Malware Analysis Report

2024-11-30 21:40

Sample ID 231230-3t48zsaba9
Target 2097c2f618063464714ea21731ffd184
SHA256 5a5f45234e753828244ad1f27ef0e01eabdc9302d542ceb6626308b2652e38ca
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5a5f45234e753828244ad1f27ef0e01eabdc9302d542ceb6626308b2652e38ca

Threat Level: Known bad

The file 2097c2f618063464714ea21731ffd184 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 23:49

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 23:49

Reported

2024-01-04 21:35

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2097c2f618063464714ea21731ffd184.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\PHZy\perfmon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\wQSXM\SoundRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\fv40zx3\SnippingTool.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\3TR6Y8\WindowsAnytimeUpgradeResults.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\9.0\\Collab\\UmGqD\\SoundRecorder.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\PHZy\perfmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wQSXM\SoundRecorder.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fv40zx3\SnippingTool.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3TR6Y8\WindowsAnytimeUpgradeResults.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 2812 N/A N/A C:\Windows\system32\perfmon.exe
PID 1308 wrote to memory of 2812 N/A N/A C:\Windows\system32\perfmon.exe
PID 1308 wrote to memory of 2812 N/A N/A C:\Windows\system32\perfmon.exe
PID 1308 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\PHZy\perfmon.exe
PID 1308 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\PHZy\perfmon.exe
PID 1308 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\PHZy\perfmon.exe
PID 1308 wrote to memory of 1620 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1308 wrote to memory of 1620 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1308 wrote to memory of 1620 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1308 wrote to memory of 572 N/A N/A C:\Users\Admin\AppData\Local\wQSXM\SoundRecorder.exe
PID 1308 wrote to memory of 572 N/A N/A C:\Users\Admin\AppData\Local\wQSXM\SoundRecorder.exe
PID 1308 wrote to memory of 572 N/A N/A C:\Users\Admin\AppData\Local\wQSXM\SoundRecorder.exe
PID 1308 wrote to memory of 2892 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1308 wrote to memory of 2892 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1308 wrote to memory of 2892 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1308 wrote to memory of 2488 N/A N/A C:\Users\Admin\AppData\Local\fv40zx3\SnippingTool.exe
PID 1308 wrote to memory of 2488 N/A N/A C:\Users\Admin\AppData\Local\fv40zx3\SnippingTool.exe
PID 1308 wrote to memory of 2488 N/A N/A C:\Users\Admin\AppData\Local\fv40zx3\SnippingTool.exe
PID 1308 wrote to memory of 1612 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1308 wrote to memory of 1612 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1308 wrote to memory of 1612 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1308 wrote to memory of 1908 N/A N/A C:\Users\Admin\AppData\Local\3TR6Y8\WindowsAnytimeUpgradeResults.exe
PID 1308 wrote to memory of 1908 N/A N/A C:\Users\Admin\AppData\Local\3TR6Y8\WindowsAnytimeUpgradeResults.exe
PID 1308 wrote to memory of 1908 N/A N/A C:\Users\Admin\AppData\Local\3TR6Y8\WindowsAnytimeUpgradeResults.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2097c2f618063464714ea21731ffd184.dll,#1

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\PHZy\perfmon.exe

C:\Windows\system32\SoundRecorder.exe

C:\Users\Admin\AppData\Local\wQSXM\SoundRecorder.exe

C:\Windows\system32\SnippingTool.exe

C:\Users\Admin\AppData\Local\fv40zx3\SnippingTool.exe

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\3TR6Y8\WindowsAnytimeUpgradeResults.exe

Network

N/A

Files

\Users\Admin\AppData\Local\PHZy\perfmon.exe

MD5 3eb98cff1c242167df5fdbc6441ce3c5
SHA1 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
SHA256 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
SHA512 f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

C:\Users\Admin\AppData\Local\PHZy\Secur32.dll

MD5 28791430e8aef96c7e34ee609f9d8fe0
SHA1 872e5288358e16be8f2ecf81c2668360ee3ef2b3
SHA256 2fa96d6168f878a26bd2d25e57e545a22b50e40e802e5446303f6e07b01e5caf
SHA512 c90fabf355a2f73a6e4c648f20a7d52bff8eaa6657040176cce427a75852de4cb9180653f9f5c1849d6f336fb49a9d37924faf03b3d56eca74a01c2c8edbe29c


C:\Users\Admin\AppData\Local\wQSXM\SoundRecorder.exe

MD5 47f0f526ad4982806c54b845b3289de1
SHA1 8420ea488a2e187fe1b7fcfb53040d10d5497236
SHA256 e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b
SHA512 4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

C:\Users\Admin\AppData\Local\wQSXM\UxTheme.dll

MD5 a8023a0bd8dd77c426e3f88e5c2aff7b
SHA1 bc2052e82fd691a6315a307836d7f6d2bc629204
SHA256 83221d22b807f89fa605adf02b8989aecb16e4a0cd2abb6fe2de2e2f59415d70
SHA512 7d21db9243deb89b4e69bafb0d7b4aa9128658077a43ba12b15c2d6cd0a06a7db2498dbc38156974de64bfe9ca9e560ac065123dcef02fee5bffdab831d3de14


\Users\Admin\AppData\Local\fv40zx3\SnippingTool.exe

MD5 7633f554eeafde7f144b41c2fcaf5f63
SHA1 44497c3d6fada0066598a6170b90c53e28ddf96c
SHA256 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
SHA512 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

C:\Users\Admin\AppData\Local\fv40zx3\UxTheme.dll

MD5 6e4698de71cf369b8fa48629220f2959
SHA1 d1f6ab21a86cd5603da6715ac415bf53bb0a4696
SHA256 1b083de942b7c2c222722f14718c77ce27fc66453c8079cac05ec560be4121e2
SHA512 82108043c1093ff7879ea4d238aeed6dcdf7282d446b9bade39ec7cd8ddbc481f707541e1e516e2c5534e1fa380022836b59cf7817c6e24dd9509a37547b5eb4


C:\Users\Admin\AppData\Local\3TR6Y8\WindowsAnytimeUpgradeResults.exe

MD5 6f3f29905f0ec4ce22c1fd8acbf6c6de
SHA1 68bdfefe549dfa6262ad659f1578f3e87d862773
SHA256 e9c4d718d09a28de8a99386b0dd65429f433837c712314e98ec4f01031af595b
SHA512 16a9ad3183d7e11d9f0dd3c79363aa9a7af306f4f35a6f1e0cc1e175ef254e8052ec94dfd600dbe882f9ab41254d482cce9190ab7b0c005a34e46c66e8ff5f9e

C:\Users\Admin\AppData\Local\3TR6Y8\DUI70.dll

MD5 4292f99ba4d6a588278993b9f549162f
SHA1 cf60b071fa37e89adcaa8cb9b5b360191628344b
SHA256 7254625f6c76c0f9a0205b3f003ba7800380a0d0acdc3026f2325c21dd8bf721
SHA512 0741c0b1578404e14a6a6dcc37ffa239bf247138165e82e80a45dcfc8401eb8551aa6e224fad39f5374490e9c1bc0c6ddbb75571a66cb88f23bfcab9eaf94740


C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 c655dbcc85cce6f86ead40501884cdd2
SHA1 1b3ab2b5171b89472936ea85c1974d36f0c0eed9
SHA256 2174c2b3b867e027cdeb77173659f49c02468867d7d66e3bbb07c2a43c7c1668
SHA512 dd90b951f68422e090e3e739480e3fe2a7c4f07b6fc4820962089c8132e0421007e7aedb6f07b3612e575b8cf73e165019b9ba4c3408a4b34f76be803f669ef3

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 23:49

Reported

2024-01-04 21:34

Platform

win10v2004-20231215-en

Max time kernel

129s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2097c2f618063464714ea21731ffd184.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\X3D\\rdpinit.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\2SKjED463\rdpinit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bSQjYAD\mfpmp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\UV4\WindowsActionDialog.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 1496 N/A N/A C:\Windows\system32\WindowsActionDialog.exe
PID 3480 wrote to memory of 1496 N/A N/A C:\Windows\system32\WindowsActionDialog.exe
PID 3480 wrote to memory of 512 N/A N/A C:\Users\Admin\AppData\Local\UV4\WindowsActionDialog.exe
PID 3480 wrote to memory of 512 N/A N/A C:\Users\Admin\AppData\Local\UV4\WindowsActionDialog.exe
PID 3480 wrote to memory of 624 N/A N/A C:\Windows\system32\rdpinit.exe
PID 3480 wrote to memory of 624 N/A N/A C:\Windows\system32\rdpinit.exe
PID 3480 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\2SKjED463\rdpinit.exe
PID 3480 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\2SKjED463\rdpinit.exe
PID 3480 wrote to memory of 3604 N/A N/A C:\Windows\system32\mfpmp.exe
PID 3480 wrote to memory of 3604 N/A N/A C:\Windows\system32\mfpmp.exe
PID 3480 wrote to memory of 1820 N/A N/A C:\Users\Admin\AppData\Local\bSQjYAD\mfpmp.exe
PID 3480 wrote to memory of 1820 N/A N/A C:\Users\Admin\AppData\Local\bSQjYAD\mfpmp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2097c2f618063464714ea21731ffd184.dll,#1

C:\Windows\system32\WindowsActionDialog.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\bSQjYAD\mfpmp.exe

C:\Users\Admin\AppData\Local\2SKjED463\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Users\Admin\AppData\Local\UV4\WindowsActionDialog.exe

Network


Files


C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

MD5 b24fe33fb86d2cfaa051d0d1db8aee01
SHA1 eb166b6fbe1acd52ca6aabb747127953dc14ac92
SHA256 58d0ff50401ac964537105e3f50585e789b544669f7fc2dc2a3fa07cffc9bc8d
SHA512 296e588928299a3030644cb235b033706c02ff6e017b3f6e6e3cab4ccfafd2c5fb1eb9d2c7f5a868d8a5a1723501c02fec2803dccadcb6c9625c7d3088bf241c

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\kaG3g1K\MFPlat.DLL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e