Analysis Overview
SHA256
ac0991bd093102a13f9dc9cd52dc8d339a81ebe551e7ff4079f575be23e2d7c3
Threat Level: Known bad
The file 03c183d59e6ea2fe7b8e65f3e9b3efe0 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-29 20:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-29 20:55
Reported
2023-12-30 00:27
Platform
win7-20231215-en
Max time kernel
33s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\l9Q8nX\consent.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1Zw8UYam\SystemPropertiesDataExecutionPrevention.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\I57vxtYw\msdt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\l9Q8nX\consent.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1Zw8UYam\SystemPropertiesDataExecutionPrevention.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\I57vxtYw\msdt.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\2Nkv9zaCG\\SystemPropertiesDataExecutionPrevention.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\l9Q8nX\consent.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1Zw8UYam\SystemPropertiesDataExecutionPrevention.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\I57vxtYw\msdt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c183d59e6ea2fe7b8e65f3e9b3efe0.dll,#1
C:\Users\Admin\AppData\Local\l9Q8nX\consent.exe
C:\Users\Admin\AppData\Local\l9Q8nX\consent.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
C:\Users\Admin\AppData\Local\1Zw8UYam\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\1Zw8UYam\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\I57vxtYw\msdt.exe
C:\Users\Admin\AppData\Local\I57vxtYw\msdt.exe
C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-29 20:55
Reported
2023-12-30 00:27
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
141s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c183d59e6ea2fe7b8e65f3e9b3efe0.dll,#1
C:\Windows\system32\omadmclient.exe
C:\Windows\system32\omadmclient.exe
C:\Users\Admin\AppData\Local\qixS1\omadmclient.exe
C:\Users\Admin\AppData\Local\qixS1\omadmclient.exe
C:\Users\Admin\AppData\Local\7NIaRg1\GamePanel.exe
C:\Users\Admin\AppData\Local\7NIaRg1\GamePanel.exe
C:\Windows\system32\GamePanel.exe
C:\Windows\system32\GamePanel.exe
C:\Users\Admin\AppData\Local\ufzGyA\wlrmdr.exe
C:\Users\Admin\AppData\Local\ufzGyA\wlrmdr.exe
Network
Files