Analysis Overview
SHA256
980ad5843ca1815075c76eb854d248b011c3dfeb5116b358fdb479bb11d9eadd
Threat Level: Known bad
The file 2b3197daa6254b8cac569fbf4178beab was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 06:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 06:07
Reported
2024-01-02 09:57
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
97s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3197daa6254b8cac569fbf4178beab.dll,#1
C:\Windows\system32\MoUsoCoreWorker.exe
C:\Windows\system32\MoUsoCoreWorker.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Windows\system32\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\ZMoTWsS6\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\ZMoTWsS6\MoUsoCoreWorker.exe
C:\Users\Admin\AppData\Local\j0DAkw\WMPDMC.exe
C:\Users\Admin\AppData\Local\j0DAkw\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
C:\Windows\system32\WMPDMC.exe
C:\Users\Admin\AppData\Local\jl884\SystemSettingsRemoveDevice.exe
C:\Users\Admin\AppData\Local\jl884\SystemSettingsRemoveDevice.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
Files
memory/4232-0-0x0000020114000000-0x0000020114007000-memory.dmp
memory/4232-1-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-7-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-14-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-19-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-23-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-28-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-34-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-39-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-44-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-47-0x0000000000810000-0x0000000000817000-memory.dmp
memory/3484-46-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-54-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-64-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-66-0x0000000140000000-0x0000000140244000-memory.dmp
memory/4884-78-0x0000013DCB360000-0x0000013DCB367000-memory.dmp
memory/4884-81-0x0000000140000000-0x0000000140245000-memory.dmp
memory/4884-75-0x0000000140000000-0x0000000140245000-memory.dmp
memory/3484-55-0x00007FFF68940000-0x00007FFF68950000-memory.dmp
memory/3484-45-0x0000000140000000-0x0000000140244000-memory.dmp
memory/2652-94-0x000001C90F350000-0x000001C90F357000-memory.dmp
memory/2652-92-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1200-110-0x0000023D36B90000-0x0000023D36B97000-memory.dmp
memory/3484-43-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-42-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-41-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-40-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-38-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-37-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-36-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-35-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-33-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-32-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-31-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-30-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-29-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-27-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-25-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-26-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-24-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-22-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-21-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-20-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-18-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-17-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-16-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-15-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-13-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-12-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-11-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-10-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-9-0x00007FFF6854A000-0x00007FFF6854B000-memory.dmp
memory/3484-8-0x0000000140000000-0x0000000140244000-memory.dmp
memory/4232-6-0x0000000140000000-0x0000000140244000-memory.dmp
memory/3484-4-0x0000000002390000-0x0000000002391000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk
| Hash | Value |
|---|---|
| MD5 | 976d059e61c09f1e091e1f860797d3b3 |
| SHA1 | 147ab92e7163e4533f59dd9a2f1da34f8fcab3be |
| SHA256 | 3fa4424373a91ac0dfdbeadc8309a9f80ea751c28f5ce84e406df43e6bc118d6 |
| SHA512 | 9d547243b480d579301e863a942f0a9b154cea87b4b756ddb1b83d62161421dd383ec932ce85f5c77f51bf1e7da1931394be70cd2e6a664e9b6b4870369f8586 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\v16\XmlLite.dll
| Hash | Value |
|---|---|
| MD5 | d8f21c8ad0c92ef0610adbb4267123cf |
| SHA1 | 9d6532703b1150d3c0fd02722b2527bf14f8823b |
| SHA256 | cc9d1a690b4d17e6236312fbb5aaed2095fa137533a38535c69d1b4879f96af2 |
| SHA512 | 613d9ae6ee416920ffb67302e4401b104805685887f0d9e0fabedea897d583493a7334ee23a05f18e1d6c80bf4ad23f6110f5aa54c1d9973ebc688da8a886dc0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\Exc\DUI70.dll
| Hash | Value |
|---|---|
| MD5 | 35cdc991f3c0d232c12978d84cf24481 |
| SHA1 | 5cab6b1567227962705b931b9bf36969fb83de82 |
| SHA256 | 47e895d4c43a650f815690affb26ce6b1af0759a4ee0858af1c26e5cb1261581 |
| SHA512 | 7e8664bcbef2b47d4d47461059555faabc4f2a3124eb41ab2ad13c73a4194ca76eba47148c4695b3d4f8ca33527d5aaa38122c540960697ea3ef3cd178f88955 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\vGGJLO\dwmapi.dll
| Hash | Value |
|---|---|
| MD5 | dde3cb627d8f86de13e8f61bec9fd71e |
| SHA1 | 91f47e30ceb51d9987c1c3c952fb39c5fcb4a59b |
| SHA256 | 8dc5905f85590baee9d1d7a61524030ad5b04d9ee5a2f10fd03bfc835f6362d0 |
| SHA512 | 8cc0d2d57e7ef8a1ada28898907d610035a293e67dee8f0531ff9350cafb3150c9533e0948a1624eb273038456f5a6705d442595663b4434d100385be0f3b221 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 06:07
Reported
2024-01-02 09:57
Platform
win7-20231129-en
Max time kernel
3s
Max time network
121s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2b3197daa6254b8cac569fbf4178beab.dll,#1
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
C:\Users\Admin\AppData\Local\ZzSJ77\mspaint.exe
C:\Users\Admin\AppData\Local\ZzSJ77\mspaint.exe
C:\Users\Admin\AppData\Local\ePKLY\sdclt.exe
C:\Users\Admin\AppData\Local\ePKLY\sdclt.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\FXSCOVER.exe
C:\Windows\system32\FXSCOVER.exe
C:\Users\Admin\AppData\Local\QXisop9j\FXSCOVER.exe
C:\Users\Admin\AppData\Local\QXisop9j\FXSCOVER.exe
Network
Files
memory/2816-0-0x0000000000330000-0x0000000000337000-memory.dmp
memory/2816-1-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-4-0x0000000077826000-0x0000000077827000-memory.dmp
memory/1376-12-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-23-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-33-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-45-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-47-0x0000000002900000-0x0000000002907000-memory.dmp
memory/1376-55-0x0000000077A31000-0x0000000077A32000-memory.dmp
memory/1376-65-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-58-0x0000000077B90000-0x0000000077B92000-memory.dmp
memory/1376-54-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-71-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-46-0x0000000140000000-0x0000000140244000-memory.dmp
\Users\Admin\AppData\Local\ZzSJ77\WINMM.dll
| Hash | Value |
|---|---|
| MD5 | 7bf739d7c928e837af051dc2339995a2 |
| SHA1 | 91fa4684d10d2f6c752d90eca5ed3357169df600 |
| SHA256 | c8ed79584f998a5f5725a36532179f21cb5821a2ade203496057c62dc4623bc5 |
| SHA512 | 54d3f75313a4cac7a058cbd3ee23b59c784fafc2f9b8b6098e9b13d6a52c1c46cb4422a251b19596595cbfb082a34b54d9cd990d9600c77250453f76ff9ef495 |
memory/2476-85-0x0000000000120000-0x0000000000127000-memory.dmp
memory/2476-83-0x0000000140000000-0x0000000140246000-memory.dmp
C:\Users\Admin\AppData\Local\ZzSJ77\WINMM.dll
| Hash | Value |
|---|---|
| MD5 | 1d9e64f01032e2b7a63ede4a5d20bab7 |
| SHA1 | 803c1c0e5eb934766a1155192aae33d3a36f9630 |
| SHA256 | 645b0973f8d37a402d5eaf3702899a665602acf62567d6de8dba6676074bd8e0 |
| SHA512 | d268085fa5ff979efa736d34fba25d29bd8296a9feb45c6b5fad6cc17b8d060bd322aef6d13411ecbede65b969412e20fa616904fe2b27883ab25e6e5e30b680 |
C:\Users\Admin\AppData\Local\ZzSJ77\mspaint.exe
| Hash | Value |
|---|---|
| MD5 | f63e39506a258bbae7ca84c1c4b62a6a |
| SHA1 | ff9618eac807099bbe5de3395b2db72f27b56493 |
| SHA256 | 07a74bda54264fe385dbab56b5973d8cf8e2d65ed46d1f1ced18bf6261c7294f |
| SHA512 | 0f99312dfb4a606b897262227a248e39155815351919d8cb5a9015eea1c1ebd3eec60edbf7715b169b763eb6ff7d8df67e2a4ea7e890a1d37474a53cdea3be21 |
C:\Users\Admin\AppData\Local\ZzSJ77\mspaint.exe
| Hash | Value |
|---|---|
| MD5 | b8bcd928b4e105213bbe22d96d3b05e3 |
| SHA1 | 8ea3b4161a70743ed629a39888c9cf6c54ba89a2 |
| SHA256 | 384a7bcc37f41a15cfa521f66e30a329edc158eca9703150bd58c3b447061e83 |
| SHA512 | 6480445fbaf70e91f355724eda37f4984c375829c760382e2fd67c572c17e7611346df7c5649490669e4d33938233775d19a97d691af40d5346227403b0d52fa |
memory/1376-44-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-43-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-42-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-41-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-40-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-39-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-38-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-37-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-36-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-35-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-34-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-32-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-31-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-30-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-29-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-28-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-27-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-26-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1568-110-0x0000000000190000-0x0000000000197000-memory.dmp
memory/1376-25-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-24-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-22-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-21-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-20-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-19-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-18-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-17-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-16-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-15-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-14-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-13-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-11-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-10-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-9-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-8-0x0000000140000000-0x0000000140244000-memory.dmp
memory/2816-7-0x0000000140000000-0x0000000140244000-memory.dmp
memory/1376-5-0x0000000002920000-0x0000000002921000-memory.dmp
memory/1956-133-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1376-159-0x0000000077826000-0x0000000077827000-memory.dmp