Analysis Overview
SHA256
ce0ae9daa74e8fa902d050d77e568d060323fbb7a62fd798266508036742bb9e
Threat Level: Known bad
The file 3888e3acac52c686141303c1979fe06f was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 13:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 13:45
Reported
2024-01-05 09:52
Platform
win7-20231215-en
Max time kernel
151s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\pqja\shrpubw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\pqja\shrpubw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\jXGBT3y0p\\fveprompt.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\pqja\shrpubw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1200 wrote to memory of 704 | N/A | N/A | C:\Windows\system32\shrpubw.exe |
| PID 1200 wrote to memory of 704 | N/A | N/A | C:\Windows\system32\shrpubw.exe |
| PID 1200 wrote to memory of 704 | N/A | N/A | C:\Windows\system32\shrpubw.exe |
| PID 1200 wrote to memory of 2624 | N/A | N/A | C:\Users\Admin\AppData\Local\pqja\shrpubw.exe |
| PID 1200 wrote to memory of 2624 | N/A | N/A | C:\Users\Admin\AppData\Local\pqja\shrpubw.exe |
| PID 1200 wrote to memory of 2624 | N/A | N/A | C:\Users\Admin\AppData\Local\pqja\shrpubw.exe |
| PID 1200 wrote to memory of 1996 | N/A | N/A | C:\Windows\system32\fveprompt.exe |
| PID 1200 wrote to memory of 1996 | N/A | N/A | C:\Windows\system32\fveprompt.exe |
| PID 1200 wrote to memory of 1996 | N/A | N/A | C:\Windows\system32\fveprompt.exe |
| PID 1200 wrote to memory of 2888 | N/A | N/A | C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe |
| PID 1200 wrote to memory of 2888 | N/A | N/A | C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe |
| PID 1200 wrote to memory of 2888 | N/A | N/A | C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe |
| PID 1200 wrote to memory of 1976 | N/A | N/A | C:\Windows\system32\tabcal.exe |
| PID 1200 wrote to memory of 1976 | N/A | N/A | C:\Windows\system32\tabcal.exe |
| PID 1200 wrote to memory of 1976 | N/A | N/A | C:\Windows\system32\tabcal.exe |
| PID 1200 wrote to memory of 752 | N/A | N/A | C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe |
| PID 1200 wrote to memory of 752 | N/A | N/A | C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe |
| PID 1200 wrote to memory of 752 | N/A | N/A | C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3888e3acac52c686141303c1979fe06f.dll,#1
C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
C:\Users\Admin\AppData\Local\pqja\shrpubw.exe
C:\Users\Admin\AppData\Local\pqja\shrpubw.exe
C:\Windows\system32\fveprompt.exe
C:\Windows\system32\fveprompt.exe
C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe
C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe
C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe
C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe
Network
Files
C:\Users\Admin\AppData\Local\pqja\MFC42u.dll
\Users\Admin\AppData\Local\pqja\MFC42u.dll
C:\Users\Admin\AppData\Local\pqja\shrpubw.exe
\Users\Admin\AppData\Local\pqja\shrpubw.exe
C:\Users\Admin\AppData\Local\pqja\shrpubw.exe
C:\Users\Admin\AppData\Local\ezYP\slc.dll
C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe
\Users\Admin\AppData\Local\ezYP\fveprompt.exe
\Users\Admin\AppData\Local\ezYP\slc.dll
C:\Users\Admin\AppData\Local\ezYP\fveprompt.exe
C:\Users\Admin\AppData\Local\EB9yu\HID.DLL
\Users\Admin\AppData\Local\EB9yu\HID.DLL
C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe
\Users\Admin\AppData\Local\EB9yu\tabcal.exe
C:\Users\Admin\AppData\Local\EB9yu\tabcal.exe
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\36GE4cj\tabcal.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\2Spq4Fc\MFC42u.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\jXGBT3y0p\slc.dll
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\36GE4cj\HID.DLL
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 13:45
Reported
2024-01-05 10:07
Platform
win10v2004-20231222-en
Max time kernel
6s
Max time network
80s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3888e3acac52c686141303c1979fe06f.dll,#1
C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
C:\Users\Admin\AppData\Local\nn9qq\dccw.exe
C:\Users\Admin\AppData\Local\nn9qq\dccw.exe
C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\zf5E\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\zf5E\DisplaySwitch.exe
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\PjLhmJokk\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\PjLhmJokk\SystemPropertiesProtection.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| IE | 20.54.110.119:443 | | tcp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| GB | 88.221.134.50:80 | | tcp |
| GB | 88.221.134.50:80 | | tcp |
Files