Malware Analysis Report

2024-11-30 21:24

Sample ID 231222-sz8s9abhb4
Target da5e3cb85be5b54edb1e3b5ff9d733a2
SHA256 e441dc66366d37c4598e91b6779169dcbc71f386ca494b9d6c9d8137b45233f7
Tags
dridex botnet evasion payload persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

e441dc66366d37c4598e91b6779169dcbc71f386ca494b9d6c9d8137b45233f7

Threat Level: Known bad

The file da5e3cb85be5b54edb1e3b5ff9d733a2 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 15:34

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 15:34

Reported

2023-12-24 03:46

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\da5e3cb85be5b54edb1e3b5ff9d733a2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\oXYk8tF\tabcal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\gD4S\dpnsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\NO5MhWON\SystemPropertiesRemote.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\gL9Gr7N\\jX0qkGq\\dpnsvr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oXYk8tF\tabcal.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gD4S\dpnsvr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\NO5MhWON\SystemPropertiesRemote.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 3012 N/A N/A C:\Windows\system32\tabcal.exe
PID 1192 wrote to memory of 1668 N/A N/A C:\Users\Admin\AppData\Local\oXYk8tF\tabcal.exe
PID 1192 wrote to memory of 524 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1192 wrote to memory of 528 N/A N/A C:\Users\Admin\AppData\Local\gD4S\dpnsvr.exe
PID 1192 wrote to memory of 1664 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1192 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\NO5MhWON\SystemPropertiesRemote.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\da5e3cb85be5b54edb1e3b5ff9d733a2.dll,#1

C:\Windows\system32\tabcal.exe

C:\Users\Admin\AppData\Local\oXYk8tF\tabcal.exe

C:\Windows\system32\dpnsvr.exe

C:\Users\Admin\AppData\Local\gD4S\dpnsvr.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\NO5MhWON\SystemPropertiesRemote.exe

Network

N/A

Files

Dropped files:

C:\Users\Admin\AppData\Local\oXYk8tF\HID.DLL

C:\Users\Admin\AppData\Local\oXYk8tF\tabcal.exe

C:\Users\Admin\AppData\Local\gD4S\dpnsvr.exe

C:\Users\Admin\AppData\Local\gD4S\WINMM.dll

C:\Users\Admin\AppData\Local\NO5MhWON\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\NO5MhWON\SYSDM.CPL

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\gL9Gr7N\HID.DLL

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\ElHsIedO\SYSDM.CPL

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 15:34

Reported

2023-12-24 03:46

Platform

win10v2004-20231215-en

Max time kernel

71s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\da5e3cb85be5b54edb1e3b5ff9d733a2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\sd\\rstrui.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\noEX\eudcedit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\woR\rstrui.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WQwAmR\eudcedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3592 wrote to memory of 1672 N/A N/A C:\Windows\system32\eudcedit.exe
PID 3592 wrote to memory of 1448 N/A N/A C:\Users\Admin\AppData\Local\noEX\eudcedit.exe
PID 3592 wrote to memory of 680 N/A N/A C:\Windows\system32\rstrui.exe
PID 3592 wrote to memory of 4752 N/A N/A C:\Users\Admin\AppData\Local\woR\rstrui.exe
PID 3592 wrote to memory of 2880 N/A N/A C:\Windows\system32\eudcedit.exe
PID 3592 wrote to memory of 4900 N/A N/A C:\Users\Admin\AppData\Local\WQwAmR\eudcedit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\da5e3cb85be5b54edb1e3b5ff9d733a2.dll,#1

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\noEX\eudcedit.exe

C:\Windows\system32\rstrui.exe

C:\Users\Admin\AppData\Local\woR\rstrui.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\WQwAmR\eudcedit.exe

Network


Files

Dropped files:

C:\Users\Admin\AppData\Local\noEX\eudcedit.exe

C:\Users\Admin\AppData\Local\woR\rstrui.exe

C:\Users\Admin\AppData\Local\woR\SRCORE.dll

C:\Users\Admin\AppData\Local\WQwAmR\MFC42u.dll

C:\Users\Admin\AppData\Local\WQwAmR\eudcedit.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Vault\O0xma7cm\MFC42u.dll

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\sd\SRCORE.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\O45n\MFC42u.dll