Analysis Overview
SHA256
4d93807b1a4ad7968dde1724378be12ea66fc5a4dc525b5c8e87f4dbba362c29
Threat Level: Known bad
The file 1d2d2319bece5591fb091367e4515364 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 21:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 21:35
Reported
2024-01-04 12:36
Platform
win7-20231215-en
Max time kernel
149s
Max time network
124s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\9iH\TpmInit.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\nts\irftp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\nts\irftp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe | N/A |
(5 further entries with no recorded process detail)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\EXHESW~1\\SYSTEM~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\nts\irftp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(61 further entries with no recorded process detail)
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d2d2319bece5591fb091367e4515364.dll,#1
C:\Users\Admin\AppData\Local\9iH\TpmInit.exe
C:\Users\Admin\AppData\Local\9iH\TpmInit.exe
C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
C:\Windows\system32\irftp.exe
C:\Windows\system32\irftp.exe
C:\Users\Admin\AppData\Local\nts\irftp.exe
C:\Users\Admin\AppData\Local\nts\irftp.exe
C:\Windows\system32\SystemPropertiesRemote.exe
C:\Windows\system32\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe
C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
Network
No network activity was recorded for this detonation.
Files
memory/536-0-0x0000000140000000-0x000000014015B000-memory.dmp
memory/536-1-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1296-4-0x0000000077956000-0x0000000077957000-memory.dmp
memory/1296-5-0x00000000029D0000-0x00000000029D1000-memory.dmp
memory/536-8-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-10-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-16-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-22-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-24-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-31-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-35-0x0000000077CC0000-0x0000000077CC2000-memory.dmp
memory/1296-32-0x0000000077B61000-0x0000000077B62000-memory.dmp
memory/1296-23-0x00000000029B0000-0x00000000029B7000-memory.dmp
memory/1296-21-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-20-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-19-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-42-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-48-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-51-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-18-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-17-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-15-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-14-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-13-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-12-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-11-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-9-0x0000000140000000-0x000000014015B000-memory.dmp
memory/1296-7-0x0000000140000000-0x000000014015B000-memory.dmp
C:\Users\Admin\AppData\Local\9iH\ACTIVEDS.dll
| MD5 | b2120b1201ac195387b65a2774ad5cfd |
| SHA1 | 07e0313c765f7671e6ce64eeb0d8197f62634401 |
| SHA256 | a228dcfd92493504d1ad2a82f77d2f0a89897aaebac35b87ef856a57c9d02ee1 |
| SHA512 | 0998048d1708170466f8be35ab879ea1a54eaff8909ad34dfb720e7765d7b82af04c659e27ae867ef4dacc126f981e6dfa642acd138a573f894670c5e0855c7a |
C:\Users\Admin\AppData\Local\9iH\TpmInit.exe
| MD5 | 8b5eb38e08a678afa129e23129ca1e6d |
| SHA1 | a27d30bb04f9fabdb5c92d5150661a75c5c7bc42 |
| SHA256 | 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c |
| SHA512 | a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d |
\Users\Admin\AppData\Local\nts\irftp.exe
| MD5 | 0cae1fb725c56d260bfd6feba7ae9a75 |
| SHA1 | 102ac676a1de3ec3d56401f8efd518c31c8b0b80 |
| SHA256 | 312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d |
| SHA512 | db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec |
C:\Users\Admin\AppData\Local\nts\WINMM.dll
| MD5 | a8e2218d621fcfdc062993271b5ad9b8 |
| SHA1 | 2f7ef4f8c326c0aa4d3dc7271c65b607fa80fa18 |
| SHA256 | 881a0fa78ddeb18253e4cef08790fa2031574770dd1f88037e417f9ac382e73d |
| SHA512 | cf92f6ce52aa5c265ca5ddad71cf00b2dc22784905369b832e8918e70ae36a7710b30f43198abd3f31538ae4c3f65bbfa4a03216fb22aa8ce15a6a90ae23a2ab |
\Users\Admin\AppData\Local\nts\WINMM.dll
| MD5 | 12b1ac40018046d151909b74a3898e20 |
| SHA1 | fec57d99e77544165aa619fbcf50c3aebe359dff |
| SHA256 | ae6a271846dc917525ada0715cd4dc241fb8af39cf9130479cb89908fc557d9e |
| SHA512 | fb1c009f8a6b8270573bf53e9c80401aa5ac86dbf03aeced6252c310cca5bf2f63f39e9b6418733ab17256966e1d1538a34ccd174509833e8fee9a2eb086578e |
memory/2936-70-0x0000000000190000-0x0000000000197000-memory.dmp
memory/2936-71-0x0000000140000000-0x000000014015D000-memory.dmp
memory/2936-76-0x0000000140000000-0x000000014015D000-memory.dmp
C:\Users\Admin\AppData\Local\nts\irftp.exe
| MD5 | 793d6d39534af6db72b613e7e18e3b67 |
| SHA1 | 81bbbaa4cb431f359385e0bee5fa1aeff73e4ef7 |
| SHA256 | 1a26304cb644b0649b494f3972dbc4ec43c1a32b985eda78d2a387173bd5f441 |
| SHA512 | 3a3b9beee87b44c263d6f05f0b6575ab1db9894e983149a8e9b246ccdaaf8a8490576d953feefffe61e8055c302341de881f8407296cd568ace52cbefa7537a6 |
\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe
| MD5 | d0d7ac869aa4e179da2cc333f0440d71 |
| SHA1 | e7b9a58f5bfc1ec321f015641a60978c0c683894 |
| SHA256 | 5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a |
| SHA512 | 1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7 |
C:\Users\Admin\AppData\Local\OM1r\SYSDM.CPL
| MD5 | 5e66ce1ed8a3a846c256c9fdc4fd973b |
| SHA1 | b92e0ed0db174841fb9ac5d964f10728c63ca78b |
| SHA256 | 516305fd02701139108f1a5d247ae12142be087bcd5ddfc40d9a41557cd9d64a |
| SHA512 | 58bd981047ee29e7669b8a9d1f58e00f08caee42c62dd66827eaedca3de90a5488e90ebd70c9549af93ec72ed9f50408641c3d927ef22fedac1a8c5b7deaf3a8 |
\Users\Admin\AppData\Local\OM1r\SYSDM.CPL
| MD5 | ad092cb7458dd5bcd5efda0b1b2320b9 |
| SHA1 | daeacedf0e26d37c53113f3599916d6a3cb0eded |
| SHA256 | 1a453a0033f58c097ed7406ec99db9bc4c6359ddaa8d16ab796fb18e321e142b |
| SHA512 | c8db394ea6d1be27d1636e57109a365c376c3801fdd8f4b5ec36ad82f0d5a58a40fe62c569d245965fa55cf2182331ee3756c09dea5f6c7c9e4947c176e2e033 |
memory/344-88-0x00000000000F0000-0x00000000000F7000-memory.dmp
memory/344-89-0x0000000140000000-0x000000014015C000-memory.dmp
memory/344-94-0x0000000140000000-0x000000014015C000-memory.dmp
C:\Users\Admin\AppData\Local\r0HBcNs\SYSDM.CPL
| MD5 | 3ec58cfdefb65a2cb030f94d124b53d3 |
| SHA1 | 286991af40bb463252a68b488632feb7a8ce689a |
| SHA256 | 403d032d7ea61edbc4f9eeec33b442d53669e566409c108a20815d27cd13111e |
| SHA512 | e77681a29351015e443562379c918212547500f84105358e67c93c0bafdf9b9a6b8f32263b2cced925e18f3ef659fb8cf1499d9933c8d7e036dbfd191c147797 |
\Users\Admin\AppData\Local\r0HBcNs\SYSDM.CPL
| MD5 | 62a58073cdd65038f8d7552035fe0a6c |
| SHA1 | 6b68e6b0e2727ec4d3eb9af8df66da33bb1220e4 |
| SHA256 | 3b84081b0a11f1a136e55b090186b3304bce3a8be478a1f687d50828793f92da |
| SHA512 | 217da8d47887a73a39a5faa4b2bdb02ca01d6358bf4eedd78d6e35db3eaace8cf2d7e679200d6d29dca1b012770410e9444f98eb45649cc522bf167a8aff1e14 |
memory/2888-106-0x0000000000270000-0x0000000000277000-memory.dmp
memory/2888-111-0x0000000140000000-0x000000014015C000-memory.dmp
C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe
| MD5 | bd889683916aa93e84e1a75802918acf |
| SHA1 | 5ee66571359178613a4256a7470c2c3e6dd93cfa |
| SHA256 | 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf |
| SHA512 | 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk
| MD5 | 878eb1841d0098143fa8e689a647e4ba |
| SHA1 | 8bbfcb4e15bd7f0bc3fecd7bd404b902c0cfb4a9 |
| SHA256 | e84bcf06181512cdb69aad8cb28c1f352cc611c52ae54607b496067e7324f423 |
| SHA512 | 18170cc2a80ddf07878680cf3c8db63d2843e09b9abe0cb0df950d693e856a846ccd320c73ae04f01c8b7d6a78e23890c62db128400de67ec12d3d99ff0a2960 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\rJFljd\WINMM.dll
| MD5 | 1fb5be36769495e89a5f5b68306ffc36 |
| SHA1 | ffc31755591a41562b4b27d5ed32011548128c86 |
| SHA256 | 8cc0b3bbe8377965f8fffa0cf5101c7eeca6975fc2befdc660a1b0b40e1a4ccd |
| SHA512 | 08381840cf6d8f1979100999ad4767ec9f301fc4c9e30582d2fd278566a17185da8db4cd6c01ea22f90c138eb8948bfae45784c51444f35069425eddc3d5d939 |
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\exhesWIdQi8\SYSDM.CPL
| MD5 | 6cad38c017c548e69720fb2d7c048844 |
| SHA1 | 9ef55f724e5558c2a595a146387b2a5ea7eb5918 |
| SHA256 | 6d0039458f06f1b03a53fba3d6c0a04bdcf78ac6e56283b880bcac059a28bfb0 |
| SHA512 | 8307814e606a090c41f6ae9a0fab8d6e5aed4f484d7530fb457625b538fbcfc6efab119df8865d682628af6dc8f4d267d3bd07c10e370ee09bf03b0c016bf77b |
C:\Users\Admin\AppData\Roaming\Mozilla\ckvqo51H6LQ\SYSDM.CPL
| MD5 | d4815b4ebb9034c9c011f086a42e1d27 |
| SHA1 | 61466d2e4941b4e102fa61dc187bae099b4152a8 |
| SHA256 | 421c90c3948f9a28ac1a505a88a65cad15d65715e96ab6efcb496525bd689dd8 |
| SHA512 | e0251c2ee0198fe6188e969e95c31ca0ba1fbdb128120975ad219a145358c80bb253c6aac1bb0c7b1404c7723e080a8d2b653e26017e16b98ca872ba18cd2d0f |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 21:35
Reported
2024-01-04 12:36
Platform
win10v2004-20231215-en
Max time kernel
148s
Max time network
165s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\GVqU\\SystemPropertiesAdvanced.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(60 further entries with no recorded process detail)
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d2d2319bece5591fb091367e4515364.dll,#1
C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe
C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe
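Both process trees (behavioral1 above and behavioral2 here) show the same sequence: a Windows binary is started once from C:\Windows\system32, a copy of it is written to a randomly named directory under AppData\Local together with a DLL or CPL carrying the name of a library the binary loads (ACTIVEDS.dll, WINMM.dll, SYSDM.CPL, DUI70.dll, DUser.dll), and the copy is then launched from there so that the planted library is resolved before the real one. The Run value and the Startup .lnk file give the chain persistence. The detection logic below is an added example, not part of this report or of any sandbox product: its event list is constructed from the behavioral2 process and file entries plus the behavioral1 Run value (to show the 8.3 short-name form such as FLASHP~1), and the Event type, the path heuristics and the short-name check are assumptions of the example rather than anything the report defines. It derives the set of "Windows binary names" from the events themselves, so it generalises beyond the five binaries this sample happened to use.

```python
"""Flag the DLL side-loading and persistence pattern recorded in this report.

Added example. The event list is constructed from the report's own process,
file and registry entries; the Event type and the path heuristics below are
assumptions of this example, not part of any sandbox output format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed heuristics: user-writable profile directories, the real Windows
# system directories, and an 8.3 short-name component such as FLASHP~1.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
SHORT_NAME = re.compile(r"~\d+(?=[\\.]|$)")
SIDELOAD_EXT = {".dll", ".cpl"}


@dataclass
class Event:
    kind: str       # "process" (image launched), "file" (file written), "registry" (value set)
    path: str       # image path, written file, or full registry value path
    data: str = ""  # registry value data as the report prints it (quoted, doubled backslashes)


def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def find_side_loads(events):
    """Return [(copied_exe, [planted libraries])] for every binary launched from a
    user-writable directory under a name that was also launched from System32,
    with a DLL/CPL written into the same directory."""
    system_names = {PureWindowsPath(e.path).name.lower()
                    for e in events if e.kind == "process" and SYSTEM_DIR.match(e.path)}
    planted = defaultdict(list)
    for e in events:
        if e.kind == "file" and PureWindowsPath(e.path).suffix.lower() in SIDELOAD_EXT:
            planted[_parent_dir(e.path)].append(PureWindowsPath(e.path).name)
    hits, seen = [], set()
    for e in events:
        if e.kind != "process" or not USER_WRITABLE.match(e.path):
            continue
        key = e.path.lower()
        if PureWindowsPath(e.path).name.lower() in system_names and key not in seen:
            libs = planted.get(_parent_dir(e.path))
            if libs:
                seen.add(key)
                hits.append((e.path, sorted(libs)))
    return hits


def find_persistence(events):
    """Return [(kind, name, target, uses_short_names)] for Run values that point
    into the user profile and for .lnk files written to the Startup folder."""
    hits = []
    for e in events:
        if e.kind == "registry" and "\\currentversion\\run\\" in e.path.lower():
            target = e.data.strip('"').replace("\\\\", "\\")  # undo the report's escaping
            if USER_WRITABLE.match(target):
                hits.append(("run-key", PureWindowsPath(e.path).name, target,
                             bool(SHORT_NAME.search(target))))
        elif (e.kind == "file" and "\\programs\\startup\\" in e.path.lower()
              and PureWindowsPath(e.path).suffix.lower() == ".lnk"):
            hits.append(("startup-lnk", PureWindowsPath(e.path).name, e.path,
                         bool(SHORT_NAME.search(e.path))))
    return hits


# Constructed from the behavioral2 process tree and file list, plus the
# behavioral1 Run value and one benign control installer that must not be flagged.
REPORT_EVENTS = [
    Event("process", r"C:\Windows\system32\rundll32.exe"),
    Event("process", r"C:\Windows\system32\CameraSettingsUIHost.exe"),
    Event("file", r"C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe"),
    Event("file", r"C:\Users\Admin\AppData\Local\wvMfa\DUI70.dll"),
    Event("process", r"C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe"),
    Event("process", r"C:\Windows\system32\SystemPropertiesAdvanced.exe"),
    Event("file", r"C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe"),
    Event("file", r"C:\Users\Admin\AppData\Local\pVlcwq\SYSDM.CPL"),
    Event("process", r"C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe"),
    Event("process", r"C:\Windows\system32\DisplaySwitch.exe"),
    Event("file", r"C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe"),
    Event("file", r"C:\Users\Admin\AppData\Local\8zC0Qx9r\DUser.dll"),
    Event("process", r"C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe"),
    Event("registry",
          r"\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj",
          r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\GVqU\\SystemPropertiesAdvanced.exe"'),
    Event("registry",
          r"\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs",
          r'"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\EXHESW~1\\SYSTEM~1.EXE"'),
    Event("file", r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk"),
    Event("file", r"C:\Users\Admin\AppData\Local\Temp\setup\helper.dll"),        # benign control
    Event("process", r"C:\Users\Admin\AppData\Local\Temp\setup\installer.exe"),  # benign control
]

if __name__ == "__main__":
    for exe, libs in find_side_loads(REPORT_EVENTS):
        print(f"side-load: {exe} <- {', '.join(libs)}")
    for kind, name, target, short in find_persistence(REPORT_EVENTS):
        print(f"{kind}: {name} -> {target}" + (" (8.3 short names)" if short else ""))
```

On real telemetry the same logic applies to Sysmon event ID 1 (image path), 11 (file create) and 13 (registry value set); the benign installer in the constructed list shows why the check keys on a System32 name reappearing under AppData rather than on "DLL dropped in a user directory" alone, which would fire on every ordinary installer.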
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Everything in this table is either a reverse (PTR) lookup sent to 8.8.8.8 (an in-addr.arpa name lists the octets of the address being resolved in reverse, so 81.171.91.138.in-addr.arpa asks about 138.91.171.81, and none of these is a connection to that host) or a TLS session to the Bing image CDN, which Windows 10 itself generates in the background. None of it is obviously attributable to the sample, so this report yields no network indicators for Dridex command-and-control; the behavioral1 run on Windows 7 recorded no network traffic at all.
Files
memory/2744-1-0x000001ECCFC20000-0x000001ECCFC27000-memory.dmp
memory/2744-0-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-4-0x0000000002A80000-0x0000000002A81000-memory.dmp
memory/3576-6-0x00007FFA4005A000-0x00007FFA4005B000-memory.dmp
memory/3576-7-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-9-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-10-0x0000000140000000-0x000000014015B000-memory.dmp
memory/2744-8-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-12-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-11-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-13-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-14-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-15-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-16-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-17-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-18-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-19-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-20-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-21-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-22-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-23-0x0000000000950000-0x0000000000957000-memory.dmp
memory/3576-24-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-31-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-32-0x00007FFA40CA0000-0x00007FFA40CB0000-memory.dmp
memory/3576-41-0x0000000140000000-0x000000014015B000-memory.dmp
memory/3576-43-0x0000000140000000-0x000000014015B000-memory.dmp
C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe
| MD5 | 9e98636523a653c7a648f37be229cf69 |
| SHA1 | bd4da030e7cf4d55b7c644dfacd26b152e6a14c4 |
| SHA256 | 3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717 |
| SHA512 | 41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78 |
C:\Users\Admin\AppData\Local\wvMfa\DUI70.dll
| MD5 | 9435d9c74547b7f7f1325040c9a5931c |
| SHA1 | 32d85c3ab0751a6b963616f1e7d77f6e41026a8d |
| SHA256 | e324c5e43873d0dec8f650c3619a553ddc885a5d7a104636826b8e2508b43510 |
| SHA512 | d7e89926cc7e27fd904a94d40e23635ad6b9104f8d0e8f85112ec2bbd658bc3bf6bfba67f158e7be7b676c7f72681598e2f48f0976a3219a2d7ab3318fd82fef |
C:\Users\Admin\AppData\Local\wvMfa\DUI70.dll
| MD5 | b2aef922fce6c40a1c3ad21a7acadf94 |
| SHA1 | 9287ab2e1a0363c9ac426f32fadd9732d6b1dc09 |
| SHA256 | 3564fd033da970ecf97eb0cbedab1a8757d9a47a5e1ff238a71bab5ba5fa3536 |
| SHA512 | 176bfa917054b90f4b3a9b51008ddb7a5ef67ec8d969019e00fd4a9ad29e31d615f3ae5c76259e4d29d5287fecbba0b31e0dd1d93524ac2a8cf449ba159e66f6 |
memory/2248-53-0x0000000140000000-0x00000001401A1000-memory.dmp
memory/2248-52-0x000001F1820C0000-0x000001F1820C7000-memory.dmp
memory/2248-58-0x0000000140000000-0x00000001401A1000-memory.dmp
C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe
| MD5 | fa040b18d2d2061ab38cf4e52e753854 |
| SHA1 | b1b37124e9afd6c860189ce4d49cebbb2e4c57bc |
| SHA256 | c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c |
| SHA512 | 511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4 |
C:\Users\Admin\AppData\Local\pVlcwq\SYSDM.CPL
| MD5 | 61a86a92ddf7b92f048b6aab665449d6 |
| SHA1 | 5809b27b0e8c71fd3fa66668f0195a2721adc2f8 |
| SHA256 | df3cea67f5db30b14ca1256d9ab5f79e7383e3ec229dd4f97405e917060e0a4f |
| SHA512 | f3a10cb802a43f285c07aaedbccd2113e235129a8b2d09ee0eb1640cf9a26904998b911940e323e58b27f3c4554a1f3d1c36f055b6d6f5a6d345330bd6863b08 |
memory/1448-70-0x0000000140000000-0x000000014015C000-memory.dmp
memory/1448-69-0x0000028A0E850000-0x0000028A0E857000-memory.dmp
memory/1448-75-0x0000000140000000-0x000000014015C000-memory.dmp
C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe
| MD5 | 5338d4beddf23db817eb5c37500b5735 |
| SHA1 | 1b5c56f00b53fca3205ff24770203af46cbc7c54 |
| SHA256 | 8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e |
| SHA512 | 173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c |
C:\Users\Admin\AppData\Local\8zC0Qx9r\DUser.dll
| MD5 | 423d7c9163a9df1c96c02abcf8aa28ac |
| SHA1 | 47be1e90e74c756db07c076140ea7516e7ab37d4 |
| SHA256 | 16d03463b1e0f4e5c0c37ac2162b6d04f36f7a789c811c3de224312092696260 |
| SHA512 | 7d59a8585ea05bb7fb557f0622ac80af743b51f33e75f11a8991130bb16de6f369fdb075330c59225eb337b4209c87dfe271d094f8cb5fe7ea5f15a896c43e88 |
memory/4636-87-0x000001EB3D9D0000-0x000001EB3D9D7000-memory.dmp
memory/4636-86-0x0000000140000000-0x000000014015D000-memory.dmp
memory/4636-92-0x0000000140000000-0x000000014015D000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 4d5d00321f143474f897a5f67d2d39f6 |
| SHA1 | 0a90a15b1bf788038eb9296081645099e7ead3bc |
| SHA256 | e68f6df241d554be436bca49fa82f27a5f447c2dade4e81b34b1f07d8a7be122 |
| SHA512 | a11582f4e3e2b853d1090b930cb05e79482505dd80a8dbb6855d7ce0105bb556a171ce043137fc509b16109a58871f20081e26e84b4f190d8f7b9937c2327dbd |