Analysis Overview
SHA256
7c001fa46c93bc6147cf0e2fafbbf52213c1ec82788aa9bba51c89bb12cfe90f
Threat Level: Known bad
The file 679f5677802f338adc80c1c2058b5f66 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Analysis: static1
Detonation Overview
Reported
2024-01-19 12:26
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-19 12:26
Reported
2024-01-19 12:29
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\cNk17rkA1\\rdpshell.exe" | N/A | N/A |
The value data points at C:\Users\Admin\AppData\Roaming\Identities\cNk17rkA1\rdpshell.exe, a different directory from the AppData\Local\rROJpS copy that ran during detonation. The Files list below records a WTSAPI32.dll written into that Roaming\Identities\cNk17rkA1 directory (the rdpshell.exe copy itself is not captured in the Files list), so the persisted copy is positioned to side-load the same DLL name as the copy that ran.
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Further events under this signature carry no process attribution in the export.
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1256 wrote to memory of 2588 (three writes) | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 1256 wrote to memory of 2632 (three writes) | N/A | N/A | C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe |
| PID 1256 wrote to memory of 476 (three writes) | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 1256 wrote to memory of 1484 (three writes) | N/A | N/A | C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe |
| PID 1256 wrote to memory of 2912 (three writes) | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 1256 wrote to memory of 2596 (three writes) | N/A | N/A | C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE |
PID 1256 is not named in the Processes list, so the writing process cannot be identified from this report; its memory dumps below carry the same 0x0000000140000000-0x000000014016A000 image as PID 1700, so the loader image was mapped into 1256 before it began writing into the spawned binaries. For each host binary the writer first targets the System32 original (2588, 476, 2912) and then the copy under AppData\Local (2632, 1484, 2596).
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\679f5677802f338adc80c1c2058b5f66.dll,#1
C:\Windows\system32\psr.exe
C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe
C:\Windows\system32\rdpshell.exe
C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe
C:\Windows\system32\DWWIN.EXE
C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE
Each process is listed once; in the export every image path was followed by an identical command line. psr.exe, rdpshell.exe and DWWIN.EXE are Windows binaries shipped in System32: in each case the System32 original is started first, then a copy in a randomly named AppData\Local directory, and the Files list below shows a DLL bearing a system DLL name (VERSION.dll next to psr.exe and DWWIN.EXE, WTSAPI32.dll next to rdpshell.exe) written into the same directory, so the copy resolves that import from its own directory before System32.
Network
No network activity was recorded in this run.
Files
memory/1700-0-0x00000000000A0000-0x00000000000A7000-memory.dmp
memory/1700-1-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-4-0x00000000773A6000-0x00000000773A7000-memory.dmp
memory/1256-5-0x00000000029A0000-0x00000000029A1000-memory.dmp
memory/1700-12-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-15-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-18-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-20-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-23-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-22-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-24-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-29-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-32-0x0000000001CD0000-0x0000000001CD7000-memory.dmp
memory/1256-31-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-30-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-28-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-27-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-26-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-25-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-21-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-41-0x0000000077710000-0x0000000077712000-memory.dmp
memory/1256-40-0x00000000775B1000-0x00000000775B2000-memory.dmp
memory/1256-39-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-19-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-17-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-16-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-14-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-13-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-11-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-50-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-56-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-10-0x0000000140000000-0x000000014016A000-memory.dmp
\Users\Admin\AppData\Local\MV9PFCsb\psr.exe
| MD5 | 2b49d7a773b5bb08e31c56e849d7cdc2 |
| SHA1 | 436483053909dd1125a45dcec3a2d9ade77e8600 |
| SHA256 | 2bc0a0b3e5cf75831bad4055f4201fc59b9a293f1971b1d1d4e3bac53fc3e9ea |
| SHA512 | 427087c3fc497236e05c70de84cd848d227cb7415b67a1daab717e80027a9d92690765ce371d744aaf7fdb6d657883339b308f66412a162e640b37536615b9c6 |
C:\Users\Admin\AppData\Local\MV9PFCsb\VERSION.dll
| MD5 | 0ed3fa6e52776eb7028ebee97e05eba2 |
| SHA1 | f6b913e04b3d129c32e43b6278b1b849c1c58d34 |
| SHA256 | ef5a59e45bdcfd212ae07018d30a1be7ad71bbf27dfc9148867f09b8395acd4a |
| SHA512 | 3244ca4a90c75a005dffc7446f19e8c64e08f027b59f725a382bddae8e04dd5417d9348976ebf6806c55fb12bc695190459d24498c609c1f13fee840dfb57456 |
\Users\Admin\AppData\Local\MV9PFCsb\VERSION.dll
| MD5 | 32f8774a09ab9250133235037718eea5 |
| SHA1 | 301f49f0a86b69bbe7fca85b23aa32c15a370160 |
| SHA256 | d45ce5dc62519739f1ddde8d57f17cfd4408a877b35dc839b1c300aad81ff377 |
| SHA512 | 5f96b34e46b5a2b73e2c37fa83bedf27f1908322101e37a51086de92662fe4d408b364eec7931fd1304a9cb1eabce21703a14d2adb122f4bcdb3f8e1b856f971 |
C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe
| MD5 | 38382d1273b37fbcf2ef43d20df39013 |
| SHA1 | 68a68ac5f3cd728e417e0e58d226f95d6b52c473 |
| SHA256 | 79ef84b0b50cd965742335555aaea1cf0f91e725c4034351b0895f76e84213cf |
| SHA512 | 53fa597cffcb481099b5fc72537cef7a3cb04e79dac7fcb540453a603a038f4fc639b302c1dd7d3284569f5e36cf91d22292c94648ff7246f38d263a29b67992 |
memory/2632-68-0x0000000000110000-0x0000000000117000-memory.dmp
memory/2632-69-0x0000000140000000-0x000000014016B000-memory.dmp
memory/2632-73-0x0000000140000000-0x000000014016B000-memory.dmp
memory/1256-9-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-8-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1256-7-0x0000000140000000-0x000000014016A000-memory.dmp
C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe
| MD5 | 51a63d55e43f4dc5655d271a18c1f7e3 |
| SHA1 | 3034875b78e06a0ea7096031c22a2d5051f7522f |
| SHA256 | 1dc000cc391ac33ead458c91c4c6521c38f6552dd11ee4a3114f3d2f70194a8e |
| SHA512 | b5feb2599e60ab1c4f60430dd2dfde4db84efb4ea87c9170af9ceabe7e9ac5e87c40c81933b2d49a363ece3527ca4b4df40b015a4e59e873ec004f594051f068 |
\Users\Admin\AppData\Local\rROJpS\WTSAPI32.dll
| MD5 | c2b92f11a11f174629d9fc04f2ea7eac |
| SHA1 | 3920473b698ed74413e5ee898955b53c6f8c5318 |
| SHA256 | 433f4411b019ffb962dafaf42aa68c7be6a4f27c3819ba1bcdf6729e833e9136 |
| SHA512 | bb7c1df8112a0cf27e17bcd0fcd60be54af9eeb00c90be84ce232f642feaf9e272861d180a88f7644356497fcaa5ae6434f2bab74dfea2a7888c69e0f1636e0b |
memory/1484-92-0x00000000000F0000-0x00000000000F7000-memory.dmp
memory/1484-97-0x0000000140000000-0x000000014016B000-memory.dmp
C:\Users\Admin\AppData\Local\rROJpS\WTSAPI32.dll
| MD5 | be21b393717f06dbc9d05d1f77a2cfef |
| SHA1 | 649c0a10797212e0c6c648c7bb5c7998538a1acd |
| SHA256 | 21949c94bfdd978e7beb433143b95d5bbc2c4792735cf8707a3b83bc527838fa |
| SHA512 | 40301687134b4f0f369b371692ebe3f87187017194b2744db86778e9a0c7a2fd3f0c20797870b173001968cd663daf7d9a08c5342df7f4ff23149cbb3cd9be22 |
C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe
| MD5 | 754f7871ad9feabbafb79db819faad77 |
| SHA1 | 9d2478c0128ef07a2100226294fa67a8639a4ac4 |
| SHA256 | 98cbd1418286dc9c46031a5dd0391d820dba55eb8cfcb57d23ff6762bd642986 |
| SHA512 | fa2e2c9423a62c595893b325b85f0315fc8ac7e1086e22bbc12b2f24467db8800f7ccbb67a2cf6257bbc79df19df79cf7c4aad172551c6bdf9503beccbfd04f2 |
\Users\Admin\AppData\Local\rROJpS\rdpshell.exe
| MD5 | b6c2251539732cabcac4402bedd804ec |
| SHA1 | 8baf7dc7cb7316066e59856f7928ba0b1de5bf84 |
| SHA256 | 0199d976bbddeb1b16afbf85c6168301ddc4fb167cb3c3c4ec33e07f793a55a7 |
| SHA512 | 529126a3507db4cef14f1021c8212f3d72a1f932a0f33ab637b300bc98894c478631a76312fcb4724ede4c8f00303dc037da78e7f44eb6eb86c3cf503c9ef2df |
C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe
| MD5 | a262e4b1669a85e0ba25a03a4039bab0 |
| SHA1 | 6f08df16ff05ee4da069d1cc9089a02b95bf5a0d |
| SHA256 | 169faa2a633af682fdf36f3cfb193019df8028922fd3a6de18cb25128d26318c |
| SHA512 | d6de0bddeb9015e387ce4744822e66adfee7fdb25b78c6fe995f02d87ba64d1881c5a7a633ea152a9b9d368334da50ee68e367c18873c04589f42f185f25c10f |
C:\Users\Admin\AppData\Local\8KCIv\VERSION.dll
| MD5 | 6064b8f30bcd7072a98f9773e44c4035 |
| SHA1 | 909f8c53d7db15c3a8e532ffb4770ff9e087904e |
| SHA256 | 87ff8d061e4ce447dff6893482f911a98945ce7525f3a052571a14526249f938 |
| SHA512 | 0d6f2bc53525c4b1834a1c885a5cd5685364bb6604bd36c24131d7a8645da094878932b3f4a41386a93932f3a66018f8540c7b09c3ed0ee2a77bcf58c11d4bfd |
\Users\Admin\AppData\Local\8KCIv\VERSION.dll
| MD5 | c25d0beb1bc99e68fbf790d7348e8e5e |
| SHA1 | bc857c15b0c42429962979f01a937d1ef4c31c47 |
| SHA256 | 5db0d61aee0b175106e67c26967b34b465ea67acc472992c46216a621f838baf |
| SHA512 | 1ec3d60496fe4b2005d36fac89fc82615f8eb239760dd24085738267ce7d4142dfd9d17803039e88b7b1219a939906bf14e1eeaa91b8f206eb19ece79daf1cb4 |
memory/2596-115-0x0000000140000000-0x000000014016B000-memory.dmp
memory/2596-112-0x0000000000180000-0x0000000000187000-memory.dmp
C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE
| MD5 | c40e3ac357d53db3e87cd9550d7f5673 |
| SHA1 | 6838f08269981e8c2e9d1128bd8afe8ada1f69e2 |
| SHA256 | c9fe84f54804c39845ba0b0668a1cc713569f05cc9f2d1f3e7fc3efa12d64ee6 |
| SHA512 | 7c15e2303e27b0d6b8ec56a40780510d99723d45f0739fb702dfb4330331cf6b3a8c5138e9bc91b9533ef6f829da6ca9edd7e86a2191fdacc872fc33ea15f704 |
\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE
| MD5 | cc593e93a39b5fb69a63c0f1793b49f4 |
| SHA1 | 0b9f87865f469caabc5beaaa4b175f780ffa1104 |
| SHA256 | aeea8a47dcaa3d5e73a41e8d006319e9df51e1e5f983b2a6d91c7b8dd96e63a2 |
| SHA512 | 885a70812880e4fad456606d2967fe05e9b4c55b0cc3028d5592555f28711e68cdd842f859753aa2a34d7823a0480537fb9230397f81a9a1e31dd07cde281f95 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\GYjwXoax4EI\DWWIN.EXE
| MD5 | 4d2171ba2993a7ad8ec778440920eb31 |
| SHA1 | 20c34afda8ca4eae382c104e01f9d851d0410370 |
| SHA256 | a48c64a3e9c55b5b07345f27463dba1819e8d152706f059c3c7ce31f18286da3 |
| SHA512 | 49313d05abc8539d6988df3ea7ac8de08142a0dbc9205039f7b3e2e15dca15db1b411acc5a74215ca9188953f3590f0d3818947d509569804103131e65118389 |
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\GYjwXoax4EI\DWWIN.EXE
| MD5 | b81e20c086a21134104235aa45ca2623 |
| SHA1 | 605f12cdf34813c6de77f8122d24fdf32eb9ef35 |
| SHA256 | 4faafad24207b0a5320ee1ef71c25aaf9517542af0608d7f3c91103414fffcce |
| SHA512 | aba1cb2b6261f59307d616b1429351178b611bbaa57d71c2c49a3e12bb499717bcdb9badf2a01e6c2ad13ae6b2d1871874dcc7d77d8ccbb11ea40d826f6a128c |
memory/1256-131-0x00000000773A6000-0x00000000773A7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk
| MD5 | f54832099084270f768a19b48b99b60a |
| SHA1 | 966a5a0917163e3433be36474b08a0209c5fad3c |
| SHA256 | b92bc3831c873696b358d8bd962aa114d60d76f130f771463f268eb3ae21a3ca |
| SHA512 | 41183cb36af3b0970225010b6209ffa130f04cefeea91ebc378ddfb8c306311e08a327d7262893c2a83a2eb52623848efee3c5688c6cdf2e6762b015460f6ce5 |
C:\Users\Admin\AppData\Roaming\Identities\pWjIq\VERSION.dll
| MD5 | 76aed4a94b23acfdbf3282514aec5d5b |
| SHA1 | 85ccd29984bb1c65a7dadda5d4bfde710b776bdd |
| SHA256 | 71029c3bfe02745f049d22ae406b62bccec443ab40f0e16fb9d5c7b13bf57c89 |
| SHA512 | af12ee34091aa7a68c2556d0d2a70f0d30cb40b29e7ca6bb981fb34e0f6e13a7ae088281f71058ab0c5b45e55b9e563194e808a65280907b7a67fe5e48707388 |
C:\Users\Admin\AppData\Roaming\Identities\cNk17rkA1\WTSAPI32.dll
| MD5 | d33238f17c7a871f8682c5593648a75d |
| SHA1 | 34eb2c0af8fc7b52e216f3251acdcea63d985006 |
| SHA256 | 867f41b788727d482622e3c67c68c0473e743dc17d2ca71843a2b2fd526f6dd7 |
| SHA512 | 4a72a6b1de4d69cd84cd4886d8d4028712ae414f4fbdd76c85298192f09326920b207b60b3479f646a2836600a8d27316019ae09cbbace76a8fb227a0df4fc06 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\GYjwXoax4EI\VERSION.dll
| MD5 | 3177bb54df3646e4820b31b9a53fb954 |
| SHA1 | 8aeaddfeee5a443918e5b72d12508ee442f321a4 |
| SHA256 | 4134fb688470ae345d6ed2b277793d38b5225f5968dd8ffe13479b4d4f987451 |
| SHA512 | adf893bb3d39edd58fae53490c48a036f7cf577baf6d1b54c1adda23689240251673369b474174c0461413f6e4b1b2466fe612914786e71db3da4e22ed8f7df0 |
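The Processes and Files lists above show the pattern shared by the three host binaries in this run: a copy of a System32 executable is started from a randomly named directory under AppData\Local next to a DLL carrying a system DLL name, so the copy loads the dropped DLL instead of the real one. The following Python is an added example, not part of the sandbox report or the sample: it takes process image paths and dropped file paths (constructed here from the behavioral1 lists) and reports each out-of-System32 copy of a binary that also ran from System32, together with the hijackable DLL dropped beside it. The set of DLL names treated as hijackable is an assumption drawn from what this report shows being dropped.

```python
"""Flag DLL search-order hijacking (side-loading) hosts in a sandbox trace.

Added example, not part of the sandbox report or the sample: the two input
lists are constructed from the behavioral1 Processes and Files sections,
and the set of DLL names treated as hijackable is an assumption drawn from
what this report shows being dropped.
"""
import ntpath
from collections import defaultdict

# Constructed from the behavioral1 Processes list (one entry per process).
PROCESS_IMAGES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\psr.exe",
    r"C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe",
    r"C:\Windows\system32\rdpshell.exe",
    r"C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe",
    r"C:\Windows\system32\DWWIN.EXE",
    r"C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE",
]

# Constructed from the behavioral1 Files list; one entry is given without a
# drive letter, as some export lines print it.
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\MV9PFCsb\psr.exe",
    r"C:\Users\Admin\AppData\Local\MV9PFCsb\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\rROJpS\rdpshell.exe",
    r"C:\Users\Admin\AppData\Local\rROJpS\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\8KCIv\DWWIN.EXE",
    r"\Users\Admin\AppData\Local\8KCIv\VERSION.dll",
    r"C:\Users\Admin\AppData\Roaming\Identities\cNk17rkA1\WTSAPI32.dll",
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumption: DLL names an EXE resolves through the search order and which
# this report shows being dropped next to the copied host binary.
HIJACKABLE_DLLS = {"version.dll", "wtsapi32.dll", "activeds.dll", "hid.dll"}


def norm(path):
    """Lower-case, add the drive letter the export sometimes omits, normalise separators."""
    p = path.lower()
    if p.startswith("\\"):
        p = "c:" + p
    return ntpath.normpath(p)


def in_system_dir(path):
    return ntpath.dirname(norm(path)) in SYSTEM_DIRS


def find_sideloading(process_images, dropped_files):
    """Return one finding per binary name that ran both from System32 and from
    another directory, listing any hijackable DLL dropped into that directory.

    Requiring the System32 launch in the same trace avoids a hard-coded list
    of binaries; a binary only ever seen outside System32 is not reported."""
    system_names = {ntpath.basename(norm(p)) for p in process_images if in_system_dir(p)}
    dlls_by_dir = defaultdict(set)
    for f in dropped_files:
        f = norm(f)
        if ntpath.basename(f) in HIJACKABLE_DLLS:
            dlls_by_dir[ntpath.dirname(f)].add(ntpath.basename(f))
    findings, reported = [], set()
    for p in process_images:
        p = norm(p)
        name = ntpath.basename(p)
        if in_system_dir(p) or name in reported or name not in system_names:
            continue
        reported.add(name)
        findings.append({
            "image": p,
            "system_original": ntpath.join(SYSTEM_DIRS[0], name),
            "sideloaded_dlls": sorted(dlls_by_dir.get(ntpath.dirname(p), ())),
        })
    return findings


if __name__ == "__main__":
    for f in find_sideloading(PROCESS_IMAGES, DROPPED_FILES):
        print(f["image"], "copies", f["system_original"], "and sits beside",
              ", ".join(f["sideloaded_dlls"]) or "no hijackable DLL")
```

On this input the three findings are the AppData\Local copies of psr.exe (beside version.dll), rdpshell.exe (beside wtsapi32.dll) and DWWIN.EXE (beside version.dll); rundll32.exe ran only from System32 and is not reported. When a trace does not contain the System32 launch, replace the derived `system_names` set with a fixed inventory of System32 binaries, otherwise a copied binary that the loader never started from its original location will be missed.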
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-19 12:26
Reported
2024-01-19 12:29
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
149s
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\HTwag5\sethc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\HTwag5\sethc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\aEo3fsR\\tabcal.exe" | N/A | N/A |
The value data is written with 8.3 short names. The Files list below shows the same directory in long form, C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\aEo3fsR\, receiving a HID.DLL, the DLL name that was also dropped beside the tabcal.exe copy in AppData\Local\en22fNB, so the persisted copy is positioned to side-load the same DLL. Match on the expanded path when hunting; a rule keyed on the short form alone will miss the long-form writes.
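Both detonations register persistence the same way: a Run value under the user's hive whose data is a System32 binary name placed in a randomly named profile directory (Roaming\Identities\cNk17rkA1 in behavioral1, the 8.3-encoded Quick Launch folder aEo3fsR here), plus a .lnk written into the Startup folder (Gmfoo.lnk and Psfjn.lnk in the Files lists). The following Python is an added example, not part of the report: it parses the "Set value (str)" indicator strings exactly as the report prints them, undoes the doubled backslashes, and scores each value against that pattern. The System32 binary names and the random-name heuristic are assumptions taken from what this report shows; the heuristic is a cheap filter, not a classifier.

```python
"""Triage the persistence entries a sandbox report prints for a sample.

Added example, not part of the report: it parses the "Set value (str)"
indicator strings exactly as they appear in the report and flags the pattern
both detonations show, a Run value (or Startup shortcut) whose target is a
System32 binary name placed in a randomly named profile folder.
"""
import re

# Constructed from the "Adds Run key to start application" rows of
# behavioral1 and behavioral2 (copied verbatim, backslashes doubled as printed).
RUN_KEY_EVENTS = [
    r'\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\cNk17rkA1\\rdpshell.exe"',
    r'\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\aEo3fsR\\tabcal.exe"',
]
# Constructed from the Files lists of both runs.
STARTUP_SHORTCUTS = [
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk",
]

# Assumption: the System32 binaries this report shows being copied as side-loading hosts.
SYSTEM_BINARIES = {"psr.exe", "rdpshell.exe", "dwwin.exe",
                   "applysettingstemplatecatalog.exe", "sethc.exe", "tabcal.exe"}
PROFILE_ROOTS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\appdata\\locallow\\")

RUN_VALUE_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)'
    r'(?:\\(?P<sid>S-1-5-21-\d+-\d+-\d+-\d+))?'
    r'\\(?P<key>.*?\\CurrentVersion\\Run(?:Once)?)'
    r'\\(?P<value>[^\\]+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)


def parse_run_value(indicator):
    """Split a Run-key indicator into hive, SID, key, value name and target;
    None when the line is not a Run/RunOnce value write."""
    m = RUN_VALUE_RE.match(indicator)
    if not m:
        return None
    rec = m.groupdict()
    rec["data"] = rec["data"].replace("\\\\", "\\")  # undo the doubled backslashes
    return rec


def looks_random(name):
    """Cheap heuristic (an assumption, not a classifier): digits wedged between
    letters, or an implausibly low vowel ratio, mark names such as cNk17rkA1
    or Pfoxtyecp while leaving Identities or OneDrive alone."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 4:
        return False
    if re.search(r"[A-Za-z]\d+[A-Za-z]", name):
        return True
    return sum(c in "aeiouAEIOU" for c in letters) / len(letters) < 0.25


def assess_run_value(indicator):
    """Parse one indicator and attach the reasons it looks like masquerading
    persistence; two or more reasons mark it suspicious."""
    rec = parse_run_value(indicator)
    if rec is None:
        return None
    parts = rec["data"].split("\\")
    base = parts[-1].lower()
    parent = parts[-2] if len(parts) >= 2 else ""
    reasons = []
    if any(root in rec["data"].lower() for root in PROFILE_ROOTS):
        reasons.append("target lives under the user profile AppData tree")
    if base in SYSTEM_BINARIES:
        reasons.append(f"target is named after the System32 binary {base}")
    if "~" in rec["data"]:
        reasons.append("target uses 8.3 short names; expand them on the host before matching")
    if looks_random(parent) or looks_random(rec["value"]):
        reasons.append("random-looking directory or value name")
    rec["reasons"] = reasons
    rec["suspicious"] = len(reasons) >= 2
    return rec


def is_startup_shortcut(path):
    """True for a .lnk written into the per-user Startup folder (8.3 or long form)."""
    p = path.lower()
    return p.endswith(".lnk") and "\\programs\\startup\\" in p


if __name__ == "__main__":
    for ev in RUN_KEY_EVENTS:
        r = assess_run_value(ev)
        print(r["value"], "->", r["data"], "| suspicious:", r["suspicious"])
        for why in r["reasons"]:
            print("   ", why)
    for lnk in STARTUP_SHORTCUTS:
        print("startup shortcut:", lnk, is_startup_shortcut(lnk))
```

Both report values score as suspicious (AppData target, System32 binary name, random directory name, and for behavioral2 the 8.3 path as well), while a Run value pointing at a vendor install under Program Files with a readable name collects no reasons. The Startup check only recognises the folder; the report does not capture the .lnk targets, so resolve them on the host before treating the shortcuts as a second persistence path.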
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\HTwag5\sethc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Further events under this signature carry no process attribution in the export.
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\679f5677802f338adc80c1c2058b5f66.dll,#1
C:\Windows\system32\ApplySettingsTemplateCatalog.exe
C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe
C:\Windows\system32\sethc.exe
C:\Users\Admin\AppData\Local\HTwag5\sethc.exe
C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe
C:\Windows\system32\tabcal.exe
Each process is listed once; in the export every image path was followed by an identical command line. The Windows 10 run uses a different set of System32 host binaries from the Windows 7 run, and the Files list below shows the matching DLL names dropped beside each copy: ACTIVEDS.dll next to ApplySettingsTemplateCatalog.exe, WTSAPI32.dll next to sethc.exe and HID.DLL next to tabcal.exe. Note that for tabcal.exe the AppData\Local copy is recorded before the System32 original, unlike the other pairs.
Network
All twelve entries are reverse-DNS (PTR) queries sent to 8.8.8.8; no TCP connection and no Dridex command-and-control address was recorded in either run, so this table yields no network indicators for the sample.
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
Files
memory/1464-1-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1464-0-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1464-2-0x000002362FB10000-0x000002362FB17000-memory.dmp
memory/3440-10-0x00007FFE284FA000-0x00007FFE284FB000-memory.dmp
memory/3440-12-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-18-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-21-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-30-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-31-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-32-0x0000000002410000-0x0000000002417000-memory.dmp
memory/3440-29-0x0000000140000000-0x000000014016A000-memory.dmp
memory/1464-36-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-40-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-41-0x00007FFE287C0000-0x00007FFE287D0000-memory.dmp
memory/3440-28-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-27-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-52-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-50-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-26-0x0000000140000000-0x000000014016A000-memory.dmp
C:\Users\Admin\AppData\Local\QNNvZfuco\ACTIVEDS.dll
| MD5 | da7d1f1dc3aaab1f000783953c8aa08f |
| SHA1 | 7ea8732f4ab4997c8c87a5142df97fe585db8bde |
| SHA256 | 4289e1cc5f2531d603aad24d3027c3f777f8620eef5d4ea80ce532c1b76a32da |
| SHA512 | 50826711bd164718f09bc0450560ef088d34347bd27a77d3fcf7513aeebd658c269e89e88be695b6159a44c965dca369d61b3c22b7945b1294a82524288d8cc6 |
memory/3412-61-0x0000000140000000-0x000000014016B000-memory.dmp
memory/3412-67-0x0000000140000000-0x000000014016B000-memory.dmp
memory/3412-64-0x000001CF89580000-0x000001CF89587000-memory.dmp
C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe
| MD5 | 3f27b721c7e7870cb40c1ec0f997224c |
| SHA1 | f8a78cf1938152c4df78454b8a1a389ce0411ca9 |
| SHA256 | 034f998ac524218d17b86bf81e892966447092244d7ed30cebd4848d42b2c899 |
| SHA512 | c828a9c44fe3d869adcc23f46ea2d907333701f6e1c4233f2855ea5cad68790dc563b6cc8b143603f0eb5991e68ba078fddc3e9b2af1728691d67decdea6697b |
C:\Users\Admin\AppData\Local\QNNvZfuco\ACTIVEDS.dll
| MD5 | 325fa416133e1e14fe5441f075a35cc1 |
| SHA1 | 54b24f13f59071c63d9fcc1d912606e4a7a21967 |
| SHA256 | a9ac63f061321e3e413e91f77090ac7e87b031d1d77caef63c946b517fe8b367 |
| SHA512 | 58ebd959eaa0d5824e2f213787e7e3c308b1722286f44d0b062f924e22dcdc7d126d1bf425af81c4dfcfbc280b272c6ee5233e3c9a2d75128464d6ec8c40e3f3 |
C:\Users\Admin\AppData\Local\QNNvZfuco\ApplySettingsTemplateCatalog.exe
| MD5 | 316bbaa0117d44ce14e7cd4c000d2428 |
| SHA1 | ef66833c7330c7729d368d110634d1f76c74b998 |
| SHA256 | 4128e5563e8b4ce9a6a30328d71d2a4f238a277daf45ae082d0d18752a9b69f4 |
| SHA512 | eb1b1388f63a36e9ae2e424a5242bb4d0a6ac9de485f9043ebda761c20d12e5c941dc2dd57c09a237827a85e1b88fd81cd8875ad978d66d8c675ce7232d9d0d4 |
memory/3440-25-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-24-0x0000000140000000-0x000000014016A000-memory.dmp
C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe
| MD5 | e75adfa2851fbf03872b1a9a03a8b1d2 |
| SHA1 | 9c034b78c38d5d427fddda86add013d42ee9a2a5 |
| SHA256 | ab09bc72563a36c18530b352635d2fb5f9ed9fae441fae2beb6dd43094296d89 |
| SHA512 | f699f0aa9330ef83f2c2a9ff58f8316cf9995cca5cf631dd4d34d0463872a84a34c37c66ebc00148a49038573c3a68ccf604fed0ccbcf02b3fcd7d182f36f8d4 |
memory/2632-80-0x0000000140000000-0x000000014016B000-memory.dmp
memory/2632-83-0x0000024ED4960000-0x0000024ED4967000-memory.dmp
memory/2632-87-0x0000000140000000-0x000000014016B000-memory.dmp
C:\Users\Admin\AppData\Local\en22fNB\tabcal.exe
| MD5 | 5ea1c4b6483e5aee6814b0c618d44198 |
| SHA1 | d69cd6ca1f87b187c1086636ad973f9f2c2bf59b |
| SHA256 | 0571d4f3c324c77001e5cadd0edeb67dac9b6e2e76df706dc5c56a8d3c8d0b42 |
| SHA512 | b120ed6c8c4fcfacfb18c3d9db7d915b14eeb50330828af80e4d550b34dd9b9472f496cb0989bfc6920e562c8220efff1f986b4809738198071baf7749757bf2 |
C:\Users\Admin\AppData\Local\HTwag5\WTSAPI32.dll
| MD5 | 4c75ac5aa4a75031a82271edce2eef6c |
| SHA1 | e75379bfaf1f878db99fd4c82dddbe3df22788b5 |
| SHA256 | 59e9399a6b29085e52b49da9bfcf62281d7c60b8d92796099781f07542249ebe |
| SHA512 | 5af000cbc9f3a437b91bb28c61f1220bff1f180e7d9a1deba5ab9c233486cc2da980a00942ee19b9d1f5fb6454024340a5ddba0681c9dec1c66208e35de1d5b5 |
memory/2728-100-0x0000023F77B70000-0x0000023F77B77000-memory.dmp
memory/2728-105-0x0000000140000000-0x000000014016B000-memory.dmp
C:\Users\Admin\AppData\Local\HTwag5\sethc.exe
| MD5 | aba93ed9e6da337d5caee9e9f80f29be |
| SHA1 | a335c586269150fd3d29e0cd171cd5691d705e15 |
| SHA256 | 8e4fbe4538ebd10c2c89086a402c47f06c4adfd4e7ddc0017e3ea7d510f905dd |
| SHA512 | 05d65a609b44ecc911136c7dcb82e2268c4efbafaf7da82380c28c40321319598f09b403ea88a31e82f472fc430ffd3eb40a0ff38f75bb6675045fccd255b452 |
memory/2728-98-0x0000000140000000-0x000000014016B000-memory.dmp
C:\Users\Admin\AppData\Local\HTwag5\sethc.exe
| MD5 | 8ba3a9702a3f1799431cad6a290223a6 |
| SHA1 | 9c7dc9b6830297c8f759d1f46c8b36664e26c031 |
| SHA256 | 615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8 |
| SHA512 | 680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746 |
C:\Users\Admin\AppData\Local\HTwag5\WTSAPI32.dll
| MD5 | 1c1107814d82a3f3ba82ba95d9c60eca |
| SHA1 | 66bf60f13c3ded04fb23eb168e3a771419b74442 |
| SHA256 | b5bec599c8da823e2af5c087c8699082e626517873a3dab44444d9fbf0373118 |
| SHA512 | aea7e47beb949643dbbc25312a3b9c5af10749518d06a4fd1219ddde5a8824c2f6af67b518868da6565631a70d45d0a638242be107627eeaee0367527f39eaeb |
C:\Users\Admin\AppData\Local\en22fNB\HID.DLL
| MD5 | f6017d0075d381999cf42698e11c002d |
| SHA1 | d9a9b6d72a860dfae96a2a7b16c28e39afef0a5d |
| SHA256 | d12f226e9ac69176db6d11832bfcb84dab8f9beb88c176bb96f04014433acffe |
| SHA512 | da07e0978435134a18b8a9fd4d13b40d41c7b97825ad16c45e52757a2e3d2b5f5646a809388930941314afd5bdf893ccb7cb5bb733bfb4f7f1f07e4c2134958b |
C:\Users\Admin\AppData\Local\en22fNB\HID.DLL
| MD5 | 4322fcf6c9a23e0b889f976174f5c015 |
| SHA1 | 9e02717c3832e9e9aba1626b439d0326ece7c4a6 |
| SHA256 | eefa1811c620649000235ef56e13656b65a28e6f96b21e501f15b2775f0a3810 |
| SHA512 | f7bab958d67685d7bb5f0b6b6066c02659184ae0c8c5b3639fc7df66c606c17e1e176d81c5c8e540e1153c7368424899e5ec4c810698877abae749f3d209abc8 |
memory/3440-23-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-22-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-20-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-19-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-17-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-16-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-15-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-14-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-13-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-11-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-9-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-8-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-7-0x0000000140000000-0x000000014016A000-memory.dmp
memory/3440-5-0x0000000003EB0000-0x0000000003EB1000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk
| MD5 | 14b38ccacc7f0b5b4b3bb3bcd377c140 |
| SHA1 | d6e5e0d4479be673fea4156bce156a6b0c5482d9 |
| SHA256 | 48d9850121b5fabf4e39e5475e2b2fbed8a104c4587ed5d2ede2536ba4add6c6 |
| SHA512 | cec918f4a515c2c5d7ad53190fa1b18c2bff5e08576e1195c1c2689a8f9c538a4621367f0e0635297a2a4a9b14971b4a7fad7abe5420ef1eb9c50c8d2ea22e0c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\pAs2YrOylhZ\ACTIVEDS.dll
| MD5 | 36c62a133f4e01088753797f2f22d2f6 |
| SHA1 | 79ac7f6096a91f8a76b769dc36a584c804f7c418 |
| SHA256 | dfdbd24d6dc6e3a6d4817bf268caf22862c72381fc2cb3a69d200bdadb713fef |
| SHA512 | 70d69d1e2a0eb45a1dee73557064270a4c4893a01aa4e7fb9f5d8fda5ff06ebdfd337c2439186b66fb0bc2ef1770aa612929f36a52a347a72fb7fa305d50cd3f |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\aEo3fsR\HID.DLL
| MD5 | 56536a0576a6ab9e746b4c822289e737 |
| SHA1 | 5118f82864fa704b10ac70665f18032a44896e2f |
| SHA256 | 053006215532c7ab560c1dd64516627dcfa818c6da8161dcc4a66cbd680b4973 |
| SHA512 | acbdf51de02ec85d98770ba479e14834a5dcab7e665cbc24039822a9cf90ef4228187e01e1157856ab2d1768659c111a57340f058ea4fc2204c49b2dc903b939 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\mnePMDrjDP\WTSAPI32.dll
| MD5 | 82917f9e379775da1e30fe09c399295e |
| SHA1 | cafa98ba66f58b7ae9260581e6c051449b60ad20 |
| SHA256 | 6bea71b8a2923305d1f9e51c73e368cd4d3bad173939807106b8579089dfb45d |
| SHA512 | 3727ea0fbed3806ea9e890daf088c86cc51686c8fa589b0ac7d23f408c5f286254c516623fd31bd0976dc8e90295feef585c3b1a6fc8117a5bbab8f7fb96539e |