Analysis Overview
SHA256
04f8b7b563f8c811e87762301b7669febc953ab55f9442a6fa62776432765757
Threat Level: Known bad
The file 4e5e6fcb83a84d1976bc6ce0355a4f20 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-26 02:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-26 02:58
Reported
2024-01-02 15:33
Platform
win7-20231215-en
Max time kernel
151s
Max time network
137s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\4x6\iexpress.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0V3g\unregmp2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\QGjGe76US\mmc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\4x6\iexpress.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0V3g\unregmp2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\QGjGe76US\mmc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\5CVL\\unregmp2.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\QGjGe76US\mmc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4x6\iexpress.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\0V3g\unregmp2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1224 wrote to memory of 596 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1224 wrote to memory of 596 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1224 wrote to memory of 596 | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1224 wrote to memory of 676 | N/A | N/A | C:\Users\Admin\AppData\Local\4x6\iexpress.exe |
| PID 1224 wrote to memory of 676 | N/A | N/A | C:\Users\Admin\AppData\Local\4x6\iexpress.exe |
| PID 1224 wrote to memory of 676 | N/A | N/A | C:\Users\Admin\AppData\Local\4x6\iexpress.exe |
| PID 1224 wrote to memory of 1836 | N/A | N/A | C:\Windows\system32\unregmp2.exe |
| PID 1224 wrote to memory of 1836 | N/A | N/A | C:\Windows\system32\unregmp2.exe |
| PID 1224 wrote to memory of 1836 | N/A | N/A | C:\Windows\system32\unregmp2.exe |
| PID 1224 wrote to memory of 2248 | N/A | N/A | C:\Users\Admin\AppData\Local\0V3g\unregmp2.exe |
| PID 1224 wrote to memory of 2248 | N/A | N/A | C:\Users\Admin\AppData\Local\0V3g\unregmp2.exe |
| PID 1224 wrote to memory of 2248 | N/A | N/A | C:\Users\Admin\AppData\Local\0V3g\unregmp2.exe |
| PID 1224 wrote to memory of 592 | N/A | N/A | C:\Windows\system32\mmc.exe |
| PID 1224 wrote to memory of 592 | N/A | N/A | C:\Windows\system32\mmc.exe |
| PID 1224 wrote to memory of 592 | N/A | N/A | C:\Windows\system32\mmc.exe |
| PID 1224 wrote to memory of 1108 | N/A | N/A | C:\Users\Admin\AppData\Local\QGjGe76US\mmc.exe |
| PID 1224 wrote to memory of 1108 | N/A | N/A | C:\Users\Admin\AppData\Local\QGjGe76US\mmc.exe |
| PID 1224 wrote to memory of 1108 | N/A | N/A | C:\Users\Admin\AppData\Local\QGjGe76US\mmc.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e5e6fcb83a84d1976bc6ce0355a4f20.dll,#1
C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
C:\Users\Admin\AppData\Local\4x6\iexpress.exe
C:\Users\Admin\AppData\Local\4x6\iexpress.exe
C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
C:\Users\Admin\AppData\Local\0V3g\unregmp2.exe
C:\Users\Admin\AppData\Local\0V3g\unregmp2.exe
C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe
C:\Users\Admin\AppData\Local\QGjGe76US\mmc.exe
C:\Users\Admin\AppData\Local\QGjGe76US\mmc.exe
Network
Files
memory/2776-1-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/2776-0-0x00000000001A0000-0x00000000001A7000-memory.dmp
memory/1224-4-0x0000000077306000-0x0000000077307000-memory.dmp
memory/1224-13-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-12-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-14-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-11-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-18-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-17-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-16-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-15-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-10-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-19-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-20-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-9-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-8-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-7-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-5-0x0000000002A80000-0x0000000002A81000-memory.dmp
memory/1224-21-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-23-0x0000000002A60000-0x0000000002A67000-memory.dmp
memory/1224-29-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-31-0x00000000776A0000-0x00000000776A2000-memory.dmp
memory/1224-30-0x0000000077511000-0x0000000077512000-memory.dmp
memory/2776-32-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-41-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/1224-43-0x0000000140000000-0x00000001400B4000-memory.dmp
\Users\Admin\AppData\Local\4x6\iexpress.exe
| MD5 | 46fd16f9b1924a2ea8cd5c6716cc654f |
| SHA1 | 99284bc91cf829e9602b4b95811c1d72977700b6 |
| SHA256 | 9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3 |
| SHA512 | 52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629 |
C:\Users\Admin\AppData\Local\4x6\VERSION.dll
| MD5 | 07556a7d2ef47ea2021db38630b63a8a |
| SHA1 | 2cd87e4b5f5e7d8dd50a7ae1bd4cf48d6ede0c3d |
| SHA256 | b1eda4069391e0b1d1f2be146b6792453f8d89f435cd8f434a9ebd0b811af6a3 |
| SHA512 | 58d3f7c539b515cbdf79b900aad4cf27f10ab774e7e7609712c9320c03f47e397bdffbe3ff411fc036a3c5185d15dfd4f4b6b942b3ead6f0cf503dc7a3d09b79 |
memory/676-58-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/1224-57-0x0000000077306000-0x0000000077307000-memory.dmp
memory/676-59-0x00000000000E0000-0x00000000000E7000-memory.dmp
memory/676-64-0x0000000140000000-0x00000001400B5000-memory.dmp
C:\Users\Admin\AppData\Local\0V3g\unregmp2.exe
| MD5 | 64b328d52dfc8cda123093e3f6e4c37c |
| SHA1 | f68f45b21b911906f3aa982e64504e662a92e5ab |
| SHA256 | 7d6be433ba7dd4a2b8f8b79d7b87055da8daafa3e0404432d40469c39c2040e1 |
| SHA512 | e29fc068532df36f39c86b79392b5c6191de6f69b7beaba28f9ac96a26089b341b770ff29556eca14f57afd1de59a6f3726818482d6861bdd8ac556ae768df00 |
\Users\Admin\AppData\Local\0V3g\VERSION.dll
| MD5 | fa6badd10234749f17b3d208a91f69b6 |
| SHA1 | 7c3a429b882e76a8f7d1df2ccc614236f6abaa9d |
| SHA256 | 39e8cf686be2519487ad7c07cb0eea8684869b21c66fbf299115059439af859d |
| SHA512 | 5262cebe33f6d0585ed32c40ab27565581293e75a256994847596a397502795a60ed58ab47582725bb2855142b263afe7e020eb5f3b6bb09be26baa5e6aa3e26 |
memory/2248-76-0x0000000000160000-0x0000000000167000-memory.dmp
memory/2248-82-0x0000000140000000-0x00000001400B5000-memory.dmp
\Users\Admin\AppData\Local\QGjGe76US\mmc.exe
| MD5 | 94095d9ce56c5f29880c8c53879afec3 |
| SHA1 | 2aacfdd214f0dc6a5d15b244664326eff93092df |
| SHA256 | 8ee8da7793699d2aa4a2c9d51d2412a8316464f81babcb06b4127115cadc7d1b |
| SHA512 | 186cd0cc910624989e166f620de8ed05ab58c22e5042c8f0455234f3afec62ae1bcda641e2c9cfe6b2cf052f252764c37d6232b2e795e7e4b97de94f4022d4b5 |
C:\Users\Admin\AppData\Local\QGjGe76US\mmc.exe
| MD5 | 5916414a3794e9f97eb40e3f256cd5c8 |
| SHA1 | 228b1b88ca8dd3b4e6060d20a0bbf4d5aae02d10 |
| SHA256 | 7ed9ee21acd4f85a53a665721ed7978b3622e1c35e8a6c22b240a4408ceb074a |
| SHA512 | 72c3d5b2933ebe1ccb41f01ebb01917b42097511d5668fce6c2c86cc4f6e642bbfec4e8595d5c9d11fec74502c9f67dda501d9c5d21e46a6c0001002e23664ad |
C:\Users\Admin\AppData\Local\QGjGe76US\DUser.dll
| MD5 | 3a841214408ebada2472b0cd63a82263 |
| SHA1 | bedfe4fed7267b57fedc8e070395736024cab0f1 |
| SHA256 | 4303c49f480c3fba827fdfb4f173313f69201e0def6d8677da893ef76d08c2ce |
| SHA512 | 95a1d1dd826f360d5143c56651d948c3f1943ceb9abcb830286db5d40d94acef3bee5611734667ae44136c99e9e3fb3609406165b4fd4fb113f3f501e5993993 |
\Users\Admin\AppData\Local\QGjGe76US\DUser.dll
| MD5 | cf85ea8a294f28bbaa516a97e341d94b |
| SHA1 | 0da5ae2efd7147847a761e87c7ee36208a167214 |
| SHA256 | b6243e24f356d49210f935d8e575fc310c18238372c2d282fa74519c0bee2d1c |
| SHA512 | 9e80ae67294fbf5adc8c6baffd80ded132ec2a8e99091f4f99c78487288eac2f5e10a1d508fad2da9495c75945b1fe1473c0b7c6b61f9fdfac1da7d07d121932 |
memory/1108-96-0x0000000000150000-0x0000000000157000-memory.dmp
memory/1108-99-0x0000000140000000-0x00000001400B5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\a5GA51cc\mmc.exe
| MD5 | 9768a6305f0ad95e989bf53085ed15cd |
| SHA1 | c4d2516330cc11e74f11be73b46db9fbbee112a1 |
| SHA256 | 9202a91f7db5346be986914bb611cf2b92f35cff32edb204605593c9da16c489 |
| SHA512 | 6406dc07f2001911cbb9cc90b599b8bed03a5174ec72a24c7ab8e69f5f790204387844cd29014dc69a66c3f4b2d17499d1bd19ca1749eb80b5537512d835f2f8 |
\Users\Admin\AppData\Roaming\Microsoft\Protect\a5GA51cc\mmc.exe
| MD5 | 9fbe7a5605e0e8f0282fc953beca276a |
| SHA1 | 7f27ac99b63a796e940128fdd9c7e3346e2f1269 |
| SHA256 | b4cf312fd110a988632b105643fe0760684b2eaccd0c65ae7de69b05fc108d72 |
| SHA512 | a6547236a2f2a55538bc0060d345e23945108299c93f837e8f498e5d1689cd16a5700e14694f2d5c28dfb4d8c561a64ad52b9867c44b862c7ebf21454f82e5d2 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk
| MD5 | 6d383624d7acf2e6201c10ec938c9677 |
| SHA1 | bebd2f88955ffc3234a271890aa8e096faddd996 |
| SHA256 | fb4e484def8ee2ce5b9628662bb25c7ef0bab04be5b277f7488ed2951fd579f8 |
| SHA512 | 708012ac4614bdfdc698383a7dd2e8e7fef46647ca4931dcd53673768d88a77f83dfc737e72b89ab23eca9e5fcf80d7c688c7ea16205e3460af2dda075b711be |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\a5GA51cc\DUser.dll
| MD5 | f28822a430eb00678a6204a379637e9b |
| SHA1 | ff6164fcf013cc220b68e7e93a3d0764e946f162 |
| SHA256 | 5f9de532bab1ce0a7b9001e32c5b9d9ffc46ea71d147dc1e04845c3f47bfc228 |
| SHA512 | 043c1b4d0563a92facabc4990ec84165abd324bbd51aeb2a755a163f383c6143a56bad4f3b83c093e7e86fc7a6073e8f121b6fe0fb183aaf9dee2a2bb027cb94 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-26 02:58
Reported
2024-01-02 15:33
Platform
win10v2004-20231215-en
Max time kernel
158s
Max time network
170s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ElLHrDh48\SppExtComObj.Exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EZTTpW\msconfig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2Ud\SystemPropertiesComputerName.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\ElLHrDh48\SppExtComObj.Exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\EZTTpW\msconfig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2Ud\SystemPropertiesComputerName.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\uhYQ9\\msconfig.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ElLHrDh48\SppExtComObj.Exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\EZTTpW\msconfig.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\2Ud\SystemPropertiesComputerName.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e5e6fcb83a84d1976bc6ce0355a4f20.dll,#1
C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\ElLHrDh48\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\ElLHrDh48\SppExtComObj.Exe
C:\Windows\system32\msconfig.exe
C:\Windows\system32\msconfig.exe
C:\Users\Admin\AppData\Local\EZTTpW\msconfig.exe
C:\Users\Admin\AppData\Local\EZTTpW\msconfig.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\2Ud\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\2Ud\SystemPropertiesComputerName.exe
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
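The network table above mixes three kinds of rows: forward DNS lookups (tse1.mm.bing.net), reverse PTR lookups (the in-addr.arpa names, each of which encodes an IPv4 address with its octets reversed) and a single TCP connection to 20.231.121.79:80 that carries no domain at all. The script below is an added example written for this page, not part of the sandbox report; it rebuilds the table inline as constructed input, recovers the address behind each PTR name and sorts connections into named peers and direct-to-IP peers. The report does not say which process issued the PTR queries or what the port-80 connection carried, so the "unresolved" bucket is a triage lead rather than a verdict.

```python
"""Split a sandbox network table into forward lookups, reverse (PTR) lookups and
direct-to-IP connections, so peers that were never resolved by name stand out."""


def ptr_to_ip(name):
    """'82.177.190.20.in-addr.arpa' -> '20.190.177.82'; None if not a PTR name."""
    name = name.strip().lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) < 256 for l in labels):
        return None
    return ".".join(reversed(labels))


def triage(rows):
    """rows: (country, 'ip:port', domain, proto) tuples, one per table row.

    Returns the set of addresses the host reverse-resolved, a domain -> peer IP
    map for forward resolutions, every peer contacted without a domain, and the
    subset of those peers that no forward lookup in the capture accounts for."""
    ptr_ips, forward, direct = set(), {}, set()
    for _country, dest, domain, proto in rows:
        ip, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53":          # a DNS query, not a data peer
            rev = ptr_to_ip(domain)
            if rev:
                ptr_ips.add(rev)
            elif domain:
                forward.setdefault(domain, set())
            continue
        if domain:
            forward.setdefault(domain, set()).add(ip)
        else:
            direct.add(ip)
    named_peers = set().union(*forward.values()) if forward else set()
    return {
        "ptr": ptr_ips,
        "forward": forward,
        "direct": sorted(direct),
        "unresolved": sorted(direct - named_peers),
    }


# Constructed input: the rows of the behavioral2 network table above.
PTR_NAMES = [
    "82.177.190.20", "95.221.229.192", "0.205.248.87", "9.228.82.20", "45.19.74.20",
    "146.78.124.51", "195.233.44.23", "103.169.127.40", "56.126.166.20", "18.134.221.88",
    "11.227.111.52", "0.204.248.87", "2.136.104.51", "208.194.73.20", "90.65.42.20",
]
ROWS = [("US", "20.231.121.79:80", "", "tcp")]
ROWS += [("US", "8.8.8.8:53", n + ".in-addr.arpa", "udp") for n in PTR_NAMES]
ROWS += [("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp")]
ROWS += [("US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp")] * 5


if __name__ == "__main__":
    result = triage(ROWS)
    print("reverse-resolved:", sorted(result["ptr"]))
    print("named peers:", {d: sorted(v) for d, v in result["forward"].items()})
    print("direct-to-IP peers with no forward lookup:", result["unresolved"])
```

The five bing.net rows collapse to one named peer, the fifteen PTR rows become fifteen reverse-resolved addresses, and 20.231.121.79 is the only peer left in the unresolved bucket: it was contacted without a forward lookup, and its own PTR name (79.121.231.20.in-addr.arpa) is not among the queries either.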
Files
memory/5008-1-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/5008-0-0x000001C3359B0000-0x000001C3359B7000-memory.dmp
memory/3372-5-0x00007FFC901AA000-0x00007FFC901AB000-memory.dmp
memory/3372-4-0x00000000014B0000-0x00000000014B1000-memory.dmp
memory/3372-7-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-8-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-9-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-10-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-11-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-12-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-13-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-15-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-14-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-16-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-18-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-19-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-20-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-17-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-21-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-22-0x0000000001470000-0x0000000001477000-memory.dmp
memory/3372-29-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-32-0x00007FFC912D0000-0x00007FFC912E0000-memory.dmp
memory/5008-39-0x0000000140000000-0x00000001400B4000-memory.dmp
memory/3372-40-0x0000000140000000-0x00000001400B4000-memory.dmp
C:\Users\Admin\AppData\Local\ElLHrDh48\SppExtComObj.Exe
| MD5 | 728a78909aa69ca0e976e94482350700 |
| SHA1 | 6508dfcbf37df25cae8ae68cf1fcd4b78084abb7 |
| SHA256 | 2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c |
| SHA512 | 22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1 |
C:\Users\Admin\AppData\Local\ElLHrDh48\ACTIVEDS.dll
| MD5 | 4123e083b62487be5bfcc5b118d0b25f |
| SHA1 | 0a66a6b2a8f898d1bdc6b9b959ea8755b1719128 |
| SHA256 | af0f8620a9187bc73515c284793010e53678d14ba8b3060fd5b420f8443108c8 |
| SHA512 | 39f6c18cbb0eaf35b6667bc068002da2dbed86c21b5987e2445cbf0dbd21538193baa8f00cd179c5fe5c3878777e44a4b2eb407fa61a2dbd6707cc903b485a65 |
memory/3688-49-0x0000000140000000-0x00000001400B5000-memory.dmp
memory/3688-50-0x00000299857A0000-0x00000299857A7000-memory.dmp
memory/3688-55-0x0000000140000000-0x00000001400B5000-memory.dmp
C:\Users\Admin\AppData\Local\EZTTpW\msconfig.exe
| MD5 | 39009536cafe30c6ef2501fe46c9df5e |
| SHA1 | 6ff7b4d30f31186de899665c704a105227704b72 |
| SHA256 | 93d2604f7fdf7f014ac5bef63ab177b6107f3cfc26da6cbd9a7ab50c96564a04 |
| SHA512 | 95c9a8bc61c79108634f5578825544323e3d980ae97a105a325c58bc0e44b1d500637459969602f08d6d23d346baec6acd07d8351803981000c797190d48f03a |
C:\Users\Admin\AppData\Local\EZTTpW\MFC42u.dll
| MD5 | cf5d88633657d53a80ddd0aeb362ae29 |
| SHA1 | cd4a80150bd910b7dc518471a1da17b86e41b606 |
| SHA256 | 6cd32bb39c68a9b299fc4be45cd308e62273a7df7bfc9b1ad553c60944ea3b25 |
| SHA512 | a68c53edc3731e5f3a75399e0f44669d4991401976ba340be7f4003ad289edb79fcdb1c7876df7aac059ee6681fd3e4eba676c1f18710557d19607ebc698fcde |
memory/932-66-0x0000000140000000-0x00000001400BB000-memory.dmp
memory/932-67-0x0000020861CF0000-0x0000020861CF7000-memory.dmp
memory/932-72-0x0000000140000000-0x00000001400BB000-memory.dmp
C:\Users\Admin\AppData\Local\2Ud\SystemPropertiesComputerName.exe
| MD5 | 6711765f323289f5008a6a2a04b6f264 |
| SHA1 | d8116fdf73608b4b254ad83c74f2232584d24144 |
| SHA256 | bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e |
| SHA512 | 438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8 |
C:\Users\Admin\AppData\Local\2Ud\SYSDM.CPL
| MD5 | 1faf7ff2e59c4872c5fd55b98aaed04f |
| SHA1 | 3cb350d29e2a0948ae9df0a93968f1720b8d50c6 |
| SHA256 | bb95c7e01e7450243f1db199863e1d1c9a86adfb727a917619316793d638ad9e |
| SHA512 | 8ec83b7f5355c35cdcde023586258bc0c2d48915990f477df0ba198c7ba77966176f76e3092fe219fbc509ef84ce84b02a4333997f2b062a9ef5c06e7b0b1a7b |
memory/3664-84-0x0000023443540000-0x0000023443547000-memory.dmp
memory/3664-89-0x0000000140000000-0x00000001400B5000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 88941de170d81d47ab0920c1b3b56e44 |
| SHA1 | dec2512a9a5b3ab744709ced53c1af6474f4098b |
| SHA256 | 86e865a420dc39de249e76fbf9e7f6c5f41b04da0cb66dabdb46c7ee03ca7a29 |
| SHA512 | c9ff7b2acb797485dde8a8782e2bca379ffe318dea14672d971c8f91977720ab4dd62a8157cf36b8f9837be5785ef2963f1a6c33ce6d5de17283f433af547bb2 |
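Across both detonations the file and registry evidence follows one pattern: a genuine Windows executable (iexpress.exe, unregmp2.exe, mmc.exe on Windows 7; SppExtComObj.Exe, msconfig.exe, SystemPropertiesComputerName.exe on Windows 10) is copied into a randomly named directory under AppData next to a library that shares a name with one of its imports (VERSION.dll, DUser.dll, ACTIVEDS.dll, MFC42u.dll, SYSDM.CPL), a Run value and a Startup .lnk point back into the user profile, and EnableLUA is read before launch. The hunt script below is an added example written for this page, not code from the report or from the sandbox vendor. It takes the dropped-file paths and Run values from the behavioral1 and behavioral2 sections as constructed input and flags the side-load pairs and the persistence entries. The set of "system binary" names is seeded from this report only, an assumption stated in the code; a real deployment would use a fuller inventory of signed Microsoft executables.

```python
"""Hunt for DLL side-loading and user-profile persistence in the file and
registry events of a sandbox report."""
import ntpath
import re

# Windows binaries the report shows being copied out of System32 and run from a
# user-writable directory. Assumption for this added example: a real hunt would
# seed this set from a fuller inventory of signed Microsoft executables.
SYSTEM_BINARIES = {
    "iexpress.exe", "unregmp2.exe", "mmc.exe", "sppextcomobj.exe",
    "msconfig.exe", "systempropertiescomputername.exe",
}
# Sibling extensions the loader search order will pick up (.dll and .cpl both
# appear as dropped siblings in the report).
SIDELOAD_EXTS = {".dll", ".cpl"}
SYSTEM_DIRS = ("\\windows\\system32", "\\windows\\syswow64")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


def norm(path):
    """Lower-case, strip quotes, drop the drive letter and collapse the doubled
    backslashes of registry dumps, so the three path spellings that occur in
    the report (with drive, without drive, registry-escaped) compare equal."""
    p = path.strip().strip('"').replace("\\\\", "\\").lower()
    return re.sub(r"^[a-z]:", "", p)


def in_system_dir(path):
    return any(path.startswith(d + "\\") for d in SYSTEM_DIRS)


def is_user_writable(path):
    return any(marker in path for marker in USER_WRITABLE)


def find_sideload_candidates(paths):
    """Return (exe, library) pairs: a System32-named executable living outside
    System32 with a loadable library in the same directory."""
    by_dir = {}
    for p in map(norm, paths):
        by_dir.setdefault(ntpath.dirname(p), []).append(p)
    hits = []
    for entries in by_dir.values():
        exes = [e for e in entries
                if ntpath.basename(e) in SYSTEM_BINARIES and not in_system_dir(e)]
        libs = [e for e in entries if ntpath.splitext(e)[1] in SIDELOAD_EXTS]
        hits.extend((exe, lib) for exe in exes for lib in libs)
    return hits


def check_run_value(name, data):
    """Flag a Run value whose target is a System32-named binary under the user profile."""
    target = norm(data)
    if ntpath.basename(target) in SYSTEM_BINARIES and is_user_writable(target):
        return (name, target)
    return None


def find_startup_links(paths):
    """Shortcuts dropped into the per-user Startup folder (8.3 short names tolerated)."""
    return [p for p in map(norm, paths)
            if "\\programs\\startup\\" in p and p.endswith(".lnk")]


# Constructed input: dropped-file paths and Run values from both detonations
# above, plus the sample DLL itself and one System32 binary as benign controls.
FILES = [
    r"C:\Users\Admin\AppData\Local\Temp\4e5e6fcb83a84d1976bc6ce0355a4f20.dll",
    r"C:\Windows\system32\iexpress.exe",
    r"\Users\Admin\AppData\Local\4x6\iexpress.exe",
    r"C:\Users\Admin\AppData\Local\4x6\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\0V3g\unregmp2.exe",
    r"\Users\Admin\AppData\Local\0V3g\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\QGjGe76US\mmc.exe",
    r"C:\Users\Admin\AppData\Local\QGjGe76US\DUser.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\a5GA51cc\mmc.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\a5GA51cc\DUser.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk",
    r"C:\Users\Admin\AppData\Local\ElLHrDh48\SppExtComObj.Exe",
    r"C:\Users\Admin\AppData\Local\ElLHrDh48\ACTIVEDS.dll",
    r"C:\Users\Admin\AppData\Local\EZTTpW\msconfig.exe",
    r"C:\Users\Admin\AppData\Local\EZTTpW\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\2Ud\SystemPropertiesComputerName.exe",
    r"C:\Users\Admin\AppData\Local\2Ud\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk",
]
RUN_VALUES = {
    "Fskzoiv": r'"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\5CVL\\unregmp2.exe"',
    "Gdfgjdhwrlpouj": r'"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\uhYQ9\\msconfig.exe"',
}


def analyse(files=FILES, run_values=RUN_VALUES):
    return {
        "sideload": find_sideload_candidates(files),
        "run_keys": [h for h in (check_run_value(n, d) for n, d in run_values.items()) if h],
        "startup": find_startup_links(files),
    }


if __name__ == "__main__":
    for kind, hits in analyse().items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

Two details of the input matter for the checks. The 0V3g directory is listed once with a drive letter and once without, which is why paths are normalised before they are grouped by directory. And both Run values point at a copy under AppData\Roaming\Adobe\Acrobat that does not appear in the dropped-file lists, so the Run-key check judges the target path on its own rather than requiring the file to be present.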