Analysis Overview
SHA256
9fc724df4f2ae0f2d2b3a04540cf737782e0b77e296a03ec25418f3f36f05a6b
Threat Level: Known bad
The file 661942dec5f555ea16390ab0b8805570.exe was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Dridex payload
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-06 10:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-06 10:22
Reported
2024-01-06 10:25
Platform
win7-20231215-en
Max time kernel
3s
Max time network
121s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dridex payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\661942dec5f555ea16390ab0b8805570.dll,#1
C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
C:\Users\Admin\AppData\Local\M1S\msconfig.exe
C:\Users\Admin\AppData\Local\M1S\msconfig.exe
C:\Users\Admin\AppData\Local\ZMSh1J\TpmInit.exe
C:\Users\Admin\AppData\Local\ZMSh1J\TpmInit.exe
C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
C:\Users\Admin\AppData\Local\tM5G1qq\shrpubw.exe
C:\Users\Admin\AppData\Local\tM5G1qq\shrpubw.exe
C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
Network
Files
\Users\Admin\AppData\Local\tM5G1qq\srvcli.dll
| Hash | Value |
| --- | --- |
| MD5 | 15e64f4d02b58fcfbdd521882f43517e |
| SHA1 | 7ebec2ce9978f54bc8e649698cfcbfe1ee6d79a2 |
| SHA256 | 20c9af64d803ed4e44a680f22de1f8f429eedcf7ae9ec86acbe59c7dd6e821c0 |
| SHA512 | aa730f2b64897739fb529bb633cd82940890de0cf4d33de6e9c2ace409f3f8359d6b5806eb08e4b2d06ea8046c0d0b9a9c04c9d5411ef9878716af1adf6c0d26 |
C:\Users\Admin\AppData\Local\tM5G1qq\shrpubw.exe
| Hash | Value |
| --- | --- |
| MD5 | 29e6d0016611c8f948db5ea71372f76c |
| SHA1 | 01d007a01020370709cd6580717f9ace049647e8 |
| SHA256 | 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930 |
| SHA512 | 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-06 10:22
Reported
2024-01-06 10:25
Platform
win10v2004-20231222-en
Max time network
9s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.143.123.92.in-addr.arpa | udp |