Analysis Overview
SHA256
9dfe843a61c3bd78c30380d5c132273913dcd3872a2a8649ffe93b4d43ed3445
Threat Level: Known bad
The file 044a52b7c4b41c9724c7abef08920300 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-29 21:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-29 21:19
Reported
2023-12-30 05:27
Platform
win7-20231129-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\wrLuVnFL4\wbengine.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\pzGsQB23\mspaint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SutzP4d5\DeviceDisplayObjectProvider.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\wrLuVnFL4\wbengine.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\pzGsQB23\mspaint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SutzP4d5\DeviceDisplayObjectProvider.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\cEywN5uYGt9\\mspaint.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wrLuVnFL4\wbengine.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\pzGsQB23\mspaint.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\SutzP4d5\DeviceDisplayObjectProvider.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\044a52b7c4b41c9724c7abef08920300.dll,#1
C:\Users\Admin\AppData\Local\wrLuVnFL4\wbengine.exe
C:\Users\Admin\AppData\Local\wrLuVnFL4\wbengine.exe
C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
C:\Users\Admin\AppData\Local\pzGsQB23\mspaint.exe
C:\Users\Admin\AppData\Local\pzGsQB23\mspaint.exe
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
C:\Users\Admin\AppData\Local\SutzP4d5\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\SutzP4d5\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
Network
Files
C:\Users\Admin\AppData\Local\wrLuVnFL4\XmlLite.dll
| MD5 | 5d280fed9beb03af7d8740d332d4026c |
| SHA1 | 7402636ceffdb01673fe79973d7fbd137a6e6522 |
| SHA256 | 2921a4a967d88614370bb5249ff069c304b463d804f3bb9401e914ed8600a1ae |
| SHA512 | b60abde3e31923eb04457f89a6d7f9807740539cec8366c3117fc83b0ba962602be2755d56f332385f9fc5e8de094a925f9fd1a3b0acea9bd46e3e6e2b9367e8 |
\Users\Admin\AppData\Local\wrLuVnFL4\XmlLite.dll
| MD5 | d13177d65892d21a28470f80b830b198 |
| SHA1 | 743f58a3655ad0d10eda865e9174d78e2b3bf550 |
| SHA256 | 6a24d136d754eea9c618ba55dc39e437f27369bc546f40d8323e21a700d7e255 |
| SHA512 | a800a907a6447f66a3c03e84f1248309a5345dae898df261a9e3f0876782ac51b213efffff11c5085a9caabf7bd37ced52270ea0d5c0d867b8435112ae71fe13 |
C:\Users\Admin\AppData\Local\wrLuVnFL4\wbengine.exe
| MD5 | e0c7183bd79a367e2fee037d6deb1dc0 |
| SHA1 | a07be57d29212bb8449b5f78ace6a4858e276b3b |
| SHA256 | 7ca60029c03db80dbaffda45c6414ecadfd5b6637110a73136da88b415075eb9 |
| SHA512 | ed1cb16603bf497e30c1c24327d9d1541ea0f3384fb91ddff44d1a72555b11b33033985a8fca56133b3e3fb9010a7fe8c61a199277b71397271701ece741214b |
C:\Users\Admin\AppData\Local\wrLuVnFL4\wbengine.exe
| MD5 | 75e92e16080e5c1bb668462fd0bc067b |
| SHA1 | 2923fd40b3d2248f99d9b6a8439b7a116c80c49b |
| SHA256 | e3e07a39d359413ec49a0aa57c77c0552cfe7667cf5e5ceea99c5ed9c839f678 |
| SHA512 | 24d8bc23f67587bf9dd7b19e3cb2dc52e9799708633b651500f6c3ffb8eb6e76e8885a593ba13aa0deaa61aad658fb734155b66198753051e334db3e752c5847 |
\Users\Admin\AppData\Local\wrLuVnFL4\wbengine.exe
| MD5 | 7986637f34f8dd84371415b56c413a78 |
| SHA1 | 6075c4d4b3db1c53dcd3061c603d3b6dec0456f9 |
| SHA256 | ac30dbd513b6909264d960622914407d1a22869c14fc0f443b23eedf1cc47b96 |
| SHA512 | 82f0d16ec98f0fa281aae9ec2a04ffa581346e71e7a8f3aa1b9e4e79e286aeebdc8c02b59c02f51cc61fdc84d01a43ddc5a3a38cfdba2756c30245a6564c9b70 |
C:\Users\Admin\AppData\Local\pzGsQB23\VERSION.dll
| MD5 | f60fb1dccf8903dcfc3923a0bc92d01d |
| SHA1 | 9ed13c6c611c0ee4981cfa2c55d27bbe28b46599 |
| SHA256 | 9bf546c771e3ec8a7c0913cdffb23cce0a4237d99ce680d17d0d5f6ebb4affed |
| SHA512 | 9b6ca1a0733f0fe467daf38e94399de7c0621819d6ed1c4cbe2ab2b42877123fba4a35040ba550d220357945bae5298971ef301fff51b76dcf40ac23a4fd9e49 |
\Users\Admin\AppData\Local\pzGsQB23\VERSION.dll
| MD5 | fd12c6d6a5dd23600200dc799bb3c603 |
| SHA1 | 24cd273398d2c405536af5ce4d86a112ed689096 |
| SHA256 | 314030cb358bf2c6d438a19d9c0eb45987eb306655ec7fc05a835dec9533307c |
| SHA512 | f311c47b545838b651e8f824a5fd8d0836ec62c6c4aa6daba4954a1ba43a84083955e896ae128efc7a98705f4d3730a4facd1687479fd08c3fd7107d04bb8aae |
C:\Users\Admin\AppData\Local\pzGsQB23\mspaint.exe
| MD5 | 3cbfa96d6235191a14af0346a0c04cf4 |
| SHA1 | b2f723f864da1d8f669c46e13fa26741a7c595ae |
| SHA256 | 31c898c5ccc43604d8c678df364c900b5737cd578fd7966dcc83fa1a38c9fc66 |
| SHA512 | 30d463b7f47361919b0ab01a3fc3239afa3b9c46bc01e498081274ce1136c7fdeabbd6ecbd5c92d1503e30fbc2cad55ac38e6cba29723b130e3e92ebd499f33b |
\Users\Admin\AppData\Local\pzGsQB23\mspaint.exe
| MD5 | 3bfca312db57e667cbb45e7cffeb47f6 |
| SHA1 | 5ec8428bb1c186f74588dfe39b25ef6617945242 |
| SHA256 | 0def40f188f8a69cb4fd4f18bd4ba7484d074a90b77e7b0ffda593232502cf3e |
| SHA512 | c71f36bff177523f54e0eeb94e6c170fe4ca292ae71d5c2bc342d79ee17e153333173b758f8e9c80c6cc4905780e1d1a6d5f99b7c0ab68ec4336a56561ea79af |
C:\Users\Admin\AppData\Local\pzGsQB23\mspaint.exe
| MD5 | 940cc4a1be43db028b8068b122765394 |
| SHA1 | 4529f8a772af8e26d73c3984b50c0ac6b8c672cd |
| SHA256 | 3dd058b65501b82304fc1768602896c3e70cd66f31dd496ccc21b714768b882f |
| SHA512 | 1d4014f7dbaf5dc357ade6f7a80fe42f742fa8c51f1418668573779a611d75788bc76f0e057da10de2235149374e4724cd7516b7e33748bc9555821b16389d6a |
C:\Users\Admin\AppData\Local\SutzP4d5\XmlLite.dll
| MD5 | 4259cab06977e37063bb89f2664eee59 |
| SHA1 | fbac8d1e70fda03f3edc9cbf931ef0e412dd63b1 |
| SHA256 | c48e023bd0ab917fca0d5e462055d5429e788449b39ef49f3b341e7162529091 |
| SHA512 | 05631c302a8da79edc61061057c7ff7b058ef66747f4488a78ea0a982dca89927b0315b260e65603bd4726b3077d98df7a47753576dc8db5026b1adce8d00c96 |
\Users\Admin\AppData\Local\SutzP4d5\XmlLite.dll
| MD5 | 4bd976d651cc5ff6d14022d77c5c3ce9 |
| SHA1 | 1420967513f4033418d48af5f2fbd4b9cfd025fd |
| SHA256 | e359ad11090a07638fefbe8a983f484f32bbc084b7377113d239a903c93f6867 |
| SHA512 | a349874040718612b62f2a6b8905a6109890b6a18c58b0c0a0fc4db1ed596df73502369f7554d683c29603d4b9af9886f8d5e7e7d5dad4ce3d6cb0006c72fd12 |
C:\Users\Admin\AppData\Local\SutzP4d5\DeviceDisplayObjectProvider.exe
| MD5 | 7e2eb3a4ae11190ef4c8a9b9a9123234 |
| SHA1 | 72e98687a8d28614e2131c300403c2822856e865 |
| SHA256 | 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0 |
| SHA512 | 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf |
\Users\Admin\AppData\Local\SutzP4d5\DeviceDisplayObjectProvider.exe
| MD5 | 6d62ba678ba3a9a08f7988b24370a293 |
| SHA1 | 2887ded83dfefd93a87fd3bfb07e4273e4bc38e0 |
| SHA256 | 3526d468fd2b73042132a8b64e1d2ceea999ffa72283281d7d40075433fe76ed |
| SHA512 | 319b87dd3ad1e04fa36ffcc4917b6a34b2939d195a022d2c5491222b6ce73aad3a19bcb02993731bf3f5126f8ae19ed3a3596f695dc7acc247af2ae56f63784a |
C:\Users\Admin\AppData\Local\SutzP4d5\DeviceDisplayObjectProvider.exe
| MD5 | c08a3d80d2301228c77e5d91038bf015 |
| SHA1 | 6f26075238948c164fcdcd710c424bb5449d1173 |
| SHA256 | 1ee863e9cd47e378869cc8579dd8c5f41d10e3facc6b1f6de8c0b8a83c3d67a2 |
| SHA512 | 919db9d6a4e90d0125973a35c12b23d6d46b6e15846dbe8eb027e198a4606e100fdc541a87f8a8dd9faa2de169380a5242bc3cdd71bd0912153ada146ee8df33 |
\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\cEywN5uYGt9\UuG9O\DeviceDisplayObjectProvider.exe
| MD5 | 94a0489aa504481b4a63fd8af79b8944 |
| SHA1 | cd716c694567e38830d089ef90b92a9a7f894f9a |
| SHA256 | 847424e0b6c0c8827b502d8938360ff06b778289ee079497e99779266cf6818e |
| SHA512 | ce63a955c9f8f3f49af1c70b642712272e51b250bbab47203a79a623443fa089dfa09297a665ec160e8805510f94414b3f56f0ea4e4986789106a9ea3dc93936 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk
| MD5 | 183c7bfa1914ed580cb0979b647c71a8 |
| SHA1 | a3ac844b1498bb7078da91a72fa59c4716ce52d7 |
| SHA256 | 1402f641651af9d22a20d4ee5bfd91a38784aed591fa26d788453d6a755ce1f7 |
| SHA512 | 634b0dce879fd7bbb88d3a06c921d6a4e3337ca682613be884f838093fa36076cf7f540cc63c55bbbe756f5b466fda98d6879cc57c7e52becddfb9cf9eb49356 |
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-3470981204-343661084-3367201002-1000\2v\XmlLite.dll
| MD5 | c08098db6d1ea63dda13c25010c24155 |
| SHA1 | c585c53f7c9071544011ec14b5b952fdfb907993 |
| SHA256 | 59469bb679db7ca4e54ba9c42e39afda40ccf985a29cce597dfa636080258b52 |
| SHA512 | 8674c17180ccdbc0ad8322310dd5f98c1bff969e392b862136a6383550af66fbcc03538fdb1aab6c20ed4dde1c2771f01f2288c47e5a4e6dcc5d70abb8855b4a |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\cEywN5uYGt9\VERSION.dll
| MD5 | 16c0e4752e41c65b449c551593a92775 |
| SHA1 | 65c276bfb86067fa94e6891d90516e82aca5abd9 |
| SHA256 | 56f16bf4d3757dd2e66efb69b6915bcb62f01ea7802f70c827c2e945d024d982 |
| SHA512 | 6fb915d2da16ca214627275b6890f9eed54e16de198a76ce4bd020541d206730769bb0bc63686d51848f1eb19f75f19bbefbecada1d5112c04b054eeea6ee528 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\cEywN5uYGt9\UuG9O\XmlLite.dll
| MD5 | a7de03fb91ec679f783bd4a34babf16e |
| SHA1 | f951b91e6d15654a0f06986a7264733f6048557e |
| SHA256 | 15c715fd2c91c8c0baec031b60421ba98927e7ddea90f8e23730a69e2fe4ad5a |
| SHA512 | 3b6c26302443e58e909cc8684d708e0198f03f1157414a136da782b5981cbf8d44a07ea757898ca6809a4f2e80a000c7f136265f5d3966fdd7098d4b34e8fea2 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-29 21:19
Reported
2023-12-30 05:27
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\bRu\mfpmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MBTvBe\msdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\idfnX4Ny\SystemPropertiesAdvanced.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\bRu\mfpmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MBTvBe\msdt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\idfnX4Ny\SystemPropertiesAdvanced.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Vault\\3vwN2tiAMAf\\msdt.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\bRu\mfpmp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\MBTvBe\msdt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\idfnX4Ny\SystemPropertiesAdvanced.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3364 wrote to memory of 4120 | N/A | N/A | C:\Windows\system32\mfpmp.exe |
| PID 3364 wrote to memory of 4120 | N/A | N/A | C:\Windows\system32\mfpmp.exe |
| PID 3364 wrote to memory of 3912 | N/A | N/A | C:\Users\Admin\AppData\Local\bRu\mfpmp.exe |
| PID 3364 wrote to memory of 3912 | N/A | N/A | C:\Users\Admin\AppData\Local\bRu\mfpmp.exe |
| PID 3364 wrote to memory of 4544 | N/A | N/A | C:\Windows\system32\msdt.exe |
| PID 3364 wrote to memory of 4544 | N/A | N/A | C:\Windows\system32\msdt.exe |
| PID 3364 wrote to memory of 4864 | N/A | N/A | C:\Users\Admin\AppData\Local\MBTvBe\msdt.exe |
| PID 3364 wrote to memory of 4864 | N/A | N/A | C:\Users\Admin\AppData\Local\MBTvBe\msdt.exe |
| PID 3364 wrote to memory of 3992 | N/A | N/A | C:\Windows\system32\SystemPropertiesAdvanced.exe |
| PID 3364 wrote to memory of 3992 | N/A | N/A | C:\Windows\system32\SystemPropertiesAdvanced.exe |
| PID 3364 wrote to memory of 2992 | N/A | N/A | C:\Users\Admin\AppData\Local\idfnX4Ny\SystemPropertiesAdvanced.exe |
| PID 3364 wrote to memory of 2992 | N/A | N/A | C:\Users\Admin\AppData\Local\idfnX4Ny\SystemPropertiesAdvanced.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\044a52b7c4b41c9724c7abef08920300.dll,#1
C:\Windows\system32\msdt.exe
C:\Windows\system32\msdt.exe
C:\Users\Admin\AppData\Local\bRu\mfpmp.exe
C:\Users\Admin\AppData\Local\bRu\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Windows\system32\mfpmp.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\idfnX4Ny\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\idfnX4Ny\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\MBTvBe\msdt.exe
C:\Users\Admin\AppData\Local\MBTvBe\msdt.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\Ui2YAWytl\MFPlat.DLL
| MD5 | 2cc5329b04c58dbe82f9e74db823dad9 |
| SHA1 | 4fe06b00b59901664d2d7a64c2eaf62ecb1b2fc9 |
| SHA256 | a3860495038d21f02cb2f823ba1127591ece5f35995effb02f21ea97f0260786 |
| SHA512 | 5050e4f5e696ae6df71bd522f21548d18aa42965b82ad97b8e15e9b7a99a92dc497f45aaca3e6dd12be741defd92a8d5645195d290b62fddb7dcc2fdb6bfa7c8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Vault\3vwN2tiAMAf\DUI70.dll
| MD5 | 533b215cc6ec1ef25762ab5b7074f352 |
| SHA1 | d354138b3c72f5130733824bcf3df31ae7c69231 |
| SHA256 | 1369def94b7ff0171320c60dd68bb04a5e6389e697d24a9e182eca52423cd7d3 |
| SHA512 | a3bc810ad6cdf6c3d35267d381680ff50e61bf6e53144de1773dc6686fbfcca061f86c3d3716cb457a0e5fbf439c7a7d2cd58475a89f54a5e6703488efedd0b0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\TQgpskiO\SYSDM.CPL
| MD5 | 6c432773d1fb43322f688af16066bd17 |
| SHA1 | 8c9c30a95887286166b54ba464cbcdae78db6e94 |
| SHA256 | de2ea0a4e5f78ebe413467c361b2889f8431d000833f2d8c1c0315035d8f72cc |
| SHA512 | 18c4d621a8bf2da7b7f4d613e7cae490e85004cf5d13d55c76b4290a8faa6d94627ff162b646bc0fa0d34835e51fe4f512d303f55ed19cf03562fe4f15ad43ce |