b34c0d8ae091343582725b23ba89aa1d25412db28459a79402a8d24605c903e15ca9c095775405a0d8e49 |
C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe
| MD5 | 98c6f3c6536b6dbb84fd7f758fd2a663 |
| SHA1 | a2f4bd4512a3bbebabed8cf0e5192e72f6a446d8 |
| SHA256 | c0d1fa5e382b3e4d2786babd3b4d3f571cc7321a9248f3837f05b9e577d96972 |
| SHA512 | a34c7206c1cd85e5043ecd044fe3c20a71934fd5781da9e8cfca6bbc470151937072ad1bfccc679aad4823056465d54b668fd7432f116201c0b1a93269e02160 |
\Users\Admin\AppData\Local\5QUshV5ee\psr.exe
| MD5 | 96680c01171b4be738b407a3fbc24426 |
| SHA1 | 792f7b4bcfa7022515bcebfc6c5c7bef29ee6d0b |
| SHA256 | 398fd8e3d957a1b8b815bab3682b515bb9f9fa0cc8c301cb9fa3d5c944e14d11 |
| SHA512 | e95aec615ba040b77f28fd1a7d593310570d850801975d76252e436d374497d1c8256b6a3385faeac44b49da460186110839f3f4c9242b87334552d73b5a6e0e |
C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe
| MD5 | f264eff76631ef35d6e44985008935c9 |
| SHA1 | 3e6dd245779a519dd7152a946c72e85284dc9fe2 |
| SHA256 | 5e8c802882e76a071d263b90f70207a03f745d4fadf43ae7d1c0af58a4c8279e |
| SHA512 | 7ebd601ba50edee34070cf17bd6ceee4932766b3f50560a2fe10427102ac7eecea629aa7abf9de610afcf709987c678815bb762487f763e2e6daef6546ca35b6 |
C:\Users\Admin\AppData\Local\Tqepb\VERSION.dll (zero-byte at capture time: the four hashes below are those of empty input; the next entry is a later capture of the same path with content)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Tqepb\VERSION.dll
| MD5 | c209171baf84453a9c1f0a8816bd64cb |
| SHA1 | 415271f15e101de24647259b4cb491b5cc93d898 |
| SHA256 | a43c725c3feb4a7a9eff9b9b8c83043de5963a60f42f57d3966a4bb27c929a5b |
| SHA512 | f8f8bdecb0ee7d75fedd15356b65a85e92ba32354d37e54c7593fbcd5b2ac52f69000d1b25d7c8f4664b0a20e1301121582ccb17b30e667b31946eca92cb8ebd |
C:\Users\Admin\AppData\Local\Tqepb\spreview.exe
| MD5 | f918ad016b81bf932c74927a3a58d7e5 |
| SHA1 | 9fd4df14fb4cb01ff7803cd981bc0c62c689b3b3 |
| SHA256 | bd21fef1fd67d3f8c2b9c70be83161037d507a92f6df850cbcbb471dc56d5531 |
| SHA512 | eefb44c9aa15d08ca5a424dc6e0cdf34e21ec84f0d25deaf654bb41680ae7f0c21f7e15360e76b69e66a9f81adb67ae4afd26fc03e06738647c1b12fa41f1a2e |
\Users\Admin\AppData\Local\Tqepb\spreview.exe
| MD5 | 8b1a3d05e56d223ce7ea011addc808f4 |
| SHA1 | cebf2598950746af32999a3359da5142bf4b5306 |
| SHA256 | f6ce83287a687c7b148398bce3361bf08c2e2b379046e19166ccb537ebf3b958 |
| SHA512 | b9216be6cd7cb1bc6f036a79f8f71079476e59fffc61a24009bc3ae94da4f9665ea8735f244b3afc44937a5d6f72bf13995565c324ca99a70891a109b4e85b61 |
C:\Users\Admin\AppData\Local\Tqepb\spreview.exe
| MD5 | 465eccbf6eecee3f4a69008320be3b4c |
| SHA1 | 601ccfe263f9ecc2bfa22714112861acdd51b7cf |
| SHA256 | 75367ba2a18e669d454abb21b18339f78b316778b77739e80e7443106a2cd894 |
| SHA512 | d4c1ca5221d2e4553f04a5356ebabeb7ae87d80dc5a838265edff3418df8b1cb71ed2f697b11c74396ceccf86bf0d2e6f044272324563ab26fa152a89398a743 |
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Q6r\spreview.exe
| MD5 | c4c7048426ccd375de1fee7b0cb8cab9 |
| SHA1 | dff4a99894a50f2c954e9bcdfc7ab0f4175231eb |
| SHA256 | 806566781ce41e8340a9c8d077d8681b1b752c8fc27daa6af4ad853954f5328e |
| SHA512 | e59b0a983d2bb36756d602616e076b4784313b3c2491cf0d2d77efd74dd4c24d25d4abf215af6514ca992676416ddcb01319a7e105efd2b5b925ab877c742c94 |
memory/1204-169-0x00000000776C6000-0x00000000776C7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk
| MD5 | da2014bea5e7343ff57ed6cc0aa87076 |
| SHA1 | 39a968dd9647559b001d95f170674285ab6ac437 |
| SHA256 | 58c62e7c803099133e570d0357566f8a0ed452c82c29a1120de5887beed4c490 |
| SHA512 | 69d16a9595c69b787786de685f536fddbc8ada7ad3b927c72802fc5cdaddc455c2dd81156c7d74ec4e369fda3d8c6eca3edf82a57f97b6045949b1f9aaf928c8 |
C:\Users\Admin\AppData\Roaming\Macromedia\vg2KZ2\VERSION.dll
| MD5 | 4c5f88de373d25904f230d85fb2f50d2 |
| SHA1 | 4e7255faf9cb91da1f4d2f647b125419b1aeeec5 |
| SHA256 | 7000614148dc929d1a2759a40709b82aaa8b4aa74d18f720e3489d2a2da333cf |
| SHA512 | 6d9c630f5f09356d52743b61d06dabbb8c70c92722172968d9e7ed92c388f3a801bf5facaedffa5b71447dc337296c64103deef2f5ccbacac9ccce2babf6924a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\L4QizKCcnt\UxTheme.dll
| MD5 | a4cce9f3712598402008ee26642f0495 |
| SHA1 | a2e4da79d3f83711ecf12a21426da0f9584f7f30 |
| SHA256 | d7978b7cda4da6d0235ac82e2dea6e5ba2642e0868131a0bf1050498ef2f4f8b |
| SHA512 | ec22a6a02bf100d420b44e015346cbcee22c7008b84286e543b79719facbe2cb19773ea3a31b26c6385f8c32e0bbfc7009d368e4698dae030053b6b952b0301a |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Q6r\VERSION.dll
| MD5 | c69348776f573defa00ce71d1c558a21 |
| SHA1 | a17c50ef763901e40416bcdb2134b864c77babcb |
| SHA256 | cc86e0d2696e9ec0b05ac1316932cf2b1bf188c1a4ff321a05f30eff01fd174e |
| SHA512 | da79a4d093b2dad2a356dec21ab30ad2ac77f6502111b7950a61fc17c66fa503bbc20631c4a0bdecebe4774611eeba7255412fe904be5229b98c94b9a6be71eb |
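The Files list above records the DLL side-loading layout this sample builds: each dropped directory under AppData holds a copy of a signed Windows binary (iexpress.exe, EhStorAuthn.exe, psr.exe, spreview.exe) next to a DLL carrying a system DLL name (VERSION.dll, UxTheme.dll, OLEACC.dll), several paths are listed twice with different hashes, and one entry carries the hash of an empty file. The Python below is an added example, not sandbox code, that pulls those facts out of the (path, MD5) pairs. The `SYSTEM_BINARIES` allow-list is constructed from the report's own process names; on a live host you would build it from %SystemRoot%\System32 and also compare the EXE's hash with the System32 original.

```python
import re
from collections import defaultdict

EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes

# Allow-list of System32 basenames, constructed here from the report's process tree;
# on a real host build it from the contents of %SystemRoot%\System32.
SYSTEM_BINARIES = {"iexpress.exe", "ehstorauthn.exe", "psr.exe", "spreview.exe",
                   "dialer.exe", "licensingui.exe"}

# Constructed input: (path, md5) pairs copied from the behavioral1 Files section above
# (a subset; the sandbox lists one file under both "\Users\..." and "C:\Users\..." forms).
DROPPED = [
    (r"\Users\Admin\AppData\Local\RhTaSE\VERSION.dll", "81732bba72971541eeddf71e39cb206b"),
    (r"C:\Users\Admin\AppData\Local\RhTaSE\VERSION.dll", "b749ef8af1c46da616f42a7cb1b511f0"),
    (r"C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe", "2ef15379cad403b515eeda3024fc582d"),
    (r"\Users\Admin\AppData\Local\RhTaSE\iexpress.exe", "ed7b3658c6fedfef6d28bc0597bbf3e4"),
    (r"C:\Users\Admin\AppData\Local\RhTaSE\iexpress.exe", "7becf6798af32e6ed52e09ddae0f3638"),
    (r"\Users\Admin\AppData\Local\ClC5\UxTheme.dll", "15ee7fc73696bbe4f711d623e942e3cd"),
    (r"C:\Users\Admin\AppData\Local\ClC5\UxTheme.dll", "4554a7c3f834e4295314a635471c8717"),
    (r"C:\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe", "3abe95d92c80dc79707d8e168d79a994"),
    (r"\Users\Admin\AppData\Local\ClC5\EhStorAuthn.exe", "fdb0c8ca2dfdab29f0228c7174717ba7"),
    (r"C:\Users\Admin\AppData\Local\5QUshV5ee\OLEACC.dll", "71d96c8f73d47bc7919218d2b4be28b1"),
    (r"C:\Users\Admin\AppData\Local\5QUshV5ee\psr.exe", "98c6f3c6536b6dbb84fd7f758fd2a663"),
    (r"C:\Users\Admin\AppData\Local\Tqepb\VERSION.dll", "d41d8cd98f00b204e9800998ecf8427e"),
    (r"\Users\Admin\AppData\Local\Tqepb\VERSION.dll", "c209171baf84453a9c1f0a8816bd64cb"),
    (r"C:\Users\Admin\AppData\Local\Tqepb\spreview.exe", "f918ad016b81bf932c74927a3a58d7e5"),
    (r"\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Q6r\spreview.exe",
     "c4c7048426ccd375de1fee7b0cb8cab9"),
    (r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\Q6r\VERSION.dll",
     "c69348776f573defa00ce71d1c558a21"),
    (r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk",
     "da2014bea5e7343ff57ed6cc0aa87076"),
]


def normalize(path):
    """Drop the drive letter and case so both spellings of one file share a key."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def analyze(dropped):
    hashes = defaultdict(set)          # normalized path -> distinct MD5s seen
    for path, md5 in dropped:
        hashes[normalize(path)].add(md5.lower())

    names_in_dir = defaultdict(set)    # directory -> basenames in it
    for p in hashes:
        d, name = p.rsplit("\\", 1)
        names_in_dir[d].add(name)

    # Side-loading staging: a user-writable dir holding a System32 EXE copy plus a DLL
    staging = {}
    for d, names in names_in_dir.items():
        exes = sorted(n for n in names if n in SYSTEM_BINARIES)
        dlls = sorted(n for n in names if n.endswith(".dll"))
        if exes and dlls and "\\appdata\\" in d:
            staging[d] = {"exe": exes, "dll": dlls}

    return {
        "staging": staging,
        # same path captured with different content: rewritten during the run
        "rewritten": {p: sorted(h) for p, h in hashes.items() if len(h) > 1},
        # hash of zero bytes: captured before the content was written
        "empty_at_capture": sorted(p for p, h in hashes.items() if EMPTY_MD5 in h),
        "startup_links": sorted(p for p in hashes
                                if p.endswith(".lnk") and "\\startup\\" in p),
    }


if __name__ == "__main__":
    r = analyze(DROPPED)
    for d, pair in r["staging"].items():
        print(f"staging dir {d}: {pair['exe']} + {pair['dll']}")
    print("rewritten:", list(r["rewritten"]))
    print("empty at capture:", r["empty_at_capture"])
    print("startup links:", r["startup_links"])
```

Two caveats follow from the output. A path with several hashes means the sandbox snapshotted a file that was still being written, so treat the last hash per path as the artefact to search for and the earlier ones as partial writes rather than separate payloads. The five staging directories plus the Startup .lnk and the Run key above are the on-disk footprint to sweep for; the EXE in each is an unmodified Windows binary and will pass signature checks, so hunt on the directory pattern, not on the EXE's hash.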
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-29 19:48
Reported
2023-12-29 22:15
Platform
win10v2004-20231215-en
Max time kernel
3s
Max time network
147s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\023797dc02047e4d9ff5a2192e29df8a.dll,#1
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
C:\Users\Admin\AppData\Local\KB5CgUxjh\dialer.exe
C:\Users\Admin\AppData\Local\KB5CgUxjh\dialer.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe
C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe
C:\Users\Admin\AppData\Local\r9IkvDO\dialer.exe
C:\Users\Admin\AppData\Local\r9IkvDO\dialer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| NL | 20.103.156.88:443 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
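Read carefully, this table contains no traffic attributable to the payload: the forward lookups and direct connections go to Bing (g.bing.com, tse1.mm.bing.net, 204.79.197.200) and to one Azure-range address (20.103.156.88), and the remaining rows are the guest reverse-resolving (in-addr.arpa) addresses it talked to, which is Windows 10 background activity. Treat the run as having produced no observable C2, not as clean; the win7 run above recorded no network at all. The Python below is an added example, not part of the report, that parses the table as pasted, decodes the PTR names back into IPs and separates peers that also appear as direct connections from those whose connection was never captured.

```python
import re

# Constructed input: the Network table of the behavioral2 run, pasted from the report
# (the four repeated tse1.mm.bing.net connection rows collapsed to one; the two rows
# with an empty Domain cell are written with the proto in its own column).
NETWORK_TABLE = r"""
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.134.221.88.in-addr.arpa | udp |
| NL | 20.103.156.88:443 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*(\w{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(udp|tcp)\s*\|$")
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.IGNORECASE)


def ptr_to_ip(name):
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200'; None for non-PTR names."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def parse_rows(table):
    """Yield one dict per table row: country, ip, port, domain (may be empty), proto."""
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            yield {"country": country, "ip": ip, "port": int(port),
                   "domain": domain, "proto": proto}


def summarize(table):
    rows = list(parse_rows(table))
    direct = {r["ip"] for r in rows if r["port"] != 53}   # non-DNS destinations
    ptr_ips, forward = set(), set()
    for r in rows:
        if r["port"] != 53 or not r["domain"]:
            continue
        ip = ptr_to_ip(r["domain"])
        if ip:
            ptr_ips.add(ip)            # a peer the guest reverse-resolved
        else:
            forward.add(r["domain"])   # a name the guest looked up
    return {
        "rows": len(rows),
        "direct": direct,
        "forward_lookups": forward,
        "ptr_ips": ptr_ips,
        "ptr_and_direct": ptr_ips & direct,
        "ptr_only": ptr_ips - direct,  # talked to, but no connection row captured
    }


if __name__ == "__main__":
    s = summarize(NETWORK_TABLE)
    print("direct:", sorted(s["direct"]))
    print("forward lookups:", sorted(s["forward_lookups"]))
    print("peers seen only via PTR:", sorted(s["ptr_only"]))
```

The `ptr_only` set is the useful part: reverse lookups tell you which addresses the guest spoke to even when the sandbox did not log the connection itself, so feed them to the same reputation checks as the direct destinations before concluding a run was silent.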
Files
memory/4812-1-0x0000029DDA2D0000-0x0000029DDA2D7000-memory.dmp
memory/4812-0-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-5-0x00007FFDC2DFA000-0x00007FFDC2DFB000-memory.dmp
memory/3428-4-0x0000000002E80000-0x0000000002E81000-memory.dmp
memory/4812-8-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-12-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-17-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-18-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-22-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-26-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-31-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-30-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-34-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-38-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-39-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-44-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-46-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-48-0x0000000002AF0000-0x0000000002AF7000-memory.dmp
memory/3428-47-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-45-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-55-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-43-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-56-0x00007FFDC4D40000-0x00007FFDC4D50000-memory.dmp
memory/3428-65-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-67-0x0000000140000000-0x0000000140248000-memory.dmp
C:\Users\Admin\AppData\Local\KB5CgUxjh\dialer.exe
| MD5 | b2626bdcf079c6516fc016ac5646df93 |
| SHA1 | 838268205bd97d62a31094d53643c356ea7848a6 |
| SHA256 | e3ac5e6196f3a98c1946d85c653866c318bb2a86dd865deffa7b52f665d699bb |
| SHA512 | 615cfe1f91b895513c687906bf3439ca352afcadd3b73f950af0a3b5fb1b358168a7a25a6796407b212fde5f803dd880bcdc350d8bac7e7594090d37ce259971 |
C:\Users\Admin\AppData\Local\KB5CgUxjh\TAPI32.dll
| MD5 | 53b19f4741865c00149f7ccd4114443e |
| SHA1 | ef11b91625870aac6d44ee8617e1e4d25ae7f3ad |
| SHA256 | 3aed139ae8d03c9c789b8b73c957b3b09b588d7ee4f97a21f3627fd32522703f |
| SHA512 | 8b0d28956d076b5237761e692123e9dd85ebb4c69db69e6e48da3b5e0c34492300ce1c406e0fcaaba40fa1f7c2cf5dde746897ba579ddd8f2ffb9e4660f547b2 |
memory/716-76-0x000001D670F90000-0x000001D670F97000-memory.dmp
memory/716-82-0x0000000140000000-0x000000014024A000-memory.dmp
memory/716-77-0x0000000140000000-0x000000014024A000-memory.dmp
C:\Users\Admin\AppData\Local\KB5CgUxjh\TAPI32.dll
| MD5 | 63b0450f40216bd8631d96045489b35a |
| SHA1 | 973d8caf21289625a51f3ed5b0ff6379b68a080c |
| SHA256 | bcefa3d6718919dd2759b753d59d06be35dc1871702a6a1bf1a257e5f51bf08c |
| SHA512 | ff3a63637cf6fdf0e583c354afb38bb5567ecbd01105f094003e7e6591b836587340047b5bd68a807fb6e2700f91fbbe3c6ae900fef9479d7a8c202f65323eef |
memory/3428-42-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-41-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-40-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-37-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-36-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-35-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-33-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-32-0x0000000140000000-0x0000000140248000-memory.dmp
memory/4308-93-0x000001CE21600000-0x000001CE21607000-memory.dmp
memory/4308-94-0x0000000140000000-0x000000014028E000-memory.dmp
C:\Users\Admin\AppData\Local\YeJ7\DUI70.dll
| MD5 | 27fc04ca19a90bab9a6822da738f5bae |
| SHA1 | a87ca76a7685f1667cd1fa9bea68ba984b9cdc81 |
| SHA256 | e33f1b0bc286780fec32e49087f411c269d43e0281dec2538ee2db6de9b98d87 |
| SHA512 | 913943a569371ec28551b8bb1874f75ccaeb55bb3cd04444daa6c125385f76c082471afcb28720a35b397b80ac8e0dbc481281388051e0d410115740c2cc217d |
C:\Users\Admin\AppData\Local\YeJ7\DUI70.dll
| MD5 | 6935f8327e12e0621cb0500ea483fb07 |
| SHA1 | dfd9e0ffb9c88f310298b2ed8f586c20334f5218 |
| SHA256 | 241cf89f6bc845ec4161301c51f1959ac4b2b8c54c4974c50e70400838217e51 |
| SHA512 | 867d59d46b7a4ee30946eb6597648b61d509362027a055703b719f000303f1044dcd3a8f9eebcff1a47438142527e966143dbe7539f9c372b512b998cb0b8f82 |
C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe
| MD5 | 5eb2b7f44228a667dd409c347998416f |
| SHA1 | 0ef5465f0a985fb16cdde886d3ad5c91d7d8ef0e |
| SHA256 | 2199746702b0e7b8046dc4d1e8f7881ccef8bbb300065da36dcff34cfd3b8a99 |
| SHA512 | 605df9a6c73c10a0b1c558131ed6356431cf035950f1c2f1624939acafa2eee0c9a7c4894621a20c01b07119f3eafcf275c3d7c4a81193278566508632df6929 |
C:\Users\Admin\AppData\Local\YeJ7\LicensingUI.exe
| MD5 | b7c03d0089301703a6a00188238d99c2 |
| SHA1 | effa01d8c6c52aade41dc62aaefa5fc7c6744749 |
| SHA256 | aa1658de85bf7b7ebb76ff89b9bb1406b84605aac72f814598062a0cabc2de19 |
| SHA512 | 0cc07d16c2f49a9bc906e1caa68bb9d928f650a88ec754f32ec14ff21db9e2d7d6b4fd7ff6fed899ad6d97955538f21699ec7200d9b90f29bece95bd37dd948e |
memory/3428-29-0x0000000140000000-0x0000000140248000-memory.dmp
C:\Users\Admin\AppData\Local\r9IkvDO\TAPI32.dll
| MD5 | 2907587a1274db6cfb96630b29a305eb |
| SHA1 | 4458b6c7516b599dd495533224e22a9a1af802c2 |
| SHA256 | e7b0959d6dd76423baa8e5fa5ca426a8c4b5437d9f563678361d5d51c59bf55d |
| SHA512 | bf422e99feb3f66b294341f921d60584d839d78211be1dc6ffe19be71e225017fa5d65a4489b63161cfe0873b3eb1a72f8b154289751fe65796de17b5f6af50c |
memory/1656-110-0x0000000140000000-0x000000014024A000-memory.dmp
memory/1656-113-0x000001C6E4920000-0x000001C6E4927000-memory.dmp
C:\Users\Admin\AppData\Local\r9IkvDO\TAPI32.dll
| MD5 | a0caa52fb29e049448f12d5b7f43eef5 |
| SHA1 | 15e8dff88427f7315997849de6eabbbae717b5a6 |
| SHA256 | 1717c25a8614e45f86b6e8d8c57ab97659a3f30008091997f88b585321ac1121 |
| SHA512 | eca2e54d24866b7e7aa4b3347010b9ec36f57e0271dbe139f723e6ae988c608852d0ffca37ea264f29dad04e8284c5cc809940c69fe23f8e25471d8068bfc19b |
memory/1656-120-0x0000000140000000-0x000000014024A000-memory.dmp
memory/3428-28-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-27-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-25-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-24-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-23-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-21-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-20-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-19-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-16-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-15-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-14-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-13-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-11-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-10-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-9-0x0000000140000000-0x0000000140248000-memory.dmp
memory/3428-7-0x0000000140000000-0x0000000140248000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk
| MD5 | 36b8766b97d083b60fc22c8f2a0210a1 |
| SHA1 | 1d08d6e13121a572684a2e5bbd668d7b127de7aa |
| SHA256 | 383689f17588b4d90e11c67f31cee386276c3c9bf4b76533e4761457ae711d13 |
| SHA512 | 0128f03989b55bf1e33d38f36f2ba24dcf4b394c569304133f65fcf631be177db14ea6f64d1febcb92975ddb339bef0d3ad5dda6b5adba18e1dec730b98408dc |
C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\f334QZGVhPi\TAPI32.dll
| MD5 | 5596e4bd85f6a8e667e1f9ed7206ed0d |
| SHA1 | 74c5aea666751edbae4ef95cdd7cd9f4bd9cd1fa |
| SHA256 | 711a964371584613d2dcaae383070d9ae5f3c195ed74dfdc8787bd5010701eb5 |
| SHA512 | 60bdda8ba5782c53724a545f21d7f48e500b0ccaaf1dbe466e2bde8b2f607da62caf36247b49120854735f9b25dc5e1ed21d3a73c6034e2579ffaa0fe345e5f9 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\RUUq1Pv\DUI70.dll
| MD5 | a43ac31b698b4e87d1e68ee7f06fcdfa |
| SHA1 | 8f8030d54650e75d392f6f8af28105093138af2b |
| SHA256 | 7d2853c574bc884e0cc243957cd8175ba026b890d5a8814443f2cb9ae953c8cb |
| SHA512 | 4cbc3db213fa4cd588391331d43e4f14c16b09637a6907b23429c54a68f375c656c8100f0ece5e75abedf9b1e8fb37d06f074f7b6cf96e8c09dcc312c9a670a4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\3iOBJ\TAPI32.dll
| MD5 | 3c2a9eb4c98dbbe0e42ef375fa57414b |
| SHA1 | 7e994852adb8e113a8d793a0849fc586c52c7c39 |
| SHA256 | bc49eaf09842a7c3b8a1fa37b94ba51e17f948736417cb4ba3d877738c8f4663 |
| SHA512 | 6a894e3aa9a12a280540a67769072eac518a43dcdc942059117a9664708386c5b80d5ddbf9970113fda7a3c0c0337ef8eacfe091f5618bf2b4c129b415013bba |