Analysis Overview
SHA256
f2ac70d80c13a77d6e2cdb5b1c131f1bb1fa84a2ff093039c70954aed90d1b79
Threat Level: Known bad
The file 1a04a1187c2d9ada362c17c66075c8b5 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 13:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 13:28
Reported
2023-12-31 23:52
Platform
win7-20231215-en
Max time kernel
3s
Max time network
119s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a04a1187c2d9ada362c17c66075c8b5.dll,#1
C:\Users\Admin\AppData\Local\yvB6D\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\yvB6D\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\fVBDqT\BdeUISrv.exe
C:\Users\Admin\AppData\Local\fVBDqT\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
C:\Users\Admin\AppData\Local\HjJCtE8hU\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\HjJCtE8hU\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 13:28
Reported
2023-12-31 23:52
Platform
win10v2004-20231215-en
Max time kernel
1s
Max time network
66s
Command Line
Signatures
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a04a1187c2d9ada362c17c66075c8b5.dll,#1
C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\EHr\eudcedit.exe
C:\Users\Admin\AppData\Local\EHr\eudcedit.exe
C:\Users\Admin\AppData\Local\4TLC3mXPZ\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\4TLC3mXPZ\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\oaz\PasswordOnWakeSettingFlyout.exe
C:\Users\Admin\AppData\Local\oaz\PasswordOnWakeSettingFlyout.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| IE | 20.166.126.56:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| IE | 20.166.126.56:443 | N/A | tcp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\EHr\eudcedit.exe
| MD5 | a0bc051fbfe918aa85b77c3d84c1f075 |
| SHA1 | 26a1ecbf95e62124eee4aa6631b6c98d7f9a86a9 |
| SHA256 | cb1d269eeeb3134328fb71f28871b8c07e80481b3b68c0293326b341f562b823 |
| SHA512 | 21a94d82d7a26ea391d3d48b8d021d931f3a6ee9b72ec134f08f056f2f54a04967029786ca159863771118addab2d2bc2e5ead35fd5d69ba127461bf12e0f296 |
C:\Users\Admin\AppData\Local\EHr\MFC42u.dll
| MD5 | 8932e9ea28f1d329b53dc2ffd9e6fa72 |
| SHA1 | d2a42978b117dfd5a1e8e178db8a5e620e960104 |
| SHA256 | 0e1d46ac7175968a05951f95f0dfb6ebe62e84136211880fd7597241fb368a0b |
| SHA512 | c845b8559bf162d680183a2b780ddad6d45910603238efc4d05b2e8773800d908864b55b6b8ca80bbba6937e816f4fe2d8cf9e1b50f55af7a38b83f14d7c9f80 |
C:\Users\Admin\AppData\Local\oaz\PasswordOnWakeSettingFlyout.exe
| MD5 | 591a98c65f624c52882c2b238d6cd4c4 |
| SHA1 | c960d08c19d777069cf265dcc281807fbd8502d7 |
| SHA256 | 5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06 |
| SHA512 | 1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074 |
C:\Users\Admin\AppData\Local\oaz\DUI70.dll
| MD5 | 97865a65ab0158d3f5945385a9a3c105 |
| SHA1 | ad146c6dbdd4e679fc369f61a34267c70bbaee11 |
| SHA256 | 1c9e6a633f8ef73fd1293068e383b76ac9a2476c5a6adcfe485bf0f568fb9fad |
| SHA512 | 878ab0ab1bb6de61f8c3977c6652cc0dbf37bf0935ccbeac602dbd39ece806a96f6d554dcfb7f10806c9e6ad067f3c2bfff1476af00f3fd194865b80af2ed6cf |
C:\Users\Admin\AppData\Local\4TLC3mXPZ\MDMAppInstaller.exe
| MD5 | f9db5e0570631ee9d5d93faed6e83874 |
| SHA1 | 1ad8809a0eb44b9fc4ab5c959c49f2499e97ae34 |
| SHA256 | 521b87d8c9752741f5c4bc7dd7abc08303bea4073010623dd75166a90a540cf3 |
| SHA512 | f3c7f3fd8f89bd51a475fce6d602fbdd1f9dd8e92940e6e64af0df71c782d9cf4983e86e079159cedfee7abf15ad0d9ed97db0f9045a32dc36d1e3100da1fe34 |
C:\Users\Admin\AppData\Local\4TLC3mXPZ\WTSAPI32.dll
| MD5 | fa7643f87d854529357a10b17a453033 |
| SHA1 | 2e3f03ac3dd988edbf61dd3dde552b2cea8ace5f |
| SHA256 | e73467fd2893fa5430690208a37b89e80aebc867b26208c8c2be409d3260d921 |
| SHA512 | 8e3becf37e24902ccd89774ed92bb2b31c8e5baa75208b9a2c6de405af86ae14ba53e7b71a0190f85a86f396c85fdd868b0ced224d9fe39ababb4d4d5f8bd9bd |
C:\Users\Admin\AppData\Local\4TLC3mXPZ\MDMAppInstaller.exe
| MD5 | 5fb969a7cf8ca845a5daec8ba987e47a |
| SHA1 | a450e68a3f6153ae4afd2e71d3de3e7cddbc4181 |
| SHA256 | d5e5465193be672bcd314a4c3a48d98bd540bd4accde9bd52d39edde2ad75f4d |
| SHA512 | 8c7dd693e5fa5e6fb007319eaa48c72d73d3940033b1666d22787994c52386c308e4c0d8b1f070fd02d0939143950c745ab3c2b6d8b5bf14fff8be20c1305473 |
C:\Users\Admin\AppData\Local\4TLC3mXPZ\WTSAPI32.dll
| MD5 | d8acf8f64112b8f813bce3d419523bfa |
| SHA1 | 3697ab9c55985cf2939095d9124e2fe27e4504a9 |
| SHA256 | d4cf30e7d72029e0253f1cbb7708e39a0bb5f6d814da0cea00e09e642d7145af |
| SHA512 | 709ae10e1a11484e8148c8eeb25ed88e2788a5db2abecc91dac1d14bdead161766d742483c31e27eb533a3e5a882b8a89859d4d0e21e467053f3f979408d5128 |
C:\Users\Admin\AppData\Local\oaz\PasswordOnWakeSettingFlyout.exe
| MD5 | a46f6b4b9f57b1bcc9fb9fee749814ce |
| SHA1 | 6decd7f23c68bdbda5e7f021542e51797d2a25af |
| SHA256 | dcb8812f19428fd69b0e61838c0114283f5a506dc102db1113ce0ba0931e6ca1 |
| SHA512 | 42c87ac363bc80cfa14dd9c1f2d529a3e57774bf84d64d6cf63e4d5ba7f0e7dd1427a1c7fab8fa9f52e4e247ff2605f7e7e815a9599ad1a878705a47181aa697 |
C:\Users\Admin\AppData\Local\oaz\DUI70.dll
| MD5 | d81615a3fc522337d53aa95b754c4ea1 |
| SHA1 | 3596130586b994759c73b95ba0798f617e466fa5 |
| SHA256 | ef955cd093dbfbf13f3d1bd5c0b76882b8521eb3a705325ff136a9d56a99d3d8 |
| SHA512 | d666d25eff8fad5cd0b8291dcf7ef2bcaf80c120fbb6aa45a923d5dda88fa8f154a161dd225b09d5323010218e9d175c5d9a7be404da748e496c24207da364cb |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk
| MD5 | e6b19fc59b1040647a61e9c24c7bba41 |
| SHA1 | 22340aae6c992698d5125f1b9cc8e12732f830f7 |
| SHA256 | 17f267394d52ce487fe8f5afae4f067ab3515d9a82ee6c955356511d1309e913 |
| SHA512 | 489f3edf1f29d29018206d0255c3d5d20ae4ea84bf1f35ad7b9df0157393e138941b186703ce10c5913bfa461017e4011c52adcf02a36a90fa2220615e2e18c9 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\0aygiPIM\MFC42u.dll
| MD5 | 8ea014efbb027eaa894c44a28901b842 |
| SHA1 | 36d55b8ec4272508ad43d428dfe688b6f3f1b240 |
| SHA256 | 1ac14eedaa468625f6cd97d00c29752f60375e5258a704cca7382950e184bd87 |
| SHA512 | f932ef2f55ac7b64417ee76f87e797e4d9b54136127145e24eb5da24923f37ca9cfa6d10bef519436cc559bbe521416351b8e4518a5e10c4623d7dae3aff7779 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\v2\DUI70.dll
| MD5 | 888d94a1e68e3b21a7b040bd706a1b2b |
| SHA1 | 12e5745192a47dc01365f0f237a9b7db09469514 |
| SHA256 | 2b026c3a2ea2b1f6676096e4d60ce3598f83bbdfa18eb96a56b260dfd77bce46 |
| SHA512 | 60ad4c0b5ba207518b26e1451c0a3b9266954fd892b9cd513ebc81f73bbc2d69a4aa7b56c45f3bc30debf72657aaa46d940b5df4bfe9ab0d489c95b05d910b40 |
C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\6aN3gS\WTSAPI32.dll
| MD5 | 98a1e6321ce4d97320ba0a4b4b9ea435 |
| SHA1 | eeba6f20ea495c8c3d4ae0f1faad6cfef3c16b3e |
| SHA256 | 2a0daa2ee90019053a78a25e841a5fe6f84db6199d26fda4a6b28545ea534225 |
| SHA512 | 76c62c086544fe9a387200ac22dc9163dc1c5816d651838f6caabb2e2689fa2ce93baf9a4e9a3b06bfe2d4dcbc77c1ccd61df43f648e8f6c0bdaf302a32e2299 |