Analysis Overview
SHA256
1476d58e91f48e2f1a549b08316ea6a465b85edd954d01b4d33a8c86ac56898e
Threat Level: Known bad
The file 76ab58fddc3a0bfc0befb9c1840e58c0 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-26 06:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-26 06:47
Reported
2024-01-26 06:49
Platform
win7-20231215-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\TiX\cttune.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\TiX\cttune.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\lO47FAabQ\\winlogon.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\TiX\cttune.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1136 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\cttune.exe |
| PID 1136 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\cttune.exe |
| PID 1136 wrote to memory of 2616 | N/A | N/A | C:\Windows\system32\cttune.exe |
| PID 1136 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\TiX\cttune.exe |
| PID 1136 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\TiX\cttune.exe |
| PID 1136 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\TiX\cttune.exe |
| PID 1136 wrote to memory of 844 | N/A | N/A | C:\Windows\system32\winlogon.exe |
| PID 1136 wrote to memory of 844 | N/A | N/A | C:\Windows\system32\winlogon.exe |
| PID 1136 wrote to memory of 844 | N/A | N/A | C:\Windows\system32\winlogon.exe |
| PID 1136 wrote to memory of 2544 | N/A | N/A | C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe |
| PID 1136 wrote to memory of 2544 | N/A | N/A | C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe |
| PID 1136 wrote to memory of 2544 | N/A | N/A | C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe |
| PID 1136 wrote to memory of 2128 | N/A | N/A | C:\Windows\system32\mblctr.exe |
| PID 1136 wrote to memory of 2128 | N/A | N/A | C:\Windows\system32\mblctr.exe |
| PID 1136 wrote to memory of 2128 | N/A | N/A | C:\Windows\system32\mblctr.exe |
| PID 1136 wrote to memory of 2096 | N/A | N/A | C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe |
| PID 1136 wrote to memory of 2096 | N/A | N/A | C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe |
| PID 1136 wrote to memory of 2096 | N/A | N/A | C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ab58fddc3a0bfc0befb9c1840e58c0.dll,#1
C:\Windows\system32\cttune.exe
C:\Windows\system32\cttune.exe
C:\Users\Admin\AppData\Local\TiX\cttune.exe
C:\Users\Admin\AppData\Local\TiX\cttune.exe
C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe
C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
Network
Files
memory/3012-2-0x0000000000110000-0x0000000000117000-memory.dmp
memory/3012-0-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-4-0x00000000772B6000-0x00000000772B7000-memory.dmp
memory/1136-5-0x0000000002E20000-0x0000000002E21000-memory.dmp
memory/1136-10-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-16-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-23-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-29-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-33-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-35-0x0000000002DA0000-0x0000000002DA7000-memory.dmp
memory/1136-34-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-32-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-31-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-42-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-30-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-44-0x0000000077620000-0x0000000077622000-memory.dmp
memory/1136-43-0x00000000774C1000-0x00000000774C2000-memory.dmp
memory/1136-28-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-27-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-53-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-59-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-58-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-26-0x0000000140000000-0x00000001401F9000-memory.dmp
\Users\Admin\AppData\Local\TiX\UxTheme.dll
| MD5 | 0d409848b9584d57c06be49afd8180db |
| SHA1 | 0bf53f74cd8b68afa3decfddea6900e85e906115 |
| SHA256 | f1ab500955c1cc1c4d6b47eeb06ecfc26484bd163909bbb43c9df486255e52fb |
| SHA512 | 5e510fbeec88c2cf40a9d6d4d7d7b4fefee416c7671d9e92d024f23984cdaefbe906bc6173f861ce2940872e6d8b62d50d432040abad3323fe41ab015d9f7302 |
C:\Users\Admin\AppData\Local\TiX\UxTheme.dll
| MD5 | 1b6ec3f2058d3415c516de33c94b513d |
| SHA1 | 6ec0de533519894ae575ece478927c252615153d |
| SHA256 | aefbb5edcb48fef2ec95b024efddd15900aca347f84359640708edfb7eafc280 |
| SHA512 | ea69938041d65cfdd5d3aded737fffe4a7e749c4309b6922a4d5c84c225ce8faadf530366bb27d0c9e714abfbd700f62ac1295ccfc6b480c72d1205e8c80f4f3 |
C:\Users\Admin\AppData\Local\TiX\cttune.exe
| MD5 | 44befea0f5aaa8cd40f2de96b23e9267 |
| SHA1 | 7b34d5d3b663a09cac8121a1e92b5774bc46f585 |
| SHA256 | 5692265cc46b170529c3a3ceefa20ab51fcba4f0796783f7d0c17ef30a856bae |
| SHA512 | 816dead7477c04ebafff367705ef93364dab1f09bd9b003492abf4dceb830dda06e498be2ad4598af3b9e378f8e600ddad4c72f50fa53bfdf9fdf3ae5acb21b1 |
\Users\Admin\AppData\Local\TiX\cttune.exe
| MD5 | 7116848fd23e6195fcbbccdf83ce9af4 |
| SHA1 | 35fb16a0b68f8a84d5dfac8c110ef5972f1bee93 |
| SHA256 | 39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6 |
| SHA512 | e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894 |
memory/1136-25-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-24-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-22-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-21-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/2644-71-0x0000000000180000-0x0000000000187000-memory.dmp
memory/2644-72-0x0000000140000000-0x00000001401FA000-memory.dmp
memory/2644-76-0x0000000140000000-0x00000001401FA000-memory.dmp
memory/1136-20-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-19-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-18-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-17-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-15-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-14-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-13-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-12-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-11-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-9-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3012-8-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1136-7-0x0000000140000000-0x00000001401F9000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\H4wcV14ff\cttune.exe
| MD5 | bb1fd1e5f83fd78003860ec0eb221082 |
| SHA1 | d59363615c899085f7cdfab86265816ebc2d0795 |
| SHA256 | baaf6c28b879064918c1af4b8e9e8ed247d56dd9d7c75f18341b72aa1a2436f2 |
| SHA512 | daa488ccd8312b47a288513b8857867f94e0ad99ed099284c66334914617293f2a4dfbeb8d014f795819137679bd0558bfb6d7edfe357cf6b158fa20f7c74b3c |
C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
| MD5 | 9323900374eaa65fbcee7eab34cadea7 |
| SHA1 | b8b32d0fc17a987c867b85dce1b668f25685d2f8 |
| SHA256 | 4dc21d12954e9d5277078bf283f6070b875ed58ac67ab3dc2a9e2ee4733389c8 |
| SHA512 | a504c0443ef6cd80cf54dbecb2dff416bf4c5c5d036bb4484dc9ede0682fc6e71ccaf6b2aa2079f6e48d642f3fa37fd5cdb01533210c68f33005e3300449c37d |
\Users\Admin\AppData\Local\jA2dBf8\WINSTA.dll
| MD5 | 3dba63b890aa64c43a045b2dafb1dd4b |
| SHA1 | 124816b8d125a648c629c59f04e86e4bed5b920b |
| SHA256 | c73cd0b9832eccd67e41a57431ad17a06118ebe4757e843554bb1073b653eeae |
| SHA512 | 9e60c15fe919b1ca3748a7481622eea44caa37c46b25f70fff1fa8a2c4a34457568b9fec87edc10e84267508b629bba3d2d5b15ba896234916112a4df4fb7f6e |
memory/2544-88-0x0000000140000000-0x00000001401FB000-memory.dmp
memory/2544-93-0x0000000140000000-0x00000001401FB000-memory.dmp
memory/2544-90-0x0000000000200000-0x0000000000207000-memory.dmp
C:\Users\Admin\AppData\Local\jA2dBf8\WINSTA.dll
| MD5 | c96360e6e05f05eeadbb8eae0266f609 |
| SHA1 | 9341b1a0fb611b385ea81bf37d8b05f8f7862c6c |
| SHA256 | eb334135b0505b07318554972d74c7ea53be69538ffb2d129cadd4d1abd61b9a |
| SHA512 | 339b9c56d96353992c93b359923bea5503cb3a5da30f835b4abefb98f0be3bd9a3e7e0911defda0fac3902ff6d7b7a3e7f44311f3f8bc7c468c0361b98766e66 |
\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
| MD5 | d31d5a29863c6c2db208360ba1ebf98f |
| SHA1 | 47176cd3ccfd2da11d96e4b1cd9f8d1d1c1c52ee |
| SHA256 | 3a8c5658c4e775702f2aa285cf91434eae26ba7d697625400edb3c36cafd732b |
| SHA512 | b08d4659ed78d8f2eed9db58801fbcf64c8417c443fe349f481aca3ee2c51ea6660f807516d351d0ca1f5c7472ae503396c98a426e0029b68de3a5d5e01ab221 |
C:\Users\Admin\AppData\Local\jA2dBf8\winlogon.exe
| MD5 | 57191c528425ddd52233a5d6d6786fcb |
| SHA1 | ba77b08547b2ea187d558adfc4c90c39e7088277 |
| SHA256 | 637e3fa140dd87926ab0f71269160d2e7b41d094ae276666330b102a250ab3a3 |
| SHA512 | 9947f8173188d2159667773ca1def6ee548dbcda030e26cf9f24b70bfed5bd716c98c356cde94a03bb00f94c6edf000bb34caa20234073a93d5fb8b7bc7273bd |
\Users\Admin\AppData\Local\bfo9Gpgv\UxTheme.dll
| MD5 | a79a56d0be7a15528e71c6e5e1a04211 |
| SHA1 | feb9cb7bbd168183d0ed928e2eea4fe8a19e4662 |
| SHA256 | f180e706211d2b755a94cfea322d6692bd6ca05dfae5b547a9d9cd6f4f75cc2b |
| SHA512 | cea0d44f145298de0f5a7400b4741ce6507434f78d508c48e0a5522c1811148c7d04ae59ddbd75c0b67f4c43a98119547c0e8d473e2d56d26ec46778fb0c2004 |
memory/2096-112-0x0000000140000000-0x00000001401FA000-memory.dmp
memory/2096-107-0x0000000000100000-0x0000000000107000-memory.dmp
C:\Users\Admin\AppData\Local\bfo9Gpgv\UxTheme.dll
| MD5 | 072d5235099a241a32aba0bb0b0a21a3 |
| SHA1 | 1d6a4196032f6c1f8832acf87e876f64c936849e |
| SHA256 | e019e4274f035e14d2b65eeeed7f8ebe57bcf40a8f94d3e860d743c28dbf0d9f |
| SHA512 | 64d0ec0a84747ce13b0d8370c7e828ee3f77acf3bf29f862029e6d1a3264fc8efa260e731ce9c67aa0bfff75459228871aada016215c171c8b643aa28b812dfe |
C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
| MD5 | 844d6807a09af61035e815d74b735fe7 |
| SHA1 | a31a2deca0621e931e8cdb124f521449de40de47 |
| SHA256 | d1ddda41776efbe954dd50a0533c7f5b0757065395c7829bdfe04fa7f026ace9 |
| SHA512 | 4c6a8e6d7b376fb0d315606cec83e087799c093e6e9bf331dd89ce15d5c79c3407b8d52cc5e08b29cb671c2a47c8bbd3cb34f71aeada0789fb01e550ff702818 |
C:\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
| MD5 | b7345aa83f5d30dc4f26945b08051a63 |
| SHA1 | 1e61be248a98505b2007a91afcfa69aa856487df |
| SHA256 | c6e27232e43bab71261f3bb36c8a4a51dfbb33ab068c2defc8e1e23bc6d19735 |
| SHA512 | 76e6205f3a97e7a9981a42256bbd7596ce16018d7ce701b01ba29f46467de5105536cf96711a5b7a7918271bf29773a627016fcc803db12ed1b44c1c69ce3fcd |
\Users\Admin\AppData\Local\bfo9Gpgv\mblctr.exe
| MD5 | 99d79c3e9be254c678f92b5eb96fda5b |
| SHA1 | a4cf8c2615b7a5cba2113b51c2579a4ed876fa63 |
| SHA256 | 5dad20631948b1028e782361dc9373d280ce393b562960b9efd120b400b8e4bb |
| SHA512 | a26d34ad6ece2d6abc92721c422595fe31def90f3ea576748549f54206e0824db0a3c8547f495125ca438afd0f50eddb4a2dfabafd78b10eedbc6e8a9b2797b2 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\2r9LtEnVR\mblctr.exe
| MD5 | fcdeff5e3f432c5b2eb3f6e5963c8c9f |
| SHA1 | 5fcd8a390143b12ccb97ed49513c231bbb097b07 |
| SHA256 | d79ef8c29f7412343f44551b2d4b17d9209b52a4732aab27957b64f4c2ebc07d |
| SHA512 | 2dc0c27b1e57566ba611b45596eb4edaea8a45d54de5863f69ef23f7f6e402196cd50bc61e222e2aee8e8d62236a7e55e2cde8f10c3c75ef10c9223f1cd9f3cc |
memory/1136-135-0x00000000772B6000-0x00000000772B7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk
| MD5 | bf98aa7d4839e56d3ccf3f2fad838d5e |
| SHA1 | 414e271e52a71c35fcd22c04c4f4d47be4fbb2c2 |
| SHA256 | 65e78437569d637b61aab4b9ae1bea0c4f1333627dca3331afaecb199e45c33f |
| SHA512 | 2e7f8f31d7ac4734174efb79caa5faf1e91e924894cc64d5815c288df5f72fd0fb67f03298868e199929743d5a17cbc4cf6f3cc73dfe0563535260d3a0d23394 |
C:\Users\Admin\AppData\Roaming\Mozilla\H4wcV14ff\UxTheme.dll
| MD5 | 3270731020a6bf5f7e857d317b7011ac |
| SHA1 | 219798b9f3f7bf3ac792f26206a96a7e711d41db |
| SHA256 | f87f1fa30faaff0c45828c2ee08cfdb712f1053b15942bbb8aa6734fb3f881de |
| SHA512 | e3de5b86d293b8fb068738795eec07a742bf52f79b24c6f6c08cc132fd3325827c32fe19357c405ffd8fa2dadc14ffa8ea65f86dc38663ea6c04c1dbd6ebb693 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\lO47FAabQ\WINSTA.dll
| MD5 | d320497321e8f24ba027347416da2f88 |
| SHA1 | 700b0bb714da82d373443862d3fdb33da91222ee |
| SHA256 | f77bc99f2ca480d561eeb621c6df89fa06dc199199135d38042f2b36052d564a |
| SHA512 | 1fc289fd7b55230b4773563f2837dda825a8bb3d39a1043b0658a4dd9109c6b2b5549228a55b533281595ca2bf12fa9453ef150ce92b324f1e4f696d58ceeea8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\2r9LtEnVR\UxTheme.dll
| MD5 | df29c4eb083b47bb14333c66ec7defa1 |
| SHA1 | 290aebc4d055c0f205f8d005ecbe1cb9b009c991 |
| SHA256 | f4447b5a498232610195dd5b4624ab522b6b9ae9b6e8b9d90ec6e504f013b0b3 |
| SHA512 | ef9da61e10174b9e4d95fbcf1d2c4850c04f51d278f41c9d3a1c8d0990402b3dfaf64428bd0101e4f90b257c10cd3268a970def51adc398c46a8a491f66b3c05 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-26 06:47
Reported
2024-01-26 06:49
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\ZJE\Magnify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\ZJE\Magnify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\YoSD0KT\\sdclt.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ZJE\Magnify.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3600 wrote to memory of 4196 | N/A | N/A | C:\Windows\system32\Magnify.exe |
| PID 3600 wrote to memory of 4196 | N/A | N/A | C:\Windows\system32\Magnify.exe |
| PID 3600 wrote to memory of 4276 | N/A | N/A | C:\Users\Admin\AppData\Local\ZJE\Magnify.exe |
| PID 3600 wrote to memory of 4276 | N/A | N/A | C:\Users\Admin\AppData\Local\ZJE\Magnify.exe |
| PID 3600 wrote to memory of 4868 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 3600 wrote to memory of 4868 | N/A | N/A | C:\Windows\system32\sdclt.exe |
| PID 3600 wrote to memory of 1088 | N/A | N/A | C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe |
| PID 3600 wrote to memory of 1088 | N/A | N/A | C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe |
| PID 3600 wrote to memory of 2828 | N/A | N/A | C:\Windows\system32\msinfo32.exe |
| PID 3600 wrote to memory of 2828 | N/A | N/A | C:\Windows\system32\msinfo32.exe |
| PID 3600 wrote to memory of 2708 | N/A | N/A | C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe |
| PID 3600 wrote to memory of 2708 | N/A | N/A | C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\76ab58fddc3a0bfc0befb9c1840e58c0.dll,#1
C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
C:\Users\Admin\AppData\Local\ZJE\Magnify.exe
C:\Users\Admin\AppData\Local\ZJE\Magnify.exe
C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe
C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\sdclt.exe
C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe
C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe
C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
Files
memory/1568-0-0x0000026E08C20000-0x0000026E08C27000-memory.dmp
memory/1568-1-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-5-0x00007FF8899BA000-0x00007FF8899BB000-memory.dmp
memory/3600-4-0x0000000003070000-0x0000000003071000-memory.dmp
memory/1568-8-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-7-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-11-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-12-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-13-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-14-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-15-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-16-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-10-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-17-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-9-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-18-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-19-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-20-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-21-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-22-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-25-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-30-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-33-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-32-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-31-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-35-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-34-0x0000000000E80000-0x0000000000E87000-memory.dmp
memory/3600-29-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-28-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-27-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-26-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-24-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-23-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-43-0x00007FF88A5C0000-0x00007FF88A5D0000-memory.dmp
memory/3600-42-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-52-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/3600-54-0x0000000140000000-0x00000001401F9000-memory.dmp
C:\Users\Admin\AppData\Local\ZJE\dwmapi.dll
| MD5 | 95beb85ebb3d9feecfc5fd2e0eed5884 |
| SHA1 | 454a35c9d1e44f53d3e16eadbfacc055adecd697 |
| SHA256 | 4770f8c5b23b07bf72b7944da99731922b28ad3ed08a2b2a98515d091c0ae019 |
| SHA512 | bb5624f85f367af7b328bc89dbdf7c3bf835e975a3cc45fcbceca1f229d2029df2a9fd1b1496b841ecba71cbbcce9cd5d498b3cde33d822679ea7c69ef7ede11 |
C:\Users\Admin\AppData\Local\ZJE\dwmapi.dll
| MD5 | 2287a38a76fdaa3ccb60ade49f67d862 |
| SHA1 | f85f513abd19d9b4569cb54c6767ec03a1d0d0d1 |
| SHA256 | 47fbd9ec6608008ae27e3f50e7e46f6ead13416bd80ac02278cf0ebeae3fdf8a |
| SHA512 | 93fb74f26f220b2a487736ccabef3836cb9fcf234ab8c841dae41788a497c562939d5813fe1b12d05b6cc24d51d7195b2314ff4b1b3558dabc4a1e290e244335 |
C:\Users\Admin\AppData\Local\ZJE\Magnify.exe
| MD5 | 915851f133bd9c0e431e73b1cbd21550 |
| SHA1 | 24c0cf0aecbf709ec0a178006ebd05ed560f582f |
| SHA256 | 07f5b6960262f063136e017384557643df57e073d7d8c7bdb812af09da64140c |
| SHA512 | ee67b1913ec5d92316b0106be2b089d34797af158c7266fb6205885438c79e390e9f269152ccf31a26d375f4bbc52f9e26224bd8090c47fbac2af5931f498e8a |
memory/4276-63-0x00000202468E0000-0x00000202468E7000-memory.dmp
memory/4276-64-0x0000000140000000-0x00000001401FA000-memory.dmp
memory/4276-69-0x0000000140000000-0x00000001401FA000-memory.dmp
C:\Users\Admin\AppData\Local\vs1F3kfd\WTSAPI32.dll
| MD5 | 5994182c37adc884cccbc50f16e5bcd2 |
| SHA1 | 653452f3bfc779492258e1f763d56a855ef66e9f |
| SHA256 | 76bb5136a60f8b38417ef1b59f9d21904c3bbdc2d1dc6bdd40acb6553ee50772 |
| SHA512 | cfa2a2b283964b2a2f8676cf8c2bb2b58800ce7644e8cf2273c841baccdb4d91cab3ef99ebf7c8da40a2cba4c89570ddb0b7cd4b4141145ad101aa825d60a7d5 |
memory/1088-86-0x0000000140000000-0x00000001401FA000-memory.dmp
C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe
| MD5 | dfa53879ba72970e4d284b6d5f8a50e1 |
| SHA1 | 81d25825f1fc03052ca177cce6f9da5a307c0405 |
| SHA256 | d044b2b516a51f1288e4ff126831b5072c0e5413bfc59d85de5c0e3f8f7f1eb7 |
| SHA512 | 65b0d99f69c16112e6611d69d88ed65998c3c5d58b262221bf0a46ee7e74bbdb3149a6f43daa865acccd89bd6f54b5d505f532cbeea55f620758683aea43fc72 |
memory/1088-83-0x0000028CF1EE0000-0x0000028CF1EE7000-memory.dmp
C:\Users\Admin\AppData\Local\vs1F3kfd\WTSAPI32.dll
| MD5 | 35196c56a058582ccad07a996ed9b024 |
| SHA1 | abd05efff5c91a1c6fbd7476c9a1f57322486f60 |
| SHA256 | 9d7111bb2c827c08535978d480d115939a78ca19c4a804c887b37c349a41cbc2 |
| SHA512 | 560f44495b84136d873836eb47ce30d2f989f7294680a2f0ada77f202354efd4a503429ec583c1e20a47e4a57f1cd5030b3f81bc57ae29cb84026980f4916b03 |
C:\Users\Admin\AppData\Local\vs1F3kfd\sdclt.exe
| MD5 | 46f63a256874f0851cb07386ce5c43e2 |
| SHA1 | 1dc73fa9e6771df0ac20ff10e3e64a3abd369dd7 |
| SHA256 | a55e6266f8477403232f160134ea9d399b93b9da17e4582e1ccf83d2c6eef113 |
| SHA512 | bf53443044ddaf6491472120799963925a87d31e92b6a0c53892953e9ab40ed0f1522356d631abd4556ab16f14ed88fb59876721f22e911bccea77bd2858a438 |
memory/2708-97-0x0000013391F50000-0x0000013391F57000-memory.dmp
C:\Users\Admin\AppData\Local\rYGJ\SLC.dll
| MD5 | b913937015b92cbde1ad3b0471a76b28 |
| SHA1 | 33272e40934a81e62d5a9813633042ff1fd731b6 |
| SHA256 | 5c88d69b72e77eca7fcb7b77c896d5c2880737147f2880b58b5f153c3e29760f |
| SHA512 | f7b8ef56e64c95d526264f6499b42c9081a60ee0019794471d8d9f31436729f921a1e64746f022ac4de7730e161bbc123f13c2eca333277e8bd5d6e3a6d20572 |
C:\Users\Admin\AppData\Local\rYGJ\SLC.dll
| MD5 | be301255ab82f72a9acc9b65fe784ab6 |
| SHA1 | db0ebba36a4685b08542eb201926f52ac5fb112a |
| SHA256 | dfc7b330c65ec66cfc9413eff06ac5bd7fd0ef7d88e76a3e9882b22af1dabd32 |
| SHA512 | f77e1c407963725ca8b2a611fb4ca73b44d30b765e6eec450d2bd1d8cdba0c6dc6aca57377e0df7740256588a52d4ee80a075dee666089a5f21beca25d1b5c89 |
memory/2708-103-0x0000000140000000-0x00000001401FA000-memory.dmp
C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe
| MD5 | ee7c92dbb5f2c94e227637dec29c4f0a |
| SHA1 | 2de6d2c2b6c3f0bb6779a7b60b20fe6da8a119a5 |
| SHA256 | e034865d69650c30f02c0054b594207d35ff72358ac479503d08aa829f505e74 |
| SHA512 | b7d484994f7cc42e7f01c7c92b4cca154a0ba049298b17cd5e644e18a16f52758ad22c548df6aeaf6a2fbd59af490f85688080677d0499f8ecdf9ea387803aca |
C:\Users\Admin\AppData\Local\rYGJ\msinfo32.exe
| MD5 | 54501828e12542a579b8b18e238401f8 |
| SHA1 | e09586b324df680ba85ac31fc757556df8b5555e |
| SHA256 | 0a8864c458a49fa0c01c3c257726ddd30182ceaed7a1714884213922975f49bb |
| SHA512 | 39f36ddf4481255f4bfee933e2cd748e7245a487e688ff36877b8ddb01c635be827f2a280f78392ffd842428cf342be725cb1481a2cf06a4ef087813c99250b3 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk
| MD5 | 6909f4fe13b480ed47992f0309f9ccb7 |
| SHA1 | f0d4cedc0ef187449bcd071b71bc04e0841c7319 |
| SHA256 | 0fde514a5ec438f487a507930265f48d171749f2d6b73eda03fc0adab6b55e20 |
| SHA512 | 38a1eeece6f63b4a8b1abad3ee3bc7c4f3905bf61a17abff3fe268d2ba466685fc529ca7c399dac76bb242e41042ae735c3e5a42ba7c309d5a325fbb9acc1f7b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\2uWbturT1qt\dwmapi.dll
| MD5 | 567f432979d582531f403ca45bd5f6f3 |
| SHA1 | b8568ca8bba311fff33aa90f636800e44eb5e14c |
| SHA256 | cbd61e6a2b6a2815d38e7f48e7f97012215ac10509657ad6c30752e1c24397fd |
| SHA512 | 741362cffd484a51864e12bb1a51b4e33de6af649f580ac11f250cfb215f5339346bd47b2db0497ad59208c7c98a2f8980a289de69e843fa7fa82cc4d154d3bb |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\YoSD0KT\WTSAPI32.dll
| MD5 | 6f36a8cb34f492831b93691b1ade1ab6 |
| SHA1 | df71e34d69f116d16b626542a0239474568aa05d |
| SHA256 | 5e37e9525728379d5987677e8cf73091d43ec9f8538c95512bbe0f7598893824 |
| SHA512 | a00d71b8163ecc9e40c2bf9ba3f05cb51dc3f614510390427f4dcc4e4a44e3a627ceb0ddf63af74d98d06aaed6230a210c8d3c692da4461ce9cf1ba490dd5ed7 |
C:\Users\Admin\AppData\Roaming\Sun\Java\O0L1lh\SLC.dll
| MD5 | 0b1e6a95de1b74c3c47c54ef2efc10e1 |
| SHA1 | f72e212a29b2fd16c0bf3ee52266d43f19b5599c |
| SHA256 | 20a3e395b16491cc0bc177f786144edf93a991c5415d08d1c4aa8d17ea96644a |
| SHA512 | 54e4b5e432b35809b7f69364e316d0c61b88ff76c06c92da996b91ecabe4a6dd46609117c38981aafc1984284fbba16ea1cce5180b19c6b0603c3ca56444c97b |