Analysis Overview
SHA256
f3ed7cb425c02387b3a3225e2d61444be39193c0ea22674141358e638e537ec8
Threat Level: Known bad
The file 4026cd85c6fc0589fac383abfe0f1982 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-04 06:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-04 06:38
Reported
2024-01-04 06:41
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\BCU\SystemPropertiesComputerName.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zbMpD\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rBMp9t8C\javaws.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\BCU\SystemPropertiesComputerName.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\zbMpD\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rBMp9t8C\javaws.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\weHqdR2RES\\SystemPropertiesPerformance.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rBMp9t8C\javaws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\BCU\SystemPropertiesComputerName.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\zbMpD\SystemPropertiesPerformance.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4026cd85c6fc0589fac383abfe0f1982.dll,#1
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\BCU\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\BCU\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\zbMpD\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\zbMpD\SystemPropertiesPerformance.exe
C:\Windows\system32\javaws.exe
C:\Windows\system32\javaws.exe
C:\Users\Admin\AppData\Local\rBMp9t8C\javaws.exe
C:\Users\Admin\AppData\Local\rBMp9t8C\javaws.exe
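Read together, the Processes list, the Run key and the dropped files show the layout of DLL search-order hijacking: each Microsoft binary (SystemPropertiesComputerName.exe, SystemPropertiesPerformance.exe, javaws.exe) runs first from System32 and then from a random directory under %LOCALAPPDATA%, those copies are the processes the "Loads dropped DLL" signature fires on, and libraries carrying system names (SYSDM.CPL, VERSION.dll) are dropped into the profile, one of them in the same directory the Run value Fskzoiv points into. The script below is an added example, not part of the sandbox or its report; it checks a process list, Run-key events and a dropped-file list for that pattern, and its sample inputs are copied from this report rather than constructed. A name match is a triage lead, not a verdict: legitimate installers also place copies of system files under the profile, so each hit still needs the binary's signature and the library's hash checked.

```python
"""Triage the behavioral1 process list, Run-key write and dropped files for the
DLL side-loading layout this report shows: Microsoft binaries copied from
System32 into random profile directories, launched from there, with a dropped
library (SYSDM.CPL, VERSION.dll) beside them. Added example, not sandbox code;
the sample inputs below are copied from the report, not constructed."""
import ntpath
import re
from dataclasses import dataclass

SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
USER_WRITABLE = (r"\appdata\local", r"\appdata\roaming", r"\users\public", r"\programdata")
LIBRARY_EXTS = {".dll", ".cpl"}  # a .cpl is a DLL under a different extension

# Image paths from the behavioral1 "Processes" section (repeated entries dropped).
PROCESS_PATHS = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\BCU\SystemPropertiesComputerName.exe",
    r"C:\Windows\system32\SystemPropertiesPerformance.exe",
    r"C:\Users\Admin\AppData\Local\zbMpD\SystemPropertiesPerformance.exe",
    r"C:\Windows\system32\javaws.exe",
    r"C:\Users\Admin\AppData\Local\rBMp9t8C\javaws.exe",
]
# The "Adds Run key" indicator, verbatim; the sandbox doubles backslashes in the value.
RUN_KEY_EVENTS = [
    r'\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft'
    r'\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe'
    r'\\weHqdR2RES\\SystemPropertiesPerformance.exe"',
]
# Dropped files from the behavioral1 "Files" section.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\kZ6uFw6\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\Adobe\weHqdR2RES\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\iUKo\VERSION.dll",
]

RUN_VALUE_RE = re.compile(r'\\Run\\(?P<name>[^\\=\s]+)\s*=\s*"(?P<value>.*)"\s*$')


@dataclass(frozen=True)
class Finding:
    kind: str
    path: str
    detail: str


def _norm(path: str) -> str:
    return ntpath.normpath(path).lower()


def _user_writable(directory: str) -> bool:
    return any(marker in directory for marker in USER_WRITABLE)


def relocated_system_binaries(paths):
    """Executables running from a user-writable directory under a file name that
    was also seen running from a system directory in the same capture. Using the
    capture as the baseline avoids maintaining an allow-list of system binaries."""
    system_names = {ntpath.basename(_norm(p)) for p in paths
                    if ntpath.dirname(_norm(p)) in SYSTEM_DIRS}
    findings = []
    for p in dict.fromkeys(paths):  # de-duplicate, keep order
        directory, name = ntpath.split(_norm(p))
        if name in system_names and directory not in SYSTEM_DIRS and _user_writable(directory):
            findings.append(Finding("relocated-system-binary", p,
                                    f"{name} also ran from a system directory"))
    return findings


def autorun_into_profile(events):
    """Run-key writes whose target executable lives in a user-writable directory."""
    findings = []
    for event in events:
        match = RUN_VALUE_RE.search(event)
        if not match:
            continue
        target = match.group("value").replace("\\\\", "\\")  # undo the doubled backslashes
        if _user_writable(ntpath.dirname(_norm(target))):
            findings.append(Finding("autorun-user-profile", target,
                                    f"Run value {match.group('name')} points into the profile"))
    return findings


def colocated_libraries(dropped, executables):
    """Dropped DLL/CPL files sharing a directory with a relocated or autorun
    executable: the layout DLL search-order hijacking needs, because an EXE
    resolves an unqualified import from its own directory before System32."""
    exe_dirs = {ntpath.dirname(_norm(e)) for e in executables}
    findings = []
    for f in dropped:
        directory, name = ntpath.split(_norm(f))
        if ntpath.splitext(name)[1] in LIBRARY_EXTS and directory in exe_dirs:
            findings.append(Finding("sideload-candidate", f,
                                    f"{name} dropped beside an executable in the same directory"))
    return findings


def triage(paths=PROCESS_PATHS, events=RUN_KEY_EVENTS, dropped=DROPPED_FILES):
    relocated = relocated_system_binaries(paths)
    autorun = autorun_into_profile(events)
    libraries = colocated_libraries(dropped, [f.path for f in relocated + autorun])
    return relocated + autorun + libraries


if __name__ == "__main__":
    for finding in triage():
        print(f"[{finding.kind}] {finding.path}\n    {finding.detail}")
```

On this report the script yields three relocated binaries, one autorun target under AppData\Roaming, and one side-load candidate (weHqdR2RES\SYSDM.CPL, the directory the Run key names). The VERSION.dll drop is not paired because no executable in the Processes list or Run key sits in its directory; on a live host the next check is which process has that path mapped.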
Network
Files
memory/2004-0-0x0000000000190000-0x0000000000197000-memory.dmp
memory/2004-1-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-4-0x0000000077616000-0x0000000077617000-memory.dmp
memory/1292-5-0x0000000002A80000-0x0000000002A81000-memory.dmp
memory/2004-7-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-8-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-13-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-16-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-21-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-25-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-28-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-29-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-32-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-34-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-39-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-42-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-47-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-49-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-52-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-55-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-57-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-61-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-65-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-64-0x0000000002A60000-0x0000000002A67000-memory.dmp
memory/1292-63-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-62-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-60-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-73-0x0000000077721000-0x0000000077722000-memory.dmp
memory/1292-74-0x0000000077880000-0x0000000077882000-memory.dmp
memory/1292-59-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-58-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-56-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-54-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-53-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-51-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-50-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-48-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-46-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-45-0x0000000140000000-0x0000000140330000-memory.dmp
memory/2824-102-0x00000000000F0000-0x00000000000F7000-memory.dmp
memory/1292-44-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-43-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-41-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-40-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-38-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-37-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-36-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-35-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-33-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-31-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-30-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-27-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-26-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-24-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-23-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-22-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-20-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-19-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-18-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-17-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-15-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-14-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-12-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-11-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-10-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1292-9-0x0000000140000000-0x0000000140330000-memory.dmp
memory/2212-119-0x0000000000220000-0x0000000000227000-memory.dmp
memory/1292-164-0x0000000077616000-0x0000000077617000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\kZ6uFw6\SYSDM.CPL
| MD5 | 09c71a09cef9a98a8dea86c121f05a94 |
| SHA1 | a2c5df2227acafd497c3f2caaa531cb1fdf914e0 |
| SHA256 | d719dd6f6fea9ac5a095b105f655c9289bb9de985626f2ae2e86fbd4b7392652 |
| SHA512 | 4bb670976ca5d92d147c95758bfcaa1fd0ce7b56479898f0c90eb8522e6e9cb53fb86b4ffacf3faa2889edf0f28bde90d0b4d6cb7c3dba8df3f087822f4d2380 |
C:\Users\Admin\AppData\Roaming\Adobe\weHqdR2RES\SYSDM.CPL (captured at zero bytes: the four digests below are those of empty input; the Run value Fskzoiv above points into this same directory)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\iUKo\VERSION.dll
| MD5 | 5c846691f6d01417f9dc44728818c18f |
| SHA1 | 85d11e4e947647cb84b7a50a018ce10cf23862ba |
| SHA256 | 7c00f68bcfd802dcff0635d94311171fcc014a0ea503a7432b1582b3a1c6c04d |
| SHA512 | a853d62879ac2919e915a8558ca560d97e902fea5e63006b695f695580ce60e0999745d6242ef4815bf57ec02aa844d3dbf2cb2a7bd97fd0afeb5e21ef2bf21d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-04 06:38
Reported
2024-01-04 06:41
Platform
win10v2004-20231215-en
Max time kernel
1s
Max time network
139s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4026cd85c6fc0589fac383abfe0f1982.dll,#1
C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\LicensingUI.exe
C:\Windows\system32\ProximityUxHost.exe
C:\Windows\system32\ProximityUxHost.exe
C:\Windows\system32\PresentationHost.exe
C:\Windows\system32\PresentationHost.exe
C:\Users\Admin\AppData\Local\kBvRKOU\PresentationHost.exe
C:\Users\Admin\AppData\Local\kBvRKOU\PresentationHost.exe
C:\Users\Admin\AppData\Local\5L3w\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\5L3w\ProximityUxHost.exe
C:\Users\Admin\AppData\Local\psroA5Use\LicensingUI.exe
C:\Users\Admin\AppData\Local\psroA5Use\LicensingUI.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 138.91.171.81:80 | | tcp |
| IE | 20.223.35.26:443 | | tcp |
| GB | 96.16.110.114:80 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| GB | 96.16.110.114:80 | | tcp |
| US | 138.91.171.81:80 | | tcp |
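The report attributes none of these connections to a process and names no C2 domain, so the table has to be triaged rather than read. Two things matter: which TCP destinations the capture contains a forward lookup for (only g.bing.com here) and which are direct-to-IP, and whether the many PTR queries to 8.8.8.8 say anything about the hosts contacted (they do not: the addresses they ask about are not among the TCP destinations, so they are the guest's own reverse lookups, not evidence). The script below is an added example and not sandbox output; its rows are copied from this table with the columns normalised. A "no forward lookup" hit is a lead for a threat-intel check, not a verdict, since Windows itself opens IP-literal connections.

```python
"""Split the behavioral2 Network table into forward DNS lookups, reverse (PTR)
lookups and TCP connections, then list the connections the capture never saw a
forward lookup for. Added example, not sandbox output; the rows are copied from
the report with the columns normalised to Country|Destination|Domain|Proto."""
from collections import Counter

NETWORK_ROWS = """\
US|8.8.8.8:53|59.128.231.4.in-addr.arpa|udp
US|8.8.8.8:53|g.bing.com|udp
US|204.79.197.200:443|g.bing.com|tcp
US|8.8.8.8:53|74.32.126.40.in-addr.arpa|udp
US|8.8.8.8:53|180.178.17.96.in-addr.arpa|udp
US|8.8.8.8:53|95.221.229.192.in-addr.arpa|udp
US|138.91.171.81:80||tcp
US|8.8.8.8:53|241.154.82.20.in-addr.arpa|udp
US|8.8.8.8:53|205.47.74.20.in-addr.arpa|udp
US|8.8.8.8:53|50.23.12.20.in-addr.arpa|udp
US|8.8.8.8:53|41.110.16.96.in-addr.arpa|udp
US|8.8.8.8:53|146.78.124.51.in-addr.arpa|udp
US|8.8.8.8:53|206.23.85.13.in-addr.arpa|udp
US|8.8.8.8:53|104.241.123.92.in-addr.arpa|udp
US|8.8.8.8:53|119.110.54.20.in-addr.arpa|udp
US|8.8.8.8:53|176.178.17.96.in-addr.arpa|udp
US|8.8.8.8:53|217.135.221.88.in-addr.arpa|udp
US|8.8.8.8:53|32.134.221.88.in-addr.arpa|udp
US|8.8.8.8:53|240.221.184.93.in-addr.arpa|udp
GB|96.16.110.114:80||tcp
US|138.91.171.81:80||tcp
IE|20.223.35.26:443||tcp
GB|96.16.110.114:80||tcp
NL|52.142.223.178:80||tcp
NL|52.142.223.178:80||tcp
US|204.79.197.200:443|g.bing.com|tcp
GB|96.16.110.114:80||tcp
US|138.91.171.81:80||tcp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text=NETWORK_ROWS):
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = (field.strip() for field in line.split("|"))
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Reverse-DNS name to the IPv4 address it asks about: the octets are listed
    least-significant first, so '59.128.231.4.in-addr.arpa' is 4.231.128.59."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not an IPv4 PTR name: {name}")
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"malformed PTR name: {name}")
    return ".".join(reversed(octets))


def classify(rows):
    """Forward lookups, PTR-queried IPs, and TCP destinations split by whether the
    capture contains a forward lookup that explains them."""
    dns = [r for r in rows if r["proto"] == "udp" and r["dest"].endswith(":53")]
    forward = {r["domain"] for r in dns if not r["domain"].endswith(PTR_SUFFIX)}
    reverse_ips = {ptr_to_ip(r["domain"]) for r in dns if r["domain"].endswith(PTR_SUFFIX)}
    resolved, unresolved = {}, Counter()
    for r in rows:
        if r["proto"] != "tcp":
            continue
        if r["domain"] and r["domain"] in forward:
            resolved[r["dest"]] = r["domain"]
        else:
            unresolved[r["dest"]] += 1  # direct-to-IP: count the connection attempts
    return {"forward": forward, "reverse_ips": reverse_ips,
            "resolved": resolved, "unresolved": dict(unresolved)}


def ptr_overlap(result):
    """TCP destination IPs that were also the subject of a PTR query. An empty
    result means the PTR traffic says nothing about the hosts actually contacted."""
    tcp_ips = {dest.rsplit(":", 1)[0] for dest in (*result["resolved"], *result["unresolved"])}
    return sorted(tcp_ips & result["reverse_ips"])


if __name__ == "__main__":
    result = classify(parse_rows())
    print("forward lookups:", sorted(result["forward"]))
    print("resolved TCP:", result["resolved"])
    print("TCP with no forward lookup in capture:")
    for dest, count in sorted(result["unresolved"].items()):
        print(f"  {dest}  ({count} connection(s))")
    print("PTR-queried IPs that were also contacted:", ptr_overlap(result))
```

For this table the four direct-to-IP destinations (138.91.171.81:80, 96.16.110.114:80, 20.223.35.26:443, 52.142.223.178:80) are the ones to check against threat intelligence, and the overlap between PTR-queried addresses and contacted hosts is empty.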
Files
memory/348-1-0x00000202A5CE0000-0x00000202A5CE7000-memory.dmp
memory/348-0-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-4-0x0000000003550000-0x0000000003551000-memory.dmp
memory/3388-8-0x00007FFF5834A000-0x00007FFF5834B000-memory.dmp
memory/3388-10-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-12-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-15-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-18-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-21-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-24-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-25-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-29-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-34-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-37-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-40-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-44-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-47-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-50-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-53-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-58-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-61-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-63-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-66-0x0000000003530000-0x0000000003537000-memory.dmp
memory/3388-64-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-73-0x00007FFF59DC0000-0x00007FFF59DD0000-memory.dmp
memory/3388-62-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-60-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-59-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-57-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-56-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-55-0x0000000140000000-0x0000000140330000-memory.dmp
memory/1876-95-0x0000026F7F3A0000-0x0000026F7F3A7000-memory.dmp
memory/2864-110-0x0000022B30E90000-0x0000022B30E97000-memory.dmp
memory/3136-129-0x0000027A56E20000-0x0000027A56E27000-memory.dmp
memory/3388-54-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-52-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-51-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-49-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-48-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-46-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-45-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-43-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-41-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-42-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-39-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-38-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-36-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-35-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-33-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-32-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-31-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-30-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-28-0x0000000140000000-0x0000000140330000-memory.dmp
memory/348-27-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-26-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-23-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-22-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-20-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-19-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-17-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-16-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-14-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-13-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-11-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-9-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-6-0x0000000140000000-0x0000000140330000-memory.dmp
memory/3388-7-0x0000000140000000-0x0000000140330000-memory.dmp