Analysis Overview
SHA256
2303cd17c0c377a2c2446c1267c7ff5a772e4cc30c721eddf332fae15489d256
Threat Level: Known bad
The file 875d030c5fc6c9897bd817f84ca43711 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-01 16:32
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-01 16:32
Reported
2024-02-01 16:34
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\ZV\\taskmgr.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\875d030c5fc6c9897bd817f84ca43711.dll,#1
C:\Windows\system32\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe
C:\Windows\system32\taskmgr.exe
C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe
C:\Windows\system32\DWWIN.EXE
C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE
Network
Files
C:\Users\Admin\AppData\Local\iOtt4B7I\SYSDM.CPL
C:\Users\Admin\AppData\Local\iOtt4B7I\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\OfNqYkjn\Secur32.dll
C:\Users\Admin\AppData\Local\OfNqYkjn\taskmgr.exe
C:\Users\Admin\AppData\Local\8ipY5EaU\VERSION.dll
C:\Users\Admin\AppData\Local\8ipY5EaU\DWWIN.EXE
\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\idoRtXwx83\DWWIN.EXE
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HU\SYSDM.CPL
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\ZV\Secur32.dll
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\idoRtXwx83\VERSION.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-01 16:32
Reported
2024-02-01 16:34
Platform
win10v2004-20231222-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\aKU\perfmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\aKU\perfmon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\UProof\\AOkJb\\perfmon.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\aKU\perfmon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\875d030c5fc6c9897bd817f84ca43711.dll,#1
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe
C:\Windows\system32\perfmon.exe
C:\Users\Admin\AppData\Local\aKU\perfmon.exe
C:\Windows\system32\rdpinit.exe
C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe
Network
Files
C:\Users\Admin\AppData\Local\pN8UjZK6U\SYSDM.CPL
C:\Users\Admin\AppData\Local\pN8UjZK6U\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\aKU\credui.dll
C:\Users\Admin\AppData\Local\aKU\perfmon.exe
C:\Users\Admin\AppData\Local\Gxb4\dwmapi.dll
C:\Users\Admin\AppData\Local\Gxb4\rdpinit.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\EQt19Hh\SYSDM.CPL
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\AOkJb\credui.dll
C:\Users\Admin\AppData\Roaming\Sun\ArRkyy4tW\dwmapi.dll