Malware Analysis Report

2024-11-30 21:30

Sample ID 231229-zfdbkahdf2
Target 0363154b6154c58e1968193a92704afc
SHA256 5828977b2ceed7da8ad59af7255116b6eacb7624a0106f0604bc3ce29e4470be
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5828977b2ceed7da8ad59af7255116b6eacb7624a0106f0604bc3ce29e4470be

Threat Level: Known bad

The file 0363154b6154c58e1968193a92704afc was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

No technique mapping is included in this export of the report; the table of contents refers to the Enterprise Matrix V15, but the matrix itself is not present.

Analysis: static1

Detonation Overview

Reported

2023-12-29 20:39

Signatures

Unsigned PE

Description, Indicator, Process, Target: none exported (the table row is empty).

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-29 20:39

Reported

2023-12-30 02:14

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0363154b6154c58e1968193a92704afc.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description, Indicator, Process, Target: none exported (the table row is empty).

Loads dropped DLL

Seven load events; the process is recorded for three of them and the Description, Indicator and Target columns are empty throughout:

C:\Users\Admin\AppData\Local\Sty7\cmstp.exe
C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe

Each of these three runs from a user-writable directory under a name that the report also shows launched from C:\Windows\system32, and the Files section lists a DLL dropped into the same directory (VERSION.dll, DUI70.dll and UxTheme.dll respectively). The report does not state which DLL each process loaded; the pairing is what a reader can infer from the paths.

Adds Run key to start application

persistence

Set value (str)
Key: \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run
Value: Lgpbj
Data: C:\Users\Admin\AppData\Roaming\Microsoft\Hgj0xJjyBk\WindowsAnytimeUpgradeResults.exe
Process and Target: not exported. (The raw export doubles the backslashes in the data; it is shown unescaped here.)

The autostart points into a directory under the user's Roaming profile, which the Files section also shows receiving DUI70.dll. A second autostart is visible in the Files section as a shortcut dropped into the user's Startup folder (Yiudzqwx.lnk); no signature fired for it.

Checks whether UAC is enabled

evasion trojan

Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by each of:

C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\Sty7\cmstp.exe
C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe

Target: not exported. Reading EnableLUA is weak evidence on its own (installers do it too); what matters here is that the three same-named copies under AppData perform the identical query as the rundll32.exe host, which is consistent with the same code running in each of them.

Suspicious behavior: EnumeratesProcesses

64 events. The process is recorded for three of them (C:\Windows\system32\rundll32.exe in each case); the remaining 61 rows carry no Description, Indicator, Process or Target.

Suspicious use of WriteProcessMemory

Each row in the raw export is repeated three times; deduplicated, writer first:

PID 1224 -> PID 2604  C:\Windows\system32\cmstp.exe  (3 events)
PID 1224 -> PID 3008  C:\Users\Admin\AppData\Local\Sty7\cmstp.exe  (3 events)
PID 1224 -> PID 580   C:\Windows\system32\WindowsAnytimeUpgradeResults.exe  (3 events)
PID 1224 -> PID 1504  C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe  (3 events)
PID 1224 -> PID 2548  C:\Windows\system32\calc.exe  (3 events)
PID 1224 -> PID 2204  C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe  (3 events)

Indicator and Process columns: not exported. Every write comes from PID 1224, which the Processes list below does not name; the earliest memory dumps (indices 0, 1 and 8) belong to PID 1936, which suggests 1224 is a different process from the submitted rundll32.exe host, most likely one the sample moved into. The sequence is the same for each Windows binary: the System32 original first, then the same-named copy under AppData\Local. Note that this signature also fires for the writes a parent makes into a child it has just created, so on its own it does not establish injection into these six processes.

Uses Task Scheduler COM API

persistence

Processes

Image path, followed by the recorded command line where it differs from the bare path (for all but rundll32.exe the command line is the path with no arguments):

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0363154b6154c58e1968193a92704afc.dll,#1

C:\Windows\system32\cmstp.exe

C:\Users\Admin\AppData\Local\Sty7\cmstp.exe

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe

C:\Windows\system32\calc.exe

C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe

Network

No network activity was recorded in this detonation.

Files

Entries are either memory dumps (memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp) or dropped files with MD5, SHA1, SHA256 and SHA512. Several paths appear twice with different hashes, and some appear once with and once without the drive letter (\Users\... is the same file as C:\Users\...): each entry is a separate capture of the file's content during the run, so match on every listed hash rather than assuming a single final value.

Memory dumps, grouped by process and region (dump indices in parentheses):

PID 1936
  0x0000000000110000-0x0000000000117000  28 KiB  (0)
  0x0000000140000000-0x00000001401F8000  2,064,384 bytes  (1, 8)

PID 1224
  0x0000000077606000-0x0000000077607000  4 KiB  (4)
  0x0000000002C50000-0x0000000002C51000  4 KiB  (5)
  0x0000000140000000-0x00000001401F8000  2,064,384 bytes  (7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 42, 53, 59)
  0x0000000002C30000-0x0000000002C37000  28 KiB  (35)
  0x0000000077811000-0x0000000077812000  4 KiB  (43)
  0x0000000077970000-0x0000000077972000  8 KiB  (47)

The 2,064,384-byte region at 0x140000000 (the default preferred image base for 64-bit executables linked by MSVC) is captured from both PIDs, and each PID also has a separate 28 KiB region; the same pattern repeats for the processes dumped further down this list. PID 1224 is not named anywhere in the report's process list.

C:\Users\Admin\AppData\Local\Sty7\cmstp.exe

MD5 13387444219b21ee9e6f109ac7590db7
SHA1 7ac23cf68d83d5a2f70c3cf8a50352bad59037ef
SHA256 e2d8514882b6306e81dba9476380050ace0d35fe9aac63fb7f9972b5066fe4ea
SHA512 c183e5fe7b7e4acced92e49a29ba1c4b86fd1c8ba8a232a98b61db52fadb4ed73ce5a35643db56e6b005884d4bd5ddf7130175b812a93d3582582e97c0d1f8d6

\Users\Admin\AppData\Local\Sty7\cmstp.exe

MD5 82ff66366bef7167fba789a283e2f0f7
SHA1 822b52d941c3c01c3638862453e8706ff13d544f
SHA256 2971873d9dbeac0e6a89a5481123ba98dc059721268e8e2da000af63d6a84ec9
SHA512 709d8d5f8d7c6176fdb4327c18feedfcc4303eb0b468a3787cb88edc466a2ecf9f1e75d2ff107531d14272b940488c9174169a9648c6e7c74bd3ec095b6d9835

C:\Users\Admin\AppData\Local\Sty7\VERSION.dll

MD5 4d9922b64ec28fe7f5407d029e258a14
SHA1 dc9522de709d2f208f03570f474c462573e6ee0a
SHA256 a30207d8c4afbaf64f618a04235e48983fec117c34da1ebfce38c9872e4f6b01
SHA512 2f885c0b6f54b953b3ee0cd8764f7e2846a65257166e378bf3c2bbcb3e51c28e0bba3ab38d690332f0b3a8367c77484b139ce55768463f07074f0d8dcf39dbfd

\Users\Admin\AppData\Local\Sty7\VERSION.dll

MD5 5f2a3394213ea01e618e9d2d5908b4f7
SHA1 3f2a66bf8c16967dbf903ba7265a0f6c4a297dcb
SHA256 833167991c2efb13c10232f493b2b0dfe7385b7f943f18258ff5ae2c0b419119
SHA512 f4717bd4929db410ce55f7f0a6ae6f45a10daa3e7b52c635276e5be7a1b2b8508b266f1a4e5a7e59593bfe4117b50c428d9ac734ca8a3516f3669325f5665c04

memory/3008-72-0x0000000000080000-0x0000000000087000-memory.dmp  (28 KiB)

memory/3008-71-0x0000000140000000-0x00000001401F9000-memory.dmp  (2,068,480 bytes)

C:\Users\Admin\AppData\Local\Sty7\cmstp.exe

MD5 74c6da5522f420c394ae34b2d3d677e3
SHA1 ba135738ef1fb2f4c2c6c610be2c4e855a526668
SHA256 51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6
SHA512 bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

memory/3008-97-0x0000000140000000-0x00000001401F9000-memory.dmp  (2,068,480 bytes)

memory/1224-98-0x0000000077606000-0x0000000077607000-memory.dmp  (4 KiB)

C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe

MD5 6f3f29905f0ec4ce22c1fd8acbf6c6de
SHA1 68bdfefe549dfa6262ad659f1578f3e87d862773
SHA256 e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b
SHA512 16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

C:\Users\Admin\AppData\Local\b5RKrJx8\DUI70.dll

MD5 761f682984b464d50dbeb95dc526234e
SHA1 4c52076ce1a248c81050415cd28ca05f1cbb8e88
SHA256 bdf17e5462435eee34b4c16c09db0eb38fe2e91abd9d3f2e364b8e8128ec2b9d
SHA512 6b977fec3e92a21bc628b00cedb448c9a9d877d90507ba14d204db4b6b27ca77f90f07ee7b657e98ed1e7ce07606f35c169ed7aea150c7cdd58b0251e5f2c2d0

\Users\Admin\AppData\Local\b5RKrJx8\DUI70.dll

MD5 6c8562b266a3fcf57236e20a19d12a82
SHA1 3c8239bfa7bcb0256489c5a4d4b2fbc75a93cce6
SHA256 ce042790cabc50b32bef40915203056bb0d3ea990773ed501a88ea1754ded2e9
SHA512 9bbbc4aad04887afe10a0e1ce9e9879318dbd65039ca3a5b39df97e763fa442bd2a7cd32a3b93380f0fabeda257ff51fec1ce84f5884176088ddb34eaa6ab2b1

memory/1504-106-0x0000000000310000-0x0000000000317000-memory.dmp  (28 KiB)

memory/1504-107-0x0000000140000000-0x000000014022C000-memory.dmp  (2,277,376 bytes)

memory/1504-112-0x0000000140000000-0x000000014022C000-memory.dmp  (2,277,376 bytes)

C:\Users\Admin\AppData\Local\xsrtXrPyV\UxTheme.dll

MD5 35467544c6adc6d1b10000ce905b562f
SHA1 3d0b8eeccf01183025b07f6f2e78122bbbf62c3d
SHA256 782b87ae521b2b414ee354ffc9273deb97d7227c8ec28245924d7379cc6b27db
SHA512 f82b4e807ff87cbf09992116c3dfa4eaa12416dead7d5febda9848b5961f9d9c583a454eb4333caf7845a4496183c57882ffaf31c18d98c905620ee8002af8bd

C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe

MD5 35b387ec3ac1fb60ed5e4c5fa15a6caf
SHA1 adda5a47ac43f08508537350f116fa82f2198030
SHA256 1228dac5cf8a64348864671cb0b3ae69195a60fe306d66c63ec7d9ab5e59b7c6
SHA512 d5bd9df9ef613f8877807d24108d3c8d28da30dce1d21f2c77411a046d89f5c64a11946d53c993a2486e498928f2a5bccd999dc4f896e0e8687d946e41887f11

\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe

MD5 c4a066139b7fd09fcb67bf15f831c30b
SHA1 1669eee39602f14e6ede84372ba935f155a8d5e4
SHA256 14f240b970fc1f24048db1c93d5e322a3a6d76af6990e373cc9bf1d38b727a82
SHA512 46fa0d109581dc88a54b059c3fb0bcc603b532f382f0adbd2ce547d693166932f096e207b1dfc69b305628c800765fd4eb715e1a02c7d197f6e6988bc69edd4e

\Users\Admin\AppData\Local\xsrtXrPyV\UxTheme.dll

MD5 d473ef3adf95e7841e118f142d2b5a31
SHA1 3302f62cb77f1666aef7e9c1999a08c181c066e6
SHA256 618c1791d05e5027650885958af86d169db59e9bf409fc6c29c106d36925f91f
SHA512 1fbfb817f5fc0334e514bb69be787c65e203d713c2ded014daefdc57b24ffd8dd529d45a9f9df970ba1fdf0ea74b7cc37e3021c5072866990b959122465da254

memory/2204-124-0x00000000000F0000-0x00000000000F7000-memory.dmp  (28 KiB)

memory/2204-129-0x0000000140000000-0x00000001401F9000-memory.dmp  (2,068,480 bytes)

C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe

MD5 c20ed8d016f30a6541e31a43953c50fb
SHA1 add6547eb739886168ec2f066d6cafe6aebf4937
SHA256 d04da6d5e0778742aa387062c5a47b496237b6a3337ffc4607965e1e0f3392f1
SHA512 8df68eec9a2fe364f9aa598c52809336a263798a825e88e80442c788abadfd8ffefa17a8ce50a0869f203a77e2ace9b3b3041486477db43a6e070e82bd10daa1

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\LWtvG\calc.exe

MD5 4d34b1f99259fae461fc97d5507fc9e6
SHA1 5b183cf7efc6b9be19dadf51bd6b4c0846d83958
SHA256 687ae704c56949c80eb5a340b6ed9e8c4f973a907915bd46c2b2db0d0f2eb36b
SHA512 82e3627d89f0e264b5a728704d17250d1ba412f4e925cd979f7af49a6abda62a98ef79a9167e4cf6ded8edfeeeef71b48c305192921d509cbf9e8c5182c6bbc7

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 e78096cd2d0b380a968f04ab539686e3
SHA1 5eeadaef2e3ae12dcfd7f2dc09c9f427a4b8c9f3
SHA256 d6ca32341bdee0288b09cbf48442b56129b169090038d3a0cf26c683c1c39309
SHA512 88c400b1a63b29cd6e0f941498b48ded6549e409f34e3cfc4813b1fb4e84f8be1e9452d73d790d967bd685d02bd4134d5ca5f73e98e129e374f7d03c289eaabc

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\mErbdODUp\VERSION.dll

MD5 cafcbe227238b930e9d428f6499559d7
SHA1 f285f9b70c26515bbcc2a5b7b164a5eb7b861050
SHA256 c20ab471273f428b31ac6df55ffe591bc94f9254928f442863fdda277a43f4c0
SHA512 7c0131ff191218c6c67a692ca8344274b26295a84ebb21a0f47d0b13c8a1e48717020917792303c4058eee74432a106173ead59133fa9b0188feef7014a8cf57

C:\Users\Admin\AppData\Roaming\Microsoft\Hgj0xJjyBk\DUI70.dll

MD5 e7e7215c0e80334f37467cbc759f78c3
SHA1 c8b5b7c077a6db3c2cbcba824d523c295d766590
SHA256 946072bdca080cf8d7d271954e61e82323db06ef6c7b65607c9ff359ca736538
SHA512 dfda1293565ef07eab5ab4311a8db187994233b39606c453fde80c1bd2ba6694e32a00af7aea51626b026ae3d676837c53f9b9917e333cc93edeedbbebb8f828

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\LWtvG\UxTheme.dll

MD5 2f5df2fd962eb7390740ced51ab94edc
SHA1 7c1ac8c01bfc1c106ea41ee960b5054ec364a446
SHA256 aca94156ac148cda6e6a2a9c8ed7beda4081bde7ce328903af6ec0da431cd30a
SHA512 f88fd3ba81d499a0c01f298bf4e43ba45b9781ee5de068907f3fa44a6e5123beabc5f1dbf956f28a89d3069df116c8780a9d8aea9874d83f1198f62045628d6e
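The memory dumps in this detonation show the same 0x140000000 region, of identical size, captured from more than one PID, plus a separate 28 KiB region in each process. The following is an added example written for this page (it is not part of the sandbox report or of the tooling that produced it): it parses names in the report's memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp form and groups them by (base, size) across processes, which is the quickest way to see which processes received the same image and which received the small region. The name list is a subset of the behavioral1 entries above, embedded as constructed input; the functions run unchanged on the behavioral2 entries. That 0x140000000 is the default preferred base for 64-bit MSVC-linked executables is a fact about the linker, not something the report states.

```python
"""Cross-process view of sandbox memory-dump names: the same (base, size)
captured from several PIDs usually means one image was staged into each."""
import re
from collections import defaultdict

# Subset of the behavioral1 dump names from this report, embedded as constructed input.
SAMPLE_DUMPS = """
memory/1936-0-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1936-1-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-4-0x0000000077606000-0x0000000077607000-memory.dmp
memory/1224-5-0x0000000002C50000-0x0000000002C51000-memory.dmp
memory/1224-7-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1936-8-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/1224-35-0x0000000002C30000-0x0000000002C37000-memory.dmp
memory/1224-47-0x0000000077970000-0x0000000077972000-memory.dmp
memory/1224-59-0x0000000140000000-0x00000001401F8000-memory.dmp
memory/3008-72-0x0000000000080000-0x0000000000087000-memory.dmp
memory/3008-71-0x0000000140000000-0x00000001401F9000-memory.dmp
memory/1504-106-0x0000000000310000-0x0000000000317000-memory.dmp
memory/1504-107-0x0000000140000000-0x000000014022C000-memory.dmp
memory/2204-124-0x00000000000F0000-0x00000000000F7000-memory.dmp
memory/2204-129-0x0000000140000000-0x00000001401F9000-memory.dmp
""".split()

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
MSVC_X64_IMAGE_BASE = 0x140000000  # default preferred base for 64-bit EXEs linked by MSVC


def parse_dump_name(name):
    """Split 'memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp' into numbers; None if malformed."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:  # a zero-length or inverted range is not a region
        return None
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "base": start, "size": end - start}


def region_map(names):
    """{(base, size): {pid: [dump indices]}} for every parseable name."""
    regions = defaultdict(lambda: defaultdict(list))
    for d in filter(None, map(parse_dump_name, names)):
        regions[(d["base"], d["size"])][d["pid"]].append(d["idx"])
    return {k: {pid: sorted(v) for pid, v in pids.items()} for k, pids in regions.items()}


def shared_regions(names, min_pids=2):
    """Regions with identical base and size captured from at least min_pids processes."""
    return {k: pids for k, pids in region_map(names).items() if len(pids) >= min_pids}


def regions_of_size(names, size):
    """{pid: [(base, idx)]} for every dump of exactly `size` bytes, whatever its base."""
    hits = defaultdict(list)
    for d in filter(None, map(parse_dump_name, names)):
        if d["size"] == size:
            hits[d["pid"]].append((d["base"], d["idx"]))
    return {pid: sorted(v) for pid, v in hits.items()}


def describe(names):
    """One line per shared region, most widely shared first."""
    lines = []
    for (base, size), pids in sorted(shared_regions(names).items(), key=lambda kv: -len(kv[1])):
        tag = " (MSVC x64 default image base)" if base == MSVC_X64_IMAGE_BASE else ""
        lines.append(f"0x{base:X} +0x{size:X} ({size:,} bytes){tag}: PIDs "
                     + ", ".join(str(p) for p in sorted(pids)))
    return lines


if __name__ == "__main__":
    for line in describe(SAMPLE_DUMPS):
        print(line)
    print("28 KiB regions by PID:", regions_of_size(SAMPLE_DUMPS, 0x7000))
```

On this input the two shared regions are the 0x1F8000-byte image in PIDs 1936 and 1224 and the 0x1F9000-byte image in PIDs 3008 and 2204; PID 1504 holds a 0x22C000-byte image at the same base and is therefore reported separately, and every one of the five PIDs has exactly one 28 KiB region. Sizes differing by a few pages at the same base are worth a second look before concluding the images are identical.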

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-29 20:39

Reported

2023-12-30 02:14

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0363154b6154c58e1968193a92704afc.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description, Indicator, Process, Target: none exported (the table row is empty).

Adds Run key to start application

persistence

Set value (str)
Key: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: Dturazvnnsjkgvr
Data: C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\S0\RecoveryDrive.exe
Process and Target: not exported. (The raw export doubles the backslashes in the data; it is shown unescaped here.)

The autostart again points into a directory under the user's Roaming profile, which the Files section shows receiving ReAgent.dll; a shortcut (Dvizybqqo.lnk) is also dropped into the user's Startup folder without a signature firing for it.
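Both Run-key writes in this report (Lgpbj in behavioral1, Dturazvnnsjkgvr in behavioral2) point the autostart at an executable under the user's Roaming profile. The following is an added example written for this page, not part of the sandbox report or of any vendor tool: it parses rows in the report's "Set value (str) <key>\<name> = "<data>"" format, unescapes the doubled backslashes, resolves the hive and SID, and flags Run values whose image lives where a standard user can write. The third sample row (an HKLM entry for a Program Files path) is constructed for contrast and is not from the report, and the list of protected roots is an assumption that covers only the defaults of a C: install.

```python
"""Triage of "Adds Run key" rows from a sandbox report: parse the write,
unescape the data and decide whether the autostart image is user-writable."""
import re
from dataclasses import dataclass
from typing import Optional

# The two rows from this report, plus one constructed HKLM row for contrast (not from the report).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Hgj0xJjyBk\\WindowsAnytimeUpgradeResults.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\Keys\\S0\\RecoveryDrive.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Program Files\\Windows Defender\\MSASCuiL.exe"',
]

ROW_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) (?P<key>\\REGISTRY\\[^ ]+)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"$'
)
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# Assumed protected roots of a default C: install; anything else under C:\ is treated as user-writable.
PROTECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class RunEntry:
    hive: str             # "HKLM" or "HKU"
    sid: Optional[str]    # account SID for HKU entries, None for HKLM
    key: str              # subkey path below the hive
    name: str             # value name
    image: str            # executable path after unescaping and argument stripping
    user_writable: bool   # True when the image lives where a standard user can write
    is_run_key: bool      # True when the key is the CurrentVersion\Run key


def image_from_data(data: str) -> str:
    """Recover the executable path from the REG_SZ as the sandbox prints it."""
    data = data.replace("\\\\", "\\").strip()  # the export doubles every backslash
    if data.startswith('"'):                     # quoted image, possibly followed by arguments
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted: cut after the first executable-looking extension so paths with spaces survive.
    m = re.match(r"(?i)(.*?\.(?:exe|dll|cmd|bat|vbs|js|scr))(?:\s|$)", data)
    return m.group(1) if m else data.split(" ", 1)[0]


def parse_run_row(row: str) -> Optional[RunEntry]:
    """Parse one 'Set value (...)' row; None when the line is not in that format."""
    m = ROW_RE.match(row)
    if not m:
        return None
    key = m.group("key")
    sid = None
    if key.upper().startswith("\\REGISTRY\\USER\\"):
        hive = "HKU"
        sid, _, subkey = key[len("\\REGISTRY\\USER\\"):].partition("\\")
    elif key.upper().startswith("\\REGISTRY\\MACHINE\\"):
        hive = "HKLM"
        subkey = key[len("\\REGISTRY\\MACHINE\\"):]
    else:
        return None
    image = image_from_data(m.group("data"))
    low = image.lower()
    writable = low.startswith("c:\\") and not low.startswith(PROTECTED_ROOTS)
    is_run = ("\\" + subkey).lower().endswith(RUN_KEY_SUFFIX)
    return RunEntry(hive, sid, subkey, m.group("name"), image, writable, is_run)


def suspicious_autostarts(rows):
    """Run-key values whose image sits in a user-writable path, in row order."""
    out = []
    for row in rows:
        e = parse_run_row(row)
        if e and e.is_run_key and e.user_writable:
            out.append(e)
    return out


if __name__ == "__main__":
    for e in suspicious_autostarts(SAMPLE_ROWS):
        scope = f"{e.hive}\\{e.sid}" if e.sid else e.hive
        print(f"{scope}: {e.name} -> {e.image}")
```

The two report rows are returned and the constructed Program Files entry is not. In production the same classification runs directly against HKU\<SID>\...\Run and HKLM\...\Run rather than against sandbox rows; the parsing step is only needed because the report flattens the write into one line.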

Checks whether UAC is enabled

evasion trojan

Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by each of:

C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe
C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe
C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe

Target: not exported. As on Windows 7, the three same-named copies under AppData perform the identical query as the rundll32.exe host.

Suspicious behavior: EnumeratesProcesses

64 events. The process is recorded for four of them (C:\Windows\system32\rundll32.exe in each case); the remaining 60 rows carry no Description, Indicator, Process or Target.

Suspicious use of AdjustPrivilegeToken

Eight token adjustments, alternating SeShutdownPrivilege and SeCreatePagefilePrivilege (four of each). Indicator, Process and Target: not exported. This pair of privileges is enabled routinely by shell and settings components, so the signature carries little weight on its own.

Suspicious use of FindShellTrayWindow

Two events; no detail exported. The Shell_TrayWnd window belongs to explorer.exe, and looking it up is a common way to obtain explorer's process ID before injecting into it; the report records the call, not what was done with the result.

Suspicious use of UnmapMainImage

One event; no detail exported. Unmapping a process's main image is the step that precedes writing a replacement image into it (process hollowing); the report does not say which process was unmapped.

Suspicious use of WriteProcessMemory

Each row in the raw export is repeated twice; deduplicated, writer first:

PID 3388 -> PID 3428  C:\Windows\system32\MDMAppInstaller.exe  (2 events)
PID 3388 -> PID 2400  C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe  (2 events)
PID 3388 -> PID 2880  C:\Windows\system32\RecoveryDrive.exe  (2 events)
PID 3388 -> PID 4416  C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe  (2 events)
PID 3388 -> PID 4080  C:\Windows\system32\OptionalFeatures.exe  (2 events)
PID 3388 -> PID 4760  C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe  (2 events)

Indicator and Process columns: not exported. As in the Windows 7 run, every write comes from a single PID (3388) that the Processes list does not name, while the earliest memory dumps (indices 0, 1 and 7) belong to PID 924. The original-then-copy sequence is the same, applied to three different Windows binaries than on Windows 7. This signature also fires for a parent's writes into a child it has just created, so it does not by itself establish injection into these six processes.

Uses Task Scheduler COM API

persistence

Processes

Image path, followed by the recorded command line where it differs from the bare path (for all but rundll32.exe the command line is the path with no arguments):

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0363154b6154c58e1968193a92704afc.dll,#1

C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe

C:\Windows\system32\MDMAppInstaller.exe

C:\Windows\system32\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            208.194.73.20.in-addr.arpa    udp
US       8.8.8.8:53            1.181.190.20.in-addr.arpa     udp
US       8.8.8.8:53            178.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53            g.bing.com                    udp
US       204.79.197.200:443    g.bing.com                    tcp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            9.228.82.20.in-addr.arpa      udp
US       8.8.8.8:53            205.47.74.20.in-addr.arpa     udp
US       8.8.8.8:53            158.240.127.40.in-addr.arpa   udp
US       8.8.8.8:53            41.110.16.96.in-addr.arpa     udp
US       8.8.8.8:53            183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53            56.126.166.20.in-addr.arpa    udp
NL       52.142.223.178:80     (none recorded)               tcp
US       8.8.8.8:53            59.128.231.4.in-addr.arpa     udp
US       8.8.8.8:53            18.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53            26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       204.79.197.200:443    tse1.mm.bing.net              tcp  (5 connections)
US       8.8.8.8:53            202.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53            43.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53            104.241.123.92.in-addr.arpa   udp
US       8.8.8.8:53            119.110.54.20.in-addr.arpa    udp
US       8.8.8.8:53            217.135.221.88.in-addr.arpa   udp
US       8.8.8.8:53            174.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53            32.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53            26.178.89.13.in-addr.arpa     udp

Every UDP entry is a DNS query to 8.8.8.8, either a reverse (PTR) lookup or a lookup of a Bing host, and the TCP entries to 204.79.197.200:443 follow those Bing lookups. That is consistent with the Windows 10 image's own background traffic, and the report attributes none of it to a sample process. The one connection with no domain, 52.142.223.178:80, is the only entry not explained that way; compare it with a clean run of the same image before treating it as contact from the sample. No command-and-control traffic is recorded in either detonation.

Files

Memory dumps, grouped by process and region (dump indices in parentheses):

PID 924
  0x000001D3FB4E0000-0x000001D3FB4E7000  28 KiB  (0)
  0x0000000140000000-0x00000001401F8000  2,064,384 bytes  (1, 7)

PID 3388
  0x0000000002F80000-0x0000000002F81000  4 KiB  (4)
  0x0000000140000000-0x00000001401F8000  2,064,384 bytes  (6, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 42, 52, 54)
  0x00007FFD81E2A000-0x00007FFD81E2B000  4 KiB  (8)
  0x00000000036E0000-0x00000000036E7000  28 KiB  (35)
  0x00007FFD83B60000-0x00007FFD83B70000  64 KiB  (43)

Same layout as on Windows 7: the 2,064,384-byte image at 0x140000000 in both PIDs, a 28 KiB region in each, and a writer PID (3388) that the process list does not name.

C:\Users\Admin\AppData\Local\T12i\WTSAPI32.dll

MD5 3fa0b7885789ab1186f3a43c8f4f9bab
SHA1 09a636f2d4b7462eba81f8a1caffa9ba4cccb334
SHA256 83c3b77e51732759ed40056919fe6efe4ebf107a864b10299ee8f0a1070be40c
SHA512 fccb95e3c9c911fb5bcca0b8128c057dbbd514ab6f84549d79a303c156899993ff00bb0a6faeacd57865316969fcb22851c68066a59baf894c36baf814bb2aec

C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe

MD5 30e978cc6830b04f1e7ed285cccaa746
SHA1 e915147c17e113c676c635e2102bbff90fb7aa52
SHA256 dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766
SHA512 331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

memory/2400-63-0x0000000140000000-0x00000001401F9000-memory.dmp  (2,068,480 bytes)

memory/2400-69-0x0000000140000000-0x00000001401F9000-memory.dmp  (2,068,480 bytes)

C:\Users\Admin\AppData\Local\T12i\WTSAPI32.dll

MD5 03b19b3c61bcac1feeca77f069bbd1e5
SHA1 3e9dd661aea282ddd05d061ba542db36fb9bf255
SHA256 d0cfeb1b04176ec5e1179b7230d9c72ab12b9e6b895ed2b01a4ea357b3206af4
SHA512 37b333156e6d98955d0a6f16277087e72ec45e4f1bd3fa60142168d7fff33075ff133cf08da38b111d8594aa7ffbc9cbcbf9758a9d2fa502018cde5f962299a4

memory/2400-64-0x000001FE99730000-0x000001FE99737000-memory.dmp  (28 KiB)

C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe

MD5 8642ade7f1b6db865b2fc489f509f622
SHA1 9414ac31c33f9c67e1d73da482440b0455902d8b
SHA256 052dd4150d0e7c3e79e5958dacdfc1aee87cc76e1c4ec75dcc071f2473b19a44
SHA512 6fce6477d24481e0ab4002a078329ec95c0a4875918e5183b1a41826907d837f0cce997f2557e107c9aee057a04b447787d30be36353b5099a094cf6716ddf88

C:\Users\Admin\AppData\Local\DiB7SxO4K\ReAgent.dll

MD5 b2e6aa6df3db504b5d79157b7cd09ab4
SHA1 bdd2a3d924cbbaaa867ac91c4495662acbb9b4cf
SHA256 1e0cc051f55c4e93d5b5d19a7517afe804302c6971d40f49d81c9076d1151bb4
SHA512 d8891971ba5c3696ccef5aac92737daf25a4e9fc2e6c6a511c335bb3f483fce824185380ea5d0eef558e0cefdc417ac44697118b7f71f45e758fc70e84e9dae3

memory/4416-80-0x000002BDDBA70000-0x000002BDDBA77000-memory.dmp  (28 KiB)

C:\Users\Admin\AppData\Local\DiB7SxO4K\ReAgent.dll

MD5 0b5d2c967d288cfd28af7e641f43f7df
SHA1 50a2a3bcba8ec563edd5f6c7eef438ef34dfe788
SHA256 1e006587c028461d9f578e9be4da920d1a51c89080981e38f8307c47cde64712
SHA512 1f6412fae4c314afae3fa6cff6eba25713ffaf82a30a7c1725bf9916e4fb31c35437fc9cddde722ac42b0f7ef065a5a2e77ca51ab9bf6cd6dc70c29be2e6480f

C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe

MD5 39f3931498bcf86baaedbc9b37339f24
SHA1 10778ed0b8989a187a94cce735f05d93942743e2
SHA256 a0124dd2b5748bf50b419cb203928138788addbd91146393b9d56be40fb99223
SHA512 a727201d04c8257ed6f9f8824c93700f56213d71162b45242ce0f5d70fbc2b528f9723683a8ae732a3948d122b8f6395fd87cadd1c852dafc667d04ea5ccf0df

memory/4416-86-0x0000000140000000-0x00000001401F9000-memory.dmp  (2,068,480 bytes)

C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe

MD5 b4170e0267f661f6d8bb2d91f2bf92a0
SHA1 4cae850d79e2ca8ad3adb3d130eb8a070622f622
SHA256 bed0cd1ce22617111543504d1f3c34a7d29a3002b19805407ee2693c8732282c
SHA512 70651a46c86ab1a856cd2d50734ed528d840e052a7a7ab37b4097e1ce075005b1c4ef1fdb05b1f05f6a2f7f0e9fa2d420ff5c754f915e9f9f11dd822f98bdf45

C:\Users\Admin\AppData\Local\ynvUt\appwiz.cpl

MD5 7b9dc495effd6f8b350bda01192d5d38
SHA1 86c4fd9648b22420664aa854665c4274ca2c5bee
SHA256 d3aabcd52cdfc6d3949cf3c6faf614fa5fba663670526c74061ddad23722f052
SHA512 70fb73b75646136b77911399ec889f4c0cd636c8d3b320fca189bcd10fc9cf776e7dd2131caa804d3ee81c53a646d88c57d82c9de8b697dd8a269bf9f755e2ad

C:\Users\Admin\AppData\Local\ynvUt\appwiz.cpl

MD5 8b2e50cd9081acc9e81bcfdf1218a461
SHA1 35488e703a8da322e34ac84e802645db574917e9
SHA256 6e0b7cf8e54d4ccb651d8530a5f3634dc88e348547da15cc72b15f3f231c9669
SHA512 65f6c72c63b5a9e0e02b3daaf264f3c36d3bf844f7213c58cdc1379f56a38bd5b9ca5d934de2c94fa9a9ff28ea570ffcf09b53591429abf6d92c8747cc06e5eb

memory/4760-97-0x000002403D6E0000-0x000002403D6E7000-memory.dmp  (28 KiB)

memory/4760-103-0x0000000140000000-0x00000001401F9000-memory.dmp  (2,068,480 bytes)

C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe

MD5 10f70fbe0067afc89a0a6f2cdc547c80
SHA1 2d39851a8dbc7f49a75b34a1f0e735fae51a996c
SHA256 44ec5b759837632271e8273bc9cc8d2db245651a38ad61983a149bcf3c303341
SHA512 a6bc5a763addbcf415380753a2a86140083df225b3ad449adf757914e53c80f9e70ee0a97bd3dcf029267cd2cb4deb5a896911b70d164632b550f00f04c2cd9f

C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe

MD5 d6cd8bef71458804dbc33b88ace56372
SHA1 a18b58445be2492c5d37abad69b5aa0d29416a60
SHA256 fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8
SHA512 1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk

MD5 085d583552d1eb72e1422fc92c69242c
SHA1 6fbfc1bbc9224c111147df9e9594b773791f203b
SHA256 32d006352829aacee3c6cc3da82f93296e56f6ac343fbcf75b7f10dfe620862b
SHA512 3233442b3d70892b41e46fd4cc4894c322cb0106e1a63d028b58d9d8e270f02c8ee859c0a9ea2604e39191e1e2b4135afa7d62ebecb0c6271b323d1a2472ce78

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7FO9lXLVf\WTSAPI32.dll

MD5 5a9b99c4d0575658dfa0c8156609afa3
SHA1 378242aa0f286110e9b4716919310e1a8b4e94d1
SHA256 6802c75118da28d6e0db40eed175205f32f1b3d1b3b1f37884121e800af3bdb2
SHA512 e92bd8246896c2803a832a0bfbe01e077fd913b2e2d3080f2bda413c570173c25f1e9dfc26ffa6ff58533e04bd6916f53c147c1fc4c97faa4b8611cf23e3534f

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\S0\ReAgent.dll

MD5 03368cacb42d1be38ad6af5c7f08c3ed
SHA1 ecbdb102613bd6d90fc14e5c1a2804fa11c56868
SHA256 e3732f1b5cd7a29876fc285f45c1aed7d9792b84ebe70c0e29f833fd19824d6e
SHA512 9685534ec032e37ff005a0625c64388fd3815c797a03059548b4b13171f4efe6a55b8bdd5986324eb9a98fca54cd0dc8a491095ece446bb9851f40a865ce6c7a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\KUs38Vbc\appwiz.cpl

MD5 04346ed6595d8fbaac2ae155cf02a221
SHA1 a904f217a90183047678e4dfeaf2cc3592fe3caf
SHA256 4a0d9a6fea773ea64be87b3a9efdd3f61afc553a9e55d1a4000d514c90739aba
SHA512 f707f140dfaaa4980183354b9b7718d13514222c9b47f1a0c8cb8eefce249094585558835f1c2383d9a492afddde98bb6bee03dde5b198758f320ff8637645f0
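In both detonations each Windows binary that is started from System32 is started again, under the same name, from a freshly created directory under AppData\Local, and the Files sections list a DLL or .cpl dropped into that same directory (VERSION.dll beside cmstp.exe, DUI70.dll beside WindowsAnytimeUpgradeResults.exe, WTSAPI32.dll beside MDMAppInstaller.exe, and so on). Reading that as DLL search-order hijacking of a relocated Windows binary is an inference from the paths; the report itself only records "Loads dropped DLL" for the AppData copies in behavioral1. The following is an added example written for this page (not code from the report or from the sandbox that produced it): it takes the process image paths, dropped-file paths and Run-key image paths listed in both detonations, embedded here as constructed input, and emits one record per user-writable directory with the executable staged there, the System32 original it is named after when the report shows one, and the modules dropped beside it. The set of user-writable roots and the module extensions are assumptions.

```python
"""Pair each same-named Windows binary found in a user-writable directory with the
module(s) dropped beside it, using only the paths a sandbox report already lists."""
import ntpath
from collections import defaultdict

# Constructed from the Processes and Files sections of behavioral1 and behavioral2 above.
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\cmstp.exe", r"C:\Users\Admin\AppData\Local\Sty7\cmstp.exe",
    r"C:\Windows\system32\WindowsAnytimeUpgradeResults.exe",
    r"C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe",
    r"C:\Windows\system32\calc.exe", r"C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe",
    r"C:\Windows\system32\MDMAppInstaller.exe", r"C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe",
    r"C:\Windows\system32\RecoveryDrive.exe", r"C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe",
    r"C:\Windows\system32\OptionalFeatures.exe", r"C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe",
]
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\Sty7\cmstp.exe", r"\Users\Admin\AppData\Local\Sty7\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\b5RKrJx8\WindowsAnytimeUpgradeResults.exe",
    r"C:\Users\Admin\AppData\Local\b5RKrJx8\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\xsrtXrPyV\UxTheme.dll", r"C:\Users\Admin\AppData\Local\xsrtXrPyV\calc.exe",
    r"\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\LWtvG\calc.exe",
    r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\LWtvG\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\mErbdODUp\VERSION.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Hgj0xJjyBk\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\T12i\WTSAPI32.dll", r"C:\Users\Admin\AppData\Local\T12i\MDMAppInstaller.exe",
    r"C:\Users\Admin\AppData\Local\DiB7SxO4K\ReAgent.dll", r"C:\Users\Admin\AppData\Local\DiB7SxO4K\RecoveryDrive.exe",
    r"C:\Users\Admin\AppData\Local\ynvUt\appwiz.cpl", r"C:\Users\Admin\AppData\Local\ynvUt\OptionalFeatures.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7FO9lXLVf\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\S0\ReAgent.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\KUs38Vbc\appwiz.cpl",
]
# Images named by the two Run-key values in the report.
RUN_IMAGES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Hgj0xJjyBk\WindowsAnytimeUpgradeResults.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\Keys\S0\RecoveryDrive.exe",
]

SYSTEM_DIR = "c:\\windows\\system32"
MODULE_EXTS = (".dll", ".cpl", ".ocx")          # assumed set of loadable module extensions
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\")  # assumption for a default install


def _norm(p):
    # The report prints some paths without the drive letter; treat "\Users\..." as "C:\Users\...".
    p = p.replace("/", "\\")
    return "C:" + p if p.startswith("\\") else p


def _user_writable(directory):
    return directory.lower().startswith(USER_WRITABLE_ROOTS)


def find_sideload_sets(processes, dropped_files, run_images=()):
    """One record per user-writable directory that holds an executable or a module:
    {"dir", "exe", "system_original", "modules"}; exe/system_original are None when absent."""
    system_by_name = {}
    for p in map(_norm, processes):
        if ntpath.dirname(p).lower() == SYSTEM_DIR:
            system_by_name[ntpath.basename(p).lower()] = p
    exes, modules, display = defaultdict(set), defaultdict(set), {}
    for p in map(_norm, list(processes) + list(dropped_files) + list(run_images)):
        d = ntpath.dirname(p)
        if not _user_writable(d):
            continue
        display.setdefault(d.lower(), d)
        name = ntpath.basename(p)
        ext = ntpath.splitext(name)[1].lower()
        if ext == ".exe":
            exes[d.lower()].add(name)
        elif ext in MODULE_EXTS:
            modules[d.lower()].add(name)
    findings = []
    for key in sorted(set(exes) | set(modules)):
        for exe in sorted(exes[key]) or [None]:
            findings.append({
                "dir": display[key],
                "exe": exe,
                "system_original": system_by_name.get(exe.lower()) if exe else None,
                "modules": sorted(modules[key]),
            })
    return findings


def describe(findings):
    """Human-readable one-liners for a triage note."""
    lines = []
    for f in findings:
        mods = ", ".join(f["modules"]) or "no modules"
        if f["exe"] is None:
            lines.append(f'{f["dir"]}: {mods} dropped, no executable captured')
        else:
            origin = f["system_original"] or "no System32 launch of this name in the report"
            lines.append(f'{f["dir"]}\\{f["exe"]} (named after {origin}) with {mods}')
    return lines


if __name__ == "__main__":
    for line in describe(find_sideload_sets(PROCESSES, DROPPED_FILES, RUN_IMAGES)):
        print(line)
```

On the report's data this yields twelve directories: nine hold an executable whose name was also launched from System32 (including the two Roaming directories named only by the Run keys), and three (mErbdODUp, 7FO9lXLVf, KUs38Vbc) hold a module with no captured executable, which is worth noting because the report's file list is a capture, not a complete inventory. The same function applied to an EDR's file-create and process-start events gives a hunting query that does not depend on any hash in this report.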