Malware Analysis Report

2024-11-30 21:25

Sample ID: 231222-tyj9yaacb7
Target: efedcd108046b223d56049091b408298
SHA256: 1f4c47d15d65d51f2b6dd680a7318d3639e0cfbcad702ba30e93a4a301d1ac06
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 1f4c47d15d65d51f2b6dd680a7318d3639e0cfbcad702ba30e93a4a301d1ac06

Threat Level: Known bad

The file efedcd108046b223d56049091b408298 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2023-12-22 16:27

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-22 16:27

Reported: 2023-12-24 06:43

Platform: win7-20231215-en

Max time kernel: 150s

Max time network: 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\efedcd108046b223d56049091b408298.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Process: C:\Users\Admin\AppData\Local\xNIThL\rrinstaller.exe
Process: C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe
Process: C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE

Adds Run key to start application

persistence
Set value (str): \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\bMv4n1\\StikyNot.exe"

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: C:\Windows\system32\rundll32.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: C:\Users\Admin\AppData\Local\xNIThL\rrinstaller.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe)

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\system32\rundll32.exe

Suspicious use of WriteProcessMemory

PID 1264 wrote to memory of 2012 (target: C:\Windows\system32\rrinstaller.exe)
PID 1264 wrote to memory of 1160 (target: C:\Users\Admin\AppData\Local\xNIThL\rrinstaller.exe)
PID 1264 wrote to memory of 2784 (target: C:\Windows\system32\StikyNot.exe)
PID 1264 wrote to memory of 2992 (target: C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe)
PID 1264 wrote to memory of 2268 (target: C:\Windows\system32\DWWIN.EXE)
PID 1264 wrote to memory of 1764 (target: C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\efedcd108046b223d56049091b408298.dll,#1

C:\Windows\system32\rrinstaller.exe

C:\Users\Admin\AppData\Local\xNIThL\rrinstaller.exe

C:\Windows\system32\StikyNot.exe

C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE

Network

N/A

Files

\Users\Admin\AppData\Local\xNIThL\rrinstaller.exe

C:\Users\Admin\AppData\Local\xNIThL\MFPlat.DLL

\Users\Admin\AppData\Local\xNIThL\MFPlat.DLL

C:\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe

\Users\Admin\AppData\Local\KfEscQo\DUI70.dll

C:\Users\Admin\AppData\Local\KfEscQo\DUI70.dll

\Users\Admin\AppData\Local\KfEscQo\StikyNot.exe

\Users\Admin\AppData\Local\jXoyCGCgT\wer.dll

C:\Users\Admin\AppData\Local\jXoyCGCgT\wer.dll

C:\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE

\Users\Admin\AppData\Local\jXoyCGCgT\DWWIN.EXE

\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\tIKFeICP\DWWIN.EXE

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\2U7v7yng\MFPlat.DLL

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\bMv4n1\DUI70.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\tIKFeICP\wer.dll

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-22 16:27

Reported: 2023-12-24 06:43

Platform: win10v2004-20231215-en

Max time kernel: 112s

Max time network: 155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\efedcd108046b223d56049091b408298.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Set value (str): \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\dHPI5R8WWrB\\cmstp.exe"

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: C:\Windows\system32\rundll32.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: C:\Users\Admin\AppData\Local\G6u9N\psr.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: C:\Users\Admin\AppData\Local\Po1\cmstp.exe)
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: C:\Users\Admin\AppData\Local\nyjLiKKi\WMPDMC.exe)

Suspicious behavior: EnumeratesProcesses

Process: C:\Windows\system32\rundll32.exe

Suspicious use of WriteProcessMemory

PID 3592 wrote to memory of 740 (target: C:\Windows\system32\psr.exe)
PID 3592 wrote to memory of 1764 (target: C:\Users\Admin\AppData\Local\G6u9N\psr.exe)
PID 3592 wrote to memory of 4596 (target: C:\Windows\system32\consent.exe)
PID 3592 wrote to memory of 3712 (target: C:\Users\Admin\AppData\Local\sXDkX4\consent.exe)
PID 3592 wrote to memory of 1908 (target: C:\Windows\system32\cmstp.exe)
PID 3592 wrote to memory of 4212 (target: C:\Users\Admin\AppData\Local\Po1\cmstp.exe)
PID 3592 wrote to memory of 3572 (target: C:\Windows\system32\WMPDMC.exe)
PID 3592 wrote to memory of 1868 (target: C:\Users\Admin\AppData\Local\nyjLiKKi\WMPDMC.exe)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\efedcd108046b223d56049091b408298.dll,#1

C:\Users\Admin\AppData\Local\G6u9N\psr.exe

C:\Windows\system32\psr.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\WMPDMC.exe

C:\Users\Admin\AppData\Local\nyjLiKKi\WMPDMC.exe

C:\Users\Admin\AppData\Local\Po1\cmstp.exe

C:\Users\Admin\AppData\Local\sXDkX4\consent.exe

Network


Files

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\T1vER\XmlLite.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\dHPI5R8WWrB\VERSION.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\RwC\dwmapi.dll