Malware Analysis Report

2024-11-30 21:46

Sample ID 231230-1ffmcsfdd8
Target 1d2d2319bece5591fb091367e4515364
SHA256 4d93807b1a4ad7968dde1724378be12ea66fc5a4dc525b5c8e87f4dbba362c29
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d93807b1a4ad7968dde1724378be12ea66fc5a4dc525b5c8e87f4dbba362c29

Threat Level: Known bad

The file 1d2d2319bece5591fb091367e4515364 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 21:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 21:35

Reported

2024-01-04 12:36

Platform

win7-20231215-en

Max time kernel

149s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d2d2319bece5591fb091367e4515364.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\nts\irftp.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\EXHESW~1\\SYSTEM~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\nts\irftp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1296 wrote to memory of 2652 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1296 wrote to memory of 2652 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1296 wrote to memory of 2652 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1296 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\9iH\TpmInit.exe
PID 1296 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\9iH\TpmInit.exe
PID 1296 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\9iH\TpmInit.exe
PID 1296 wrote to memory of 2964 N/A N/A C:\Windows\system32\irftp.exe
PID 1296 wrote to memory of 2964 N/A N/A C:\Windows\system32\irftp.exe
PID 1296 wrote to memory of 2964 N/A N/A C:\Windows\system32\irftp.exe
PID 1296 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\nts\irftp.exe
PID 1296 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\nts\irftp.exe
PID 1296 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\nts\irftp.exe
PID 1296 wrote to memory of 2488 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1296 wrote to memory of 2488 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1296 wrote to memory of 2488 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1296 wrote to memory of 344 N/A N/A C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe
PID 1296 wrote to memory of 344 N/A N/A C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe
PID 1296 wrote to memory of 344 N/A N/A C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe
PID 1296 wrote to memory of 864 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1296 wrote to memory of 864 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1296 wrote to memory of 864 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1296 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe
PID 1296 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe
PID 1296 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d2d2319bece5591fb091367e4515364.dll,#1

C:\Users\Admin\AppData\Local\9iH\TpmInit.exe

C:\Users\Admin\AppData\Local\9iH\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\irftp.exe

C:\Windows\system32\irftp.exe

C:\Users\Admin\AppData\Local\nts\irftp.exe

C:\Users\Admin\AppData\Local\nts\irftp.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\9iH\ACTIVEDS.dll

MD5 b2120b1201ac195387b65a2774ad5cfd
SHA1 07e0313c765f7671e6ce64eeb0d8197f62634401
SHA256 a228dcfd92493504d1ad2a82f77d2f0a89897aaebac35b87ef856a57c9d02ee1
SHA512 0998048d1708170466f8be35ab879ea1a54eaff8909ad34dfb720e7765d7b82af04c659e27ae867ef4dacc126f981e6dfa642acd138a573f894670c5e0855c7a

C:\Users\Admin\AppData\Local\9iH\TpmInit.exe

MD5 8b5eb38e08a678afa129e23129ca1e6d
SHA1 a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
SHA256 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
SHA512 a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

\Users\Admin\AppData\Local\nts\irftp.exe

MD5 0cae1fb725c56d260bfd6feba7ae9a75
SHA1 102ac676a1de3ec3d56401f8efd518c31c8b0b80
SHA256 312f4107ff37dc988d99c5f56178708bb74a3906740cff4e337c0dde8f1e151d
SHA512 db969064577c4158d6bf925354319766b0d0373ddefb03dbfc9a9d2cadf8ddcd50a7f99b7ddf2ffad5e7fdbb6f02090b5b678bdf792d265054bff3b56ee0b8ec

C:\Users\Admin\AppData\Local\nts\WINMM.dll

MD5 a8e2218d621fcfdc062993271b5ad9b8
SHA1 2f7ef4f8c326c0aa4d3dc7271c65b607fa80fa18
SHA256 881a0fa78ddeb18253e4cef08790fa2031574770dd1f88037e417f9ac382e73d
SHA512 cf92f6ce52aa5c265ca5ddad71cf00b2dc22784905369b832e8918e70ae36a7710b30f43198abd3f31538ae4c3f65bbfa4a03216fb22aa8ce15a6a90ae23a2ab

\Users\Admin\AppData\Local\nts\WINMM.dll

MD5 12b1ac40018046d151909b74a3898e20
SHA1 fec57d99e77544165aa619fbcf50c3aebe359dff
SHA256 ae6a271846dc917525ada0715cd4dc241fb8af39cf9130479cb89908fc557d9e
SHA512 fb1c009f8a6b8270573bf53e9c80401aa5ac86dbf03aeced6252c310cca5bf2f63f39e9b6418733ab17256966e1d1538a34ccd174509833e8fee9a2eb086578e

memory/2936-70-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2936-71-0x0000000140000000-0x000000014015D000-memory.dmp

memory/2936-76-0x0000000140000000-0x000000014015D000-memory.dmp

C:\Users\Admin\AppData\Local\nts\irftp.exe

MD5 793d6d39534af6db72b613e7e18e3b67
SHA1 81bbbaa4cb431f359385e0bee5fa1aeff73e4ef7
SHA256 1a26304cb644b0649b494f3972dbc4ec43c1a32b985eda78d2a387173bd5f441
SHA512 3a3b9beee87b44c263d6f05f0b6575ab1db9894e983149a8e9b246ccdaaf8a8490576d953feefffe61e8055c302341de881f8407296cd568ace52cbefa7537a6

\Users\Admin\AppData\Local\OM1r\SystemPropertiesRemote.exe

MD5 d0d7ac869aa4e179da2cc333f0440d71
SHA1 e7b9a58f5bfc1ec321f015641a60978c0c683894
SHA256 5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a
SHA512 1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

C:\Users\Admin\AppData\Local\OM1r\SYSDM.CPL

MD5 5e66ce1ed8a3a846c256c9fdc4fd973b
SHA1 b92e0ed0db174841fb9ac5d964f10728c63ca78b
SHA256 516305fd02701139108f1a5d247ae12142be087bcd5ddfc40d9a41557cd9d64a
SHA512 58bd981047ee29e7669b8a9d1f58e00f08caee42c62dd66827eaedca3de90a5488e90ebd70c9549af93ec72ed9f50408641c3d927ef22fedac1a8c5b7deaf3a8

\Users\Admin\AppData\Local\OM1r\SYSDM.CPL

MD5 ad092cb7458dd5bcd5efda0b1b2320b9
SHA1 daeacedf0e26d37c53113f3599916d6a3cb0eded
SHA256 1a453a0033f58c097ed7406ec99db9bc4c6359ddaa8d16ab796fb18e321e142b
SHA512 c8db394ea6d1be27d1636e57109a365c376c3801fdd8f4b5ec36ad82f0d5a58a40fe62c569d245965fa55cf2182331ee3756c09dea5f6c7c9e4947c176e2e033

memory/344-88-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/344-89-0x0000000140000000-0x000000014015C000-memory.dmp

memory/344-94-0x0000000140000000-0x000000014015C000-memory.dmp

C:\Users\Admin\AppData\Local\r0HBcNs\SYSDM.CPL

MD5 3ec58cfdefb65a2cb030f94d124b53d3
SHA1 286991af40bb463252a68b488632feb7a8ce689a
SHA256 403d032d7ea61edbc4f9eeec33b442d53669e566409c108a20815d27cd13111e
SHA512 e77681a29351015e443562379c918212547500f84105358e67c93c0bafdf9b9a6b8f32263b2cced925e18f3ef659fb8cf1499d9933c8d7e036dbfd191c147797

\Users\Admin\AppData\Local\r0HBcNs\SYSDM.CPL

MD5 62a58073cdd65038f8d7552035fe0a6c
SHA1 6b68e6b0e2727ec4d3eb9af8df66da33bb1220e4
SHA256 3b84081b0a11f1a136e55b090186b3304bce3a8be478a1f687d50828793f92da
SHA512 217da8d47887a73a39a5faa4b2bdb02ca01d6358bf4eedd78d6e35db3eaace8cf2d7e679200d6d29dca1b012770410e9444f98eb45649cc522bf167a8aff1e14

memory/2888-106-0x0000000000270000-0x0000000000277000-memory.dmp

memory/2888-111-0x0000000140000000-0x000000014015C000-memory.dmp

C:\Users\Admin\AppData\Local\r0HBcNs\SystemPropertiesComputerName.exe

MD5 bd889683916aa93e84e1a75802918acf
SHA1 5ee66571359178613a4256a7470c2c3e6dd93cfa
SHA256 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
SHA512 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 878eb1841d0098143fa8e689a647e4ba
SHA1 8bbfcb4e15bd7f0bc3fecd7bd404b902c0cfb4a9
SHA256 e84bcf06181512cdb69aad8cb28c1f352cc611c52ae54607b496067e7324f423
SHA512 18170cc2a80ddf07878680cf3c8db63d2843e09b9abe0cb0df950d693e856a846ccd320c73ae04f01c8b7d6a78e23890c62db128400de67ec12d3d99ff0a2960

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\rJFljd\WINMM.dll

MD5 1fb5be36769495e89a5f5b68306ffc36
SHA1 ffc31755591a41562b4b27d5ed32011548128c86
SHA256 8cc0b3bbe8377965f8fffa0cf5101c7eeca6975fc2befdc660a1b0b40e1a4ccd
SHA512 08381840cf6d8f1979100999ad4767ec9f301fc4c9e30582d2fd278566a17185da8db4cd6c01ea22f90c138eb8948bfae45784c51444f35069425eddc3d5d939

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\exhesWIdQi8\SYSDM.CPL

MD5 6cad38c017c548e69720fb2d7c048844
SHA1 9ef55f724e5558c2a595a146387b2a5ea7eb5918
SHA256 6d0039458f06f1b03a53fba3d6c0a04bdcf78ac6e56283b880bcac059a28bfb0
SHA512 8307814e606a090c41f6ae9a0fab8d6e5aed4f484d7530fb457625b538fbcfc6efab119df8865d682628af6dc8f4d267d3bd07c10e370ee09bf03b0c016bf77b

C:\Users\Admin\AppData\Roaming\Mozilla\ckvqo51H6LQ\SYSDM.CPL

MD5 d4815b4ebb9034c9c011f086a42e1d27
SHA1 61466d2e4941b4e102fa61dc187bae099b4152a8
SHA256 421c90c3948f9a28ac1a505a88a65cad15d65715e96ab6efcb496525bd689dd8
SHA512 e0251c2ee0198fe6188e969e95c31ca0ba1fbdb128120975ad219a145358c80bb253c6aac1bb0c7b1404c7723e080a8d2b653e26017e16b98ca872ba18cd2d0f

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 21:35

Reported

2024-01-04 12:36

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

165s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d2d2319bece5591fb091367e4515364.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\GVqU\\SystemPropertiesAdvanced.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3576 wrote to memory of 2392 N/A N/A C:\Windows\system32\CameraSettingsUIHost.exe
PID 3576 wrote to memory of 2392 N/A N/A C:\Windows\system32\CameraSettingsUIHost.exe
PID 3576 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe
PID 3576 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe
PID 3576 wrote to memory of 4912 N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 3576 wrote to memory of 4912 N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 3576 wrote to memory of 1448 N/A N/A C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe
PID 3576 wrote to memory of 1448 N/A N/A C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe
PID 3576 wrote to memory of 3468 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3576 wrote to memory of 3468 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3576 wrote to memory of 4636 N/A N/A C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe
PID 3576 wrote to memory of 4636 N/A N/A C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d2d2319bece5591fb091367e4515364.dll,#1

C:\Windows\system32\CameraSettingsUIHost.exe

C:\Windows\system32\CameraSettingsUIHost.exe

C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe

C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 2.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\wvMfa\CameraSettingsUIHost.exe

MD5 9e98636523a653c7a648f37be229cf69
SHA1 bd4da030e7cf4d55b7c644dfacd26b152e6a14c4
SHA256 3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717
SHA512 41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

C:\Users\Admin\AppData\Local\wvMfa\DUI70.dll

MD5 9435d9c74547b7f7f1325040c9a5931c
SHA1 32d85c3ab0751a6b963616f1e7d77f6e41026a8d
SHA256 e324c5e43873d0dec8f650c3619a553ddc885a5d7a104636826b8e2508b43510
SHA512 d7e89926cc7e27fd904a94d40e23635ad6b9104f8d0e8f85112ec2bbd658bc3bf6bfba67f158e7be7b676c7f72681598e2f48f0976a3219a2d7ab3318fd82fef

C:\Users\Admin\AppData\Local\wvMfa\DUI70.dll

MD5 b2aef922fce6c40a1c3ad21a7acadf94
SHA1 9287ab2e1a0363c9ac426f32fadd9732d6b1dc09
SHA256 3564fd033da970ecf97eb0cbedab1a8757d9a47a5e1ff238a71bab5ba5fa3536
SHA512 176bfa917054b90f4b3a9b51008ddb7a5ef67ec8d969019e00fd4a9ad29e31d615f3ae5c76259e4d29d5287fecbba0b31e0dd1d93524ac2a8cf449ba159e66f6

memory/2248-53-0x0000000140000000-0x00000001401A1000-memory.dmp

memory/2248-52-0x000001F1820C0000-0x000001F1820C7000-memory.dmp

memory/2248-58-0x0000000140000000-0x00000001401A1000-memory.dmp

C:\Users\Admin\AppData\Local\pVlcwq\SystemPropertiesAdvanced.exe

MD5 fa040b18d2d2061ab38cf4e52e753854
SHA1 b1b37124e9afd6c860189ce4d49cebbb2e4c57bc
SHA256 c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c
SHA512 511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

C:\Users\Admin\AppData\Local\pVlcwq\SYSDM.CPL

MD5 61a86a92ddf7b92f048b6aab665449d6
SHA1 5809b27b0e8c71fd3fa66668f0195a2721adc2f8
SHA256 df3cea67f5db30b14ca1256d9ab5f79e7383e3ec229dd4f97405e917060e0a4f
SHA512 f3a10cb802a43f285c07aaedbccd2113e235129a8b2d09ee0eb1640cf9a26904998b911940e323e58b27f3c4554a1f3d1c36f055b6d6f5a6d345330bd6863b08

memory/1448-70-0x0000000140000000-0x000000014015C000-memory.dmp

memory/1448-69-0x0000028A0E850000-0x0000028A0E857000-memory.dmp

memory/1448-75-0x0000000140000000-0x000000014015C000-memory.dmp

C:\Users\Admin\AppData\Local\8zC0Qx9r\DisplaySwitch.exe

MD5 5338d4beddf23db817eb5c37500b5735
SHA1 1b5c56f00b53fca3205ff24770203af46cbc7c54
SHA256 8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e
SHA512 173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

C:\Users\Admin\AppData\Local\8zC0Qx9r\DUser.dll

MD5 423d7c9163a9df1c96c02abcf8aa28ac
SHA1 47be1e90e74c756db07c076140ea7516e7ab37d4
SHA256 16d03463b1e0f4e5c0c37ac2162b6d04f36f7a789c811c3de224312092696260
SHA512 7d59a8585ea05bb7fb557f0622ac80af743b51f33e75f11a8991130bb16de6f369fdb075330c59225eb337b4209c87dfe271d094f8cb5fe7ea5f15a896c43e88

memory/4636-87-0x000001EB3D9D0000-0x000001EB3D9D7000-memory.dmp

memory/4636-86-0x0000000140000000-0x000000014015D000-memory.dmp

memory/4636-92-0x0000000140000000-0x000000014015D000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 4d5d00321f143474f897a5f67d2d39f6
SHA1 0a90a15b1bf788038eb9296081645099e7ead3bc
SHA256 e68f6df241d554be436bca49fa82f27a5f447c2dade4e81b34b1f07d8a7be122
SHA512 a11582f4e3e2b853d1090b930cb05e79482505dd80a8dbb6855d7ce0105bb556a171ce043137fc509b16109a58871f20081e26e84b4f190d8f7b9937c2327dbd