Analysis Overview
SHA256
bd76a02a02d4a0c8c7837fe4c4985ace8f6249f11e0a71ed9ffa55e8f4639be6
Threat Level: Known bad
The file 6e701a6565714d75f57e4ac97c8b92cc was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 02:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 02:08
Reported
2024-01-22 02:11
Platform
win7-20231129-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Q9P\cttune.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Q9P\cttune.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\c2\\cttune.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Q9P\cttune.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1352 wrote to memory of 2456 | N/A | N/A | C:\Windows\system32\cttune.exe |
| PID 1352 wrote to memory of 2456 | N/A | N/A | C:\Windows\system32\cttune.exe |
| PID 1352 wrote to memory of 2456 | N/A | N/A | C:\Windows\system32\cttune.exe |
| PID 1352 wrote to memory of 2492 | N/A | N/A | C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe |
| PID 1352 wrote to memory of 2492 | N/A | N/A | C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe |
| PID 1352 wrote to memory of 2492 | N/A | N/A | C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe |
| PID 1352 wrote to memory of 2088 | N/A | N/A | C:\Windows\system32\cttune.exe |
| PID 1352 wrote to memory of 2088 | N/A | N/A | C:\Windows\system32\cttune.exe |
| PID 1352 wrote to memory of 2088 | N/A | N/A | C:\Windows\system32\cttune.exe |
| PID 1352 wrote to memory of 2424 | N/A | N/A | C:\Users\Admin\AppData\Local\Q9P\cttune.exe |
| PID 1352 wrote to memory of 2424 | N/A | N/A | C:\Users\Admin\AppData\Local\Q9P\cttune.exe |
| PID 1352 wrote to memory of 2424 | N/A | N/A | C:\Users\Admin\AppData\Local\Q9P\cttune.exe |
| PID 1352 wrote to memory of 908 | N/A | N/A | C:\Windows\system32\msra.exe |
| PID 1352 wrote to memory of 908 | N/A | N/A | C:\Windows\system32\msra.exe |
| PID 1352 wrote to memory of 908 | N/A | N/A | C:\Windows\system32\msra.exe |
| PID 1352 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe |
| PID 1352 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe |
| PID 1352 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6e701a6565714d75f57e4ac97c8b92cc.dll
C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe
C:\Windows\system32\cttune.exe
C:\Users\Admin\AppData\Local\Q9P\cttune.exe
C:\Windows\system32\cttune.exe
C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
C:\Windows\system32\msra.exe
Network
Files
\Users\Admin\AppData\Local\ve93MSX\OLEACC.dll
| MD5 | d29b3f13c7c69551767b77abcad4125e |
| SHA1 | a9b279b870b45a58c1eac409147fd33a4646dcae |
| SHA256 | d9c6ca875da779818afd6b2dbb205d5fd0e8490f22b5775a4708d4f991e1071d |
| SHA512 | b60bf43b8520d5bd8298f142db75b8ad1d1da405c5c1153a142bbbab0252c264d3a2a79c7d5fc8db4deadb2e2980bfd1c51c482dca2844600ae53762b8df4669 |
C:\Users\Admin\AppData\Local\ve93MSX\OLEACC.dll
| MD5 | d2fa98ad090b909b45b85e954dada722 |
| SHA1 | d25dcd5a4cf0fe9489606acb2af9addef107137f |
| SHA256 | f610159f859e99638acf379b7e66c1510c4e0869a5fe6e06c4eddd72a7a9a89b |
| SHA512 | f77005db07a07477260e112e7f50320f0c9ac21d44688be90ff52ecb861568741c338da0d4b32c068f4ce07f5e3935352852b9a50008db83d0dad548432ab5d9 |
C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe
| MD5 | 44c3a38325752df5ee0d885f26e7b545 |
| SHA1 | a9261793401898ff86e0cf65cf47b70a2997794e |
| SHA256 | 10cc1b4430e82e7ab9ee72c494bf6d91b284ebe30f24ad9e48430be303c527cb |
| SHA512 | 2f41483506faaca0dd067bd79eeee2f875a8bef175a81db0dd08822fbe1c77feb4f9d818efc14d92fcb30ba4a98d5a6ddbbecdfbb9f0e438fcbd1199b22bb6e1 |
\Users\Admin\AppData\Local\ve93MSX\cttune.exe
| MD5 | 2d601a6850c3ea535280c828ce7fb76b |
| SHA1 | f9bb659886a6f3e35b377c4e197694f72edd1968 |
| SHA256 | 0e2ccbf8f819dffea21ed3f0413cf85dd315ff497203818e94a6e229a5aade9a |
| SHA512 | 9f5fd75406597951dad4486afe5e48270ed9ba97279cc775124978ba306660d343f3169f76825af53842c6d6762104cb8c90171ce309d14dd37e2fde5f85bff8 |
C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe
| MD5 | 616858298155b77fb0d6bbb26a5cd1ba |
| SHA1 | 0e606db0dd24ec59c0c9112b10b50e2b99716e9d |
| SHA256 | 75a65e15de76118ad573bff1e6b3344cfd25ce9e196641103f66a23f7d0f0245 |
| SHA512 | 1ad858b96a779698714c3687b7a0867fa33f8e8b1951144dfcaaf979c587a927f9ef6769ac24816701fb960884b0dac91fe0ffb43cf4da6fb02c02ce4af5acb5 |
\Users\Admin\AppData\Local\Q9P\UxTheme.dll
| MD5 | a25cf12a1f79cdc9676aca0a0ad6ddb6 |
| SHA1 | a2c409091408a83b3b9e516ba3e68c7990185480 |
| SHA256 | fbce1218619839b4565b7a25d201dea01b74ecb7525fe3043b15a4582527e8d5 |
| SHA512 | 8cb770e0d50cde26e386c6460b6cd8946ff47de23af91ebc03a6d665b5e1fa4aadebfd91726c05bf11d218799ff89c735a69666e5744150da349c6658391606d |
C:\Users\Admin\AppData\Local\Q9P\UxTheme.dll
| MD5 | b5d1885a2177af486ce85408de4526ec |
| SHA1 | d336d19263c463ac017b3054c4b2e70c639e5291 |
| SHA256 | 50fda92dcf2753b304ae2728f9d04e9e110950ca882d4e85ff2eef22bcd8a0d6 |
| SHA512 | ee7c4b1bd5bf98dbaba7951e836cf1cff485cf0253d968d4d0633ebd2d7fd1414e3be9eaff440546f3a957c1965cf42a6105c94d8b49966bef9b0a6d4fba5bd9 |
C:\Users\Admin\AppData\Local\Q9P\cttune.exe
| MD5 | d1e20b16b60b6803510caef8881e1194 |
| SHA1 | 93ccf27e3d3bea286447bd6ec675876048ed8e77 |
| SHA256 | b23e106251aa6f3311980f271ef823a14b27bd27631984969d219f768a435b89 |
| SHA512 | f556765774622c2fe8e15e4054b3a074cfe5d9c281142821b35513864c1de1438799c8a2e7cfdd3a4a5e89f70695cbbd871c4754909526dbdf1ef7d38101f4d5 |
\Users\Admin\AppData\Local\Q9P\cttune.exe
| MD5 | aa31ed5c61cfa7d5e5c2f635372ba429 |
| SHA1 | 4424e6e7b36353e3b16903f8f438bd2dcdf89ebe |
| SHA256 | 7ee79d8602a1905d3ba50c84374490952be8c7bde744bf1915e5b02503df1a6d |
| SHA512 | 1b371e0e69e26e04dfcd881f5e142406c09f2a36e3534721d6a359b5c69c2e7ef2c24d2e618de4b39a29e39256a12b1cceb59fa83a3afaa47d1db7eb6fca061d |
C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
| MD5 | d58052adf867cf1cee08b892fb092b1d |
| SHA1 | b74c7a8e8d212f1f4f4cb82362f44e7643394d05 |
| SHA256 | 8653f9ab8986534f1b33eb01142a4442ff3192d784a894d00519e14197db4da2 |
| SHA512 | 4420ab69c9b09467d6d15e2f302f39ad8c0954af5646f4fa2fc858b6f1e43d03a95a7e3e9529f1b5c704d8bba456ea484bee69cd5d205739d93c9bca48878468 |
\Users\Admin\AppData\Local\5tU0cUbmK\UxTheme.dll
| MD5 | c9f4655e2e65c349ea4d21556b7097af |
| SHA1 | 37bafdbc9109b9ec8a9017443960e9cc0edf4cac |
| SHA256 | 7b06676b80dbb6ac703c158914ec912b41f782fafd9fdfdff4206ee22c050232 |
| SHA512 | daf3de69239017a76af00842ff1c86f65bf6d4b04bb058d75ebd6ba8a0c90b4248229dc618749797f0959047d2043f8153bb227fe458ce7673d07f6090490828 |
C:\Users\Admin\AppData\Local\5tU0cUbmK\UxTheme.dll
| MD5 | af23e57e9f12570ae71a028da8e9f8b1 |
| SHA1 | d98c021043ddacbf2e6a39ece38681350af11ee0 |
| SHA256 | 45d9dc9ff8b4b6d6936c916df570e3ef0e7363744b389cece4adc6652d7a3ba8 |
| SHA512 | ed5e7c5f27b838624b101d765b375e02b7a93f9d8149e6c169cd0e8575dc4af65df9283fd0e93b98573b4cf573a45dbb370972d419b5338549c86f8f8e47c21d |
\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
| MD5 | acf25c1de82564b6517868ff6835d541 |
| SHA1 | d4e326eba523e7e7b47408d8aae1292a483d662d |
| SHA256 | d06a5fc49b5e66e88bc685d83c271eb7019a6f17703034b37d3a4338aef639eb |
| SHA512 | c71d575fb8eb80bc67279d8f5c067fceffeff5b13823cd0359ce73afbe37f00642de9f3e622054bc1299e6a6e7d022ebf2e7f37bd8bef67d269facb0c5bd411a |
C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
| MD5 | f01c9d4555780b277c81718890ffc42f |
| SHA1 | 534cd3d56c599a2a126f11ec5b07169909ff0b10 |
| SHA256 | 111398c6afa943d141fd7ebd62f0f1ff156f1a0b4faf9a370a771657f0a61927 |
| SHA512 | 53f1924058da9d808c02c64d8a8ffc39cbcd6990acbaba57752f8972b8f20ef2ea727a2ff91220ca7a0744a780c1e17854ca09c85d8a1605b54ff30396fa06c9 |
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\qq\msra.exe
| MD5 | 794a278db74270984297b38c7d03e4d1 |
| SHA1 | adbc0ac6b6f1f3d2eaa081895e43e9873cf594d5 |
| SHA256 | 3d229681ccdd324aea62113153e43c09ffe593bcd332e4fe165ddeaca286d619 |
| SHA512 | b24e4ae5f5103cdf84ed8714a46a45e6f48dd0eb33b7f1eb73904814cff79db861ac6ae8520be37248e438b100f670032d77ff56a2e37ed65dab65c7dce4eb47 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk
| MD5 | f3ca7089aadc220a5ae1b2ff2c97308b |
| SHA1 | 64b0d34c9af83edbe143ec190fe7f5582055b87d |
| SHA256 | 458035737261cfb51044c12dbc5806146f99a2be94936097782026423a5dddec |
| SHA512 | 6f7b894a8a8eec21d12d120a2bc38596f8c617d25bb6a5e212e281f00fecd47a4d9c1dfc5501fec1c71edefe0c7c3619ca04578c6650d58e744632a091788892 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\SXtSm77\OLEACC.dll
| MD5 | 7e7d055d97ce50462c911ba380bde4ba |
| SHA1 | a41e20cbdbde6b4aee6f9da95d5be6ad469d2c23 |
| SHA256 | 3f2a5f31ffa7bd2ae37dc9f31f79fbbab7810544fad6fd1afd2167bad01ac7fa |
| SHA512 | 3bd788451db22b6d9beecf84c310dc975b743ae420985b2543a5c20c7fb632496135162754e416b531c154a15cd0636dcc30762957937c4170147bd1f510f568 |
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\c2\UxTheme.dll
| MD5 | 386d206dfadbb216e26fee868466afb9 |
| SHA1 | 5b9f741f2f72d97f48f9df97c14ed041ea8ae935 |
| SHA256 | 0059b4b865c99b2ceb402aa45ab339aef29ca57fc6aa0b51075d2b8b204c247e |
| SHA512 | f7f680af7ce1e9000107599a6c20a6566897101eb2a624876d8fd6b4558e508ed47e5597af76dfe91d1408b41312c19f2b2a2de82da715c47acdc3e8cb5fa983 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\qq\UxTheme.dll
| MD5 | 772fb215aabbe4e188ee8ab76f4dcb7c |
| SHA1 | faf90ccaf93b95e166371e509d4549a44a67fc2f |
| SHA256 | 2948b756f13042294114378cb6bf1600728c93489b33703b87d636e74cbea516 |
| SHA512 | 57ae1952d42ca74bebca4550ceeec29ca07b895083e74fdd878441484deaa0676846f5903a47dd46fb8d9e463df90b2b316f08ed9d8d3e05479d22f3b951dcc8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 02:08
Reported
2024-01-22 02:11
Platform
win10v2004-20231215-en
Max time kernel
152s
Max time network
156s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1IsK3mGu\Narrator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\p7u\\cmstp.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6e701a6565714d75f57e4ac97c8b92cc.dll
C:\Windows\system32\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe
C:\Windows\system32\Narrator.exe
C:\Users\Admin\AppData\Local\1IsK3mGu\Narrator.exe
C:\Windows\system32\cmstp.exe
C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe
| MD5 | 8ac5a3a20cf18ae2308c64fd707eeb81 |
| SHA1 | 31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544 |
| SHA256 | 803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5 |
| SHA512 | 85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b |
C:\Users\Admin\AppData\Local\Ue2\FVEWIZ.dll
| MD5 | 54b0b224124254de976220ace8e81a88 |
| SHA1 | 2947bba6da35591058c811e779e1ca6500fb1374 |
| SHA256 | 3582d8247b3dddb340250a0d5cebc1ab8dd918f81c07398c0792cbc83495f493 |
| SHA512 | 6272b6dacc3427b0bce983f11757dae8e7644f697275018ffc288a606f04b6170c7fe359fef78d63029b4092fe7a569bc346c18e70971ce3a701445783dcf676 |
C:\Users\Admin\AppData\Local\1IsK3mGu\Narrator.exe
| MD5 | d92defaa4d346278480d2780325d8d18 |
| SHA1 | 6494d55b2e5064ffe8add579edfcd13c3e69fffe |
| SHA256 | 69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83 |
| SHA512 | b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5 |
C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe
| MD5 | 4cc43fe4d397ff79fa69f397e016df52 |
| SHA1 | 8fd6cf81ad40c9b123cd75611860a8b95c72869c |
| SHA256 | f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c |
| SHA512 | 851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157 |
C:\Users\Admin\AppData\Local\iMthGw27\VERSION.dll
| MD5 | 83f6fba7aaa05a8381a6802d95648bd5 |
| SHA1 | 60f4ab00b7d0c34e4b01c2e79b7098c507aeb6cf |
| SHA256 | 2e07be93d86813adad8ae6bf64fc6a511fa62660ba9633073a60fe99a3f61409 |
| SHA512 | 4a9f3fb9bb60bb39ce735b48010646e43de55e13767e475019e9f786ecff39143776304cc0fec602547babfe41b86e6ea873551c636a9ee41f8e06d25f625917 |
C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe
| MD5 | de58532954c2704f2b2309ffc320651d |
| SHA1 | 0a9fc98f4d47dccb0b231edf9a63309314f68e3b |
| SHA256 | 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3 |
| SHA512 | d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed |
C:\Users\Admin\AppData\Local\rrkeYruM\SYSDM.CPL
| MD5 | 38f9d586bdedd52efecbd860891e2dcb |
| SHA1 | d24ff785f7d172f3a929af386c9ea1d9b57d9725 |
| SHA256 | 6aa9b56466562eb33f0ecc2ee68cd9a5d2cb3633528d8f45363333cedd51b249 |
| SHA512 | 29e694e9793907e7bd977551586084c5ae9a06f1d5437ceaea173ec15e2499d8decda26301f99990761f5d4df149f3d97dc9741d4e0c8baf61b98654d964ab83 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 37d5eb0bed06ca1b72bb550d07087061 |
| SHA1 | d0a37643101696e6ff1b3e0b2419836dcf0246fa |
| SHA256 | 257558f1698a04fc8eabe128d0de7eba6d72af2e2ada64604b7565eeb06ed0ff |
| SHA512 | ac567c179ca4b7a51a63cef1f9eb26284bd6c34167686aaf26c323bf89943dfb197ca959543e55b6b2e27100a0327fef4aa698993fb3d5b8f7ca8b0fa128f512 |