Analysis Overview
SHA256
d26a361401ebe89184426da768ffe65a228680fa72a13e9c29be2c6b40582f17
Threat Level: Known bad
The file 0a0e1c280657815796ae1a6bc531b5ae was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 01:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 01:28
Reported
2023-12-31 03:55
Platform
win7-20231129-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\EULk\lpksetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0k69aSAi\tcmsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2wt\OptionalFeatures.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EULk\lpksetup.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0k69aSAi\tcmsetup.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2wt\OptionalFeatures.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\kI2Wh6G\\tcmsetup.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\EULk\lpksetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\0k69aSAi\tcmsetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\2wt\OptionalFeatures.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1372 wrote to memory of 2188 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 1372 wrote to memory of 2188 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 1372 wrote to memory of 2188 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 1372 wrote to memory of 2436 | N/A | N/A | C:\Users\Admin\AppData\Local\EULk\lpksetup.exe |
| PID 1372 wrote to memory of 2436 | N/A | N/A | C:\Users\Admin\AppData\Local\EULk\lpksetup.exe |
| PID 1372 wrote to memory of 2436 | N/A | N/A | C:\Users\Admin\AppData\Local\EULk\lpksetup.exe |
| PID 1372 wrote to memory of 1192 | N/A | N/A | C:\Windows\system32\tcmsetup.exe |
| PID 1372 wrote to memory of 1192 | N/A | N/A | C:\Windows\system32\tcmsetup.exe |
| PID 1372 wrote to memory of 1192 | N/A | N/A | C:\Windows\system32\tcmsetup.exe |
| PID 1372 wrote to memory of 2024 | N/A | N/A | C:\Users\Admin\AppData\Local\0k69aSAi\tcmsetup.exe |
| PID 1372 wrote to memory of 2024 | N/A | N/A | C:\Users\Admin\AppData\Local\0k69aSAi\tcmsetup.exe |
| PID 1372 wrote to memory of 2024 | N/A | N/A | C:\Users\Admin\AppData\Local\0k69aSAi\tcmsetup.exe |
| PID 1372 wrote to memory of 2040 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe |
| PID 1372 wrote to memory of 2040 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe |
| PID 1372 wrote to memory of 2040 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe |
| PID 1372 wrote to memory of 2012 | N/A | N/A | C:\Users\Admin\AppData\Local\2wt\OptionalFeatures.exe |
| PID 1372 wrote to memory of 2012 | N/A | N/A | C:\Users\Admin\AppData\Local\2wt\OptionalFeatures.exe |
| PID 1372 wrote to memory of 2012 | N/A | N/A | C:\Users\Admin\AppData\Local\2wt\OptionalFeatures.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a0e1c280657815796ae1a6bc531b5ae.dll,#1
C:\Users\Admin\AppData\Local\EULk\lpksetup.exe
C:\Users\Admin\AppData\Local\EULk\lpksetup.exe
C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
C:\Users\Admin\AppData\Local\0k69aSAi\tcmsetup.exe
C:\Users\Admin\AppData\Local\0k69aSAi\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\tcmsetup.exe
C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\2wt\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\2wt\OptionalFeatures.exe
Network
Files
memory/2960-1-0x0000000140000000-0x0000000140217000-memory.dmp
memory/2960-0-0x0000000000190000-0x0000000000197000-memory.dmp
memory/1372-4-0x0000000077AD6000-0x0000000077AD7000-memory.dmp
memory/1372-13-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-25-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-36-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-38-0x0000000003BC0000-0x0000000003BC7000-memory.dmp
memory/1372-46-0x0000000077BE1000-0x0000000077BE2000-memory.dmp
memory/1372-50-0x0000000077D40000-0x0000000077D42000-memory.dmp
memory/1372-56-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-45-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-37-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-35-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-34-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-33-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-32-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-31-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-30-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-29-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-28-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-27-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-26-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-24-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-23-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-22-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-21-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-20-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-19-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-18-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-17-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-16-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-15-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-14-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-12-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-11-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-10-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-9-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-8-0x0000000140000000-0x0000000140217000-memory.dmp
memory/2960-7-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-5-0x0000000003BE0000-0x0000000003BE1000-memory.dmp
memory/1372-61-0x0000000140000000-0x0000000140217000-memory.dmp
memory/1372-62-0x0000000140000000-0x0000000140217000-memory.dmp
memory/2436-75-0x0000000140000000-0x0000000140218000-memory.dmp
memory/2436-79-0x0000000140000000-0x0000000140218000-memory.dmp
memory/2436-74-0x0000000000090000-0x0000000000097000-memory.dmp
memory/2024-98-0x0000000140000000-0x0000000140219000-memory.dmp
memory/2024-104-0x0000000140000000-0x0000000140219000-memory.dmp
memory/2024-100-0x0000000001F20000-0x0000000001F27000-memory.dmp
memory/2012-118-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1372-144-0x0000000077AD6000-0x0000000077AD7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 01:28
Reported
2023-12-31 03:55
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
74s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0a0e1c280657815796ae1a6bc531b5ae.dll,#1
C:\Windows\system32\upfc.exe
C:\Windows\system32\upfc.exe
C:\Users\Admin\AppData\Local\CKLdFmSh\rdpinput.exe
C:\Users\Admin\AppData\Local\CKLdFmSh\rdpinput.exe
C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
C:\Users\Admin\AppData\Local\voU94AZ\tabcal.exe
C:\Users\Admin\AppData\Local\voU94AZ\tabcal.exe
C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
C:\Users\Admin\AppData\Local\bXGfQ\upfc.exe
C:\Users\Admin\AppData\Local\bXGfQ\upfc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 20.242.39.171:443 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| GB | 88.221.135.217:80 | N/A | tcp |
| GB | 96.17.178.174:80 | N/A | tcp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
Files
memory/2904-1-0x0000029552430000-0x0000029552437000-memory.dmp
memory/2904-0-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-6-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-11-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-14-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-16-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-20-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-24-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-26-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-31-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-35-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-37-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-38-0x0000000001310000-0x0000000001317000-memory.dmp
memory/3512-46-0x00007FFFED100000-0x00007FFFED110000-memory.dmp
memory/3512-45-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-57-0x0000000140000000-0x0000000140217000-memory.dmp
memory/4420-66-0x0000000140000000-0x0000000140218000-memory.dmp
memory/4420-72-0x0000000140000000-0x0000000140218000-memory.dmp
memory/4676-85-0x0000023336A80000-0x0000023336A87000-memory.dmp
memory/4676-89-0x0000000140000000-0x0000000140218000-memory.dmp
memory/4660-101-0x0000000140000000-0x0000000140219000-memory.dmp
memory/4660-106-0x0000000140000000-0x0000000140219000-memory.dmp
memory/4660-100-0x000002914C320000-0x000002914C327000-memory.dmp
memory/4420-67-0x000002841F4B0000-0x000002841F4B7000-memory.dmp
memory/3512-55-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-36-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-34-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-33-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-32-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-30-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-29-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-28-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-27-0x0000000140000000-0x0000000140217000-memory.dmp
memory/2904-25-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-23-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-22-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-21-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-19-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-18-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-17-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-15-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-12-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-13-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-10-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-9-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-8-0x00007FFFED05A000-0x00007FFFED05B000-memory.dmp
memory/3512-7-0x0000000140000000-0x0000000140217000-memory.dmp
memory/3512-4-0x0000000002D60000-0x0000000002D61000-memory.dmp