Malware Analysis Report

2024-11-30 21:14

Sample ID 231230-a9r95sfga2
Target 093552f8e90fe1d26d3d19fd0456953c
SHA256 0d2f1d5bed4fb25099298f0ac7434379ca6ec3b1631e523524ba92813a495bb8
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d2f1d5bed4fb25099298f0ac7434379ca6ec3b1631e523524ba92813a495bb8

Threat Level: Known bad

The file 093552f8e90fe1d26d3d19fd0456953c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Drops startup file

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 00:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 00:55

Reported

2023-12-30 23:42

Platform

win7-20231215-en

Max time kernel

151s

Max time network

127s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\093552f8e90fe1d26d3d19fd0456953c.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cxzw99o2p N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cxzw99o2p\wer.dll N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cxzw99o2p\rdrleakdiag.exe N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\bpJ\lpksetup.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\5gWS\rdrleakdiag.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\HZs5Jo0E\dpapimig.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\CXZW99~1\\RDRLEA~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5gWS\rdrleakdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\HZs5Jo0E\dpapimig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bpJ\lpksetup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A N/A N/A
(61 further rows identical to the line above: no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2640 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1232 wrote to memory of 2640 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1232 wrote to memory of 2640 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1232 wrote to memory of 2444 N/A N/A C:\Users\Admin\AppData\Local\bpJ\lpksetup.exe
PID 1232 wrote to memory of 2444 N/A N/A C:\Users\Admin\AppData\Local\bpJ\lpksetup.exe
PID 1232 wrote to memory of 2444 N/A N/A C:\Users\Admin\AppData\Local\bpJ\lpksetup.exe
PID 1232 wrote to memory of 2976 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1232 wrote to memory of 2976 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1232 wrote to memory of 2976 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1232 wrote to memory of 3056 N/A N/A C:\Users\Admin\AppData\Local\5gWS\rdrleakdiag.exe
PID 1232 wrote to memory of 3056 N/A N/A C:\Users\Admin\AppData\Local\5gWS\rdrleakdiag.exe
PID 1232 wrote to memory of 3056 N/A N/A C:\Users\Admin\AppData\Local\5gWS\rdrleakdiag.exe
PID 1232 wrote to memory of 2476 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1232 wrote to memory of 2476 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1232 wrote to memory of 2476 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1232 wrote to memory of 764 N/A N/A C:\Users\Admin\AppData\Local\HZs5Jo0E\dpapimig.exe
PID 1232 wrote to memory of 764 N/A N/A C:\Users\Admin\AppData\Local\HZs5Jo0E\dpapimig.exe
PID 1232 wrote to memory of 764 N/A N/A C:\Users\Admin\AppData\Local\HZs5Jo0E\dpapimig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\093552f8e90fe1d26d3d19fd0456953c.dll

C:\Windows\system32\lpksetup.exe

C:\Windows\system32\lpksetup.exe

C:\Users\Admin\AppData\Local\bpJ\lpksetup.exe

C:\Users\Admin\AppData\Local\bpJ\lpksetup.exe

C:\Windows\system32\rdrleakdiag.exe

C:\Windows\system32\rdrleakdiag.exe

C:\Users\Admin\AppData\Local\5gWS\rdrleakdiag.exe

C:\Users\Admin\AppData\Local\5gWS\rdrleakdiag.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\HZs5Jo0E\dpapimig.exe

C:\Users\Admin\AppData\Local\HZs5Jo0E\dpapimig.exe

Network

N/A

Files

memory/2500-0-0x0000000140000000-0x0000000140185000-memory.dmp

memory/2500-1-0x00000000001B0000-0x00000000001B7000-memory.dmp

memory/1232-4-0x00000000774D6000-0x00000000774D7000-memory.dmp

memory/1232-5-0x0000000002970000-0x0000000002971000-memory.dmp

memory/2500-8-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-9-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-14-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-21-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-26-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-30-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-35-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-38-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-43-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-45-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-44-0x0000000002940000-0x0000000002947000-memory.dmp

memory/1232-42-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-41-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-40-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-39-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-52-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-37-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-53-0x00000000775E1000-0x00000000775E2000-memory.dmp

memory/1232-54-0x0000000077740000-0x0000000077742000-memory.dmp

memory/1232-36-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-34-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-32-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-33-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-31-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-29-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-28-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-27-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-24-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-25-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-23-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-22-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-20-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-18-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-63-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-19-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-17-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-16-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-15-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-69-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-13-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-12-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-11-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-10-0x0000000140000000-0x0000000140185000-memory.dmp

memory/1232-7-0x0000000140000000-0x0000000140185000-memory.dmp

C:\Users\Admin\AppData\Local\bpJ\lpksetup.exe

MD5 f5a0163c466187625e0e09ea7f0d4ee0
SHA1 cfae1a524a46b7246fff760501957228d6758923
SHA256 e26d3a415b8bf2c65d90c430fd984340ae7c1da7fbc6c8801a6a1826bd5e734c
SHA512 08d06550d7d0fe06aadf9d06b2e8eeb52ea1be296a2a1fa304c547befbe9c076103d38dbf2ee59c7d0471ead9f6e432bebe72e00a45aa6d4bbc85dc822edb358

C:\Users\Admin\AppData\Local\bpJ\dpx.dll

MD5 ecc10121261e9b7dcd6ac64488082cdd
SHA1 f116cb30606b4adf2174571349232e1528107910
SHA256 ea937fad18baf7f63f3cf1fb448cd38425c3983d8a2d82f147353200764eb420
SHA512 ca7cd4aee5806e5a853bfb93d549f14a54de7c3827817594ae1ac027ad700a4aeb75faf14da9c181ea8986edfd12ca2435a9b40243359892b440842d5643d79b

\Users\Admin\AppData\Local\bpJ\dpx.dll

MD5 5340f72f71b35fe7ec7c78755f84aaa4
SHA1 09201901f5c815a6f7a564b3c449ff9ad62c4e8e
SHA256 f6c9f516060841a48062ab5795d7ab739993e79a0782d84ca24ba1cee45cf26b
SHA512 629907d89e30ef7deb22eccd4f47986f48413364cea8145740d391532f6de5a58a188e37ddf00ffc3d8ee6076bf22ba7b6df1cb4e41d78fc5a099209d0e89317

memory/2444-81-0x0000000000100000-0x0000000000107000-memory.dmp

\Users\Admin\AppData\Local\bpJ\lpksetup.exe

MD5 2d5c482a0785678f2cca31f861fe5daf
SHA1 6944171a718c5a644eed135f3fe1f59d375ef536
SHA256 b8a5a891a006ba657ca19c941336c0769c17433f470947fce404ad07a0b7da3d
SHA512 881a71fb13249dd554dbc2ad8d0975e1b36e0b098b949e7819c041197a49496afccade47bcc42d9152ecd487d193c14eab881148f2dc38d2837a8dbc4356b33d

C:\Users\Admin\AppData\Local\bpJ\lpksetup.exe

MD5 e04bd7d1143e03c1ecb51d7beee4667b
SHA1 e7e73c3a229243b4741f5567e58d5fc237aec644
SHA256 2740542aedf5e8be8b73a5f3bd1521184cf6dab87536004d9eaef7b47ad9de2c
SHA512 6a402a95f8482f0d2cfadc1ae53d0d6c011479e963574eeed2aa8dc18570961cc29bd8acc10746d543a863228e30939a8971de186c5e9b6946913945a3110d63

C:\Users\Admin\AppData\Local\5gWS\wer.dll

MD5 9fe58e69ca12aded6678d1dfa338f145
SHA1 6160c048ece2522c27a93a8cef9c1a07ab8f7978
SHA256 c85ddb850558cf7cdd1736bf5944fa12cfb2fc7e16c296847de0cc882071a9a8
SHA512 a177e7c88d1fc7354ebb8fe1aac519344c631b59ebffc49a75ee021f078ade6e5fae5cee8c5c1a162b46802fe32221ca950fddf3eca382c47750122658b03983

C:\Users\Admin\AppData\Local\5gWS\rdrleakdiag.exe

MD5 5e058566af53848541fa23fba4bb5b81
SHA1 769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
SHA256 ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
SHA512 352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

\Users\Admin\AppData\Local\5gWS\rdrleakdiag.exe

MD5 1c0e48d6bcacc0ac0cb904013289367c
SHA1 b52c482d9973fd78c8a3a76b57d4da62a0c499fb
SHA256 68b96c8bad70b0c49a748b6b5a7ad07ac12bd804eb0784546cbdd8c83871e4cf
SHA512 ea64143fd50a07f9a2948a7fcf45f0a4c9cd95487cd1b21995e6c3b9efb8613ff30b3d3820a7e6fcd49c68bd170cc2868524597161bc3ee5b3fe94fb0f3cc0f3

\Users\Admin\AppData\Local\5gWS\wer.dll

MD5 7e6d05f74177d86a728387262c80e6dc
SHA1 5068df7f7226b76a7bc0c54585d91725a3bdbb42
SHA256 b6b855948b2a4ec8a0cbebc0217e9918c3c1d67208ccb87bc093a4c51c4e9b01
SHA512 864cfda21d25b57d7fdf4b0c3852b891d16d47688cadd02d7352f838104f028278c3e457a80532cf4eaca2847bd059ad69a4b7696d165180e51c13e93d7b0216

memory/3056-100-0x0000000000080000-0x0000000000087000-memory.dmp

C:\Users\Admin\AppData\Local\5gWS\rdrleakdiag.exe

MD5 b7227fb27fc07644cddd4c06444a34b9
SHA1 682636a01d9e9a6639b5f36b2ef812c49aa5bf07
SHA256 3ff39d129db0f5f1731769004c00627d4313b8f2e3b64cfd0d6541e285b64eef
SHA512 9fc4db48aa7b5ca1ddc303cddd952842daa535510392886d9ae73d901d61059f94f5b41c41812c532ba5f9f54bd09b4c48b15e55e64aa43e76cba23e3e9324b5

C:\Users\Admin\AppData\Local\HZs5Jo0E\DUI70.dll

MD5 a7c97fd69a7df688f0596c6b530f3750
SHA1 f1350730803b2f4bdeb9fd7a3f623f7d87585502
SHA256 51a67d2160ea46b6406a70f64e0b9ff829c952a557fbc5c393ae86cc06b9f7bc
SHA512 920dce190009a1ab93711879b94391aa6d3125037a1cecd78e0d6840cf434f6956e7aac04bb41f15b27a76efc7fec61ec57d8dce3ccd01a1a88f374b3f2b9551

\Users\Admin\AppData\Local\HZs5Jo0E\DUI70.dll

MD5 1a62c33d26dfb871999d04194f0afc7c
SHA1 7331431e84bb4bb8ee5782e9fb0777739edb17bc
SHA256 0a7dbed0de7a204e8687d7be52f39d30caffa1d03a767e20dcf5bb23355cfaf3
SHA512 a4e5023993f80c8ee688656f667321416e7f5c3a514fdece87b62cf4a0e6a540d2f8a782631db8b279c91acb705888c503b3b0464b37bc2febbd493eb75c9423

memory/764-118-0x0000000000280000-0x0000000000287000-memory.dmp

C:\Users\Admin\AppData\Local\HZs5Jo0E\dpapimig.exe

MD5 0e8b8abea4e23ddc9a70614f3f651303
SHA1 6d332ba4e7a78039f75b211845514ab35ab467b2
SHA256 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA512 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

\Users\Admin\AppData\Local\HZs5Jo0E\dpapimig.exe

MD5 fa351cc0fd3d62c04ba066f6162f8baf
SHA1 fb973b2e29840d85847b3370f9d5afd2f142bb95
SHA256 f28456ed48bb5d1d632e163e571fdac8b6420015bb88fdce102d6d5643a35921
SHA512 ce19f99859fccd1ff19bcba1745ddbc9cf587f9ebeeb9b650545ccb3e52b945711e8002ec077a25db7777cfb4ef9e23f2b929d593e43badf4d7e9223f260a5c1

memory/1232-137-0x00000000774D6000-0x00000000774D7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 ea0dd28e8dac036a1ea0c9de375c44fa
SHA1 97e1b89b1773be4fd865930a0132552b1c652d39
SHA256 6d745dd2636a5e3f426c048d65c5807c54eba3b508a6215cb459ccfcea5e06b6
SHA512 8be34f99cb1fdf3f7b17f0c03b424ec615ddd93485661f21e19cea873eb7fc14955d752ec36b4aa0b5763e43d04fd3c5645becb3b9d3339c0c38c881be6a07db

C:\Users\Admin\AppData\Roaming\Mozilla\RFyAsk\dpx.dll

MD5 0eee8963fc79ec2215650ad898e2e6ab
SHA1 2b351095910ae6691d4c02210ab7b16d084eec78
SHA256 195b318acf53506c6a893c99dbb87acf1fd8d740022d19840922730eaeb7e569
SHA512 6b226a485090924267ad3ca5c73466567a93e3c1a08e24c39131a2e009a799eab96174468230c1930e0093e4d318dc98d6a3a4524f965fcc787d6a8d1029d349

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cxzw99o2p\wer.dll

MD5 b652bccf3dd2d24bace71b5009cea108
SHA1 6b4c96a6e81e49679c42feb7d515d0b1240ab833
SHA256 c0d80ca6d31316e138b4cc8579b418a82aa3a3e9d22e4ea16be72dcf52a73f17
SHA512 23e0f0f86e830ead6857004c7817ee4a2e8ccfadd0c764a805619081ef610537e32980a55b58f9fb2be12e8fce742bc7c8c9468ca57aa9b8e77c47ca2bf64d29

C:\Users\Admin\AppData\Roaming\Identities\hGR33i5O\DUI70.dll

MD5 d4b192601f8bc4fce1f609efe52a0968
SHA1 590e7bc33869fcb4a7b6647be086d4ed490ad392
SHA256 51fc2d0c6fec160697295895d8a54a393f33e9aa14011d29806d8ec83c0fed04
SHA512 26b8bd53fdd8e30bbd6e92e229c1ce35edd901f408e6cf9ffd5d82e91724b0a74666a7e6cce3737863bc63c16fdbf1b897a91db1f87dc1f6865cb06d0fd654c8

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 00:55

Reported

2023-12-30 23:41

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

169s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\093552f8e90fe1d26d3d19fd0456953c.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\UukLG2ecnUq\\ie4ushowIE.exe" N/A N/A
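The two Run-key values above (this one and the behavioral1 value under Srfjajs) are the persistence artifacts a responder will match on, and the behavioral1 value is stored with 8.3 short names (MICROS~1, STARTM~1, CXZW99~1, RDRLEA~1.EXE), so a naive string match on "Start Menu\Programs\Startup" or on "rdrleakdiag.exe" misses it. The following is an added triage example, not the sandbox's own signature logic: it parses both indicator rows as the report prints them, un-doubles the backslashes, flags the user-profile target, the Startup-folder placement and the short-name components, and only expands 8.3 names when run on a Windows host where the path exists. The KNOWN_WINDOWS_BINARIES set is a constructed stand-in for a real System32 listing, limited to the binaries this report shows being copied.

```python
"""Triage the Run-key persistence values recorded in behavioral1 and
behavioral2 of this report."""
import os
import re

# Constructed input: the two indicator rows copied verbatim from the
# "Adds Run key to start application" tables of this report.
RUN_KEY_LINES = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\CXZW99~1\\RDRLEA~1.EXE" N/A N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\UukLG2ecnUq\\ie4ushowIE.exe" N/A N/A',
]

# Constructed stand-in for a System32 listing: the Windows binaries this
# report shows being copied out of System32.
KNOWN_WINDOWS_BINARIES = {
    "lpksetup.exe", "rdrleakdiag.exe", "dpapimig.exe",
    "fxscover.exe", "ie4ushowie.exe", "consent.exe", "taskmgr.exe",
}

RUN_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'\\REGISTRY\\(?P<hive>USER|MACHINE)\\\S+?\\CurrentVersion\\Run\\(?P<name>\S+) '
    r'= "(?P<value>[^"]*)"',
    re.IGNORECASE,
)


def resolve_long_path(path):
    """Expand 8.3 components (MICROS~1 -> Microsoft) with GetLongPathNameW.
    Only works on Windows and only for paths that exist on that host; anywhere
    else the value is returned unchanged, so matching on it stays unreliable."""
    if os.name != "nt":
        return path
    import ctypes
    buf = ctypes.create_unicode_buffer(32767)
    if ctypes.windll.kernel32.GetLongPathNameW(path, buf, len(buf)):
        return buf.value
    return path


def analyze_run_value(line):
    """Parse one 'Set value' indicator row and return the facts worth acting on."""
    m = RUN_VALUE.match(line)
    if not m:
        raise ValueError("not a Run-key indicator row: " + line)
    # The report doubles every backslash inside the quoted value.
    target = m["value"].replace("\\\\", "\\")
    components = target.split("\\")
    short = [c for c in components if re.search(r"~\d+", c)]
    flags = []
    if target.lower().startswith("c:\\users\\"):
        flags.append("target is inside a user profile, writable without elevation")
    if any(c.lower() == "startup" for c in components):
        flags.append("target is inside a Startup folder: Run key and Startup entry both launch it")
    if short:
        flags.append("8.3 short names in value: resolve with resolve_long_path() on the host before matching")
    if components[-1].lower() in KNOWN_WINDOWS_BINARIES:
        flags.append(f"{components[-1]} is a Windows binary name running outside System32 (side-load host)")
    return {"hive": m["hive"], "type": m["type"], "name": m["name"],
            "target": target, "short_name_components": short, "flags": flags}


def triage_run_keys(lines=RUN_KEY_LINES):
    return [analyze_run_value(line) for line in lines]


if __name__ == "__main__":
    for result in triage_run_keys():
        print(result["name"], "->", result["target"])
        for flag in result["flags"]:
            print("   ", flag)
```

Note what the first row does not produce: because the file name is stored as RDRLEA~1.EXE, the binary-name check does not fire even though the behavioral1 Files section shows the target is a copy of rdrleakdiag.exe. On a live host, run resolve_long_path() on the value first, or match on the file hash rather than the name.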

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mSvz\FXSCOVER.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\0t8CvSN\ie4ushowIE.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\lZfB\Taskmgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A N/A N/A
(60 further rows identical to the line above: no description, indicator, process or target recorded)

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3500 wrote to memory of 540 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3500 wrote to memory of 540 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 3500 wrote to memory of 3944 N/A N/A C:\Users\Admin\AppData\Local\mSvz\FXSCOVER.exe
PID 3500 wrote to memory of 3944 N/A N/A C:\Users\Admin\AppData\Local\mSvz\FXSCOVER.exe
PID 3500 wrote to memory of 3776 N/A N/A C:\Windows\system32\ie4ushowIE.exe
PID 3500 wrote to memory of 3776 N/A N/A C:\Windows\system32\ie4ushowIE.exe
PID 3500 wrote to memory of 3552 N/A N/A C:\Users\Admin\AppData\Local\0t8CvSN\ie4ushowIE.exe
PID 3500 wrote to memory of 3552 N/A N/A C:\Users\Admin\AppData\Local\0t8CvSN\ie4ushowIE.exe
PID 3500 wrote to memory of 3560 N/A N/A C:\Windows\system32\consent.exe
PID 3500 wrote to memory of 3560 N/A N/A C:\Windows\system32\consent.exe
PID 3500 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\Gr4cRiKiD\consent.exe
PID 3500 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\Gr4cRiKiD\consent.exe
PID 3500 wrote to memory of 3316 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3500 wrote to memory of 3316 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3500 wrote to memory of 2076 N/A N/A C:\Users\Admin\AppData\Local\lZfB\Taskmgr.exe
PID 3500 wrote to memory of 2076 N/A N/A C:\Users\Admin\AppData\Local\lZfB\Taskmgr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\093552f8e90fe1d26d3d19fd0456953c.dll

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\mSvz\FXSCOVER.exe

C:\Users\Admin\AppData\Local\mSvz\FXSCOVER.exe

C:\Windows\system32\ie4ushowIE.exe

C:\Windows\system32\ie4ushowIE.exe

C:\Users\Admin\AppData\Local\0t8CvSN\ie4ushowIE.exe

C:\Users\Admin\AppData\Local\0t8CvSN\ie4ushowIE.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

C:\Users\Admin\AppData\Local\Gr4cRiKiD\consent.exe

C:\Users\Admin\AppData\Local\Gr4cRiKiD\consent.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Users\Admin\AppData\Local\lZfB\Taskmgr.exe

C:\Users\Admin\AppData\Local\lZfB\Taskmgr.exe
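Both process trees above show the same loader pattern: regsvr32.exe (the parent PID in the WriteProcessMemory tables) starts a Windows binary from System32, then starts a copy of that binary from a randomly named folder under %LOCALAPPDATA% (or, in behavioral1, under the Startup folder), and the Files sections show a DLL dropped beside each copy that carries the name of one of the binary's own dependencies (dpx.dll, wer.dll, DUI70.dll, MFC42u.dll, VERSION.dll, credui.dll). The following is an added hunting example, not the sandbox's own signature: it takes the process and dropped-file paths from this report's behavioral1 and behavioral2 sections as constructed input and flags every non-system directory holding a copy of a System32 executable, together with the DLLs dropped next to it. On a real host, replace OBSERVED_PATHS with file-creation events (for example Sysmon event ID 11) and derive the known-binary set from a listing of System32 rather than from the input itself, which is the assumption made here.

```python
"""Spot the copy-a-Windows-binary-next-to-a-DLL pattern recorded in both
detonations of this report."""
import ntpath
from collections import defaultdict

# Constructed input: process and dropped-file paths copied from the
# behavioral1 (win7) and behavioral2 (win10) sections of this report.
OBSERVED_PATHS = [
    r"C:\Windows\system32\regsvr32.exe",
    r"C:\Windows\system32\lpksetup.exe",
    r"C:\Users\Admin\AppData\Local\bpJ\lpksetup.exe",
    r"C:\Users\Admin\AppData\Local\bpJ\dpx.dll",
    r"C:\Windows\system32\rdrleakdiag.exe",
    r"C:\Users\Admin\AppData\Local\5gWS\rdrleakdiag.exe",
    r"C:\Users\Admin\AppData\Local\5gWS\wer.dll",
    r"C:\Windows\system32\dpapimig.exe",
    r"C:\Users\Admin\AppData\Local\HZs5Jo0E\dpapimig.exe",
    r"C:\Users\Admin\AppData\Local\HZs5Jo0E\DUI70.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cxzw99o2p\rdrleakdiag.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cxzw99o2p\wer.dll",
    r"C:\Windows\system32\FXSCOVER.exe",
    r"C:\Users\Admin\AppData\Local\mSvz\FXSCOVER.exe",
    r"C:\Users\Admin\AppData\Local\mSvz\MFC42u.dll",
    r"C:\Windows\system32\ie4ushowIE.exe",
    r"C:\Users\Admin\AppData\Local\0t8CvSN\ie4ushowIE.exe",
    r"C:\Users\Admin\AppData\Local\0t8CvSN\VERSION.dll",
    r"C:\Windows\system32\consent.exe",
    r"C:\Users\Admin\AppData\Local\Gr4cRiKiD\consent.exe",
    r"C:\Windows\system32\Taskmgr.exe",
    r"C:\Users\Admin\AppData\Local\lZfB\Taskmgr.exe",
    r"C:\Users\Admin\AppData\Local\lZfB\credui.dll",
]

# Directories treated as the legitimate home of Windows binaries.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def is_system_dir(directory):
    d = directory.lower().rstrip("\\")
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def find_sideload_candidates(paths):
    """Group paths by directory and return, for every directory outside
    System32/SysWOW64, the executables whose file name also occurs under a
    system directory in the same path set, plus any DLLs dropped beside them.

    Assumption: the set of known Windows binaries is derived from the same
    path list; on a real host build it from a listing of System32 instead.
    An empty "dlls" list still deserves a look: the report may simply not
    have captured the DLL drop (consent.exe in behavioral2 is such a case).
    """
    system_exes = {
        ntpath.basename(p).lower()
        for p in paths
        if p.lower().endswith(".exe") and is_system_dir(ntpath.dirname(p))
    }
    by_dir = defaultdict(list)
    for p in paths:
        by_dir[ntpath.dirname(p)].append(ntpath.basename(p))

    hits = {}
    for directory, names in by_dir.items():
        if is_system_dir(directory):
            continue
        exes = [n for n in names if n.lower() in system_exes]
        if not exes:
            continue
        hits[directory] = {
            "exe": exes,
            "dlls": [n for n in names if n.lower().endswith(".dll")],
            "user_writable": directory.lower().startswith("c:\\users\\"),
        }
    return hits


if __name__ == "__main__":
    for directory, info in find_sideload_candidates(OBSERVED_PATHS).items():
        print(f"{directory}: {info['exe']} + {info['dlls']}")
```

Run against the report's paths this yields eight directories, all user-writable; seven carry a DLL beside the copied binary and one (Gr4cRiKiD\consent.exe) does not, which is the case the empty-list rule is there to keep visible.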

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
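The win7 run recorded no network activity at all, so everything in this win10 table has to be read against normal Windows 10 background traffic: the tse1.mm.bing.net sessions and a burst of PTR lookups through 8.8.8.8 are routinely seen in clean win10 detonations. The row that stands out is the plain TCP connection to 20.231.121.79:80 with no domain attributed to it, meaning the sandbox saw no DNS answer that produced that address. The following is an added triage example, not part of the sandbox output: it parses the table as printed above (constructed input, copied from this report), turns each in-addr.arpa query back into the IP that was looked up, and separates connections that were preceded by a resolution from those that were not. The report does not record what was exchanged on port 80, so the unresolved address is a lead for a threat-intel lookup, not a confirmed C2.

```python
"""Decode the behavioral2 Network table of this report: which addresses the
sandbox host looked up, which it connected to, and which it connected to
without any name resolution."""

# Constructed input: the Network table rows exactly as printed in the report.
NETWORK_ROWS = """\
US 20.231.121.79:80 tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
""".splitlines()

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'22.160.190.20.in-addr.arpa' -> '20.190.160.22' (octets are reversed in PTR names)."""
    if not name.lower().endswith(PTR_SUFFIX):
        raise ValueError("not a reverse-lookup name: " + name)
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        raise ValueError("not an IPv4 PTR name: " + name)
    return ".".join(reversed(octets))


def parse_row(row):
    """Rows are 'Country Destination [Domain] Proto'; Domain is absent when the
    sandbox could not tie the destination to a resolved name."""
    parts = row.split()
    if len(parts) not in (3, 4):
        raise ValueError("unexpected row layout: " + row)
    ip, port = parts[1].rsplit(":", 1)
    return {"country": parts[0], "ip": ip, "port": int(port),
            "domain": parts[2] if len(parts) == 4 else None, "proto": parts[-1]}


def triage_network(rows):
    forward, ptr, connections = [], [], []
    for row in rows:
        r = parse_row(row)
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            if r["domain"].lower().endswith(PTR_SUFFIX):
                ptr.append(ptr_to_ip(r["domain"]))
            else:
                forward.append(r["domain"])
            continue
        conn = (r["ip"], r["port"], r["domain"])
        if conn not in connections:          # collapse repeated sessions
            connections.append(conn)
    connected = {c[0] for c in connections}
    return {
        "forward_lookups": forward,
        "ptr_lookups": ptr,
        "connections": connections,
        "connected_without_dns": [c[0] for c in connections if c[2] is None],
        "ptr_for_connected_ip": [ip for ip in ptr if ip in connected],
    }


if __name__ == "__main__":
    for key, value in triage_network(NETWORK_ROWS).items():
        print(key, value)
```

Of the 18 reverse lookups only one (204.79.197.200, the bing.net endpoint) corresponds to an address the host actually connected to; the other 17 are addresses the host merely asked about, and 20.231.121.79 was contacted without any lookup at all.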

Files

memory/4624-0-0x0000000140000000-0x0000000140185000-memory.dmp

memory/4624-1-0x0000000000CF0000-0x0000000000CF7000-memory.dmp

memory/3500-5-0x00007FF8E006A000-0x00007FF8E006B000-memory.dmp

memory/3500-4-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

memory/3500-7-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-9-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-10-0x0000000140000000-0x0000000140185000-memory.dmp

memory/4624-8-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-11-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-12-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-13-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-14-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-15-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-16-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-17-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-18-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-19-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-20-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-22-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-21-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-23-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-24-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-25-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-27-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-28-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-29-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-30-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-31-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-26-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-32-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-33-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-34-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-35-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-36-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-37-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-38-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-39-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-40-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-41-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-42-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-43-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-44-0x0000000000A70000-0x0000000000A77000-memory.dmp

memory/3500-45-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-52-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-53-0x00007FF8E0A60000-0x00007FF8E0A70000-memory.dmp

memory/3500-62-0x0000000140000000-0x0000000140185000-memory.dmp

memory/3500-64-0x0000000140000000-0x0000000140185000-memory.dmp

C:\Users\Admin\AppData\Local\mSvz\FXSCOVER.exe

MD5 5769f78d00f22f76a4193dc720d0b2bd
SHA1 d62b6cab057e88737cba43fe9b0c6d11a28b53e8
SHA256 40e8e6dabfa1485b11cdccf220eb86eeaa8256e99e344cf2b2098d4cdb788a31
SHA512 b4b3448a2635b21690c71254d964832e89bf947f7a0d32e79dcc84730f11d4afb4149a810a768878e52f88fc8baec45f1a2fec8e22c5301e9f39fe4fc6a57e3f

C:\Users\Admin\AppData\Local\mSvz\MFC42u.dll

MD5 b10d088cad46540fa220fadccb2b0fd7
SHA1 4b15ab920c96a0a28a92fe5d7462fe6d3e615e19
SHA256 b869b992008d84d858cbbb881dd7b5cf5094068da230e5cf623b7950d4b42595
SHA512 e884a9f5fda20a55b75f5de368088423d89e79118870e8955a666ca22f513112eb021600a1ffedf2218c85e045c94290b5920020fcd05c0ab78b6399480e09b7

memory/3944-73-0x0000022CF2DE0000-0x0000022CF2DE7000-memory.dmp

memory/3944-74-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3944-79-0x0000000140000000-0x000000014018C000-memory.dmp

C:\Users\Admin\AppData\Local\0t8CvSN\ie4ushowIE.exe

MD5 9de952f476abab0cd62bfd81e20a3deb
SHA1 109cc4467b78dad4b12a3225020ea590bccee3e6
SHA256 e9cb6336359ac6f71ac75af2836efb28daa3bafd10a1f0b775dcdc2ec8850a6b
SHA512 3cbe50a146ca50b0657a78a2d89a34630c69823005668906785b2d2015cc6139c8dbbf7aefa5fe55957ef55ae06e758933b3b41eaf822e49dba3b7700582e2c9

C:\Users\Admin\AppData\Local\0t8CvSN\VERSION.dll

MD5 2f5a31af86d76459902ea8e498d00656
SHA1 7ab26df77d310b2be90c565e40f6224cd580b95f
SHA256 b6032e6f40adcee4e1575e9d6dba0030e886baf60df95d8641ba0f7ce2fa789e
SHA512 b6373fa31cc9c88a34f43f2488b262535a2a9ba7003b0f38c29d5af98eb734b625d871b9e03e56f5f46b8e63d72c5bdf5e02958bfdc081a451bad702958dd8c0

memory/3552-90-0x00000196D90E0000-0x00000196D90E7000-memory.dmp

memory/3552-91-0x0000000140000000-0x0000000140186000-memory.dmp

memory/3552-96-0x0000000140000000-0x0000000140186000-memory.dmp

C:\Users\Admin\AppData\Local\Gr4cRiKiD\consent.exe

MD5 6646631ce4ad7128762352da81f3b030
SHA1 1095bd4b63360fc2968d75622aa745e5523428ab
SHA256 56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64
SHA512 1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

C:\Users\Admin\AppData\Local\lZfB\Taskmgr.exe

MD5 58d5bc7895f7f32ee308e34f06f25dd5
SHA1 7a7f5e991ddeaf73e15a0fdcb5c999c0248a2fa4
SHA256 4e305198f15bafd5728b5fb8e7ff48d9f312399c744ecfea0ecac79d93c5e478
SHA512 872c84c92b0e4050ae4a4137330ec3cda30008fd15d6413bf7a913c03a021ad41b6131e5a7356b374ced98d37ae207147ebefd93893560dc15c3e9875f93f7a9

C:\Users\Admin\AppData\Local\lZfB\credui.dll

MD5 f3549728c239a94401203c477d2eb1a3
SHA1 1f6ff8839a488c2536f088b8b344a2ef5db28818
SHA256 a2a08129f0680ad7a144411ebc6819bfdb67156e682ffe122552a81d323ec254
SHA512 f2224e710db554767f7ac47cc5a6621640c8301e3515c0d51fd90bcd805eda62990a1f7977c3c548826d1d1f79a3e2f28d36a15e83bf11ea928ad2a9e72eeb39

memory/2076-116-0x0000025938D70000-0x0000025938D77000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 d4db4948afc5746b0266e82ecd3caa3a
SHA1 51fa8c46501d4ad0b0a985feccaed63faabd3521
SHA256 ca0acf2bf216c867c3854cdb8d0d8f30db152ec05d369e5df498659ae255fbe5
SHA512 a21230ad8f0e19491e30cc798ab0be8c0298a916dfe6c9d46dbe3970770cc50bab4b9c773bae00cb324fe11d2fc770385d90db80f4e92526cf876f66edb1c9c8