Malware Analysis Report

2024-11-30 21:30

Sample ID 231229-2rqgdahccq
Target 06194ae42efb4403b501d255e4ee8a4e
SHA256 3c710eec70ecf93ecdf44c999dafdab9edc3552a0c7a546116441691499be7b7
Tags
dridex botnet evasion payload trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3c710eec70ecf93ecdf44c999dafdab9edc3552a0c7a546116441691499be7b7

Threat Level: Known bad

The file 06194ae42efb4403b501d255e4ee8a4e was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-29 22:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 22:49

Reported

2023-12-30 05:33

Platform

win7-20231215-en

Max time kernel

14s

Max time network

29s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\06194ae42efb4403b501d255e4ee8a4e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\06194ae42efb4403b501d255e4ee8a4e.dll,#1

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\nVENOP6\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\nVENOP6\SystemPropertiesRemote.exe

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\HsHEoIOt\mblctr.exe

C:\Users\Admin\AppData\Local\HsHEoIOt\mblctr.exe

C:\Windows\system32\spreview.exe

C:\Windows\system32\spreview.exe

C:\Users\Admin\AppData\Local\cVcIHm\spreview.exe

C:\Users\Admin\AppData\Local\cVcIHm\spreview.exe

Network

N/A

Files

memory/2216-1-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/2216-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1220-4-0x0000000077376000-0x0000000077377000-memory.dmp

memory/1220-10-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-13-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-16-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-20-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-23-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-26-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-29-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-32-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-35-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-37-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-40-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-43-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-45-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-47-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-48-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-50-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-52-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-56-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-58-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-61-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-64-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-65-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-63-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-70-0x00000000029E0000-0x00000000029E7000-memory.dmp

memory/1220-62-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-60-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-78-0x0000000077581000-0x0000000077582000-memory.dmp

memory/1220-79-0x00000000776E0000-0x00000000776E2000-memory.dmp

memory/1220-59-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-57-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-55-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-54-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-53-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-51-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-49-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-46-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-44-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-42-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-41-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-39-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-38-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-36-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-34-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-33-0x0000000140000000-0x00000001402E0000-memory.dmp

C:\Users\Admin\AppData\Local\nVENOP6\SYSDM.CPL

MD5 9b350d7503908265a154b47a86345b07
SHA1 1d2284776d1e6012f4fcc29f158ff7ff1070110a
SHA256 b263cda02f09f8697d35b40c5e57b2a37982739c7f895ba067c15c9d492be300
SHA512 35e86331f51f8b7d46acee13a2803bd62a705cc5202620906e265b34a120ed159f475ce5384bdb2310ce2bf3739268243dcc926278a0f201b12e70a35d1f9c1b

\Users\Admin\AppData\Local\nVENOP6\SYSDM.CPL

MD5 ceff312d77ba782d8e2797573c994c2a
SHA1 625081b6a87cf683c98fac4d028d0e5e74c4a81d
SHA256 45d936c1cb11c236f8b8987f676ff0a70c328620285b1aba9dbfd4248fe2483b
SHA512 566cc2a39fced1ef25277c42c5927cdacd48cffc3e56b480b8721b2f617396dab81ab1603823e0d62a5f0ef8f4e5d3ce938e220abe24ce7a72cf0b236058bf5e

C:\Users\Admin\AppData\Local\nVENOP6\SystemPropertiesRemote.exe

MD5 6d1fa6ea29440c4bdbd46221a3a44f2c
SHA1 20e3b306b37639ee19d1768bad0532789be03f95
SHA256 345f5285ca213160f522c3fe056e123bbc9443bf49641df8e7d841f999cd9bff
SHA512 7f7a656dfb73b5bd83ed54536a5fb1127e54b974698c4f21dae63b5a1ba92a6b20c6d03370c21f2cf970e3de8adb9a1193586af0e1165f39b8e61df964da6517

memory/2928-106-0x0000000000090000-0x0000000000097000-memory.dmp

\Users\Admin\AppData\Local\nVENOP6\SystemPropertiesRemote.exe

MD5 03e3076ddc7cd2192d08d8afb6404114
SHA1 0d1229e4298b1050028bd0f06bdee3fca23e9c27
SHA256 27d95401d42bf8988a2e84b7fe18efa4fe635a5ab293f42fe965dfb2bca70ebb
SHA512 cc2e6c7e81f9ed125feb32365665ed11357dc7a0902dfa9852081d9051a63dd0849cfffe483fd66a9f041be1daeea1933738c5fd832256860da0dcbf6344678e

memory/1220-31-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-30-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-28-0x0000000140000000-0x00000001402E0000-memory.dmp

C:\Users\Admin\AppData\Local\nVENOP6\SystemPropertiesRemote.exe

MD5 c0a3f16a87082bc6c206b9c672291c51
SHA1 c39a6960fc55efa770f65b7ddd2b87e1f15144b7
SHA256 c73b1d233b97cc85ddda8e9dcaf59caf343b88c95821fbd6fd09b37d1f6092d2
SHA512 7ff97c023b6f0bc229c098efb6fb3020a126b9fcb3b89896ec8fd00000cb7016a08ed879da08141ce6abc812cb490b139b2a835cbd6f135769fa6216331d85d7

memory/1220-27-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-25-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-24-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-22-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-21-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-19-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-18-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-17-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-15-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-14-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-12-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-11-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-9-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/2216-8-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-7-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/1220-5-0x0000000002A80000-0x0000000002A81000-memory.dmp

C:\Users\Admin\AppData\Local\HsHEoIOt\WINMM.dll

MD5 d63f012429a572ecf304be3128fa48b2
SHA1 240d51bd1afae65286c155417b7b8c66d5339e9e
SHA256 1c2fbc2a0378965adc0822534561fee6a56df0ef6cfefa1ce8d3f0b956b23af7
SHA512 691d098f2d9495b2317bdc6839847ff565799cce6a2271411624b8ff80a0a18c0b24f9596e7bb641dd6b0387a94ad67e85e58d8d16db7139a8968c7ae5a67a89

C:\Users\Admin\AppData\Local\HsHEoIOt\mblctr.exe

MD5 e2405f02b089b396abcf8e4a934ae6ce
SHA1 bf373f04d83ae82b62242ca914572eb773de820f
SHA256 9aa8525c8a80710480b0a0e4c84ed423451810dda879da6142da3463f974ec9d
SHA512 938bda52d28d2eacd482a8a7617d36261ca9e7e134811128c2fbb79becff662c62569c86fa80d81895c1b45984d2ff5db3cdd0f5f39f55f768d69db7b4b9bb93

\Users\Admin\AppData\Local\HsHEoIOt\WINMM.dll

MD5 3c9449697bdf87d8ba458d18602c33e7
SHA1 bc97a1843028b508ef98d07e99bbf2c54e83e3f6
SHA256 46074f83fc78e7f921a911f2b8a3e174a59ed9737dbc6466fb42372faf8cd61b
SHA512 1465e4eb504bbb7db0a704d1c4ebf939153591e76875993e3f14250168fb9501aaa1f52b5ab9628130ca59b382063356d829ae9aef8454acefe04b0ed7024b44

memory/2032-124-0x00000000000F0000-0x00000000000F7000-memory.dmp

\Users\Admin\AppData\Local\HsHEoIOt\mblctr.exe

MD5 122ad10f0ac43029d94373388acaa6ae
SHA1 2da9c6e57a73979292863e546c285a56d18999cc
SHA256 5389fee1c97cd9338b953e42c7e532025ff85860cdb75ab3753fbc2903cb0528
SHA512 244301dd553fd1c014d67d4724d9e845c8cda2fec26a267786c0118d53ad531e4c9ca83af67bde6c367a2a8672162cace91b77917953d3bf7a8aeb0cbeb203b4

C:\Users\Admin\AppData\Local\HsHEoIOt\mblctr.exe

MD5 d23dbdf459b919b2f57f4bc65f5a2f2a
SHA1 a2ddb5b1119f9bc4e30cf3658fac6605203b7ade
SHA256 49b3c27489c93c9e8d68a872a3a9da30544ebeda83e858176b8e6956830d4acc
SHA512 02bd54f19b2bbeeb4cdf9dfded07d570f27bd7580f60351adb824f64fa39067efcecf4a84142b133c20d0d4e5437c38435f28e56576348df5d49211594be9bca

\Users\Admin\AppData\Local\cVcIHm\spreview.exe

MD5 a80eaf6005b3b2e5bb482459d5a7ad93
SHA1 c25169efc10c0e866689f96b3493e65cb019e681
SHA256 84e23a78ec26922b0d509be66ab8969ebc267d9ed2d8f0d5ad82480e388b54f4
SHA512 2a82b4e0efeac04350714f6d0148b53efb6dbbc70971b2f42ac29c5f9c4be467c5a4201bac08e1ef9bbcd3bb19501333561de15c10fe4c82b1e608ad954c02b7

C:\Users\Admin\AppData\Local\cVcIHm\sqmapi.dll

MD5 620b7f54d33545822801e7fbd907d257
SHA1 9b668ab07c43e381fbe721de9388df729a587732
SHA256 d9d8908a829e27a644ff8848db5679e875acd46bf5935d7be13622f157c8da6b
SHA512 d75d45e20b32169dff0bfff5077dd6a6be7b82619ec055492d87f0f40dfcccea665744511e119f4d93a84d832921db45fc90b4f56e171ee8683acd434d24bad2

\Users\Admin\AppData\Local\cVcIHm\sqmapi.dll

MD5 8175040c62a7688ddb35ef888ff0c469
SHA1 b4698e7733d12b21df5ca04c3aa6db20923e7381
SHA256 b4ea29d81135db7891a8e5f9da9a2a07f72272fea3dc8e5284d25fc2f825fd17
SHA512 2f5b528cbd033bcc36dd1ce644e524505beed13c87563882eb7723eede8fe9cc4c5c4da8c3c25eec62dbbb42fe9990eb71c525ece351ef1d0a0df32d5422c04a

memory/320-148-0x0000000000380000-0x0000000000387000-memory.dmp

C:\Users\Admin\AppData\Local\cVcIHm\spreview.exe

MD5 6cec599d3319d3c9aa062708de3ea645
SHA1 bd3eb26e40692424d28b65c5754fe8f1f442361a
SHA256 7f6f6baed15e7f1a8e07cce3166efe95b1422595a66a17a21504da7dceecf4f2
SHA512 2f0b3723266c717a351b2e59e8e6ce2bdebe09657919b5914079ab72515b483d4ee8522a75b02a4a7ef9b3b1523f7a95367224cdb5ca3cd8778a95a0a11e374e

C:\Users\Admin\AppData\Local\cVcIHm\spreview.exe

MD5 36a3ac541f4aa4215dc06b61f8110ddd
SHA1 a881dcf2cde16fd9e703a19b90172fb1b704bb59
SHA256 c2348c600af4a907b4b65a121a8f5a1852f4d0f1b5478227836fab85c24d318c
SHA512 b86e2325d10bfd5e553abffc77ea202aa83fc771da86a424c89bf244d248ac8fc42a9f12f4ce3828af533ec4ebd16fb728ceb6f3be11cbfb82abdd030e129fbf

\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\NbrratlK8d0\spreview.exe

MD5 eaa499deb3bec72b3d51fb149ffb9310
SHA1 54f4b0cd85ade3de0b917a91612bc4eb99a24d76
SHA256 d77d63dd7dff52d1196b70156e081d2f878a523409d4535d91343397a4cc67e4
SHA512 9b98705591a82cd66d35634508b086dc243bb68556a15c681277cb98b005213f3606ea72dddf715c44cf518f6b6db0f28e781805fc23795005fa91a0087bb326

memory/1220-169-0x0000000077376000-0x0000000077377000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 950bc70858795a7415c82993942da0f5
SHA1 730c31588c6c4e11607a449cdbce07bfb0d3a58c
SHA256 6c65e58f55ac8ead5a9ba150c389299bb71bf6333386bf32dd597d33e304ebb0
SHA512 0792381cef6e7ecd38972351a4b9b1ac50220c4771c509d8913171e9d41d32fb72ef2e48ac25b02462995243d2013aaedf306679e6d9245fd862a23211d777ea

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\2q1cwLw7\SYSDM.CPL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\y2x8\WINMM.dll

MD5 9de9c1d4c3e3e7c69c0e4ee671f9571b
SHA1 a02a21b15139ef773542cc7c1f873fdaa3fcb969
SHA256 dea2f77c3f5cdb542da97e91c786ca1cf9176da5aacab4314797dfcb9daf7417
SHA512 35aaf88bb06a62cd5ae5732f87a1425f870270318bf819217508e02b30d809a959b7e7988ccecdd88865c3331cc9a88d8803581f2567f999bf0c69e33e2b50bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\NbrratlK8d0\sqmapi.dll

MD5 42c6271b1037471ac8ded3d43045e3c9
SHA1 cf977c241f4359ad28a932ec544c2c8350260ec4
SHA256 6ac80942a610a7eb6b24618702c05380dfed7bdcaec8852da9fc148c1de19b41
SHA512 bb5799eb06264d59a01a93e11879e7cb143e7241aa30f8baa989e881fd20be2b7532ca21b147e076077e86e46b41c4672022268fc7e20416cb8c1df9ee417d1d

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 22:49

Reported

2023-12-30 05:35

Platform

win10v2004-20231215-en

Max time kernel

177s

Max time network

198s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\06194ae42efb4403b501d255e4ee8a4e.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\7qU\\ApplicationFrameHost.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8lAFZBk\mfpmp.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A
(the preceding all-N/A row is repeated 59 more times in the report, i.e. 60 events with no recorded description, indicator, process or target)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3392 wrote to memory of 4880 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe
PID 3392 wrote to memory of 4880 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe
PID 3392 wrote to memory of 1264 | N/A | N/A | C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe
PID 3392 wrote to memory of 1264 | N/A | N/A | C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe
PID 3392 wrote to memory of 4560 | N/A | N/A | C:\Windows\system32\ApplicationFrameHost.exe
PID 3392 wrote to memory of 4560 | N/A | N/A | C:\Windows\system32\ApplicationFrameHost.exe
PID 3392 wrote to memory of 4088 | N/A | N/A | C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe
PID 3392 wrote to memory of 4088 | N/A | N/A | C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe
PID 3392 wrote to memory of 4020 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 3392 wrote to memory of 4020 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 3392 wrote to memory of 4872 | N/A | N/A | C:\Users\Admin\AppData\Local\8lAFZBk\mfpmp.exe
PID 3392 wrote to memory of 4872 | N/A | N/A | C:\Users\Admin\AppData\Local\8lAFZBk\mfpmp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\06194ae42efb4403b501d255e4ee8a4e.dll,#1

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe

C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe

C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\8lAFZBk\mfpmp.exe

C:\Users\Admin\AppData\Local\8lAFZBk\mfpmp.exe

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp

Files

memory/4680-0-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/4680-2-0x0000019DB24D0000-0x0000019DB24D7000-memory.dmp

memory/3392-4-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/3392-7-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/4680-6-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-9-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-10-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-11-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-12-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-13-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-14-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-8-0x00007FF8C5A7A000-0x00007FF8C5A7B000-memory.dmp

memory/3392-15-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-17-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-19-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-18-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-20-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-21-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-16-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-22-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-24-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-27-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-26-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-25-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-23-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-28-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-29-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-30-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-31-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-32-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-33-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-35-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-34-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-38-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-39-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-37-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-36-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-40-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-42-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-43-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-41-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-45-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-46-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-48-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-51-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-52-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-50-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-53-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-56-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-59-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-63-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-64-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-65-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-62-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-70-0x0000000000B40000-0x0000000000B47000-memory.dmp

memory/3392-61-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-60-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-58-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-78-0x00007FF8C5D20000-0x00007FF8C5D30000-memory.dmp

memory/3392-57-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-55-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-54-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-49-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-47-0x0000000140000000-0x00000001402E0000-memory.dmp

memory/3392-44-0x0000000140000000-0x00000001402E0000-memory.dmp

C:\Users\Admin\AppData\Local\qmAdyM\UxTheme.dll

MD5 e2bc315fe93a548a5bc091ae9c3e4dd4
SHA1 40361fee1dd75b0cc2539cc01cfc1e729312ff22
SHA256 a870e2f978dfef59ae232c67dc99e3dc9c211e74cd47ab1b4c7388c446cceb84
SHA512 0315cc6ec5173825df02acb1948db7e9ff9507135e59e50356042e7d2474be11842aefd87cc05716263ee244ca3dfae954c9554dfd0402ebabc8a4ab30fa18be

C:\Users\Admin\AppData\Local\qmAdyM\UxTheme.dll

MD5 3eed248130b0f1def63d2ada10f78e5f
SHA1 27c85e8e39923bc1764c220b41873c8343dba9b2
SHA256 c9ceb24db21d96a73ed7926f7d43dbeeea3c52f3b1281c5cf7d91377ffa6dd4d
SHA512 2d19f48c31e4d961bd3d9b2e97fefcdf2e6c7d92175a885b23e186c70a78942c5370d4577ff0d757c0474434a7434fd62c260e6d3919c3c8566baca2d087fecd

memory/1264-98-0x00000178765C0000-0x00000178765C7000-memory.dmp

C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe

MD5 d45618e58303edb4268a6cca5ec99ecc
SHA1 1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513
SHA256 d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c
SHA512 5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

C:\Users\Admin\AppData\Local\qmAdyM\EhStorAuthn.exe

MD5 d5dd933f87f85da9a49cc8eaf960dac1
SHA1 68dbd76bdc407bc3c030adbdc7a784799f1a7f49
SHA256 7750e4b587d621fe7460beba02bd3dd7042e90f387b77519548f88bfaafb6805
SHA512 2c76115ee52d7a008eee3a342eb21292a4b0ecfa48b0e6989972ceba7afd9e924a06364243de32632c828081c2af6e392cb36003add59abc2abf05df3e009cc5

C:\Users\Admin\AppData\Local\vQmiFV1Lw\dxgi.dll

MD5 44fb402e4f32c6868321de7f46d41b73
SHA1 eef643e30df9ad7c72e98da479566e5218107997
SHA256 2ba814d9a055618db133e4233aedb571ee2b2720fd6631953a6c81567a1402b6
SHA512 8a0c8627e8407e7ae5a58f24d94bc6b0e85587d1eb48328910f4cab2ef09e7ca8cf47971513cc6eaec37f69c91dd06dba89285b9f48e2fd187cdac4f0ddd5f8b

C:\Users\Admin\AppData\Local\vQmiFV1Lw\dxgi.dll

MD5 de947c40ca30bfd7d9f388afa5215aa0
SHA1 743e567ac597208da85fe1da01920f94ec8664cf
SHA256 899dd0d8859f16e47bb2f85aee89255422c78d180cfaf50b2729dafd6e084dc6
SHA512 d06f30c727f664ccdc99bef82dd599f294298238762857cc3864796091f094bb14433135e10fb31882f1a6b8239bc216b09f23ba0c3f4e4dcf20a9bb6b485b61

memory/4088-128-0x00000200A56D0000-0x00000200A56D7000-memory.dmp

C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe

MD5 df8444700ff72bd5ccf27e1d53482417
SHA1 dd0ac516981738a7fd1ddfc569e08dd654e6dc25
SHA256 f6f82258b7b5d2f11ae28785da7bd6977b6dc1dc602e099c678a88ee5ea1f4fd
SHA512 727e0b609b15d5f866850d1569169e9d10dc5f03d3bf2c358274801cf4c52390ba17e96865e611e92f6061f764c01b2adfdc518364b94a001171030d90e45e22

C:\Users\Admin\AppData\Local\vQmiFV1Lw\ApplicationFrameHost.exe

MD5 31b1fb3d888cce11106938d665b7961b
SHA1 1e50131d9d0f251063d1101cdccc0a05a4807d2d
SHA256 132c41b280166439ae97d722563199c27a704a007f37ae98d03772c1027a6d11
SHA512 dd5ac4281d06c6f6dd38bb639de6248730909ce191745406ec15ad9a79ec737bbe87ccd225483bcb13da81bd674ace8134ef402d77ad540850ae729aec4f209a

C:\Users\Admin\AppData\Local\8lAFZBk\MFPlat.DLL

MD5 3e992f0f68c795140c61100a7fd0080d
SHA1 41aacf759ef77d997d1776e4bbb00d1a4cf9ab46
SHA256 ee88848b89ff36325e41a0f8c4026d41d8c49bbfc2305f1eff59d9210bb0a540
SHA512 db92325858c6dc06a55117a1f09c71990d04a0030d4d9d9a4f76226c12244dfeeed2fb4727485741667f53d6041ec0b5480e0e2c81d2cf2e5ed089e3b2946e7a

C:\Users\Admin\AppData\Local\8lAFZBk\mfpmp.exe

MD5 8f8fd1988973bac0c5244431473b96a5
SHA1 ce81ea37260d7cafe27612606cf044921ad1304c
SHA256 27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e
SHA512 a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

C:\Users\Admin\AppData\Local\8lAFZBk\MFPlat.DLL

MD5 1e5bd3f7c36cbb84c41ff517d1ff7514
SHA1 dd98f08d7e5bd5765a10a6f60c76db8e28b08e7e
SHA256 8b3716af27bd0286565cf50a01d343ec682fdfd7a4ffde135ac8076ce1dbac9f
SHA512 d3b7fdc47009be255ea802f6bc8e8b79969f8868048d78ee747061782db9a427d22270021899bd8d32d365d26dec81bfeb6a2c60759823a47d61d1d6a3b8421e

memory/4872-144-0x000001C1118D0000-0x000001C1118D7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 445bc00b13cdff20d8d04d0a8abd3b32
SHA1 ca9c9b76613af939f7ade8fcf74f78442dad292f
SHA256 4ea2619be6e686e7ab2d545ff1697e1d96b246f8e9afe4365a50abb148584cae
SHA512 16a9167938d41d6d7d8ed7473749642698f5d6ebf69d443204b23e1ef6ed58dbc4ce7a74b82ecf499aec5018752753022d4f8c3c5c3488ee2d28dacd4232f3aa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\XPTfrDzHkx\UxTheme.dll

MD5 c96141c20681f65ddf0512bdc444e583
SHA1 35df2daf2cc9d137e2d51656c3296e9a9cf2a83f
SHA256 f5d328585fa70be47339ca5979822314ad15c7b81c177618d8c79dfe98c4231e
SHA512 1eac86a805636c646a5f27b08a52549d18ba6734b26482487390bba1ad404749171367095fc667a14d62949e2e77c4496f5cbcc26218a439748d355a884bbcb3

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\7qU\dxgi.dll

MD5 1f57124fd5fdeec75f0fe7c1835f821b
SHA1 b675fbc70dcfacb8369af153d1af0081ae41d850
SHA256 d0e73ad86e08777a01ada69cb3cc5874b7c22bfc252d0a5ecc5a63bda9383ce2
SHA512 015f28072be2cfba4cbec29a8f541f996dd230253d3813b8cc1077c488e3542afb59182074f08571ee2775f5dd55ea966bf1fe7d55aab0d7fcafce96f0a6ba68

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\QVIr\MFPlat.DLL

MD5 f97a43b370fcda37b3d958d1b1805f45
SHA1 429980224fd6bb0d7d5b91c2754c05ab840ad755
SHA256 198a9fe5b810ae5546b4f0da3ef3fdfcdb03d14edd3f37c711b50d8d2408eee3
SHA512 0dd975a440d74162d12a60e4040e95b287c4deceecf341acf76701664752a52b805a2264b7ae2147b2b038ba11604722d0d4b704b01eb5f460eb681d5375d74b