Analysis Overview
SHA256
c8b515be222c5ed644a449557d40cadbef722d8e53d0d248856076381400654a
Threat Level: Known bad
The file 1234e30bc5be49344b0f9922d66b9865 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 07:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 07:31
Reported
2023-12-31 05:59
Platform
win10v2004-20231215-en
Max time kernel
3s
Max time network
108s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1234e30bc5be49344b0f9922d66b9865.dll,#1
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Admin\AppData\Local\4Y69FHF\Taskmgr.exe
C:\Users\Admin\AppData\Local\4Y69FHF\Taskmgr.exe
C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
C:\Users\Admin\AppData\Local\jPoBg\sigverif.exe
C:\Users\Admin\AppData\Local\jPoBg\sigverif.exe
C:\Windows\system32\BitLockerWizard.exe
C:\Windows\system32\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\3NI6\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\3NI6\BitLockerWizard.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | | tcp |
| US | 20.242.39.171:443 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 20.242.39.171:443 | | tcp |
| US | 52.111.229.19:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\4Y69FHF\credui.dll
| MD5 | 05d899d5bc57411b5e661e27262a8d6f |
| SHA1 | 4d3f1b6ed9b55501c27c1ff6009163477b4e4de3 |
| SHA256 | dc978a42b16613a47e2497da2b2392f4a893d66bd3e8a99f1d5bcc036edb16df |
| SHA512 | 80b686e1bd6b58768ca59981c4d16da61e7f785fb812c6235ca3d0be6c526cd10ff3effb91ea2b2235fa47ac920813c1ffcc09be1e79950ae7ba37557ee426e3 |
memory/636-70-0x0000000140000000-0x0000000140175000-memory.dmp
memory/636-75-0x0000000140000000-0x0000000140175000-memory.dmp
C:\Users\Admin\AppData\Local\4Y69FHF\Taskmgr.exe
| MD5 | dad1b363659d57d4c50b0b4663165bd2 |
| SHA1 | 0a91bfe4c7fc66336b096b9f2c2b39c57bf9b88a |
| SHA256 | 860b0a5a713f30bfa22455cb462c0e2ef5a6a8b4992a3daf35dc04482d2d6bca |
| SHA512 | e3c05ef05d3359dfc0c2827fcdace818a263bb774f254ae4a0b429578866c529fed20b243a3f083b275a32b7f215c0017d3f684021c7af7d9446beea3676713b |
memory/636-69-0x00000146E6210000-0x00000146E6217000-memory.dmp
C:\Users\Admin\AppData\Local\4Y69FHF\credui.dll
| MD5 | 148782e7edfe64771b8ba8fb68dfae3b |
| SHA1 | 98e0b0e953eff5698b414ce10d22c5e627ad647d |
| SHA256 | f99aeb56be2c073062fbbe1bcdec75fcbfb8908f9b9dbbfc78b1c63716096198 |
| SHA512 | cd045f4a7febbac3125969af6e1a002fa4cd47416c8db4842dc84acf5c76c43a25feaae54b66ea1bc8142239cbd96d323dc7e8d7e21ccf4fbab2f38e7b70cb64 |
memory/5048-86-0x000001F9A6030000-0x000001F9A6037000-memory.dmp
memory/5048-92-0x0000000140000000-0x0000000140175000-memory.dmp
C:\Users\Admin\AppData\Local\jPoBg\sigverif.exe
| MD5 | 2151a535274b53ba8a728e542cbc07a8 |
| SHA1 | a2304c0f2616a7d12298540dce459dd9ccf07443 |
| SHA256 | 064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd |
| SHA512 | e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f |
C:\Users\Admin\AppData\Local\3NI6\FVEWIZ.dll
| MD5 | e03a42723a74da51af06c4826d433214 |
| SHA1 | a50f9d4188271cd05f23d79b2474b14a103d72ff |
| SHA256 | 57b24783fe276ce6db2e196ccbd817b590c35bc0e05469980135c49b5f13b2df |
| SHA512 | bfb6764624474439d8472efbd8b7234ce36521c12dec983af7cdbe48c043733ce0ed497a7da385b1257b23940e3fb7905fe6fdff4622fbe4a4fa0f30383ae33c |
C:\Users\Admin\AppData\Local\3NI6\BitLockerWizard.exe
| MD5 | 6d30c96f29f64b34bc98e4c81d9b0ee8 |
| SHA1 | 4a3adc355f02b9c69bdbe391bfb01469dee15cf0 |
| SHA256 | 7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74 |
| SHA512 | 25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8 |
memory/2808-103-0x0000018EC6520000-0x0000018EC6527000-memory.dmp
memory/2808-109-0x0000000140000000-0x0000000140175000-memory.dmp
C:\Users\Admin\AppData\Local\3NI6\FVEWIZ.dll
| MD5 | f23294a4964e9898521a463595c26503 |
| SHA1 | bf2c19a195eb77cfa55bb8853de1e29b1b5bcf75 |
| SHA256 | a9afeea7b6e882262ff89a787464c333f631a13fb4cb898be15a0d09fcd17c9c |
| SHA512 | 05196fbdf07de351d4dc8e989ca0876971290680180ada1dfdc0cc47236da7e2f3ea28ef3f2c902d75877fd1e296ae72db85df4a655bba9827b1c310e4a6ed0e |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 07:31
Reported
2023-12-31 05:58
Platform
win7-20231129-en