Analysis Overview
SHA256
574f1ff94f0541c9f61e481da5571b871f08cc353dfd3e7ac3f26db7c48092bd
Threat Level: Known bad
The file 23f9722883a35d597e3c81e25467946e was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 02:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 02:09
Reported
2024-01-05 04:03
Platform
win7-20231215-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\tPVJ3\osk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\tPVJ3\osk.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\tnhZ1T\\osk.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\tPVJ3\osk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9722883a35d597e3c81e25467946e.dll,#1
C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\C0ZUD\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
C:\Users\Admin\AppData\Local\tPVJ3\osk.exe
C:\Users\Admin\AppData\Local\tPVJ3\osk.exe
C:\Windows\system32\DevicePairingWizard.exe
C:\Windows\system32\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe
C:\Users\Admin\AppData\Local\xhz7\DevicePairingWizard.exe
Network
Files
memory/1684-0-0x0000000000290000-0x0000000000297000-memory.dmp
memory/1684-1-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-4-0x0000000077576000-0x0000000077577000-memory.dmp
memory/1204-5-0x0000000003BA0000-0x0000000003BA1000-memory.dmp
memory/1684-8-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-15-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-22-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-29-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-37-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-46-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-47-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-49-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-58-0x00000000777E0000-0x00000000777E2000-memory.dmp
memory/1204-57-0x0000000077681000-0x0000000077682000-memory.dmp
memory/1204-67-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-72-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/2696-87-0x0000000000180000-0x0000000000187000-memory.dmp
memory/1204-76-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-56-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-48-0x0000000003B30000-0x0000000003B37000-memory.dmp
memory/1204-45-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-44-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-43-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-42-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-41-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-40-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-39-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-38-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-36-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-35-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-34-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-33-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-32-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-31-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-30-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-28-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-27-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1868-109-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1204-26-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-25-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-24-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-23-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-21-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-20-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-19-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-18-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-17-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-16-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-14-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-13-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-12-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-11-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-10-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-9-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1204-7-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1556-133-0x0000000000230000-0x0000000000237000-memory.dmp
memory/1204-157-0x0000000077576000-0x0000000077577000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 02:09
Reported
2024-01-05 04:03
Platform
win10v2004-20231222-en
Max time kernel
3s
Max time network
152s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9722883a35d597e3c81e25467946e.dll,#1
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\8cUn95O9O\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\8cUn95O9O\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
C:\Users\Admin\AppData\Local\jXHH\BdeUISrv.exe
C:\Users\Admin\AppData\Local\jXHH\BdeUISrv.exe
C:\Users\Admin\AppData\Local\2Ex9d5\wlrmdr.exe
C:\Users\Admin\AppData\Local\2Ex9d5\wlrmdr.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | | tcp |
Files
memory/4696-0-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/4696-2-0x0000020EEBEA0000-0x0000020EEBEA7000-memory.dmp
memory/3436-11-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-17-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-21-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-25-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-29-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-33-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-32-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-38-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-42-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-45-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-47-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-48-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-50-0x0000000000F60000-0x0000000000F67000-memory.dmp
memory/3436-46-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-56-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-57-0x00007FFE990E0000-0x00007FFE990F0000-memory.dmp
memory/3436-44-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-68-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/2344-77-0x0000000140000000-0x00000001401CA000-memory.dmp
memory/2344-78-0x00000172A5F00000-0x00000172A5F07000-memory.dmp
C:\Users\Admin\AppData\Local\8cUn95O9O\SYSDM.CPL
| MD5 | 9e808ed225d34e28d10df34ec73d7b0e |
| SHA1 | 12c05a360e40475b5ff611795129a4d5ba1096d4 |
| SHA256 | cc115559b99e76c3d6a2428b314c176b7dfdba1a2bc1d98a054bbdb59f1407e5 |
| SHA512 | edd72bd01efda4d0dc79c365d2051f126f48225948086767df7fba4f01a5ab8f62d9eb797c4c164f4d81dde466da8b135c8a0feb147df4ee5fe977183114e8d1 |
C:\Users\Admin\AppData\Local\8cUn95O9O\SystemPropertiesDataExecutionPrevention.exe
| MD5 | de58532954c2704f2b2309ffc320651d |
| SHA1 | 0a9fc98f4d47dccb0b231edf9a63309314f68e3b |
| SHA256 | 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3 |
| SHA512 | d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed |
memory/3436-66-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-43-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-41-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/2344-83-0x0000000140000000-0x00000001401CA000-memory.dmp
memory/3436-40-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-39-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-37-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-36-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-35-0x0000000140000000-0x00000001401C9000-memory.dmp
C:\Users\Admin\AppData\Local\jXHH\WTSAPI32.dll
| MD5 | 63f58594c3fc344df441728f8954142b |
| SHA1 | 5392b49d41c2feb6cc7146b6375602872e2c3754 |
| SHA256 | ae051b68bf8b35c23e0e009e30b7d4bd374964434a8aa694eb517ca917462aeb |
| SHA512 | bea2b9db9280c155008be31643daba115e5d5580e5a5c34fc18c267b30602040fb198d29a0c04cf0edb33d168bcbb67f09c44b24c5baa1f7ec312767b0798940 |
memory/2792-96-0x0000014045B20000-0x0000014045B27000-memory.dmp
C:\Users\Admin\AppData\Local\jXHH\BdeUISrv.exe
| MD5 | 8595075667ff2c9a9f9e2eebc62d8f53 |
| SHA1 | c48b54e571f05d4e21d015bb3926c2129f19191a |
| SHA256 | 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db |
| SHA512 | 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88 |
memory/3436-34-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-31-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-30-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-28-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-27-0x0000000140000000-0x00000001401C9000-memory.dmp
C:\Users\Admin\AppData\Local\2Ex9d5\DUI70.dll
| MD5 | 5778498d28bdd0992e7f14021f31f431 |
| SHA1 | 2e6aa54a115f9bc52337f85db5257c4ff8175969 |
| SHA256 | 087775601141028da6c411938419ab2213b35138ce5e3aca66b3601386b8ae07 |
| SHA512 | 4cd5bc909b3fadeb14be3dbca3c939a63f76e3fd4a40368b943c89e708f858537d3b9f3314edc70a38ba24869bb270548ee8fd3beb3d8f817c972bde4bc5d4bf |
memory/1864-113-0x0000013365AF0000-0x0000013365AF7000-memory.dmp
C:\Users\Admin\AppData\Local\2Ex9d5\wlrmdr.exe
| MD5 | ef9bba7a637a11b224a90bf90a8943ac |
| SHA1 | 4747ec6efd2d41e049159249c2d888189bb33d1d |
| SHA256 | 2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1 |
| SHA512 | 4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831 |
memory/3436-26-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-24-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-23-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-22-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-20-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-19-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-18-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-16-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-15-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-14-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-13-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-12-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-10-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-9-0x00007FFE98C3A000-0x00007FFE98C3B000-memory.dmp
memory/3436-8-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/4696-7-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-6-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3436-4-0x0000000002D80000-0x0000000002D81000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk
| MD5 | a7b703ce61296ecad7855ba80484317a |
| SHA1 | 8ed17a4c94b0f4812d50b2273c602bed42dfd71b |
| SHA256 | 75cde7b27755679086aaa4bfb5e08833da5ce90d82aee92d145e1eced70addac |
| SHA512 | ec2130dc0e193141bd9b0a7fb97816cc2c5b192aa2ffd0dc74933de4142197187bcb32f6715f1e391078f28eb96e24025c3458f3f60a3f4033deb3a3c50e7563 |