Analysis Overview
SHA256
788c8c4c4140e9468f1ee6afb20321a2ce295d495c360f52984467b2b2d827c6
Threat Level: Known bad
The file 498fb42905d2efd2723173ab782824c2.exe was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-07 19:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-07 19:38
Reported
2024-01-07 19:41
Platform
win7-20231215-en
Max time kernel
3s
Max time network
119s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\498fb42905d2efd2723173ab782824c2.dll,#1 |
| C:\Windows\system32\WFS.exe | C:\Windows\system32\WFS.exe |
| C:\Users\Admin\AppData\Local\pf47\WFS.exe | C:\Users\Admin\AppData\Local\pf47\WFS.exe |
| C:\Windows\system32\eudcedit.exe | C:\Windows\system32\eudcedit.exe |
| C:\Users\Admin\AppData\Local\Dyy\eudcedit.exe | C:\Users\Admin\AppData\Local\Dyy\eudcedit.exe |
| C:\Users\Admin\AppData\Local\fdKY32bvI\Dxpserver.exe | C:\Users\Admin\AppData\Local\fdKY32bvI\Dxpserver.exe |
| C:\Windows\system32\Dxpserver.exe | C:\Windows\system32\Dxpserver.exe |
Network
Files
memory/1768-1-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1768-0-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-4-0x00000000770B6000-0x00000000770B7000-memory.dmp
memory/1188-14-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-29-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-38-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-44-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-45-0x0000000002D30000-0x0000000002D37000-memory.dmp
memory/1188-46-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-55-0x0000000077320000-0x0000000077322000-memory.dmp
memory/1188-54-0x00000000771C1000-0x00000000771C2000-memory.dmp
memory/1188-53-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-64-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-73-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-70-0x0000000140000000-0x00000001401C1000-memory.dmp
C:\Users\Admin\AppData\Local\pf47\MFC42u.dll
| MD5 | 5054d2bbffbe43dfbb15d7011b99b20c |
| SHA1 | 10deeca8cb605f79bef3c161cda43fc08d5dcbd7 |
| SHA256 | 0f8d0b529e1b5a5c20aec079a640a790640a2a4f4ffaae25aea670bfdf345780 |
| SHA512 | 567bd0b61d7fc7cd286d34eebe6123077e540ce9cc2be4bdbf7221ebb104d99c4ba813cc05523fe2b3adfe2b6af92fcd34464283c5a2439bcff88d627a7e0571 |
memory/1468-84-0x00000000001B0000-0x00000000001B7000-memory.dmp
memory/1468-82-0x0000000140000000-0x00000001401C8000-memory.dmp
\Users\Admin\AppData\Local\pf47\WFS.exe
| MD5 | a943d670747778c7597987a4b5b9a679 |
| SHA1 | c48b760ff9762205386563b93e8884352645ef40 |
| SHA256 | 1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610 |
| SHA512 | 3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934 |
memory/1188-43-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-42-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-41-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-40-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-39-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-37-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-36-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-35-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-34-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-33-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-32-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-31-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-30-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-28-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-27-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-26-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-25-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-24-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-23-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-22-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-21-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-20-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-19-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-18-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-17-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1608-106-0x0000000001AB0000-0x0000000001AB7000-memory.dmp
memory/1188-16-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-15-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-13-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-12-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-11-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-10-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-9-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1768-8-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-7-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/1188-5-0x0000000002D50000-0x0000000002D51000-memory.dmp
\Users\Admin\AppData\Local\fdKY32bvI\dwmapi.dll
| MD5 | 638a1a5f6ceae56e71dcde230c4b6a23 |
| SHA1 | 87af92e94a3ec0ef39b6c5531c9ecda9d98999aa |
| SHA256 | f955546ed55cf4cad1a9dc46bcc4ff342dcb70150cfb290de8d34d4176561ebd |
| SHA512 | cff1587008f5d1048808970501ca397b72be39c1ce889133fa7a10d827e72ba230d317a4a78fb687682bb4942c2202d775ff3a5658edc40d073b99249faa932c |
memory/2476-128-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1188-159-0x00000000770B6000-0x00000000770B7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-07 19:38
Reported
2024-01-07 19:42
Platform
win10v2004-20231215-en
Max time kernel
0s
Max time network
144s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\498fb42905d2efd2723173ab782824c2.dll,#1 |
| C:\Windows\system32\DevicePairingWizard.exe | C:\Windows\system32\DevicePairingWizard.exe |
| C:\Windows\system32\MoUsoCoreWorker.exe | C:\Windows\system32\MoUsoCoreWorker.exe |
| C:\Users\Admin\AppData\Local\e3jRbu\cmstp.exe | C:\Users\Admin\AppData\Local\e3jRbu\cmstp.exe |
| C:\Windows\system32\cmstp.exe | C:\Windows\system32\cmstp.exe |
| C:\Users\Admin\AppData\Local\DlX1E5sm9\MoUsoCoreWorker.exe | C:\Users\Admin\AppData\Local\DlX1E5sm9\MoUsoCoreWorker.exe |
| C:\Users\Admin\AppData\Local\lELrzgPm1\DevicePairingWizard.exe | C:\Users\Admin\AppData\Local\lELrzgPm1\DevicePairingWizard.exe |
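Both detonations show the same layout: Windows binaries (WFS.exe, eudcedit.exe, Dxpserver.exe, cmstp.exe, MoUsoCoreWorker.exe, DevicePairingWizard.exe) executing from randomly named directories under %LOCALAPPDATA%, and in behavioral1 a DLL with a System32 name (MFC42u.dll, dwmapi.dll) dropped into the same directory as the relocated binary, which is the file arrangement used for DLL search-order hijacking. The initial rundll32 command line also loads the sample from %TEMP% and names its export by ordinal (#1). The script below is an added example, not part of this sandbox report or its vendor's tooling: it reads a process list, dropped-file list, command lines and registry queries transcribed from the two behavioral sections above and flags those three patterns plus the EnableLUA read behind "Checks whether UAC is enabled". The sets of "system binary" and "system DLL" names are an assumption of the example built only from names that occur in this report, not a maintained catalogue.

```python
"""Triage helpers for a sandbox process/file listing (added example).

The sample lists below are transcribed from the report's behavioral1 and
behavioral2 sections. SYSTEM_BINARY_NAMES / SYSTEM_DLL_NAMES are an assumption
of this example (names seen in the report only), not a vendor list.
"""
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Microsoft binaries the report shows running from %LOCALAPPDATA% sub-directories.
SYSTEM_BINARY_NAMES = {
    "wfs.exe", "eudcedit.exe", "dxpserver.exe",
    "cmstp.exe", "mousocoreworker.exe", "devicepairingwizard.exe",
}
# DLL names that normally resolve from System32; a copy beside one of the
# binaries above is the DLL search-order hijack (side-load) layout.
SYSTEM_DLL_NAMES = {"mfc42u.dll", "dwmapi.dll"}

UAC_VALUE = (r"\registry\machine\software\microsoft\windows"
             r"\currentversion\policies\system\enablelua")

# Process image paths from the report, duplicates collapsed.
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\WFS.exe",
    r"C:\Users\Admin\AppData\Local\pf47\WFS.exe",
    r"C:\Windows\system32\eudcedit.exe",
    r"C:\Users\Admin\AppData\Local\Dyy\eudcedit.exe",
    r"C:\Users\Admin\AppData\Local\fdKY32bvI\Dxpserver.exe",
    r"C:\Windows\system32\Dxpserver.exe",
    r"C:\Users\Admin\AppData\Local\e3jRbu\cmstp.exe",
    r"C:\Windows\system32\cmstp.exe",
    r"C:\Users\Admin\AppData\Local\DlX1E5sm9\MoUsoCoreWorker.exe",
    r"C:\Users\Admin\AppData\Local\lELrzgPm1\DevicePairingWizard.exe",
]
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\pf47\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\pf47\WFS.exe",
    r"C:\Users\Admin\AppData\Local\fdKY32bvI\dwmapi.dll",
]
COMMAND_LINES = [
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\498fb42905d2efd2723173ab782824c2.dll,#1",
]
REGISTRY_QUERIES = [  # (process, value path) from the "Checks whether UAC is enabled" rows
    (r"C:\Windows\system32\rundll32.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
]


def in_system_dir(path):
    """True if the path lies under a Windows system directory (case-insensitive)."""
    return ntpath.normcase(path).startswith(SYSTEM_DIRS)


def relocated_system_binaries(processes):
    """System-binary names executing from outside System32/SysWOW64."""
    return [p for p in processes
            if ntpath.basename(p).lower() in SYSTEM_BINARY_NAMES and not in_system_dir(p)]


def sideload_candidates(processes, dropped):
    """Pair each relocated binary with a system-named DLL dropped into its directory."""
    dlls_by_dir = {}
    for f in dropped:
        if ntpath.basename(f).lower() in SYSTEM_DLL_NAMES:
            dlls_by_dir.setdefault(ntpath.normcase(ntpath.dirname(f)), []).append(f)
    return [(exe, dll)
            for exe in relocated_system_binaries(processes)
            for dll in dlls_by_dir.get(ntpath.normcase(ntpath.dirname(exe)), [])]


def rundll32_findings(cmdline):
    """Reasons a 'rundll32.exe <dll>,<entry>' command line is suspicious ([] if none)."""
    exe, _, rest = cmdline.strip().partition(" ")
    if ntpath.basename(exe.strip('"')).lower() != "rundll32.exe" or not rest:
        return []
    dll, _, entry = rest.strip().partition(",")
    reasons = []
    if not in_system_dir(dll.strip().strip('"')):
        reasons.append("dll loaded from user-writable path")
    if entry.strip().startswith("#"):          # ordinal hides the export's name
        reasons.append("export referenced by ordinal")
    return reasons


def uac_probes(queries):
    """Processes that read EnableLUA, the value behind 'Checks whether UAC is enabled'."""
    return sorted({proc for proc, value in queries if ntpath.normcase(value) == UAC_VALUE})


def triage(processes=PROCESSES, dropped=DROPPED_FILES,
           cmdlines=COMMAND_LINES, queries=REGISTRY_QUERIES):
    """Summarise all four checks for one report."""
    return {
        "relocated_binaries": relocated_system_binaries(processes),
        "sideload_pairs": sideload_candidates(processes, dropped),
        "rundll32": {c: rundll32_findings(c) for c in cmdlines if rundll32_findings(c)},
        "uac_probes": uac_probes(queries),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

On this report the script yields six relocated binaries, two exe/DLL pairs (pf47\WFS.exe with MFC42u.dll, fdKY32bvI\Dxpserver.exe with dwmapi.dll), both rundll32 reasons for the initial command line, and rundll32.exe as the EnableLUA reader. The same functions apply to a live process-creation/file-write feed; the only report-specific parts are the transcribed lists and the two name sets.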
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/2988-2-0x00000157FD5A0000-0x00000157FD5A7000-memory.dmp
memory/2988-1-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/2988-0-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-15-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-22-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-29-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-35-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-42-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-47-0x0000000008EA0000-0x0000000008EA7000-memory.dmp
memory/3480-54-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-55-0x00007FFB321E0000-0x00007FFB321F0000-memory.dmp
memory/3480-66-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-64-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-46-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-45-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-44-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-43-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-41-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-40-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3288-76-0x0000000140000000-0x00000001401C8000-memory.dmp
memory/3288-82-0x0000000140000000-0x00000001401C8000-memory.dmp
memory/4408-100-0x0000000140000000-0x00000001401C2000-memory.dmp
memory/3692-120-0x0000000140000000-0x00000001401C2000-memory.dmp
memory/3692-115-0x0000020E2BCC0000-0x0000020E2BCC7000-memory.dmp
memory/3692-113-0x0000020E2BCB0000-0x0000020E2BE72000-memory.dmp
memory/4408-96-0x00000179559D0000-0x00000179559D7000-memory.dmp
memory/4408-94-0x0000000140000000-0x00000001401C2000-memory.dmp
memory/4408-93-0x0000000140000000-0x00000001401C2000-memory.dmp
memory/3288-78-0x0000025B291F0000-0x0000025B291F7000-memory.dmp
memory/3288-75-0x0000000140000000-0x00000001401C8000-memory.dmp
memory/3480-39-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-38-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-37-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-36-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-34-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-33-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-32-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-31-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-30-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-28-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-27-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-26-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-25-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-24-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-23-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-21-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-20-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-19-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-18-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-17-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-16-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-14-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-13-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-12-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-11-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-10-0x00007FFB30A7A000-0x00007FFB30A7B000-memory.dmp
memory/3480-9-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/2988-8-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-7-0x0000000140000000-0x00000001401C1000-memory.dmp
memory/3480-5-0x00000000092D0000-0x00000000092D1000-memory.dmp