Analysis Overview
SHA256
5605ec07c6ea613c100f2ffc1826c312358df6dff2362b5c7877fc99f5ba901d
Threat Level: Known bad
The file 3644686431d56a0d0ea6ba5a3192f266 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 12:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 12:32
Reported
2024-01-04 14:50
Platform
win7-20231215-en
Max time kernel
6s
Max time network
118s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\68pEF\osk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\JJut\Dxpserver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\68pEF\osk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\JJut\Dxpserver.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\BseC\\Dxpserver.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\JJut\Dxpserver.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\68pEF\osk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1188 wrote to memory of 2672 | N/A | N/A | C:\Windows\system32\osk.exe |
| PID 1188 wrote to memory of 2984 | N/A | N/A | C:\Users\Admin\AppData\Local\68pEF\osk.exe |
| PID 1188 wrote to memory of 2608 | N/A | N/A | C:\Windows\system32\Dxpserver.exe |
| PID 1188 wrote to memory of 2640 | N/A | N/A | C:\Users\Admin\AppData\Local\JJut\Dxpserver.exe |
| PID 1188 wrote to memory of 764 | N/A | N/A | C:\Windows\system32\eudcedit.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3644686431d56a0d0ea6ba5a3192f266.dll,#1
C:\Users\Admin\AppData\Local\68pEF\osk.exe
C:\Windows\system32\osk.exe
C:\Users\Admin\AppData\Local\JJut\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\eudcedit.exe
C:\Users\Admin\AppData\Local\c24QZCGxt\eudcedit.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 12:32
Reported
2024-01-04 15:02
Platform
win10v2004-20231215-en
Max time kernel
33s
Max time network
57s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3644686431d56a0d0ea6ba5a3192f266.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |