Analysis Overview
SHA256
3a4a7ab3cf76f55ab88d9713d032fd80a755e9bacc997ddcab2d1bd0efae5ab7
Threat Level: Known bad
The file 1a34ce864b2eca01d16f5a46101ad971 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 13:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 13:35
Reported
2024-01-01 00:13
Platform
win7-20231215-en
Max time kernel
3s
Max time network
119s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a34ce864b2eca01d16f5a46101ad971.dll,#1
C:\Users\Admin\AppData\Local\FgQVK99\notepad.exe
C:\Users\Admin\AppData\Local\FgQVK99\notepad.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
C:\Users\Admin\AppData\Local\89KJLO6dx\psr.exe
C:\Users\Admin\AppData\Local\89KJLO6dx\psr.exe
C:\Users\Admin\AppData\Local\Zy2cHScvI\mblctr.exe
C:\Users\Admin\AppData\Local\Zy2cHScvI\mblctr.exe
C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
Network
Files
\Users\Admin\AppData\Local\FgQVK99\VERSION.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2744-71-0x0000000140000000-0x00000001401AE000-memory.dmp
memory/2744-75-0x0000000140000000-0x00000001401AE000-memory.dmp
memory/2744-70-0x0000000000190000-0x0000000000197000-memory.dmp
C:\Users\Admin\AppData\Local\FgQVK99\notepad.exe
| MD5 | da6bc4c55c5089a480d8bbeed46b73ae |
| SHA1 | 5bc35aa0329a1259b5b47753e2ec5e8f4cd0021d |
| SHA256 | 1319542e6c8f15271caded28da5cd4e14fa1dbd4d4543502a76cb844e9edfe65 |
| SHA512 | 10c5798a18d8e2f8323fe430bb633e07a9b6dbee75d8584d9f81d482bcf62a2022029530b97ab009ac7a91a23ca8ea24397100096b9e545ddf5ad12738462ce0 |
\Users\Admin\AppData\Local\89KJLO6dx\VERSION.dll
| MD5 | 2c60c7a4ca989cce169d9e87e8a56d2e |
| SHA1 | f4d0a6c5dc132a71104586473f685c227387965b |
| SHA256 | 94af1d5cadeadae0cf945b758323062649c9256c09ae4cec0f36fa0040da9375 |
| SHA512 | df9a6959098c27be02604dc9bc8ead93747e662c9fe0f3de0dab9a3818238db0d496e7f18a5c131011a70e164340de98fb1987bb83dabbaf873816a4a5b38366 |
memory/1232-96-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1232-99-0x0000000140000000-0x00000001401AE000-memory.dmp
C:\Users\Admin\AppData\Local\89KJLO6dx\VERSION.dll
| MD5 | d30523cc4dde53ef64350da67ee76f80 |
| SHA1 | 4a004ed8cd71434b738e215ea8a579bc47b31f37 |
| SHA256 | cbd3c3d783fe1afeb99f0bd71f95f823a85cc38baad80fb8dc528d42a4c701f7 |
| SHA512 | 04c8c9a9da8b1ef1a34407c8899fc50464dd621fd343f8ac2d66b11a83151b211e0b06430f0b95b4100dca4ba5e5dd1fd4abe4da2666b4ed7a9c6231011c6be2 |
C:\Users\Admin\AppData\Local\89KJLO6dx\psr.exe
| MD5 | a06833de4f62992f720d55899bff1d82 |
| SHA1 | cd679c134b66611cadaeadd7836c89f9f3e8043d |
| SHA256 | fe8703ad60ec50cba59a7d827adb2f5630077482f8e527e07eafad75aa5c676b |
| SHA512 | d967a5dded29dc2f4ab9b9402b76a57549072bca016eb005471ab5bdf353b4278941d71f80cd06bdf74b437fcd0ca40caf05746833d837be431c0a587b126371 |
C:\Users\Admin\AppData\Local\89KJLO6dx\psr.exe
| MD5 | 46f9f73d701f304b24274fb393294c9f |
| SHA1 | c367f171a76f6ec954e3a593df00ca34c44c91c2 |
| SHA256 | c65dbb8ed8e200b518b60c7e9b55efe57c2179ed30dd5a28cc124fb8216e2743 |
| SHA512 | 6d13be424e68aee64d567d8d41bea1243616644b814ec52bdbc0de49b26b442a2b06edad8c61a9100a73fee49175ed1043a52aa963ae75a3496371560539f462 |
\Users\Admin\AppData\Local\89KJLO6dx\psr.exe
| MD5 | 8a3118111974e9a626589f14a087c71b |
| SHA1 | cf204e2f974dc67f6d50b7c7569f71c180b593cb |
| SHA256 | a30d386ff8f6f1c1d734f22d9bc4cb9db12d7229d34c922257253d7e1db1283b |
| SHA512 | 44642713b8eb41434898d3d43686280e15b1ac34959446be88ceeb60d4149141d025b9868f5af9f98567f811e1fc0c6f6e744ed3b0b107ec34d45d72533deec0 |
memory/1196-7-0x0000000140000000-0x00000001401AD000-memory.dmp
memory/1196-5-0x0000000002520000-0x0000000002521000-memory.dmp
\Users\Admin\AppData\Local\Zy2cHScvI\slc.dll
| MD5 | 323cfe54b12cd93fd003a9f001443140 |
| SHA1 | 4acf9976d2f2cb7fe698b5a1f757f5c6c63b00e3 |
| SHA256 | 7e8fe9fd1dd076093864b5c3aca81a6ec1c1e8a5a16e675cd36fc9a4502b0253 |
| SHA512 | 2854278df00ec55f2cb39fc1711bcc3a920251b3f83637a8a0e0a2a69251189aa018a86f57cd9e87ecbad8eb1f7b86920504a5e4c16271c6a21ced1ffcfda81c |
memory/2832-120-0x0000000000320000-0x0000000000327000-memory.dmp
memory/2832-123-0x0000000140000000-0x00000001401AE000-memory.dmp
C:\Users\Admin\AppData\Local\Zy2cHScvI\slc.dll
| MD5 | 1e4f3afeb2922fdeec28241bb14334f5 |
| SHA1 | f4f49baa16baac2f1d9baf9fd355967bfab4420a |
| SHA256 | c03c7661958a83c998d7b6877a377f658b82379f43ba38297524e98972980aa2 |
| SHA512 | 4276dcfb883db3f3e8c26169bdaa47d8992764b72778f62804a385e6ad0fb9bb100ec9412c3244d9aa7263d8c9ee20dbcab138659d2bdca2f0b9d108693c7c76 |
C:\Users\Admin\AppData\Local\Zy2cHScvI\mblctr.exe
| MD5 | b79a96217f382ab5dbd3f6993939f0a7 |
| SHA1 | dbebc0db998677675907467d0ffb8eb9b2c2621f |
| SHA256 | 55d424c24ef067299d3a029e081942764fbb98326696df4a53ddd3a93d3d4e86 |
| SHA512 | 0bb8fb5f13d0eaa2f82ee0b2f2d34bce9babcdab183af378c6362f66a9ad5194bef175418e1ee42ff13758e9d5594fb478b5f5df530aab180b281c9248849e4f |
C:\Users\Admin\AppData\Local\Zy2cHScvI\mblctr.exe
| MD5 | 96099ca885ca88f77d7f62f02e17f2d7 |
| SHA1 | 31feac54d0361b29f1b62cba8a51123bcde887d2 |
| SHA256 | 131bde255a7a33bf57d3ef59d5305a59cc74633c470dc4c7296a640de424b16d |
| SHA512 | b90536aa248c87a55f5c95d708507c25c0de687f19aa805e00c63bccde9dda96e28bb7b44526fb8395bfb783eb24685304945cff8d7c19e4b90952b058c00601 |
\Users\Admin\AppData\Local\Zy2cHScvI\mblctr.exe
| MD5 | 240397c04beabae695a117874caf26cb |
| SHA1 | 6b4de55b93ea258a7a7951d96be7fdf831c025bf |
| SHA256 | 9ddfcdd63293d91aec5c9f05e837f0fcd9d2cd8cece46c3852a13787c396a85c |
| SHA512 | 8a62d7d2d79839bbb4f5f4d46ad8327b0aa13004a9284ee5a19dd945ee6274e47054b259b262fe198aa849d62dc29efcb53b3426dc99cb7b482c4f6d69b95bd2 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\sj\mblctr.exe
| MD5 | ad3f0620a23f54cb8e8850cc15c92179 |
| SHA1 | 5cebdf8c8d425910c840c8391d77d2421bdc300f |
| SHA256 | 40755340ba0d985e8f52e6ced71580ab1b63c7177190767329a07b06a6f19a22 |
| SHA512 | 1b704f1a3abeaeaf36e76932259cc83ce8ffe2c0f4730e0795da254596338e97e188c7542a27ab236260998739fdac51ed3f77c69a39de77877285ffe802fb61 |
memory/1196-149-0x0000000076EB6000-0x0000000076EB7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\ymb\VERSION.dll
| MD5 | 844316961596b9018f7be7b656a14f7e |
| SHA1 | abf0b4044d07fe3e5669cc0dc101aa4771871c0c |
| SHA256 | a5704362f984f49e9db53c5464a6721cec75a2b0e1c94b54596e41bbb4b0afae |
| SHA512 | e78a58c173a24374fb836b634c39954ef8e57d3f7b3c4f903f6dabb74816e6d53258b484b3c1020aefabc2f058dd0a5729bd65a96e0211cac2ead1f2a1746328 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\eKkIliE7MX5\VERSION.dll
| MD5 | 96665bbe84edbbbadd072682405bc2c0 |
| SHA1 | 156a7d7fa4f822fae855fa759fabada5ec5e0c8b |
| SHA256 | 9dee6be7109b418413fd5b56d1a67eca31b85bd0265fdc8c741b3945dc8a4c3c |
| SHA512 | ca493f73f7b39c3233c255ae5ba8863c0a462cf5ddd7783fe40b4a3769f5819581dd31bfa17260a3e89cc078d30e1fc764378f5092cd1464a73354c25094cc10 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 13:35
Reported
2024-01-01 00:14
Platform
win10v2004-20231215-en