Malware Analysis Report

2024-11-30 21:24

Sample ID: 231222-t22y6abbg6
Target (submitted file name): f334c05455a23f89ee06fb59f1b9f77f
SHA256: 0692471fb02d58c1e50832d9f74be4e0a1155b1de0d434d5c4d38f644abe1d79
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 0692471fb02d58c1e50832d9f74be4e0a1155b1de0d434d5c4d38f644abe1d79
Threat Level: Known bad

The file f334c05455a23f89ee06fb59f1b9f77f (a DLL, invoked in both behavioral runs through rundll32.exe with export ordinal #1) was found to be: Known bad.

What the two detonations show, read together: the DLL is a Dridex loader. It first runs inside rundll32 and then inside a second process that does not appear in the process list (PID 1380 on Windows 7, PID 3452 on Windows 10; see the WriteProcessMemory and Files sections). From there it places copies of Windows executables into freshly created, randomly named directories under %LOCALAPPDATA% (SnippingTool.exe, BitLockerWizard.exe, sigverif.exe and dvdupgrd.exe on Windows 7; dccw.exe, dwm.exe and perfmon.exe on Windows 10) and drops beside each copy a DLL named after a library that binary imports (OLEACC.dll, FVEWIZ.dll, VERSION.dll, mscms.dll, dxgi.dll, credui.dll). When the copy is launched, the Windows loader resolves that import from the application directory before System32, so the planted DLL runs inside a process whose main image is a genuine Microsoft binary: DLL search-order hijacking, or side-loading. The sandbox confirms the load ("Loads dropped DLL" fires in each copied executable). To confirm the executables really are unmodified system files, compare the EXE hashes under Files against the System32 originals of the detonation image; the report does not do that comparison.

Persistence is set in three ways: an HKCU Run value, a .lnk in the user's Startup folder, and a Task Scheduler COM API call tagged persistence (no task name was captured). Both the Run value and the .lnk point into further decoy directories under %APPDATA%. No command-and-control traffic was captured in either run (see the Network sections), so the usable indicators from this report are host-based: the directory/executable/DLL triples, the Run-key values and the Startup .lnk files listed under Files.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, persistence, trojan

Signatures hit (details in the per-run sections):

Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API

MITRE ATT&CK

Enterprise Matrix V15. The matrix itself is not reproduced on this page; the technique IDs below are a mapping of the signatures listed above to ATT&CK v15, added here and not part of the sandbox output.

T1218.011 System Binary Proxy Execution: Rundll32 (the sample is run as rundll32.exe <dll>,#1)
T1574.002 Hijack Execution Flow: DLL Side-Loading (Loads dropped DLL, Executes dropped EXE)
T1055 Process Injection (Suspicious use of WriteProcessMemory into the decoy processes; Dridex Shellcode)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Adds Run key to start application; the Startup .lnk files under Files)
T1053.005 Scheduled Task/Job: Scheduled Task (Uses Task Scheduler COM API)
T1057 Process Discovery (Suspicious behavior: EnumeratesProcesses)
T1082 System Information Discovery (Checks whether UAC is enabled: EnableLUA is only read; no UAC bypass attempt is recorded in either run)
T1134 Access Token Manipulation (Suspicious use of AdjustPrivilegeToken)

Analysis: static1

Detonation Overview

Reported: 2023-12-22 16:34

Signatures

Unsigned PE: the submitted DLL carries no Authenticode signature. No further indicator details were recorded for the static pass.

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-22 16:34
Reported: 2023-12-24 07:12
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f334c05455a23f89ee06fb59f1b9f77f.dll,#1

rundll32 loads the DLL and calls the export with ordinal 1; the entry point is referenced by ordinal, not by name.

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload): no indicator details recorded.

Loads dropped DLL

Recorded in four processes, each a copy of a Windows binary running from a randomly named directory under %LOCALAPPDATA%. The DLL dropped into the same directory (see Files) is given in parentheses:

C:\Users\Admin\AppData\Local\cLsFocb\SnippingTool.exe (OLEACC.dll)
C:\Users\Admin\AppData\Local\QMJ53\BitLockerWizard.exe (FVEWIZ.dll)
C:\Users\Admin\AppData\Local\cQIVF7e\sigverif.exe (VERSION.dll)
C:\Users\Admin\AppData\Local\PggLtF\dvdupgrd.exe (VERSION.dll)

Five further rows of this signature carry no process or indicator details.

Adds Run key to start application (persistence)

Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\uOz\\sigverif.exe"

The value is written under HKCU (the SID is the sandbox user's), with a random value name, and its target is spelled with 8.3 short names. MICROS~1\INTERN~1\QUICKL~1\USERPI~1\IMPLIC~1 is consistent with Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts under %APPDATA% (an inference from the short names; confirm on a live system with GetLongPathName). The short form defeats naive string matching on the long path, so hunt rules should key on the file name (a Windows binary name such as sigverif.exe outside System32) or on ~n path components rather than on the expanded directory. The target is a third sigverif.exe copy, distinct from the one under %LOCALAPPDATA%\cQIVF7e; its hash was not recorded in this run.

Checks whether UAC is enabled (evasion, trojan)

Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by each of:

C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\cLsFocb\SnippingTool.exe
C:\Users\Admin\AppData\Local\QMJ53\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\cQIVF7e\sigverif.exe
C:\Users\Admin\AppData\Local\PggLtF\dvdupgrd.exe

The same query from every process that hosts the payload is itself useful: the side-loaded DLL runs identical code in each decoy, so the EnableLUA read is a reliable per-process marker. Only a read is recorded; the value is not modified.

Suspicious behavior: EnumeratesProcesses

64 hits: three attributed to C:\Windows\system32\rundll32.exe, the remaining 61 without process attribution in the report.

Suspicious use of WriteProcessMemory

All writes originate from PID 1380, three per target, into the eight decoy processes, in the recorded order:

PID 1380 wrote to memory of 2908 C:\Windows\system32\SnippingTool.exe
PID 1380 wrote to memory of 2924 C:\Users\Admin\AppData\Local\cLsFocb\SnippingTool.exe
PID 1380 wrote to memory of 2964 C:\Windows\system32\BitLockerWizard.exe
PID 1380 wrote to memory of 1956 C:\Users\Admin\AppData\Local\QMJ53\BitLockerWizard.exe
PID 1380 wrote to memory of 916 C:\Windows\system32\sigverif.exe
PID 1380 wrote to memory of 928 C:\Users\Admin\AppData\Local\cQIVF7e\sigverif.exe
PID 1380 wrote to memory of 2156 C:\Windows\system32\dvdupgrd.exe
PID 1380 wrote to memory of 1952 C:\Users\Admin\AppData\Local\PggLtF\dvdupgrd.exe

The pattern repeats for every decoy: the genuine System32 binary is started and written to first, then the copy that sits beside the planted DLL. PID 1380 is not the rundll32 process started by the command line: the first dumps of the 0x140000000-0x14037E000 image come from PID 2424, and the same image is later dumped dozens of times from PID 1380 (see Files). The payload was therefore mapped into a second process, absent from the process list, and that process does the spawning and the writing.

Uses Task Scheduler COM API (persistence)

No task name, trigger or action was captured. When triaging a host, treat any scheduled task created around the time of infection, especially one whose action is a Windows binary name under a user profile path, as part of this sample's persistence.

Processes

Each decoy was launched with no arguments (its command line is just the image path):

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f334c05455a23f89ee06fb59f1b9f77f.dll,#1
C:\Windows\system32\SnippingTool.exe
C:\Users\Admin\AppData\Local\cLsFocb\SnippingTool.exe
C:\Windows\system32\BitLockerWizard.exe
C:\Users\Admin\AppData\Local\QMJ53\BitLockerWizard.exe
C:\Windows\system32\sigverif.exe
C:\Users\Admin\AppData\Local\cQIVF7e\sigverif.exe
C:\Windows\system32\dvdupgrd.exe
C:\Users\Admin\AppData\Local\PggLtF\dvdupgrd.exe

Network

No network traffic was recorded in this run (Windows 7 image), so it yields no network indicators.

Files

Memory dumps are listed as memory/<pid>-<index>-<start>-<end>; dropped files with their hashes, in the order recorded. Two region sizes recur. The 0x37E000-byte image at 0x140000000 (the default image base for 64-bit PE files) is the unpacked payload, dumped first from the rundll32 process (PID 2424) and then repeatedly from PID 1380. Private regions of exactly 0x7000 bytes (28 KiB) appear in PID 2424, in PID 1380 and in each decoy (PIDs 2924, 1956, 928, 1952); their size and placement are consistent with the injected stub that the Dridex Shellcode signature keys on, an inference from the dump sizes rather than a statement in the sandbox output.

memory/2424-0-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2424-1-0x0000000140000000-0x000000014037E000-memory.dmp

memory/1380-4-0x0000000077296000-0x0000000077297000-memory.dmp

memory/1380-5-0x0000000002650000-0x0000000002651000-memory.dmp

memory/2424-8-0x0000000140000000-0x000000014037E000-memory.dmp

memory/1380-7 and memory/1380-9 through memory/1380-65 (58 dumps): 0x0000000140000000-0x000000014037E000-memory.dmp, the same payload image first seen in PID 2424 (memory/2424-1, memory/2424-8)

memory/1380-66-0x0000000002250000-0x0000000002257000-memory.dmp

memory/1380-74-0x00000000774A1000-0x00000000774A2000-memory.dmp

memory/1380-75-0x0000000077600000-0x0000000077602000-memory.dmp

\Users\Admin\AppData\Local\cLsFocb\SnippingTool.exe

MD5 7633f554eeafde7f144b41c2fcaf5f63
SHA1 44497c3d6fada0066598a6170b90c53e28ddf96c
SHA256 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
SHA512 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

C:\Users\Admin\AppData\Local\cLsFocb\OLEACC.dll

MD5 98a0e73843d805b792047f376a59c7af
SHA1 c5796f255c566626c2d224795eb7141ae505cade
SHA256 7ddc75fec7449869b55a16f2e2b97f273969b5e2a10725200e05b989c181d7e7
SHA512 cd2e515544c37c15eacd3d61f3d4b8a75dcade984e37728d07832c4323d7bde6f6e425de7bb55b83aea8a058dfef78975d837bc697fbbc8038a69b117579d7f2

memory/1380-101-0x0000000077296000-0x0000000077297000-memory.dmp

memory/2924-103-0x0000000000280000-0x0000000000287000-memory.dmp

\Users\Admin\AppData\Local\QMJ53\BitLockerWizard.exe

MD5 08a761595ad21d152db2417d6fdb239a
SHA1 d84c1bc2e8c9afce9fb79916df9bca169f93a936
SHA256 ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
SHA512 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

C:\Users\Admin\AppData\Local\QMJ53\FVEWIZ.dll

MD5 65359269f67fb316fe9484ce959d93f0
SHA1 f8f173bd9a205f69321ea4029cc680488f193cde
SHA256 2b909ad13b0bbcda99df41e89c1a6ddce52d5b5d07812a32d22fed0cb79b4d20
SHA512 2fa7ca59eee70c98baeec75a85a75810e4362638beb4f9ce63b26d5f9f5948dde4fe9ca536ffd9220af8c59070716e01b1ed1097c9bf41f78e5ba4570d6ac1db

memory/1956-117-0x0000000000100000-0x0000000000107000-memory.dmp

\Users\Admin\AppData\Local\cQIVF7e\sigverif.exe

MD5 e8e95ae5534553fc055051cee99a7f55
SHA1 4e0f668849fd546edd083d5981ed685d02a68df4
SHA256 9e107fd99892d08b15c223ac17c49af75a4cbca41b5e939bb91c9dca9f0d0bec
SHA512 5d3c32d136a264b6d2cfba4602e4d8f75e55ba0e199e0e81d7a515c34d8b9237db29647c10ab79081173010ff8e2c6a59b652c0a9cfa796433aed2d200f02da6

C:\Users\Admin\AppData\Local\cQIVF7e\VERSION.dll

MD5 f43ff900da2ce28117d76e11440d3df0
SHA1 b367e84a2b2b157e9b7d8caa55f28f26dd8129c7
SHA256 e0bde37571c8cd9ce746abd8a3ae82d779f335ca1ae3f1b41c9427574b501fcc
SHA512 28c6b77372ad04bdba9ad51ef2b8ad8c6d7911f2f248e1a1c4152d7cdde5c196aa54894c95dcaedae5e0aa0b8cb55f8354de4fab0c154ec05d28a391d6c89edd

memory/928-135-0x0000000000320000-0x0000000000327000-memory.dmp

\Users\Admin\AppData\Local\PggLtF\dvdupgrd.exe

MD5 75a9b4172eac01d9648c6d2133af952f
SHA1 63c7e1af762d2b584e9cc841e8b0100f2a482b81
SHA256 18f9f520c7157023b0e7dfe7433a63c4dedd47b04d24aac4038b795893050736
SHA512 5a7a2c7f184efd9c84256a1a0a5e7aeb95432d63a567196be54e7a9437a5ada9b922983c5fc0cafb16eab4493665d8e56e2f646f9f6a2d6179986925ffcdf769

C:\Users\Admin\AppData\Local\PggLtF\VERSION.dll

MD5 6bdba44719d3a934ebff5a49d04d6347
SHA1 b3f29162adaa8eef2617bc4052811523b0c1827e
SHA256 8dffb790ce89316311fc9e641e5e22c9007d897c7e6be67fb83c873de7187cd0
SHA512 0dcf943f35f988acda9675b9678693f304bd328f3699de3734cb9359d8cff34d94b3ea51c090828e313a66ea16903a36945fef2b67f56982dfd0c76337326841

memory/1952-153-0x0000000001B40000-0x0000000001B47000-memory.dmp

\Users\Admin\AppData\Local\PggLtF\VERSION.dll

MD5 aaaebd5837f2d85091c81431c9bbabe8
SHA1 508b5b793f71cacd6924968fc65f270c59d5119f
SHA256 18b029ec15649417b76ae923b40dca7e21a02ad2bb28b4ce7a6332596574b2e4
SHA512 3e2e96889f530d6b1515b9d50e079a8dd2b280b1b1e1c5036e706f2597f7a30a45002c230a5a9c38bd15a0caa18b35acd02247ed631ccd1f2942834ce05bb25a

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 d154c9b0d95c903fe7fe0299b2cd8bb2
SHA1 aeb7f4642fefcad87f18b82587c3f7e0209f113a
SHA256 bf66068f324347f8e61c489c4680269a9ad2cfea418521f88d1181aa170beeaa
SHA512 d650d105deb1ba3cfc604c02dc693f57c007f0c87ef9385333c8b08588fdfd0f7e4dc2e323eb0ddf8aa67e941c6048ae7f47d9d67f410395f38a610e081fe1eb

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-22 16:34
Reported: 2023-12-24 07:12
Platform: win10v2004-20231222-en
Max time kernel: 106s
Max time network: 150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f334c05455a23f89ee06fb59f1b9f77f.dll,#1

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload): no indicator details recorded.

Adds Run key to start application (persistence)

Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3803511929-1339359695-2191195476-1000\\FXVmo\\dwm.exe"

On Windows 10 the decoy is dwm.exe and the target directory is a random subdirectory of %APPDATA%\Microsoft\Crypto\RSA\<SID>, a folder that legitimately holds the user's CAPI key containers and is rarely inspected; the copy and its dxgi.dll companion are listed under Files. Value name and directory name are random per run, so detections should key on the pattern (an HKCU Run value whose target is a Windows binary name outside System32) rather than on these strings.
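The two Run-key indicator lines (the Windows 7 one with 8.3 short names, this Windows 10 one with a long path) are the kind of thing an analyst copies out of a report by hand. The parser below is added example code for this page, not the sandbox vendor's: it takes the report's "Set value" line format, unescapes the doubled backslashes, extracts hive SID, value name and target, and flags the traits that make these two entries suspicious. The first two input lines are copied from the behavioral1 and behavioral2 runs; the third is a constructed benign control, and SYSTEM_BINARY_NAMES is an assumed subset of real Windows binary names.

```python
"""Parse 'Set value' Run-key lines from this report and triage the targets.

Added example for this report page; not the sandbox vendor's code.
"""
import re
from pathlib import PureWindowsPath

RUN_LINE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\[^=]*?)\\(?P<name>[^\\=]+) = "(?P<data>.*)"$'
)
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")
SHORT_83 = re.compile(r"~\d+$")                 # MICROS~1, STARTM~1, ...

# Assumed subset of Windows binary names (not a full inventory).
SYSTEM_BINARY_NAMES = {"sigverif.exe", "dwm.exe", "snippingtool.exe",
                       "bitlockerwizard.exe", "dvdupgrd.exe", "dccw.exe", "perfmon.exe"}

REPORT_LINES = [
    # behavioral1 (Windows 7), copied from the report
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\uOz\\sigverif.exe"',
    # behavioral2 (Windows 10), copied from the report
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3803511929-1339359695-2191195476-1000\\FXVmo\\dwm.exe"',
    # constructed benign control, not from the report
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"',
]


def parse_run_value(line):
    """Return a dict describing one 'Set value' line, or None if it is not one."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    key = m["key"]
    data = m["data"].replace("\\\\", "\\")       # the report doubles backslashes inside quotes
    target = PureWindowsPath(data)
    sid = SID_RE.search(key)                      # the hive SID, not one inside the data
    return {
        "hive_sid": sid.group(0) if sid else None,
        "key": key,
        "value_name": m["name"],
        "target": str(target),
        "is_run_key": key.lower().rsplit("\\", 1)[-1] in ("run", "runonce"),
        "short_name_parts": [p for p in target.parts if SHORT_83.search(p)],
        "in_user_profile": len(target.parts) > 1 and target.parts[1].lower() == "users",
        "shadows_system_binary": target.name.lower() in SYSTEM_BINARY_NAMES,
    }


def reasons(rec):
    """Human-readable list of why the entry deserves attention."""
    out = []
    if rec["is_run_key"]:
        out.append("autorun via Run key")
    if rec["in_user_profile"]:
        out.append("target lives in a user-writable profile path")
    if rec["shadows_system_binary"]:
        out.append("target is named like the Windows binary " + PureWindowsPath(rec["target"]).name)
    if rec["short_name_parts"]:
        out.append("8.3 short names hide the real directory (" + ", ".join(rec["short_name_parts"]) + ")")
    return out


def triage(lines):
    """Parse every Run-key line and attach reasons and a verdict.

    A Windows binary name running from a user-writable directory is the
    side-loading signature of this sample, so that combination is 'suspicious';
    everything else is left for review."""
    results = []
    for line in lines:
        rec = parse_run_value(line)
        if rec is None:
            continue
        rec["reasons"] = reasons(rec)
        rec["verdict"] = ("suspicious" if rec["in_user_profile"] and rec["shadows_system_binary"]
                          else "review")
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in triage(REPORT_LINES):
        print(rec["verdict"], rec["value_name"], rec["target"])
        for why in rec["reasons"]:
            print("   -", why)
```

The short-name check only flags ~n components; turning MICROS~1\INTERN~1\... back into the long directory name needs the file system it was created on (GetLongPathName on the host), which is why the verdict does not depend on the expanded path.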

Checks whether UAC is enabled (evasion, trojan)

Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by each of:

C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe
C:\Users\Admin\AppData\Local\FuNH\dwm.exe
C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe

As on Windows 7, the read happens once per payload-hosting process and the value is not modified.

Suspicious behavior: EnumeratesProcesses

64 hits: four attributed to C:\Windows\system32\rundll32.exe, the remaining 60 without process attribution in the report.

Suspicious use of AdjustPrivilegeToken

Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, each enabled four times; no process attribution was recorded. Both privileges are also enabled routinely by interactive shell components, so this hit is weak evidence on its own and matters here only in combination with the rest of the report.

Suspicious use of FindShellTrayWindow

Two hits, no process attribution. FindShellTrayWindow returns the handle of the taskbar window (Shell_TrayWnd); malware calls it to confirm it is running on an interactive desktop with a live shell, which a bare analysis VM may lack.

Suspicious use of WriteProcessMemory

All writes originate from PID 3452, two per target, in the recorded order:

PID 3452 wrote to memory of 1924 C:\Windows\system32\dccw.exe
PID 3452 wrote to memory of 4892 C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe
PID 3452 wrote to memory of 1584 C:\Windows\system32\dwm.exe
PID 3452 wrote to memory of 2184 C:\Users\Admin\AppData\Local\FuNH\dwm.exe
PID 3452 wrote to memory of 432 C:\Windows\system32\perfmon.exe
PID 3452 wrote to memory of 724 C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe

Same sequence as on Windows 7: the genuine binary first, then the copy beside the planted DLL. PID 3452 is again not the rundll32 process (the payload image is first dumped from PID 3864; see Files).
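The WriteProcessMemory tables of both runs carry the same tell: one writer process starts a Windows binary from System32 and then a same-named copy from a user directory, and writes into both. The detector below is added example code for this page (not the sandbox vendor's or the Dridex authors'): it parses the report's "PID X wrote to memory of Y <target>" lines, counts repeated writes, and reports every (writer, binary name) for which a genuine and a decoy instance were both written to. The input is a subset of the lines from both runs plus one constructed negative line; SYSTEM_ROOT assumes the default install drive. The same pairing logic transfers directly to EDR process-access telemetry keyed on source PID, target PID and target image path.

```python
"""Detect the genuine-then-decoy process-write pattern from this report's lines.

Added example for this report page; not the sandbox vendor's code.
"""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

SYSTEM_ROOT = PureWindowsPath(r"C:\Windows")      # assumed install drive

# The report prints 'N/A' for the empty Indicator/Process columns; skip them.
WRITE_LINE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?:N/A )*(?P<target>[A-Za-z]:\\.*)$"
)

# Subset of the behavioral1 (PID 1380) and behavioral2 (PID 3452) tables, copied
# from the report; the final PID 5 line is a constructed negative control.
REPORT_LINES = r"""
PID 1380 wrote to memory of 2908 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1380 wrote to memory of 2908 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1380 wrote to memory of 2908 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1380 wrote to memory of 2924 N/A N/A C:\Users\Admin\AppData\Local\cLsFocb\SnippingTool.exe
PID 1380 wrote to memory of 2924 N/A N/A C:\Users\Admin\AppData\Local\cLsFocb\SnippingTool.exe
PID 1380 wrote to memory of 2924 N/A N/A C:\Users\Admin\AppData\Local\cLsFocb\SnippingTool.exe
PID 1380 wrote to memory of 916 N/A N/A C:\Windows\system32\sigverif.exe
PID 1380 wrote to memory of 916 N/A N/A C:\Windows\system32\sigverif.exe
PID 1380 wrote to memory of 916 N/A N/A C:\Windows\system32\sigverif.exe
PID 1380 wrote to memory of 928 N/A N/A C:\Users\Admin\AppData\Local\cQIVF7e\sigverif.exe
PID 1380 wrote to memory of 928 N/A N/A C:\Users\Admin\AppData\Local\cQIVF7e\sigverif.exe
PID 1380 wrote to memory of 928 N/A N/A C:\Users\Admin\AppData\Local\cQIVF7e\sigverif.exe
PID 3452 wrote to memory of 1924 N/A N/A C:\Windows\system32\dccw.exe
PID 3452 wrote to memory of 1924 N/A N/A C:\Windows\system32\dccw.exe
PID 3452 wrote to memory of 4892 N/A N/A C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe
PID 3452 wrote to memory of 4892 N/A N/A C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe
PID 5 wrote to memory of 6 N/A N/A C:\Windows\system32\notepad.exe
""".strip().splitlines()


def parse_writes(lines):
    """Counter keyed by (src_pid, dst_pid, target); one report row equals one write."""
    counts = Counter()
    for line in lines:
        m = WRITE_LINE.match(line.strip())
        if m:
            counts[(int(m["src"]), int(m["dst"]), m["target"])] += 1
    return counts


def decoy_pairs(counts):
    """For each writer, find a binary name that was written to both as the genuine
    System32 process and as a process started from outside %SystemRoot%."""
    seen = defaultdict(lambda: defaultdict(dict))   # writer -> name -> role -> (pid, path)
    for src, dst, target in counts:
        p = PureWindowsPath(target)
        role = "genuine" if SYSTEM_ROOT in p.parents else "decoy"
        seen[src][p.name.lower()][role] = (dst, target)
    findings = []
    for writer, names in seen.items():
        for name, roles in names.items():
            if "genuine" in roles and "decoy" in roles:
                findings.append({
                    "writer": writer,
                    "name": name,
                    "genuine_pid": roles["genuine"][0],
                    "decoy_pid": roles["decoy"][0],
                    "decoy_path": roles["decoy"][1],
                    "writes": counts[(writer, roles["genuine"][0], roles["genuine"][1])]
                              + counts[(writer, roles["decoy"][0], roles["decoy"][1])],
                })
    return findings


if __name__ == "__main__":
    for f in decoy_pairs(parse_writes(REPORT_LINES)):
        print(f"writer {f['writer']}: {f['name']} genuine pid {f['genuine_pid']}, "
              f"decoy pid {f['decoy_pid']} at {f['decoy_path']} ({f['writes']} writes)")
```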

Uses Task Scheduler COM API (persistence)

No task name, trigger or action was captured in this run either.

Processes

Each decoy was launched with no arguments (its command line is just the image path):

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f334c05455a23f89ee06fb59f1b9f77f.dll,#1
C:\Windows\system32\dccw.exe
C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe
C:\Windows\system32\perfmon.exe
C:\Users\Admin\AppData\Local\FuNH\dwm.exe
C:\Windows\system32\dwm.exe
C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe

Network

All recorded traffic is reverse-DNS (PTR) lookups sent to 8.8.8.8:53 over UDP; no HTTP, TLS or other command-and-control traffic was captured. The address each PTR name decodes to (octets reversed) is added in the last column:

Country Destination Domain Proto Decoded address
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp 40.126.32.76
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp 96.17.178.180
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp 20.82.154.241
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp 20.223.36.55
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp 96.16.110.41
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 192.229.221.95
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp 20.82.228.9
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp 20.12.23.50
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp 52.165.164.15
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp 88.221.135.217
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp 87.248.204.0
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp 52.111.227.11
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp 96.17.178.173

The lookups are not attributed to a process, and many of the decoded addresses fall in blocks used by Microsoft services and CDN providers that a Windows 10 image contacts on its own. Do not promote them to network indicators without corroboration from another source.

Files

Memory dumps are listed as memory/<pid>-<index>-<start>-<end>; dropped files with their hashes, in the order recorded. The 0x37E000-byte image at 0x140000000 is the same payload seen on Windows 7, first dumped from the rundll32 process (PID 3864) and then repeatedly from PID 3452. Private regions of exactly 0x7000 bytes again appear in PID 3864, in PID 3452 and in each decoy (PIDs 4892, 2184, 724). Several dropped paths appear more than once with different hashes (FuNH\dxgi.dll has four): the file was written and then rewritten during the run, so collect every hash and treat the directory/file-name pair as the durable indicator.

memory/3864-0-0x0000020B85AF0000-0x0000020B85AF7000-memory.dmp

memory/3864-1-0x0000000140000000-0x000000014037E000-memory.dmp

memory/3452-{12,17,21,22,23,26,30,33,36,40,43,45,49,53,57,61,62,63,64,65} (20 dumps): 0x0000000140000000-0x000000014037E000-memory.dmp, the payload image first seen in PID 3864 (memory/3864-1)

memory/3452-66-0x0000000000E60000-0x0000000000E67000-memory.dmp

memory/3452-74-0x00007FFE16280000-0x00007FFE16290000-memory.dmp

C:\Users\Admin\AppData\Local\oMxwpW\mscms.dll

MD5 f6f0c7a8d2fa0a2301ec4e9bc29b6fdf
SHA1 acbf608eaf6d5971bff29836557bd335de1f34e8
SHA256 c52175e6fe7f878afa9f3b53dd4b40094b90f26c7c74822f1f85d12623ada18e
SHA512 32c5bd2d531a844bbed5a5db786d89b9b10c7b0e85d0d9991edd1122ebd0f82bed5e2d66f4d92db63f1465d56f5256a2d9fc526b3363d221cfd5403cde0a392a

memory/4892-96-0x00000216163F0000-0x00000216163F7000-memory.dmp

C:\Users\Admin\AppData\Local\oMxwpW\mscms.dll

MD5 10a291f840bea76f7538b14df6fb167d
SHA1 354d4c2c75db3e4441cc7288ee3ea6dafee08c8c
SHA256 59159e7e08abb4712d9f2dcd3532ff6f6397e81256c812d6bf3dad59ffc014bb
SHA512 c29108738f93d93742e5e9f3d594fc9add2c299386a4ca88fa4cf11c0b799c8dbc5849533d00821ca75a91b0e3b3ffe987ba1691d2bbcafcc88cb38305de5508

C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe

MD5 f0da418c420b643ebca8c22fb543a79d
SHA1 05b6a9f8ea0b9841edd90ce1dfc88de518b97791
SHA256 ae02f977727a808ca1718503f8bf5134e99e31a90f097681344fc955478b8e21
SHA512 09eb57c7ebfe249d3db64602345195ad7a4a112dc6447df3b8d1a29c75e166e3699e0be938aa0a510a8652f95f67feec858881bf07402934dd9c3d4b8b54fcdc

C:\Users\Admin\AppData\Local\oMxwpW\dccw.exe

MD5 ed203a282fdde8d2a2f01af16066c2e5
SHA1 a86c77e831a66c9ef86c4582ca11fde33271657a
SHA256 bc4b4c5b0c70df0c5b8845989e4b9c83040d59999aa843c113382d54c4da525e
SHA512 1ea1d57707c11e65e1988ca8a266b83e6e23481df8af6790505e088a80f3e725f3b67620a143f78bf8a4ae29640244acc634c9a96759f1ecaeea62417cd05ce9

C:\Users\Admin\AppData\Local\FuNH\dwm.exe

MD5 ee432ac8ce8357a17be75e03f33f5824
SHA1 41b1b46a31b9b38f8ecb3d17a9f5b79c8f7f57e5
SHA256 1a5f68afb16ce7b7ccd157dad82454ac9070dccd45385f7db881545c927cc734
SHA512 6f7b87c6f2d744d151de656dfcc8de5e64290ab64ed52c527b6eebba36776fed1eb3693d89844b26f799dbc80c4342567abf03f271ab25c0f2cfa2707f4d7d87

C:\Users\Admin\AppData\Local\FuNH\dxgi.dll

MD5 5b8db5b1166fc6d5e2094d5346c3004e
SHA1 01d2b7d159f3f524b2e057e76350e30eedcb5838
SHA256 758fd04d93c2ae42cbe199083f50e53d1379307546c935e740d3c6f79ff505b4
SHA512 da3907c523b4bc4d7351c631a141af348eba531a4011bd759dc948f5b2e81c56c4a4c748100ef50f8b0e4537bf471487b330a21fe4e0aeb4c51f20940627e5a5

memory/2184-116-0x0000018A3D360000-0x0000018A3D367000-memory.dmp

C:\Users\Admin\AppData\Local\FuNH\dxgi.dll

MD5 8e6d9172cab806e327782a658701b31e
SHA1 7ff35129b8a1672653f58b87e93bbaca56afaee0
SHA256 6538516c90b167966743cdc01e2a17729cded982e95945d3280040c401de2f3f
SHA512 4497e865a46f0086bfff40ad5d53d05f9e82a858a7bb2a0c8b9b38422244b722cd8df8150c589a22fa840a1c16f9ccb39109ea35dea6956ab78140439612cec8

C:\Users\Admin\AppData\Local\FuNH\dxgi.dll

MD5 64accc65d094bf1d765d068f42a7c498
SHA1 3e5accdb18a6c7086835257cb89b9a9d6b639fc2
SHA256 7f5a37fe407689fee66d07d5fdebdb82e2e0e3182b9ea0dd8d7386be49258f17
SHA512 cdfb0c5221a778d2b5ac27ed0c5e3e8ad4434bc5e74e8956b9a8dadac03979e02df69520508e224b1896778722e8ea33431c516e1e2bd9da2ec0900ac482dbbb

C:\Users\Admin\AppData\Local\a4Flf1Vek\credui.dll

MD5 8539a82e6b9474c7af3327bdfd972709
SHA1 090b261b858c0a080f4244a0899da1e0103935bf
SHA256 aecda28b8a9d8f393f982add3f6e36b7b19fe3911f1f9127eb519c156672769c
SHA512 a3d53ceaa9a9f3a381792c6768916ab06fa3e5a44fd33686a148dfe5b658c7f861eb13151f6c0ec9d736bd6d60fb83cbfb178cfcad690d3fbc5f3fd727da427c

C:\Users\Admin\AppData\Local\a4Flf1Vek\credui.dll

MD5 51304f1d0ef1847b583e121f97539545
SHA1 5bf989194aed23a2cdb669abe2c4bc36263f400c
SHA256 ee4449456bae0f6cdf3e5683361dc8fb1ff478d522c88e886b3ddb6c5a05961c
SHA512 1c3d8cc5d4559fd042eebfee5a457e2e0eafab4701e398425dc14cfa893e32b48b47b564e3fe63eb4da76a333112c4de6e54233532aad3e34794126334bc64c4

memory/724-129-0x0000026E49C30000-0x0000026E49C37000-memory.dmp

C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe

MD5 f8419cdeff04a317015925559f0344ca
SHA1 24d094fd749b95a7a48f4e8325660f5363de1b4e
SHA256 ab5923fb746dc2169195b92a3303277d88f440aa4c4db03e292dfe305e91b3e3
SHA512 a45eddc82e9e58a401c2e2bfe1f4a03aa1a3237e967bf8bcb063018205fa23bdf3b67264bc7061ea312d144b0cb3bccb589124f208052c8e961e9f7aa54ed7b0

C:\Users\Admin\AppData\Local\a4Flf1Vek\perfmon.exe

MD5 d416de97e823a386808de0e6821b8a9e
SHA1 2c30b6c5422dc973438b8116648e515449e7f48e
SHA256 5173f4908382aeb756c17c00d132dd9af40b81288bf828519231b25d7f4aa100
SHA512 605edd65e6182f846fd46e910e027b7b3aed5a558867f6bec49929fbfc5895d9647a3308d50e0adc7e2e161b176ba7859b04970296f04228e9db1f58264a3aa6

C:\Users\Admin\AppData\Local\FuNH\dxgi.dll

MD5 390e0820e5cbef89a8da9fff6204b9e3
SHA1 8159f31b6167646d94346b46ca2fd882a3e08f56
SHA256 eb8c655ceafba69bd62142b1d3e81f562a53659d89bc73fa18b533556ef2b2f8
SHA512 3458cbd3bf94aa787263110e38bfd012421af427518c1e72482550a706dca913f382cb021f7a9bb91bafc31ffee9ae651c1fbfc151624354728c6b66c9bf6de7

C:\Users\Admin\AppData\Local\FuNH\dwm.exe

MD5 5c27608411832c5b39ba04e33d53536c
SHA1 f92f8b7439ce1de4c297046ed1d3ff9f20bc97af
SHA256 0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565
SHA512 1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

memory/3452-{7,8,10,11,13,14,15,16,18,19,20,24,25,27,28,29,31,32,34,35,37,38,39,41,42,44,46,47,48,50,51,52,54,55,56,58,59,60} (38 dumps): 0x0000000140000000-0x000000014037E000-memory.dmp, further dumps of the payload image in PID 3452

memory/3452-9-0x00007FFE1615A000-0x00007FFE1615B000-memory.dmp

memory/3864-6-0x0000000140000000-0x000000014037E000-memory.dmp

memory/3452-4-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3803511929-1339359695-2191195476-1000\FXVmo\dwm.exe

MD5 a5333ad8504a51ef532e562efc7fce55
SHA1 0f0f8896db7e6fbe61e3b32b9c74f48ffcdcf41e
SHA256 2a482e2943880beae859a603c91fc8e0195d97cde918f830c9f90505fcb14306
SHA512 d2395eb5fbb361cce892d7c955793b1728e5b4ba51c2bae1496aa9ecb89268ad9f0a7913bcfe107111c6fdd7a330586c11d66cbaf2054bc1b8a9a710aa8259cc

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 96a5d54a40a0051f4c109429c2505b2f
SHA1 0988ea4d3fb3976ec19e16e620354783406ec1ff
SHA256 6affe85e951805b51f37d41db32629f85a9cb7874ca2eafb7f8081f7a05155da
SHA512 50e04de36fd7a12e926f608c06ce327edefc937bcaab2829dc7da77ea9e8b035c8eeadec06557f75254025f4a517c099b1900a2db2effcfe2b80ee8d66c4ec0c

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\479gnT\mscms.dll

MD5 3b58c6483a800a71b4d4319b36e77244
SHA1 e235a653a9c8f0e10abb06a64232d1d5f53b4be2
SHA256 7aaf415814e8d2ef5f8b397d8befada376cbd09f255ad64f0a368a1b9a4396ba
SHA512 447f302b0d97d3ba9300f7595934cd4b0090c958479bc59cb226a28fdb482d8404e4de63ae4bb0f6b05463844b63d3924f3aef2953c0ed39ce5fadd5832df45e

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3803511929-1339359695-2191195476-1000\FXVmo\dxgi.dll

MD5 cd068fed916674488a8a7a133c5541a2
SHA1 6a5b20f884f6992047131f2b22152da1647e7fb8
SHA256 9add45bff3abcbdbaf767c730e7e8c2af34aa1cba8a913e78c8a9e10702866d7
SHA512 9d0ca3478598a35f3deed6da47300cd5dfd7662498298feb3835b49d7fe48dbc4a7d3d581b1290c2ca2346e3c87322d70390f83eed46a073024e28606859897a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\0SUZ69vg\credui.dll

MD5 3a9c6a07395d1873899a74ee3dbaf3f3
SHA1 b6a3b9cef5dcf2bd6f5fe7bee73fb12d99b32dd8
SHA256 878b4a5826bd5c3f3d2f38af896ed1a7ed28036a19b73663638cc3f9e5b30d0a
SHA512 8e27972eb7acb236835927c42af77e7b2263e288116a255e09a4f516a2c6d412f9a659d85ce008ee8c087c3c0a5dd05f235a961ac30e94f4f643ab469fdc07c4