Analysis Overview
SHA256
d0716107ad0161ef0ad0627f82753053e722ed2ecff1498cad509ce16459069d
Threat Level: Known bad
The file 22fcf9040c27944c1d46cdcd9998ea24 was found to be: Known bad.
The sample is a DLL and is detonated with regsvr32 /s from %TEMP%. In both behavioral runs it starts Windows executables (sethc.exe, ProximityUxHost.exe and cmstp.exe on Windows 10; xpsrchvw.exe, rdpshell.exe and icardagt.exe on Windows 7) both from C:\Windows\system32 and from identically named files in randomly named folders under %LOCALAPPDATA%, where each one loads a dropped DLL (Executes dropped EXE, Loads dropped DLL) and, on Windows 7, queries EnableLUA. On Windows 7 the loader also writes into the memory of every spawned process and installs an HKCU Run value that points at a further copy of rdpshell.exe under %APPDATA%\Identities; a Task Scheduler COM API hit is recorded without detail. If the files under %LOCALAPPDATA% are copies of the signed Windows binaries they are named after, EXE hashes and signature checks will not flag them: the execution path, the side-loaded DLL and the Run value are the indicators to act on. Neither run recorded command-and-control traffic.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 01:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 01:35
Reported
2024-01-01 18:55
Platform
win10v2004-20231222-en
Max time kernel
3s
Max time network
138s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\22fcf9040c27944c1d46cdcd9998ea24.dll |
| C:\Windows\system32\sethc.exe | C:\Windows\system32\sethc.exe |
| C:\Users\Admin\AppData\Local\mFeIKTMYB\ProximityUxHost.exe | C:\Users\Admin\AppData\Local\mFeIKTMYB\ProximityUxHost.exe |
| C:\Windows\system32\ProximityUxHost.exe | C:\Windows\system32\ProximityUxHost.exe |
| C:\Users\Admin\AppData\Local\Fl8m\cmstp.exe | C:\Users\Admin\AppData\Local\Fl8m\cmstp.exe |
| C:\Windows\system32\cmstp.exe | C:\Windows\system32\cmstp.exe |
| C:\Users\Admin\AppData\Local\qWW\sethc.exe | C:\Users\Admin\AppData\Local\qWW\sethc.exe |
Network
No command-and-control traffic was captured in this run: the table holds reverse-DNS lookups sent to 8.8.8.8 and TLS sessions to tse1.mm.bing.net, which is consistent with Windows background activity rather than with the sample.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/3924-0-0x0000000000A70000-0x0000000000A77000-memory.dmp
memory/3924-1-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3924-7-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-14-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-20-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-25-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-30-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-31-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-32-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-34-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-38-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-43-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-46-0x0000000001210000-0x0000000001217000-memory.dmp
memory/3528-45-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-53-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-65-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-63-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-54-0x00007FF95A700000-0x00007FF95A710000-memory.dmp
memory/3528-44-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-42-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-41-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1060-74-0x0000000140000000-0x000000014024F000-memory.dmp
memory/1060-80-0x0000000140000000-0x000000014024F000-memory.dmp
memory/1060-76-0x00000243A6230000-0x00000243A6237000-memory.dmp
memory/1524-94-0x00000210B0C40000-0x00000210B0C47000-memory.dmp
memory/1524-92-0x0000000140000000-0x000000014020A000-memory.dmp
memory/1524-98-0x0000000140000000-0x000000014020A000-memory.dmp
memory/4492-112-0x0000021D6B790000-0x0000021D6B797000-memory.dmp
memory/3528-40-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-39-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-37-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-36-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-35-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-33-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-29-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-28-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-27-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-26-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-24-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-23-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-22-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-21-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-19-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-18-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-17-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-16-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-15-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-13-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-12-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-11-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-10-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-9-0x00007FF95885A000-0x00007FF95885B000-memory.dmp
memory/3528-8-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-6-0x0000000140000000-0x0000000140209000-memory.dmp
memory/3528-4-0x0000000003140000-0x0000000003141000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 01:35
Reported
2024-01-01 18:56
Platform
win7-20231215-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\eS7l7B\xpsrchvw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3boEIrq\rdpshell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\tvnSWOju\icardagt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\eS7l7B\xpsrchvw.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3boEIrq\rdpshell.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\tvnSWOju\icardagt.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\fX7yEAUkx\\rdpshell.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eS7l7B\xpsrchvw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3boEIrq\rdpshell.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\tvnSWOju\icardagt.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
61 further EnumeratesProcesses hits were recorded with no description, indicator, process or target.
Suspicious use of WriteProcessMemory
The writer, PID 1200, is not the process that first held the loader image (PID 2108, dump sequence 0 under Files below); it acquires the same 0x0000000140000000-0x0000000140209000 mapping from dump sequence 7 onward and then performs three writes into each spawned target, system32 original and %LOCALAPPDATA% copy alike. The report does not name the process behind PID 1200.
| Description | Indicator | Process | Target |
| PID 1200 wrote to memory of 2600 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1200 wrote to memory of 2600 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1200 wrote to memory of 2600 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1200 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\eS7l7B\xpsrchvw.exe |
| PID 1200 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\eS7l7B\xpsrchvw.exe |
| PID 1200 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\eS7l7B\xpsrchvw.exe |
| PID 1200 wrote to memory of 2888 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 1200 wrote to memory of 2888 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 1200 wrote to memory of 2888 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 1200 wrote to memory of 2892 | N/A | N/A | C:\Users\Admin\AppData\Local\3boEIrq\rdpshell.exe |
| PID 1200 wrote to memory of 2892 | N/A | N/A | C:\Users\Admin\AppData\Local\3boEIrq\rdpshell.exe |
| PID 1200 wrote to memory of 2892 | N/A | N/A | C:\Users\Admin\AppData\Local\3boEIrq\rdpshell.exe |
| PID 1200 wrote to memory of 332 | N/A | N/A | C:\Windows\system32\icardagt.exe |
| PID 1200 wrote to memory of 332 | N/A | N/A | C:\Windows\system32\icardagt.exe |
| PID 1200 wrote to memory of 332 | N/A | N/A | C:\Windows\system32\icardagt.exe |
| PID 1200 wrote to memory of 1648 | N/A | N/A | C:\Users\Admin\AppData\Local\tvnSWOju\icardagt.exe |
| PID 1200 wrote to memory of 1648 | N/A | N/A | C:\Users\Admin\AppData\Local\tvnSWOju\icardagt.exe |
| PID 1200 wrote to memory of 1648 | N/A | N/A | C:\Users\Admin\AppData\Local\tvnSWOju\icardagt.exe |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\22fcf9040c27944c1d46cdcd9998ea24.dll |
| C:\Windows\system32\xpsrchvw.exe | C:\Windows\system32\xpsrchvw.exe |
| C:\Users\Admin\AppData\Local\eS7l7B\xpsrchvw.exe | C:\Users\Admin\AppData\Local\eS7l7B\xpsrchvw.exe |
| C:\Windows\system32\rdpshell.exe | C:\Windows\system32\rdpshell.exe |
| C:\Users\Admin\AppData\Local\3boEIrq\rdpshell.exe | C:\Users\Admin\AppData\Local\3boEIrq\rdpshell.exe |
| C:\Users\Admin\AppData\Local\tvnSWOju\icardagt.exe | C:\Users\Admin\AppData\Local\tvnSWOju\icardagt.exe |
| C:\Windows\system32\icardagt.exe | C:\Windows\system32\icardagt.exe |
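The chain documented in both behavioral runs (regsvr32 /s loading the DLL from %TEMP%, Windows executables run from random folders under %LOCALAPPDATA%, and the Run value pointing under %APPDATA%\Identities) can be turned into path-based detection logic, since hashes of the copied executables are of no use. The Python below is an added example, not part of the sandbox report and not any vendor's rule set; the event records are constructed from the paths printed in this report, and the Event field names, the SYSTEM_IMAGES list and the rule names are assumptions for illustration.

```python
"""Path-based detection for the staging pattern in this report.

Added example, not part of the sandbox report and not a vendor rule set.
The events below are constructed from paths printed in the report; the
Event field names, SYSTEM_IMAGES and the rule names are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass

# Image names that belong in a Windows system directory. Only the names
# that occur in this report are listed; a real allowlist would be built
# from a clean reference host (assumption).
SYSTEM_IMAGES = {
    "regsvr32.exe", "sethc.exe", "proximityuxhost.exe", "cmstp.exe",
    "xpsrchvw.exe", "rdpshell.exe", "icardagt.exe",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


@dataclass
class Event:
    kind: str          # "process" or "registry" (assumed schema)
    image: str = ""    # process image path
    cmdline: str = ""  # process command line
    key: str = ""      # full registry value path
    data: str = ""     # registry value data as written


def _norm(path):
    """Lower-case, strip quotes and collapse doubled backslashes as printed by the sandbox."""
    return path.strip().strip('"').replace("\\\\", "\\").lower()


def check_process(ev):
    findings = []
    image = _norm(ev.image)
    name, folder = ntpath.basename(image), ntpath.dirname(image)
    # A system binary name running from a user-writable folder instead of
    # System32/SysWOW64: the side-loading staging seen in both runs.
    if (name in SYSTEM_IMAGES and not folder.startswith(SYSTEM_DIRS)
            and USER_WRITABLE.match(image)):
        findings.append(("system_binary_from_user_dir", image))
    # regsvr32 /s <dll> with the DLL in %TEMP%: how the sample itself was run.
    if name == "regsvr32.exe":
        m = re.search(r"\s/s\s+(\S+\.dll)", ev.cmdline, re.I)
        if m and TEMP_DIR.match(_norm(m.group(1))):
            findings.append(("regsvr32_silent_dll_from_temp", _norm(m.group(1))))
    return findings


def check_registry(ev):
    findings = []
    # A Run value whose target lives under AppData: the persistence entry.
    if RUN_KEY.search(ev.key):
        target = _norm(ev.data)
        if USER_WRITABLE.match(target):
            findings.append(("run_key_to_appdata", target))
    return findings


def scan(events):
    out = []
    for ev in events:
        out.extend(check_process(ev) if ev.kind == "process" else check_registry(ev))
    return out


# Constructed from the report's process trees and Run-key signature;
# not an export from the sandbox.
REPORT_EVENTS = [
    Event("process", image=r"C:\Windows\system32\regsvr32.exe",
          cmdline=r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\22fcf9040c27944c1d46cdcd9998ea24.dll"),
    Event("process", image=r"C:\Windows\system32\xpsrchvw.exe"),
    Event("process", image=r"C:\Users\Admin\AppData\Local\eS7l7B\xpsrchvw.exe"),
    Event("process", image=r"C:\Windows\system32\rdpshell.exe"),
    Event("process", image=r"C:\Users\Admin\AppData\Local\3boEIrq\rdpshell.exe"),
    Event("process", image=r"C:\Users\Admin\AppData\Local\tvnSWOju\icardagt.exe"),
    Event("process", image=r"C:\Windows\system32\icardagt.exe"),
    Event("process", image=r"C:\Users\Admin\AppData\Local\qWW\sethc.exe"),
    Event("registry",
          key=r"\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000"
              r"\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm",
          data=r'"C:\\Users\\Admin\\AppData\\Roaming\\Identities\\fX7yEAUkx\\rdpshell.exe"'),
]


def findings_for_report():
    return scan(REPORT_EVENTS)


if __name__ == "__main__":
    for rule, detail in findings_for_report():
        print(f"{rule:32} {detail}")
```

The four system32 launches produce no finding; the four launches from %LOCALAPPDATA% folders, the regsvr32 command line and the Run value do. Against real telemetry the same three checks apply to process-creation and registry-set events from Sysmon or an EDR, with SYSTEM_IMAGES replaced by an inventory of the reference host's system directories.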
Network
Files
memory/2108-0-0x0000000140000000-0x0000000140209000-memory.dmp
memory/2108-1-0x00000000001A0000-0x00000000001A7000-memory.dmp
memory/1200-4-0x0000000077756000-0x0000000077757000-memory.dmp
memory/1200-5-0x0000000003A20000-0x0000000003A21000-memory.dmp
memory/2108-8-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-15-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-28-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-37-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-44-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-46-0x0000000003050000-0x0000000003057000-memory.dmp
memory/1200-55-0x0000000077AC0000-0x0000000077AC2000-memory.dmp
memory/1200-54-0x0000000077961000-0x0000000077962000-memory.dmp
memory/1200-64-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-53-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-45-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-43-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-70-0x0000000140000000-0x0000000140209000-memory.dmp
memory/2644-84-0x0000000000280000-0x0000000000287000-memory.dmp
memory/2644-82-0x0000000140000000-0x000000014020B000-memory.dmp
memory/1200-74-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-42-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-41-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-40-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-39-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-38-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-36-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-35-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-34-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-33-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-32-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-31-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-30-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-29-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-27-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-26-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-25-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-24-0x0000000140000000-0x0000000140209000-memory.dmp
memory/2892-109-0x0000000001F20000-0x0000000001F27000-memory.dmp
memory/1200-23-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-22-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-21-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-20-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-19-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-18-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-17-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-16-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-14-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-13-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-12-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-11-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-9-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-10-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1200-7-0x0000000140000000-0x0000000140209000-memory.dmp
memory/1648-132-0x00000000003D0000-0x00000000003D7000-memory.dmp
memory/1200-161-0x0000000077756000-0x0000000077757000-memory.dmp
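The Files sections of both behavioral runs list only memory dump names, but those names encode PID, dump sequence and address range, which is enough to see the loader mapping at 0x0000000140000000-0x0000000140209000 move from PID 2108 into PID 1200 on Windows 7 and from PID 3924 into PID 3528 on Windows 10. The Python below is an added example, not part of the report: it parses that naming pattern and finds the large region that more than one PID holds at the same address. The dump-name lists are subsets copied from the two Files sections; the 1 MiB size threshold and the function names are assumptions.

```python
"""Recover process relationships from sandbox memory dump names.

Added example, not part of the sandbox report. The dump-name lists are
subsets copied from the two Files sections; the pattern
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is taken from those
names, and the 1 MiB threshold in shared_image_regions is an assumption.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Return (pid, seq, start, end) for one dump file name."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def regions_by_pid(names):
    """pid -> set of distinct (start, end) regions dumped from that process."""
    out = defaultdict(set)
    for n in names:
        pid, _, start, end = parse_dump(n)
        out[pid].add((start, end))
    return dict(out)


def first_pid(names):
    """PID of the earliest dump in the run (lowest sequence number)."""
    return min((parse_dump(n) for n in names), key=lambda t: t[1])[0]


def shared_image_regions(names, min_size=0x100000):
    """Regions of at least min_size bytes dumped from more than one PID.

    An image-sized region at the same address in several processes is the
    trace that the loader moved from the process that first held it into
    others. Regions with a different end address are kept apart on purpose.
    """
    holders = defaultdict(set)
    for n in names:
        pid, _, start, end = parse_dump(n)
        if end - start >= min_size:
            holders[(start, end)].add(pid)
    return {r: sorted(p) for r, p in holders.items() if len(p) > 1}


def injection_candidates(names):
    """PIDs other than the first one that hold the first PID's image region."""
    origin = first_pid(names)
    out = set()
    for pids in shared_image_regions(names).values():
        if origin in pids:
            out.update(p for p in pids if p != origin)
    return sorted(out)


# Subsets of the report's Files sections: Windows 7 run, then Windows 10 run.
BEHAVIORAL1_DUMPS = [
    "memory/2108-0-0x0000000140000000-0x0000000140209000-memory.dmp",
    "memory/2108-1-0x00000000001A0000-0x00000000001A7000-memory.dmp",
    "memory/1200-4-0x0000000077756000-0x0000000077757000-memory.dmp",
    "memory/1200-15-0x0000000140000000-0x0000000140209000-memory.dmp",
    "memory/2644-82-0x0000000140000000-0x000000014020B000-memory.dmp",
    "memory/2644-84-0x0000000000280000-0x0000000000287000-memory.dmp",
    "memory/2892-109-0x0000000001F20000-0x0000000001F27000-memory.dmp",
    "memory/1648-132-0x00000000003D0000-0x00000000003D7000-memory.dmp",
]
BEHAVIORAL2_DUMPS = [
    "memory/3924-0-0x0000000000A70000-0x0000000000A77000-memory.dmp",
    "memory/3924-1-0x0000000140000000-0x0000000140209000-memory.dmp",
    "memory/3528-14-0x0000000140000000-0x0000000140209000-memory.dmp",
    "memory/3528-46-0x0000000001210000-0x0000000001217000-memory.dmp",
    "memory/1060-74-0x0000000140000000-0x000000014024F000-memory.dmp",
    "memory/1524-92-0x0000000140000000-0x000000014020A000-memory.dmp",
    "memory/4492-112-0x0000021D6B790000-0x0000021D6B797000-memory.dmp",
]

if __name__ == "__main__":
    for label, dumps in (("win7", BEHAVIORAL1_DUMPS), ("win10", BEHAVIORAL2_DUMPS)):
        print(label, "origin:", first_pid(dumps),
              "shared:", shared_image_regions(dumps),
              "candidates:", injection_candidates(dumps))
```

The processes started from the %LOCALAPPDATA% folders (PIDs 2644, 1060 and 1524) also hold an image at 0x0000000140000000, but with different end addresses, so the helper keeps them apart from the loader mapping; the names alone do not say what those images are. A 0x7000-byte region is dumped from every process in both runs, which is worth carving out when the dumps themselves are available.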