Malware Analysis Report

2024-11-30 21:16

Sample ID 231230-e2qtkafce3
Target 0e6c4aa853ee3453ab12c34d5765c214
SHA256 4ef1d622c0e3482d50044b81e58acfde42d06f478bf31ad98ac9498de77bb957
Tags
dridex botnet evasion payload persistence trojan
Score
10/10


Analysis Overview

Threat Level: Known bad

The file 0e6c4aa853ee3453ab12c34d5765c214 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-12-30 04:26

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 04:26

Reported

2023-12-31 20:11

Platform

win7-20231215-en

Max time kernel

211s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e6c4aa853ee3453ab12c34d5765c214.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\tYzeB\wusa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\hdpjg9\ddodiag.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FHpD9Xj4\xpsrchvw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\p68b8qr\\ddodiag.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\tYzeB\wusa.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hdpjg9\ddodiag.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FHpD9Xj4\xpsrchvw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 852 N/A N/A C:\Windows\system32\wusa.exe
PID 1188 wrote to memory of 852 N/A N/A C:\Windows\system32\wusa.exe
PID 1188 wrote to memory of 852 N/A N/A C:\Windows\system32\wusa.exe
PID 1188 wrote to memory of 108 N/A N/A C:\Users\Admin\AppData\Local\tYzeB\wusa.exe
PID 1188 wrote to memory of 108 N/A N/A C:\Users\Admin\AppData\Local\tYzeB\wusa.exe
PID 1188 wrote to memory of 108 N/A N/A C:\Users\Admin\AppData\Local\tYzeB\wusa.exe
PID 1188 wrote to memory of 1528 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1188 wrote to memory of 1528 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1188 wrote to memory of 1528 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1188 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\hdpjg9\ddodiag.exe
PID 1188 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\hdpjg9\ddodiag.exe
PID 1188 wrote to memory of 2200 N/A N/A C:\Users\Admin\AppData\Local\hdpjg9\ddodiag.exe
PID 1188 wrote to memory of 1504 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 1188 wrote to memory of 1504 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 1188 wrote to memory of 1504 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 1188 wrote to memory of 1352 N/A N/A C:\Users\Admin\AppData\Local\XvQrn\EhStorAuthn.exe
PID 1188 wrote to memory of 1352 N/A N/A C:\Users\Admin\AppData\Local\XvQrn\EhStorAuthn.exe
PID 1188 wrote to memory of 1352 N/A N/A C:\Users\Admin\AppData\Local\XvQrn\EhStorAuthn.exe
PID 1188 wrote to memory of 856 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1188 wrote to memory of 856 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1188 wrote to memory of 856 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1188 wrote to memory of 2220 N/A N/A C:\Users\Admin\AppData\Local\FHpD9Xj4\xpsrchvw.exe
PID 1188 wrote to memory of 2220 N/A N/A C:\Users\Admin\AppData\Local\FHpD9Xj4\xpsrchvw.exe
PID 1188 wrote to memory of 2220 N/A N/A C:\Users\Admin\AppData\Local\FHpD9Xj4\xpsrchvw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e6c4aa853ee3453ab12c34d5765c214.dll,#1

C:\Windows\system32\wusa.exe

C:\Windows\system32\wusa.exe

C:\Users\Admin\AppData\Local\tYzeB\wusa.exe

C:\Users\Admin\AppData\Local\tYzeB\wusa.exe

C:\Windows\system32\ddodiag.exe

C:\Windows\system32\ddodiag.exe

C:\Users\Admin\AppData\Local\hdpjg9\ddodiag.exe

C:\Users\Admin\AppData\Local\hdpjg9\ddodiag.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\XvQrn\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\XvQrn\EhStorAuthn.exe

C:\Windows\system32\xpsrchvw.exe

C:\Windows\system32\xpsrchvw.exe

C:\Users\Admin\AppData\Local\FHpD9Xj4\xpsrchvw.exe

C:\Users\Admin\AppData\Local\FHpD9Xj4\xpsrchvw.exe

Network

N/A

Files

\Users\Admin\AppData\Local\tYzeB\wusa.exe

MD5 c15b3d813f4382ade98f1892350f21c7
SHA1 a45c5abc6751bc8b9041e5e07923fa4fc1b4542b
SHA256 8f067da98eb3ea9f1db2f0063ff54e07d992fbf051779b467e222639be4127e3
SHA512 6d028fe81fe45d0ef291741513ecf939e412912647347d4d5bad89571f33e1084dc0fd26eb7313c7191f938c3f50243f453e2690e2475fc3f5539a20c2ff2f3c

C:\Users\Admin\AppData\Local\tYzeB\WTSAPI32.dll

MD5 97e4f13851e40a0554115f9d4b566ab7
SHA1 f9349fe00e17f98bb96d942ef89b7f1707dabdbb
SHA256 61b0232a819db5c1e435628c3c467466fe5544b6268a47611e249fb0bedfbe15
SHA512 62d177c4e71ae709ed3f3c354f051f9065a07014df7e497160055389d5b144b92b19520924207840adbb4410a6f9b2f37fccb03987f3fd4a06aedee4eab6fd25

\Users\Admin\AppData\Local\hdpjg9\ddodiag.exe

MD5 509f9513ca16ba2f2047f5227a05d1a8
SHA1 fe8d63259cb9afa17da7b7b8ede4e75081071b1a
SHA256 ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e
SHA512 ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

\Users\Admin\AppData\Local\hdpjg9\XmlLite.dll

MD5 0843b31b797b7e0800d994fff11eb161
SHA1 974035cae003bda8f6ef4ff304ad26e98f4ea454
SHA256 257050736893e1edf384cdc768e6422e7a9ec31b9b2e3f9800209da901ffe5b1
SHA512 60488c59a9becfefb43b54ca69c288bae3485b0589cb75d415ec64283a05431e86ebfd7bc6f9463947b17677cc4e283e783b5c2454f6929ad6b68a2502cbd3dc

\Users\Admin\AppData\Local\XvQrn\EhStorAuthn.exe

MD5 3abe95d92c80dc79707d8e168d79a994
SHA1 64b10c17f602d3f21c84954541e7092bc55bb5ab
SHA256 2159d9d5c9355521de859d1c40907fcdfef19f8cf68eda7485b89e9aa119e3ad
SHA512 70fee5e87121229bba5c5e5aaa9f028ac0546dc9d38b7a00a81b882c8f8ce4abfdc364a598976b1463cca05e9400db715f8a4478ec61b03a693bbeee18c6ae5c

C:\Users\Admin\AppData\Local\XvQrn\UxTheme.dll

MD5 efcf04e4ebe1ab967feebfeb2d577ac5
SHA1 cf144e870dbf88c94d15fd6b3b53995de73ca705
SHA256 3d13a44a03e2750973d06e75f7297d9edd3acebca76c0ca046ac44312130ef93
SHA512 042aec6d27148f056aa2c7eff1c96c624ecbc3c4d278c01d80cde4de289213b57f46cf66ccc5f57ab6c3f35f9da7509d7fa22faf7a97bf654aa273cf54120d06

\Users\Admin\AppData\Local\FHpD9Xj4\xpsrchvw.exe

MD5 196ccaa3814f331d51e5ae80c85dcc58
SHA1 f9892e6d9eba6f95c755975fa3e2fa85a0d9b1bd
SHA256 ea79d80cd18333b3540f51abab08dfc9d4649dfd03acb88db821657e40f7874b
SHA512 43ccf05cdf3b61a0e894605ade5fa65b938df591f8ce37f70d4fb8839d392e41582c055b0fc68baeb9a17e471d7215c43e5d4574d8f05331dc9257a21976fa75

C:\Users\Admin\AppData\Local\FHpD9Xj4\xpsrchvw.exe

MD5 e00081da9c5ab03358ea3228d7bd8df8
SHA1 b30e3ed69a4068a2c8573dedc0f4233f03d7636c
SHA256 2022d407fa698fba91944433abbdf28ecf8e87321070be75fb5162528438c51f
SHA512 f3ea2b886aa82f19c4ca656cd0154ddff9d3487be123afde98c83e6a74f27499d084f806eda0e25e5265cbb20da396850a566c13fd16446bf26036da6d0f99aa

C:\Users\Admin\AppData\Local\FHpD9Xj4\WINMM.dll

MD5 939f088b4564bafa8c76601942466518
SHA1 8fa672050f0ca08af3f5248f96bde5cee4197d81
SHA256 2ae8cc0d82ce172c5b048735699d1aa8d9b76d879991469caf698253dedad8de
SHA512 3858932a43babc06f0a2ead42f986e4b53b9c397f3fc72bbe42463195f53a427c325de5a4115048ff4485c33af1e73ef7c9b2b3c925709e2949b6bbb7fd6e4ec

\Users\Admin\AppData\Local\FHpD9Xj4\WINMM.dll

MD5 1378e656b70a7f021bf7ac388e66cf85
SHA1 102fc66f9a939f9976440bdbe566a6809ca8335a
SHA256 80bbf6f3cd1466a03843097fe651df84964d2afe1302401cd61d94751eca976c
SHA512 8fd2674aae01936a85cac8ccaf42cffedc7bdc6c9b4b0b35496c7700dd785f8142eccd11d1909f3fc7e7f12f598c4d0b4cdbad5f20cd59617c38e2d891b4c4f1

C:\Users\Admin\AppData\Local\FHpD9Xj4\xpsrchvw.exe

MD5 f732ea980c26b5bd9ec2dee3b75ed121
SHA1 fceee809d80a31ea4072f022aab4851ac9702ae6
SHA256 4dd4a30b89557d0dc3efcd634a7a19a6c288bd81b132788503a553d74bfd498f
SHA512 4692640fbc80412e241ba0b4654d5c84216086a1d33c7181cbdaee90bbf2f8b23fe76a3538684074ff5f60a7e701929384216ae9db3d1d6374cf83ecc2c6dff8

\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\UuGJX8lLQf\xpsrchvw.exe

MD5 e18c749436ed1147388677c93e32abcb
SHA1 5b02bea949eb2a3af66454dca31f0c08c68f9f1c
SHA256 f9ce8376c9fab6a7f5c726358a7f7cabc17e50a3a598f389ea7206b12ffa75fd
SHA512 2aaae7e94e398ade56ce91667a78cbfb33ec53e5d4c06cce21ba4253afe13b023b875cd5363240197df5a74f07a89624017f735701dbe91cc3644f7a7f2bae6a

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 61fd23c19a7b837cf3e58e07890b46b0
SHA1 f77bde369170c0e9de45f83d15efada91e0fb8ed
SHA256 49423efd67674d6af7b6d26f5463ddc50cf99fa668d0401b8b673481a9b7adaf
SHA512 c72f46e379092392d5e4a8f03891c19e61be821b391cf510f5cf4b9c664d7f31c0c23c39e320a7e5b540117a36faac88abf4ba06db1ae07bc2f5812398b2a0f2

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\UuGJX8lLQf\WINMM.dll

MD5 5cf551169232b207ec4f64f2c71dc173
SHA1 3d9874dab50ae7933561f2c7797de0f17b147032
SHA256 912c3bf92db77accd24330b74135c5ede19d48c0b320f66ba885bf08be129e6c
SHA512 20afc383eacc025dbec0e6f87a52a692db4c0bd23bbfe8b4e9fc426afecdb68c18d71ba2e74955903dad81cbe6d3af7bc703221e58068018b2ed92fa05d04cae

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 04:26

Reported

2023-12-31 20:09

Platform

win10v2004-20231215-en

Max time kernel

115s

Max time network

181s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e6c4aa853ee3453ab12c34d5765c214.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\RTYWtGVoXk\\SysResetErr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\AvqN\eudcedit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\rHrc\RdpSaUacHelper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gv8B\SysResetErr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 3200 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3428 wrote to memory of 3200 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3428 wrote to memory of 3732 N/A N/A C:\Users\Admin\AppData\Local\rHrc\RdpSaUacHelper.exe
PID 3428 wrote to memory of 3732 N/A N/A C:\Users\Admin\AppData\Local\rHrc\RdpSaUacHelper.exe
PID 3428 wrote to memory of 1380 N/A N/A C:\Windows\system32\SysResetErr.exe
PID 3428 wrote to memory of 1380 N/A N/A C:\Windows\system32\SysResetErr.exe
PID 3428 wrote to memory of 2060 N/A N/A C:\Users\Admin\AppData\Local\gv8B\SysResetErr.exe
PID 3428 wrote to memory of 2060 N/A N/A C:\Users\Admin\AppData\Local\gv8B\SysResetErr.exe
PID 3428 wrote to memory of 3464 N/A N/A C:\Windows\system32\eudcedit.exe
PID 3428 wrote to memory of 3464 N/A N/A C:\Windows\system32\eudcedit.exe
PID 3428 wrote to memory of 4920 N/A N/A C:\Users\Admin\AppData\Local\AvqN\eudcedit.exe
PID 3428 wrote to memory of 4920 N/A N/A C:\Users\Admin\AppData\Local\AvqN\eudcedit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e6c4aa853ee3453ab12c34d5765c214.dll,#1

C:\Windows\system32\RdpSaUacHelper.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\rHrc\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\rHrc\RdpSaUacHelper.exe

C:\Windows\system32\SysResetErr.exe

C:\Windows\system32\SysResetErr.exe

C:\Users\Admin\AppData\Local\gv8B\SysResetErr.exe

C:\Users\Admin\AppData\Local\gv8B\SysResetErr.exe

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\AvqN\eudcedit.exe

C:\Users\Admin\AppData\Local\AvqN\eudcedit.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\rHrc\RdpSaUacHelper.exe

MD5 0d5b016ac7e7b6257c069e8bb40845de
SHA1 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA256 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512 cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

C:\Users\Admin\AppData\Local\rHrc\WINSTA.dll

MD5 2c93f7fccbc418819fc0e3905bcdc89a
SHA1 291ba7fe9c8bb5fa62c2a6260a88e64fc6d8af6c
SHA256 fe7ac648324326bcd05e8c9641265e695b5fd55c3c0ac9b611a88f7e6c771bc2
SHA512 2ad582fdc5932e0ff99ef5cc30ad002d09dfed58942fbd9d3144fe98d1c31825bd576af06dc2973f2e23e3a40eb48bf5a301f5f48869229cd72213db2c71fd75

C:\Users\Admin\AppData\Local\rHrc\WINSTA.dll

MD5 754b388b74d0e809a42bdb587a24b658
SHA1 469757213988c8a188bb66a52f9affb1f33be289
SHA256 8902a0eb8f5b71c4800bd8d8cba7d084d5d77ff61acc2b7c39d05ce6259a7f25
SHA512 c9eece234d819482e7c2804d8bf265bf1b5d30a409da0315703987e1280eab4242789f245fdc1d3e8f3eff7374dc9ef8b1af00151ce4322eca280346a0fc0a78

C:\Users\Admin\AppData\Local\gv8B\SysResetErr.exe

MD5 090c6f458d61b7ddbdcfa54e761b8b57
SHA1 c5a93e9d6eca4c3842156cc0262933b334113864
SHA256 a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd
SHA512 c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

C:\Users\Admin\AppData\Local\gv8B\DUI70.dll

MD5 3a5699a629bf158b7ec684c832f0d1a4
SHA1 d728dd0c7287b9822923d7db9ade71d5391d939d
SHA256 0ab636655eafad6d44e9c4edd9c604c9211a8a2d02d6fbcf9c0e4de8370b870f
SHA512 7575249ac07cc8eb05aa2c426ee7f95a696334a6bfeaf5fa145b984bb8ae7d41c8dad4f9d012882c7cba94dda5da3e5dbf87391be2d1ac0be93414a8af33a513

C:\Users\Admin\AppData\Local\gv8B\DUI70.dll

MD5 d16dfe5121fef6a73b9e6d356ffe480c
SHA1 e78b355e2d90b768d569a59cc5d4ee0328350841
SHA256 e0f3c336f277a8634efa1216999116535cdfc7641b4f5baac308128bf9d19537
SHA512 cd649d4d18beada5b3eb680e1d1c771b6b27d17ba2b1e83d2d6c1129a4335a7ebe7cab8393ab70dea1d9e32d988c5091028d0dac8621c695a07367d10899a424

C:\Users\Admin\AppData\Local\AvqN\eudcedit.exe

MD5 a9de6557179d371938fbe52511b551ce
SHA1 def460b4028788ded82dc55c36cb0df28599fd5f
SHA256 83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe
SHA512 5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

C:\Users\Admin\AppData\Local\AvqN\MFC42u.dll

MD5 b293b407543d13df26c1817b45e3b3d0
SHA1 80e4f302c2a1145cdf4cb492aaac8a0d22e25efa
SHA256 058fa5053d9ab2deb6460e79511940f253ce6cc4e48c4415435d57e7c325b06d
SHA512 08a4c921216c03ed738a64bfee22321b0d22fa1e7109873f45f0ae305600b6c0e09014ab4b11a25e7b65786a7cc57b0f6f29c9fc3a5c54288b26e83e8702900b

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 f6d55a93e9740ea54a4d36a46683ac27
SHA1 aa8852a97670b01e89ae02e684a2c1875e913321
SHA256 a697a3d34ca323f9d4eb5f0f84de005a838ad0285144b38f411005084f59d82b
SHA512 418d95e29caef0643a5e2b4b377463d48b5cf2f43ad7313c5a38931369fc4d324b34e68a2fdaf8e005c7643677fc97e64d288b4e6a27475546383b61d35d2f8d