Malware Analysis Report

2024-11-30 21:24

Sample ID 231222-tngfasggb9
Target eaf0253303d762297bfe8a16d4011c06
SHA256 eee23c7594dadc97d779a835a31eaa189bcbb14273cdffebc64e7fef7e5ff036
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eee23c7594dadc97d779a835a31eaa189bcbb14273cdffebc64e7fef7e5ff036

Threat Level: Known bad

The file eaf0253303d762297bfe8a16d4011c06 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 16:12

Signatures

Unsigned PE

(no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 16:12

Reported

2023-12-24 06:02

Platform

win7-20231215-en

Max time kernel

155s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaf0253303d762297bfe8a16d4011c06.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
(no indicator details recorded)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe N/A
(four further hits with no process recorded)

Each process listed here is a copy of a Windows binary (the same names also run from C:\Windows\system32 in this detonation) staged in a randomly named directory under AppData\Local. The DLLs it loads are the HID.DLL and VERSION.dll files that the Files section records beside each copy: neither name is on the KnownDLLs list, so the copy resolves the planted DLL from its own directory ahead of System32.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\1AsX\\icardagt.exe" N/A N/A

The value starts a copy of icardagt.exe (a Windows binary that also ran from C:\Windows\system32 in this detonation) from an 8.3 short-name path under the user's roaming profile. Written out, MICROS~1\Windows\NETWOR~1\1AsX is Microsoft\Windows\Network Shortcuts\1AsX, the directory in which the Files section records a dropped VERSION.dll. The short-name form defeats detection rules that match the literal long path.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further hits with no process recorded)

Suspicious use of WriteProcessMemory

The source PID 1232 is not named in the report; the memory dumps under Files show the same 0x0000000140000000-0x0000000140210000 image mapped into it as into the initial PID 1652. For each binary name it writes three times into the genuine binary started from C:\Windows\system32 and then three times into the staged copy under AppData\Local; both targets appear in the process list below.

Description Indicator Process Target
PID 1232 wrote to memory of 2492 N/A N/A C:\Windows\system32\tabcal.exe
PID 1232 wrote to memory of 2492 N/A N/A C:\Windows\system32\tabcal.exe
PID 1232 wrote to memory of 2492 N/A N/A C:\Windows\system32\tabcal.exe
PID 1232 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe
PID 1232 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe
PID 1232 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe
PID 1232 wrote to memory of 1852 N/A N/A C:\Windows\system32\icardagt.exe
PID 1232 wrote to memory of 1852 N/A N/A C:\Windows\system32\icardagt.exe
PID 1232 wrote to memory of 1852 N/A N/A C:\Windows\system32\icardagt.exe
PID 1232 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe
PID 1232 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe
PID 1232 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe
PID 1232 wrote to memory of 2068 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1232 wrote to memory of 2068 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1232 wrote to memory of 2068 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1232 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe
PID 1232 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe
PID 1232 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaf0253303d762297bfe8a16d4011c06.dll,#1

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe

C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe

C:\Windows\system32\icardagt.exe

C:\Windows\system32\icardagt.exe

C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe

C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe

C:\Windows\system32\rdrleakdiag.exe

C:\Windows\system32\rdrleakdiag.exe

C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe

C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe

Network

N/A

Files

Memory entries are named <pid>-<dump number>-<start>-<end>. Most dumps cover the same 0x0000000140000000-0x0000000140210000 region in PID 1232 (and, early on, in PID 1652), i.e. one roughly 2 MB image dumped repeatedly; the only other regions are small 0x7000-byte ranges, one per process written to (1644, 2580, 2572). Several dropped files are listed twice, once without and once with the drive letter, with different hashes, and the C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe entry carries the MD5/SHA1/SHA256/SHA512 digests of an empty input (MD5 d41d8cd98f00b204e9800998ecf8427e), meaning the file held zero bytes when it was hashed. Treat these digests as capture-time snapshots rather than indicators until confirmed against a complete copy.

memory/1652-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1652-1-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-4-0x00000000771D6000-0x00000000771D7000-memory.dmp

memory/1232-5-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/1232-12-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-13-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-11-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-10-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-9-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1652-8-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-7-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-15-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-20-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-21-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-19-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-18-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-17-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-25-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-26-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-24-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-23-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-22-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-16-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-14-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-28-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-29-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-32-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-33-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-31-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-30-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-27-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-35-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-36-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-34-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-37-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-38-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-39-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-40-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-43-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-44-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-42-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-41-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-46-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-47-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-50-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-51-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-52-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-49-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-54-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-56-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-55-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-58-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-57-0x0000000002580000-0x0000000002587000-memory.dmp

memory/1232-53-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-48-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-45-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-65-0x0000000140000000-0x0000000140210000-memory.dmp

memory/1232-66-0x00000000773E1000-0x00000000773E2000-memory.dmp

memory/1232-67-0x0000000077540000-0x0000000077542000-memory.dmp

memory/1232-76-0x0000000140000000-0x0000000140210000-memory.dmp

\Users\Admin\AppData\Local\bZSlh83\HID.DLL

MD5 7e1d955148f704ea0ef37d0b8ceb821a
SHA1 9a50ffbdebe75c6876b5753c5102b9e180f504a3
SHA256 ce2821bafd80c27b98a601321cb59351ab56f64493d7cb7b063b968da5849e92
SHA512 92df7a2157d76f33641311b5ca5ee20032f96b0e50478bd48324050830fa28b0393566de4c05efa5d1f9892c3064879db5fd7b15c95419d95a86c25b0914eb39

memory/1644-94-0x0000000000080000-0x0000000000087000-memory.dmp

C:\Users\Admin\AppData\Local\bZSlh83\HID.DLL

MD5 d0e79b3b6442b42442c373eb7f09cd54
SHA1 7551bca998b09e2568b1cdcd546edbd243d627fd
SHA256 879901b105d943f1ff13fd245d9e068226c236b4de7ebbfbbc7551b4f66b9751
SHA512 d8f70941b4a904eb0703e3aa108e98c9a67119f6e72a64ca958cf915b46a883199e9d21c28def12d52bc901c0d8b47b6a0da0259a0f47fe60f65fb38d23ee00f

C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe

MD5 98e7911befe83f76777317ce6905666d
SHA1 2780088dffe1dd1356c5dd5112a9f04afee3ee8d
SHA256 3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1
SHA512 fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

\Users\Admin\AppData\Local\bZSlh83\tabcal.exe

MD5 72267b1d52040f3a585a6db7c1361e70
SHA1 2c30e3e6b9ed18509418c8ee936dab8f841e1319
SHA256 07265146f0a1982a0a99338741a546729ef5d7df0c78e847830a1923cbc93f3c
SHA512 7ae56828806acd9fbdcd75bea531f5235b67ef532fce6c4037ec8ab2f963bf0c91eeb2298b4721523a20c5e3cff56acd65513743c33990a408befe27d1077c39

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\nAnR\tabcal.exe

MD5 99cfe841e9b66c98e703468a43b1d624
SHA1 93b7df909d13facfb682c3b3a8333326ffbc041a
SHA256 c3d9fec2880a63b968976d6f8bf8a4b02d02136ed99ed0c29530bff24ed7f9c3
SHA512 8aa9ed22a8211318b7e7b5e494f6acc0ca99e6105ea125e5fc4c62a2c76df1d53545182a023833c85da9b42759f48a6a0b5ca0a40a1ed681caaab6ef1d4d622e

C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\MISQZKzY\VERSION.dll

MD5 8e0b54df8b66cc931b9109b7ce2286e3
SHA1 59d747b03db49dd0c59a358fc7de483f8703bc74
SHA256 b0164c3fb9077cb87702e10abe0bc2247611121468ef7dc93c4070d250aa9515
SHA512 a0154958417a2b90e6eea53cbaa99a9d92e6cd0b9fb52568eb9bf2408330164947d7652007956c3e03fb6d499f0e77295287ecbbbac9129ccf2389f72e28bd33

C:\Users\Admin\AppData\Local\MISQZKzY\VERSION.dll

MD5 714440345169bcccb70f9d91de07440b
SHA1 2250dd35ee4e2cd001ba4b72a0f7d7fba7bc5c49
SHA256 5b4e29b5389eeb56d8f832cc44b46f83f591e920ca29a84da4e1bbd7cf0c6984
SHA512 f178539f033015b632851f49c28d103a63626ac805faa489d9816f3c7d1cfffb2ffd6072a15e8efe42acb9aece60e5ba90c046a6f4c050508dbea43c50c08583

memory/2580-111-0x0000000000220000-0x0000000000227000-memory.dmp

\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe

MD5 23e7fded8b677ffa978649f5d19316e2
SHA1 d7f2f47decbd212ceb4e2139a9b16bc5c03d0ffa
SHA256 d6ef4138943b3a57c6b35be53fc4b7f855e2c0dd8abe2f05d4e80d2cc77bf363
SHA512 5ffed789e5425dfc149882729c15aeac1a06a95b598c4764419367953038087ffc6b969f21b3a45ee8567665274ebe4cce2b9ef04ba13dba92fc7c630d912fb1

C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe

MD5 84610cc10a2fb47041c3a21baef53042
SHA1 0682fd0bc64b863da87959dd7839d022444164b8
SHA256 9c843f63e9831bb6a46d7459b537d7e32822435e422d3e18a5a589541339e31a
SHA512 f4668e57cb3e21bdb8a6175317e4e20a1128fae6b5b5e199fcb098d02acc67fe8413db8a8b719f54e4c359a47b4d1b589a45f2b909c9c8950c44ceb917eaf0aa

C:\Users\Admin\AppData\Local\k5ZvGLujJ\VERSION.dll

MD5 188ae3689bc48d7da6a59037c342b5dc
SHA1 f39f94974e7f25cbfd039c0a71cbf21256133d4d
SHA256 37980903e8ba30f74ba57abe647cfe0205adbb3c61bb46c349679e59531ec3bb
SHA512 0e7b0bbc59b23f2d3d320e3309568f6f9d95991b14a01df2216b451fc124a7195a46a10d5dd6829cf8f5e3ff111ee90dac16864d66080f855b498789f1498f36

C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe

MD5 5e058566af53848541fa23fba4bb5b81
SHA1 769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
SHA256 ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
SHA512 352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

\Users\Admin\AppData\Local\k5ZvGLujJ\VERSION.dll

MD5 c68bac7ac7363f8876c4bd30137469c2
SHA1 d8c0cd80d8c742d8cf9b36e78c3a9ae52bf78155
SHA256 0930c566789d3c08086385033d6d79be5012fce10bc2b0b75eebd203559becee
SHA512 2a40c1f9f1e70a3d8ff3bab629d727838af9eb46f0993ea77280e4275aa5bb3bcc1a90942d448f4ac15b8f482d562cf54d1ddb7a6ac215d1bf2af2e7652c82b2

memory/2572-135-0x0000000000170000-0x0000000000177000-memory.dmp

memory/1232-157-0x00000000771D6000-0x00000000771D7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 59c3e152e5d124ebcbbca72cadba68d3
SHA1 253db94d538db509e860074174912ebb24879ead
SHA256 ca00cffca56e06ebd71cc6a64f68e4d14253163261d8256a8b7439aa4f993f45
SHA512 4c0e816d51d9351f8c298be81d00e50c12ef8d0292ef77c985f2295255f871df5022f5589ded281736eeb15918aed292971921079e02be774d8970a5c5c77a88

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\nAnR\HID.DLL

MD5 e411dd85183edccc26bb1f520239f0c8
SHA1 3fd42a1865957fafdb38d8861385ff2f98c8d28b
SHA256 f01a0985f7b7cc466059ef1b219dd1c2f9d9a016ec2eae7de53765326af170a1
SHA512 62fb37e4f6d4cdf15c268c2e9bd2f09a585d77366e1cd5e3f5785184e563397f51f698bad68aea62e120c6c2c91dde572002d7689ef2de07aafb423ebc3bcdee

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\1AsX\VERSION.dll

MD5 445d63017c270fa584b3c80451d0f3cf
SHA1 5a23c8fa537dc11a75f7b81eee9723074e220df2
SHA256 89562abe92940e2a7daa9bdee62dd8048b33cef1072adb3fed0e484ecb9a5ae6
SHA512 e168aec97752ff4d0ce884a2a99ad65d3cc0259f10a8834c3db0563a0a038774634f3eeebc5795344eb8c048d7d2df4139f0a16c67e47d4eeb7dfd24e0cc548f

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\E1yZhYB8ERH\VERSION.dll

MD5 5f173eb311d3c951d1e063a733ec973d
SHA1 874d90e11e426366e1aa345afb44419fb6568ca2
SHA256 3d046c4ec4230295eb98d65d57225b0fdba6d0418d9d6dd9a4f7505318930ff5
SHA512 2a42bb63752e9e0f1404b9b738db47ced2e0d984f9371c8f84ae865c3831dc408e43b672feae66bd4eb2b90486227424111e1dc2633cb17cbcb9c65288994196
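The dropped-file listing above shows one staging pattern repeated in several directories: a copy of a Windows binary (tabcal.exe, icardagt.exe, rdrleakdiag.exe, each of which also ran from C:\Windows\system32 in this detonation) placed in a randomly named directory next to a DLL carrying a system DLL name (HID.DLL or VERSION.dll), so that the copy resolves the planted DLL from its own directory. The script below is an added worked example, not part of the sandbox report, that parses a subset of this listing (copied from above with the SHA1 and SHA512 lines and the blank lines left out for brevity; the parser accepts all four hash lines and blank lines) and reports the staging directories, whether each also holds a copied binary, the entry whose digest is that of an empty file, and how many distinct digests each dropped filename has. The set of system binary names comes from this report's process list; treating hid.dll and version.dll as system DLL names is an assumption added here.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Subset of the behavioral1 "Files" listing above (SHA1/SHA512 and blank
# lines dropped to keep this short; the parser accepts them).
FILE_LISTING = r"""
C:\Users\Admin\AppData\Local\bZSlh83\HID.DLL
MD5 d0e79b3b6442b42442c373eb7f09cd54
SHA256 879901b105d943f1ff13fd245d9e068226c236b4de7ebbfbbc7551b4f66b9751
C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe
MD5 98e7911befe83f76777317ce6905666d
SHA256 3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1
C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Users\Admin\AppData\Local\MISQZKzY\VERSION.dll
MD5 714440345169bcccb70f9d91de07440b
SHA256 5b4e29b5389eeb56d8f832cc44b46f83f591e920ca29a84da4e1bbd7cf0c6984
C:\Users\Admin\AppData\Local\k5ZvGLujJ\VERSION.dll
MD5 188ae3689bc48d7da6a59037c342b5dc
SHA256 37980903e8ba30f74ba57abe647cfe0205adbb3c61bb46c349679e59531ec3bb
C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe
MD5 5e058566af53848541fa23fba4bb5b81
SHA256 ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
memory/1644-94-0x0000000000080000-0x0000000000087000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\nAnR\tabcal.exe
MD5 99cfe841e9b66c98e703468a43b1d624
SHA256 c3d9fec2880a63b968976d6f8bf8a4b02d02136ed99ed0c29530bff24ed7f9c3
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\nAnR\HID.DLL
MD5 e411dd85183edccc26bb1f520239f0c8
SHA256 f01a0985f7b7cc466059ef1b219dd1c2f9d9a016ec2eae7de53765326af170a1
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\1AsX\VERSION.dll
MD5 445d63017c270fa584b3c80451d0f3cf
SHA256 89562abe92940e2a7daa9bdee62dd8048b33cef1072adb3fed0e484ecb9a5ae6
"""

# Names that run from C:\Windows\system32 in this report's process list.
SYSTEM_EXE_NAMES = {"tabcal.exe", "icardagt.exe", "rdrleakdiag.exe"}
# Assumption added here: DLL names a copied binary resolves from its own directory.
SYSTEM_DLL_NAMES = {"hid.dll", "version.dll"}
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

def parse_listing(text):
    """Map each dropped-file path to {algorithm: digest}; memory dumps are skipped."""
    entries, current = {}, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                entries[current][m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            current = None
        else:
            current = line
            entries[current] = {}
    return entries

def staging_dirs(entries):
    """Directories outside the Windows directory holding a system-named DLL;
    'paired' marks those that also hold a copied system binary."""
    by_dir = defaultdict(set)
    for path in entries:
        p = PureWindowsPath(path)
        by_dir[str(p.parent)].add(p.name.lower())
    findings = {}
    for d, names in by_dir.items():
        parts = PureWindowsPath(d).parts
        if len(parts) > 1 and parts[1].lower() == "windows":
            continue
        dlls, exes = sorted(names & SYSTEM_DLL_NAMES), sorted(names & SYSTEM_EXE_NAMES)
        if dlls:
            findings[d] = {"dll": dlls, "exe": exes, "paired": bool(exes)}
    return findings

def empty_captures(entries):
    """Paths whose MD5 is the empty-input digest: zero bytes when hashed."""
    return sorted(p for p, h in entries.items() if h.get("MD5") == EMPTY_MD5)

def digests_per_name(entries, algo="SHA256"):
    """Number of distinct digests recorded for each dropped filename."""
    seen = defaultdict(set)
    for path, h in entries.items():
        if algo in h:
            seen[PureWindowsPath(path).name.lower()].add(h[algo])
    return {name: len(d) for name, d in seen.items()}

if __name__ == "__main__":
    files = parse_listing(FILE_LISTING)
    for d, f in staging_dirs(files).items():
        print(("PAIRED   " if f["paired"] else "DLL-ONLY ") + d, f["exe"], f["dll"])
    print("empty captures:", empty_captures(files))
    print("distinct digests per name:", digests_per_name(files))
```

Every HID.DLL and VERSION.dll drop carries a different digest, and tabcal.exe itself appears with more than one, so a hash blocklist built from this listing would match nothing beyond this run; the durable signal is the pairing of a user-writable directory, a system binary name and a system DLL name. The 1AsX directory shows only the DLL while the Run key above points at an icardagt.exe in that same directory, so the listing is also incomplete.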

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 16:12

Reported

2023-12-24 06:02

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaf0253303d762297bfe8a16d4011c06.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
(no indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\079\\shrpubw.exe" N/A N/A

The value starts a copy of shrpubw.exe (a Windows binary that also ran from C:\Windows\system32 in this detonation) from a short-name path under the roaming profile, most likely Microsoft\Windows\Start Menu\Programs\079. The process list shows shrpubw.exe running from AppData\Local\wKxM8 as well, so the Run value points at a location different from the one executed during the run.
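Both Run values in this report (the behavioral1 row and this one) have the same shape: a random value name, a Windows binary name as the image, and a path under the user's roaming profile written with 8.3 short names. The script below is an added example, not part of the report, that parses both rows in the sandbox's own table format, unescapes the doubled backslashes, expands the short names using the long paths this report shows elsewhere (Network Shortcuts\1AsX and Start Menu\Programs under Roaming\Microsoft\Windows; short names are assigned per directory, so the map is an assumption that holds for these two detonations only), and checks the facts a triager would check. The list of system binary names is taken from the report's process lists.

```python
import re
from pathlib import PureWindowsPath

# The two "Set value (str)" rows from the Run-key tables in this report,
# in the sandbox's own format with doubled backslashes in the value.
RUN_KEY_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\1AsX\\icardagt.exe" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\079\\shrpubw.exe" N/A N/A
"""

ROW_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\'
    r'(?P<key>\S+\\CurrentVersion\\Run)\\(?P<name>\S+) = "(?P<value>.*)" N/A N/A$'
)

# 8.3 short names expanded from long paths elsewhere in this report.
# Assumption: short names are per directory, so this map is only known to
# hold for the two detonations above.
SHORT_NAMES = {"MICROS~1": "Microsoft", "NETWOR~1": "Network Shortcuts",
               "STARTM~1": "Start Menu"}

# Binaries the report shows running from C:\Windows\system32.
SYSTEM_EXE_NAMES = {"tabcal.exe", "icardagt.exe", "rdrleakdiag.exe",
                    "applicationframehost.exe", "shrpubw.exe",
                    "systempropertiesperformance.exe"}

def parse_run_rows(text):
    """Return [{'sid', 'key', 'name', 'command'}] with backslashes unescaped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"sid": m["sid"], "key": m["key"], "name": m["name"],
                         "command": m["value"].replace("\\\\", "\\")})
    return rows

def expand_short_names(path):
    """Replace known 8.3 components so the path can be matched against the Files listing."""
    return "\\".join(SHORT_NAMES.get(part, part) for part in path.split("\\"))

def assess(row):
    """Facts to check for a Run value: where it points, whether the image is a
    Windows binary name living outside Windows, and whether short names hide the path."""
    target = expand_short_names(row["command"])
    parts = [x.lower() for x in PureWindowsPath(target).parts]
    return {
        "sid": row["sid"],
        "value_name": row["name"],
        "target": target,
        "under_user_profile": len(parts) > 1 and parts[1] == "users",
        "system_binary_name": parts[-1] in SYSTEM_EXE_NAMES,
        "uses_short_names": any("~" in p for p in row["command"].split("\\")),
    }

def suspicious(row):
    """A Windows binary name started from the user profile: the pattern in both detonations."""
    a = assess(row)
    return a["under_user_profile"] and a["system_binary_name"]

if __name__ == "__main__":
    for row in parse_run_rows(RUN_KEY_ROWS):
        print(suspicious(row), assess(row))
```

When matching Run values against a file listing or an allowlist, compare the expanded path and the basename separately: the expanded path is what the Files section records, and the basename is what identifies the copied Windows binary regardless of the random directory name.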

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Bg7M\ApplicationFrameHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\09WwKjxp\SystemPropertiesPerformance.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further hits with no process recorded)

Suspicious use of WriteProcessMemory

PID 3444 (unnamed in the report; the memory dumps show the same 0x0000000140000000-0x0000000140210000 image in it as in PID 4460) writes twice each into the genuine and the staged copies of ApplicationFrameHost.exe and SystemPropertiesPerformance.exe, but only into the System32 shrpubw.exe and into the svchost.exe instance hosting the BITS service; the staged wKxM8\shrpubw.exe ran (see Processes) but received no recorded write.

Description Indicator Process Target
PID 3444 wrote to memory of 2316 N/A N/A C:\Windows\system32\ApplicationFrameHost.exe
PID 3444 wrote to memory of 2316 N/A N/A C:\Windows\system32\ApplicationFrameHost.exe
PID 3444 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\Bg7M\ApplicationFrameHost.exe
PID 3444 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\Bg7M\ApplicationFrameHost.exe
PID 3444 wrote to memory of 952 N/A N/A C:\Windows\system32\shrpubw.exe
PID 3444 wrote to memory of 952 N/A N/A C:\Windows\system32\shrpubw.exe
PID 3444 wrote to memory of 3032 N/A N/A C:\Windows\System32\svchost.exe
PID 3444 wrote to memory of 3032 N/A N/A C:\Windows\System32\svchost.exe
PID 3444 wrote to memory of 3844 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3444 wrote to memory of 3844 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3444 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\09WwKjxp\SystemPropertiesPerformance.exe
PID 3444 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\09WwKjxp\SystemPropertiesPerformance.exe
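Taken together with the behavioral1 table, the WriteProcessMemory rows describe one loader behaviour: the source PID (1232 on Windows 7, 3444 on Windows 10, neither named by the report) writes into a genuine binary started from System32 and then into the staged copy of the same binary under AppData\Local, with svchost.exe (BITS) and the System32 shrpubw.exe as genuine-only targets in behavioral2. The script below is an added example, not part of the report, that parses the rows of both tables as printed above (one line per recorded write), counts the writes per target, and separates the copy-then-inject pairs from the genuine-only targets. Deciding "genuine" versus "staged" purely from whether the image path is under the Windows directory is an assumption made here.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Rows from the two "Suspicious use of WriteProcessMemory" tables in this
# report, one line per recorded write (behavioral1: PID 1232,
# behavioral2: PID 3444).
WPM_ROWS = r"""
PID 1232 wrote to memory of 2492 N/A N/A C:\Windows\system32\tabcal.exe
PID 1232 wrote to memory of 2492 N/A N/A C:\Windows\system32\tabcal.exe
PID 1232 wrote to memory of 2492 N/A N/A C:\Windows\system32\tabcal.exe
PID 1232 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe
PID 1232 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe
PID 1232 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\bZSlh83\tabcal.exe
PID 1232 wrote to memory of 1852 N/A N/A C:\Windows\system32\icardagt.exe
PID 1232 wrote to memory of 1852 N/A N/A C:\Windows\system32\icardagt.exe
PID 1232 wrote to memory of 1852 N/A N/A C:\Windows\system32\icardagt.exe
PID 1232 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe
PID 1232 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe
PID 1232 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\MISQZKzY\icardagt.exe
PID 1232 wrote to memory of 2068 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1232 wrote to memory of 2068 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1232 wrote to memory of 2068 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1232 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe
PID 1232 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe
PID 1232 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\k5ZvGLujJ\rdrleakdiag.exe
PID 3444 wrote to memory of 2316 N/A N/A C:\Windows\system32\ApplicationFrameHost.exe
PID 3444 wrote to memory of 2316 N/A N/A C:\Windows\system32\ApplicationFrameHost.exe
PID 3444 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\Bg7M\ApplicationFrameHost.exe
PID 3444 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\Bg7M\ApplicationFrameHost.exe
PID 3444 wrote to memory of 952 N/A N/A C:\Windows\system32\shrpubw.exe
PID 3444 wrote to memory of 952 N/A N/A C:\Windows\system32\shrpubw.exe
PID 3444 wrote to memory of 3032 N/A N/A C:\Windows\System32\svchost.exe
PID 3444 wrote to memory of 3032 N/A N/A C:\Windows\System32\svchost.exe
PID 3444 wrote to memory of 3844 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3444 wrote to memory of 3844 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3444 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\09WwKjxp\SystemPropertiesPerformance.exe
PID 3444 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\09WwKjxp\SystemPropertiesPerformance.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A N/A (.+)$")

def parse_wpm(text):
    """One (source_pid, target_pid, target_image) tuple per table row."""
    matches = (ROW_RE.match(line.strip()) for line in text.strip().splitlines())
    return [(int(m[1]), int(m[2]), m[3]) for m in matches if m]

def in_windows_dir(image):
    """True when the image sits under the Windows directory on the drive root."""
    parts = PureWindowsPath(image).parts
    return len(parts) > 1 and parts[1].lower() == "windows"

def write_counts(rows):
    """Collapse repeated rows: (src, dst, image) -> number of recorded writes."""
    return Counter(rows)

def targets_by_name(rows):
    """Group target PIDs by image basename into 'genuine' (under Windows) and
    'staged' (a copy of that binary living anywhere else)."""
    groups = defaultdict(lambda: {"genuine": [], "staged": []})
    for _src, dst, image in rows:
        bucket = groups[PureWindowsPath(image).name.lower()]
        kind = "genuine" if in_windows_dir(image) else "staged"
        if dst not in bucket[kind]:
            bucket[kind].append(dst)
    return dict(groups)

def classify(rows, src=None):
    """For one source PID (or all rows), split target names into the
    copy-then-inject pattern (genuine binary and staged copy both written to)
    and names where only the genuine binary was written to."""
    g = targets_by_name([r for r in rows if src is None or r[0] == src])
    return {
        "copy_then_inject": sorted(n for n, b in g.items() if b["genuine"] and b["staged"]),
        "genuine_only": sorted(n for n, b in g.items() if b["genuine"] and not b["staged"]),
    }

if __name__ == "__main__":
    rows = parse_wpm(WPM_ROWS)
    for src in sorted({r[0] for r in rows}):
        print(src, classify(rows, src))
    for (src, dst, image), n in sorted(write_counts(rows).items()):
        print(f"{src} -> {dst} x{n} {image}")
```

The genuine-only bucket is what distinguishes the two runs: on Windows 10 the loader also writes into the BITS svchost.exe, which has no staged counterpart, so a detection keyed only on the copy-then-inject pairs would miss that target.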

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\eaf0253303d762297bfe8a16d4011c06.dll,#1

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe

C:\Users\Admin\AppData\Local\Bg7M\ApplicationFrameHost.exe

C:\Users\Admin\AppData\Local\Bg7M\ApplicationFrameHost.exe

C:\Users\Admin\AppData\Local\09WwKjxp\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\09WwKjxp\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\wKxM8\shrpubw.exe

C:\Users\Admin\AppData\Local\wKxM8\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

Network

The report records no originating process per connection. The entries are reverse-DNS (in-addr.arpa) queries to 8.8.8.8, port 80 and 443 connections to a few addresses the report leaves unlabeled, and lookups of tse1.mm.bing.net; none is identified as a Dridex command-and-control contact, and behavioral1 recorded no network activity at all, so nothing in this list should be treated as an indicator for the sample without corroboration.

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
GB 88.221.135.217:80 tcp
GB 88.221.135.217:80 tcp
GB 88.221.135.217:80 tcp
GB 88.221.135.217:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
US 8.8.8.8:53 udp
N/A 88.221.134.32:80 tcp
GB 88.221.135.217:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 88.221.134.32:80 tcp
GB 96.17.178.174:80 tcp
US 8.8.8.8:53 udp
N/A 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
N/A 96.16.110.114:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
N/A 96.16.110.114:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
N/A 96.16.110.114:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
US 8.8.8.8:53 udp
GB 88.221.135.217:80 tcp
GB 88.221.135.217:80 tcp
US 8.8.8.8:53 udp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.74.47.205:443 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 udp
GB 88.221.134.18:80 tcp
GB 88.221.134.18:80 tcp

Files

memory/4460-0-0x0000000140000000-0x0000000140210000-memory.dmp

memory/4460-2-0x00000195875C0000-0x00000195875C7000-memory.dmp

memory/3444-15-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-22-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-29-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-35-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-41-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-47-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-52-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-56-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-58-0x0000000000A90000-0x0000000000A97000-memory.dmp

memory/3444-65-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-57-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-75-0x0000000140000000-0x0000000140210000-memory.dmp

memory/4568-86-0x000001DC8A060000-0x000001DC8A067000-memory.dmp

memory/3032-103-0x000002DF18020000-0x000002DF18027000-memory.dmp

memory/2132-120-0x000001CF8C110000-0x000001CF8C117000-memory.dmp

memory/3444-66-0x00007FF915260000-0x00007FF915270000-memory.dmp

memory/3444-55-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-54-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-53-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-51-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-50-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-49-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-48-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-46-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-45-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-44-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-43-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-42-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-40-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-39-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-38-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-37-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-36-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-34-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-33-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-32-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-31-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-30-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-28-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-27-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-26-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-25-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-24-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-23-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-21-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-20-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-19-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-18-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-17-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-16-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-14-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-13-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-12-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-11-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-10-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-9-0x00007FF913FCA000-0x00007FF913FCB000-memory.dmp

memory/3444-8-0x0000000140000000-0x0000000140210000-memory.dmp

memory/4460-7-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-6-0x0000000140000000-0x0000000140210000-memory.dmp

memory/3444-4-0x0000000002470000-0x0000000002471000-memory.dmp