Analysis Overview
SHA256
f1955ff491cbc147287209b62c378253fc8c4da6123e7d8c45a417e4a3c6552d
Threat Level: Known bad
The file 2784c3aeee9d999aa9b382b604d54037 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 04:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 04:08
Reported
2024-01-02 04:23
Platform
win10v2004-20231215-en
Max time kernel
5s
Max time network
137s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2784c3aeee9d999aa9b382b604d54037.dll,#1
C:\Users\Admin\AppData\Local\jOU74L\SystemSettingsAdminFlows.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
C:\Users\Admin\AppData\Local\k1U\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
C:\Users\Admin\AppData\Local\FjinOz\cttune.exe
C:\Windows\system32\cttune.exe
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 04:08
Reported
2024-01-02 04:24
Platform
win7-20231215-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\09PqK\dpapimig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\09PqK\dpapimig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\kI\\spinstall.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\09PqK\dpapimig.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1244 wrote to memory of 2936 | N/A | N/A | C:\Windows\system32\dpapimig.exe |
| PID 1244 wrote to memory of 2616 | N/A | N/A | C:\Users\Admin\AppData\Local\09PqK\dpapimig.exe |
| PID 1244 wrote to memory of 1644 | N/A | N/A | C:\Windows\system32\spinstall.exe |
| PID 1244 wrote to memory of 456 | N/A | N/A | C:\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe |
| PID 1244 wrote to memory of 1092 | N/A | N/A | C:\Windows\system32\fvenotify.exe |
| PID 1244 wrote to memory of 1064 | N/A | N/A | C:\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2784c3aeee9d999aa9b382b604d54037.dll,#1
C:\Windows\system32\dpapimig.exe
C:\Users\Admin\AppData\Local\09PqK\dpapimig.exe
C:\Windows\system32\spinstall.exe
C:\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe
C:\Windows\system32\fvenotify.exe
C:\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe
Network
Files
\Users\Admin\AppData\Local\09PqK\dpapimig.exe
| MD5 | 0e8b8abea4e23ddc9a70614f3f651303 |
| SHA1 | 6d332ba4e7a78039f75b211845514ab35ab467b2 |
| SHA256 | 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1 |
| SHA512 | 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc |
C:\Users\Admin\AppData\Local\09PqK\DUI70.dll
| MD5 | 02ca2465456c8b9e46fc772e72676693 |
| SHA1 | e326383de3007758851a860dbc203c9d16e5cc2c |
| SHA256 | bc1bf0222f3341fdf0ee3cfebad5a1d66a8b6be18dc00402b0d47f8ad21c8145 |
| SHA512 | 7f8e9d4d7b953b3a5a213c46030eefe5858a4ef41ca77ee96c87e2aa015be549bf8cb6515ba6d2a54400140f943053d1af51a042adb634ea225a0536d85f3166 |
\Users\Admin\AppData\Local\BXUFogz3\spinstall.exe
| MD5 | 29c1d5b330b802efa1a8357373bc97fe |
| SHA1 | 90797aaa2c56fc2a667c74475996ea1841bc368f |
| SHA256 | 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f |
| SHA512 | 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee |
C:\Users\Admin\AppData\Local\BXUFogz3\VERSION.dll
| MD5 | 607d952bc201e4afb4b9f16fd95f6441 |
| SHA1 | cab9b943c109dfd06bfe594ec8904a879a7086f2 |
| SHA256 | 74733682de24cd452909a9f68f728a9c6c7ffc3a710bbf636a2e03eb68ac89b6 |
| SHA512 | 5ead3cb37d4695453499803f2337c9d65ef65372bdcc56407339e56e04c71e9c26374a74af55da5e65b8c8e9a1d1a105df4ba46cf27dd9c236261f8fe3e84d10 |
\Users\Admin\AppData\Local\0VZL4MAM\fvenotify.exe
| MD5 | e61d644998e07c02f0999388808ac109 |
| SHA1 | 183130ad81ff4c7997582a484e759bf7769592d6 |
| SHA256 | 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa |
| SHA512 | 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272 |
C:\Users\Admin\AppData\Local\0VZL4MAM\slc.dll
| MD5 | 79b3c74471926f77825c8a37c1233632 |
| SHA1 | c1627d73a9095c3ea7c3ab92f21792d4761daa5b |
| SHA256 | f9d02d6f903a4828d36c948fe98b9e3a5113839ab6075cc6e242194371b83c8f |
| SHA512 | b72dbbf41d202fbf9095bd0ae1accddd59c922aaa078776fdb97dda50a3445724be333a4dc98fce70f96db9834b9388f94de831f0b747b41c7d7529efe1dc900 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
| MD5 | 1f79c9afacb0e96e99bc517b8e3009cf |
| SHA1 | f422fa40c85f9bdcf23689dcd1085a2c65b91c31 |
| SHA256 | 31d54c0af12850e66ca0ba8493d0092e0b0ab8150e3171cc13d7704c5ddb0685 |
| SHA512 | 2b8b2b7cc61fee587877e3970c8e86907da4c82353d136c3e3147547d7cb833ff11c187d59d4e93b3ec7bad987cd02686e88e6d27d6305d6d81cff5094546d5d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\kI\VERSION.dll
| MD5 | 9737a1aaac29f708d691419064b3fd78 |
| SHA1 | 8d47d19f7d8ee3ec810a43e681c602725523f458 |
| SHA256 | 15cdff749904d733ab5b99b4d4ce7c8f6134aabb64515a02b9fbec85ee6c7ee3 |
| SHA512 | b410bd9cdcdb31212ca287a82ec1e0b8bd195af77f3d1f29d7ae2fff50abf927e7fe905583e0def6e9d9e75fe0c1ee2d943f45d1d8a2185bf4f8a0946b934e67 |