Malware Analysis Report

2024-11-30 21:29

Sample ID 231228-x1m1dscebl
Target f1ef2c7b7bd2a2324eb6f6a7000904d2
SHA256 85276985d1a45e22149784e2fcf0064ca7c158e5f4dd629389f759fb82727bb1
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

85276985d1a45e22149784e2fcf0064ca7c158e5f4dd629389f759fb82727bb1

Threat Level: Known bad

The file f1ef2c7b7bd2a2324eb6f6a7000904d2 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-28 19:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-28 19:19

Reported

2024-01-03 09:18

Platform

win7-20231215-en

Max time kernel

150s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1ef2c7b7bd2a2324eb6f6a7000904d2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dridex payload

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 identical rows)

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\V3chypE\sdclt.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\DhnWJRy6\AdapterTroubleshooter.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\WDDqfXGv\msdt.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\gtv\\AdapterTroubleshooter.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\V3chypE\sdclt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\DhnWJRy6\AdapterTroubleshooter.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\WDDqfXGv\msdt.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (61 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1240 wrote to memory of 2592 | N/A | N/A | C:\Windows\system32\sdclt.exe
PID 1240 wrote to memory of 2592 | N/A | N/A | C:\Windows\system32\sdclt.exe
PID 1240 wrote to memory of 2592 | N/A | N/A | C:\Windows\system32\sdclt.exe
PID 1240 wrote to memory of 2268 | N/A | N/A | C:\Users\Admin\AppData\Local\V3chypE\sdclt.exe
PID 1240 wrote to memory of 2268 | N/A | N/A | C:\Users\Admin\AppData\Local\V3chypE\sdclt.exe
PID 1240 wrote to memory of 2268 | N/A | N/A | C:\Users\Admin\AppData\Local\V3chypE\sdclt.exe
PID 1240 wrote to memory of 1664 | N/A | N/A | C:\Windows\system32\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 1664 | N/A | N/A | C:\Windows\system32\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 1664 | N/A | N/A | C:\Windows\system32\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 1708 | N/A | N/A | C:\Users\Admin\AppData\Local\DhnWJRy6\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 1708 | N/A | N/A | C:\Users\Admin\AppData\Local\DhnWJRy6\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 1708 | N/A | N/A | C:\Users\Admin\AppData\Local\DhnWJRy6\AdapterTroubleshooter.exe
PID 1240 wrote to memory of 1776 | N/A | N/A | C:\Windows\system32\msdt.exe
PID 1240 wrote to memory of 1776 | N/A | N/A | C:\Windows\system32\msdt.exe
PID 1240 wrote to memory of 1776 | N/A | N/A | C:\Windows\system32\msdt.exe
PID 1240 wrote to memory of 1812 | N/A | N/A | C:\Users\Admin\AppData\Local\WDDqfXGv\msdt.exe
PID 1240 wrote to memory of 1812 | N/A | N/A | C:\Users\Admin\AppData\Local\WDDqfXGv\msdt.exe
PID 1240 wrote to memory of 1812 | N/A | N/A | C:\Users\Admin\AppData\Local\WDDqfXGv\msdt.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1ef2c7b7bd2a2324eb6f6a7000904d2.dll,#1

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\V3chypE\sdclt.exe

C:\Users\Admin\AppData\Local\V3chypE\sdclt.exe

C:\Windows\system32\AdapterTroubleshooter.exe

C:\Windows\system32\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\DhnWJRy6\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\DhnWJRy6\AdapterTroubleshooter.exe

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Users\Admin\AppData\Local\WDDqfXGv\msdt.exe

C:\Users\Admin\AppData\Local\WDDqfXGv\msdt.exe

Network

N/A

Files

memory/2480-0-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2480-1-0x000007FEF6AD0000-0x000007FEF6BA4000-memory.dmp

memory/1240-3-0x00000000773A6000-0x00000000773A7000-memory.dmp

memory/1240-4-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/1240-6-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-7-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-8-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-10-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-9-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-13-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-19-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-26-0x00000000029F0000-0x00000000029F7000-memory.dmp

memory/1240-18-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-17-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-15-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-16-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-29-0x0000000077640000-0x0000000077642000-memory.dmp

memory/1240-28-0x0000000077610000-0x0000000077612000-memory.dmp

memory/1240-27-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-14-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-12-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-11-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-39-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/1240-38-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/2480-47-0x000007FEF6AD0000-0x000007FEF6BA4000-memory.dmp

\Users\Admin\AppData\Local\V3chypE\sdclt.exe

MD5 cdebd55ffbda3889aa2a8ce52b9dc097
SHA1 4b3cbfff5e57fa0cb058e93e445e3851063646cf
SHA256 61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd
SHA512 2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

C:\Users\Admin\AppData\Local\V3chypE\ReAgent.dll

MD5 511318368c091454f9c34d3205a6a93f
SHA1 7626efb9b108c9ce3025fb3f8279814088f8d048
SHA256 6d4e552155a0e568fd06735a5a990cb740376ca2621b05dd4f67d4c83495c990
SHA512 6ed398392f857bcc29ec60a8d14314752f66959bdfe48faad42d3f562de9ecc2ae095519037208fe879944132ec0e2faf4f139a0fd74f62f4fb100049ea04441

memory/2268-56-0x000007FEF6BB0000-0x000007FEF6C85000-memory.dmp

memory/1240-55-0x00000000773A6000-0x00000000773A7000-memory.dmp

memory/2268-57-0x0000000000260000-0x0000000000267000-memory.dmp

memory/2268-61-0x000007FEF6BB0000-0x000007FEF6C85000-memory.dmp

\Users\Admin\AppData\Local\DhnWJRy6\AdapterTroubleshooter.exe

MD5 d4170c9ff5b2f85b0ce0246033d26919
SHA1 a76118e8775e16237cf00f2fb79718be0dc84db1
SHA256 d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da
SHA512 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

C:\Users\Admin\AppData\Local\DhnWJRy6\d3d9.dll

MD5 2a5e7d3cbfee8ddfc9fc89a990c6d94c
SHA1 c909f3f7ec1d373815bc3593d3f3787572f97aae
SHA256 467cd7be9de10829bb8e088c2d8a78a1ed59d3c912061755c9c3391cdb87e82a
SHA512 dc252731c3d64bbf3542ae3c77072b9b079ceb43d318a34a8cd47d928bbc59e15302b80d11041bb9e5bef2fa08f523f932857e00c325ad88e4f7de79a920a6b3

\Users\Admin\AppData\Local\DhnWJRy6\d3d9.dll

MD5 29687fcc9da808f32430db41753d8184
SHA1 4ba8f09676f7c3f48526654fbdbd4f05f03b66e5
SHA256 ae3c429ae565c37f2f40c65c650f0e74c71ac6ba8b06eac8ee847062395c5de1
SHA512 cb15d96df37bf6b69a6b118176bc7d254b7c3ab307bf35e2c69bc579c2e4238dce7c7a9f82d71671c6b9ab260793315c53ebb28d7cdae606af804e7b0ca2d1c1

memory/1708-73-0x000007FEF63D0000-0x000007FEF64A5000-memory.dmp

memory/1708-75-0x00000000002F0000-0x00000000002F7000-memory.dmp

memory/1708-78-0x000007FEF63D0000-0x000007FEF64A5000-memory.dmp

\Users\Admin\AppData\Local\WDDqfXGv\msdt.exe

MD5 aecb7b09566b1f83f61d5a4b44ae9c7e
SHA1 3a4a2338c6b5ac833dc87497e04fe89c5481e289
SHA256 fbdbe7a2027cab237c4635ef71c1a93cf7afc4b79d56b63a119b7f8e3029ccf5
SHA512 6e14200262e0729ebcab2226c3eac729ab5af2a4c6f4f9c3e2950cc203387d9a0a447cf38665c724d4397353931fd10064dc067e043a3579538a6144e33e4746

C:\Users\Admin\AppData\Local\WDDqfXGv\UxTheme.dll

MD5 b96e4d23906d70db917330bb7798e590
SHA1 2bb6720417ff6167aa29cdaeebb2a2f05488a567
SHA256 576f00a4c57438ecb80b4d2cace051ffdaa065e89d1afb833ff2a3ed78c2b0a1
SHA512 d328c98d769b6f650021bd4e38165f43394e184620d30b67c1c3fcc4f4e90b32813fa9597a16374037c503a4cc1e560df1d31647837ef6c362c869d5fe81504a

memory/1812-91-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/1812-95-0x000007FEF63D0000-0x000007FEF64A5000-memory.dmp

C:\Users\Admin\AppData\Local\WDDqfXGv\msdt.exe

MD5 24458a6c36b8ac4e5e316c6fbde87170
SHA1 5b786f73be2377c70142524460d31688c160fc12
SHA256 c16c474ced75cff696d5a9b6f64831b003aab2f53f8d5bbea20234854bb9ddf5
SHA512 ea896c9cde563828acbc7914ac8e35dd50e374479b3a3626c6d88eef8dbfac3b981375909a8235168e1d691e7f3b4ae013eec0e88ace27a4f5ffec02ac3c9a65

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

MD5 b113977dfb9c48a770f5bd231b6405a8
SHA1 1fa1a9921b0dbc6eed0ac935fcc1a8697bb131b2
SHA256 41dca7e8b6b10f821269534f3f874a0be27a92f1a5422d0bfeee3a1aa8a6f86c
SHA512 e5efdb0c0cb10f8e2fde42ff16f6d646c8299d6c9a0907439c825bf1377bd49a6965af233745f1147888d387fc6a024b989b5ccab2c126d500671a9da5e7506b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\9Vyd\UxTheme.dll

MD5 2afc67d587af4e3d8c140c0a23ab01ff
SHA1 2c5c94d7dfea1c019211a4dbf43e90ac9585b4b7
SHA256 5b19c1dc50aba465afd143b1d27211dc490feb159c312931e55d33f310f591de
SHA512 a288acbfe56e7f16760079805efd61e347e13308114afb99ebc88b3396348bb7dc143bc0ac846c5634e0b477ec3743e1cca3f3050b5ec9c43017f2b14a261432

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-28 19:19

Reported

2024-01-03 09:17

Platform

win10v2004-20231215-en

Max time kernel

155s

Max time network

170s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1ef2c7b7bd2a2324eb6f6a7000904d2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dridex payload

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (11 identical rows)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\QtT2\\SYSTEM~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vqbUOBLB\SystemPropertiesComputerName.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\7KhAX\SystemPropertiesComputerName.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\gO7P\cttune.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (58 identical rows)

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3416 wrote to memory of 2112 | N/A | N/A | C:\Windows\system32\SystemPropertiesComputerName.exe
PID 3416 wrote to memory of 2112 | N/A | N/A | C:\Windows\system32\SystemPropertiesComputerName.exe
PID 3416 wrote to memory of 4936 | N/A | N/A | C:\Users\Admin\AppData\Local\vqbUOBLB\SystemPropertiesComputerName.exe
PID 3416 wrote to memory of 4936 | N/A | N/A | C:\Users\Admin\AppData\Local\vqbUOBLB\SystemPropertiesComputerName.exe
PID 3416 wrote to memory of 5016 | N/A | N/A | C:\Windows\system32\SystemPropertiesComputerName.exe
PID 3416 wrote to memory of 5016 | N/A | N/A | C:\Windows\system32\SystemPropertiesComputerName.exe
PID 3416 wrote to memory of 3044 | N/A | N/A | C:\Users\Admin\AppData\Local\7KhAX\SystemPropertiesComputerName.exe
PID 3416 wrote to memory of 3044 | N/A | N/A | C:\Users\Admin\AppData\Local\7KhAX\SystemPropertiesComputerName.exe
PID 3416 wrote to memory of 1316 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 3416 wrote to memory of 1316 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 3416 wrote to memory of 4108 | N/A | N/A | C:\Users\Admin\AppData\Local\gO7P\cttune.exe
PID 3416 wrote to memory of 4108 | N/A | N/A | C:\Users\Admin\AppData\Local\gO7P\cttune.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1ef2c7b7bd2a2324eb6f6a7000904d2.dll,#1

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\vqbUOBLB\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\vqbUOBLB\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\7KhAX\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\7KhAX\SystemPropertiesComputerName.exe

C:\Windows\system32\cttune.exe

C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\gO7P\cttune.exe

C:\Users\Admin\AppData\Local\gO7P\cttune.exe

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp

Files

memory/4844-0-0x00007FFA5E350000-0x00007FFA5E424000-memory.dmp

memory/4844-1-0x000001F14FC40000-0x000001F14FC47000-memory.dmp

memory/3416-3-0x0000000003350000-0x0000000003351000-memory.dmp

memory/3416-5-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-6-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-8-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-7-0x00007FFA6C8CA000-0x00007FFA6C8CB000-memory.dmp

memory/3416-9-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-10-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-11-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-12-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-13-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-14-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-16-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-17-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-15-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-19-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-18-0x0000000003330000-0x0000000003337000-memory.dmp

memory/3416-20-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-27-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/3416-29-0x00007FFA6CE30000-0x00007FFA6CE40000-memory.dmp

memory/3416-28-0x00007FFA6CE40000-0x00007FFA6CE50000-memory.dmp

memory/3416-38-0x0000000140000000-0x00000001400D4000-memory.dmp

memory/4844-41-0x00007FFA5E350000-0x00007FFA5E424000-memory.dmp

C:\Users\Admin\AppData\Local\vqbUOBLB\SystemPropertiesComputerName.exe

MD5 6711765f323289f5008a6a2a04b6f264
SHA1 d8116fdf73608b4b254ad83c74f2232584d24144
SHA256 bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e
SHA512 438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

C:\Users\Admin\AppData\Local\vqbUOBLB\SYSDM.CPL

MD5 2fac73c65d9a5d33418712ad8d843f57
SHA1 30696c273c06e80fd47234c7db68fffe40b0808e
SHA256 ee0a483b6aca0fa3bd49c500c2535f94a1f46dacfb89238ebe26a08a081ef6dc
SHA512 4d59700f77269a8cfe8d91518659b3aceabc0b862be2efa8ca0089f0ff6e5c2df6bdcc648f78ce85e61874e9d9ee807403c898d02cc00a00c9b21b9d6ff75ea7

C:\Users\Admin\AppData\Local\vqbUOBLB\SYSDM.CPL

MD5 e2632dd83a251403a1dd172a1af69b7b
SHA1 648b091fe967af225e6d8c0020f0cbd41788f576
SHA256 f80079590d56e052e02c87ff142a5625c310c30dc30707f27426b242ac8d55c0
SHA512 87a6aa2822d53c3caa6bae0c265ab74a4d3249d11fb728f066a36d392fecd3819514bd812915f73dd1ffb55ed98a665cc11270ff9beaab0ca18b26ec8c17ee01

memory/4936-48-0x000001D96EAC0000-0x000001D96EAC7000-memory.dmp

memory/4936-49-0x00007FFA4EE00000-0x00007FFA4EED5000-memory.dmp

memory/4936-53-0x00007FFA4EE00000-0x00007FFA4EED5000-memory.dmp

C:\Users\Admin\AppData\Local\7KhAX\SYSDM.CPL

MD5 619def2762df315b6cae6690e59da34d
SHA1 3a37cf779abc70bf0025cef16e99588768e15772
SHA256 4e78e380abdeb8c5cb223df6bf9b1f73bb5b8a529b1e0fcc08e24e7be96b9d41
SHA512 5649fd4c2dfc493edc861ec13a4e7a687e8bc76d075e7e44b26f0f7b930d931b2bc1199a09c15f9394ac63356ffcaf956caadfca8baffa839e2dee2a1f745430

C:\Users\Admin\AppData\Local\7KhAX\SYSDM.CPL

MD5 da416d66b493fee32b754942d813ea21
SHA1 65cb204b014d03152fbaeb69e56bdb669cd6b094
SHA256 afd4c8805bd78f058b27a7a8e43f52eecaa00d97667483bb1aa0825e5f54d721
SHA512 1e3c588669b696d8f2403b5d098fdc7dd510a53b79266dc8708d39e0839fb1947143b33ad3e2205681cb07088fd2ffa11df608bd6e7099e730694dab444a1120

memory/3044-66-0x000001F9FD2A0000-0x000001F9FD2A7000-memory.dmp

memory/3044-64-0x00007FFA4EDB0000-0x00007FFA4EE85000-memory.dmp

memory/3044-69-0x00007FFA4EDB0000-0x00007FFA4EE85000-memory.dmp

C:\Users\Admin\AppData\Local\gO7P\cttune.exe

MD5 fa924465a33833f41c1a39f6221ba460
SHA1 801d505d81e49d2b4ffa316245ca69ff58c523c3
SHA256 de2d871afe2c071cf305fc488875563b778e7279e57030ba1a1c9f7e360748da
SHA512 eef91316e1a679cc2183d4fe9f8f40b5efa6d06f7d1246fd399292e14952053309b6891059da88134a184d9bd0298a45a1bf4bc9f27140b1a31b9523acbf3757

C:\Users\Admin\AppData\Local\gO7P\UxTheme.dll

MD5 db5c3df54241b1a9e36409827f725b7e
SHA1 1a80c436189a836db6e935ae034b516b0a34bd25
SHA256 1356f9090ba40f51897e00eb620803bbff096209b884d9c1259fad8437dca812
SHA512 4577ddf08969d651faa105ad173f54b1a42d7b60e02e8b2526ddcf1721926ee3a86536b1ffbea076d14456433e8c819e8d9a097544893b5935df3fed11ab665f

memory/4108-80-0x00007FFA5E000000-0x00007FFA5E0D5000-memory.dmp

memory/4108-81-0x000001EAD60C0000-0x000001EAD60C7000-memory.dmp

memory/4108-85-0x00007FFA5E000000-0x00007FFA5E0D5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\uWiY9uguN\SYSDM.CPL

MD5 6f8d078fca10446d616b4036764ac125
SHA1 a10d80a9517745143ee18662ec96a32d66dd77fe
SHA256 0f0d6f3cd50ba74d0c2e17189f77a55a7c4d65511c20a742b6a176bce66cb1b1
SHA512 7728e0b561869f8ea665c12b04e3d4362579defb9105079e6d35b8bf68628a55294144904a93c49ef3af4de7a48a5b94a48529ee9bbeab0da478a7795fd0f7aa

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

MD5 d2e64088cb6b648456de49323a9dacb0
SHA1 7e4c162c05a51927810aa048de85a7cf8af0845b
SHA256 828d6ad73ac4481254d0da87f2f33e4d414e2d57e1fb574e7aa75bd99deeab1b
SHA512 ba69088e1164ec94c37f98972a5e070f4a12c5d87c3c59bf2588384a7ad303b70f31e68040fe693279474de9e00262b7ec994012ff0218213fbbd4dd3898c473