Malware Analysis Report

2024-11-30 21:25

Sample ID: 231226-cpxp8sfhbm
Target: 4c0c037a083e2b1f6b5fcb9c68263c5a
SHA256: 7c710407ba8ed2c0d2f970a81715d7982ddd44ad0838bfefdca8119350325bc4
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 7c710407ba8ed2c0d2f970a81715d7982ddd44ad0838bfefdca8119350325bc4

Threat Level: Known bad

The file 4c0c037a083e2b1f6b5fcb9c68263c5a was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, persistence, trojan

Dridex

Dridex Shellcode

Dridex payload

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Modifies registry class

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2023-12-26 02:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 02:15

Reported

2023-12-27 04:13

Platform

win7-20231215-en

Max time kernel

151s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0c037a083e2b1f6b5fcb9c68263c5a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\BVRAXD~1\\DWWIN.EXE" C:\Windows\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wuyKxiO\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WU2HYkr\DWWIN.EXE N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\B2E\Netplwiz.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 1896 N/A C:\Windows\explorer.exe C:\Windows\system32\sethc.exe
PID 2896 wrote to memory of 2244 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\wuyKxiO\sethc.exe
PID 2896 wrote to memory of 2372 N/A C:\Windows\explorer.exe C:\Windows\system32\DWWIN.EXE
PID 2896 wrote to memory of 1360 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\WU2HYkr\DWWIN.EXE
PID 2896 wrote to memory of 2368 N/A C:\Windows\explorer.exe C:\Windows\system32\Netplwiz.exe
PID 2896 wrote to memory of 2288 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\B2E\Netplwiz.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0c037a083e2b1f6b5fcb9c68263c5a.dll,#1

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\sethc.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\wuyKxiO\sethc.exe

C:\Users\Admin\AppData\Local\wuyKxiO\sethc.exe

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\WU2HYkr\DWWIN.EXE

C:\Users\Admin\AppData\Local\WU2HYkr\DWWIN.EXE

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Users\Admin\AppData\Local\B2E\Netplwiz.exe

C:\Users\Admin\AppData\Local\B2E\Netplwiz.exe

Network

N/A

Files

\Users\Admin\AppData\Local\wuyKxiO\sethc.exe

MD5 526924c3f34218a419448b744fadcdea
SHA1 db8b185181de56c223e101e06cf521dcde4f99c9
SHA256 8dc1454e22bf71a457fee6b1ff2518bfde592e7c321276b4cedd89f97ef48f42
SHA512 a8361a18d5e491dbb520a878161eb4ca948a8a6690ee9fc1033dfd65b673a90cc578f5ea04910d76e740a37cf36c2520d343a2468fbf4c55807e7f4e07396966

\Users\Admin\AppData\Local\wuyKxiO\UxTheme.dll

MD5 0863db87b29922d15403a0939089f7e5
SHA1 25fd6c6743c7e2d40c137bcb31acf413ff5fbb02
SHA256 7eaf0f7056462d01a8a95cbe0da22db34d88a2250ca8f8aefff6e72f0ec3c32f
SHA512 3d4d8a6fb88b4057568ea688feb8ba70dae5ec8de193c1e9e3b148f5f955e6d457a6e6509013e44d6bea6e4f9dd7d2ed9df1a0344addfb72ffaa38840ef6065e

C:\Users\Admin\AppData\Local\wuyKxiO\sethc.exe

MD5 3bcb70da9b5a2011e01e35ed29a3f3f3
SHA1 9daecb1ee5d7cbcf46ee154dd642fcd993723a9b
SHA256 dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5
SHA512 69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

\Users\Admin\AppData\Local\WU2HYkr\DWWIN.EXE

MD5 25247e3c4e7a7a73baeea6c0008952b1
SHA1 8087adb7a71a696139ddc5c5abc1a84f817ab688
SHA256 c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050
SHA512 bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

C:\Users\Admin\AppData\Local\WU2HYkr\VERSION.dll

MD5 44e477b53743a23fd57e22462b617b67
SHA1 d3063acf475515c84020619aeec6474719bb5a3c
SHA256 e7871b8464905bcd9de629bcda24eec14cb17f12b1b6413587787e5e15425f79
SHA512 9c98d63158dd796c1d95830920fd3e96ca99b66eaa318b73cb1c1af7163b562393861216366fd60603715f44b661be9656d267245daa3543a7c18471c300777c

\Users\Admin\AppData\Local\B2E\Netplwiz.exe

MD5 e43ec3c800d4c0716613392e81fba1d9
SHA1 37de6a235e978ecf3bb0fc2c864016c5b0134348
SHA256 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
SHA512 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

C:\Users\Admin\AppData\Local\B2E\NETPLWIZ.dll

MD5 2921af0f67f1bf496a7b4c4e2358c305
SHA1 0ece311f9e726baca770772f8040dca935879b11
SHA256 0be4db4ad7e7e34f59babe397f08984b57d4d7d6f6ac1e3694059e6bcd44d457
SHA512 3c391a0102966b1b30207ba487125d36e779e712eb0fea0b79223899c731978b335ad0cb90398c73492e52ca3cdeadffa3a6a23613f80bdcdd9bcedaafadd039

\Users\Admin\AppData\Local\B2E\NETPLWIZ.dll

MD5 6d4bc6da4c5fb0eff6253c7d3facc473
SHA1 828e0e7f1e9c85d68893da182c6269c992f21b31
SHA256 e3dcbb8120c48c08bda90c7f24459a80502557562766096a3cc54ab3d43ce56d
SHA512 3f9156f4f0c2c6bb6ce7309aa1f488aef5d1b6b7ce1f7b2423b7f0f4ed466989203924009f43a39338a1282cbd5e53bd87b816bcd88c681af6b9214c7dd45e44

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

MD5 40113533f6adef00575473f0669f8f60
SHA1 10d8cc9c1cb333555cc8a987fad94a2eacbba600
SHA256 da9cb7c743afe41e54bd143f99f367e9e480e0b600ef3ff7bd9758fe61082d85
SHA512 8be040fa4a0f108e111ba8aee2b15721f95961ce4c639045976166663ce96980f679b36825a4341e123ea14bc3d90571f838f528e4c83ab09c04441df718a379

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\NlOVL\UxTheme.dll

MD5 620429ff8eab888c419cf049a274fe5e
SHA1 33491a8fc87a6b36ce44f1f17f61331fd5c5a994
SHA256 0682794738f770371ef3b865b86a34fa608bebdce1f996cf2f6de86d258b0893
SHA512 f4b31f7710c5edf86b7510ed5500901355e306e5d23573e9355d23eeafa0655b16adf6882e835470d66982f14d5a6ba84887898ee0791181e8660f5f70dceabd

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-26 02:15

Reported

2023-12-27 04:13

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

165s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0c037a083e2b1f6b5fcb9c68263c5a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\45T68C0\\usocoreworker.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ES0Ap6L\usocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\lBF5IK\MDMAppInstaller.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3260 wrote to memory of 5060 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 3260 wrote to memory of 3764 N/A N/A C:\Windows\system32\BackgroundTransferHost.exe
PID 3260 wrote to memory of 4400 N/A N/A C:\Windows\system32\usocoreworker.exe
PID 3260 wrote to memory of 4468 N/A N/A C:\Users\Admin\AppData\Local\ES0Ap6L\usocoreworker.exe
PID 3260 wrote to memory of 5080 N/A N/A C:\Windows\system32\MDMAppInstaller.exe
PID 3260 wrote to memory of 4904 N/A N/A C:\Users\Admin\AppData\Local\lBF5IK\MDMAppInstaller.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4c0c037a083e2b1f6b5fcb9c68263c5a.dll,#1

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\1PI\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\1PI\EhStorAuthn.exe

C:\Windows\system32\usocoreworker.exe

C:\Windows\system32\usocoreworker.exe

C:\Users\Admin\AppData\Local\ES0Ap6L\usocoreworker.exe

C:\Users\Admin\AppData\Local\ES0Ap6L\usocoreworker.exe

C:\Windows\system32\MDMAppInstaller.exe

C:\Windows\system32\MDMAppInstaller.exe

C:\Users\Admin\AppData\Local\lBF5IK\MDMAppInstaller.exe

C:\Users\Admin\AppData\Local\lBF5IK\MDMAppInstaller.exe

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

Network


Files
