Analysis Overview
SHA256
a7f598f265286347b55802674110210e08986dad0a49bdd83caf30ee6d6085f0
Threat Level: Known bad
The file 87f4ff988b3efc9a3e0d996f68db1be0 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-01 23:34
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-01 23:34
Reported
2024-02-01 23:37
Platform
win7-20231215-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\UWEFXB~1\\ddodiag.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1204 wrote to memory of 2276 | N/A | N/A | C:\Windows\system32\shrpubw.exe |
| PID 1204 wrote to memory of 2276 | N/A | N/A | C:\Windows\system32\shrpubw.exe |
| PID 1204 wrote to memory of 2276 | N/A | N/A | C:\Windows\system32\shrpubw.exe |
| PID 1204 wrote to memory of 832 | N/A | N/A | C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe |
| PID 1204 wrote to memory of 832 | N/A | N/A | C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe |
| PID 1204 wrote to memory of 832 | N/A | N/A | C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe |
| PID 1204 wrote to memory of 2964 | N/A | N/A | C:\Windows\system32\ddodiag.exe |
| PID 1204 wrote to memory of 2964 | N/A | N/A | C:\Windows\system32\ddodiag.exe |
| PID 1204 wrote to memory of 2964 | N/A | N/A | C:\Windows\system32\ddodiag.exe |
| PID 1204 wrote to memory of 3020 | N/A | N/A | C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe |
| PID 1204 wrote to memory of 3020 | N/A | N/A | C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe |
| PID 1204 wrote to memory of 3020 | N/A | N/A | C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe |
| PID 1204 wrote to memory of 2252 | N/A | N/A | C:\Windows\system32\unregmp2.exe |
| PID 1204 wrote to memory of 2252 | N/A | N/A | C:\Windows\system32\unregmp2.exe |
| PID 1204 wrote to memory of 2252 | N/A | N/A | C:\Windows\system32\unregmp2.exe |
| PID 1204 wrote to memory of 292 | N/A | N/A | C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe |
| PID 1204 wrote to memory of 292 | N/A | N/A | C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe |
| PID 1204 wrote to memory of 292 | N/A | N/A | C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f4ff988b3efc9a3e0d996f68db1be0.dll,#1
C:\Windows\system32\shrpubw.exe
C:\Windows\system32\shrpubw.exe
C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe
C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe
C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe
C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe
Network
Files
C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
| MD5 | 2d73937b3735925ebcacd04151459500 |
| SHA1 | 115aaaccd01d1c8beaba6fd84fe30dbd84210597 |
| SHA256 | d05cf222f7fb9b6dd72b0ce7f13b0ce273a4a603ac390134273cca4664e746cd |
| SHA512 | a34c7286f49c79b0e5ab63e5735c9f886641b7bf09138186f15145ef7e3e7ae5a32f21243d473d546ee4e5a3e80dc78de60460b61acf7d313553a1d24534a6d9 |
C:\Users\Admin\AppData\Local\9uWbol3Cc\ACLUI.dll
| MD5 | 539ddddf6797759e820854ec54adf82e |
| SHA1 | fec486d6e9a38a54963e01ac18b370c5173aaeee |
| SHA256 | b59c25b7f8fa161e2ab78507dbe258e6b2c281d028790ebd1d321ce285186afc |
| SHA512 | 633d9b735144bbc79016e211a248830d6ef57bc232cd7de7c4d62934e0345b45218c233120ba5a61e9dfbbed572b4cafbfecc102ff35edcedf6aebbb2cefacb2 |
\Users\Admin\AppData\Local\9uWbol3Cc\ACLUI.dll
| MD5 | 217e248ccbce89e478d531cf3bd89ae3 |
| SHA1 | 332e074da0c9e44153bad6988c85e59987ea3a42 |
| SHA256 | 70d14772f74b1868c75578c94f8ca43d091c14661ac1309c9b347a2baa1239ac |
| SHA512 | 7d27c4e15d13b0181a9f645d845234e4a164078c56e7603c5a7a9079760024dd26e05b09618338ec17d33d62648bb7ef90faf1b24164c81221657170248b0f0f |
\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
| MD5 | 088a1f2fbdcaf68235232d1ae12cdf77 |
| SHA1 | 51a2569da0d9d567347b4a3e7dcbf07bc67a29fd |
| SHA256 | 08311273a69d5617aa35e6673f20aabcc8522acfdb300621ba3960157d827d15 |
| SHA512 | 137f09863e717be1f997aa5c61752186beb1be858912745fc88df62bee35c497c924ab2367fb17865e0020efff49e8740cee0203dc57e4a38e422c2aa5e676cb |
C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
| MD5 | d19b9de6ac49b9604059136f3957d5b9 |
| SHA1 | 28d8cd6ec45b553f529189989f2c85a78b615e3f |
| SHA256 | b6100cbdd7bbf827653bcc69019cf33ad8c23ed1aa5fdd0a86c62a85f0bee760 |
| SHA512 | d3395863c6cf348b47583b606756f3fbc13cbff3151cce936cbb785f3e5283c16db4e17db99e61c33e05a89f86e18f8682f900304ebc52ddf0fde40ab8fb3b40 |
\Users\Admin\AppData\Local\wjfo\ddodiag.exe
| MD5 | 509f9513ca16ba2f2047f5227a05d1a8 |
| SHA1 | fe8d63259cb9afa17da7b7b8ede4e75081071b1a |
| SHA256 | ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e |
| SHA512 | ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862 |
\Users\Admin\AppData\Local\wjfo\XmlLite.dll
| MD5 | 0a18d673623d33e7746048d8f39a530d |
| SHA1 | eab8bae2e4b0ef310de0e71b9321af1bee7b0dea |
| SHA256 | d8772a41cc5d00bd518c1b88d8f9a278f586c4b8d6634a71d65f52653eac364b |
| SHA512 | aeecb3b26e74fa4cadac3c36fda5b6588554b86a531944cd216fc82b1a78c99d32630be928e257b539bfc0a5be636bc159b6aa8fbd8230a6c729f6d405ac53ed |
C:\Users\Admin\AppData\Local\wjfo\XmlLite.dll
| MD5 | 1ac402c5cb88c684287132abae86623c |
| SHA1 | 4d0c6cfb802c2aeb03b4ae5772eb0f88e5d510d3 |
| SHA256 | 00beee083fc2f58969734d7ae1a9a9bcf14e331c489a0a65107b66b02b14dec7 |
| SHA512 | 5d7e84b1ee1c9d1ede22795dd2c251c667f8969945fe66a3af165b2b97cb2aeb28e9e66fdf1efdb28afa9d881fef78fe6234c491b735c96f12f2de799247c8f6 |
C:\Users\Admin\AppData\Local\oVUV0nDe\slc.dll
| MD5 | 15d41c9aa88d3a13c880b4d7a6772477 |
| SHA1 | 40597f28624a1976da21dfccb3ef4d3801e176e7 |
| SHA256 | a45125550d80a397a6472fefed0c3bca25daa7cd7951b840405723e7a85f6128 |
| SHA512 | 46f287574c0aff8dd94156132a575332836eb04b201da5b3a8b14ab0a49613136c411b3e2a168d3fe1f16582872be268bb8309d46dfdf264a2d3081df3862ddf |
\Users\Admin\AppData\Local\oVUV0nDe\slc.dll
| MD5 | dbf594cb79d5fe4dcbfc41626a471e96 |
| SHA1 | d19b0f5606c9341235d74a324a2ba7480197cdf7 |
| SHA256 | 6989166e3283c2d2053edafd2e5f441568a5a6135efe0294597aed5931a82b43 |
| SHA512 | bd8e0ed21d5620e1c649cabdb22beaa82bd0e2f331c9997b8b807fbc343497ef5f3491f7d30e217c6006a659e0c607fca8d5d821ca0db4d82334f41c922c42a5 |
C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe
| MD5 | 9121740ff1acfa9ac5f33b9dfdc1a8f5 |
| SHA1 | db47b4adc72371cd0978c0892fe3aeefc07de047 |
| SHA256 | 9e29665d3b2d6c1b7f374875b79b304f89da162b41741c80db1eb4f25be1a6da |
| SHA512 | b3df5c42edaa2f86ac0415f97979bebda7ae70d4e7c971e423dd85040f79d6e199324c4588367994f7a5a7584be83565c08bf1153a699b34be41fd4a4e5efb81 |
\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe
| MD5 | 4de9c366740815e266defc61b23092a3 |
| SHA1 | 76a790f158e3f10a3ba1ec7ef33f70c1b118386e |
| SHA256 | 160b65c63f2947e074d69224d66ab0d599c6a87df6a8dd03267fb77d23bf9639 |
| SHA512 | 6374c50e9c0a1620604cfc8643ac5917bc22e4dccfb0797f89301c70b961d806659a740829ccda79a78b02fdd305cb2a3d9ca52bc18d93e6343b5ffbfb33740c |
C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe
| MD5 | 32b97eb34f4b8fa296839cc4f4c48377 |
| SHA1 | 24ef8a039ecd35ea1780e17197ae37583869226b |
| SHA256 | 688c823234f46b7a264c8c2252a2b303239d42d751480f67bdc67e0d7c8bcd04 |
| SHA512 | 3eef44c1ea009ba89a3351d0865028ef7e75e43679568585eda8161d76798f774a9e51816c0099f92907d40db906f2e187a40512bef20ec36803d56bf2273068 |
\Users\Admin\AppData\Roaming\Mozilla\Extensions\NpA\unregmp2.exe
| MD5 | 5e2143090655d160d69119f6e2d39ff1 |
| SHA1 | fb804416a0809c27c137bbf51b14ff47bbb19ff5 |
| SHA256 | 321bb5328e335b783df753413d2c26d18f4d057c7223d702d25606fdf44a1df0 |
| SHA512 | 930543cb84e9060616238995bb8803ad3319030f648c74feba8effe5571c3a10c51c0f3b3835a564086eb768cb2b576851b32cc16a691b0a3420df5c351d86d8 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk
| MD5 | 82fba99901a34346a60d2876f5b7a1a1 |
| SHA1 | 66ab939671763a5b745686b15ab109fe5c058d05 |
| SHA256 | 6a2727bd99e05e6077da6f64c32d714892528edfccc1f8e8af9295359eefb083 |
| SHA512 | 3df32f426ab3664c9b9ba1a3b2662f9ba987def014d6976976bb860d289a257b8b3d23180ae84442be60e94937d9326a33ba676588dea40482be5319a3eecb9d |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6EPRn84PObd\ACLUI.dll
| MD5 | 989e7e42fbd0fb346e45ac17b0f81a2d |
| SHA1 | 97b4f4d3aae15b65f3d4500e83ed8eb06caeece2 |
| SHA256 | 4c27c652dd1fff3259ed15a82827ad7744a4a67dc4cf7318cc02c09e255e23bb |
| SHA512 | bb4873fabcf501d77ac61882f5d43188ddb447bba7fc4e84febe0502978e12f1562765bf75ada90f9fb457a4018102ff2a9cc9d171ff35fab33c47bf7c058a06 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\uWefXBYPLRC\XmlLite.dll
| MD5 | 791ea65fad082e86db609282b5472023 |
| SHA1 | 937ab541f9b4cfb1b25e07fa0ca617c9dec417c8 |
| SHA256 | e61ed85b57d053eaf57d06274a08ab0de01d506ffe07ca1e94b9841bd539e5d2 |
| SHA512 | 22f20a61d91d7b57e2c5d2e61690082e1aab4e83bb5b9c59003892d7a53e31e5a17fe99299b84c4527f24f8e67d13dea7eac024820cc626af6682cf46b11afec |
C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\NpA\slc.dll
| MD5 | 06b9dabd4677f9cbbf4c2b939c3f02f5 |
| SHA1 | adf61f5258063be5b97c2db0e4b6110db837ba2b |
| SHA256 | d7c4e74c36629172139c9f1538287c2ffae6b04037955bd7a971df4376290d26 |
| SHA512 | 07958b61765c885efdc13b3681a120b9960d2656064b4593572e1a77e9b03ec301a33af653ae5ad32e9254f8ae19c23adb365bf0d4cda00af1d825a00ee927b5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-01 23:34
Reported
2024-02-01 23:37
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
143s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xfp\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xfp\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\jpAhVM\\sigverif.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xfp\sigverif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3512 wrote to memory of 4380 | N/A | N/A | C:\Windows\system32\recdisc.exe |
| PID 3512 wrote to memory of 4380 | N/A | N/A | C:\Windows\system32\recdisc.exe |
| PID 3512 wrote to memory of 3916 | N/A | N/A | C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe |
| PID 3512 wrote to memory of 3916 | N/A | N/A | C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe |
| PID 3512 wrote to memory of 2256 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 3512 wrote to memory of 2256 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 3512 wrote to memory of 2232 | N/A | N/A | C:\Users\Admin\AppData\Local\xfp\sigverif.exe |
| PID 3512 wrote to memory of 2232 | N/A | N/A | C:\Users\Admin\AppData\Local\xfp\sigverif.exe |
| PID 3512 wrote to memory of 3228 | N/A | N/A | C:\Windows\system32\RecoveryDrive.exe |
| PID 3512 wrote to memory of 3228 | N/A | N/A | C:\Windows\system32\RecoveryDrive.exe |
| PID 3512 wrote to memory of 1756 | N/A | N/A | C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe |
| PID 3512 wrote to memory of 1756 | N/A | N/A | C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f4ff988b3efc9a3e0d996f68db1be0.dll,#1
C:\Windows\system32\recdisc.exe
C:\Windows\system32\recdisc.exe
C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe
C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe
C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
C:\Users\Admin\AppData\Local\xfp\sigverif.exe
C:\Users\Admin\AppData\Local\xfp\sigverif.exe
C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe
| MD5 | 18afee6824c84bf5115bada75ff0a3e7 |
| SHA1 | d10f287a7176f57b3b2b315a5310d25b449795aa |
| SHA256 | 0787b37cf197595b8149ffe3784f9c59eacde3616011f185513ff5c075a5ac4e |
| SHA512 | 517356165b401dbebf15437d3b17746aef5a6a4cc62a0afe45966abc92b4cf377eee4514a36ee28b1e88e55a22a2f8a6c997df45971e7f354b66ac7d9e141845 |
C:\Users\Admin\AppData\Local\LktVSnhJ\ReAgent.dll
| MD5 | 1fc3dab81aeebf591611ed194b253474 |
| SHA1 | acf6e6675e2eae91e1f2a2af5cc072041096e191 |
| SHA256 | ff6d0d7c75c5a24c55c1b66d8b2a57bb0e9a02bda73bf25cfcf3de878fec2999 |
| SHA512 | 68671b46e86a18928b81617fc6340842a8b955377a2c4878b81ad31278de5a7ea6aafe50a41b5c7f85b602e2675f72d097e3450106e77489cc5ad4a18a941fab |
C:\Users\Admin\AppData\Local\xfp\sigverif.exe
| MD5 | 2151a535274b53ba8a728e542cbc07a8 |
| SHA1 | a2304c0f2616a7d12298540dce459dd9ccf07443 |
| SHA256 | 064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd |
| SHA512 | e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f |
C:\Users\Admin\AppData\Local\xfp\VERSION.dll
| MD5 | 7c913b1bdd914f5095423d140cfdb629 |
| SHA1 | f5ad9fc8c9ca0c0cc64948a50c7bd211de27c7bf |
| SHA256 | 65fadb8fc3668ab38b06e9023936e1ef21d1dbffb297405f40f28ac0046bcd55 |
| SHA512 | 5a0dfce14dabd72d6ec81f1efdf73923421be552d2c44bd12eca2529054b698a45f4c64d19dfa3e0115ae0f24485550bb54139d4f85159d0a00a94a959abc96c |
C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe
| MD5 | b9b3dc6f2eb89e41ff27400952602c74 |
| SHA1 | 24ae07e0db3ace0809d08bbd039db3a9d533e81b |
| SHA256 | 630518cb2e4636f889d12c98fb2e6be4e579c5eeb86f88695d3f7fff3f5515c4 |
| SHA512 | 7906954b881f1051a0c7f098e096bc28eddcc48643b8bf3134dd57b8c18d8beba4f9a0ac5d348de2f9b8ea607c3e9cb0e61d91e4f3ba1fefb02839f928e3e3fe |
C:\Users\Admin\AppData\Local\GxkBE1a\UxTheme.dll
| MD5 | a7187e1b01918bdf95ebec459e683e77 |
| SHA1 | b8771c819a730929bc9dfc29939c4ed94fc665a5 |
| SHA256 | 9c8d0ca9065004ee29451ae723c400bb6de7981d255a1e2b3e25bb9b0da63f11 |
| SHA512 | 180c8acdf15cf575e766eaebcb3c96abe524e6282a32a3b6760359383775c2d01bad24357e154ce43953cfe23e91f4dda5534e778e27290ed475f1e2fcaa44a9 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 7882f51af209ebc104f8a198599e7841 |
| SHA1 | 3bc43e7f92aa7aea9f8e5eee81b4d157fbf6b7e5 |
| SHA256 | 2a32c2a6814b97c911cf1a48a4719106178bc128edda4f5442035d3e04ed7252 |
| SHA512 | e5bb24d8dd73002bdc991a726d2ce3f4b95ecbcc4b69bf0167be9910665549be9c435d21681c7d0cd461de63ca4ba14dd5ec91a3474949f7fba1911e5ef4b820 |