Malware Analysis Report

2024-11-30 21:24

Sample ID 231222-tm9epagff4
Target eac2738515d0292a80e97bdd871ae3f8
SHA256 96761af2af2e82740682729fe36feb508fc90cdc60771957e4583f853a873709
Tags
dridex botnet evasion payload persistence trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

96761af2af2e82740682729fe36feb508fc90cdc60771957e4583f853a873709

Threat Level: Known bad

The file eac2738515d0292a80e97bdd871ae3f8 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 16:11

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 16:11

Reported

2023-12-24 05:59

Platform

win10v2004-20231215-en

Max time kernel

153s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\eac2738515d0292a80e97bdd871ae3f8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\lG5H\\wlrmdr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\IzGAuc6\SppExtComObj.Exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\rwLmv\wlrmdr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\aIXs\usocoreworker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3204 wrote to memory of 2284 N/A N/A C:\Windows\system32\SppExtComObj.Exe
PID 3204 wrote to memory of 1352 N/A N/A C:\Users\Admin\AppData\Local\IzGAuc6\SppExtComObj.Exe
PID 3204 wrote to memory of 3552 N/A N/A C:\Windows\system32\wlrmdr.exe
PID 3204 wrote to memory of 1012 N/A N/A C:\Users\Admin\AppData\Local\rwLmv\wlrmdr.exe
PID 3204 wrote to memory of 1408 N/A N/A C:\Windows\system32\usocoreworker.exe
PID 3204 wrote to memory of 2420 N/A N/A C:\Users\Admin\AppData\Local\aIXs\usocoreworker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\eac2738515d0292a80e97bdd871ae3f8.dll,#1

C:\Windows\system32\SppExtComObj.Exe

C:\Users\Admin\AppData\Local\IzGAuc6\SppExtComObj.Exe

C:\Windows\system32\wlrmdr.exe

C:\Windows\system32\usocoreworker.exe

C:\Users\Admin\AppData\Local\rwLmv\wlrmdr.exe

C:\Users\Admin\AppData\Local\aIXs\usocoreworker.exe

Network

Files

C:\Users\Admin\AppData\Local\IzGAuc6\ACTIVEDS.dll

C:\Users\Admin\AppData\Local\IzGAuc6\SppExtComObj.Exe

C:\Users\Admin\AppData\Roaming\Microsoft\aWpHcBl\SppExtComObj.Exe

C:\Users\Admin\AppData\Local\rwLmv\wlrmdr.exe

C:\Users\Admin\AppData\Local\rwLmv\DUI70.dll

C:\Users\Admin\AppData\Local\aIXs\XmlLite.dll

C:\Users\Admin\AppData\Local\aIXs\usocoreworker.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\aWpHcBl\ACTIVEDS.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\lG5H\DUI70.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\oZzEI4w\XmlLite.dll

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 16:11

Reported

2023-12-24 05:59

Platform

win7-20231129-en

Max time kernel

146s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\eac2738515d0292a80e97bdd871ae3f8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\cM1j4\msinfo32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\BoH\calc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\qeTlzB\cmstp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\8fjLlLS\\calc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\cM1j4\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BoH\calc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\qeTlzB\cmstp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 2812 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1360 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\cM1j4\msinfo32.exe
PID 1360 wrote to memory of 2120 N/A N/A C:\Windows\system32\calc.exe
PID 1360 wrote to memory of 2152 N/A N/A C:\Users\Admin\AppData\Local\BoH\calc.exe
PID 1360 wrote to memory of 1960 N/A N/A C:\Windows\system32\cmstp.exe
PID 1360 wrote to memory of 2756 N/A N/A C:\Users\Admin\AppData\Local\qeTlzB\cmstp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\eac2738515d0292a80e97bdd871ae3f8.dll,#1

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\cM1j4\msinfo32.exe

C:\Users\Admin\AppData\Local\BoH\calc.exe

C:\Windows\system32\calc.exe

C:\Users\Admin\AppData\Local\qeTlzB\cmstp.exe

C:\Windows\system32\cmstp.exe

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\8fjLlLS\UxTheme.dll

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\jqH\VERSION.dll
