Analysis Overview
SHA256
4ba3c5dd250ef9b7afbd8968e20eef9be70988e415d4e8bb7480ac3f5ffb159c
Threat Level: Known bad
The file 0fe25a00394d1eaf4e182704b924fd54 (submitted as 0fe25a00394d1eaf4e182704b924fd54.dll and registered with regsvr32 /s, see the process list below) was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 05:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 05:21
Reported
2023-12-31 00:46
Platform
win7-20231215-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\wD7\raserver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\wD7\raserver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\oA6prJUCy\\isoburn.exe" | N/A | N/A |
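The three tables above together describe one persistence technique: a genuine Windows binary (raserver.exe, isoburn.exe, DevicePairingWizard.exe) is copied into a random folder under %LOCALAPPDATA%, a DLL carrying a real system DLL name (WTSAPI32.dll, UxTheme.dll, MFC42u.dll) is dropped beside it so that the DLL search order resolves to the attacker's copy, and a Run value restarts one of the relocated binaries. The following detection is an added example, not the sandbox vendor's code; its sample events are constructed from the paths in this report, and the allow-lists of binary and DLL names are an assumption scoped to what the report shows.

```python
"""
Detection for the two persistence artefacts in the tables above: a Windows
system binary copied under %LOCALAPPDATA% that loads a system-DLL name from
its own folder, and a Run value that starts such a relocated binary.

Added example; not the sandbox vendor's code. Sample events are constructed
from the report's paths; in production they would come from Sysmon Event ID 7
(ImageLoad) and Event ID 13 (RegistryValueSet) or an EDR feed.
"""
import re
from pathlib import PureWindowsPath

# Assumption: allow-lists are hardcoded to the names seen in this report. A real
# deployment would derive them from an inventory of %SystemRoot%\System32.
SYSTEM_EXES = {"raserver.exe", "isoburn.exe", "devicepairingwizard.exe"}
SYSTEM_DLLS = {"wtsapi32.dll", "uxtheme.dll", "mfc42u.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def in_system_dir(path: str) -> bool:
    return _parent(path) in SYSTEM_DIRS


def is_sideload(image: str, dll: str) -> bool:
    """A system-binary name running outside the system directories and
    loading a system-DLL name from its own directory: the DLL search order
    resolves the name to the dropped copy before System32 is consulted."""
    if _name(image) not in SYSTEM_EXES or in_system_dir(image):
        return False
    if _name(dll) not in SYSTEM_DLLS:
        return False
    return _parent(dll) == _parent(image)


def run_value_target(data: str) -> str:
    """Executable path from a Run value, with or without quotes/arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return m.group(1) if m else data


def is_relocated_autorun(data: str) -> bool:
    """Run value launching a system-binary name from outside System32."""
    target = run_value_target(data)
    return _name(target) in SYSTEM_EXES and not in_system_dir(target)


# Constructed sample events: (process image, loaded DLL)
IMAGE_LOADS = [
    (r"C:\Users\Admin\AppData\Local\wD7\raserver.exe",
     r"C:\Users\Admin\AppData\Local\wD7\WTSAPI32.dll"),
    (r"C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe",
     r"C:\Users\Admin\AppData\Local\S1G6u\UxTheme.dll"),
    (r"C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe",
     r"C:\Users\Admin\AppData\Local\JFC7h\MFC42u.dll"),
    # benign: the genuine binary loading the genuine DLL from System32
    (r"C:\Windows\system32\raserver.exe", r"C:\Windows\system32\WTSAPI32.dll"),
    # not a side-load: the relocated copy resolved the DLL from System32 this time
    (r"C:\Users\Admin\AppData\Local\wD7\raserver.exe", r"C:\Windows\system32\WTSAPI32.dll"),
]

# Constructed sample Run values: registry value path -> data
RUN_VALUES = {
    r"\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr":
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\oA6prJUCy\isoburn.exe",
    # benign: an AppData autorun is not suspicious by itself
    r"\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def hunt(image_loads, run_values):
    """Return (side-load events, suspicious Run value names)."""
    sideloads = [(img, dll) for img, dll in image_loads if is_sideload(img, dll)]
    autoruns = [key for key, data in run_values.items() if is_relocated_autorun(data)]
    return sideloads, autoruns


if __name__ == "__main__":
    found_loads, found_runs = hunt(IMAGE_LOADS, RUN_VALUES)
    for img, dll in found_loads:
        print(f"SIDELOAD  {img}  <-  {dll}")
    for key in found_runs:
        print(f"AUTORUN   {key}")
```

The Run-key check deliberately keys on the binary name rather than on "AppData in a Run value": many legitimate per-user installers (OneDrive in the sample) autorun from AppData, while a System32 binary name launched from a user-writable path is rarely benign. The Startup folder .lnk listed under Files below is the same idea and can be fed through run_value_target once the shortcut target is resolved.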
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wD7\raserver.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1264 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1264 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1264 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1264 wrote to memory of 1200 | N/A | N/A | C:\Users\Admin\AppData\Local\wD7\raserver.exe |
| PID 1264 wrote to memory of 1200 | N/A | N/A | C:\Users\Admin\AppData\Local\wD7\raserver.exe |
| PID 1264 wrote to memory of 1200 | N/A | N/A | C:\Users\Admin\AppData\Local\wD7\raserver.exe |
| PID 1264 wrote to memory of 1920 | N/A | N/A | C:\Windows\system32\isoburn.exe |
| PID 1264 wrote to memory of 1920 | N/A | N/A | C:\Windows\system32\isoburn.exe |
| PID 1264 wrote to memory of 1920 | N/A | N/A | C:\Windows\system32\isoburn.exe |
| PID 1264 wrote to memory of 844 | N/A | N/A | C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe |
| PID 1264 wrote to memory of 844 | N/A | N/A | C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe |
| PID 1264 wrote to memory of 844 | N/A | N/A | C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe |
| PID 1264 wrote to memory of 2936 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe |
| PID 1264 wrote to memory of 2936 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe |
| PID 1264 wrote to memory of 2936 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe |
| PID 1264 wrote to memory of 1968 | N/A | N/A | C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe |
| PID 1264 wrote to memory of 1968 | N/A | N/A | C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe |
| PID 1264 wrote to memory of 1968 | N/A | N/A | C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe |
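The table above shows a single source PID writing into each pristine System32 binary and into its relocated copy under AppData alike, three writes per target. The triage helper below, an added example and not the sandbox vendor's code, parses those rows, counts writes per target and pairs every relocated copy with its System32 original by binary name; the row regex is an assumption about this table's layout, and the rows themselves are copied from the report.

```python
"""
Triage helper for the "Suspicious use of WriteProcessMemory" table above:
group writes by source PID, count writes per target, and pair every target
that is a Windows system binary running from a non-system path with its
genuine copy in System32 written by the same source.

Added example; not the sandbox vendor's code. The rows are copied from the
report; the row regex is an assumption about that table's layout.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# | PID <src> wrote to memory of <tgt> | <indicator> | <process> | <target path> |
ROW = re.compile(
    r"^\|\s*PID (\d+) wrote to memory of (\d+)\s*\|[^|]*\|[^|]*\|\s*([^|]+?)\s*\|$"
)

# Rows copied from the report table
SAMPLE_ROWS = r"""
| PID 1264 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1264 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1264 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\raserver.exe |
| PID 1264 wrote to memory of 1200 | N/A | N/A | C:\Users\Admin\AppData\Local\wD7\raserver.exe |
| PID 1264 wrote to memory of 1200 | N/A | N/A | C:\Users\Admin\AppData\Local\wD7\raserver.exe |
| PID 1264 wrote to memory of 1200 | N/A | N/A | C:\Users\Admin\AppData\Local\wD7\raserver.exe |
| PID 1264 wrote to memory of 1920 | N/A | N/A | C:\Windows\system32\isoburn.exe |
| PID 1264 wrote to memory of 1920 | N/A | N/A | C:\Windows\system32\isoburn.exe |
| PID 1264 wrote to memory of 1920 | N/A | N/A | C:\Windows\system32\isoburn.exe |
| PID 1264 wrote to memory of 844 | N/A | N/A | C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe |
| PID 1264 wrote to memory of 844 | N/A | N/A | C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe |
| PID 1264 wrote to memory of 844 | N/A | N/A | C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe |
| PID 1264 wrote to memory of 2936 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe |
| PID 1264 wrote to memory of 2936 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe |
| PID 1264 wrote to memory of 2936 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe |
| PID 1264 wrote to memory of 1968 | N/A | N/A | C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe |
| PID 1264 wrote to memory of 1968 | N/A | N/A | C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe |
| PID 1264 wrote to memory of 1968 | N/A | N/A | C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe |
"""


def parse_rows(text: str) -> dict:
    """src_pid -> {tgt_pid: [target_path, write_count]}"""
    writes = defaultdict(dict)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, tgt, path = int(m.group(1)), int(m.group(2)), m.group(3)
        entry = writes[src].setdefault(tgt, [path, 0])
        entry[1] += 1
    return writes


def in_system_dir(path: str) -> bool:
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def paired_targets(writes: dict, src: int) -> list:
    """(exe name, (pid, path, writes) in System32, (pid, path, writes) elsewhere)
    for every binary name the source wrote to in both locations."""
    by_name = defaultdict(lambda: {"system": [], "other": []})
    for tgt, (path, count) in writes.get(src, {}).items():
        bucket = "system" if in_system_dir(path) else "other"
        by_name[PureWindowsPath(path).name.lower()][bucket].append((tgt, path, count))
    return [
        (name, orig, copy)
        for name, groups in by_name.items()
        for orig in groups["system"]
        for copy in groups["other"]
    ]


if __name__ == "__main__":
    writes = parse_rows(SAMPLE_ROWS)
    for src in writes:
        print(f"source PID {src}: {len(writes[src])} targets")
        for name, orig, copy in paired_targets(writes, src):
            print(f"  {name}: original PID {orig[0]} ({orig[2]} writes), "
                  f"copy PID {copy[0]} at {copy[1]} ({copy[2]} writes)")
```

A source process that writes into both the System32 original and a same-named copy under a user profile is a stronger hunting signal than either write alone; on an endpoint the same pairing can be built from Sysmon Event ID 8 or 10 (CreateRemoteThread / ProcessAccess) rather than from a sandbox table.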
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0fe25a00394d1eaf4e182704b924fd54.dll
C:\Windows\system32\raserver.exe
C:\Windows\system32\raserver.exe
C:\Users\Admin\AppData\Local\wD7\raserver.exe
C:\Users\Admin\AppData\Local\wD7\raserver.exe
C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe
C:\Users\Admin\AppData\Local\S1G6u\isoburn.exe
C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe
Network
Files
memory/776-0-0x0000000000120000-0x0000000000127000-memory.dmp
memory/776-1-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-4-0x0000000077806000-0x0000000077807000-memory.dmp
memory/1264-5-0x00000000029D0000-0x00000000029D1000-memory.dmp
memory/1264-9-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-12-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-11-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-10-0x0000000140000000-0x0000000140216000-memory.dmp
memory/776-8-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-7-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-13-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-15-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-14-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-21-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-20-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-19-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-18-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-17-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-16-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-22-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-23-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-24-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-25-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-27-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-26-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-29-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-28-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-30-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-31-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-32-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-33-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-34-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-35-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-36-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-37-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-40-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-38-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-39-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-42-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-41-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-43-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-49-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-48-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-47-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-46-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-45-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-44-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-51-0x00000000029A0000-0x00000000029A7000-memory.dmp
memory/1264-50-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-58-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-63-0x0000000077A70000-0x0000000077A72000-memory.dmp
memory/1264-62-0x0000000077911000-0x0000000077912000-memory.dmp
memory/1264-69-0x0000000140000000-0x0000000140216000-memory.dmp
memory/1264-75-0x0000000140000000-0x0000000140216000-memory.dmp
\Users\Admin\AppData\Local\wD7\raserver.exe
| MD5 | cd0bc0b6b8d219808aea3ecd4e889b19 |
| SHA1 | 9f8f4071ce2484008e36fdfd963378f4ebad703f |
| SHA256 | 16abc530c0367df1ad631f09e14c565cf99561949aa14acc533cd54bf8a5e22c |
| SHA512 | 84291ea3fafb38ef96817d5fe4a972475ef8ea24a4353568029e892fa8e15cf8e8f6ef4ff567813cd3b38092f0db4577d9dccb22be755eebdd4f77e623dc80ac |
C:\Users\Admin\AppData\Local\wD7\WTSAPI32.dll
| MD5 | 03a499490d7a6cc8a74430ac8ec4586c |
| SHA1 | 60b61164ccbf137f2ad57e575cd8993de1cb27fc |
| SHA256 | a2d4475b67052bad51f39f1f7e698bbab98069e1fe6ab5f6fae8161afe764f42 |
| SHA512 | 19276795714945ca480f91dc93c807ddfc8ea8363ac4dad2cea2712ee248660a4adfe17bb808bdb4cf3ca5f106fe5aa84424b8f077065b958e3ae8d0f2f2e02a |
memory/1200-87-0x0000000000220000-0x0000000000227000-memory.dmp
\Users\Admin\AppData\Local\wD7\WTSAPI32.dll
| MD5 | 661f67d2bb4ae42591569768a6e788db |
| SHA1 | 0f3bcfc356a5ac687e7d957656da00c75a331aca |
| SHA256 | df12010a3acd528cf221fb24572e18a5cdc0feb62801a9ec2c1f81f67bfd624b |
| SHA512 | d623de91dd5f57f1b912363ff4926f7881abf27acdf2f7a6639d8b9663e0a2ee2a264c9952bb3df6e8632f233f633ddec82ea20730d21ed072521f3cb84d0d60 |
\Users\Admin\AppData\Local\S1G6u\isoburn.exe
| MD5 | f8051f06e1c4aa3f2efe4402af5919b1 |
| SHA1 | bbcf3711501dfb22b04b1a6f356d95a6d5998790 |
| SHA256 | 50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a |
| SHA512 | 5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa |
C:\Users\Admin\AppData\Local\S1G6u\UxTheme.dll
| MD5 | c070a464999249496fa4440e1b661aea |
| SHA1 | 7be194282fb4dd365d6a904affeac221718bb7a3 |
| SHA256 | 6e68d541b5ecd18253df54bbb179be5a18190012bd8bcf50fef7138f20487708 |
| SHA512 | 3ce3e4a92e1e7303ae68aff1b3a0145f6037b500bcb2412b787695eb3176bc4dace759ad159af5a9d985559df1505ec4fe8f1e846b5e074d614960fb8490fb0f |
memory/844-105-0x00000000000F0000-0x00000000000F7000-memory.dmp
\Users\Admin\AppData\Local\JFC7h\DevicePairingWizard.exe
| MD5 | 9728725678f32e84575e0cd2d2c58e9b |
| SHA1 | dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c |
| SHA256 | d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544 |
| SHA512 | a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377 |
C:\Users\Admin\AppData\Local\JFC7h\MFC42u.dll
| MD5 | eb5fa18cb862b39867955dee3b722652 |
| SHA1 | 22c70dcd137be63601c9657edb763eac15a6f09c |
| SHA256 | fc19f6a99292b5b4fcbdfd2c5bfa6cd5e8bac679a4ded62c9da6865a88d73837 |
| SHA512 | 77ad238f4fd137d1a863d21201dba841de8651a047d355b7446ed8dd737dea15099a415263e2debe6a5b2211b796a7b26b92123b1ea7b892619d9bee3a101214 |
memory/1968-124-0x0000000000080000-0x0000000000087000-memory.dmp
memory/1264-145-0x0000000077806000-0x0000000077807000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
| MD5 | 41338688a03f3c3fd88bf947b664cfb6 |
| SHA1 | 24d607e242bf58652dcefc89c71cb0420b0f2a93 |
| SHA256 | e674d30df9de532c92f411c1173053a8b73741b093359638695274b63fa89805 |
| SHA512 | 2f5d51917800cb44f23f25dfd2caec02ff82ebd357cc1d4e3af56980a9381116bbce68ad21ced6970e83c3457f970d7d013f6166a3987558ac4282c8268db87e |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 05:21
Reported
2023-12-31 00:47
Platform
win10v2004-20231215-en