Analysis Overview
SHA256
9ddd12552dc5850ed10c847816d6e5f80272a66117d765587662065ede3435c5
Threat Level: Known bad
The file 820d38a0c687ab0b550fe547c7bb1d6a was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-30 09:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-30 09:15
Reported
2024-01-30 09:18
Platform
win7-20231215-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{EE07B9B8-79CB-4B35-87AB-D4E1BF99C984}\\N25vjPXg\\xpsrchvw.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1252 wrote to memory of 1412 | N/A | N/A | C:\Windows\system32\msdtc.exe |
| PID 1252 wrote to memory of 1412 | N/A | N/A | C:\Windows\system32\msdtc.exe |
| PID 1252 wrote to memory of 1412 | N/A | N/A | C:\Windows\system32\msdtc.exe |
| PID 1252 wrote to memory of 2076 | N/A | N/A | C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe |
| PID 1252 wrote to memory of 2076 | N/A | N/A | C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe |
| PID 1252 wrote to memory of 2076 | N/A | N/A | C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe |
| PID 1252 wrote to memory of 2960 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1252 wrote to memory of 2960 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1252 wrote to memory of 2960 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe |
| PID 1252 wrote to memory of 1632 | N/A | N/A | C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe |
| PID 1252 wrote to memory of 1632 | N/A | N/A | C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe |
| PID 1252 wrote to memory of 1632 | N/A | N/A | C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe |
| PID 1252 wrote to memory of 2188 | N/A | N/A | C:\Windows\system32\dvdupgrd.exe |
| PID 1252 wrote to memory of 2188 | N/A | N/A | C:\Windows\system32\dvdupgrd.exe |
| PID 1252 wrote to memory of 2188 | N/A | N/A | C:\Windows\system32\dvdupgrd.exe |
| PID 1252 wrote to memory of 1732 | N/A | N/A | C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe |
| PID 1252 wrote to memory of 1732 | N/A | N/A | C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe |
| PID 1252 wrote to memory of 1732 | N/A | N/A | C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\820d38a0c687ab0b550fe547c7bb1d6a.dll,#1
C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe
C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe
C:\Windows\system32\msdtc.exe
C:\Windows\system32\msdtc.exe
C:\Windows\system32\xpsrchvw.exe
C:\Windows\system32\xpsrchvw.exe
C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe
C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe
C:\Windows\system32\dvdupgrd.exe
C:\Windows\system32\dvdupgrd.exe
C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe
C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe
Network
Files
memory/2088-0-0x0000000000110000-0x0000000000117000-memory.dmp
memory/2088-1-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-4-0x0000000077256000-0x0000000077257000-memory.dmp
memory/1252-5-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/1252-9-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-10-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-17-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-20-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-21-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-30-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-34-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-36-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-35-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-37-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-39-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-40-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-42-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-44-0x0000000002600000-0x0000000002607000-memory.dmp
memory/1252-41-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-38-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-32-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-33-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-31-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-29-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-51-0x0000000077361000-0x0000000077362000-memory.dmp
memory/1252-50-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-52-0x00000000774C0000-0x00000000774C2000-memory.dmp
memory/1252-28-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-27-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-26-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-24-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-25-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-22-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-61-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-23-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-19-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-18-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-65-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-16-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-15-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-13-0x0000000140000000-0x00000001401B5000-memory.dmp
C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe
| MD5 | 8d0d0b42476449211e2ea9c4aed1b16f |
| SHA1 | de9b4f5cf5bf5a975da5f343791a264e152c4e2d |
| SHA256 | 9d70f548379eaf1916fbfb5b3c04a05419885a8c0078027ff196e7fd921a9c83 |
| SHA512 | 877b59c824e648a990700c2f0449feaacaf25d2c3284fcca2b3ebad0d5607c04a2d80195a637a6750a92ed1c3ec0399e2573c56ec1c11a6de3a67fd8ab256eb0 |
C:\Users\Admin\AppData\Local\rmMTk\VERSION.dll
| MD5 | 52f8a5a54b41ca32c40a6916e73197ce |
| SHA1 | 01ef11397d73f279faf22addedc73eadb900d45f |
| SHA256 | bc567c5f7a0fdc576b562168def556bd7edaa09c2cd64cbc4d923cfa9dc7f944 |
| SHA512 | aa54d1e7f4727ae0420821baa9c83cc12a21582072b44acb460eb71f479cda3329a167685fcc8584785a3d44264ec007c547545283ef62cdee83691f7ea98786 |
memory/2076-79-0x00000000000F0000-0x00000000000F7000-memory.dmp
memory/2076-80-0x0000000140000000-0x00000001401B6000-memory.dmp
memory/2076-85-0x0000000140000000-0x00000001401B6000-memory.dmp
C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe
| MD5 | 04f9770f8c428db3a7c5fd5024e2e773 |
| SHA1 | 779a87a6359532e8efcb4d73937a665e953f2237 |
| SHA256 | 81a24f85a8e976c180ebc8a17d332a0d3f96a315e649dedf0e5651fad85f5d5d |
| SHA512 | c0d8ae404c5fc85890c68b5e53b1c530626a03cc4c7a63e35b22d5b8b99d282345d530ba2709b45cb0b0a52087f94c38afe4d3aab86b9c4182439178cbee2f12 |
\Users\Admin\AppData\Local\rmMTk\VERSION.dll
| MD5 | e8a4711c70110f534df903f74c385d43 |
| SHA1 | a2a38c864830d40e48a6c133174e362bf7a3800d |
| SHA256 | 2a94850ec9f9e20a70de062a634a75196899aad6c2c5da660f19b36462f43c91 |
| SHA512 | 21954e66782bc2e66be77dc194a5bbeaabd36c28ad5997b2ceb3823fdb5d3dc299f14c5292cfa7143a75c6aafa86f4b99412062b5a63de15168839d83ef8a3cd |
\Users\Admin\AppData\Local\rmMTk\msdtc.exe
| MD5 | de0ece52236cfa3ed2dbfc03f28253a8 |
| SHA1 | 84bbd2495c1809fcd19b535d41114e4fb101466c |
| SHA256 | 2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3 |
| SHA512 | 69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3 |
memory/1252-70-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-14-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-12-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-11-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/1252-7-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/2088-8-0x0000000140000000-0x00000001401B5000-memory.dmp
\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe
| MD5 | 84c667411eb48a55d85110ccfa8b66e3 |
| SHA1 | eab28a3548c6b8d9363d2ab0229331cb75d93b33 |
| SHA256 | c45c4a1ccaa0f70bc30fa7d5f95a8ea5c22520b0bfad6a365b8913d805a61279 |
| SHA512 | fa490be19eb18dc52913623a86eaa547fb46dcde6f6b2e773a8af94cf0852c80f380e8e55f2d726849f001d3dd15ff405ef07d056ed5616777696dda7e3536c1 |
\Users\Admin\AppData\Local\bDxi\WINMM.dll
| MD5 | ea3d8c37c78f2a613539f3dcceb68282 |
| SHA1 | 1a44a18cb4fec329cfb4dcf0074712c693e583da |
| SHA256 | 428a724f11082b06ee0e0377cf512dada65e1405966a7b4f7cabe1a702377c05 |
| SHA512 | 9c3fa5aa16b271b29616d49025f3313a46064e0dd1582d9ee3c1d8b61d10468f83264f85940a10cd6b6a80ba1c520f6109a49729e16e3b79a195f8d7f3c814b2 |
memory/1632-97-0x0000000000320000-0x0000000000327000-memory.dmp
memory/1632-98-0x0000000140000000-0x00000001401B7000-memory.dmp
C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe
| MD5 | 8a338de9707bf3074d52792f3a4f63f7 |
| SHA1 | c881b28391d8356aec51e921bdddfb6e9d0ce10d |
| SHA256 | 9d510d9cb87dd7715e6c7d23ae6263d42acbbe1cc8ac0af73c2c094ed41bb5e2 |
| SHA512 | 57c91bacc0190f48efe616804318e0689b5e14980c9d206197aa2758294e669e729074a8b5d6594a723674948a4e87981280f9c5a681a610eb50a2a87d615421 |
C:\Users\Admin\AppData\Local\bDxi\WINMM.dll
| MD5 | 6444714a86acf918262446a41b131b98 |
| SHA1 | 3945fc27b26fc68dbadeaaf8a4d59dd7135329df |
| SHA256 | 26c0b88b4fc45448fa9d4b96524aeea0dd81c6f95024a3a204bae605dc851d80 |
| SHA512 | 3351fd7637243929beb4be3acf4a75656624426d0061e9271dc3bccaad098d1a851f69c450d49a9eeeae140676d509b647574fe957056e21d0da5c4d48972bc4 |
C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe
| MD5 | 3e2646f3d1a868e0774bdd6bf0e3fdbb |
| SHA1 | a4ad399a09cbec61d66bd54fddef7c746d06b331 |
| SHA256 | b93ce0e56607aca153204c2f5818bccef6b06281de99af7edbc11b15afbd5b21 |
| SHA512 | ae262b118eaeb06798d45f1f609ddf4f5c678f441cd48f71e3bb4b457a03c41fdd0ca5813d7a75a4ed1a70bd6bec97edd8c47f64fe5e372be2116ef71dc79536 |
\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe
| MD5 | 75a9b4172eac01d9648c6d2133af952f |
| SHA1 | 63c7e1af762d2b584e9cc841e8b0100f2a482b81 |
| SHA256 | 18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736 |
| SHA512 | 5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769 |
\Users\Admin\AppData\Local\HeBC\VERSION.dll
| MD5 | fdc0988d1be75ecf8ca94637eafb9d17 |
| SHA1 | 259e4c5b15ebbf6c2bd1c32e67659e71d1e02950 |
| SHA256 | ab7d21de90a43de9723ad062e26326690ce8b72d5768e6583318dc6ec384a5ff |
| SHA512 | b6c1c69eb81968fcb4cc4948b6580d753d88be552875d82a6f3d1159997210a68ac3e9f541e6b43165135e0eaf8ad7c332d3ba886908efc7014babfbe101a7de |
memory/1732-121-0x0000000000220000-0x0000000000227000-memory.dmp
C:\Users\Admin\AppData\Local\HeBC\VERSION.dll
| MD5 | 58cbfac6abadc2d92aff1c5c5aa86879 |
| SHA1 | c160e19ac173df690ec73da52922ea6abd395833 |
| SHA256 | f0db1da855ef94cb20981108b374d4320d84461c62caf2071dd0a4562f7fad41 |
| SHA512 | 32d05690c639377cab09b7edc1f1ee365257f6efffc8b18cfc7576bd69ebb9302ec57a45e358eaa2daffd04774f85664bbba0cfed23446428ba971ffcf192373 |
\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\vR\dvdupgrd.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
(These four values are the digests of empty input: the file was zero bytes long when the sandbox hashed it, so they identify nothing and must not be used as indicators; the VERSION.dll dropped beside it, listed further down, is the usable artifact from this directory.)
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk
| MD5 | 444afa9370f304f2a7246432a51b8188 |
| SHA1 | 15964e83c411589d86c480cb86b34bad1765bd57 |
| SHA256 | d6c054ca01e14f68363dca9d7dd448211d1b4bd92ace134fd9f12d3d4579046d |
| SHA512 | e19cc76999cca62a6be62fb207ef8fdf62327cb5df468844b66fa33c7e24399979b04550b4ca7c3fd56523fe8c90752f8bde0fffa38edd107a538e63286dbe6a |
memory/1252-146-0x0000000077256000-0x0000000077257000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\BtuQfAZZER\VERSION.dll
| MD5 | 30ee7c135b5e11f6d07a50f7fad01ee1 |
| SHA1 | 3913fd92a91185fbe731a3b8bea5eb68edf91cb2 |
| SHA256 | 67956266b4948bf6e3cf27746b5522a6f22a809c5c660004798212c2ce2ba843 |
| SHA512 | 7bf8d139fb7a685b08c667cacf4d1a599f597c08b657fa027a530a865a9e0cfda3af1e84bc3ff38e0c17184145425cbf2311a0af7e2f6970e956cfd7cde8d7ca |
C:\Users\Admin\AppData\Roaming\Identities\{EE07B9B8-79CB-4B35-87AB-D4E1BF99C984}\N25vjPXg\WINMM.dll
| MD5 | c6a8780b9094a4c9e576f25e0f203808 |
| SHA1 | 726b0512a2118a0c08e68cc1e6f5eeffb1cf0008 |
| SHA256 | 4ab0fa46684644ea21357747ea3d115d76e0e38808fb4ecc52da49a9058338ec |
| SHA512 | 1f0dbc64709a895a36303cda98e3fdaa617d0bdde582cf797993aa62ce2be16e53ec1c14f0fe1ff667dbcccbf4f2a4bbd070ab407bcc6bd09bd44015c2f84c24 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\vR\VERSION.dll
| MD5 | 62c6aa0a49457b866379408ba07e52a2 |
| SHA1 | 06a5034b12012e61359a8b8afee1ef21daa26067 |
| SHA256 | 3d68c0a1a91c9fa7dcd896d239922995d78d8c23d79ce249557d769ced376bd1 |
| SHA512 | 20a6948f44d5c10bbbc012b3d162173443496ad98757561474df4fae95be1dc730f30e1f1963a17dde14bbb49ea3584bb1e8708493951d44a82da96ef127c8f9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-30 09:15
Reported
2024-01-30 09:18
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
149s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3073191680-435865314-2862784915-1000\\iyIaUtBpiiz\\dccw.exe" | N/A | N/A |
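Both detonations register persistence the same way: a string value under the user's HKCU ...\CurrentVersion\Run key (random value name, data pointing at a copy of the Windows binary placed under %APPDATA% in a directory that normally holds only data: the mail identity store on Win7, the CAPI key container under Microsoft\Crypto\RSA\<SID> on Win10), a .lnk in the Startup folder, and use of the Task Scheduler COM API. The parser below is an added example and not part of the report or the sandbox: it turns the "Set value (str)" indicator rows from both detonations into structured records (the indicator syntax, including the doubled backslashes in the value data, is taken from these two rows) and applies a small heuristic of its own for autoruns that point into a user profile.

```python
"""Parse the report's Run-key indicator rows and rate the autorun targets.

Added example; not the sandbox's or the report's code. Indicator syntax
is copied from the two "Set value (str)" rows on this page (registry path,
value name, ' = ', quoted data with doubled backslashes). The risk rules
are this example's own heuristics.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

RUN_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER|MACHINE)\\'
    r'(?:(?P<sid>S-1-5-21-\d+-\d+-\d+-\d+)\\)?'
    r'(?P<key>.*?\\CurrentVersion\\Run(?:Once)?)\\'
    r'(?P<name>[^\\=]+?)\s*=\s*"(?P<data>.*)"$',
    re.IGNORECASE,
)
# %USERPROFILE%\AppData\... is writable without elevation.
USER_APPDATA = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# Per-user stores that hold keys, certificates or mail identities, never programs.
DATA_ONLY_DIRS = re.compile(r"\\(identities|crypto\\rsa|systemcertificates)\\", re.IGNORECASE)


@dataclass(frozen=True)
class RunEntry:
    hive: str
    sid: str | None
    key: str
    name: str
    data: str  # value data with the report's doubled backslashes undone


def parse_run_indicator(indicator: str) -> RunEntry:
    m = RUN_RE.match(indicator.strip())
    if not m:
        raise ValueError(f"not a Run-key indicator: {indicator!r}")
    return RunEntry(m["hive"].upper(), m["sid"], m["key"], m["name"],
                    m["data"].replace("\\\\", "\\"))


def command_image(data: str) -> str:
    """Image path of a Run value: the quoted token, else everything before the first space."""
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]


def assess(entry: RunEntry) -> list[str]:
    """Reasons this autorun looks like malware persistence; an empty list means none fired."""
    image = command_image(entry.data)
    reasons = []
    if USER_APPDATA.match(image):
        reasons.append("autorun target lives under the user's AppData")
    if DATA_ONLY_DIRS.search(image) and image.lower().endswith(".exe"):
        reasons.append("executable placed in a data-only store (keys, certificates, identities)")
    return reasons


# The two indicator rows from this report (Win7, then Win10).
INDICATORS = [
    r'\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{EE07B9B8-79CB-4B35-87AB-D4E1BF99C984}\\N25vjPXg\\xpsrchvw.exe"',
    r'\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3073191680-435865314-2862784915-1000\\iyIaUtBpiiz\\dccw.exe"',
]

if __name__ == "__main__":
    for line in INDICATORS:
        e = parse_run_indicator(line)
        print(f"{e.hive} {e.sid} Run\\{e.name} -> {command_image(e.data)}")
        for reason in assess(e):
            print("  !", reason)
```

Both rows trip both rules. On a live host the same two checks apply to the output of a registry export of the per-user Run and RunOnce keys; the Startup .lnk entries and the scheduled task created through the COM API are separate persistence points that this parser does not cover.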
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3444 wrote to memory of 3884 | N/A | N/A | C:\Windows\system32\sessionmsg.exe |
| PID 3444 wrote to memory of 3884 | N/A | N/A | C:\Windows\system32\sessionmsg.exe |
| PID 3444 wrote to memory of 4576 | N/A | N/A | C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe |
| PID 3444 wrote to memory of 4576 | N/A | N/A | C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe |
| PID 3444 wrote to memory of 1824 | N/A | N/A | C:\Windows\system32\dccw.exe |
| PID 3444 wrote to memory of 1824 | N/A | N/A | C:\Windows\system32\dccw.exe |
| PID 3444 wrote to memory of 4332 | N/A | N/A | C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe |
| PID 3444 wrote to memory of 4332 | N/A | N/A | C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe |
| PID 3444 wrote to memory of 5048 | N/A | N/A | C:\Windows\system32\MDMAppInstaller.exe |
| PID 3444 wrote to memory of 5048 | N/A | N/A | C:\Windows\system32\MDMAppInstaller.exe |
| PID 3444 wrote to memory of 1260 | N/A | N/A | C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe |
| PID 3444 wrote to memory of 1260 | N/A | N/A | C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\820d38a0c687ab0b550fe547c7bb1d6a.dll,#1
C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe
C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe
C:\Windows\system32\dccw.exe
C:\Windows\system32\dccw.exe
C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe
C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe
C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
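The Network table for this detonation records fourteen reverse-DNS (in-addr.arpa) lookups sent to 8.8.8.8 and one direct TCP connection to 20.231.121.79:80, with nothing about the TCP payload. The decoder below is an added example, not the sandbox's or the report's code: it parses the rows above (tolerating the row whose empty Domain cell pushed its Proto value one column to the left), turns each in-addr.arpa name back into the address that was reverse-resolved, and checks whether the TCP peer was among them. It was not. The table does not settle which of the decoded addresses are sample-driven and which are sandbox background traffic, so the decoded list is a set of leads to vet, not an indicator list.

```python
"""Decode the reverse-DNS queries in the behavioral2 Network table.

Added example; not the sandbox's or the report's code. The rows below are
copied from the table (one row has an empty Domain cell, which shifted its
Proto value one column to the left; the parser tolerates that).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PROTOS = {"tcp", "udp"}


@dataclass(frozen=True)
class Flow:
    country: str
    dst_ip: str
    dst_port: int
    domain: str | None   # DNS name queried, if the row carries one
    proto: str


def parse_network_row(row: str) -> Flow | None:
    """One table row -> Flow; the header row and blank lines give None."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 3 or cells[0].lower() == "country":
        return None
    country, dest = cells[0], cells[1]
    rest = [c for c in cells[2:] if c]            # drop empty Domain/Proto cells
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c.lower() not in PROTOS), None)
    ip, _, port = dest.rpartition(":")
    return Flow(country, ip, int(port), domain, proto)


def ptr_to_ip(name: str) -> str | None:
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28'; None for anything else."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows: list[str]) -> dict:
    flows = [f for f in map(parse_network_row, rows) if f]
    ptr_targets = [ip for ip in (ptr_to_ip(f.domain) for f in flows if f.domain) if ip]
    tcp = [f for f in flows if f.proto == "tcp"]
    return {
        "ptr_targets": ptr_targets,
        "tcp_endpoints": [f"{f.dst_ip}:{f.dst_port}" for f in tcp],
        # Did the sample reverse-resolve the host it then connected to?
        "tcp_peer_reverse_resolved": [f.dst_ip in ptr_targets for f in tcp],
    }


# Copied from the behavioral2 Network table, header row included.
NETWORK_ROWS = [
    "| Country | Destination | Domain | Proto |",
    "| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |",
    "| US | 20.231.121.79:80 | tcp | |",
    "| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |",
]

if __name__ == "__main__":
    summary = summarize(NETWORK_ROWS)
    print("reverse-resolved:", ", ".join(summary["ptr_targets"]))
    print("tcp endpoints:   ", ", ".join(summary["tcp_endpoints"]))
    print("peer among PTR targets:", summary["tcp_peer_reverse_resolved"])
```

The same decoder applies to a DNS log from a host: a burst of PTR queries for addresses the host never contacted is worth correlating with the side-loaded process, since ordinary client software rarely reverse-resolves addresses it is not talking to.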
Files
memory/808-1-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/808-0-0x000001EC62F40000-0x000001EC62F47000-memory.dmp
memory/3444-4-0x0000000001080000-0x0000000001081000-memory.dmp
memory/808-8-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-6-0x00007FFB68C7A000-0x00007FFB68C7B000-memory.dmp
memory/3444-10-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-7-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-9-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-11-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-12-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-13-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-14-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-15-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-16-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-17-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-18-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-19-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-20-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-21-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-22-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-23-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-25-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-24-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-27-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-28-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-29-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-30-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-26-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-31-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-32-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-33-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-34-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-35-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-36-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-37-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-38-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-40-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-41-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-39-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-43-0x0000000000E00000-0x0000000000E07000-memory.dmp
memory/3444-42-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-50-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-51-0x00007FFB69840000-0x00007FFB69850000-memory.dmp
memory/3444-60-0x0000000140000000-0x00000001401B5000-memory.dmp
memory/3444-62-0x0000000140000000-0x00000001401B5000-memory.dmp
C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe
| MD5 | 480f710806b68dfe478ca1ec7d7e79cc |
| SHA1 | b4fc97fed2dbff9c4874cb65ede7b50699db37cd |
| SHA256 | 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc |
| SHA512 | 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db |
C:\Users\Admin\AppData\Local\wpn\DUI70.dll
| MD5 | 8ce13a32b1bc8d8bb19d1981b63cc083 |
| SHA1 | 61f2d66a79d35dcda913dfcb9878011e2b07d95f |
| SHA256 | be23c8c28d6e2930f67e78af7230c2dfaf40219e2f6e7d982abb82981b8b4d34 |
| SHA512 | 7e2136aa018c06703e0d35dab08796419d3859202651836c42cac033234cb67238c535966c280eadd5edb0a9e8b891023a74e195a97b3165ab3319c3db289ff8 |
memory/4576-72-0x000001E5DDCE0000-0x000001E5DDCE7000-memory.dmp
memory/4576-71-0x0000000140000000-0x00000001401FB000-memory.dmp
memory/4576-77-0x0000000140000000-0x00000001401FB000-memory.dmp
C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe
| MD5 | cb9374911bf5237179785c739a322c0f |
| SHA1 | 3f4d3dd3d58c9f19dfbb414ded16969ebd9f74b9 |
| SHA256 | f7f3300b78148a34f6a35796c777a832b638b6d3193e11f4a37f45d4c6dfa845 |
| SHA512 | 9d47521538148b1823c0a17baa86ddf932f06f46d5d8b63fa87b2cc220fb98ce3f933e32d771222937bb8e41c88030839d489d1cd78b062bffeb2980dc6864be |
C:\Users\Admin\AppData\Local\R1h0gsZFF\mscms.dll
| MD5 | 8032a92f3ede3f3542a8802771de4d7e |
| SHA1 | 300a1d579bd19d70d0a4d199fa99b63d422207f9 |
| SHA256 | 21b8c24ffc372558361325d00e4525b8d51c52d0354019b9ef2e7297566f003f |
| SHA512 | 8331352ae78bb534e52d16fbc4b4825e61f0fb8c1803a29a878ff92c9d2c26033ae70cd2a872296646f7067c557ce49f53322d55f4d90c6e6db3f9bbb11b3602 |
memory/4332-88-0x000001C649DB0000-0x000001C649DB7000-memory.dmp
memory/4332-89-0x0000000140000000-0x00000001401B7000-memory.dmp
memory/4332-94-0x0000000140000000-0x00000001401B7000-memory.dmp
C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe
| MD5 | 30e978cc6830b04f1e7ed285cccaa746 |
| SHA1 | e915147c17e113c676c635e2102bbff90fb7aa52 |
| SHA256 | dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766 |
| SHA512 | 331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214 |
C:\Users\Admin\AppData\Local\qVQpmj3\WTSAPI32.dll
| MD5 | e75203ab9f762c9852de779891c2ddca |
| SHA1 | 7c9001ab6b7dba99c54fe1a352a54c6676666155 |
| SHA256 | 9c75e61519315306935d5b3f0173cfd82ebe89144a19ec7c45f5096532c481a0 |
| SHA512 | bd234c922234dc86eee62588537a09662f675414a3340c29d7cd5b92a45f217e093a5dedc03d71fdaccc9f1eaa0f2c1862d64199ab8456e0f441a0a0dbbb21e1 |
memory/1260-107-0x0000000140000000-0x00000001401B6000-memory.dmp
memory/1260-108-0x00000181E0100000-0x00000181E0107000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 550d3b2e73425dba59bbd3a29ce1ec65 |
| SHA1 | 154f363d646ca05959bafec385ef3b480fa8f2b0 |
| SHA256 | e706e5d87e304e17747815909027c76296b61f63d477e33e2627dbca187e3194 |
| SHA512 | 183c416b9ac67dddc11379bce8578eda851a56ce8f29cc02281a55029428185d23c617083ec2b2cd1a8d5e0b069ee09ff21d93039d4509f206f6724eae0e4c65 |