Analysis Overview
SHA256
c0c69e522ae5c3b3b0dabd843731da4aa1b15dfc5303b0f6befab26d069b0b8b
Threat Level: Known bad
The file 4a2c8efbeaed542cdb2879dac9c2e8bf was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-08 00:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-08 00:24
Reported
2024-01-08 00:27
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
107s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a2c8efbeaed542cdb2879dac9c2e8bf.dll,#1
C:\Windows\system32\sethc.exe
C:\Windows\system32\sethc.exe
C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe
C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\Gi1mx\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\Gi1mx\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\KdrIReL\AgentService.exe
C:\Users\Admin\AppData\Local\KdrIReL\AgentService.exe
C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe
C:\Users\Admin\AppData\Local\KdrIReL\ACTIVEDS.dll
C:\Users\Admin\AppData\Local\Gi1mx\dxgi.dll
C:\Users\Admin\AppData\Local\Gi1mx\dxgi.dll
C:\Users\Admin\AppData\Local\Gi1mx\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\Gi1mx\ApplicationFrameHost.exe
C:\Users\Admin\AppData\Local\KdrIReL\AgentService.exe
C:\Users\Admin\AppData\Local\KdrIReL\ACTIVEDS.dll
C:\Users\Admin\AppData\Local\KdrIReL\AgentService.exe
C:\Users\Admin\AppData\Local\SDbszdPs\WTSAPI32.dll
C:\Users\Admin\AppData\Local\SDbszdPs\WTSAPI32.dll
C:\Users\Admin\AppData\Local\SDbszdPs\sethc.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\ozRQ\WTSAPI32.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\XG\ACTIVEDS.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\KCbIPvU8Tp\dxgi.dll
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-08 00:24
Reported
2024-01-08 00:27
Platform
win7-20231129-en
Max time kernel
3s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a2c8efbeaed542cdb2879dac9c2e8bf.dll,#1
C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
C:\Users\Admin\AppData\Local\EepN2W49\WFS.exe
C:\Users\Admin\AppData\Local\EepN2W49\WFS.exe
C:\Users\Admin\AppData\Local\3hUWomu\Dxpserver.exe
C:\Users\Admin\AppData\Local\3hUWomu\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\Dxpserver.exe
C:\Windows\system32\fvenotify.exe
C:\Windows\system32\fvenotify.exe
C:\Users\Admin\AppData\Local\On78JpNs\fvenotify.exe
C:\Users\Admin\AppData\Local\On78JpNs\fvenotify.exe
Network
Files