Analysis Overview
SHA256
95675ed8705063e78d6feec16544b7d5bbe62b4bc34b13462280c0ec046f0d71
Threat Level: Known bad
The file 72069f253d65873ca37d22ed502e1911 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-24 10:46
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-24 10:46
Reported
2024-01-24 10:48
Platform
win7-20231215-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3EzN\WFS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3EzN\WFS.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\j0cb\\WFS.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3EzN\WFS.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(61 further hits in this signature with no process recorded)
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1272 wrote to memory of 2756 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe |
| PID 1272 wrote to memory of 2756 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe |
| PID 1272 wrote to memory of 2756 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe |
| PID 1272 wrote to memory of 2932 | N/A | N/A | C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe |
| PID 1272 wrote to memory of 2932 | N/A | N/A | C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe |
| PID 1272 wrote to memory of 2932 | N/A | N/A | C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe |
| PID 1272 wrote to memory of 1324 | N/A | N/A | C:\Windows\system32\WFS.exe |
| PID 1272 wrote to memory of 1324 | N/A | N/A | C:\Windows\system32\WFS.exe |
| PID 1272 wrote to memory of 1324 | N/A | N/A | C:\Windows\system32\WFS.exe |
| PID 1272 wrote to memory of 1624 | N/A | N/A | C:\Users\Admin\AppData\Local\3EzN\WFS.exe |
| PID 1272 wrote to memory of 1624 | N/A | N/A | C:\Users\Admin\AppData\Local\3EzN\WFS.exe |
| PID 1272 wrote to memory of 1624 | N/A | N/A | C:\Users\Admin\AppData\Local\3EzN\WFS.exe |
| PID 1272 wrote to memory of 2740 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1272 wrote to memory of 2740 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1272 wrote to memory of 2740 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1272 wrote to memory of 660 | N/A | N/A | C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe |
| PID 1272 wrote to memory of 660 | N/A | N/A | C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe |
| PID 1272 wrote to memory of 660 | N/A | N/A | C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\72069f253d65873ca37d22ed502e1911.dll,#1 |
| C:\Windows\system32\BdeUISrv.exe | C:\Windows\system32\BdeUISrv.exe |
| C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe | C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe |
| C:\Windows\system32\WFS.exe | C:\Windows\system32\WFS.exe |
| C:\Users\Admin\AppData\Local\3EzN\WFS.exe | C:\Users\Admin\AppData\Local\3EzN\WFS.exe |
| C:\Windows\system32\xpsrchvw.exe | C:\Windows\system32\xpsrchvw.exe |
| C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe | C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe |
Network
Files
memory/3000-0-0x0000000000110000-0x0000000000117000-memory.dmp
memory/3000-1-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-4-0x0000000076DA6000-0x0000000076DA7000-memory.dmp
memory/1272-5-0x00000000026E0000-0x00000000026E1000-memory.dmp
memory/1272-8-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3000-7-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-9-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-10-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-11-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-14-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-15-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-16-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-18-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-19-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-17-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-12-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-20-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-23-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-22-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-24-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-21-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-25-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-26-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-27-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-28-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-30-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-29-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-13-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-31-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-32-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-33-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-34-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-35-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-36-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-37-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-38-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-40-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-39-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-41-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-42-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-44-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-45-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-47-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-49-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-50-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-51-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-53-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-52-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-48-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-46-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-54-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-57-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-58-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-59-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-60-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-61-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-56-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-64-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-65-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-62-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-63-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-70-0x00000000026B0000-0x00000000026B7000-memory.dmp
memory/1272-55-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-43-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/1272-78-0x0000000076EB1000-0x0000000076EB2000-memory.dmp
memory/1272-79-0x0000000077010000-0x0000000077012000-memory.dmp
C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe
| MD5 | d526dab478969eb6fab7a82d4be6cb59 |
| SHA1 | 200f04e2a2fb2f04d12775cd9fe40b40f76db705 |
| SHA256 | bb5ff742ef3ac2a5f08e2cb8b3e5e62fcb0afa4ce9012ac720192de11e228bdf |
| SHA512 | 252803d5f46b721d3f0bb082dde3058f0414e71ec5ee9cc327c8b21981acd8c99e960c85d0e793d6dfefe67726e1483f87ca0897b4aac04c318f81967712f951 |
\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe
| MD5 | 1da6b19be5d4949c868a264bc5e74206 |
| SHA1 | d5ee86ba03a03ef8c93d93accafe40461084c839 |
| SHA256 | 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c |
| SHA512 | 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6 |
C:\Users\Admin\AppData\Local\vO6mC\WTSAPI32.dll
| MD5 | 441810deb20a0beeaca793e5dd68b04d |
| SHA1 | f07bb853f68fc07b61f98aa462fb3495ee7faeed |
| SHA256 | 4997997f49f99e9150f448064918a848933a787d3956f6bfa7ec37bd9bbbf0a4 |
| SHA512 | 8e732739e4e0e2aebcd65475230f6edaea2effa611e90c5fae2d7e6744d4874eb4ae60d5fb3c6897a92c68d55c0a4365af60456e14821d316e75315737fa54ec |
\Users\Admin\AppData\Local\vO6mC\WTSAPI32.dll
| MD5 | 75de1f25a2b37fdc4646176b9aaa244a |
| SHA1 | f92fbeef48bf85b229e1ebe52652bb9847aeb5be |
| SHA256 | f50ff03137ad126614e76dc9b9faa367ff89e2a6ca62b3530ca1ab023aaa2608 |
| SHA512 | 60d86e9eb4c35f4ac12f3cf9cbb6ae272c34b056b7b9be689ae3133a5fcbccbc94c8bc62b6f88e6623d47955a024ec6caf0e91f1b7c0f90ba00bbf2243503fa5 |
memory/2932-102-0x00000000000F0000-0x00000000000F7000-memory.dmp
C:\Users\Admin\AppData\Local\3EzN\WINMM.dll
| MD5 | 116b328d5248bdc6f56ea5688f35521d |
| SHA1 | 725b240e1320140154ee684f2ef3977ddbf6bc99 |
| SHA256 | d97f86c6d79d4bbe54a30b649a85a1e05f211e94cc3fdb285f3c80c6a35506cc |
| SHA512 | 685a7176014d8e94d7e101e7701dbfc402882d5609afe9d0838260ef6996e4ae95423a48ee4d50a247aaf439c6b121f305863170b605d1a63919982ee4d1af9d |
\Users\Admin\AppData\Local\3EzN\WINMM.dll
| MD5 | ef7f4cf6bb53de0de186f4ac52832f7b |
| SHA1 | 515772aad7d2a5dc0a12b5ae61b5aead5cd5781b |
| SHA256 | 46fba5763a98cb8116c953cf31ac7fcb8d461ad9ba091942025fe87412497875 |
| SHA512 | 561ca1233e9fb2ed306af632feba40505963c2e76f716b0fadf1963b02aa6388b902d8c4f0386b94edb40c6923c0e209a596392ef20c8d9739bc95230a99a22a |
memory/1624-120-0x0000000000120000-0x0000000000127000-memory.dmp
C:\Users\Admin\AppData\Local\3EzN\WFS.exe
| MD5 | 8f20249758d6982a016560c01f3a26ab |
| SHA1 | 8044eb22f0c30289071c1bda3899694eb8f4520e |
| SHA256 | ac2c57348bffd7f2e3bffd2d46fdc206ea8171cab049212da4177308ace73268 |
| SHA512 | a580f7725de17c59097fc8682ab6a746bf8db2938c6559111390f30b4eee199626b4b62855f8eb07af52cf9f6cfeca0b9ce3d3f3761d236123898ef9682d840b |
\Users\Admin\AppData\Local\3EzN\WFS.exe
| MD5 | 6be99cac1629ad7ca4b8c9769d911bbf |
| SHA1 | bb54c3ec95988430922f5458c7f99abd2dede7f8 |
| SHA256 | 1897d88db026b4244cc123923ce052dbf03d9d633420b987e8b6de9674893672 |
| SHA512 | 5bd152044d151459af4912f6556eed34236f754235c705bc81f6a62bef25adbb5177f21c6f59d53bdf1fb99c76670c8194e0d4efac695f530bd8d9b34575a736 |
C:\Users\Admin\AppData\Local\3EzN\WFS.exe
| MD5 | 2700cf7fad30f650eb8bae4ad14cd789 |
| SHA1 | 7ae736913d0e5e653fb9ecf78db728cc02e8c7c5 |
| SHA256 | b0a605836be4d3363df0083660f6ce5e506ae67261b4767db8c2f57b0a33f3ce |
| SHA512 | 24a1ec8f70cfe69906a1429d059e1b7dce57eeef0d5076d205fed2be300d7e194e04cd09719fa6f12be1a8e50898f7bbc9c5a5ca282c0d07896c3a41c637a12c |
C:\Users\Admin\AppData\Local\eSnT4YjY\WINMM.dll
| MD5 | ff112775613be272d655da374e7b72c3 |
| SHA1 | 3a270c68d61b9b14465b70619dc304bf2126d781 |
| SHA256 | 6d3a99dd94ad5a62c0d654ab4c6b17df78babe3d447a8a47bcfef372671f1fba |
| SHA512 | 350594b9e647253d2e52ebc04115d7952c282b592537195fc753f8d747721ce9c3cb3012d887739b4a9b0358d9af0b4a0c8b55838e34a3348bbfc7abbb1007ca |
\Users\Admin\AppData\Local\eSnT4YjY\WINMM.dll
| MD5 | b404e8598944c13f6a6330bb1f7bfa92 |
| SHA1 | 217f43354732856ac64382197f5fabf7ab75b48b |
| SHA256 | d9bd9a5b86c21500ec39b3976468176d6a3455214917da8397e96e168703b9a8 |
| SHA512 | 86f1995710c7cb6579a63b9646122e242672be81be63d426284bd564dfbe24d793f666370bb04934fedc7b6ee851d840d0ad8255829777edce08039665195834 |
C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe
| MD5 | a419b97ad08f24d52700575f506b202a |
| SHA1 | 54b87b9becf67ad9e3c03815f6d304bc6e363eb2 |
| SHA256 | acdc1947e48ff26eeed7f945795fd5293d66609449b22e75574db1c5218e7c99 |
| SHA512 | 61a9afb5828e5e037d5a220a7bc573ea431ff222ccc59aa045bb4ca47591acf464bd77a898f26fe4edf1f479ea3a91391a84c05421e7ce439f97ebc9914c3914 |
memory/660-144-0x0000000000090000-0x0000000000097000-memory.dmp
\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe
| MD5 | 022d3a08d08f0cc6508db0c2dcdcfeb8 |
| SHA1 | 361df50887884b1f3b7b4d2f2b31b1d3dea6c14a |
| SHA256 | 2708846d8a4bf5e77722970c16431cc33e1d5548d85fd98e64a498e9c77a3325 |
| SHA512 | 205e3f1a9ccda9fe7ad3ebe5a7e9e04bcbd7a4191c1818241364a3c3ef0ec524da242c36c1f5e7316358553e69970e4a64dbe63da3e360d9d1ba132ed7925100 |
C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe
| MD5 | 0fbaab96ccc53e466d3adf7a39d45037 |
| SHA1 | 480c2bb23feaef2d04fa77f6ffb48eacab1fa3b1 |
| SHA256 | 072b253815d41b57f78ff31783eef94200233209ad30ee1d99ccb398f8dcff0e |
| SHA512 | 0fd2b4a3e57b02f9baa15b5a8fd76d726f6cce71452812562e821cb549731b3486863c69f29d994b1f89f9fdfe3fa2495b27cd62c65a87f537d51586cf72d08b |
\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\srvnYygizj\xpsrchvw.exe
| MD5 | cba607de4b3afd201441ef1b57d86c9d |
| SHA1 | 540a2e7a476e21ea601304465a60022b57f9615c |
| SHA256 | 4135a4fba1fea5f603355105b3442592276928f60fae2a5c1fc1413ab3978ebd |
| SHA512 | d7243eaec1b5e6fe88d601681b1e1cf50b7e507744ffbdacad83d1a55370ddf4c369f2a44839020225e8750e92c527fdb688b0730dca47864190688585d1b45b |
memory/1272-170-0x0000000076DA6000-0x0000000076DA7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
| MD5 | 708be9c3e850df602c1d752162510606 |
| SHA1 | 3d48f749f90966c3cd64a1e13d4b6711e5724034 |
| SHA256 | dd367f316b6bf89cfccecc636a6cda7ee0502864472b6a19666757d6ee160893 |
| SHA512 | 756274739b4032a04f755aa835ef06206a99a88b9d3d24125317323e130a4913bed0d10e3c2cf781de5d34df78882f83451e5a173feee288b4dbe661e7a95db3 |
C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\v8Pt7S7N\WTSAPI32.dll
| MD5 | 2bf2f71bab5cad10b47031fc14915362 |
| SHA1 | 2fff2c6089aed41d9ca06d8956f7ddeaf3a449fd |
| SHA256 | a104192f8299b6cf53f3595e3a0d7d7beb3a2521473b72feef84507b6513c249 |
| SHA512 | e38cfcc75b1a2ed1564dde7479824b6f5cc9a84d506468b46c7abaeb686e429a7f77b69b1bc68771e122b3b456949a3220fcd7933484d574ed42ac7e0eb2c56c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\j0cb\WINMM.dll
| MD5 | ebde81d3a266a0ef0db55de7edc758f1 |
| SHA1 | a369b667a31b5eeb6f89e3266c8fa7e7f0f7cafc |
| SHA256 | c3d7d968a01ac0a154091ee646dedc9f33979d9d1c9753ad75b3107e06804465 |
| SHA512 | 818ef28b6be26847cfe5b86061ae4bfac4d9fb5979ad5aaad0574fbcca049033e6731fb3c71a5074cd14786275f1436f0aa696b47a02723686cd0829bc1faac0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\srvnYygizj\WINMM.dll
| MD5 | 92568ffe50d507281f62ab24bd01ee14 |
| SHA1 | 4e4c552b664118b7e7726c013c3214315d0f6d9a |
| SHA256 | a11f1e009014e9d75227f6d200d12b9ba0ae409287ac0b9a4832d53ac4ee3807 |
| SHA512 | 4430fa89f22c62d2ab5718acb203674b2a76fb8873b256a7d22bc00d117d52bb54cc24786367ec1e65c8e78b42bbc8ed439c6b83460655927b71faa646ed87b8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-24 10:46
Reported
2024-01-24 10:48
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
145s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\pvrwm\psr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\pvrwm\psr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\Oj03\\mstsc.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\pvrwm\psr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(60 further hits in this signature with no process recorded)
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3532 wrote to memory of 1016 | N/A | N/A | C:\Windows\system32\bdeunlock.exe |
| PID 3532 wrote to memory of 1016 | N/A | N/A | C:\Windows\system32\bdeunlock.exe |
| PID 3532 wrote to memory of 2664 | N/A | N/A | C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe |
| PID 3532 wrote to memory of 2664 | N/A | N/A | C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe |
| PID 3532 wrote to memory of 2612 | N/A | N/A | C:\Windows\system32\mstsc.exe |
| PID 3532 wrote to memory of 2612 | N/A | N/A | C:\Windows\system32\mstsc.exe |
| PID 3532 wrote to memory of 4136 | N/A | N/A | C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe |
| PID 3532 wrote to memory of 4136 | N/A | N/A | C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe |
| PID 3532 wrote to memory of 2668 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 3532 wrote to memory of 2668 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 3532 wrote to memory of 1408 | N/A | N/A | C:\Users\Admin\AppData\Local\pvrwm\psr.exe |
| PID 3532 wrote to memory of 1408 | N/A | N/A | C:\Users\Admin\AppData\Local\pvrwm\psr.exe |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\72069f253d65873ca37d22ed502e1911.dll,#1 |
| C:\Windows\system32\bdeunlock.exe | C:\Windows\system32\bdeunlock.exe |
| C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe | C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe |
| C:\Windows\system32\mstsc.exe | C:\Windows\system32\mstsc.exe |
| C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe | C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe |
| C:\Windows\system32\psr.exe | C:\Windows\system32\psr.exe |
| C:\Users\Admin\AppData\Local\pvrwm\psr.exe | C:\Users\Admin\AppData\Local\pvrwm\psr.exe |
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
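The Network table above mixes one plain TCP connection with a run of reverse (in-addr.arpa) lookups sent to 8.8.8.8. The helper below, added here as an example and not part of the sandbox report, decodes each PTR name back to the address it asks about and separates the rows into reverse lookups, forward lookups and connections that were never preceded by any name resolution. ROWS is copied from the table; the classification rules are an assumption of this example.

```python
"""Classify the behavioral2 network rows: decode reverse (in-addr.arpa) lookups
back to the addresses they concern and flag connections with no observed name
resolution. Added example, not part of the report; ROWS is copied from the
Network table above."""
import ipaddress

ROWS = [  # (country, destination, domain, proto) as printed in the report
    ("US", "138.91.171.81:80", "", "tcp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "72.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "157.123.68.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "114.110.16.96.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "84.65.42.20.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28'; None for any other name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify(rows):
    """Split rows into reverse lookups, forward lookups and non-DNS connections.
    The table carries no DNS answers, so a connection peer can only be matched
    against reverse-lookup targets; anything left over had no name activity."""
    ptr, forward, direct = [], [], []
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if port == "53" and domain:
            ip = ptr_to_ip(domain)
            if ip:
                ptr.append(ip)
            else:
                forward.append(domain)
        elif not domain:
            direct.append((host, int(port), proto))
    seen = set(ptr)
    return {
        "ptr_lookups": ptr,
        "forward_lookups": forward,
        "direct_connections": direct,
        "unresolved_peers": sorted({h for h, _, _ in direct if h not in seen}),
    }


if __name__ == "__main__":
    r = classify(ROWS)
    print("reverse lookups for:", ", ".join(r["ptr_lookups"]))
    print("non-DNS connections:", r["direct_connections"])
    print("peers with no DNS activity at all:", r["unresolved_peers"])
```

The eleven PTR names decode to addresses the sample never connects to within the capture; whether they are background lookups by the guest OS or sandbox tooling should be checked against a clean baseline run on the same image before any are attributed to the sample. The only non-DNS row, 138.91.171.81:80, is also the only peer with no name activity, which makes it the row to pivot on; the report does not label it as command and control, so confirm it against current Dridex infrastructure lists before treating it as such.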
Files
memory/3880-1-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3880-0-0x000001DC38E40000-0x000001DC38E47000-memory.dmp
memory/3532-4-0x0000000003290000-0x0000000003291000-memory.dmp
memory/3532-7-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-8-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-6-0x00007FFCEFC8A000-0x00007FFCEFC8B000-memory.dmp
memory/3532-9-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-10-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-12-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-11-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-13-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-14-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-15-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-16-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-17-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-19-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-20-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3880-18-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-21-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-22-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-23-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-24-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-25-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-26-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-27-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-28-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-29-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-30-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-31-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-32-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-33-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-34-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-35-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-36-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-37-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-38-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-39-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-40-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-41-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-42-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-43-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-44-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-46-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-47-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-45-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-48-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-49-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-50-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-51-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-52-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-53-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-54-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-55-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-56-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-57-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-58-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-59-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-60-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-61-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-62-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-63-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-64-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-65-0x0000000140000000-0x00000001403BF000-memory.dmp
memory/3532-70-0x0000000001460000-0x0000000001467000-memory.dmp
memory/3532-78-0x00007FFCF0B80000-0x00007FFCF0B90000-memory.dmp
C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe
| MD5 | fef5d67150c249db3c1f4b30a2a5a22e |
| SHA1 | 41ca037b0229be9338da4d78244b4f0ea5a3d5f3 |
| SHA256 | dcfdd67bf3244ff86cadaaea50b43cce5479014ea2021c0c2fb40b7c856e5603 |
| SHA512 | 4ded9ca87d9d30c31ab2baededaa6e26681741ea1742d80c318173536c643a01bc049e03a03c3b45b3cb8860464a855830e12e87670503e65eedcdd5e9b2d1e7 |
C:\Users\Admin\AppData\Local\xW0\DUI70.dll
| MD5 | 684cce04b25930b040dbf691f6ff580b |
| SHA1 | ba17ae8cbf0893bd298169e0e6928d237211ec19 |
| SHA256 | 202e8fcf040fae82f7a4444ba2d7d2163b1e1fd24a373815746c051d66342e15 |
| SHA512 | 912df62be718a70c60d9d49e97595f6bdfb07ee8d005d99a29d9d6088a8d26ca8771f84290d2b9d4bdc2d8b8d2ce7917cc9ee4c78b0f9bf5c308fb56a088bf94 |
memory/2664-99-0x000002942D390000-0x000002942D397000-memory.dmp
C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe
| MD5 | 3a26640414cee37ff5b36154b1a0b261 |
| SHA1 | e0c28b5fdf53a202a7543b67bbc97214bad490ed |
| SHA256 | 1d1b6b2edac7ac6494c9eecda3afb804f679d7190f4d1a80929380e85743823f |
| SHA512 | 76fc70ead57ddacd3dbcec1a4772bd46924d30b30018a36b13052d2f7272cc86b63bf85d5e4ec04aac08630d4b2637ca6e7d35c08ce6b675d63ed011f7d95ba2 |
C:\Users\Admin\AppData\Local\CkXWAn\VERSION.dll
| MD5 | 8bb25105d9d5636041ccf2ca13433658 |
| SHA1 | 88470fc4fbfb1f4556606f5450147445f2fc2b85 |
| SHA256 | 8d0df2b516e3ed11d8e79855e9df02f354ca679d2b9c5b0ef19a980d993bf213 |
| SHA512 | 33a5e5f6e053c0215f804d62743fc12e990d1c3f3e04eb1a891fd8bad7380c37c91d56927bb51f7d8c212e864ac18cc431eebdc8eecdd6a3dedc597d8c7f5639 |
memory/4136-116-0x000001CE9E4B0000-0x000001CE9E4B7000-memory.dmp
C:\Users\Admin\AppData\Local\pvrwm\psr.exe
| MD5 | ad53ead5379985081b7c3f1f357e545a |
| SHA1 | 6f5aa32c1d15fbf073558fadafd046d97b60184e |
| SHA256 | 4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f |
| SHA512 | 433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0 |
C:\Users\Admin\AppData\Local\pvrwm\XmlLite.dll
| MD5 | 381797e980c95b8424c041050d038876 |
| SHA1 | 7b1bba3615385706886afc863ebdd56e891bfd5f |
| SHA256 | 795e0cbd6ca8a2e7de9c73ced032b6626be2765a991eefc56894ed61a7cd3b28 |
| SHA512 | f7f39f1de9c268e2df962b9c2c4ce159952176687be8b9f9242ae01ef557761256ec4791abad6481c9db4da3ea556a72a5daaf2f9935526645c18c534e993c70 |
memory/1408-134-0x000001CD913C0000-0x000001CD913C7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 517a498ad016bf4c1bd8bdb48099201b |
| SHA1 | ad784f8544fdc339a0deeb22f5fd4c4649e7648a |
| SHA256 | 9283110c19063c935b355035646970db45652b7d5435f8bc0fde24b7c753bc02 |
| SHA512 | bb47da33c6bea430ba27ec32d90835adba7a5543bff106625a5bb073cde01e5d13fb4dd65303ca68bcf25897971e2fd80635a4d678ba56f8533cf115fd32633a |
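Both runs show the same loader pattern: a legitimate Windows image (BdeUISrv.exe, WFS.exe and xpsrchvw.exe on Windows 7; bdeunlock.exe, mstsc.exe and psr.exe on Windows 10) is copied into a randomly named AppData folder next to a DLL carrying the name of a system DLL that image imports (WTSAPI32.dll, WINMM.dll, DUI70.dll, VERSION.dll, XmlLite.dll), the copy is launched, and a Run value plus a Startup .lnk point back at a further copy under Roaming. The helper below, added here as an example and not part of the sandbox report, rebuilds that picture from the dropped-file paths and the "Adds Run key" indicator strings printed above. The path lists are copied from the report; SYSTEM_IMAGES is an assumption taken from the two process lists, not a complete catalogue of side-loadable Windows binaries.

```python
"""Triage helper for the drop-and-side-load pattern in both runs above.
Added example, not part of the sandbox report. DROPPED and RUN_INDICATORS are
copied from the Files and Signatures sections; SYSTEM_IMAGES is an assumption
drawn from the process lists, not a full list of side-loadable binaries."""
import re
from collections import defaultdict

DROPPED = [  # dropped-file paths as printed in the report (drive letter sometimes absent)
    r"C:\Users\Admin\AppData\Local\vO6mC\BdeUISrv.exe",
    r"C:\Users\Admin\AppData\Local\vO6mC\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\3EzN\WFS.exe",
    r"C:\Users\Admin\AppData\Local\3EzN\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\eSnT4YjY\xpsrchvw.exe",
    r"C:\Users\Admin\AppData\Local\eSnT4YjY\WINMM.dll",
    r"\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\srvnYygizj\xpsrchvw.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\srvnYygizj\WINMM.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\j0cb\WINMM.dll",
    r"C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\v8Pt7S7N\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk",
    r"C:\Users\Admin\AppData\Local\xW0\bdeunlock.exe",
    r"C:\Users\Admin\AppData\Local\xW0\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\CkXWAn\mstsc.exe",
    r"C:\Users\Admin\AppData\Local\CkXWAn\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\pvrwm\psr.exe",
    r"C:\Users\Admin\AppData\Local\pvrwm\XmlLite.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk",
]

RUN_INDICATORS = [  # "Adds Run key" indicator strings, verbatim from the report
    r'\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\j0cb\\WFS.exe"',
    r'\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\Oj03\\mstsc.exe"',
]

# Assumption: the Windows images seen launched from System32 and then from AppData.
SYSTEM_IMAGES = {"bdeuisrv.exe", "wfs.exe", "xpsrchvw.exe",
                 "bdeunlock.exe", "mstsc.exe", "psr.exe"}
RUN_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>\S+) = "(?P<target>.*)"$')


def split_path(path):
    """Lower-case, restore the drive letter the report sometimes drops, split dir/name."""
    p = path.lower()
    if p.startswith("\\"):
        p = "c:" + p
    d, _, name = p.rpartition("\\")
    return d, name


def sideload_pairs(paths):
    """Directories outside C:\\Windows holding a known image plus at least one DLL."""
    by_dir = defaultdict(set)
    for p in paths:
        d, name = split_path(p)
        by_dir[d].add(name)
    pairs = []
    for d, names in sorted(by_dir.items()):
        if d.startswith("c:\\windows\\"):
            continue
        exes = sorted(n for n in names if n in SYSTEM_IMAGES)
        dlls = sorted(n for n in names if n.endswith(".dll"))
        if exes and dlls:
            pairs.append((d, exes, dlls))
    return pairs


def run_key_targets(indicators, paths):
    """Run value name, target image, and whether a DLL was dropped beside the target."""
    dll_dirs = {split_path(p)[0] for p in paths if split_path(p)[1].endswith(".dll")}
    found = []
    for line in indicators:
        m = RUN_RE.search(line)
        if not m:
            continue
        # The indicator string escapes backslashes; undo that before splitting.
        d, name = split_path(m.group("target").replace("\\\\", "\\"))
        found.append({"value": m.group("name"), "image": name,
                      "dir": d, "dll_beside": d in dll_dirs})
    return found


def startup_links(paths):
    """.lnk files written to the per-user Startup folder (the second persistence route)."""
    return sorted(n for d, n in map(split_path, paths)
                  if n.endswith(".lnk") and d.endswith("\\startup"))


if __name__ == "__main__":
    for d, exes, dlls in sideload_pairs(DROPPED):
        print(f"side-load: {d}  {exes} + {dlls}")
    for r in run_key_targets(RUN_INDICATORS, DROPPED):
        print(f"run value {r['value']} -> {r['image']} (dll beside target: {r['dll_beside']})")
    print("startup links:", startup_links(DROPPED))
```

Run against the report's own data this yields seven image-plus-DLL directories, and it also exposes a gap worth noting when writing up the sample: the Windows 7 Run value points into SendTo\j0cb, where a WINMM.dll was observed, but the Windows 10 Run value points into Themes\Oj03, for which no dropped file is listed at all, so the persistence copy there was either not captured or written after the dump. For hunting on live hosts the same logic applies to process-creation or file-write telemetry: a System32 image name executing from a user-writable directory with a same-named system DLL beside it is the signal, independent of the random folder names.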