Analysis Overview
SHA256
3806ec3c6ae591fb47c6b48f5dbfaf45d7500d6efb12c07311ecdc5e9c9d514d
Threat Level: Known bad
The file 837792f925aca842eba981ebc7aff9a1 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-31 04:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-31 04:39
Reported
2024-01-31 04:42
Platform
win7-20231215-en
Max time kernel
150s
Max time network
117s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{4C0CEA03-C988-4067-9D42-5D4466084111}\\rgxk6\\rstrui.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1192 wrote to memory of 2672 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe |
| PID 1192 wrote to memory of 2672 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe |
| PID 1192 wrote to memory of 2672 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe |
| PID 1192 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe |
| PID 1192 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe |
| PID 1192 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe |
| PID 1192 wrote to memory of 3068 | N/A | N/A | C:\Windows\system32\rstrui.exe |
| PID 1192 wrote to memory of 3068 | N/A | N/A | C:\Windows\system32\rstrui.exe |
| PID 1192 wrote to memory of 3068 | N/A | N/A | C:\Windows\system32\rstrui.exe |
| PID 1192 wrote to memory of 3064 | N/A | N/A | C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe |
| PID 1192 wrote to memory of 3064 | N/A | N/A | C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe |
| PID 1192 wrote to memory of 3064 | N/A | N/A | C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe |
| PID 1192 wrote to memory of 1324 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1192 wrote to memory of 1324 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1192 wrote to memory of 1324 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1192 wrote to memory of 1964 | N/A | N/A | C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe |
| PID 1192 wrote to memory of 1964 | N/A | N/A | C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe |
| PID 1192 wrote to memory of 1964 | N/A | N/A | C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll
C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rdrleakdiag.exe
C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe
C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe
Network
Files
memory/2356-0-0x0000000140000000-0x0000000140232000-memory.dmp
memory/2356-1-0x0000000000120000-0x0000000000127000-memory.dmp
memory/1192-4-0x0000000077816000-0x0000000077817000-memory.dmp
memory/1192-5-0x00000000025F0000-0x00000000025F1000-memory.dmp
memory/1192-10-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-16-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-25-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-29-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-33-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-36-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-40-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-46-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-48-0x0000000002600000-0x0000000002607000-memory.dmp
memory/1192-47-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-55-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-45-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-44-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-56-0x0000000077921000-0x0000000077922000-memory.dmp
memory/1192-57-0x0000000077A80000-0x0000000077A82000-memory.dmp
memory/1192-43-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-42-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-41-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-39-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-66-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-38-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-37-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-35-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-72-0x0000000140000000-0x0000000140232000-memory.dmp
C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe
| MD5 | 5e058566af53848541fa23fba4bb5b81 |
| SHA1 | 769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6 |
| SHA256 | ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409 |
| SHA512 | 352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0 |
\Users\Admin\AppData\Local\yPjURgvo6\wer.dll
| MD5 | 55b0050601f5e48c71ef3ccc9000d7e4 |
| SHA1 | 7d468eb2a47ef93550512e4aee6886fa85bd8132 |
| SHA256 | 263c52c98c6e717607226bfb14339a21fd59c516b93d0a26c8add64c99302c4d |
| SHA512 | bb95138798343abefa6d6deb0403b7e6079f705a91b443828ab6857c31c631afb6d0d32a231e923960f6d19055bd84947fd104eed5e91239e47b2c48427a3243 |
memory/2016-86-0x0000000000110000-0x0000000000117000-memory.dmp
C:\Users\Admin\AppData\Local\yPjURgvo6\wer.dll
| MD5 | 2686c9396a088eea4b32aa99962b1e1b |
| SHA1 | 638c3b7ed5684850f4addb2135de6b1a0a463b89 |
| SHA256 | cf2ae1d19d6aba263670301bba650a3388293a946e9a58bc147383d5cdfdac44 |
| SHA512 | 5125607cfa4672218964ba9662b3d11c929aafca92b3187e058eeaf06ff619aefa414132ebd8e6f496f808f855fdb05853df1129bfd93ee59ebf7a898beb00a1 |
memory/1192-34-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-32-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-31-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-30-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-28-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-27-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-26-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-24-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-23-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-22-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-21-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-20-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-19-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-18-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-17-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-15-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-14-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-13-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-12-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-11-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-9-0x0000000140000000-0x0000000140232000-memory.dmp
memory/2356-8-0x0000000140000000-0x0000000140232000-memory.dmp
memory/1192-7-0x0000000140000000-0x0000000140232000-memory.dmp
\Users\Admin\AppData\Local\8a8gkC\SPP.dll
| MD5 | 9e561f93c460125756daa7c9deb8c9e7 |
| SHA1 | d5d011008ce9da528b916743de29fb773cbc146f |
| SHA256 | d278861ba638523ef5e56cf3737d16fc930ce920f439ca8ca81143667629433f |
| SHA512 | 6e8324203c5a816e4131b3f1421ea8e1626ac510c7ce772eeda01e7122b4fa7d555cbe8658c10e63b1cb65660e9f8cb6541c9b91e4bd7480de70c1b71a2dd68f |
memory/3064-102-0x0000000000180000-0x0000000000187000-memory.dmp
C:\Users\Admin\AppData\Local\8a8gkC\SPP.dll
| MD5 | 42d899924a17323b75cda36df53d4dfc |
| SHA1 | a06a41885a9a5b5307a4e3ea4ee78e0832bf5582 |
| SHA256 | 4d49673083ef17dcc4fdaa0b640e46fa88146e66a83b4b3446a4f36be32e93ab |
| SHA512 | e51c7252131618a84932dda59a69e62cc2b81fb749a94003cc847976bcb4a29175635e311e48fae6d2d9babae3fb7763fafc17ea2bedf85213bb235407342715 |
C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
| MD5 | 1c1c92ef23e19b28f74e05ca617c83d2 |
| SHA1 | ff03ffef96bb5bf7b84a9cc4bceea19e7b3dcca3 |
| SHA256 | 2f34c4041e2e2a9573fbf8b5295475a79361421bc0bcf1454d73df975fd6dc35 |
| SHA512 | 1bfc5f3c6698ebaa55ccf1a0db7f3c07bcef39f9296f8e57c0b6893195593c605a597a46b1d325674650394265ebd5aa20ce30bc49205d866d090cd18ecf9fbe |
\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
| MD5 | a16075a2e705d64dd3d545f6d0551a59 |
| SHA1 | ee4783e097bd1a2514655641deddcd175d444504 |
| SHA256 | 1eac6f17f0e2390869e3ab3497b8263b58b8f3ad1ec473fd1a6b9d18a860b0ef |
| SHA512 | b1a8a75bc280bd38446aa2605c0a0272d05bb0e7c22523b36cefae00cca98bc22ba01366217900c0b8f8b4dcb9bceb09f71064707a3eac892b02d0b1556e807d |
C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
| MD5 | 88eb800b34f2965fb1df4cb085f2da45 |
| SHA1 | c067887129f61141843ac71e3737bd013b3956d6 |
| SHA256 | 5dc34600ea837e257e8ea75ade466b6258fa2c408768edee83fa588ed4770f5e |
| SHA512 | cc889953b6d9a038891a95679585dd4be1ff9d293a6a540eb77281eb3c07165d45c6ff30893fd5020a955862785c2c2c812f2c2b6f3290540807e0952606d572 |
\Users\Admin\AppData\Local\dfCDb\dwmapi.dll
| MD5 | 488228ac5bdc124ad457ae32bf412f5b |
| SHA1 | 36feb33fb14cb1a47369d289050275b3ef2ed234 |
| SHA256 | bfcfc9953d1026bd1d7930601e98786039318f6050596b3e225a114c9daf79a3 |
| SHA512 | a404903074de56bc40b25ef296f15e3b49726632c4cda1f6db9b07abfaf88f40c03e22e81a2a7696b71b467cf7773f3372d2a9b8217a47c24efe89df06ca6db5 |
memory/1964-125-0x0000000000100000-0x0000000000107000-memory.dmp
C:\Users\Admin\AppData\Local\dfCDb\dwmapi.dll
| MD5 | 006181c98ffbc7ed2d934bf50261d91b |
| SHA1 | e7d2acbca480a9fb47e077dc61a9fc00a4d70331 |
| SHA256 | 36aca031bdc1e1788a9cd83f3ea5ec4701e030ce362e036fe2f62c259d4944ca |
| SHA512 | ffe8dfab5a449fc926bb503c6c44bc7abb73567cc6903f032d872d7a7967bb01fd021173473b99b2fa41dd138fe0895a9ff06f7a72476f1967c4178f9fb8e36d |
C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe
| MD5 | 8c88510b28fe119238eef0a004ec439a |
| SHA1 | 2f32df5e48de99babd13c83be9e5a56c13917268 |
| SHA256 | eee46a51c223a0d3b82662e1260d196a55160d6895166f541e9348554c8198db |
| SHA512 | 4fb3e4b23e6c4ce61e26014f4c2f66dbee345ab7db9959bd4b75eb717bea59b85940c775a3e4aeb8a571437fbd0fdfc551927597977a9b25446bd2eeb5b0cd50 |
\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe
| MD5 | 53fda4af81e7c4895357a50e848b7cfe |
| SHA1 | 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f |
| SHA256 | 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038 |
| SHA512 | dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\s6Y\RDVGHelper.exe
| MD5 | 5b5434ab98c4f17f0b2dfdb09bbc91aa |
| SHA1 | a117d43262a7bb84c96de5fc2bc91b2b41f3052e |
| SHA256 | 7bead478f9498447c09499abf4efaa8f66db1a51ab92c5a9d2bed7640b045e06 |
| SHA512 | 9c6af6232df433ca023d8c82355fbb3689d6c0970ec53073ee3a7d85dd6bf31ed5e7f4a2403a94b3676ea0bb10d94b40df36221170fdd8af6147ddf420c9fb91 |
memory/1192-144-0x0000000077816000-0x0000000077817000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk
| MD5 | ef3f2daa69b28e0b0899db4634cde7b6 |
| SHA1 | f36d2d417a463e60dbfab41c7e79717fbe185b06 |
| SHA256 | 7a00961f23a759984f1a9fee4392381ab5ae54fe055dd568e3348026113069ca |
| SHA512 | 4ef8eedbea537f0b41b04eaf45c106be915a5398ddd93dcc5c05703e91cc492ea47065a7ecc5878200470e4b2b7166b47a82f10ed954d2a4d5b59ad1cbda95fc |
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\H07\wer.dll
| MD5 | 8f1a0a7921b468e13a5dca68f85853d3 |
| SHA1 | ca217f92ea3e19997da953b1cedc110b708e8b6e |
| SHA256 | 39cc768724dd38096e1d32dc01d138df6dfecbb017c2f24089a478191a6f1232 |
| SHA512 | 803a031d984200e06683f76bbf374365561d085685b2f527ea13e12640a48ba17b9e2eb6e0aa5690ab3cf929bab8e264a9c2ac48ae2da006871fa2332b5b344e |
C:\Users\Admin\AppData\Roaming\Identities\{4C0CEA03-C988-4067-9D42-5D4466084111}\rgxk6\SPP.dll
| MD5 | 31b8815efeae55cd850c1016d46c2b03 |
| SHA1 | bc81712cab24ac15cabc5a185deb1e93dbcc2cf3 |
| SHA256 | 7daa06831fc98560f8945f156c49652be554b9caf1861693560d255ad87e9503 |
| SHA512 | 97148967cfc57d686affc5511a8764f30fe7ba904f665322fe79a7e60564696f12562ff5acd7ec7d80eec6e3a5b60a31e9af6eed5b1871df9397a17bfb642ac7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\s6Y\dwmapi.dll
| MD5 | 1f26c5135ed449ef1af1a05b8a9999e4 |
| SHA1 | 4de81a0cb9ff22195aecfd700eb45383398c4dcc |
| SHA256 | e5aec39fa5f0ec235db7c635ffe40aabf0655232fbbf9f3717969bba7b364fbd |
| SHA512 | 02f7f0aa9d77a9877eb4950b99973310c25ed158736115520fe80f5876cb2c0a8ec9184a03ce18fe534555b82d47486385d19f9dfe0f63561ea4e466e69c9ad2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-31 04:39
Reported
2024-01-31 04:42
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
148s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\H9db\\MUSNOT~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3480 wrote to memory of 656 | N/A | N/A | C:\Windows\system32\quickassist.exe |
| PID 3480 wrote to memory of 656 | N/A | N/A | C:\Windows\system32\quickassist.exe |
| PID 3480 wrote to memory of 4832 | N/A | N/A | C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe |
| PID 3480 wrote to memory of 4832 | N/A | N/A | C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe |
| PID 3480 wrote to memory of 4224 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3480 wrote to memory of 4224 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3480 wrote to memory of 4408 | N/A | N/A | C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe |
| PID 3480 wrote to memory of 4408 | N/A | N/A | C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe |
| PID 3480 wrote to memory of 2316 | N/A | N/A | C:\Windows\system32\isoburn.exe |
| PID 3480 wrote to memory of 2316 | N/A | N/A | C:\Windows\system32\isoburn.exe |
| PID 3480 wrote to memory of 1008 | N/A | N/A | C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe |
| PID 3480 wrote to memory of 1008 | N/A | N/A | C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll
C:\Windows\system32\quickassist.exe
C:\Windows\system32\quickassist.exe
C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe
C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe
C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe
C:\Windows\system32\isoburn.exe
C:\Windows\system32\isoburn.exe
C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe
C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
Files
memory/3904-0-0x0000000000810000-0x0000000000817000-memory.dmp
memory/3904-1-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-4-0x0000000001350000-0x0000000001351000-memory.dmp
memory/3480-6-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3904-7-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-9-0x00007FFE914BA000-0x00007FFE914BB000-memory.dmp
memory/3480-8-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-10-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-11-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-12-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-13-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-14-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-15-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-16-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-18-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-19-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-20-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-17-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-22-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-23-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-24-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-25-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-26-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-21-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-27-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-28-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-29-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-30-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-33-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-32-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-31-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-34-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-35-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-36-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-37-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-38-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-39-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-40-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-41-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-42-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-43-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-44-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-45-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-46-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-48-0x0000000001310000-0x0000000001317000-memory.dmp
memory/3480-47-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-55-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-58-0x00007FFE93140000-0x00007FFE93150000-memory.dmp
memory/3480-65-0x0000000140000000-0x0000000140232000-memory.dmp
memory/3480-67-0x0000000140000000-0x0000000140232000-memory.dmp
C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe
| MD5 | d1216f9b9a64fd943539cc2b0ddfa439 |
| SHA1 | 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c |
| SHA256 | c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2 |
| SHA512 | c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567 |
C:\Users\Admin\AppData\Local\4cnzpoY\UxTheme.dll
| MD5 | ed5bf30ce05e3cff7854bf9ffaca08f5 |
| SHA1 | f5daaa1b33a039c224500c083bf8146eba59e97d |
| SHA256 | d42eb85ce48c35c3da642ea90ca87df59c7986ce45c09c475303af8d9ed0a11f |
| SHA512 | ff75b84b15328b5f5eb693c3fb0e75d673096701584aeb024f7302d2c02c675a97259911d92c5f0b3a0d2b0a16a14fb2c65261928402e41b0ebbe8502716f05c |
memory/4832-77-0x00000253A2F40000-0x00000253A2F47000-memory.dmp
memory/4832-76-0x0000000140000000-0x0000000140233000-memory.dmp
memory/4832-82-0x0000000140000000-0x0000000140233000-memory.dmp
C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe
| MD5 | 869a214114a81712199f3de5d69d9aad |
| SHA1 | be973e4188eff0d53fdf0e9360106e8ad946d89f |
| SHA256 | 405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361 |
| SHA512 | befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012 |
C:\Users\Admin\AppData\Local\3J8wl4c\XmlLite.dll
| MD5 | dd3443ca746d2de4ad3fb6c39214650b |
| SHA1 | b09b644b86a0ab18eaaaf942fdcb8b3f159baac5 |
| SHA256 | 98cfdffaf902883364b3a625be4506ff6256507583b02fba5fc03071b775f517 |
| SHA512 | 6830ea76c35d5ccacc7de010244be71c8c76cea870ddb15990b036d9fb1b980d5ab719e331e2512faeacdde30868b4e44f88c47b4c6ecadc3a38f98b4c618c4e |
memory/4408-93-0x00000280567B0000-0x00000280567B7000-memory.dmp
C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe
| MD5 | 68078583d028a4873399ae7f25f64bad |
| SHA1 | a3c928fe57856a10aed7fee17670627fe663e6fe |
| SHA256 | 9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567 |
| SHA512 | 25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1 |
C:\Users\Admin\AppData\Local\3ZobJ\UxTheme.dll
| MD5 | eb00165aadcb47d6bee4a5d9dc587744 |
| SHA1 | 3691011d5cb6bddc6f9a7f4d2e274b30fcb829ad |
| SHA256 | 86f8d6993e9a48698cd8cc161b443172a2ed10aef2608b0f1ccdf53f2c18f544 |
| SHA512 | c3699499943108e72e10f021b289c2d20d411c88f7ddfad4d01a2d85f8cc507c2cc914d1e28a761174cb0b34c57bbf958f2e1438c2c55d1d20732cdcf19194bc |
memory/1008-111-0x0000026180B40000-0x0000026180B47000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | f1f71ccfe60d089abd759eb656643c89 |
| SHA1 | fb2aeecbf68609fa06fd80c529b72003d7a4a798 |
| SHA256 | 74005608bb7afc7bbdd14824ea760fd2282855943f740147c3b1263a8332fb9e |
| SHA512 | ee55544874138a3ff3a5b594d2ab3f639b730b87eab4ffa61412ffea2ef5f0a61576b09173eb5fdd4f29f488e45c17cfcbee4a4cc719bd485685dda77c188d4f |