Analysis Overview
SHA256
44e96f3c81f9089ec61e412623a4f0b474893a9f84acef4e32b318f1d2bbc15e
Threat Level: Known bad
The file 76afafbe9ec4d9c894720599f9812cee was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-26 06:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-26 06:57
Reported
2024-01-26 06:57
Platform
win7-20231215-en
Max time kernel
0s
Max time network
2s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\76afafbe9ec4d9c894720599f9812cee.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-26 06:57
Reported
2024-01-26 06:59
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
148s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\316QUO~1\\Taskmgr.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| (59 further identical entries with no recorded description, indicator, process or target) | | | |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3480 wrote to memory of 4784 | N/A | N/A | C:\Windows\system32\SndVol.exe |
| PID 3480 wrote to memory of 4784 | N/A | N/A | C:\Windows\system32\SndVol.exe |
| PID 3480 wrote to memory of 5072 | N/A | N/A | C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe |
| PID 3480 wrote to memory of 5072 | N/A | N/A | C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe |
| PID 3480 wrote to memory of 2168 | N/A | N/A | C:\Windows\system32\Taskmgr.exe |
| PID 3480 wrote to memory of 2168 | N/A | N/A | C:\Windows\system32\Taskmgr.exe |
| PID 3480 wrote to memory of 2128 | N/A | N/A | C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe |
| PID 3480 wrote to memory of 2128 | N/A | N/A | C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe |
| PID 3480 wrote to memory of 5080 | N/A | N/A | C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe |
| PID 3480 wrote to memory of 5080 | N/A | N/A | C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\76afafbe9ec4d9c894720599f9812cee.dll,#1
C:\Windows\system32\SndVol.exe
C:\Windows\system32\SndVol.exe
C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe
C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe
C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe
C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/3532-0-0x000001CDEF4F0000-0x000001CDEF4F7000-memory.dmp
memory/3532-1-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-4-0x0000000002FA0000-0x0000000002FA1000-memory.dmp
memory/3480-6-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-8-0x00007FFE914BA000-0x00007FFE914BB000-memory.dmp
memory/3480-7-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-10-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-11-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-12-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-13-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-14-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-9-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3532-15-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-16-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-17-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-18-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-19-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-20-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-22-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-21-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-23-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-25-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-24-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-26-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-27-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-28-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-29-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-30-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-31-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-32-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-33-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-34-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-35-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-36-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-37-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-38-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-39-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-40-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-41-0x0000000001070000-0x0000000001077000-memory.dmp
memory/3480-48-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-51-0x00007FFE93140000-0x00007FFE93150000-memory.dmp
memory/3480-58-0x0000000140000000-0x00000001401FC000-memory.dmp
memory/3480-60-0x0000000140000000-0x00000001401FC000-memory.dmp
C:\Users\Admin\AppData\Local\kTVDvnN\SndVol.exe
| MD5 | c5d939ac3f9d885c8355884199e36433 |
| SHA1 | b8f277549c23953e8683746e225e7af1c193ad70 |
| SHA256 | 68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605 |
| SHA512 | 8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0 |
C:\Users\Admin\AppData\Local\kTVDvnN\dwmapi.dll
| MD5 | f92e8877bb11abf5a9dcd950e5f54fd1 |
| SHA1 | e81d87e4eb930785b80919d3adb2efdcb65ddc69 |
| SHA256 | a98d28ea0275d964c43297da2484b1fd87017a273b68aa36fc2b84216b9a8e14 |
| SHA512 | 6bcf5be17a610cdd4b1470146feb3e990116538863c7b05bd4b6777e135c468d6a2643a8bab6b56076b92161ae7acb6f9f91389ca92f876967ad5d10d3b7fce0 |
memory/5072-70-0x0000029CFA1E0000-0x0000029CFA1E7000-memory.dmp
memory/5072-69-0x0000000140000000-0x00000001401FD000-memory.dmp
memory/5072-75-0x0000000140000000-0x00000001401FD000-memory.dmp
C:\Users\Admin\AppData\Local\3ez\Taskmgr.exe
| MD5 | 58d5bc7895f7f32ee308e34f06f25dd5 |
| SHA1 | 7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4 |
| SHA256 | 4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478 |
| SHA512 | 872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9 |
C:\Users\Admin\AppData\Local\3ez\UxTheme.dll
| MD5 | d198ac7636df150271f4f8958a7d97cb |
| SHA1 | 3ad52d13f8ba452e1a472c16fc63ca3c895a61e5 |
| SHA256 | 6c809f81b32e0847f6f87289731bd0bb89485fda35225c7704571a1374e3bd89 |
| SHA512 | 559b5f873f3bbd10aac85ca2cc020c1715345994c2a730355b7f5853c328ba80d04a8f7f4eda78f86e869b2e41ad5a972eedf25e3a64040fce976161ee231ce3 |
memory/2128-87-0x000002A3C1830000-0x000002A3C1837000-memory.dmp
memory/2128-91-0x0000000140000000-0x00000001401FD000-memory.dmp
C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe
| MD5 | c98c6acb6522abafe9245092cfa8b6cb |
| SHA1 | 1722bb062305c170e9cf4370ad7e5799d6c0e1fe |
| SHA256 | 623dcec2806c69b7a5b5e4b765df9eb6fcd108567bd5a190efd36f7b4601581e |
| SHA512 | f60a97882c4ccff7131736fbc5252bb8101103a8dd321c140f17b7fb0f9bb9b9983e84a1665fb7c19fc73064afe71bc1e569615f1d00d52afab5229154921e12 |
C:\Users\Admin\AppData\Local\vqhiCH42\XmlLite.dll
| MD5 | bed68b881ce0a0b91fc64d9c6fcfa6aa |
| SHA1 | cd8061e25e6acb1259609147b5cd2583b074e07b |
| SHA256 | d73fe5039f8b5ab0a6c0c5d060c9427d82f83e0982138592289c9963b38fbe68 |
| SHA512 | d9128f4e628a8db849a13f3d39cfecc3aa5f4f83bfaa0d896d588d900aafbf8dec788e03e99f36602f9e542486fa92d90fd80ea8b281a79fdf7f2b2077a059ba |
C:\Users\Admin\AppData\Local\vqhiCH42\XmlLite.dll
| MD5 | f1c60684c8dcba059b64a0da6addc5d2 |
| SHA1 | 14259fdd8acfa50e23ef20a922f28d9908c45833 |
| SHA256 | 31eda860e668751895fa9429fe9b8291b0f8bff44d5c4cc100810b5394130e86 |
| SHA512 | 757c1baf1d1987c43838e19a1eb33cf757c1b24e7428201df82fc898eaa69092ec9adf825bba9232095b8968e59a4a2071bfb849afb62c0f6079fd4241f3786c |
memory/5080-104-0x000001D0A1C50000-0x000001D0A1C57000-memory.dmp
memory/5080-109-0x0000000140000000-0x00000001401FD000-memory.dmp
C:\Users\Admin\AppData\Local\vqhiCH42\sppsvc.exe
| MD5 | ec6cef0a81f167668e18fa32f1606fce |
| SHA1 | 6d56837a388ae5573a38a439cee16e6dde5b4de8 |
| SHA256 | 82c59a2f606ebf1a8a0de16be150600ac63ad8351c6bf3952c27a70257cb70f8 |
| SHA512 | f40b37675329ca7875d958b4b0019082548a563ada217c7431c2ca5c7f93957b242f095f7f04bcdd6240b97ea99e89bfe3a003f97c43366d00a93768fef7b4c5 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 35bc9e968597de377f592b8dc97f86cf |
| SHA1 | 538eb30c2a0cb31412e9eb3b9bb15f68b3756e04 |
| SHA256 | 5ae7616aa43b21f18420f6b19156bf03637a1cc40c7d34b3d93be0a0b32ec701 |
| SHA512 | 079d89059d08f3b1e2145dd8baa7f2e7a9ef8958d525d4e86d4b94cb9d91e9acaba0daaf1299c4906943cceca79b8bce2a70104265b6bc75e0331d5396ae65dd |