Analysis Overview
SHA256
8fd540d8ddd32217d844155363837a0364436b0ed7ec69f206446f29e0650332
Threat Level: Known bad
The file 0d22c81b42302e2112892de0c0d6a36b was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 03:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 03:35
Reported
2023-12-31 16:03
Platform
win10v2004-20231215-en
Max time kernel
2s
Max time network
5s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d22c81b42302e2112892de0c0d6a36b.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 03:35
Reported
2023-12-31 15:55
Platform
win7-20231215-en
Max time kernel
151s
Max time network
124s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\MEDIAC~1\\axPA\\VAULTS~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0d22c81b42302e2112892de0c0d6a36b.dll,#1
C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe
C:\Windows\system32\VaultSysUi.exe
C:\Windows\system32\VaultSysUi.exe
C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe
C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe
C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe
C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe
Network
Files
memory/1104-0-0x0000000000190000-0x0000000000197000-memory.dmp
memory/1104-1-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-4-0x0000000076E86000-0x0000000076E87000-memory.dmp
memory/1264-5-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
memory/1104-8-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-11-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-9-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-12-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-14-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-18-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-20-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-21-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-22-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-25-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-26-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-27-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-30-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-33-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-32-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-31-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-35-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-37-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-39-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-42-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-43-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-44-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-45-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-47-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-48-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-49-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-51-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-52-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-54-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-55-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-57-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-58-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-59-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-60-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-62-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-63-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-64-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-61-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-65-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-56-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-68-0x0000000002670000-0x0000000002677000-memory.dmp
memory/1264-53-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-50-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-46-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-41-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-40-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-38-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-76-0x0000000076F91000-0x0000000076F92000-memory.dmp
memory/1264-36-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-34-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-77-0x00000000770F0000-0x00000000770F2000-memory.dmp
memory/1264-28-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-29-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-24-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-23-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-19-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-17-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-16-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-15-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-13-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-10-0x0000000140000000-0x000000014033A000-memory.dmp
memory/1264-7-0x0000000140000000-0x000000014033A000-memory.dmp
C:\Users\Admin\AppData\Local\MgrThq\SYSDM.CPL
| MD5 | b4b4d8fe488fb8b3172301755abcb3b1 |
| SHA1 | e82210a03f74146dfbfd9d2f8bb7fb95a6c3237d |
| SHA256 | abca673b6c79c80382bd1ab164172d147b5a7dc65eea80c7340c75b9da3c1d4c |
| SHA512 | f308a44ec2453745347c63dc96fdc12876847bdc7c9dcbfbf3b40c216413c92dc8d5d712e23414af348d780fb8955aa30bab29142ff48126608a2fbc6b75d7cf |
\Users\Admin\AppData\Local\MgrThq\SYSDM.CPL
| MD5 | 11885312c055e478d274a4b1dc331708 |
| SHA1 | 02c12633069fb71f143e77ee33806aec4d4cb92c |
| SHA256 | 81201b69ad402403551e9b0758f472f34a185da1c0237aea9b8e52235ab3fac6 |
| SHA512 | 307b37cdccdf948dfa69fc83dc7f4287def056dd02e62b6c244d284b49d6c63750c76d323ac8dac25219bd752ebeaa58659e100b03acac660c981e296fa4fa46 |
C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe
| MD5 | d0d7ac869aa4e179da2cc333f0440d71 |
| SHA1 | e7b9a58f5bfc1ec321f015641a60978c0c683894 |
| SHA256 | 5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a |
| SHA512 | 1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7 |
memory/284-104-0x0000000000080000-0x0000000000087000-memory.dmp
memory/1264-115-0x0000000076E86000-0x0000000076E87000-memory.dmp
C:\Users\Admin\AppData\Local\bIH1lsfZ\credui.dll
| MD5 | fc207db8d23a2eb6f0b012171c86abff |
| SHA1 | eaee10e4b3edd3175b199578791513b0da6ac629 |
| SHA256 | 6b51ea96dc53044e2d8a934cd4e7a55b1cfc7a1b82f3458b015ab1575e43a3ed |
| SHA512 | fc846244e2cba3f0cc01b88937890e06c3ee3db9c75c070e217a379c35fdcbbef60fcbfa8a54e44db26e84ee6d9c86d2ff7e104b3e8336c669b176720f594a5d |
\Users\Admin\AppData\Local\bIH1lsfZ\credui.dll
| MD5 | 03b64cc2eda213f0261e67497a75dd87 |
| SHA1 | 9516b023b8d357b080413ec35782d8562202cf77 |
| SHA256 | a899efe91c07ee8c8e682f9adc4ec2445b53e6a9600642967c7a76880bc13316 |
| SHA512 | 0ba9469faa0127f583bb3c1f2bddf3e38df03bafa6bef6e8af922cdb30f873adb4403d961c43422bcf0763fbf7441689dd6a4835ff49212cf6c1dc20251dc612 |
C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe
| MD5 | f40ef105d94350d36c799ee23f7fec0f |
| SHA1 | ee3a5cfe8b807e1c1718a27eb97fa134360816e3 |
| SHA256 | eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2 |
| SHA512 | f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1 |
memory/2908-126-0x0000000000070000-0x0000000000077000-memory.dmp
C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe
| MD5 | fd1649c9d7d7ea6910fdaf3fd3e13bb8 |
| SHA1 | 86b53528d0624501c55ceacaf9fded8d24de1f1f |
| SHA256 | cd6d586a703147741559b5cc1c63b54b947a2d047f735084981e3ba6f9eefa7c |
| SHA512 | b33909ec42273c08a56dd60ecf9679e1b080b5a0c8e2df0331a3168b8e09f6002e257d89f80fc71a56e1692fe44e5dbfad5275387e33c2674a460822181104a3 |
C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe
| MD5 | a638ab38064591c43b223cbd9cef44f4 |
| SHA1 | da31c71b849f48e6d1d7fbc330b4507bba320690 |
| SHA256 | 1344bcfd90e81ed91d45384b70563a1634cdfcbb86d65aaf1f92ab4dc9eb1be5 |
| SHA512 | def00428190628610e1c0903a26f8d841b2ad477d52fcc3f1b59e9bfbced3ac3cf3bf1ff8cfcf36c0a5ad8f3db8a2d0d8bd963df77dac7a1810c99424032af4f |
\Users\Admin\AppData\Local\Xh7axlA0\WTSAPI32.dll
| MD5 | f53cd996c6847ea6281816652b845421 |
| SHA1 | e21e6bc76aa81bb87894c74f6641b6f718af0c16 |
| SHA256 | 68fd081866747a0f03df82391d7d7fce82199bf4b4271b0dee33d2f26f12cee7 |
| SHA512 | abf346a211ae8575517ceaafa6c0c791faa1f107e3d6b8adc928c0fd0a01a109e533e7334b39f219da63a38282c339d3cac4c82e9b9a06a3d2a54ead93f6ea5d |
C:\Users\Admin\AppData\Local\Xh7axlA0\WTSAPI32.dll
| MD5 | 383bfcec3da9c932f1e6a919827b324b |
| SHA1 | ecf539d7394467389a392a71bc85766cdf54b5d1 |
| SHA256 | abd82e71344ef35a57b276340ebccff2ae27c5127e8e0c42c014dd770373164c |
| SHA512 | 22706a949bc771afb5ce105a31dac1a634247dff273ef45881b571724f6afe9968d0a1a7f9a41410ab06f033579c44cbbfecaa589a3b1eb916104988cd990022 |
memory/1112-144-0x0000000000620000-0x0000000000627000-memory.dmp
\Users\Admin\AppData\Local\Xh7axlA0\psr.exe
| MD5 | 92a751f078245fd104f08045780134d5 |
| SHA1 | d279a0737ce6faaf0e87a87198bc09e8b50bc950 |
| SHA256 | 756c5de2de10061389c13e183b6c36e851202b637fb55fafcccd7ab6938eb844 |
| SHA512 | b50644a8da6a8c5ab622e6a0eaaf1fc838781fac57e8f5d15c53171058a2a941b4f3858aa02f3712fdd93dd9f3cd70d46e266bd2144f4d7ec48251207f3f51cd |
C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe
| MD5 | a5a27a7a9e4379370ad63dbfa475c25c |
| SHA1 | de512d11b54d21a88af2419453de5c81ffc67919 |
| SHA256 | 5083dddafc302eaf63e678bc9e245ea2333f5ec7130ab209a8e094ab09e3f308 |
| SHA512 | bf135a0cc2aa3e7fca3e52eed6fbe4064a05365f6f02a373c9b4378b5a081601a581991f350a8e1a57aa2a3eac46c0d385ddb7ac8d9babeb275b3619e33ca7a4 |
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\YH21QU4FEx8\psr.exe
| MD5 | c4b3674dcf4e60aaaf7aa58c3c3f3b1a |
| SHA1 | 1f4e71dc190fe2172830d0ae8872fab90ed9e81c |
| SHA256 | 77dbdc0f28bf6361d278f04f4d35a1a95807f12d32e48e84ab4049ad8214c758 |
| SHA512 | fe51caa5af79510bcbbc69ea8c042968458f9b8e86c159c3ba3391f3eca39b4721c288f0ad16788962508dba4f1efa306eb685904586007dc3daa026f8f79efe |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
| MD5 | 1b3f3e02412a7231dcdb1a98bf56bb39 |
| SHA1 | 58cb801c4647607e05a1f9da4ed8193a96d42d06 |
| SHA256 | 45ee52f01c07226aab1ca38c32e4ee7299e04325ebee34f36cd06ad5cf054458 |
| SHA512 | 9ca29f2d898efd51c730536f5c551ecdcb4f855ba9c2cc1fbac21cd37e5032fdd4be4eb1611b7a82e8ab8c1d9c8113c2261b533368f6246b775c9f6805f07957 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\34IllC2S\SYSDM.CPL
| MD5 | 99cfea0bfde424dcafbd9ca676886345 |
| SHA1 | f06ceda32dcf2c2282db2bb1e4442135183c09ba |
| SHA256 | dde3ae5631b8677c6d263f0fca8c958010e60953ef76a88719a84d3a38cbfa6f |
| SHA512 | 1cb4c493b330ab2e207a7984537621252f7d0a88580d73e482cf7b85afa25a84d2f15a0acf59e50cd3a1fe545a5bd5f806975b3854bcfc4fc32b83cd95111d5b |
C:\Users\Admin\AppData\Roaming\Media Center Programs\axPA\credui.dll
| MD5 | 33e141243bd476b2f9ca4dd6a1c110cd |
| SHA1 | 1e44c2f1107925ac9c759cb64a50adae5a3d6d22 |
| SHA256 | 5b00eadf4b0d5fa5c5dcb49001a9770b5b48585efc51fe798feb94bdd5414e4a |
| SHA512 | 17cc53f0df9fe853e68c877bc7f6fdffc12fe1f287521bb3e79234eabeef03d9aa0ed4091d696e0b935ceae7939b18c67ac6a93c00a00b0a516b37467b58dd06 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\YH21QU4FEx8\WTSAPI32.dll
| MD5 | fe38ec9c988469ff42a6e808c556e1d9 |
| SHA1 | 6aeea29ac71fd551d39eb76122e21289315a4abf |
| SHA256 | 0778a46a87b02e8b9a797a44c2ee2d38a147f1f3b1a5c1704316523077b6605c |
| SHA512 | 2dcd248928e6273d6cc4177d5e0a6c104ee39b24d910b4b3f873f9df006c8d619cce96a7ffc2ef263a821d99802271c2e0c444a4aab61e4dcc0def1e48be529a |
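The process list and dropped-file list above line up into one pattern: each of SystemPropertiesRemote.exe, VaultSysUi.exe and psr.exe runs once from C:\Windows\system32 and then again from a freshly created, randomly named folder under the user's AppData\Local, and in each of those folders the sandbox recorded both a copy of the binary and a loadable module named after a system library (SYSDM.CPL beside SystemPropertiesRemote.exe, credui.dll beside VaultSysUi.exe, WTSAPI32.dll beside psr.exe). That is the DLL search-order hijacking shape, and the Run key value points, through 8.3 short names (MEDIAC~1, VAULTS~1.EXE), at a fourth such folder under AppData\Roaming where another credui.dll was written. The script below is an added example by the editor, not sandbox output or anything from the sample: it rebuilds the lists from the report (process paths de-duplicated, hashes dropped), flags processes that match the side-loading shape, and resolves the short-name Run key path against the dropped files. The system-directory set, the loadable-extension set and the 8.3 matching rule are the editor's assumptions; the 8.3 test is a heuristic, since the real short-to-long mapping lives in the filesystem that produced it.

```python
"""Added example: flag the side-loading pattern in the behavioral1 report.
Inputs are constructed from the report above; rules are the editor's."""
import re
from pathlib import PureWindowsPath

# From the behavioral1 process list (each path appeared twice above).
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\SystemPropertiesRemote.exe",
    r"C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe",
    r"C:\Windows\system32\VaultSysUi.exe",
    r"C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe",
    r"C:\Windows\system32\psr.exe",
    r"C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe",
]
# From the dropped-file list above (hashes omitted).
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\MgrThq\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\MgrThq\SystemPropertiesRemote.exe",
    r"C:\Users\Admin\AppData\Local\bIH1lsfZ\credui.dll",
    r"C:\Users\Admin\AppData\Local\bIH1lsfZ\VaultSysUi.exe",
    r"C:\Users\Admin\AppData\Local\Xh7axlA0\psr.exe",
    r"C:\Users\Admin\AppData\Local\Xh7axlA0\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\YH21QU4FEx8\psr.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\YH21QU4FEx8\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\Media Center Programs\axPA\credui.dll",
]
# The "Adds Run key" value, written with 8.3 short names.
RUN_KEY_VALUE = r"C:\Users\Admin\AppData\Roaming\MEDIAC~1\axPA\VAULTS~1.EXE"

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # assumption
LOADABLE_EXT = {".dll", ".cpl", ".ocx"}                          # assumption


def _parent(path):
    return str(PureWindowsPath(path).parent).lower()


def system_binaries(processes):
    """Lower-case basenames of executables that ran from a system directory."""
    return {PureWindowsPath(p).name.lower() for p in processes if _parent(p) in SYSTEM_DIRS}


def find_sideload_candidates(processes, dropped):
    """A namesake of a system binary running outside System32, with a loadable
    module dropped into its own directory, is the search-order hijacking shape."""
    names = system_binaries(processes)
    by_dir = {}
    for f in dropped:
        by_dir.setdefault(_parent(f), []).append(PureWindowsPath(f))
    hits = []
    for p in processes:
        pw, d = PureWindowsPath(p), _parent(p)
        if pw.name.lower() not in names or d in SYSTEM_DIRS:
            continue
        here = by_dir.get(d, [])
        modules = sorted(str(x) for x in here if x.suffix.lower() in LOADABLE_EXT)
        if modules:
            hits.append({
                "process": p,
                "modules": modules,
                # the legitimate binary itself was copied alongside the module
                "copied_binary": any(x.name.lower() == pw.name.lower() for x in here),
            })
    return hits


_SHORT = re.compile(r"([^.~\\]{1,6})~\d+(?:\.([^.\\]{1,3}))?")


def short_matches_long(short, long):
    """Heuristic 8.3 test: the short prefix is the long name with spaces and
    inner dots removed, cut to 6 chars; the extension is cut to 3 chars."""
    m = _SHORT.fullmatch(short)
    if not m:
        return short.lower() == long.lower()
    prefix, ext = m.group(1), m.group(2) or ""
    base, lext = long.rsplit(".", 1) if "." in long else (long, "")
    base = base.replace(" ", "").replace(".", "")
    return base[:6].upper() == prefix.upper() and lext[:3].upper() == ext.upper()


def resolve_short_path(short_path, known_paths):
    """Long-name directories in known_paths matching the short path's directory."""
    want = PureWindowsPath(short_path).parent.parts
    out = set()
    for k in known_paths:
        parent = PureWindowsPath(k).parent
        if len(parent.parts) == len(want) and all(
                short_matches_long(s, l) for s, l in zip(want, parent.parts)):
            out.add(str(parent))
    return out


def candidate_targets(short_path, processes):
    """Process basenames the short file name could expand to."""
    short_name = PureWindowsPath(short_path).name
    return {PureWindowsPath(p).name for p in processes
            if short_matches_long(short_name, PureWindowsPath(p).name)}


if __name__ == "__main__":
    for h in find_sideload_candidates(PROCESSES, DROPPED_FILES):
        print(h["process"], "->", ", ".join(h["modules"]),
              "(binary copied too)" if h["copied_binary"] else "")
    print("Run key directory:", resolve_short_path(RUN_KEY_VALUE, DROPPED_FILES))
    print("Run key target:", candidate_targets(RUN_KEY_VALUE, PROCESSES))
```

Run against the report's data this flags the three AppData\Local copies, each with its binary copied alongside the dropped module, and resolves the Run key to C:\Users\Admin\AppData\Roaming\Media Center Programs\axPA with VaultSysUi.exe as the only process name that VAULTS~1.EXE can stand for, so the Run key re-launches the same VaultSysUi.exe/credui.dll pair from a second location. The Startup-folder shortcut Yiudzqwx.lnk listed above is a separate persistence path and is not covered by this check. On a live host the copied binaries would be signed Microsoft files and pass an "unsigned PE" filter, which is why the detection keys on location and co-located modules rather than on the executable itself.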