Malware Analysis Report

2024-11-30 21:24

Sample ID 231222-tx31naabc8
Target ef80a26b9b53544e6ece76e1f163edfe
SHA256 3e4452a0f8ad4d71bf7fa8a9f39acd16c2dc8480781308d33208229f188f6540
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

3e4452a0f8ad4d71bf7fa8a9f39acd16c2dc8480781308d33208229f188f6540

Threat Level: Known bad

The file ef80a26b9b53544e6ece76e1f163edfe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 16:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 16:27

Reported

2023-12-24 06:40

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef80a26b9b53544e6ece76e1f163edfe.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eYqf N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eYqf\ACTIVEDS.dll N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eYqf\vmicsvc.exe N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\eYqf\\vmicsvc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1348 wrote to memory of 1184 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1348 wrote to memory of 1184 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1348 wrote to memory of 1184 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1348 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe
PID 1348 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe
PID 1348 wrote to memory of 1772 N/A N/A C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe
PID 1348 wrote to memory of 1080 N/A N/A C:\Windows\system32\vmicsvc.exe
PID 1348 wrote to memory of 1080 N/A N/A C:\Windows\system32\vmicsvc.exe
PID 1348 wrote to memory of 1080 N/A N/A C:\Windows\system32\vmicsvc.exe
PID 1348 wrote to memory of 2520 N/A N/A C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe
PID 1348 wrote to memory of 2520 N/A N/A C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe
PID 1348 wrote to memory of 2520 N/A N/A C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe
PID 1348 wrote to memory of 1488 N/A N/A C:\Windows\system32\spinstall.exe
PID 1348 wrote to memory of 1488 N/A N/A C:\Windows\system32\spinstall.exe
PID 1348 wrote to memory of 1488 N/A N/A C:\Windows\system32\spinstall.exe
PID 1348 wrote to memory of 1500 N/A N/A C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe
PID 1348 wrote to memory of 1500 N/A N/A C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe
PID 1348 wrote to memory of 1500 N/A N/A C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef80a26b9b53544e6ece76e1f163edfe.dll

C:\Windows\system32\fveprompt.exe

C:\Windows\system32\fveprompt.exe

C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe

C:\Users\Admin\AppData\Local\iuLTb\fveprompt.exe

C:\Windows\system32\vmicsvc.exe

C:\Windows\system32\vmicsvc.exe

C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe

C:\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe

C:\Windows\system32\spinstall.exe

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe

C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe

Network

N/A

Files

\Users\Admin\AppData\Local\iuLTb\fveprompt.exe

MD5 dc2c44a23b2cd52bd53accf389ae14b2
SHA1 e36c7b6f328aa2ab2f52478169c52c1916f04b5f
SHA256 7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921
SHA512 ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

C:\Users\Admin\AppData\Local\iuLTb\slc.dll

MD5 328ccef172dc5e8a8c396d36fba2551b
SHA1 9d0b2e41a398c3ab0409b84e92ae35b12775efdf
SHA256 bb2db008dd95d05a6aea5ae9c5574821ab658eb80e7688d6b0b3dc471c0f636b
SHA512 c3dda410bbdc734c0d0702bb818d141b1c5253272684ecce90a2ccae949512ac4cdf13e588e6aa13bcf3a287da1d9c33950e85e984c48d68f39638221a28b56a

\Users\Admin\AppData\Local\m5ww5z\vmicsvc.exe

MD5 79e14b291ca96a02f1eb22bd721deccd
SHA1 4c8dbff611acd8a92cd2280239f78bebd2a9947e
SHA256 d829166db30923406a025bf33d6a0997be0a3df950114d1f34547a9525b749e8
SHA512 f3d1fa7732b6b027bbaf22530331d27ede85f92c9fd64f940139fd262bd7468211a8a54c835d3934b1974b3d8ecddefa79ea77901b9ef49ab36069963693f988

C:\Users\Admin\AppData\Local\m5ww5z\ACTIVEDS.dll

MD5 309c032f61cb6b6e4f85d083eb6eab2b
SHA1 5efb986efe2112a5cd17c8376ddbae6bd488c23b
SHA256 57f6c5dc7ae4cb8d2b3893cedfa27c68d1492107374e16a5f83408ebf6a5ca91
SHA512 8796eae17928ecbb7fefffacfa4448bc91111aae797fcedfce8af699c1c15174560152639fbbce529e4862cf81d82310558e7ab6bd735f763234cbd26c10ce7a

\Users\Admin\AppData\Local\DAXqf\spinstall.exe

MD5 6c2f0a55f91dec2b88dd1c42ce6fde72
SHA1 aba5287888d06e844fee88afac434e9bd42a17cf
SHA256 71a4d830171741a1a3009f7ad79b878647aefd1a5edc748480f1a26b409aa88a
SHA512 b46b0d4fb10f98542e089f7b0f6d2f0dc593d48451e7271e05b42973afe2701ff37710f3494c11d71c69afe82416bf8a151752951786ca03b91d27490607abe3

C:\Users\Admin\AppData\Local\DAXqf\spinstall.exe

MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

C:\Users\Admin\AppData\Local\DAXqf\wer.dll

MD5 78de0b7d33a5cc6198e5dd1827179030
SHA1 3ba19cc89923b3921d311440f45a41f0fd055dab
SHA256 1e8269aa0a7a6ec478ca1b25b6c1c603d5085c760a24ba84419fb477d8609da4
SHA512 0f4379fe7b7b22d90197e5d7f338fdcd5425f9ef3068fdd5aa7eaadba92a8a1bff80fa584a713ad6d2cb452f0b92e9d6304c28b85b453d78cb540351b9988765

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 b22410cba545caa35d03c869f92fbd1e
SHA1 62e50801a38c1be96ff26356899a22e69da74ab6
SHA256 a1fc6344065578caf335ca4181bd69ce0d9e17d639e481acdab41ef18fa77b54
SHA512 bce4263393b4ea4d8f84163fc0da4ecebe90eaffe96e45ff7f53a5eb0601acb5fe223e0e838bf50fae357ef56d42be0ef09adebec8ca9aebae1fb406f9a414fb

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 16:27

Reported

2023-12-24 06:40

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef80a26b9b53544e6ece76e1f163edfe.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1232405761-1209240240-3206092754-1000\\uBs\\MoUsoCoreWorker.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\YhM\dxgiadaptercache.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hRSYc8\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5zk8\FXSCOVER.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3396 wrote to memory of 1976 N/A N/A C:\Windows\system32\dxgiadaptercache.exe
PID 3396 wrote to memory of 1976 N/A N/A C:\Windows\system32\dxgiadaptercache.exe
PID 3396 wrote to memory of 1092 N/A N/A C:\Users\Admin\AppData\Local\YhM\dxgiadaptercache.exe
PID 3396 wrote to memory of 1092 N/A N/A C:\Users\Admin\AppData\Local\YhM\dxgiadaptercache.exe
PID 3396 wrote to memory of 3932 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3396 wrote to memory of 3932 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3396 wrote to memory of 4440 N/A N/A C:\Users\Admin\AppData\Local\hRSYc8\MoUsoCoreWorker.exe
PID 3396 wrote to memory of 4440 N/A N/A C:\Users\Admin\AppData\Local\hRSYc8\MoUsoCoreWorker.exe
PID 3396 wrote to memory of 4676 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3396 wrote to memory of 4676 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3396 wrote to memory of 896 N/A N/A C:\Users\Admin\AppData\Local\5zk8\FXSCOVER.exe
PID 3396 wrote to memory of 896 N/A N/A C:\Users\Admin\AppData\Local\5zk8\FXSCOVER.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ef80a26b9b53544e6ece76e1f163edfe.dll

C:\Windows\system32\dxgiadaptercache.exe

C:\Windows\system32\dxgiadaptercache.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\hRSYc8\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\hRSYc8\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\YhM\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\YhM\dxgiadaptercache.exe

C:\Users\Admin\AppData\Local\5zk8\FXSCOVER.exe

C:\Users\Admin\AppData\Local\5zk8\FXSCOVER.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\TENySq7mwF2\MFC42u.dll

MD5 83031cf1450e516aedc8c530151c0414
SHA1 7b9809a01920af7a1e452ed16081d9daa38cf019
SHA256 dd3365e977ff2978959f820a75f09a91bd881a45d17dc9f2a509737f98ae7d2e
SHA512 cfbafe2bfda1983bd9a44f065f0a808f471d98244bcbe64bcbeae04a18236b12da9b9b96684b0b1d72ed46836d60d119b487ee54924933938a7d22243ee1b778