Malware Analysis Report

2024-11-30 21:24

Sample ID 231222-smdscaacg3
Target d5124b4f11f73e615ab6573dc5bb02cf
SHA256 9b64a70112f7e8f285ac2c020036d4fa5d3cc529daf0fbbfefab39630ec50a2b
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b64a70112f7e8f285ac2c020036d4fa5d3cc529daf0fbbfefab39630ec50a2b

Threat Level: Known bad

The file d5124b4f11f73e615ab6573dc5bb02cf was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 15:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 15:14

Reported

2023-12-24 02:58

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d5124b4f11f73e615ab6573dc5bb02cf.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\2yB3kZj\\dvdupgrd.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1296 wrote to memory of 2396 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 1296 wrote to memory of 2396 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 1296 wrote to memory of 2396 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 1296 wrote to memory of 1720 N/A N/A C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe
PID 1296 wrote to memory of 1720 N/A N/A C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe
PID 1296 wrote to memory of 1720 N/A N/A C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe
PID 1296 wrote to memory of 2760 N/A N/A C:\Windows\system32\dvdupgrd.exe
PID 1296 wrote to memory of 2760 N/A N/A C:\Windows\system32\dvdupgrd.exe
PID 1296 wrote to memory of 2760 N/A N/A C:\Windows\system32\dvdupgrd.exe
PID 1296 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe
PID 1296 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe
PID 1296 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe
PID 1296 wrote to memory of 1772 N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 1296 wrote to memory of 1772 N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 1296 wrote to memory of 1772 N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 1296 wrote to memory of 1768 N/A N/A C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe
PID 1296 wrote to memory of 1768 N/A N/A C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe
PID 1296 wrote to memory of 1768 N/A N/A C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d5124b4f11f73e615ab6573dc5bb02cf.dll

C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe

C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe

C:\Windows\system32\Dxpserver.exe

C:\Windows\system32\Dxpserver.exe

C:\Windows\system32\dvdupgrd.exe

C:\Windows\system32\dvdupgrd.exe

C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe

C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe

C:\Windows\system32\BitLockerWizard.exe

C:\Windows\system32\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe

Network

N/A

Files

memory/2892-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/2892-1-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-4-0x00000000777C6000-0x00000000777C7000-memory.dmp

memory/1296-5-0x0000000002950000-0x0000000002951000-memory.dmp

memory/1296-11-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-12-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-10-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-9-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/2892-8-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-7-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-14-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-15-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-13-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-19-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-20-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-22-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-21-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-18-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-17-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-16-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-24-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-23-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-25-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-26-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-27-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-30-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-29-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-28-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-32-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-33-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-34-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-31-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-35-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-36-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-38-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-40-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-39-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-41-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-37-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-42-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-43-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-44-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-45-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-46-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-47-0x0000000002930000-0x0000000002937000-memory.dmp

memory/1296-48-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-55-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-57-0x0000000077B30000-0x0000000077B32000-memory.dmp

memory/1296-56-0x00000000779D1000-0x00000000779D2000-memory.dmp

memory/1296-66-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-71-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1296-72-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\Users\Admin\AppData\Local\23W8pEv0d\dwmapi.dll

MD5 25ac540676b8725738d2ec816c3fa5a0
SHA1 dae4883c054655e5120f022c683955415e4ba26f
SHA256 5774b6490f9270233f77b27d7e1e76b8edd3f04a9d88c8ff70d89278a9045bb8
SHA512 800d5e19136e2598ab3f90d75e54e91d3e838ddb1909464575681e4030fc1a9163a3abd0f35e057f5488f991e74202dd43b059e1942333665f2dc55147cf12fb

\Users\Admin\AppData\Local\23W8pEv0d\dwmapi.dll

MD5 5f1f6b7685c47f28f195aaab4945f49a
SHA1 090e977f9122c6dfc3ba7691140e58d406c38183
SHA256 4705b824e6b5712b915d48a9a56b566da8d56fbf035736496cc0eb045d5da483
SHA512 92f153fd7dc02978813f8495301353ba2ac8c2a8c5147cf9d6911566a632543090fd1d8030cbe2ea44fe37d1aa9a6fc5d932fdc440f34f3ec6f6ad2cda3599e4

memory/1720-84-0x00000000000F0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe

MD5 426b0fb43500a70d8260e125bf9a7d6c
SHA1 baf92e8e83510ca718713461d0071bd66e118b07
SHA256 c7099f6c26c5e8a08af48451c103312e10e38bf05138c2f19fc82bcd7ce71901
SHA512 8850059611c415edd63b7342e2cd5c9c2a235636654e927f522f2d5a0528cfa10e64d92807f464ea6c83d94c5f1a9956a60e1f7583fc98aeef330d05c27f36a5

\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe

MD5 4d38389fb92e43c77a524fd96dbafd21
SHA1 08014e52f6894cad4f1d1e6fc1a703732e9acd19
SHA256 070bc95c486c15d2edc3548ba416dc9565ead401cb03a0472f719fb55ac94e73
SHA512 02d8d130cff2b8de15139d309e1cd74a2148bb786fd749e5f22775d45e193b0f75adf40274375cabce33576480ff20456f25172d29a034cd134b8084d40a67ba

memory/1296-75-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\Users\Admin\AppData\Local\23W8pEv0d\Dxpserver.exe

MD5 b2b90d4bae34d66b93f5ae8bc827d365
SHA1 171e1f36a3bf11a52256658373b96f92b866765b
SHA256 0ac538393b0db5fdf98630af57ed5cbd970f2645768a9a9e01b65ca62d27453d
SHA512 4805a815d537772a15fb4616cb145f1eaea7ec2f0cb8f7f3e64cc47a24511bdae10e29406d21b36126ba0ca90f08c1c4e4cd70f185a795b46c2966d2840f43dc

C:\Users\Admin\AppData\Local\cO4z\VERSION.dll

MD5 a042e35cc4686adc0ea3a97f10b73b31
SHA1 af5a86e2fe561100a6dfa021482b17e99f7a12f9
SHA256 32a55a992705fadf2619e094ec654a4e1f1de037dbd4ee3fdfab2f9eaab74890
SHA512 d203bc6cd1062277df375faa92f1846d15d31ed6b9d56f4e5f1cb7069466691a73324617fe2461412a5b87fef80b353fb6b8a89decc7a076028f576af3e8c69b

\Users\Admin\AppData\Local\cO4z\VERSION.dll

MD5 9bc1a90180d3db43f2560b2393df03a6
SHA1 fc26125acfa598979d42c9b51304107423903e83
SHA256 17ed74bbe143f69de2d042c2a239cae89733608d4beca467f5cd65610267028e
SHA512 9e1d89acd15de106129477d64150ff583de28c1434caf77a3f14b530ac169bb05c49ad02911eeb78bd823403967e6ce7e537990316a664b0984ce3cf32012039

C:\Users\Admin\AppData\Local\cO4z\dvdupgrd.exe

MD5 75a9b4172eac01d9648c6d2133af952f
SHA1 63c7e1af762d2b584e9cc841e8b0100f2a482b81
SHA256 18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736
SHA512 5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe

MD5 08a761595ad21d152db2417d6fdb239a
SHA1 d84c1bc2e8c9afce9fb79916df9bca169f93a936
SHA256 ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
SHA512 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

\Users\Admin\AppData\Local\G6zUAd\FVEWIZ.dll

MD5 9153724d22ed91c487eb4fd2de22dfd5
SHA1 8b6c50d603676352db208a2e0b2d581e450fe3d4
SHA256 de2822595b29f813e06e2a4e9aae300c9a476211a3a26e22a288e4ab6c0e4e1c
SHA512 8d6bbb007f45dd3ffcf3254096255a603596a3aaf5b694b0223b4a182f7f61f33e6efa5cbca9ec642ea64e01c792bcf1db1ff60e7c2fda60c10de2d4005554a1

C:\Users\Admin\AppData\Local\G6zUAd\FVEWIZ.dll

MD5 a9eaedc4895d58e66199d7d3461b6209
SHA1 7d635d5b75bed7abfdf5ed54cb57f68c977e4c54
SHA256 ee69ccf0a7d3c43d103f54919e8cd098dbcc6e889744f0a5e2298217795230c5
SHA512 2ab4117e37103287fbed7ee58f86a3c5e537695a8ec59aae034147eed27d28eeb794605fde9d31848d8181b3b7e747db3994d2286cd037b11738b202ca97b358

C:\Users\Admin\AppData\Local\G6zUAd\BitLockerWizard.exe

MD5 1e10dd1d9e5d049b1b031d750c01d62c
SHA1 c0abaf35d883b10305cf5f4c6ee45160c33f460b
SHA256 4ca18c78dd9fb03ee3569ad6943aa8e4c421c330f70412d0c8396a822d8623cc
SHA512 d9a50f95605001669a7e24aafdcad2483a81e09099afa7aa629e83b1e2ec35ba2d38435f77e4199b8855ce3efd148b9b9481a826ddc6eb18f65048d1cbfb5de4

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

MD5 27eb2c175b21f439a1342e8b6723ff6c
SHA1 a226a5d631e2e7fab2ddb77d43a3ca7ea272ae33
SHA256 6251b1f13936005111a5fb2a3f9c79d666295619a4f83c72df041cb1e28e4463
SHA512 906eb981cd97698f6b782f375e9da0d2d81ef5dc806551b090e9f3bcde1a2a48e326ca845c36936b888e5d8d7e0c72a5d6412c82ff33b934304682fa61f39581

memory/1296-143-0x00000000777C6000-0x00000000777C7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\KQGmUSXkiA\dwmapi.dll

MD5 4397de773759859c95f80e8d25d2b3cc
SHA1 59f742995abbf7f27a4cb516e8dc9313ed6fa587
SHA256 da2a9d149952b2a2d3c79d2a4f7ba3003c50ec56224b7bdc980f9614b000c136
SHA512 b7725478a8e992ff6b32ab8e2cdf4218e7e0325bad0477b5cbe768abfdc68d8829009f18b3b6d095ade12a2b6fdc2c793503e3abd547917ce9c39ae2d5dcf226

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\2yB3kZj\VERSION.dll

MD5 649926126233964cafde5f3afca42a67
SHA1 1db6fd459354aec8a44382bfec2ecd58f82ec8d7
SHA256 7708a063f9aa86ca02cd98bd9e3da7a81a91cd0483852a9d190ca66595323b3b
SHA512 e3b7a20ab8eb915beae5415eb5a3d7570d8197a3b92840fe72a69924c8a2e96a02b9e402a34d2f26060e7f1c57e9d3c56f0391d9a7724389be2208d8c78f2420

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-452311807-3713411997-1028535425-1000\rnc\FVEWIZ.dll

MD5 e062cafbddee4f91b0b6cb16a1f1f3e3
SHA1 a238a0063b4740c65ee2b9f3fe77233b8342dde9
SHA256 f464f8bd7a6cb24ca5b46242414ab34e824159990f5a41c5613151c71dc6c80e
SHA512 ba603954963df7d05983ad1cf735598d42699c8dccfcec6ffff337fb30cc239aa11614eab6f84bb3c51520310cc45bf31fde46fa2e17da1dc5282aa7987f331d

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 15:14

Reported

2023-12-24 02:58

Platform

win10v2004-20231215-en

Max time kernel

132s

Max time network

170s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d5124b4f11f73e615ab6573dc5bb02cf.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\nHb5\\wusa.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6Hc\ProximityUxHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\S7gSC6\wusa.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\n7k6haF\wbengine.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3540 wrote to memory of 3580 N/A N/A C:\Windows\system32\ProximityUxHost.exe
PID 3540 wrote to memory of 3580 N/A N/A C:\Windows\system32\ProximityUxHost.exe
PID 3540 wrote to memory of 696 N/A N/A C:\Users\Admin\AppData\Local\6Hc\ProximityUxHost.exe
PID 3540 wrote to memory of 696 N/A N/A C:\Users\Admin\AppData\Local\6Hc\ProximityUxHost.exe
PID 3540 wrote to memory of 2500 N/A N/A C:\Windows\system32\wusa.exe
PID 3540 wrote to memory of 2500 N/A N/A C:\Windows\system32\wusa.exe
PID 3540 wrote to memory of 4880 N/A N/A C:\Users\Admin\AppData\Local\S7gSC6\wusa.exe
PID 3540 wrote to memory of 4880 N/A N/A C:\Users\Admin\AppData\Local\S7gSC6\wusa.exe
PID 3540 wrote to memory of 3516 N/A N/A C:\Windows\system32\wbengine.exe
PID 3540 wrote to memory of 3516 N/A N/A C:\Windows\system32\wbengine.exe
PID 3540 wrote to memory of 412 N/A N/A C:\Users\Admin\AppData\Local\n7k6haF\wbengine.exe
PID 3540 wrote to memory of 412 N/A N/A C:\Users\Admin\AppData\Local\n7k6haF\wbengine.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d5124b4f11f73e615ab6573dc5bb02cf.dll

C:\Windows\system32\ProximityUxHost.exe

C:\Windows\system32\ProximityUxHost.exe

C:\Users\Admin\AppData\Local\6Hc\ProximityUxHost.exe

C:\Users\Admin\AppData\Local\6Hc\ProximityUxHost.exe

C:\Windows\system32\wusa.exe

C:\Windows\system32\wusa.exe

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\n7k6haF\wbengine.exe

C:\Users\Admin\AppData\Local\n7k6haF\wbengine.exe

C:\Users\Admin\AppData\Local\S7gSC6\wusa.exe

C:\Users\Admin\AppData\Local\S7gSC6\wusa.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.16.110.114:80 tcp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp

Files

memory/1092-1-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1092-0-0x0000000000B00000-0x0000000000B07000-memory.dmp

memory/3540-4-0x0000000002050000-0x0000000002051000-memory.dmp

memory/3540-6-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/1092-7-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-9-0x00007FFD0F4DA000-0x00007FFD0F4DB000-memory.dmp

memory/3540-10-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-8-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-14-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-19-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-23-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-24-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-25-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-27-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-28-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-29-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-31-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-34-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-35-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-36-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-39-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-43-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-46-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-48-0x0000000001FF0000-0x0000000001FF7000-memory.dmp

memory/3540-47-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-45-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-55-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-56-0x00007FFD10760000-0x00007FFD10770000-memory.dmp

memory/3540-44-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-67-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-65-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/696-77-0x0000000140000000-0x00000001401EF000-memory.dmp

memory/696-82-0x0000000140000000-0x00000001401EF000-memory.dmp

memory/696-76-0x0000022049460000-0x0000022049467000-memory.dmp

memory/3540-42-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-41-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-40-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/4880-94-0x0000012753A20000-0x0000012753A27000-memory.dmp

memory/4880-93-0x0000000140000000-0x00000001401EE000-memory.dmp

memory/412-111-0x0000024E2DB00000-0x0000024E2DB07000-memory.dmp

memory/3540-38-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-37-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-33-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-32-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-30-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-26-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-22-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-21-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-20-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-18-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-17-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-16-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-15-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-13-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-12-0x0000000140000000-0x00000001401ED000-memory.dmp

memory/3540-11-0x0000000140000000-0x00000001401ED000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

MD5 652fcdef80b39a9d1cd509a1cb00bb20
SHA1 40e67d0f558c19b01c0679c1d46cc54dc8fbd324
SHA256 4c60f836a04256ef9a80ee937f06389779ff9bca785a72afd658b28598456110
SHA512 309aa692df7224e71861be8b3d0005c9577f116de3a1cba1947788d2f7bcd0ccbf13dcf71968261bdc6902e02702047c45c8401aff6ecd6f8a1786e8c6482508

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\X5\WINMM.dll

MD5 a660813d06e7e2292c96fc9bb13e8959
SHA1 3bf5c0a56c40192dc6d776a95dc9c5e883cd6d10
SHA256 c5e9408408dd2e67113824e2615eaf92365502be73867d20fd1747cd4ea3aa5a
SHA512 161cd0eb8877c2a65f4f3eaa5a05b8ff2685febf2d64325ce13e9d071d7dfab2aae69897a45bb3baf354912b2a5490ef7a27b27b4426d0fd22d1f3403897813f

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\nHb5\dpx.dll

MD5 b6a93ec51b0536a7566dca777213709d
SHA1 3af4759225446c9061a551633929fbda86a62b14
SHA256 1c5e9fa19f7f55c6960dca8a1890c712931b7c52492ed33057f76477ed69fc1e
SHA512 146229aa4a190868dd18c1f829de6e6d4dca18b6801b0ff3b7a8761175ee38c96405810b87dc0faaa7af7b624aa38c97274a643edce8570ed814c9adff618ba1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\tz4p\SPP.dll

MD5 4f2fb7eb689f8c15ead53f9454586c97
SHA1 b9994397f9d6ad3bc9b3d6925c2c82149e8220fb
SHA256 253a7336f0641bd938211640b2a4c997a9fb45ba05803239e563ee7a35164046
SHA512 fca80f9fad9da9f0828d14e543da1d597b4f90429dcf6927015e6add97dee7635adc010978946bf3001a2580af83f1bbeedb560ee93634e3279964480ee69b56