Malware Analysis Report

2024-11-30 21:27

Sample ID 231222-twhy4ahfd8
Target edfa77cc042165230bda125457230eff
SHA256 f950e61cdd81d2cf15ee868489a6b5d887fc9a4d3ca4ab69928dda40b131274b
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f950e61cdd81d2cf15ee868489a6b5d887fc9a4d3ca4ab69928dda40b131274b

Threat Level: Known bad

The file edfa77cc042165230bda125457230eff was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 16:24

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 16:24

Reported

2023-12-24 06:24

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\edfa77cc042165230bda125457230eff.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\hxU\shrpubw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\nGWnU7c7\SnippingTool.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\IBl2lv9X9\RDVGHelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6RepiR\dwm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\vXy2uIWQuY\\RDVGHelper.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hxU\shrpubw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\nGWnU7c7\SnippingTool.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\IBl2lv9X9\RDVGHelper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6RepiR\dwm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 1184 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1388 wrote to memory of 1184 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1388 wrote to memory of 1184 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1388 wrote to memory of 1008 N/A N/A C:\Users\Admin\AppData\Local\hxU\shrpubw.exe
PID 1388 wrote to memory of 1008 N/A N/A C:\Users\Admin\AppData\Local\hxU\shrpubw.exe
PID 1388 wrote to memory of 1008 N/A N/A C:\Users\Admin\AppData\Local\hxU\shrpubw.exe
PID 1388 wrote to memory of 952 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1388 wrote to memory of 952 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1388 wrote to memory of 952 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1388 wrote to memory of 2240 N/A N/A C:\Users\Admin\AppData\Local\nGWnU7c7\SnippingTool.exe
PID 1388 wrote to memory of 2240 N/A N/A C:\Users\Admin\AppData\Local\nGWnU7c7\SnippingTool.exe
PID 1388 wrote to memory of 2240 N/A N/A C:\Users\Admin\AppData\Local\nGWnU7c7\SnippingTool.exe
PID 1388 wrote to memory of 1304 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1388 wrote to memory of 1304 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1388 wrote to memory of 1304 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1388 wrote to memory of 1676 N/A N/A C:\Users\Admin\AppData\Local\IBl2lv9X9\RDVGHelper.exe
PID 1388 wrote to memory of 1676 N/A N/A C:\Users\Admin\AppData\Local\IBl2lv9X9\RDVGHelper.exe
PID 1388 wrote to memory of 1676 N/A N/A C:\Users\Admin\AppData\Local\IBl2lv9X9\RDVGHelper.exe
PID 1388 wrote to memory of 1276 N/A N/A C:\Windows\system32\dwm.exe
PID 1388 wrote to memory of 1276 N/A N/A C:\Windows\system32\dwm.exe
PID 1388 wrote to memory of 1276 N/A N/A C:\Windows\system32\dwm.exe
PID 1388 wrote to memory of 1972 N/A N/A C:\Users\Admin\AppData\Local\6RepiR\dwm.exe
PID 1388 wrote to memory of 1972 N/A N/A C:\Users\Admin\AppData\Local\6RepiR\dwm.exe
PID 1388 wrote to memory of 1972 N/A N/A C:\Users\Admin\AppData\Local\6RepiR\dwm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\edfa77cc042165230bda125457230eff.dll,#1

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\hxU\shrpubw.exe

C:\Users\Admin\AppData\Local\hxU\shrpubw.exe

C:\Windows\system32\SnippingTool.exe

C:\Windows\system32\SnippingTool.exe

C:\Users\Admin\AppData\Local\nGWnU7c7\SnippingTool.exe

C:\Users\Admin\AppData\Local\nGWnU7c7\SnippingTool.exe

C:\Windows\system32\RDVGHelper.exe

C:\Windows\system32\RDVGHelper.exe

C:\Users\Admin\AppData\Local\IBl2lv9X9\RDVGHelper.exe

C:\Users\Admin\AppData\Local\IBl2lv9X9\RDVGHelper.exe

C:\Windows\system32\dwm.exe

C:\Windows\system32\dwm.exe

C:\Users\Admin\AppData\Local\6RepiR\dwm.exe

C:\Users\Admin\AppData\Local\6RepiR\dwm.exe

Network

N/A

Files

\Users\Admin\AppData\Local\hxU\shrpubw.exe

MD5 29e6d0016611c8f948db5ea71372f76c
SHA1 01d007a01020370709cd6580717f9ace049647e8
SHA256 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
SHA512 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

C:\Users\Admin\AppData\Local\hxU\ACLUI.dll

MD5 7c5c8545b599de4f5c7a42fca254b37c
SHA1 fc1179597a8e14a1b052c95010dd293d30abfb52
SHA256 a60ad920f4d0575e1be6946001d09f136bafc318626e67457fdd58eb30611759
SHA512 eef99ddbd1fec01da52a525515be40486b5d471bf5a7037d863842fba7d9565222cd88391a0df1620fcc38175f21e83a44e4c6ceed671a2bc3e8b14930bcecd2

\Users\Admin\AppData\Local\nGWnU7c7\SnippingTool.exe

MD5 7633f554eeafde7f144b41c2fcaf5f63
SHA1 44497c3d6fada0066598a6170b90c53e28ddf96c
SHA256 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
SHA512 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

C:\Users\Admin\AppData\Local\nGWnU7c7\UxTheme.dll

MD5 070a87dcaa26b88b5162af4e8a3a39c7
SHA1 cdd94e0d2f63c5613a976c4a10422b8f5b49d71d
SHA256 7b53cf6c53ca97077772426962662a6e85a22d5026ef93a4735786b7df5fa63f
SHA512 88c399d7fea70e658d00b9c65bfbd43d992bfefe38fd2e56f720032d29039bbe9fc8185b81b092d8887089474bf69e9a05549c324450f74ab44d386bb8ece021

\Users\Admin\AppData\Local\nGWnU7c7\UxTheme.dll

MD5 913f6f240f8476ebd53708907f7b9790
SHA1 80cceceeaa76ab2a3c7263182dde628acdac2104
SHA256 61143c17163268c6d0360b32551c94a8f5298bd3a2f71e5ae9d29c3e2a1d1f90
SHA512 5a717741cb9bfad117fe0662a9c70c2139c3ce7fa95f6fdf473ae188c32a5cd5bf4ee8965b372b20b028b38cf540ef9880d4bc0ce52e6b3ea3a10e976b10f0cf

\Users\Admin\AppData\Local\IBl2lv9X9\RDVGHelper.exe

MD5 53fda4af81e7c4895357a50e848b7cfe
SHA1 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f
SHA256 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038
SHA512 dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

C:\Users\Admin\AppData\Local\IBl2lv9X9\WTSAPI32.dll

MD5 5086ff5eb693644156a1b995127c5708
SHA1 a2da2376b162da168f10e98c9773cbcf141a252e
SHA256 eefb5822fb0cee9a11e37423b843ac08f6f2b25253b9e1c12b209d1a7a61a7f5
SHA512 ba6f967fcc0cb0dd865b9b096e22e4c3ab9fc5f5ab6d67ade39d15ccfd966b3190add5eec4ed6f1c839731e59f6bcefabd4834fed5c65c8ef98a74979f57c4b5

\Users\Admin\AppData\Local\6RepiR\dwm.exe

MD5 f162d5f5e845b9dc352dd1bad8cef1bc
SHA1 35bc294b7e1f062ef5cb5fa1bd3fc942a3e37ae2
SHA256 8a7b7528db30ab123b060d8e41954d95913c07bb40cdae32e97f9edb0baf79c7
SHA512 7077e800453a4564a24af022636a2f6547bdae2c9c6f4ed080d0c98415ecc4fbf538109cbebd456e321b9b74a00613d647b63998e31925fbd841fc9d4613e851

C:\Users\Admin\AppData\Local\6RepiR\UxTheme.dll

MD5 43cff4b0205a64187e88df7002240dd3
SHA1 04f36fbef2e8bdcec625466b715512c41e09a77a
SHA256 d991ac20ce927603814ee5d36de39aa25920caaff723016ff1a22353db298f9a
SHA512 361c59c7e9d08e065d3d362a9674b31611a11bb09286d353a1bcc9257a684a6d944ea3af3a691d44cc78fdb19973b39122953f8211aea7bb0e7fe367c9f7dbcd

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 37b08f3755771a2ded60145ce76a7aea
SHA1 1d30e1e0533802ca7a19fc281149e7ff98c40509
SHA256 663d43aa9d9cc6d00c05608a6248ffcfdf9b534f63153f97a3d9f1766f8950e4
SHA512 de40cfd7e046b2d89376f64adaf8ff0628e6477b102a6d0cb97033da2987c8d374e3c1008f505935b8f488b6f1f89aeb67cf6486f2c75c7d08339f0f25ad58ef

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 16:24

Reported

2023-12-24 06:24

Platform

win10v2004-20231215-en

Max time kernel

45s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\edfa77cc042165230bda125457230eff.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\dthsL8W\\BdeUISrv.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RGOVIeauk\isoburn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\R9t5FTlg\BdeUISrv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\lEPRtFIT4\ie4uinit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3484 wrote to memory of 3028 N/A N/A C:\Windows\system32\isoburn.exe
PID 3484 wrote to memory of 3028 N/A N/A C:\Windows\system32\isoburn.exe
PID 3484 wrote to memory of 4256 N/A N/A C:\Users\Admin\AppData\Local\RGOVIeauk\isoburn.exe
PID 3484 wrote to memory of 4256 N/A N/A C:\Users\Admin\AppData\Local\RGOVIeauk\isoburn.exe
PID 3484 wrote to memory of 2424 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 3484 wrote to memory of 2424 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 3484 wrote to memory of 4220 N/A N/A C:\Users\Admin\AppData\Local\R9t5FTlg\BdeUISrv.exe
PID 3484 wrote to memory of 4220 N/A N/A C:\Users\Admin\AppData\Local\R9t5FTlg\BdeUISrv.exe
PID 3484 wrote to memory of 860 N/A N/A C:\Windows\system32\ie4uinit.exe
PID 3484 wrote to memory of 860 N/A N/A C:\Windows\system32\ie4uinit.exe
PID 3484 wrote to memory of 4956 N/A N/A C:\Users\Admin\AppData\Local\lEPRtFIT4\ie4uinit.exe
PID 3484 wrote to memory of 4956 N/A N/A C:\Users\Admin\AppData\Local\lEPRtFIT4\ie4uinit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\edfa77cc042165230bda125457230eff.dll,#1

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\lEPRtFIT4\ie4uinit.exe

C:\Users\Admin\AppData\Local\lEPRtFIT4\ie4uinit.exe

C:\Windows\system32\ie4uinit.exe

C:\Windows\system32\ie4uinit.exe

C:\Users\Admin\AppData\Local\R9t5FTlg\BdeUISrv.exe

C:\Users\Admin\AppData\Local\R9t5FTlg\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\RGOVIeauk\isoburn.exe

C:\Users\Admin\AppData\Local\RGOVIeauk\isoburn.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
