Analysis Overview
SHA256
b9816e734f5583ed6e74f7fbd75dfe772fab8d14c81be28d79d77130015c4d40
Threat Level: Known bad
The file 0ce95ebf131e91dbf0073b92f8412db5 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 03:26
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 03:26
Reported
2023-12-30 19:06
Platform
win7-20231129-en
Max time kernel
132s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\uBqx7QE\SystemPropertiesAdvanced.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\GKW0HZ3qH\wscript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zlnAOdeV\TpmInit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\uBqx7QE\SystemPropertiesAdvanced.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\GKW0HZ3qH\wscript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zlnAOdeV\TpmInit.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\XPTONQ~1\\wscript.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\GKW0HZ3qH\wscript.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\zlnAOdeV\TpmInit.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\uBqx7QE\SystemPropertiesAdvanced.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ce95ebf131e91dbf0073b92f8412db5.dll,#1
C:\Users\Admin\AppData\Local\uBqx7QE\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\GKW0HZ3qH\wscript.exe
C:\Windows\system32\wscript.exe
C:\Windows\system32\TpmInit.exe
C:\Users\Admin\AppData\Local\zlnAOdeV\TpmInit.exe
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\XPtonQjNAvZ\VERSION.dll
| Hash | Value |
|---|---|
| MD5 | 952c626d7967419f5b0b682ae3749814 |
| SHA1 | 70d081c433aecc3d8454c3f4d49e2c7046b757dd |
| SHA256 | 43ed736bc51828543a60714f7c58ac1942a4cade6c5f86850a11059e36cd341c |
| SHA512 | 88b60ba2d46018213889f625d459f2ddb414049cae0728031653ac437d28d8f6bdb9741b57f6b91cf389622d00f388268c88c43fe7cab4dcdde088a2d468e3d2 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\76RVLVYY\kocM\ACTIVEDS.dll
| Hash | Value |
|---|---|
| MD5 | e29aa7be4ba53f4546dc53e8052bd87e |
| SHA1 | f7aed57aa4a1e3c435f1d5d5a5739aa2ba1574a2 |
| SHA256 | 7b8c8c541493566acfdfa329e37040dd055a6cb9e67416c0ae1b427e8a859c8f |
| SHA512 | cfd4d518574560cd05eb5b7ca9ba427ae4afef984fd5931bd98744077e764bbc087cbdb2332c613394c1766e0a31eb8a94000de77136edc29cfb67a058eaeefd |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 03:26
Reported
2023-12-30 19:06
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
78s
Command Line
Signatures
Dridex
Dridex Shellcode
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0ce95ebf131e91dbf0073b92f8412db5.dll,#1
C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\celaO\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\mspaint.exe
C:\Users\Admin\AppData\Local\ekbD1\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\SrToPzUu\mspaint.exe
Network
Files