Analysis Overview
SHA256
718a533c6fd5cccfb5c4afd72ad1d850327a0b4e6a37aed68679e7bb4afce5ce
Threat Level: Known bad
The file 70b4e740a07d198ec5ac903eaed6ff43 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-23 22:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 22:19
Reported
2024-01-23 22:26
Platform
win7-20231215-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Pse2t\WFS.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Pse2t\WFS.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\44URQ43K\\31\\rekeywiz.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Pse2t\WFS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1144 wrote to memory of 2680 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 1144 wrote to memory of 2680 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 1144 wrote to memory of 2680 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 1144 wrote to memory of 1664 | N/A | N/A | C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe |
| PID 1144 wrote to memory of 1664 | N/A | N/A | C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe |
| PID 1144 wrote to memory of 1664 | N/A | N/A | C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe |
| PID 1144 wrote to memory of 1688 | N/A | N/A | C:\Windows\system32\rekeywiz.exe |
| PID 1144 wrote to memory of 1688 | N/A | N/A | C:\Windows\system32\rekeywiz.exe |
| PID 1144 wrote to memory of 1688 | N/A | N/A | C:\Windows\system32\rekeywiz.exe |
| PID 1144 wrote to memory of 2844 | N/A | N/A | C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe |
| PID 1144 wrote to memory of 2844 | N/A | N/A | C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe |
| PID 1144 wrote to memory of 2844 | N/A | N/A | C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe |
| PID 1144 wrote to memory of 280 | N/A | N/A | C:\Windows\system32\WFS.exe |
| PID 1144 wrote to memory of 280 | N/A | N/A | C:\Windows\system32\WFS.exe |
| PID 1144 wrote to memory of 280 | N/A | N/A | C:\Windows\system32\WFS.exe |
| PID 1144 wrote to memory of 1712 | N/A | N/A | C:\Users\Admin\AppData\Local\Pse2t\WFS.exe |
| PID 1144 wrote to memory of 1712 | N/A | N/A | C:\Users\Admin\AppData\Local\Pse2t\WFS.exe |
| PID 1144 wrote to memory of 1712 | N/A | N/A | C:\Users\Admin\AppData\Local\Pse2t\WFS.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70b4e740a07d198ec5ac903eaed6ff43.dll,#1
C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe
C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
C:\Users\Admin\AppData\Local\Pse2t\WFS.exe
C:\Users\Admin\AppData\Local\Pse2t\WFS.exe
Network
Files
C:\Users\Admin\AppData\Local\2gBC6gHGV\ReAgent.dll
C:\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
\Users\Admin\AppData\Local\2gBC6gHGV\sdclt.exe
\Users\Admin\AppData\Local\2gBC6gHGV\ReAgent.dll
\Users\Admin\AppData\Local\1mE5tc\slc.dll
C:\Users\Admin\AppData\Local\1mE5tc\slc.dll
C:\Users\Admin\AppData\Local\1mE5tc\rekeywiz.exe
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\44URQ43K\31\rekeywiz.exe
C:\Users\Admin\AppData\Local\Pse2t\WINMM.dll
\Users\Admin\AppData\Local\Pse2t\WINMM.dll
C:\Users\Admin\AppData\Local\Pse2t\WFS.exe
\Users\Admin\AppData\Local\Pse2t\WFS.exe
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\ukCnzcZs\WFS.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\r0W0sH\ReAgent.dll
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\44URQ43K\31\slc.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\ukCnzcZs\WINMM.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-23 22:19
Reported
2024-01-23 22:26
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\YH\\DISPLA~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3484 wrote to memory of 2760 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe |
| PID 3484 wrote to memory of 2760 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe |
| PID 3484 wrote to memory of 3016 | N/A | N/A | C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe |
| PID 3484 wrote to memory of 3016 | N/A | N/A | C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe |
| PID 3484 wrote to memory of 3760 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe |
| PID 3484 wrote to memory of 3760 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe |
| PID 3484 wrote to memory of 2196 | N/A | N/A | C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe |
| PID 3484 wrote to memory of 2196 | N/A | N/A | C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe |
| PID 3484 wrote to memory of 1516 | N/A | N/A | C:\Windows\system32\recdisc.exe |
| PID 3484 wrote to memory of 1516 | N/A | N/A | C:\Windows\system32\recdisc.exe |
| PID 3484 wrote to memory of 4492 | N/A | N/A | C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe |
| PID 3484 wrote to memory of 4492 | N/A | N/A | C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70b4e740a07d198ec5ac903eaed6ff43.dll,#1
C:\Windows\system32\EhStorAuthn.exe
C:\Windows\system32\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe
C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe
C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe
C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\VkS\EhStorAuthn.exe
C:\Users\Admin\AppData\Local\VkS\UxTheme.dll
C:\Users\Admin\AppData\Local\N3cxLFj\DUser.dll
C:\Users\Admin\AppData\Local\N3cxLFj\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\Yi1lYyLD\ReAgent.dll
C:\Users\Admin\AppData\Local\Yi1lYyLD\recdisc.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ZM\UxTheme.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\YH\DUser.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\9Cutlz\ReAgent.dll