Malware Analysis Report

2024-11-30 21:24

Sample ID 231222-s6v6qsdbh5
Target df0708fcf553fdf7b27a1591a96257db
SHA256 6dffce1ea68f5480f850e4b067f15d5950bca8d75f8d1a4b70059e11c0e02445
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 6dffce1ea68f5480f850e4b067f15d5950bca8d75f8d1a4b70059e11c0e02445

Threat Level: Known bad

The file df0708fcf553fdf7b27a1591a96257db was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 15:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 15:44

Reported

2023-12-24 04:31

Platform

win7-20231215-en

Max time kernel

150s

Max time network

128s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\df0708fcf553fdf7b27a1591a96257db.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\UId\\mblctr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 2812 N/A N/A C:\Windows\system32\msconfig.exe
PID 1212 wrote to memory of 2812 N/A N/A C:\Windows\system32\msconfig.exe
PID 1212 wrote to memory of 2812 N/A N/A C:\Windows\system32\msconfig.exe
PID 1212 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe
PID 1212 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe
PID 1212 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe
PID 1212 wrote to memory of 2884 N/A N/A C:\Windows\system32\mblctr.exe
PID 1212 wrote to memory of 2884 N/A N/A C:\Windows\system32\mblctr.exe
PID 1212 wrote to memory of 2884 N/A N/A C:\Windows\system32\mblctr.exe
PID 1212 wrote to memory of 592 N/A N/A C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe
PID 1212 wrote to memory of 592 N/A N/A C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe
PID 1212 wrote to memory of 592 N/A N/A C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe
PID 1212 wrote to memory of 2784 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1212 wrote to memory of 2784 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1212 wrote to memory of 2784 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1212 wrote to memory of 2940 N/A N/A C:\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe
PID 1212 wrote to memory of 2940 N/A N/A C:\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe
PID 1212 wrote to memory of 2940 N/A N/A C:\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\df0708fcf553fdf7b27a1591a96257db.dll

C:\Windows\system32\msconfig.exe

C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe

C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe

C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\5Thf1kxi\MFC42u.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe

MD5 cb557015032697289408d0eb7c85dba2
SHA1 1951fa5aa8e69165daa792b40d9ab0abf33afe34
SHA256 5253a4c6f0c186db473b0c3c81be6d4b8a7eb0da71eaf572b67ec8199b2eb46c
SHA512 5941d9d6085f6a337ede461326a229c842c9ebdcb376e74f821ce1322376681d8d275290b197761f9a961728ec4f8ceba4298b15397a4460ec2549130807bae3

\Users\Admin\AppData\Local\5Thf1kxi\MFC42u.dll

MD5 40dc107b24a9d73b3b34bb00ab9ad43a
SHA1 40d7f9fb1630f615449c1dc04d27fe0688fd1cd3
SHA256 36298f61cec6810d23b0acddaec5cf9d4116de9bee3585de886d20a04a0e18fb
SHA512 089ff96f86ba232dfba98d8f12dd68c8699faa5625d9313adde5baadafdc9ec015441e4ee57a4c9c35d184e960e33b195d3056a8a83dc3a93047e142c30aa9b8

\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe

MD5 028ea2065ba5e788bc41461da8093a74
SHA1 ddfe32b5cd7575d5c1cf2643a02950dcdc226f60
SHA256 88012febc84cae83b37865a7463fa9e3a055515a6df5004635bcac43ab02ce26
SHA512 671056a45ce67895f8f63678fa60f7a663a5e8ae73b1a92be8d2e74ca60fd51885366be9609c2d76b178f521e0cbef4320c486e05dececd2a10258315f5c6e07

C:\Users\Admin\AppData\Local\5Thf1kxi\msconfig.exe

MD5 92ed19f8f1ba819b7758a9ae0ea8ff40
SHA1 cc012031585c35ed054920460c171efd424f96f0
SHA256 b88d336ba69571de72f949f6d5b07836345eeff6dad077fd3ea8bc96bb3c6053
SHA512 3ef87db59e6418f4c140bc9f537adffc0eca19fd61b82e5ec8896a88870dcb8accf76ed357a2d75060fde7fbe45e8aef0b73b8535ef4e639fce3b7abc2124e03

\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe

MD5 13fd77c1bba8d8880e3791c9a3b4cdc6
SHA1 66f331f558c9c23e009599185d0947915d2e8187
SHA256 b4de5a043304d12a8a62fdd02fbbfc4f51537744309284811ef8392ad3ea1178
SHA512 8397990ed95b9e21039b10e8f76fc01334cfd12df81bff2fcdcd11b554302ffbe1da0f94830e895be4731b46b4067dcc052c3e8ab597bf069a0d9a72add3149d

C:\Users\Admin\AppData\Local\Q6vgZ9\dwmapi.dll

MD5 626cbb4f428f1f3f34e942d4ecd894fc
SHA1 c66280c4fd71f0b3026303f0883d8bfa0d87e2cf
SHA256 aa484e22a8de6109d08a9b13aa757d0de8e5585bf9782c73bed76f5c09210a56
SHA512 fdcb21efa81dad222feacf0f40a514fd0a1642cdd9950eb714c900afa5f9f7fd2483b836d89344d03721605755295e6eb47cdf2804e7892b318686eef63a67db

C:\Users\Admin\AppData\Local\Q6vgZ9\mblctr.exe

MD5 b7345aa83f5d30dc4f26945b08051a63
SHA1 1e61be248a98505b2007a91afcfa69aa856487df
SHA256 c6e27232e43bab71261f3bb36c8a4a51dfbb33ab068c2defc8e1e23bc6d19735
SHA512 76e6205f3a97e7a9981a42256bbd7596ce16018d7ce701b01ba29f46467de5105536cf96711a5b7a7918271bf29773a627016fcc803db12ed1b44c1c69ce3fcd

\Users\Admin\AppData\Local\Q6vgZ9\dwmapi.dll

MD5 b83b0bc79339d2332db64a9c9e6b7f04
SHA1 e73562899f217ead516289cfe169b813e0f8dab0
SHA256 6503a998aa1ae5343bd218615a8057a9be333b06f3a61660b16e697a2b058583
SHA512 b616986a0b74e8531a21c7b09c2a62528531d013a30c033a5df91362029687cd9b2828207ce0b4b4e1a88ec56a4669ca3590d90620d9e6f7dacf46d87af2818d

\Users\Admin\AppData\Local\pXBHn3G4e\OptionalFeatures.exe

MD5 23ff9b897f560c459f3a4203d8a6b957
SHA1 cbd7c34554aea09a8c70e88d6e5314a8b9c1e3c0
SHA256 f54f0da3968d734a123bdf5ddf042597bef765fb1ca148e4ad393d03fa2438b6
SHA512 44c7f62c8614206f8feed98562ee6eb38e70db54bf8ecdcaa4979c24901a51bb4291b4f793fd769029c4d24db87930df9e0114b7ecbf3abde9c5e9bfb11bf1e7

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

MD5 c9f457cbe2c1cac83ac310666dddc046
SHA1 f7e8fdf3b5516f148c07fc0eaa1312e04f8b372f
SHA256 27c1d175e58e74c490fba42b1f9553e0bf6a00dee0be718a56f6036af9ddb12b
SHA512 35394b244f5c59df299d0a266f4c04ea71756dc89ddcd1f7558ab15af769fc339812a804a52c424dae521461aad279231c147c0bef404de50ca07ab70de13632

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\QSHn3RCP\MFC42u.dll

MD5 505ea6da480b671b9120644f05f4d507
SHA1 4acf7ce35414eceb070aba66b7c8b462e967630f
SHA256 addb52970376323fa60010c1fb5ba8eb75fbbe749f0e873675d4bbeb453eba8c
SHA512 8402201099b61d10e385b257949aaee8eb8e2c7a4b0a1a61028248aa861a65796cc9eb16a4f076b665c239d9bf872ff439415452d3671ae808a5099231680ae7

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\UId\dwmapi.dll

MD5 db2a0c4f8b3b34a67c2b5d29cb4d146d
SHA1 8b39526cb57d8c5737983e917e326445a4dcf809
SHA256 45f6bd52669fa654ad9468150d62866407b986969476ff7b81677128e0cdb189
SHA512 ed0f393ac825a1ae3b35e9fbc9a705a9c25e2407f13ea41d0e45c3f2d9143390efaf536050efa17370ddbb22c2117bc58e23242323bc20ba3e7d36b473e2d75b

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\XmQkeku\appwiz.cpl

MD5 20f66e98be35c5986bf6a464a65388d6
SHA1 8f0fa737849b65cfb65fc237ef9194b02f24cec7
SHA256 24a0a70c87d531810640453ead68397ac639f67b83ddb1d2b8ad8d7462ad1146
SHA512 5a112e87bcbfeb9d66ecae41f4522a8dbef8bf56a75fd028160d095f9acf4ec1823deebcf29d9f124e15251cb0a704d93b5982d2bc0e877105f62b833251160d

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 15:44

Reported

2023-12-24 04:31

Platform

win10v2004-20231215-en

Max time kernel

107s

Max time network

152s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\df0708fcf553fdf7b27a1591a96257db.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\DnIua\\SESSIO~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BfR\rdpinit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oKit\sessionmsg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wDwAK7eTt\rdpclip.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3412 wrote to memory of 4588 N/A N/A C:\Windows\system32\rdpinit.exe
PID 3412 wrote to memory of 4588 N/A N/A C:\Windows\system32\rdpinit.exe
PID 3412 wrote to memory of 2976 N/A N/A C:\Users\Admin\AppData\Local\BfR\rdpinit.exe
PID 3412 wrote to memory of 2976 N/A N/A C:\Users\Admin\AppData\Local\BfR\rdpinit.exe
PID 3412 wrote to memory of 3404 N/A N/A C:\Windows\system32\sessionmsg.exe
PID 3412 wrote to memory of 3404 N/A N/A C:\Windows\system32\sessionmsg.exe
PID 3412 wrote to memory of 4576 N/A N/A C:\Users\Admin\AppData\Local\oKit\sessionmsg.exe
PID 3412 wrote to memory of 4576 N/A N/A C:\Users\Admin\AppData\Local\oKit\sessionmsg.exe
PID 3412 wrote to memory of 2096 N/A N/A C:\Windows\system32\rdpclip.exe
PID 3412 wrote to memory of 2096 N/A N/A C:\Windows\system32\rdpclip.exe
PID 3412 wrote to memory of 3552 N/A N/A C:\Users\Admin\AppData\Local\wDwAK7eTt\rdpclip.exe
PID 3412 wrote to memory of 3552 N/A N/A C:\Users\Admin\AppData\Local\wDwAK7eTt\rdpclip.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\df0708fcf553fdf7b27a1591a96257db.dll

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Users\Admin\AppData\Local\BfR\rdpinit.exe

C:\Users\Admin\AppData\Local\BfR\rdpinit.exe

C:\Windows\system32\sessionmsg.exe

C:\Windows\system32\sessionmsg.exe

C:\Users\Admin\AppData\Local\oKit\sessionmsg.exe

C:\Users\Admin\AppData\Local\oKit\sessionmsg.exe

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\rdpclip.exe

C:\Users\Admin\AppData\Local\wDwAK7eTt\rdpclip.exe

C:\Users\Admin\AppData\Local\wDwAK7eTt\rdpclip.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

MD5 9c5846b2ef41404ebe9bc92f7d44ec88
SHA1 81c091f00fc271ed09447203dbb076aa052f81aa
SHA256 9e46888e3cafde71a2844fddf7c1133641848ba53c664b1e35b78dcabfee6806
SHA512 f5f7490bd79753deb66becf21c037c1043b9fd73ee482e47f0e6cd68496d08727c5ca946176b22caae01798ee5f0585497e5c8ec99292a5b7dfd4c29e0f490ff

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\XX\WINSTA.dll

MD5 1dc4773c79706f31955fec51b6659738
SHA1 79ae74552b413b0d589b04dc4b96eb614bed2a54
SHA256 22bb5fd5c14406ee26c5165109d0ac94d546f38142f43b56139b61a2bc5cffc7
SHA512 7c25d5e4277662005ce8aa60f464ed3551cb92c087bb4e7462b171934dbc827f2323a7f426f6449fce6e740fefe5a2434753dddf5226605b1c1e31b679293f5c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DnIua\DUI70.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\dcsjF\WTSAPI32.dll

MD5 e57944510f4c8b095dfa0c68d8666e76
SHA1 3e2b9ce9b3e7989d71f27bc4983e56fc3394bf78
SHA256 a70bacb1497a441cfd9121608c2a312f93d3663374890934d8f321424ca83638
SHA512 fa2db2ff7c5caf78bf690fab72e8a17ec7a93760da86167364924952e68a1fc19222b7c4c430bb808ecee0a706423d82396629d48a2a661c43523d510e93e60a