Malware Analysis Report

2024-11-30 21:31

Sample ID 231230-18gp5adcb4
Target 1e4195789cfec8640760ab9219a179b8
SHA256 4ebf20e816e316113b4d297346f800c5fb027befcd97ac1f696a8aeea1f16421
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4ebf20e816e316113b4d297346f800c5fb027befcd97ac1f696a8aeea1f16421

Threat Level: Known bad

The file 1e4195789cfec8640760ab9219a179b8 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Drops startup file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 22:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 22:19

Reported

2024-01-04 16:58

Platform

win10v2004-20231215-en

Max time kernel

173s

Max time network

180s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e4195789cfec8640760ab9219a179b8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\eLM | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\eLM\SYSDM.CPL | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\eLM\SystemPropertiesProtection.exe | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\pGtRz\\SystemPropertiesDataExecutionPrevention.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wiogU2GN\Magnify.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\TaiC9g\SystemPropertiesDataExecutionPrevention.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ines\SystemPropertiesProtection.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3448 wrote to memory of 1472 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 3448 wrote to memory of 1472 | N/A | N/A | C:\Windows\system32\Magnify.exe
PID 3448 wrote to memory of 1608 | N/A | N/A | C:\Users\Admin\AppData\Local\wiogU2GN\Magnify.exe
PID 3448 wrote to memory of 1608 | N/A | N/A | C:\Users\Admin\AppData\Local\wiogU2GN\Magnify.exe
PID 3448 wrote to memory of 1296 | N/A | N/A | C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 3448 wrote to memory of 1296 | N/A | N/A | C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 3448 wrote to memory of 4344 | N/A | N/A | C:\Users\Admin\AppData\Local\TaiC9g\SystemPropertiesDataExecutionPrevention.exe
PID 3448 wrote to memory of 4344 | N/A | N/A | C:\Users\Admin\AppData\Local\TaiC9g\SystemPropertiesDataExecutionPrevention.exe
PID 3448 wrote to memory of 2888 | N/A | N/A | C:\Windows\system32\SystemPropertiesProtection.exe
PID 3448 wrote to memory of 2888 | N/A | N/A | C:\Windows\system32\SystemPropertiesProtection.exe
PID 3448 wrote to memory of 3084 | N/A | N/A | C:\Users\Admin\AppData\Local\ines\SystemPropertiesProtection.exe
PID 3448 wrote to memory of 3084 | N/A | N/A | C:\Users\Admin\AppData\Local\ines\SystemPropertiesProtection.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e4195789cfec8640760ab9219a179b8.dll,#1

C:\Windows\system32\Magnify.exe

C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\wiogU2GN\Magnify.exe

C:\Users\Admin\AppData\Local\wiogU2GN\Magnify.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\TaiC9g\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\TaiC9g\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\ines\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\ines\SystemPropertiesProtection.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp

Files

memory/4688-1-0x0000000140000000-0x0000000140166000-memory.dmp

memory/4688-0-0x000001F0B8FC0000-0x000001F0B8FC7000-memory.dmp

memory/3448-4-0x0000000001460000-0x0000000001461000-memory.dmp

memory/4688-7-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-8-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-6-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-9-0x00007FFA4DC2A000-0x00007FFA4DC2B000-memory.dmp

memory/3448-10-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-12-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-13-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-11-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-14-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-15-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-17-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-16-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-18-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-20-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-22-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-21-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-23-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-24-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-26-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-25-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-28-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-27-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-19-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-30-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-31-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-29-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-33-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-32-0x0000000001420000-0x0000000001427000-memory.dmp

memory/3448-40-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-41-0x00007FFA4F420000-0x00007FFA4F430000-memory.dmp

memory/3448-50-0x0000000140000000-0x0000000140166000-memory.dmp

memory/3448-52-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Users\Admin\AppData\Local\wiogU2GN\MAGNIFICATION.dll

MD5 e413d691120c73bdfdcbb66123e56965
SHA1 8b8ceff9c9cc1d2a3984e3bfbed5f5a9087634bf
SHA256 6cdd4bed355c61fbf3a4c3307227eb9e9e6e197bf6fd2c6a21ad6163645c965f
SHA512 6f60c67e780830378dd90b9134fdafdf977cfc1b7fa0d9bd6d53c3e670c7f96ade3fe70eec2f85bdd3359fcfb93dc0a00d162f1fb9a23c804394ce92a72a2297

C:\Users\Admin\AppData\Local\wiogU2GN\Magnify.exe

MD5 4029890c147e3b4c6f41dfb5f9834d42
SHA1 10d08b3f6dabe8171ca2dd52e5737e3402951c75
SHA256 57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d
SHA512 dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

C:\Users\Admin\AppData\Local\wiogU2GN\MAGNIFICATION.dll

MD5 620d8b4f6a0533eb16a5ed1423e6c901
SHA1 1c660f98c132e176b619503c606563b83f4230cd
SHA256 f117d2f2101731cc833fcf75cf1b6f7076f03919e93e6bf795562c3bc15836f4
SHA512 31e5c292105444b6af9e0c010723609879a7622b17a54945aae7f599be703c7e17fd5e94a4491e225d14a85ae795201566256bdbf81295154b22a91a55f45f95

memory/1608-62-0x000001DEDF330000-0x000001DEDF337000-memory.dmp

memory/1608-61-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1608-67-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Users\Admin\AppData\Local\TaiC9g\SystemPropertiesDataExecutionPrevention.exe

MD5 de58532954c2704f2b2309ffc320651d
SHA1 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
SHA256 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
SHA512 d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

C:\Users\Admin\AppData\Local\TaiC9g\SYSDM.CPL

MD5 dbddc0306a1d9d193234d80687ca5873
SHA1 c3057c8de6bd70127e7da76f866815594fa8d54b
SHA256 e1b24aa64d35374094d2a9397e0efcf94cf634d8dbf96dbfe827398f5fd2df87
SHA512 f33dfae2ad6db2a6a1b5a7eba66ff251e123c15f707f34ee60d609d88e00af7ea6dbe92447a69a3d90b3d5a4da86576686710bb67334f4031d412079dcad1054

memory/4344-79-0x0000027241D10000-0x0000027241D17000-memory.dmp

memory/4344-84-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Users\Admin\AppData\Local\ines\SystemPropertiesProtection.exe

MD5 26640d2d4fa912fc9a354ef6cfe500ff
SHA1 a343fd82659ce2d8de3beb587088867cf2ab8857
SHA256 a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37
SHA512 26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

C:\Users\Admin\AppData\Local\ines\SYSDM.CPL

MD5 1ce24339b8a38ddcb4aaf6a1357157cd
SHA1 7e6a6c87c3a092defaabb339f2c2c5a7451179af
SHA256 64f9a59c115c6a04ed23f7ce09f548db8950e8feba2a4e4a21492efd825d69b3
SHA512 398935fdb8dd3d2b9c05fbec8c5f99646c33979da61fd14d59e8f8922b5afb8e3674a7f29269f94bf1146141f1ed4ea98e0a3b0b3a366b13e66905123a02a602

C:\Users\Admin\AppData\Local\ines\SYSDM.CPL

MD5 893fc91f6123c04c3a5a1be135759a56
SHA1 3241602b30a6e50b9ebe7b4365bbc442031a4bc1
SHA256 b9a1eec242ebf28d261b5081792f08e9066b02d265340a5b91f0b4e30b857db8
SHA512 714162cad87284f601fb8fffe3c21a3e326f13f5e0f6903743aa7215da6797d5bea1b708ac4fa67a8cf716d3884511f039d451a3cde7a5bbbd6a60dbda7f3f69

memory/3084-113-0x0000023A45850000-0x0000023A45857000-memory.dmp

memory/3084-117-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 cd2be6ef98fc57a8879027c534147c24
SHA1 90da8970f7b857ac98d86cfa2d90feef044f2080
SHA256 8d80b2948dacad01b680668d18bcf61e5d0686da84ab671dfcad469b63ed1c3f
SHA512 8f9ddcf0383861e4a49fe7cd7f177024b55c9eee9125b203c5c92fce500a807bd0088c1a26ad968d0adaa58516970dbb29089eef6ff12eca4b521396f01b676c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZrHJ1zj\MAGNIFICATION.dll

MD5 a9728d33482c141bbfad5bc705888c2a
SHA1 975d92e5732cf69ffd8fac5a281a4276fb12f9d3
SHA256 8b14e29de28405a804ad669e248e2d8aff31a628038834a40d2ed308ddcb4edc
SHA512 cf6dbd1c25d6e9d659ca4531066b3376e41654c1cfe9b15d4e041847b2d5bf6f24d45d350b9f62c920fbe6f1bcb43f56e02c7b464ee03986ff032d6203c692e1

C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\eLM\SYSDM.CPL

MD5 0bd3c57cd8e8f62024e6bac35d628168
SHA1 c2222af034812dd31f086a16a87c1a3e7be14ebf
SHA256 2cf6edfdb91f517b62fd10d126156e479e097803c7579a8d789c2084dee76d15
SHA512 e4d68008a8990e534c558cc026974a423a62f6905f4530bec7e8d854947e266cb891a2641fc65f1e2c355c046aa8a2a4c02cf052613eda9afd436b362f8c10d0

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 22:19

Reported

2024-01-04 16:58

Platform

win7-20231215-en

Max time kernel

157s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e4195789cfec8640760ab9219a179b8.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\eo8Cg9wL\DWWIN.EXE | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\66w\PresentationSettings.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\PZOST4\spinstall.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Ov\\PresentationSettings.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eo8Cg9wL\DWWIN.EXE | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\66w\PresentationSettings.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\PZOST4\spinstall.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1372 wrote to memory of 2300 | N/A | N/A | C:\Windows\system32\DWWIN.EXE
PID 1372 wrote to memory of 2300 | N/A | N/A | C:\Windows\system32\DWWIN.EXE
PID 1372 wrote to memory of 2300 | N/A | N/A | C:\Windows\system32\DWWIN.EXE
PID 1372 wrote to memory of 2568 | N/A | N/A | C:\Users\Admin\AppData\Local\eo8Cg9wL\DWWIN.EXE
PID 1372 wrote to memory of 2568 | N/A | N/A | C:\Users\Admin\AppData\Local\eo8Cg9wL\DWWIN.EXE
PID 1372 wrote to memory of 2568 | N/A | N/A | C:\Users\Admin\AppData\Local\eo8Cg9wL\DWWIN.EXE
PID 1372 wrote to memory of 2120 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 1372 wrote to memory of 2120 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 1372 wrote to memory of 2120 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 1372 wrote to memory of 528 | N/A | N/A | C:\Users\Admin\AppData\Local\66w\PresentationSettings.exe
PID 1372 wrote to memory of 528 | N/A | N/A | C:\Users\Admin\AppData\Local\66w\PresentationSettings.exe
PID 1372 wrote to memory of 528 | N/A | N/A | C:\Users\Admin\AppData\Local\66w\PresentationSettings.exe
PID 1372 wrote to memory of 2192 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1372 wrote to memory of 2192 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1372 wrote to memory of 2192 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1372 wrote to memory of 1832 | N/A | N/A | C:\Users\Admin\AppData\Local\PZOST4\spinstall.exe
PID 1372 wrote to memory of 1832 | N/A | N/A | C:\Users\Admin\AppData\Local\PZOST4\spinstall.exe
PID 1372 wrote to memory of 1832 | N/A | N/A | C:\Users\Admin\AppData\Local\PZOST4\spinstall.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e4195789cfec8640760ab9219a179b8.dll,#1

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\eo8Cg9wL\DWWIN.EXE

C:\Users\Admin\AppData\Local\eo8Cg9wL\DWWIN.EXE

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\66w\PresentationSettings.exe

C:\Users\Admin\AppData\Local\66w\PresentationSettings.exe

C:\Windows\system32\spinstall.exe

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\PZOST4\spinstall.exe

C:\Users\Admin\AppData\Local\PZOST4\spinstall.exe

Network

N/A

Files

memory/2780-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/2780-1-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-4-0x00000000772B6000-0x00000000772B7000-memory.dmp

memory/1372-5-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2780-7-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-9-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-10-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-15-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-16-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-18-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-20-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-23-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-24-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-25-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-28-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-30-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-31-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-33-0x0000000002590000-0x0000000002597000-memory.dmp

memory/1372-32-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-29-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-27-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-40-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-26-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-41-0x00000000774C1000-0x00000000774C2000-memory.dmp

memory/1372-42-0x0000000077620000-0x0000000077622000-memory.dmp

memory/1372-22-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-21-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-19-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-17-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-14-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-13-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-12-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-11-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-8-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-51-0x0000000140000000-0x0000000140166000-memory.dmp

memory/1372-57-0x0000000140000000-0x0000000140166000-memory.dmp

C:\Users\Admin\AppData\Local\eo8Cg9wL\VERSION.dll

MD5 72c0681917f3d8e86c6915abacfa7b39
SHA1 967efeb81a44d6cf2fc5b64d74b6b5f175567078
SHA256 80a293d36e20d7ebaad94e7b7034efd6020bf5ab7fcf31b1130043136d1b8a5f
SHA512 c9fe97ef9c698a87a723220c4242c212cdf4ead9b1c979e5d4b52a57d0a90596bb80674140777a05db023dc5b3e9f4cca234d39291d65f5eaf3cb4daebb546e8

\Users\Admin\AppData\Local\eo8Cg9wL\VERSION.dll

MD5 cb3f3eeca14e06f6f41afa011e5c36dc
SHA1 d39b1ab1dd9744a5676eece490df578b01dcf58a
SHA256 9ac6afbda1c5cee6dc21cb5245ee4e070aef4993d6e8ed4db08dbf8033c7dad0
SHA512 f900add373cba623364262bc1ca057910179df9ae5c8d925a784e0fc60e6d5c0613874d2f2841c9d9f00ca77b734bc2aeba7f25ae8c4b159f056858f867fe4ea

C:\Users\Admin\AppData\Local\eo8Cg9wL\DWWIN.EXE

MD5 2070d373934cddafe414519091b7750a
SHA1 f67c6a9ae7aeacdd6db988aa4b77fe10fcb666a7
SHA256 75abd45be215d12961ac682125abae538c927cbd0aba2b2903f82df0706a115e
SHA512 4cb30fb4c6f7740b55675923ac5538d3d9396775b10e8324f705fbd7422c2c0216560f930c68c9b8fab2688705f5cddc53d4929c4c91fe1bbb7ea44b08227059

memory/2568-69-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/2568-70-0x0000000140000000-0x0000000140167000-memory.dmp

\Users\Admin\AppData\Local\eo8Cg9wL\DWWIN.EXE

MD5 3aac540baba98d66e15a3e0676e2ba5e
SHA1 816d90fb6e5918068d9cde767eaa616258d6db09
SHA256 cd5ecb4835f955364ef62095569eb6615529f5cb3d748468eb41c6a9e04d4ef3
SHA512 add50ee78d50aed6662aef609378e685c816cb8e858e58abea8902155e13f778b3af44590f88e0e7e16b0e615ffbfe89011f33f120b8984356db345cd9db159c

memory/2568-75-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Users\Admin\AppData\Local\eo8Cg9wL\DWWIN.EXE

MD5 69865e11b894f40bba77c7bd2929433a
SHA1 fc3ce28c184977dc0913125992bd3ffddb32612b
SHA256 4adc68aea0263b13731089a2733976680f9958b1106f050a9f9bc6a1a6d9290f
SHA512 eb1dbc26a60e2bbe9f1e82978d18a006682be6c0c23df4055e2d678cd17d5c9e42eb5a392c50af883c964af188b9709efc074513acfffa9895d1e576abaeb61d

C:\Users\Admin\AppData\Local\66w\Secur32.dll

MD5 6a401275906c944874019acc1bd62268
SHA1 d19ecb666ed351acfad8fcc413f886bd6e6a8d08
SHA256 77fd8e4910a9b554caa08a1d54c973fa9f7cc8adb39de3a4e2c91819ee0f1c01
SHA512 b470318aeaab93958e6a95b98cd1c15ab78bf1838dc5fbcf814e3e9b3c934b9700f139f7d3b5bb736f795355c5b8e8772b1fd87f6bf162fab940370d9582c55e

C:\Users\Admin\AppData\Local\66w\PresentationSettings.exe

MD5 32721f23332da317b8f08a5b1372a705
SHA1 458fcf9c05d86361abd0788eb69f5f75bc7eac60
SHA256 ae7f847b1cb05e553b9b537ec2e7c3f54136ff2ab0bba8e87d8080844b0f631c
SHA512 7299f781570cf8cb62534eb7b3f2d97b821bd8184de9c72aec0cce9fefb19480faef51f79838fca754f08718b2d9e7f84503557d84ec7ccf5cf6a7955e7ee9b5

\Users\Admin\AppData\Local\66w\PresentationSettings.exe

MD5 a6f8d318f6041334889481b472000081
SHA1 b8cf08ec17b30c8811f2514246fcdff62731dd58
SHA256 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
SHA512 60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

\Users\Admin\AppData\Local\66w\Secur32.dll

MD5 b00c1d5952b13132046573f5e8e45af4
SHA1 a7ff18334238e914e8f80a6f5ef89c6bc8a20e40
SHA256 bd973b0beca5fc595798ff30e9e08e814c964cd9f5ed70c89fbfac56e4ef9f77
SHA512 8215dd62b2106ae07ca8715c6b6b617b1c6f75985e148ed05ed902a1c55ebf995ecd7d93c8c8c679b44f5b1fb92f4b27ea6b39dc996595f1bbd00f9aee8fda84

memory/528-87-0x0000000000100000-0x0000000000107000-memory.dmp

memory/528-93-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Users\Admin\AppData\Local\66w\PresentationSettings.exe

MD5 79369534448aa44f009e7a74972e2c98
SHA1 ef138fffd8301139f17708c4865f36090f152d52
SHA256 2135053548ea8c49d455527fe7101c721dde78b8a18531628d708322cc42192f
SHA512 35d859c884634578e6f1ea7f74987f9b41c5f4a377310ddf10a00e5895398026f8ba1e4f1b22f909775b3fd1fdb3865ed3ac3c1e4dc0905d3f44be882279891e

C:\Users\Admin\AppData\Local\PZOST4\XmlLite.dll

MD5 e2d4212b6375b4847d9e2cf00b29172f
SHA1 3026ee4f7f1dee2e0c3c454fada5f0aa4866752c
SHA256 518ac4bdea623c5cae62770000aa9d4489443e1cfa62a82e47bdee667243e496
SHA512 c1749d8fe94ccaa999bf3a67cb666786cc5a28592a5afbf10bf00526a3c072f348ab49691c90212960addcae5424d3d69714871d6fb585dc0083f15c0bafb14f

C:\Users\Admin\AppData\Local\PZOST4\spinstall.exe

MD5 526267ce7ae317e21294d208a28b1c41
SHA1 c08c7496c6634c2fd70f12ed5324977b925d992d
SHA256 cc12afb2f0a68996e0c734077e27f065da0a7fd56c5b22b1ff2bb6143a7357e7
SHA512 4ae2197bc471510ce584b7c051cc45aa780cdf8b85f4b644f77ad183e0c150a3f729c84571df6f22c01c1411db7727d12e647a3565475b020e98eb240c25d750

\Users\Admin\AppData\Local\PZOST4\spinstall.exe

MD5 3cf3113473d6d85c5c3d61a29ae15f08
SHA1 b604078e74c85e404ffa9592783ebc67aad2d5a2
SHA256 58cd51cb9105b203ae7fdddf59cbf4b10467dcc03a6bc63b254fcdcab96b8d8a
SHA512 07dae1980cb4d7cf92771f2c68c160868270cbb436c58de29c16598d876404893cdb65097493e492ba444235b82f99315a03a48734fd31104390fb8f0ead6fd3

\Users\Admin\AppData\Local\PZOST4\XmlLite.dll

MD5 4ac9c6ed30119d5a4d705a0b1e4c8803
SHA1 bda6ab0412d695db16c5f9b21bc4308ce6f8592b
SHA256 5824faf9b1cf5190ab51309964b18eb1a81bb5fa63d26da6cb3399a6561df900
SHA512 b3053c64acad8a6b8ac5a3ddda579c6ef0dce378e8b8e078ba124592945b26f51f13080fdb3aeba208ab592fa6fe1438e86ae62bbc55eaf2327349f084e24910

memory/1832-105-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1832-111-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Users\Admin\AppData\Local\PZOST4\spinstall.exe

MD5 276c32fb04ccd3f0eaebd6ec162fcd06
SHA1 3f5f021a47b26d669ffb620f492699c02aecf0c8
SHA256 76ea35b98d7bdb55fdd8479da686b6957d02a9582b0748b630e90c8605fe9bfb
SHA512 54ad5d112e81e7547dddf1bdebcf3afb914ad5286a33340a80add1f36dd11f516cee33e713ff1973b6d06718f6a30979cfcf1f5f737f59738d4fecd01d855744

\Users\Admin\AppData\Roaming\Microsoft\Credentials\7HexMi\spinstall.exe

MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

MD5 2c21df2f8e02950f2ebc7710f338e307
SHA1 68bcd25d9d1b053773abcb91fed3a3d0a8dd4f51
SHA256 073280328730c34d7a3430f79042000046fe3e5f7b61e1fce2aef7e3bae3ebcf
SHA512 fa1bbbae618e70a5517cacc06cdf14a629f40d04b22dd821d90dc1ac34c4ac38d0ce7375c86f0aa01363f8643b9871b262c8c51d01eddabe87ab48303f02b6c8

memory/1372-130-0x00000000772B6000-0x00000000772B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\fes0Zvu\VERSION.dll

MD5 e7b5349839f16b733a6242d6a61573d5
SHA1 f8d8c7b409a7c286a983a09c70b9c5e5ea92a3cd
SHA256 d56da09dbbd54004f3d2b6bd9222acda0b756655fde21ef503ab20f1785077ff
SHA512 e0ec9fa74da7de56d3a9dd2695c3b3c0be72ac7c082163d25e2d577c26098986a5e7e0ce03d09608b7fd5641e51501bdb978b3521a07df2c84b90833b33e2ffb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Ov\Secur32.dll

MD5 ea60307cd904317be3035c4fa260628f
SHA1 2db3a12bf56355dfb0a98de4194c85606fd6886e
SHA256 9bd28d5e9557f4cc2444edf212f316c5a58e58f0e46f5a69eb07162187b340cf
SHA512 122828cb759d8a4b85e0e52c70f47deca5867de3f88506fc3ed37dc23224dd12013cdd0a4f8e40ccde351c1448cc1d24195e028e77aaead09f1cf0593e8a076e

C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\7HexMi\XmlLite.dll

MD5 a667671913a747c8b5b10685e6477898
SHA1 5878137d78ae0042246dcac9ea4dce4a27ca4233
SHA256 8d997835bd3a6813dfa331d2f2b7ced6b4f7195dca3c4480f5a8149b72427bb8
SHA512 d7b3d38fb49d8fa4c1a1c928eb9e504a89a109fe77b13aea39d61ce8b44c8e725f78e6a93bc21c0d4f1b854df8710d770635da0a72e282ecc2c325aac04b5750