Malware Analysis Report

2024-11-30 21:26

Sample ID 231229-yxd4rahcgn
Target 02a0cd716c96815422f1fc564501caa7
SHA256 03c531f4b15ced54d56d9202a64d3ba2d2f5996c6cc290cc6a5ccf9a777afed4
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 03c531f4b15ced54d56d9202a64d3ba2d2f5996c6cc290cc6a5ccf9a777afed4

Threat Level: Known bad

The file 02a0cd716c96815422f1fc564501caa7 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-29 20:09

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 20:09

Reported

2023-12-29 21:58

Platform

win7-20231215-en

Max time kernel

191s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a0cd716c96815422f1fc564501caa7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\7M1fNBN\BitLockerWizardElev.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\9QDPHeY\PresentationSettings.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\JlDV\osk.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\DNTException\\Low\\yc\\i7DturZa2\\PresentationSettings.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\7M1fNBN\BitLockerWizardElev.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\9QDPHeY\PresentationSettings.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\JlDV\osk.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1256 wrote to memory of 1088 | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe
PID 1256 wrote to memory of 1088 | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe
PID 1256 wrote to memory of 1088 | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe
PID 1256 wrote to memory of 1416 | N/A | N/A | C:\Users\Admin\AppData\Local\7M1fNBN\BitLockerWizardElev.exe
PID 1256 wrote to memory of 1416 | N/A | N/A | C:\Users\Admin\AppData\Local\7M1fNBN\BitLockerWizardElev.exe
PID 1256 wrote to memory of 1416 | N/A | N/A | C:\Users\Admin\AppData\Local\7M1fNBN\BitLockerWizardElev.exe
PID 1256 wrote to memory of 2120 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 1256 wrote to memory of 2120 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 1256 wrote to memory of 2120 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 1256 wrote to memory of 272 | N/A | N/A | C:\Users\Admin\AppData\Local\9QDPHeY\PresentationSettings.exe
PID 1256 wrote to memory of 272 | N/A | N/A | C:\Users\Admin\AppData\Local\9QDPHeY\PresentationSettings.exe
PID 1256 wrote to memory of 272 | N/A | N/A | C:\Users\Admin\AppData\Local\9QDPHeY\PresentationSettings.exe
PID 1256 wrote to memory of 2064 | N/A | N/A | C:\Windows\system32\osk.exe
PID 1256 wrote to memory of 2064 | N/A | N/A | C:\Windows\system32\osk.exe
PID 1256 wrote to memory of 2064 | N/A | N/A | C:\Windows\system32\osk.exe
PID 1256 wrote to memory of 1068 | N/A | N/A | C:\Users\Admin\AppData\Local\JlDV\osk.exe
PID 1256 wrote to memory of 1068 | N/A | N/A | C:\Users\Admin\AppData\Local\JlDV\osk.exe
PID 1256 wrote to memory of 1068 | N/A | N/A | C:\Users\Admin\AppData\Local\JlDV\osk.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a0cd716c96815422f1fc564501caa7.dll,#1

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\7M1fNBN\BitLockerWizardElev.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\9QDPHeY\PresentationSettings.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\JlDV\osk.exe

Network

N/A

Files

\Users\Admin\AppData\Local\7M1fNBN\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\7M1fNBN\FVEWIZ.dll

\Users\Admin\AppData\Local\7M1fNBN\FVEWIZ.dll

C:\Users\Admin\AppData\Local\7M1fNBN\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\7M1fNBN\BitLockerWizardElev.exe

\Users\Admin\AppData\Local\9QDPHeY\PresentationSettings.exe

C:\Users\Admin\AppData\Local\9QDPHeY\Secur32.dll

\Users\Admin\AppData\Local\JlDV\osk.exe

C:\Users\Admin\AppData\Local\JlDV\UxTheme.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\yc\FVEWIZ.dll


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 20:09

Reported

2023-12-29 21:53

Platform

win10v2004-20231215-en

Max time kernel

30s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a0cd716c96815422f1fc564501caa7.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\IHUzwbt\\DevicePairingWizard.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\dAk\SystemPropertiesHardware.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\uaWI4\DevicePairingWizard.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\DjLP32fGd\AgentService.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3556 wrote to memory of 2648 | N/A | N/A | C:\Windows\system32\SystemPropertiesHardware.exe
PID 3556 wrote to memory of 2648 | N/A | N/A | C:\Windows\system32\SystemPropertiesHardware.exe
PID 3556 wrote to memory of 1820 | N/A | N/A | C:\Users\Admin\AppData\Local\dAk\SystemPropertiesHardware.exe
PID 3556 wrote to memory of 1820 | N/A | N/A | C:\Users\Admin\AppData\Local\dAk\SystemPropertiesHardware.exe
PID 3556 wrote to memory of 4848 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe
PID 3556 wrote to memory of 4848 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe
PID 3556 wrote to memory of 3900 | N/A | N/A | C:\Users\Admin\AppData\Local\uaWI4\DevicePairingWizard.exe
PID 3556 wrote to memory of 3900 | N/A | N/A | C:\Users\Admin\AppData\Local\uaWI4\DevicePairingWizard.exe
PID 3556 wrote to memory of 1328 | N/A | N/A | C:\Windows\system32\AgentService.exe
PID 3556 wrote to memory of 1328 | N/A | N/A | C:\Windows\system32\AgentService.exe
PID 3556 wrote to memory of 2728 | N/A | N/A | C:\Users\Admin\AppData\Local\DjLP32fGd\AgentService.exe
PID 3556 wrote to memory of 2728 | N/A | N/A | C:\Users\Admin\AppData\Local\DjLP32fGd\AgentService.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a0cd716c96815422f1fc564501caa7.dll,#1

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\dAk\SystemPropertiesHardware.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\DjLP32fGd\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Users\Admin\AppData\Local\uaWI4\DevicePairingWizard.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 185.13.222.173.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 191.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | N/A | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.179.17.96.in-addr.arpa | udp

Files
