Analysis Overview
SHA256
35b6b98f2a7c939aaa8b53cef15502beb1feea0d7189fa57ce2e0fb2e0fa1fba
Threat Level: Known bad
The file 2d7d77d1a6ec3527dc27bc5ec2061c58 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 07:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 07:32
Reported
2024-01-03 18:12
Platform
win7-20231215-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 07:32
Reported
2024-01-03 18:13
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
135s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d7d77d1a6ec3527dc27bc5ec2061c58.dll,#1
C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Users\Admin\AppData\Local\Muww\wermgr.exe
C:\Users\Admin\AppData\Local\Muww\wermgr.exe
C:\Users\Admin\AppData\Local\nbDoWWn\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\nbDoWWn\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\H1Ec\bdechangepin.exe
C:\Users\Admin\AppData\Local\H1Ec\bdechangepin.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| IE | 20.166.126.56:443 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 20.231.121.79:80 | | tcp |
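The table above mixes Windows 10 background traffic (Bing lookups, reverse PTR queries via 8.8.8.8) with four TCP connections that have no domain attached at all. A first triage step is to split those buckets apart, because a Dridex loader beacons to hardcoded IP:port pairs without a DNS lookup, so "connection with no resolved name" is the set worth checking against threat intelligence first. The script below is an added example written for this page, not sandbox output; the rows are copied from the Network table, the three-bucket split and the PTR-to-IP conversion are my own triage conventions, and an unresolved destination is only a candidate, not a confirmed C2 (CDN and cloud addresses show up the same way when the resolver ran before capture started).

```python
"""Sort the behavioral2 Network table into DNS, PTR, resolved and unresolved.

Added example for this report, not part of it. NETWORK_ROWS is copied from the
table above as (country, destination, domain, proto); the bucketing rules are
an assumption about how to triage such a table, not something the sandbox does.
"""
import ipaddress

NETWORK_ROWS = [
    ("NL", "52.142.223.178:80", "", "tcp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.200:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "158.240.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "227.143.123.92.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "146.177.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.156.103.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "9.228.82.20.in-addr.arpa", "udp"),
    ("IE", "20.166.126.56:443", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
    ("US", "93.184.221.240:80", "", "tcp"),
    ("US", "20.231.121.79:80", "", "tcp"),
]


def split_dest(dest):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); validates the IP part."""
    host, _, port = dest.rpartition(":")
    ipaddress.ip_address(host)  # raises ValueError on a malformed row
    return host, int(port)


def ptr_to_ip(name):
    """'158.240.127.40.in-addr.arpa' -> '40.127.240.158' (octets are reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def _dedup(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def triage(rows):
    """Bucket rows: forward DNS names, reverse-looked-up IPs, resolved and
    unresolved connections. Each bucket keeps first-seen order, de-duplicated."""
    dns, ptr, resolved, unresolved = [], [], [], []
    for country, dest, domain, proto in rows:
        host, port = split_dest(dest)
        if proto == "udp" and port == 53:
            if domain.endswith(".in-addr.arpa"):
                ptr.append(ptr_to_ip(domain))
            else:
                dns.append(domain)
        elif domain:
            resolved.append((domain, dest))
        else:
            unresolved.append((country, dest))
    return {
        "dns_lookups": _dedup(dns),
        "ptr_lookups": _dedup(ptr),
        "resolved": _dedup(resolved),
        "unresolved": _dedup(unresolved),
    }


def unresolved_ips(rows):
    """The candidate set to check against threat intel: IPs contacted over TCP
    with no DNS name attached in the capture."""
    return _dedup(split_dest(dest)[0] for _, dest in triage(rows)["unresolved"])


if __name__ == "__main__":
    for bucket, items in triage(NETWORK_ROWS).items():
        print(bucket, items)
    print("check these first:", unresolved_ips(NETWORK_ROWS))
```

Run on the rows above this yields four unresolved TCP destinations (52.142.223.178:80, 20.166.126.56:443, 93.184.221.240:80, 20.231.121.79:80), two forward DNS names, and six addresses the guest reverse-resolved; the report does not say which process generated which connection, so the unresolved list is a starting point for enrichment, not an attribution.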
Files
memory/4968-0-0x0000023BEA300000-0x0000023BEA307000-memory.dmp
memory/4968-1-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-5-0x00007FFB4D05A000-0x00007FFB4D05B000-memory.dmp
memory/3456-17-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-24-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-29-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-36-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-45-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-52-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-55-0x0000000001FD0000-0x0000000001FD7000-memory.dmp
memory/3456-53-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-62-0x00007FFB4D280000-0x00007FFB4D290000-memory.dmp
memory/3456-71-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-73-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-61-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-51-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-50-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-49-0x0000000140000000-0x0000000140189000-memory.dmp
C:\Users\Admin\AppData\Local\H1Ec\DUI70.dll
| MD5 | 00cb557172d95a1a9ec90db84c1357df |
| SHA1 | bbc7bd18235c4cd7bd9b6209f786c7e8ce609e53 |
| SHA256 | 78a98e6ead98a9498fa9888649a6918e43abe58203701127fcbc110200c2ff25 |
| SHA512 | 278a5f74aa8385eb36494a0d0228aab62ef8511ccbbaf29b46fb3ec643d6a693c5579199729bdbc1730ba7d751d9a10342dc5900c11cc8a77ca4ad73d95e103f |
memory/212-84-0x000001D706860000-0x000001D706867000-memory.dmp
C:\Users\Admin\AppData\Local\H1Ec\bdechangepin.exe
| MD5 | 601a28eb2d845d729ddd7330cbae6fd6 |
| SHA1 | 5cf9f6f9135c903d42a7756c638333db8621e642 |
| SHA256 | 4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6 |
| SHA512 | 1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d |
C:\Users\Admin\AppData\Local\nbDoWWn\WINSTA.dll
| MD5 | c75ba0f1e792ae1c78c27e7e1bba2a12 |
| SHA1 | a5cb3c71e5841689b16030245a3f121a58eedbe1 |
| SHA256 | 468c8388e2b4ff0dbc064f5bd0c6be52a9da537d70c4ba3157f7f9b32330c04c |
| SHA512 | 81a55ceb7fd3b2ace08cae981753e95d5b32add977c60c062acb1b0ba3210c3aafcebbb5ef4776e255f80e6779e7a84fd61e61648ff542d8274ac113c74579e8 |
memory/2864-99-0x00000248BD180000-0x00000248BD187000-memory.dmp
C:\Users\Admin\AppData\Local\nbDoWWn\RdpSaUacHelper.exe
| MD5 | 0d5b016ac7e7b6257c069e8bb40845de |
| SHA1 | 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2 |
| SHA256 | 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067 |
| SHA512 | cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e |
C:\Users\Admin\AppData\Local\Muww\wer.dll
| MD5 | 3497c039bb447f4ed3fe21e6f096ff15 |
| SHA1 | d258e47e0a97347e78999a6120abcf3bf35247d4 |
| SHA256 | b4b0460cc5499986d2adb7a4777b1854c4ac6d9bb3058cf3b4e86283a758974a |
| SHA512 | 6c56498be0de05576812d3a0237f2dff80785c820fda9bd6aea178e0f5116c1751269b6c3b353721743359b4d1e6a0aee3d94863a627882e6daf4d348bfc591c |
memory/1824-119-0x000001EA5F400000-0x000001EA5F407000-memory.dmp
C:\Users\Admin\AppData\Local\Muww\wermgr.exe
| MD5 | f7991343cf02ed92cb59f394e8b89f1f |
| SHA1 | 573ad9af63a6a0ab9b209ece518fd582b54cfef5 |
| SHA256 | 1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc |
| SHA512 | fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d |
memory/3456-48-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-47-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-46-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-44-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-43-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-42-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-41-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-40-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-39-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-38-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-37-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-35-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-34-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-33-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-32-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-31-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-30-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-28-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-27-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-26-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-25-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-23-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-22-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-21-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-20-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-19-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-18-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-16-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-15-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-14-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-13-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-12-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-11-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-10-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-9-0x0000000140000000-0x0000000140189000-memory.dmp
memory/4968-8-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-7-0x0000000140000000-0x0000000140189000-memory.dmp
memory/3456-4-0x0000000002020000-0x0000000002021000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk
| MD5 | b60f181dcba58968463eae3638c0d807 |
| SHA1 | 3856936718cf284ef2104edc8e12f689e613563d |
| SHA256 | 60a6ad0026beae6bdcd92c0dd7006d1bed61483c177dcdde2550b49da45d1069 |
| SHA512 | 605ccc57ad3cae36980ab4310363010f0f8fb34627ed99faf47c825e7a70632fcd382bef325e8a45c98d9ef8f1d0b429fdaff4b0aff413cece9cf0de1f82c077 |
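The dropped files and the process list together show the Dridex loader's DLL side-loading pattern: three legitimate Windows binaries (bdechangepin.exe, RdpSaUacHelper.exe, wermgr.exe) run once from system32, then a copy of each is executed from a randomly named directory under AppData\Local with a DLL carrying a Windows system DLL name (DUI70.dll, WINSTA.dll, wer.dll) dropped beside it, plus a .lnk in the Startup folder whose target the report does not show. The script below, an added example written for this page and not part of the sandbox output, turns those two lists into side-loading sets and a persistence artifact list suitable for a hunt. The file paths and SHA256 values are copied from this report; pairing by shared directory is an assumption, since the report does not include the copied binaries' import tables.

```python
"""Pair the dropped files from this report into DLL side-loading sets.

Added example, not part of the sandbox report. DROPPED and EXECUTED are copied
from the Files and Processes sections above (process list de-duplicated).
The pairing rule (an executed .exe and a .dll in the same user-writable
directory) is an assumption; the report does not show which DLL the host
binary actually imports.
"""
import ntpath

DROPPED = {
    r"C:\Users\Admin\AppData\Local\H1Ec\DUI70.dll":
        "78a98e6ead98a9498fa9888649a6918e43abe58203701127fcbc110200c2ff25",
    r"C:\Users\Admin\AppData\Local\H1Ec\bdechangepin.exe":
        "4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6",
    r"C:\Users\Admin\AppData\Local\nbDoWWn\WINSTA.dll":
        "468c8388e2b4ff0dbc064f5bd0c6be52a9da537d70c4ba3157f7f9b32330c04c",
    r"C:\Users\Admin\AppData\Local\nbDoWWn\RdpSaUacHelper.exe":
        "6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067",
    r"C:\Users\Admin\AppData\Local\Muww\wer.dll":
        "b4b0460cc5499986d2adb7a4777b1854c4ac6d9bb3058cf3b4e86283a758974a",
    r"C:\Users\Admin\AppData\Local\Muww\wermgr.exe":
        "1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk":
        "60a6ad0026beae6bdcd92c0dd7006d1bed61483c177dcdde2550b49da45d1069",
}

EXECUTED = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\bdechangepin.exe",
    r"C:\Windows\system32\RdpSaUacHelper.exe",
    r"C:\Windows\system32\wermgr.exe",
    r"C:\Users\Admin\AppData\Local\Muww\wermgr.exe",
    r"C:\Users\Admin\AppData\Local\nbDoWWn\RdpSaUacHelper.exe",
    r"C:\Users\Admin\AppData\Local\H1Ec\bdechangepin.exe",
]

SYSTEM_DIR = r"c:\windows\system32"


def is_system_path(path):
    return ntpath.dirname(path).lower() == SYSTEM_DIR


def sideload_sets(dropped, executed):
    """One dict per (exe, dll) pair dropped into the same non-system directory.

    same_name_in_system32: a binary of that name also ran from system32 in the
    trace, the tell-tale of "copy a signed Windows binary next to a fake DLL".
    copy_was_executed: the dropped copy itself appears in the process list.
    """
    by_dir = {}
    for path in dropped:
        by_dir.setdefault(ntpath.dirname(path), []).append(path)
    system_names = {ntpath.basename(p).lower() for p in executed if is_system_path(p)}
    executed_lower = {p.lower() for p in executed}

    sets = []
    for directory, files in sorted(by_dir.items()):
        if directory.lower() == SYSTEM_DIR:
            continue
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower().endswith(".dll")]
        for exe in exes:
            for dll in dlls:
                sets.append({
                    "directory": directory,
                    "host_exe": ntpath.basename(exe),
                    "sideloaded_dll": ntpath.basename(dll),
                    "exe_sha256": dropped[exe],
                    "dll_sha256": dropped[dll],
                    "same_name_in_system32": ntpath.basename(exe).lower() in system_names,
                    "copy_was_executed": exe.lower() in executed_lower,
                })
    return sets


def persistence_artifacts(dropped):
    """Shortcuts dropped into a Startup folder (logon persistence)."""
    return [p for p in dropped
            if "\\startup\\" in p.lower() and p.lower().endswith(".lnk")]


def hunt_hashes(dropped):
    """Flat SHA256 list for the dropped DLLs only: the copied .exe files are
    legitimate Windows binaries, so their hashes match clean systems and make
    poor indicators on their own."""
    return sorted(h for p, h in dropped.items() if p.lower().endswith(".dll"))


if __name__ == "__main__":
    for s in sideload_sets(DROPPED, EXECUTED):
        print(f'{s["directory"]}: {s["host_exe"]} <- {s["sideloaded_dll"]}')
    print("startup:", persistence_artifacts(DROPPED))
    print("dll hashes:", hunt_hashes(DROPPED))
```

The hunt logic this encodes is the one worth carrying to an EDR query: a process image whose basename also exists in system32 but whose path is under a per-user AppData directory, with a module of a Windows DLL name loaded from that same directory. The copied executables' own hashes deliberately stay out of the indicator list because they are unmodified Microsoft binaries.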