Malware Analysis Report

2024-11-30 21:25

Sample ID 231229-xzf6fscgd5
Target 017476e0432360ddcea82be7784d62c3
SHA256 442c78bea97cb5946f1754ba2e848784a617e377208e3c7f06f3e33b1a5192a1
Tags
dridex botnet evasion payload trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

442c78bea97cb5946f1754ba2e848784a617e377208e3c7f06f3e33b1a5192a1

Threat Level: Known bad

The file 017476e0432360ddcea82be7784d62c3 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-29 19:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 19:17

Reported

2023-12-29 19:23

Platform

win7-20231129-en

Max time kernel

3s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\017476e0432360ddcea82be7784d62c3.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\017476e0432360ddcea82be7784d62c3.dll,#1

C:\Windows\system32\fvenotify.exe

C:\Windows\system32\fvenotify.exe

C:\Users\Admin\AppData\Local\A6gXC0\fvenotify.exe

C:\Users\Admin\AppData\Local\A6gXC0\fvenotify.exe

C:\Users\Admin\AppData\Local\qStPivP\raserver.exe

C:\Users\Admin\AppData\Local\qStPivP\raserver.exe

C:\Windows\system32\raserver.exe

C:\Windows\system32\raserver.exe

C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe

C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe

C:\Windows\system32\SndVol.exe

C:\Windows\system32\SndVol.exe

Network

N/A

Files

\Users\Admin\AppData\Local\A6gXC0\slc.dll

MD5 426847f2f2ade9f7cd1ae6482785da5b
SHA1 61ae84672592f101ca3da5680d455e19966215f3
SHA256 45daebdc79ada74bb65c1fa350e3a9cd2614a80281543e7c94887e11add82d26
SHA512 7adce6ccbf8f930aa60c5e87436a0a4d25959baf3e623053312ddc3befcdaf8b9d8ae72312a6a74ba8bbe0ca69aa0c4f94c2b8bae77e8414054988f3220d4ca9

C:\Users\Admin\AppData\Local\A6gXC0\slc.dll

MD5 e7aed7bf76e000a08f9c0dca631f955f
SHA1 059d89c62fd9a2ac77e72f84228df6ea67d24a89
SHA256 84ff05ce8dd3ee9e90af1dd94e1367a103a3176b9990b92d0aafe60a71216c73
SHA512 c5494e2693c5c13888036687f51b721c9e5f40824cf5aee2a0df6336d3515c44d1e85cc8cffa0cdcc888772ecf7c052d23f922707b2f397e452de8ebb5ea75eb

C:\Users\Admin\AppData\Local\A6gXC0\fvenotify.exe

MD5 851a7861442df6b3e001570ed7f4aa62
SHA1 7f6700e3c83b09f6fbbc0940226fd3cdc59e2da6
SHA256 5e0dd77b527df8700a841447554b26fcaa3334b7fc2be6c87c723a5e4038bbe4
SHA512 e2b1e5dbb0b6d365baaa0d5b38cac3d82d3de492190f97dea7f70c8797bddea33c448f92a53e05e215b8de999cf0c10183b047eed56a39657b4f190bc7330798

\Users\Admin\AppData\Local\A6gXC0\fvenotify.exe

MD5 908b10eff3f57115ca45c436e372dd0a
SHA1 0459b0d200c3e536a0ccf6ecb13628138ff1c702
SHA256 8e74f21167df8e75f6e5d0c1b6fdee3f4bed3af4811f90ee6cf28acc8e3e71c9
SHA512 9b47619b9e25a2c8b55aba133616ea89884a25b7eca55bd800887e298472b9c39dd58b09fbd6a1deddc741c605fd8e2b4f264c5633e1864f2a79090f1f35cafb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\xyH0FpNM\fvenotify.exe

MD5 efa6660d66cadf088cf6332ddc7b3c47
SHA1 eeac71f013857823de44f2e46045dcddf2ab6b1d
SHA256 24fd6aa1b69b8f1c88e7d7cf9b9cb5d3ef39b6d0ed623aefcb5d09587dfc5420
SHA512 33cea10930c79db2f33f55d90bc1e327f762ed22a0d3213e78910108818b8a7e99ad8e68be04f3a14e382d547e2f5367a6c8190944982904035719851597d5b7

\Users\Admin\AppData\Local\qStPivP\WTSAPI32.dll

MD5 9f5f8c9886bc0312fb14cf81870964c4
SHA1 c08c94c8a6165a431599052d4d45d5411dfde6ca
SHA256 bf86493506c133c5ac89a70d0f233fc79f678d981a82f7ce9e7237305db27459
SHA512 19b9139b9743280dbc26e245b73c3c22bc7b351f4919a37438888c4fcbf4b75218f875752f6ba550d206dd926e88569f2450be4669b9cfd71a4feae348eed531

C:\Users\Admin\AppData\Local\qStPivP\WTSAPI32.dll

MD5 d6cd9197c1450e2c9f56cc828cc5425e
SHA1 e7a1678b9c0405eefcef5056ef446f048b5c9ddc
SHA256 591bfb171c80c9763d982957c2b44c8e710fe358f1a2c8c239676e60a3722180
SHA512 c5a0f46bbd2680c0732083296a83b4d5e097d4486b62e4f736e0e65e8cad4fd7853e470ed5b0b00d5c542648bab702360466967e184fa6717a083678387c73d3

C:\Users\Admin\AppData\Local\qStPivP\raserver.exe

MD5 94a4bd796518cc17d93ac428169d05d3
SHA1 ede6ba9fb90f6d11c66df5491a958875d1f246d3
SHA256 497a78101ec3db281c8a0f05fd87d1a83ddc37ac3b1d0f387170277015ee21e8
SHA512 550e8e612550c318cc2c33c18701b7050c7d464a8df08a4c0350a82fc0fe2b4d38cf102eba427d187ff3a5dc0ee19a6a507294bae92cc93d16a39877066a6f90

\Users\Admin\AppData\Local\qStPivP\raserver.exe

MD5 5f699aa5c4535998bbfb329cf7b74529
SHA1 3a2f5f87cd883e4eb4aeb250f0ffdf7078175f5c
SHA256 41c0451f7e2a9ef229389d5e5ee05d537132d56d5b8adcfe6d094c8b4dc47e37
SHA512 62712bb005dbb3dbde55b644fb7002c39b1e1a3d4230fbfd4a1856bdc7160993374b1bc242644b2a61fae77b1b6eec3b4b2ba84e1dd88873890e32eb51d09b5e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\BjkfbdMMZ\raserver.exe

MD5 427164573ab0ad5cc4cca9714704388b
SHA1 063c6fbf3ca377d4669c5bfc381901fe031877d3
SHA256 0b258282621d0bab48ac6731fd0bf7ef4c2ef1352fd3c69c3ea014b224f23ae0
SHA512 4a658a2628172229a6485536bd1fe72911cd00209f6f22a65cde0ba3c3294e8d8bc22f11c692c3146d631268d5d8391abb144ddc4c10884fe7174ce3645bcff7

\Users\Admin\AppData\Local\vt1FDm\UxTheme.dll

MD5 7e49a31a2abe6ca3ee878b97421f23a3
SHA1 337b081978c310f3dd65bb8838dd4a09d78e35db
SHA256 352e8913f91918c22d9d731ec50ab97658c210acfca1baa06214509f13e5ca77
SHA512 93c07592aa7762b96193b8eff8acaf0770c213f7868dc5a7326b483f08c6681e8d7252752850938ef74669edc930338de20e6cb2c4de1aa756a99415a20d76c0

C:\Users\Admin\AppData\Local\vt1FDm\UxTheme.dll

MD5 a491f37f08a8b09f90d7561205dbc690
SHA1 ccd89123981d767442ba26d5f1590c20bc520ecd
SHA256 0d437c11e6e4c24d14f9e9463171fee2dbf80042bcab049a40e7a3694a066a66
SHA512 ac2f2b96a32790947b7bb170bf08e8c5419a13e8f7bfde24423b619d9b03790f6f842655a5852bdc24365ff4a3f00322df2411d1c91dc85d5ef2ee395965b8d6

C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe

MD5 56e928c04bfe67fc11252fca637f5908
SHA1 15ce8e79ccb32c3fd5b804b3e9f4dc5c2f47a475
SHA256 3d81e3fc02cd493fef044e7595d2c34a865f149ac90a5c10fd3dd81bf4af438c
SHA512 c29341ce94988cfa75d5b6338ef7b320448c055df5f7b06444d7c6ea9ec7cafe9bca3283bbeb80ec8a55dc45479bbeee300b7e53348c3c45e10cad70af7c601c

C:\Users\Admin\AppData\Local\vt1FDm\SndVol.exe

MD5 a4193ea7fb50ecd2e9753895ea65bdc6
SHA1 a52ca1b631db0b4f927c0821abc709e49ed8310a
SHA256 bb6f0a4d5b29c8394ae098d4ce9b25849f9587fe5820f7f06cca57eef5240920
SHA512 5d5ca7cc6eadce069734eba9ca549bec4463040c0dab4bb4caf1d4199c5fc39892bfd4f6747b5e661609e894105f1e650b22819c81541e2ad3a1d71e03084029

\Users\Admin\AppData\Local\vt1FDm\SndVol.exe

MD5 91d35f998d06e4f0851b403ef9d345ba
SHA1 66cb105defc487f9ce203c86c4fd58e417bea5fc
SHA256 2a251a261d2c43bdbf6a5d79a0f174e7c3ae24f063c804d4a53ef494f4abdf4e
SHA512 62ed3b136157693e43d37a599a018261637c46e5db48edfab6cc4332f212ad0543c72b04f66fb9f33cb0893060e00b9b6dcce6b7ba948f612de76cb2781f7a23

\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\QOvPRyNi\SndVol.exe

MD5 324c7d3342a3b0ff363d007ad5774cde
SHA1 adb12faad353b37618778f75a3b3a4a424fa8901
SHA256 31ee212c53d0d3dd2323c4036c761c97e94a22003e4cf7cb10088bd861282d74
SHA512 52ec6d05bef3de55f2d988b58a0cb24c90a397a6388133e5fbf93203edf5c9725744a82191cef6eda79d198b93f06062675d9a0d363f82f280e815119296448c

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

MD5 c2d86fa691dd94bb1ed6735120394b55
SHA1 9911ea7b9956be6a9143a7f9ac07823070a8d0e4
SHA256 d238712a9aecc2b7216aac1705412addfc2e227549137703446b9e80a8a07c74
SHA512 4349d8b84403994eb1ff2f2c2e282083490d614de332d918449bbb4a0822a373f688fceaab76396818acef6b0c6bd4b1b4f8f4b085893d92cce01e71f478889a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\xyH0FpNM\slc.dll

MD5 837198683a145ec0b913664019e83f73
SHA1 a9a81f972b01ac9e7e28fb7f429cf30fc90bc4a5
SHA256 b8a603064a90cfa83fee07db4c06179fca34737f1c18684bd1a1e6d0120b9387
SHA512 d0591d1cbc61dd3f043db61ead37729d15dd86d825c7ece0a6e4202ab39c7d335836cfe15c23aa05f2216fdde087b587606057817776061cebc8e67ca3d4d0e0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\BjkfbdMMZ\WTSAPI32.dll

MD5 a0fbf5a93265ef8ae596209113430ebc
SHA1 bb593b6b6fd4f1fb67afd7400606e213063d7fd5
SHA256 5efac9c69975ae0f9f178407490bbffe19dc07ae03ac811d4ac01e5c498c7b46
SHA512 2bcab8a3ce0b10fee86d043dbc6e13ae3a588500c353466ca70f4c37e24828905797836573dc291ce5aab12ec7a2d9f724a87259668274e4ecf472d91709cc6b

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\QOvPRyNi\UxTheme.dll

MD5 cb8efb99cb2b75695b596c57d20f7d70
SHA1 f7efe1212b0c1e5675a63fbf6ebdd735bd2ac213
SHA256 13bc85e674d511d5ec35690f42b2fc2617fa77c5460c5a050156474cb14f4ac6
SHA512 24279948da1a18df9b1441323345d94006325ad3a6708d586aeeaa57295c8987044b5e42d063b0427acfa03582d5b7a208ead588367970ea93ab9eff284bcc0b

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 19:17

Reported

2023-12-29 19:23

Platform

win10v2004-20231215-en

Max time kernel

153s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\017476e0432360ddcea82be7784d62c3.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\mU20k\\IE4USH~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3436 wrote to memory of 3092 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3436 wrote to memory of 3092 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3436 wrote to memory of 4228 N/A N/A C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe
PID 3436 wrote to memory of 4228 N/A N/A C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe
PID 3436 wrote to memory of 3040 N/A N/A C:\Windows\system32\ie4ushowIE.exe
PID 3436 wrote to memory of 3040 N/A N/A C:\Windows\system32\ie4ushowIE.exe
PID 3436 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe
PID 3436 wrote to memory of 3016 N/A N/A C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe
PID 3436 wrote to memory of 384 N/A N/A C:\Windows\system32\dwm.exe
PID 3436 wrote to memory of 384 N/A N/A C:\Windows\system32\dwm.exe
PID 3436 wrote to memory of 4468 N/A N/A C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe
PID 3436 wrote to memory of 4468 N/A N/A C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\017476e0432360ddcea82be7784d62c3.dll,#1

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe

C:\Windows\system32\ie4ushowIE.exe

C:\Windows\system32\ie4ushowIE.exe

C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe

C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe

C:\Windows\system32\dwm.exe

C:\Windows\system32\dwm.exe

C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe

C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\M0UOXkdys\XmlLite.dll

MD5 6096d8f2691f521c5471e3831f488dee
SHA1 007d807b79a94996687a857d9033439aa35ddacd
SHA256 a306c80116053da01af073f3b8e4110ed508f57ee93defc6526f5323468dedcb
SHA512 3062f62e73b18740eca5386f1e6e3c5c1fb65e29ec938a4848f72f5be66134ca76bed52af2618459b85392f0ec4274d58bcb4585b9480b29f82e0b7516e22faa

C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe

MD5 5798d6e8309c1d87997a7d2b8a256f28
SHA1 f30a2583fd14d2cdf3478f2ee0ac9abc273f12eb
SHA256 8f8a5f82327324df4e30a27bb87dd0da120b9a46f078e360bc68d66e2c07138a
SHA512 9a152df70ff8e03c01d079591b0367bc1148943e521d175303de32cb134956dbcc1d8e961f6a3e370fc36ec78bcc5eab015d69e86e524bbf8c4f11bd478a860b

C:\Users\Admin\AppData\Local\M0UOXkdys\XmlLite.dll

MD5 10a2bc5895c41998ca5fd710990cfd84
SHA1 f8b261cd7242352c67b15c5bb31b832f2d7c11b0
SHA256 548759fe1cfd85af75bf80ad8e8a17277e4ae43dd36160e03c6f0a2757399878
SHA512 5bdc1b2709bd355c0485c18490375d3c3bc8f1a858af113405875afebb56bba9a839370a9fc6bf785ef9c2bf40d1fed926b233419aafb72b48729b3eb9b99d43

C:\Users\Admin\AppData\Local\M0UOXkdys\MoUsoCoreWorker.exe

MD5 994781cb4455e854e8a56d0d86729418
SHA1 120998cfad2fe8ef6213a3883e4dab288a35bb37
SHA256 048a9900741ff3fa27aa0d47c78202aa19824733ff9800d6cb302c87c2529420
SHA512 a76d895bfca20939fdd3c2092c1d16a334f5ddfb4fafb6283627a9a1b1afa66fe44d59311f10f4ae7acbf1492bfee038e9dbad058c65e2e458003e3d4afdfc22

C:\Users\Admin\AppData\Local\Xmke\VERSION.dll

MD5 afc5d6acf9fe46db2055363762df8cb2
SHA1 098d3185228e3cc9d8f80a83a957aa6983b320d4
SHA256 4d60a60d6b290863176389e6c029cafa4dd03ca07db7c5fd8cf0eee479c372b5
SHA512 0edc56ca9381475b65f38b4bebe09bcb3b26488f316b33db23a20c6d0fe2443fb1e5f7d5decd25bdce61d79ea158ba1b6ef161d58f0859723844ba6a98fc5b23

C:\Users\Admin\AppData\Local\Xmke\VERSION.dll

MD5 8856aa57a9c31bd25ca41fd7e58a3faa
SHA1 a0b667482771a97e269232539c5bb8e25dde2ac4
SHA256 114debababba8166086ef482c0aaf85f62b23aa10cf0516ec1563543a6e8be7e
SHA512 3810c3192f6e9c2b65e2a275191e259868638c9cccdf3fb262028194bc1bb2d1dfc7cf851251bdf86f342e8eb3e9602cba0f4e638396f50d7a04660ba2459546

C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe

MD5 22bbbaea87d84f8ea435d55620d8b903
SHA1 7dfc373050fffd3d2a3d7ce1f718b3e940b0c931
SHA256 55f06d181995eb462551ee1b9538464f08a465bdea10cbf3325338db240d4c21
SHA512 7aabbdbf33096980c5617bf5f0247650cbea3d1ea5f6f7e8924fc5b06379a28e1417b8115df0a7dedc45a36841021f58d6bd4e1da6e93d73f2cc028ae11e09d1

C:\Users\Admin\AppData\Local\Xmke\ie4ushowIE.exe

MD5 20c3e4c84ab7086f24d852bfebc35881
SHA1 067750987872d1b8822b5b93880694cf61fc7968
SHA256 f3b3f537cff90e40986d92aa02865717633ae7406c0e0b9add37292c9a197548
SHA512 89672ac81368de470abfef063632d4c985c963fcf0220894c36d9a06cb4b37cb4c961a0528ab528bcb25eaf06c87f7de722ee063ce202b4d0ba65fa31d04dcc4

C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll

MD5 21514a7f978d38c6841800dedbd4f69e
SHA1 9ce6d8337b669ba8a179ed77276a25222d783205
SHA256 95e6ff2d8a8b922c9fc03f149db07f8a0fa91ecad6f30c6da67534ca45cf8afe
SHA512 ae40682596ccf15269a8f9e884d7bdcd27e6c515c7c58fe368661e7629e92e08f7fca7a52ade82fba71ea31a7033294c29626623bb032280376923b8bcd99697

C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll

MD5 b0d16ec2fd98c9bdeb0fe2fd889e9a46
SHA1 2648b5cb2db0c93cf83e46e1831503df96d21bf0
SHA256 2d0e9de7d2f3cad063edc19daa5418cd3930932eac7128b2da19d43806904da7
SHA512 a17ce379b2011cc6d59280f4280b211860c9bfbf930ebc4efebb5830840f16993b10c915cc5ea3ac6ea00b8a1de00ece0c4f46aac12071796c4a7bfde81ae022

C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll

MD5 6585b45da54640f428d6ee10032658f0
SHA1 1bba686537e5b535fb719d63553f540bc4613578
SHA256 5e67dd45e731676f365be0f9cca039ce53adaef4a624f54bc1685dc801620b20
SHA512 2070b74c7c457a39aa56447a166863f6db9d09d80690cc71f5295e36a70c2d254963b97a8a06fb5ac354d6246589112a3d926563b5d6587a59cb7d5ded3410fd

C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll

MD5 c091d844941b361df762c89e57920116
SHA1 8d29420979ba0a787dd15d68d6af07a9dd2db2e4
SHA256 a91781d29c6c30a430514991fbb0df808d28a75bbf9a0325bd6be9f843ade3aa
SHA512 101b999888019a17cd1a2b74ff722eb77cebe4b58b97d28757cf4c088be9d4e80e22a71de39574e72f18844b0e831035f7e98e62fd84ba0f03d5544c475a5b2d

C:\Users\Admin\AppData\Local\urv5ZMZ0\dxgi.dll

MD5 c4b41df8931b6353ddf2da18ddc76e9e
SHA1 269a7ae60cb1bfdc2378e3845d6c3261052dc12f
SHA256 6f68ddf53c7d90f40ce7e1446e6a72fd97ca36f62f6eea38d5a331a563e9d4b2
SHA512 88c01cc49c46beab8ff9c3fbf58bc31b4621efee754df31302605859e0c2e671127c4f1c2bb9d3c00f001a5bce531777e2a6f948c05c70cac508510f596c6467

C:\Users\Admin\AppData\Local\urv5ZMZ0\dwm.exe

MD5 5c27608411832c5b39ba04e33d53536c
SHA1 f92f8b7439ce1de4c297046ed1d3ff9f20bc97af
SHA256 0ac827c9e35cdaa492ddd435079415805dcc276352112b040bcd34ef122cf565
SHA512 1fa25eabc08dff9ea25dfa7da310a677927c6344b76815696b0483f8860fa1469820ff15d88a78ed32f712d03003631d9aceaf9c9851de5dd40c1fc2a7bc1309

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\wfZbTn\dwm.exe

MD5 c50ea7490866ff7e7ae4256eb55f0261
SHA1 3cbdb8cc6415e847670bb28cfdf45076551c0f0e
SHA256 50ea683500d42c02ea7c42e047a6f3b77fc3d09bbe50144e04d176627256b184
SHA512 ba96a75e4a54f682943999c51550044edf8c99f846a2363d54d7c0bdc444038bce2183769539c6562fbe27ae86343c3a542b59c16cf58eb9627e8e2c22332194

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk

MD5 536baf1f96d7ada7018620ea51441c5b
SHA1 6aad011d42375eb68faa60e3b0e901596529eef7
SHA256 990379399172149d9842b416eddaddfc521d25a8870ebc7b07f9ac987ca90983
SHA512 d40a0bf91b8e2073190f12f7460417c0fd66bed36d39b52ad1260c8d7567f1445b13479381c3580c80d35a9f691f9834a6aa0a6302a393d84fd7d1ddc7eefe96

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\fOqG4CXzx\XmlLite.dll

MD5 9ad373dec65387a0f825167ac6f53011
SHA1 9af6f90f439eb9a1c5382e4108def543d54ba004
SHA256 690345c90bcb5668f1d4d64b779b722e654d4d5b665ba21157c80b6aac942314
SHA512 3892e8a8c5644d1c3f9215b3a3311a6882b70e988c1e4e83adbb9a422b003105c1dc62a7a24ddbd16eac3f7cce46226a9b2182dd29eca1b5eaf6e0d0048defed

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\mU20k\VERSION.dll

MD5 16a74b844d1f3277d1b75490a853a28a
SHA1 b950e2fe55ed18e89b6717866024e26d3a8876e7
SHA256 78296eeff56307a35478ddea5902a6fd8e3794635dcb7d718809545680a83623
SHA512 b08ccc7b9f7354255aa45c43bae16a705bea89c2f1ac9904b541799f22afa7c801d04905cf52a43fc8f1a25c5de21dccce98a7ac15c5660a5d2d2c774f1bcf9d

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\wfZbTn\dxgi.dll

MD5 44a884e87359dfe3b64dfb2f511d2f64
SHA1 bdff65ff64c46b86aa1d64625ac9608cbf465e70
SHA256 228b12016dfb6a383206a73d6dd8a15b79081aa59f300f91bde748e2cc34f0d6
SHA512 eeb5025de4af3758d8bc795ad558a454890dedee60e037f6e61723c69bb3a23bed60051dba0aa96041fce94e338d8970a519b73b269bd88283c9050475ede0fd