Analysis Overview
SHA256
5828977b2ceed7da8ad59af7255116b6eacb7624a0106f0604bc3ce29e4470be
Threat Level: Known bad
The file 0363154b6154c58e1968193a92704afc was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-29 20:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-29 20:39
Reported
2023-12-30 02:14
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sty7\cmstp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Sty7\cmstp.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Hgj0xJjyBk\\WindowsAnytimeUpgradeResults.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Sty7\cmstp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A (61 further identical entries with no recorded details) | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0363154b6154c58e1968193a92704afc.dll,#1
C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
C:\Users\Admin\AppData\Local\Sty7\cmstp.exe
C:\Users\Admin\AppData\Local\Sty7\cmstp.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe
C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe
Network
Files
memory/1936-0-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1936-1-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-4-0x0000000077606000-0x0000000077607000-memory.dmp
memory/1224-5-0x0000000002C50000-0x0000000002C51000-memory.dmp
memory/1224-7-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1936-8-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-9-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-12-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-11-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-13-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-10-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-14-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-15-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-16-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-17-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-19-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-20-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-24-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-26-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-25-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-23-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-22-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-21-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-18-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-28-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-27-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-33-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-34-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-35-0x0000000002C30000-0x0000000002C37000-memory.dmp
memory/1224-32-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-31-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-30-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-29-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-42-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-43-0x0000000077811000-0x0000000077812000-memory.dmp
memory/1224-47-0x0000000077970000-0x0000000077972000-memory.dmp
memory/1224-53-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-59-0x0000000140000000-0x00000001401F8000-memory.dmp
C:\Users\Admin\AppData\Local\Sty7\cmstp.exe
| MD5 | 13387444219b21ee9e6f109ac7590db7 |
| SHA1 | 7ac23cf68d83d5a2f70c3cf8a50352bad59037ef |
| SHA256 | e2d8514882b6306e81dba9476380050ace0d35fe9aac63fb7f9972b5066fe4ea |
| SHA512 | c183e5fe7b7e4acced92e49a29ba1c4b86fd1c8ba8a232a98b61db52fadb4ed73ce5a35643db56e6b005884d4bd5ddf7130175b812a93d3582582e97c0d1f8d6 |
\Users\Admin\AppData\Local\Sty7\cmstp.exe
| MD5 | 82ff66366bef7167fba789a283e2f0f7 |
| SHA1 | 822b52d941c3c01c3638862453e8706ff13d544f |
| SHA256 | 2971873d9dbeac0e6a89a5481123ba98dc059721268e8e2da000af63d6a84ec9 |
| SHA512 | 709d8d5f8d7c6176fdb4327c18feedfcc4303eb0b468a3787cb88edc466a2ecf9f1e75d2ff107531d14272b940488c9174169a9648c6e7c74bd3ec095b6d9835 |
C:\Users\Admin\AppData\Local\Sty7\VERSION.dll
| MD5 | 4d9922b64ec28fe7f5407d029e258a14 |
| SHA1 | dc9522de709d2f208f03570f474c462573e6ee0a |
| SHA256 | a30207d8c4afbaf64f618a04235e48983fec117c34da1ebfce38c9872e4f6b01 |
| SHA512 | 2f885c0b6f54b953b3ee0cd8764f7e2846a65257166e378bf3c2bbcb3e51c28e0bba3ab38d690332f0b3a8367c77484b139ce55768463f07074f0d8dcf39dbfd |
\Users\Admin\AppData\Local\Sty7\VERSION.dll
| MD5 | 5f2a3394213ea01e618e9d2d5908b4f7 |
| SHA1 | 3f2a66bf8c16967dbf903ba7265a0f6c4a297dcb |
| SHA256 | 833167991c2efb13c10232f493b2b0dfe7385b7f943f18258ff5ae2c0b419119 |
| SHA512 | f4717bd4929db410ce55f7f0a6ae6f45a10daa3e7b52c635276e5be7a1b2b8508b266f1a4e5a7e59593bfe4117b50c428d9ac734ca8a3516f3669325f5665c04 |
memory/3008-72-0x0000000000080000-0x0000000000087000-memory.dmp
memory/3008-71-0x0000000140000000-0x00000001401F9000-memory.dmp
C:\Users\Admin\AppData\Local\Sty7\cmstp.exe
| MD5 | 74c6da5522f420c394ae34b2d3d677e3 |
| SHA1 | ba135738ef1fb2f4c2c6c610be2c4e855a526668 |
| SHA256 | 51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6 |
| SHA512 | bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a |
memory/3008-97-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1224-98-0x0000000077606000-0x0000000077607000-memory.dmp
C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe
| MD5 | 6f3f29905f0ec4ce22c1fd8acbf6c6de |
| SHA1 | 68bdfefe549dfa6262ad659f1578f3e87d862773 |
| SHA256 | e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b |
| SHA512 | 16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e |
C:\Users\Admin\AppData\Local\b5RKrJx8\DUI70.dll
| MD5 | 761f682984b464d50dbeb95dc526234e |
| SHA1 | 4c52076ce1a248c81050415cd28ca05f1cbb8e88 |
| SHA256 | bdf17e5462435eee34b4c16c09db0eb38fe2e91abd9d3f2e364b8e8128ec2b9d |
| SHA512 | 6b977fec3e92a21bc628b00cedb448c9a9d877d90507ba14d204db4b6b27ca77f90f07ee7b657e98ed1e7ce07606f35c169ed7aea150c7cdd58b0251e5f2c2d0 |
\Users\Admin\AppData\Local\b5RKrJx8\DUI70.dll
| MD5 | 6c8562b266a3fcf57236e20a19d12a82 |
| SHA1 | 3c8239bfa7bcb0256489c5a4d4b2fbc75a93cce6 |
| SHA256 | ce042790cabc50b32bef40915203056bb0d3ea990773ed501a88ea1754ded2e9 |
| SHA512 | 9bbbc4aad04887afe10a0e1ce9e9879318dbd65039ca3a5b39df97e763fa442bd2a7cd32a3b93380f0fabeda257ff51fec1ce84f5884176088ddb34eaa6ab2b1 |
memory/1504-106-0x0000000000310000-0x0000000000317000-memory.dmp
memory/1504-107-0x0000000140000000-0x000000014022C000-memory.dmp
memory/1504-112-0x0000000140000000-0x000000014022C000-memory.dmp
C:\Users\Admin\AppData\Local\xsrtXrPyV\UxTheme.dll
| MD5 | 35467544c6adc6d1b10000ce905b562f |
| SHA1 | 3d0b8eeccf01183025b07f6f2e78122bbbf62c3d |
| SHA256 | 782b87ae521b2b414ee354ffc9273deb97d7227c8ec28245924d7379cc6b27db |
| SHA512 | f82b4e807ff87cbf09992116c3dfa4eaa12416dead7d5febda9848b5961f9d9c583a454eb4333caf7845a4496183c57882ffaf31c18d98c905620ee8002af8bd |
C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe
| MD5 | 35b387ec3ac1fb60ed5e4c5fa15a6caf |
| SHA1 | adda5a47ac43f08508537350f116fa82f2198030 |
| SHA256 | 1228dac5cf8a64348864671cb0b3ae69195a60fe306d66c63ec7d9ab5e59b7c6 |
| SHA512 | d5bd9df9ef613f8877807d24108d3c8d28da30dce1d21f2c77411a046d89f5c64a11946d53c993a2486e498928f2a5bccd999dc4f896e0e8687d946e41887f11 |
\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe
| MD5 | c4a066139b7fd09fcb67bf15f831c30b |
| SHA1 | 1669eee39602f14e6ede84372ba935f155a8d5e4 |
| SHA256 | 14f240b970fc1f24048db1c93d5e322a3a6d76af6990e373cc9bf1d38b727a82 |
| SHA512 | 46fa0d109581dc88a54b059c3fb0bcc603b532f382f0adbd2ce547d693166932f096e207b1dfc69b305628c800765fd4eb715e1a02c7d197f6e6988bc69edd4e |
\Users\Admin\AppData\Local\xsrtXrPyV\UxTheme.dll
| MD5 | d473ef3adf95e7841e118f142d2b5a31 |
| SHA1 | 3302f62cb77f1666aef7e9c1999a08c181c066e6 |
| SHA256 | 618c1791d05e5027650885958af86d169db59e9bf409fc6c29c106d36925f91f |
| SHA512 | 1fbfb817f5fc0334e514bb69be787c65e203d713c2ded014daefdc57b24ffd8dd529d45a9f9df970ba1fdf0ea74b7cc37e3021c5072866990b959122465da254 |
memory/2204-124-0x00000000000F0000-0x00000000000F7000-memory.dmp
memory/2204-129-0x0000000140000000-0x00000001401F9000-memory.dmp
C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe
| MD5 | c20ed8d016f30a6541e31a43953c50fb |
| SHA1 | add6547eb739886168ec2f066d6cafe6aebf4937 |
| SHA256 | d04da6d5e0778742aa387062c5a47b496237b6a3337ffc4607965e1e0f3392f1 |
| SHA512 | 8df68eec9a2fe364f9aa598c52809336a263798a825e88e80442c788abadfd8ffefa17a8ce50a0869f203a77e2ace9b3b3041486477db43a6e070e82bd10daa1 |
\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\LWtvG\calc.exe
| MD5 | 4d34b1f99259fae461fc97d5507fc9e6 |
| SHA1 | 5b183cf7efc6b9be19dadf51bd6b4c0846d83958 |
| SHA256 | 687ae704c56949c80eb5a340b6ed9e8c4f973a907915bd46c2b2db0d0f2eb36b |
| SHA512 | 82e3627d89f0e264b5a728704d17250d1ba412f4e925cd979f7af49a6abda62a98ef79a9167e4cf6ded8edfeeeef71b48c305192921d509cbf9e8c5182c6bbc7 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
| MD5 | e78096cd2d0b380a968f04ab539686e3 |
| SHA1 | 5eeadaef2e3ae12dcfd7f2dc09c9f427a4b8c9f3 |
| SHA256 | d6ca32341bdee0288b09cbf48442b56129b169090038d3a0cf26c683c1c39309 |
| SHA512 | 88c400b1a63b29cd6e0f941498b48ded6549e409f34e3cfc4813b1fb4e84f8be1e9452d73d790d967bd685d02bd4134d5ca5f73e98e129e374f7d03c289eaabc |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\mErbdODUp\VERSION.dll
| MD5 | cafcbe227238b930e9d428f6499559d7 |
| SHA1 | f285f9b70c26515bbcc2a5b7b164a5eb7b861050 |
| SHA256 | c20ab471273f428b31ac6df55ffe591bc94f9254928f442863fdda277a43f4c0 |
| SHA512 | 7c0131ff191218c6c67a692ca8344274b26295a84ebb21a0f47d0b13c8a1e48717020917792303c4058eee74432a106173ead59133fa9b0188feef7014a8cf57 |
C:\Users\Admin\AppData\Roaming\Microsoft\Hgj0xJjyBk\DUI70.dll
| MD5 | e7e7215c0e80334f37467cbc759f78c3 |
| SHA1 | c8b5b7c077a6db3c2cbcba824d523c295d766590 |
| SHA256 | 946072bdca080cf8d7d271954e61e82323db06ef6c7b65607c9ff359ca736538 |
| SHA512 | dfda1293565ef07eab5ab4311a8db187994233b39606c453fde80c1bd2ba6694e32a00af7aea51626b026ae3d676837c53f9b9917e333cc93edeedbbebb8f828 |
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\LWtvG\UxTheme.dll
| MD5 | 2f5df2fd962eb7390740ced51ab94edc |
| SHA1 | 7c1ac8c01bfc1c106ea41ee960b5054ec364a446 |
| SHA256 | aca94156ac148cda6e6a2a9c8ed7beda4081bde7ce328903af6ec0da431cd30a |
| SHA512 | f88fd3ba81d499a0c01f298bf4e43ba45b9781ee5de068907f3fa44a6e5123beabc5f1dbf956f28a89d3069df116c8780a9d8aea9874d83f1198f62045628d6e |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-29 20:39
Reported
2023-12-30 02:14
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\S0\\RecoveryDrive.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A (60 further identical entries with no recorded details) | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0363154b6154c58e1968193a92704afc.dll,#1
C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\MDMAppInstaller.exe
C:\Windows\system32\RecoveryDrive.exe
C:\Windows\system32\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe
C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
Files
memory/924-0-0x000001D3FB4E0000-0x000001D3FB4E7000-memory.dmp
memory/924-1-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-4-0x0000000002F80000-0x0000000002F81000-memory.dmp
memory/3388-6-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-9-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-8-0x00007FFD81E2A000-0x00007FFD81E2B000-memory.dmp
memory/924-7-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-10-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-11-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-12-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-13-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-14-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-15-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-16-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-17-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-18-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-19-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-20-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-21-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-22-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-23-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-24-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-25-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-26-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-27-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-30-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-31-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-33-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-32-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-35-0x00000000036E0000-0x00000000036E7000-memory.dmp
memory/3388-34-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-29-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-28-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-42-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-43-0x00007FFD83B60000-0x00007FFD83B70000-memory.dmp
memory/3388-52-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3388-54-0x0000000140000000-0x00000001401F8000-memory.dmp
C:\Users\Admin\AppData\Local\T12i\WTSAPI32.dll
| MD5 | 3fa0b7885789ab1186f3a43c8f4f9bab |
| SHA1 | 09a636f2d4b7462eba81f8a1caffa9ba4cccb334 |
| SHA256 | 83c3b77e51732759ed40056919fe6efe4ebf107a864b10299ee8f0a1070be40c |
| SHA512 | fccb95e3c9c911fb5bcca0b8128c057dbbd514ab6f84549d79a303c156899993ff00bb0a6faeacd57865316969fcb22851c68066a59baf894c36baf814bb2aec |
C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe
| MD5 | 30e978cc6830b04f1e7ed285cccaa746 |
| SHA1 | e915147c17e113c676c635e2102bbff90fb7aa52 |
| SHA256 | dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766 |
| SHA512 | 331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214 |
memory/2400-63-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/2400-69-0x0000000140000000-0x00000001401F9000-memory.dmp
C:\Users\Admin\AppData\Local\T12i\WTSAPI32.dll
| MD5 | 03b19b3c61bcac1feeca77f069bbd1e5 |
| SHA1 | 3e9dd661aea282ddd05d061ba542db36fb9bf255 |
| SHA256 | d0cfeb1b04176ec5e1179b7230d9c72ab12b9e6b895ed2b01a4ea357b3206af4 |
| SHA512 | 37b333156e6d98955d0a6f16277087e72ec45e4f1bd3fa60142168d7fff33075ff133cf08da38b111d8594aa7ffbc9cbcbf9758a9d2fa502018cde5f962299a4 |
memory/2400-64-0x000001FE99730000-0x000001FE99737000-memory.dmp
C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe
| MD5 | 8642ade7f1b6db865b2fc489f509f622 |
| SHA1 | 9414ac31c33f9c67e1d73da482440b0455902d8b |
| SHA256 | 052dd4150d0e7c3e79e5958dacdfc1aee87cc76e1c4ec75dcc071f2473b19a44 |
| SHA512 | 6fce6477d24481e0ab4002a078329ec95c0a4875918e5183b1a41826907d837f0cce997f2557e107c9aee057a04b447787d30be36353b5099a094cf6716ddf88 |
C:\Users\Admin\AppData\Local\DiB7SxO4K\ReAgent.dll
| MD5 | b2e6aa6df3db504b5d79157b7cd09ab4 |
| SHA1 | bdd2a3d924cbbaaa867ac91c4495662acbb9b4cf |
| SHA256 | 1e0cc051f55c4e93d5b5d19a7517afe804302c6971d40f49d81c9076d1151bb4 |
| SHA512 | d8891971ba5c3696ccef5aac92737daf25a4e9fc2e6c6a511c335bb3f483fce824185380ea5d0eef558e0cefdc417ac44697118b7f71f45e758fc70e84e9dae3 |
memory/4416-80-0x000002BDDBA70000-0x000002BDDBA77000-memory.dmp
C:\Users\Admin\AppData\Local\DiB7SxO4K\ReAgent.dll
| MD5 | 0b5d2c967d288cfd28af7e641f43f7df |
| SHA1 | 50a2a3bcba8ec563edd5f6c7eef438ef34dfe788 |
| SHA256 | 1e006587c028461d9f578e9be4da920d1a51c89080981e38f8307c47cde64712 |
| SHA512 | 1f6412fae4c314afae3fa6cff6eba25713ffaf82a30a7c1725bf9916e4fb31c35437fc9cddde722ac42b0f7ef065a5a2e77ca51ab9bf6cd6dc70c29be2e6480f |
C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe
| MD5 | 39f3931498bcf86baaedbc9b37339f24 |
| SHA1 | 10778ed0b8989a187a94cce735f05d93942743e2 |
| SHA256 | a0124dd2b5748bf50b419cb203928138788addbd91146393b9d56be40fb99223 |
| SHA512 | a727201d04c8257ed6f9f8824c93700f56213d71162b45242ce0f5d70fbc2b528f9723683a8ae732a3948d122b8f6395fd87cadd1c852dafc667d04ea5ccf0df |
memory/4416-86-0x0000000140000000-0x00000001401F9000-memory.dmp
C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe
| MD5 | b4170e0267f661f6d8bb2d91f2bf92a0 |
| SHA1 | 4cae850d79e2ca8ad3adb3d130eb8a070622f622 |
| SHA256 | bed0cd1ce22617111543504d1f3c34a7d29a3002b19805407ee2693c8732282c |
| SHA512 | 70651a46c86ab1a856cd2d50734ed528d840e052a7a7ab37b4097e1ce075005b1c4ef1fdb05b1f05f6a2f7f0e9fa2d420ff5c754f915e9f9f11dd822f98bdf45 |
C:\Users\Admin\AppData\Local\ynvUt\appwiz.cpl
| MD5 | 7b9dc495effd6f8b350bda01192d5d38 |
| SHA1 | 86c4fd9648b22420664aa854665c4274ca2c5bee |
| SHA256 | d3aabcd52cdfc6d3949cf3c6faf614fa5fba663670526c74061ddad23722f052 |
| SHA512 | 70fb73b75646136b77911399ec889f4c0cd636c8d3b320fca189bcd10fc9cf776e7dd2131caa804d3ee81c53a646d88c57d82c9de8b697dd8a269bf9f755e2ad |
C:\Users\Admin\AppData\Local\ynvUt\appwiz.cpl
| MD5 | 8b2e50cd9081acc9e81bcfdf1218a461 |
| SHA1 | 35488e703a8da322e34ac84e802645db574917e9 |
| SHA256 | 6e0b7cf8e54d4ccb651d8530a5f3634dc88e348547da15cc72b15f3f231c9669 |
| SHA512 | 65f6c72c63b5a9e0e02b3daaf264f3c36d3bf844f7213c58cdc1379f56a38bd5b9ca5d934de2c94fa9a9ff28ea570ffcf09b53591429abf6d92c8747cc06e5eb |
memory/4760-97-0x000002403D6E0000-0x000002403D6E7000-memory.dmp
memory/4760-103-0x0000000140000000-0x00000001401F9000-memory.dmp
C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe
| MD5 | 10f70fbe0067afc89a0a6f2cdc547c80 |
| SHA1 | 2d39851a8dbc7f49a75b34a1f0e735fae51a996c |
| SHA256 | 44ec5b759837632271e8273bc9cc8d2db245651a38ad61983a149bcf3c303341 |
| SHA512 | a6bc5a763addbcf415380753a2a86140083df225b3ad449adf757914e53c80f9e70ee0a97bd3dcf029267cd2cb4deb5a896911b70d164632b550f00f04c2cd9f |
C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe
| MD5 | d6cd8bef71458804dbc33b88ace56372 |
| SHA1 | a18b58445be2492c5d37abad69b5aa0d29416a60 |
| SHA256 | fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8 |
| SHA512 | 1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk
| MD5 | 085d583552d1eb72e1422fc92c69242c |
| SHA1 | 6fbfc1bbc9224c111147df9e9594b773791f203b |
| SHA256 | 32d006352829aacee3c6cc3da82f93296e56f6ac343fbcf75b7f10dfe620862b |
| SHA512 | 3233442b3d70892b41e46fd4cc4894c322cb0106e1a63d028b58d9d8e270f02c8ee859c0a9ea2604e39191e1e2b4135afa7d62ebecb0c6271b323d1a2472ce78 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7FO9lXLVf\WTSAPI32.dll
| MD5 | 5a9b99c4d0575658dfa0c8156609afa3 |
| SHA1 | 378242aa0f286110e9b4716919310e1a8b4e94d1 |
| SHA256 | 6802c75118da28d6e0db40eed175205f32f1b3d1b3b1f37884121e800af3bdb2 |
| SHA512 | e92bd8246896c2803a832a0bfbe01e077fd913b2e2d3080f2bda413c570173c25f1e9dfc26ffa6ff58533e04bd6916f53c147c1fc4c97faa4b8611cf23e3534f |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\S0\ReAgent.dll
| MD5 | 03368cacb42d1be38ad6af5c7f08c3ed |
| SHA1 | ecbdb102613bd6d90fc14e5c1a2804fa11c56868 |
| SHA256 | e3732f1b5cd7a29876fc285f45c1aed7d9792b84ebe70c0e29f833fd19824d6e |
| SHA512 | 9685534ec032e37ff005a0625c64388fd3815c797a03059548b4b13171f4efe6a55b8bdd5986324eb9a98fca54cd0dc8a491095ece446bb9851f40a865ce6c7a |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\KUs38Vbc\appwiz.cpl
| MD5 | 04346ed6595d8fbaac2ae155cf02a221 |
| SHA1 | a904f217a90183047678e4dfeaf2cc3592fe3caf |
| SHA256 | 4a0d9a6fea773ea64be87b3a9efdd3f61afc553a9e55d1a4000d514c90739aba |
| SHA512 | f707f140dfaaa4980183354b9b7718d13514222c9b47f1a0c8cb8eefce249094585558835f1c2383d9a492afddde98bb6bee03dde5b198758f320ff8637645f0 |