Analysis Overview
SHA256
c6dbca3b4b4801df42431bcf7334245440b49f8af3e2f66af99dcb110079610f
Threat Level: Known bad
The file 33706acbd1f245fe707ff6b8e05edfc7 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 11:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 11:00
Reported
2024-01-04 07:49
Platform
win7-20231215-en
Max time kernel
151s
Max time network
124s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\52g\cmstp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\52g\cmstp.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\9QXRAE~1\\DWWIN.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\52g\cmstp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1264 wrote to memory of 2468 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1264 wrote to memory of 2468 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1264 wrote to memory of 2468 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1264 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\52g\cmstp.exe |
| PID 1264 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\52g\cmstp.exe |
| PID 1264 wrote to memory of 2028 | N/A | N/A | C:\Users\Admin\AppData\Local\52g\cmstp.exe |
| PID 1264 wrote to memory of 2976 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 1264 wrote to memory of 2976 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 1264 wrote to memory of 2976 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 1264 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE |
| PID 1264 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE |
| PID 1264 wrote to memory of 1908 | N/A | N/A | C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE |
| PID 1264 wrote to memory of 1220 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe |
| PID 1264 wrote to memory of 1220 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe |
| PID 1264 wrote to memory of 1220 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe |
| PID 1264 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe |
| PID 1264 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe |
| PID 1264 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\33706acbd1f245fe707ff6b8e05edfc7.dll,#1
C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
C:\Users\Admin\AppData\Local\52g\cmstp.exe
C:\Users\Admin\AppData\Local\52g\cmstp.exe
C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE
C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE
C:\Windows\system32\SoundRecorder.exe
C:\Windows\system32\SoundRecorder.exe
C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe
C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe
Network
Files
memory/1536-0-0x0000000000390000-0x0000000000397000-memory.dmp
memory/1536-1-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-4-0x0000000077216000-0x0000000077217000-memory.dmp
memory/1264-5-0x0000000002AD0000-0x0000000002AD1000-memory.dmp
memory/1264-8-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-10-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-11-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-12-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-13-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-14-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-16-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-17-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-19-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-18-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-20-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-21-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-23-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-25-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-27-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-28-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-29-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-30-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-31-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-32-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-33-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-35-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-36-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-38-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-39-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-40-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-42-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-41-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-43-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-44-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-46-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-47-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-48-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-49-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-45-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-51-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-52-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-54-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-55-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-56-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-53-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-57-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-50-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-58-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-37-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-59-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-61-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-60-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-62-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-64-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-66-0x0000000002A20000-0x0000000002A27000-memory.dmp
memory/1264-65-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-63-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-34-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-26-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-24-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-22-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-15-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-9-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1536-7-0x0000000140000000-0x0000000140331000-memory.dmp
memory/1264-74-0x0000000077421000-0x0000000077422000-memory.dmp
memory/1264-75-0x0000000077580000-0x0000000077582000-memory.dmp
C:\Users\Admin\AppData\Local\52g\cmstp.exe
| MD5 | 74c6da5522f420c394ae34b2d3d677e3 |
| SHA1 | ba135738ef1fb2f4c2c6c610be2c4e855a526668 |
| SHA256 | 51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6 |
| SHA512 | bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a |
C:\Users\Admin\AppData\Local\52g\VERSION.dll
| MD5 | e8e8a8186e9a98cc931c1425aaf8ed9d |
| SHA1 | 0cb13f6f43a1e55997077846d1d5ecdce5ad089b |
| SHA256 | eb1156bc8cfb7e179e7f2f2f4f11331c53956d3b8467847682dcc3b1e5dfa86f |
| SHA512 | fd969f58f81db33ecdcb2631302a0d07c18d65d5736ff6a68b98cdcae0f82f81b2569abbabaa293856d0ce9b33421cad057d6601e3587642c90b2017a1f0af49 |
\Users\Admin\AppData\Local\52g\VERSION.dll
| MD5 | 39f0bfec53979f68ef6f4713a906cfff |
| SHA1 | d4a80c3b78831e0e183ea5460c4a2a31c28363fd |
| SHA256 | fcc89dcaeb9c0b158d356d7d78534579e8310b1a64cb5a99c2a70a43ccab962c |
| SHA512 | d03d15642f22ca9620b460f9471fbc51484b75a5ef36d816b0082cd06660096ac9d8a7c1ac04e634a4259edbd6387afe319dbd2efe743e3229c30bc1e6a7e51c |
memory/2028-102-0x0000000000310000-0x0000000000317000-memory.dmp
C:\Users\Admin\AppData\Local\52g\cmstp.exe
| MD5 | 9acf35b08d0822cd38a005a6a8b20f12 |
| SHA1 | 97171cb1bcb7ab4bdc8bc2366550abfd1371d426 |
| SHA256 | 2cd601e15e8fc9a509b7636264a3af6e27e1775fa6878b71561eb099a36d912d |
| SHA512 | 5595c06fd83a755edcc8db6e45cc4773a3899e16937efb8e66f47837bccded87c1cf8f858c0707abf67f0b2c953ff67da0576a9c9c429d94e25e77286d162e3e |
memory/1264-113-0x0000000077216000-0x0000000077217000-memory.dmp
\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE
| MD5 | 02451a0f87db5d97e54f2aab0839db14 |
| SHA1 | b5d1e29a51b936f2f998294374fc2c5b0adb508e |
| SHA256 | cc8e39e7a46060f50ff92df5962ae2e1870414e15285f9a703959eb647725e67 |
| SHA512 | 6849ec2040582a534f1d6ac3a353be2f7c763db26a404b3a7e60f3030f99ffdcf7b5d9ad6c71d8ca5b8697ab2d0a4a03d1685a36ddbe9a0170e5410ed1dc6d87 |
C:\Users\Admin\AppData\Local\sY7m5\VERSION.dll
| MD5 | 27d186419604edd3335f2950bcde9c02 |
| SHA1 | 0f232aadb5493cd3eed89f1ead2344fb0c821418 |
| SHA256 | c62f62ce696bb1101108df8440d7cafdac2ec327c4275516179815fd9a474da0 |
| SHA512 | c37093c30e2c638471e071a78afdfe96705e6f8977614655492a6ab8815a28a14c7eabc778eb1ca6b70a85ad88a19f30521e1033b30e0d05fbd82c7920e4df3c |
\Users\Admin\AppData\Local\sY7m5\VERSION.dll
| MD5 | 40a3e415d23e2de6cb5ba95c18c7e77f |
| SHA1 | 9b44e4006a2b02a1517df37d98750101710c0e18 |
| SHA256 | eba98dee421b4535047f2a7f4c5e0078304873ac653a0b00243d3e80001812f1 |
| SHA512 | 670ce9a9ecaef1a7a9be75f9b5489fd06f5dba763573795069c351b79c2468eb320f4a25555f89d7efb09601ebbb5acf347135dd00d959c23e9fef57fbc79546 |
memory/1908-121-0x0000000000080000-0x0000000000087000-memory.dmp
C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE
| MD5 | d2142a22cd7eb3b950de1d3c0bc9fb20 |
| SHA1 | 6f607adee6683537736c69ef108223840535e28d |
| SHA256 | 5ec7dc539a49175b44484d04b8ecad5891c1a7fbb0bb319ec2e7de0e774c8877 |
| SHA512 | 304551cbd68e3da46bf3a0cee44217effc107d88d1111f57c9017de7c85e2c8d1e4dd1736aaba602e663b9bab2959e182500c22e9f7c06c498bb652b6a002e1a |
C:\Users\Admin\AppData\Local\sY7m5\DWWIN.EXE
| MD5 | 473d2aad3e931822444ef3308ae12d2b |
| SHA1 | 0936557eb9961b8b924f65dcac3e9b4f0f050b8d |
| SHA256 | fd128c1cf5911a2ce2d93b287e55392c6f22304b31d0fcb67370d1e024f17774 |
| SHA512 | a2b75c4483e8bca0deae7dfd917e6145f5be19ddc79b82ce79f671e961f48cbe907bebd73b8faaad4e52526ccf83ec70e68a011ea958592cc42d144eb7ca225a |
\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe
| MD5 | b0a7e45e9092919ada852aac345d648b |
| SHA1 | eccff35b310bbf1cc6d5128cc6d16a1f6a8102fe |
| SHA256 | dc13e7ba9fe638ae6190e399c3d80a36c0e94b123dee27e914e8e6ab5d6b3672 |
| SHA512 | 48a22e28afa130e04d872e4fdf25a0dfbe33df1c8f54604d2a1ba8a437de5123a9702989374378fb9436dd8416e1d2425c660b2393fb58098313c40cce40eecb |
C:\Users\Admin\AppData\Local\6cpzBYt\UxTheme.dll
| MD5 | 258e310875bbd525d812c6a485eb2e0f |
| SHA1 | c3a910e3f3c1f26322dbd1e5d443067b44d1651e |
| SHA256 | a4575e9ca01d9a333b08e1d023d34cf79bc200e2eea6fcbad4b59ff47951aa02 |
| SHA512 | 393a296da8529ca7c818c01f120c5fd97c383adc5493f9c355694f84a8e766c51f365b411905a1e211d6f3cce6b9f443b929504ade8f34110edc943dbcb97b80 |
\Users\Admin\AppData\Local\6cpzBYt\UxTheme.dll
| MD5 | fe6ba298fa096f2564a0dacef5382884 |
| SHA1 | 4a8d43a7267c2311d051bc8ee03baf38a465d6b5 |
| SHA256 | a718663424fd8be648e57df2abeb4e1abd4bdb996f96d8072957383670b030d5 |
| SHA512 | 9df5ac17ea89341e6c9a05fb7759777f43dd26da08bd84918799613b4178543a172d9c4aac559745db722f86130791ede5bfdcfc2eb21429b1f1e3702a4019f9 |
memory/2016-144-0x0000000000100000-0x0000000000107000-memory.dmp
C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe
| MD5 | a0765ad14bf3807df9dffdd7adfafbbc |
| SHA1 | 1d4affe71f0560105d6329d8666b788dad1585e4 |
| SHA256 | 2034be3d47138aedfa8b48ab9e8031a70220d4716bf22af08b1cc0911e680916 |
| SHA512 | 9c994de994d551ae7b5bf83b6b7edaa55b8993f7064773121175fac904d9c493205b43734de254b324c0c63d38a1a0d23a83d145840d7374680edd78a94aaa35 |
C:\Users\Admin\AppData\Local\6cpzBYt\SoundRecorder.exe
| MD5 | 399891d65c671db1c826a9d16e6c2dc1 |
| SHA1 | f650763ae3ad94bc966bbe8d8ae29bec1dee8102 |
| SHA256 | 4e1e36e04553aab93f5f2281102fd5f8be78dc9beeb311ea2e6058ce86d978dc |
| SHA512 | 7c2a963973a68e77e7a878b655f1f2c2d8642d1e45fc2b21e68db86f4a4003d323e5e5713d3a7f12aa46f7a1aa8403fd2206a5bd24936ecdd48104256410eb32 |
\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2444714103-3190537498-3629098939-1000\hRM\SoundRecorder.exe
| MD5 | 69283295b00727b5532f3e3f26930f66 |
| SHA1 | 8d7ca837300d8c25fe9bb8748003c7197bb06845 |
| SHA256 | 404f8c454276fabd4b836747d81316709b599021bb8a9a0d0424156a9bb0987c |
| SHA512 | 2277a68a40cc33675d5ebdcd3f3c09532f4a72e25f5a7bc4271f46234c6a287531b1ab57e15991a95717f55d267f20d7ea2eb87ea3e370701fe3c5fd288ef4b2 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk
| MD5 | 19d379d7ba9e0a29db89269bfa314009 |
| SHA1 | e8c2cced4ad2a487877205533edb195f50138ce1 |
| SHA256 | 610dbf198e2b474aaea18da1015f8d8494ea1e6b4d2a194838041e10fa14af78 |
| SHA512 | 46364802efc1397508f28f80d58dbcdc786a1d01d11c7ced568262937117c3c9907c3968333f37521ecc911e2817ba2d6abb619aa59e40212de50767abc6cb5a |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2444714103-3190537498-3629098939-1000\O4\VERSION.dll
| MD5 | 338484bd0a6ee39eb33c25f34427289c |
| SHA1 | 51f467498a0f579f3fce98571bacf306fd2d77a6 |
| SHA256 | 47a44736748a14f0152f86ffb0b27c9ba2ef95c8ab8cf23aa0261d1869ae454e |
| SHA512 | 64f2d0e5374d0af1d6c0415bc1c057ceb3be59e20ad32136101a7b496741ee0a4aa7b1c98aa4d1290d62664dfe587f6fb0fe3d4c84708a71bae93aef4d142e02 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\9qxRaEG9dWZ\VERSION.dll
| MD5 | 37d54dc945a3a16eb97258900fbcdd04 |
| SHA1 | f06f3ffadbb643baf5e65606c57664180800d780 |
| SHA256 | fbb0bb67e1bd063b51bd4e7202dcacb932aa2ec723e5d0388aae3b10112a9c83 |
| SHA512 | 5662700a7ae982546723aa247d223c69fd9bf06ddace2ab6babf9115102746e75957df626f42542c83982c951992074b9600c2248eca689e7fab45ccdb74c716 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2444714103-3190537498-3629098939-1000\hRM\UxTheme.dll
| MD5 | 02431285d28b515aba8d1c325d8025f7 |
| SHA1 | a660de36d1dd7ef875c2a850ffb32ee6baaea154 |
| SHA256 | 03bcbdb7f8067f12a1cfe68c9cf3305ad429f3aaf14bc0d9d9445df22f552ea6 |
| SHA512 | 5c4554a2a8e73939ca4cab14d0ce480f623ca4a0de04146d365d5372daa42aea4c6d2bb6acbbbcaa21e0a0df10e3d46cd1e25f423cb98ce895cf7eec73e316f9 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 11:00
Reported
2024-01-04 07:50
Platform
win10v2004-20231215-en
Max time kernel
38s
Max time network
93s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\33706acbd1f245fe707ff6b8e05edfc7.dll,#1
C:\Windows\system32\mstsc.exe
C:\Windows\system32\mstsc.exe
C:\Users\Admin\AppData\Local\TGMs\mstsc.exe
C:\Users\Admin\AppData\Local\TGMs\mstsc.exe
C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\CloudNotifications.exe
C:\Windows\system32\wextract.exe
C:\Windows\system32\wextract.exe
C:\Users\Admin\AppData\Local\5Sw1\CloudNotifications.exe
C:\Users\Admin\AppData\Local\5Sw1\CloudNotifications.exe
C:\Users\Admin\AppData\Local\OP2YMLbr\wextract.exe
C:\Users\Admin\AppData\Local\OP2YMLbr\wextract.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/4624-2-0x0000022316D90000-0x0000022316D97000-memory.dmp
memory/4624-0-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-7-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-10-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-13-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-16-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-18-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-21-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-23-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-26-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-28-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-30-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-32-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-35-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-37-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-38-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-39-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-40-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-42-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-43-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-45-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-49-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-51-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-53-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-55-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-58-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-60-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-63-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-65-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-66-0x0000000000770000-0x0000000000777000-memory.dmp
memory/3604-64-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-62-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-61-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-59-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-57-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-74-0x00007FFE7D820000-0x00007FFE7D830000-memory.dmp
memory/3604-56-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-54-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-52-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-50-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-48-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3024-94-0x0000019AAFDB0000-0x0000019AAFDB7000-memory.dmp
memory/3604-47-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-46-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-44-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-41-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-36-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-34-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-33-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-31-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-29-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-27-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-25-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-24-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-22-0x0000000140000000-0x0000000140331000-memory.dmp
memory/2356-111-0x000001F2BB2E0000-0x000001F2BB2E7000-memory.dmp
memory/3604-20-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-19-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-17-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-14-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-15-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-11-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-12-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-9-0x0000000140000000-0x0000000140331000-memory.dmp
memory/4624-8-0x0000000140000000-0x0000000140331000-memory.dmp
memory/3604-5-0x00007FFE7D66A000-0x00007FFE7D66B000-memory.dmp
memory/3604-4-0x0000000002120000-0x0000000002121000-memory.dmp
memory/4648-128-0x000002BEAA950000-0x000002BEAA957000-memory.dmp