Malware Analysis Report

2024-11-30 21:21

Sample ID 231230-ff4nzaagf2
Target 0f0d1dda6227706e8d61177dffa5cbdf
SHA256 45fc0a1d1213cb8479f0ec7f3e2aa552411c2c4da173ed0aaef5c56e207e515c
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

45fc0a1d1213cb8479f0ec7f3e2aa552411c2c4da173ed0aaef5c56e207e515c

Threat Level: Known bad

The file 0f0d1dda6227706e8d61177dffa5cbdf was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 04:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 04:49

Reported

2023-12-31 22:14

Platform

win7-20231215-en

Max time kernel

151s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f0d1dda6227706e8d61177dffa5cbdf.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\g5N\cmstp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ley\Netplwiz.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\g5N\cmstp.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\ley\Netplwiz.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ogMPsei\\sdclt.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\g5N\cmstp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ley\Netplwiz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows with every field N/A omitted)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 2648 N/A N/A C:\Windows\system32\cmstp.exe
PID 1256 wrote to memory of 2648 N/A N/A C:\Windows\system32\cmstp.exe
PID 1256 wrote to memory of 2648 N/A N/A C:\Windows\system32\cmstp.exe
PID 1256 wrote to memory of 2040 N/A N/A C:\Users\Admin\AppData\Local\g5N\cmstp.exe
PID 1256 wrote to memory of 2040 N/A N/A C:\Users\Admin\AppData\Local\g5N\cmstp.exe
PID 1256 wrote to memory of 2040 N/A N/A C:\Users\Admin\AppData\Local\g5N\cmstp.exe
PID 1256 wrote to memory of 792 N/A N/A C:\Windows\system32\sdclt.exe
PID 1256 wrote to memory of 792 N/A N/A C:\Windows\system32\sdclt.exe
PID 1256 wrote to memory of 792 N/A N/A C:\Windows\system32\sdclt.exe
PID 1256 wrote to memory of 980 N/A N/A C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe
PID 1256 wrote to memory of 980 N/A N/A C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe
PID 1256 wrote to memory of 980 N/A N/A C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe
PID 1256 wrote to memory of 2808 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1256 wrote to memory of 2808 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1256 wrote to memory of 2808 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1256 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\ley\Netplwiz.exe
PID 1256 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\ley\Netplwiz.exe
PID 1256 wrote to memory of 2820 N/A N/A C:\Users\Admin\AppData\Local\ley\Netplwiz.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f0d1dda6227706e8d61177dffa5cbdf.dll,#1

C:\Users\Admin\AppData\Local\g5N\cmstp.exe

C:\Users\Admin\AppData\Local\g5N\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe

C:\Users\Admin\AppData\Local\0ZzP\sdclt.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Users\Admin\AppData\Local\ley\Netplwiz.exe

C:\Users\Admin\AppData\Local\ley\Netplwiz.exe

Network

N/A

Files

memory/1068-0-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1068-1-0x0000000001AC0000-0x0000000001AC7000-memory.dmp

memory/1256-4-0x0000000077706000-0x0000000077707000-memory.dmp

memory/1256-5-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/1256-8-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-9-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-12-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-15-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-17-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-19-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-20-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-21-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-24-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-26-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-27-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-28-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-25-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-30-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-31-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-35-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-37-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-36-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-39-0x0000000002AA0000-0x0000000002AA7000-memory.dmp

memory/1256-34-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-33-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-32-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-29-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-45-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-46-0x0000000077911000-0x0000000077912000-memory.dmp

memory/1256-47-0x0000000077A70000-0x0000000077A72000-memory.dmp

memory/1256-23-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-22-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-18-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-16-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-14-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-13-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-11-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-10-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1068-7-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-56-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-62-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/1256-66-0x0000000140000000-0x00000001401F5000-memory.dmp

C:\Users\Admin\AppData\Local\g5N\cmstp.exe

MD5 74c6da5522f420c394ae34b2d3d677e3
SHA1 ba135738ef1fb2f4c2c6c610be2c4e855a526668
SHA256 51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6
SHA512 bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

\Users\Admin\AppData\Local\g5N\cmstp.exe

MD5 f3fa89d3e65cf09838afc7f0acace8be
SHA1 a6ecc88348c2fce6efe4905fdda2581accd129be
SHA256 af52bcb97910c553d71c0063d25bd6916d840ce5930a430be582b15734033b3d
SHA512 aa290ed03685d62e1397b4747a265bb4bb62f6671dc80156ff00b0647d7d0e34003bf36d9da452c1dca655af4067c14a7e5edb6b73be8f06eeb5fe7c937c75a3

\Users\Admin\AppData\Local\g5N\VERSION.dll

MD5 c2b80ad57b6e05cb2004a238c815b88c
SHA1 79ed45379325cbd3e5ac608b38a0fb123362c424
SHA256 101a36b8edca6e4839befb4cae816f155d1addf78cadb87643d35e0767973b16
SHA512 b5d156dff9348d8a198a5ceb7f6fcbad91fa73c5b437f3757d0ea440bc6e8dc3203adfa596acb00d21a783baed54c00c03f5b8cb2aa5350fa290c29899cb3b6a

C:\Users\Admin\AppData\Local\g5N\VERSION.dll

MD5 aaee53093494f1bbb8233fe99ebdb417
SHA1 ce44088be02bc476cd1242df6744038b2bcdf943
SHA256 a60429397d79acb802a98f9168d799ae43743accacb8582b08b92fa6b568efd1
SHA512 d80159375cc96fb82f0e1c8f727891b4ddfa61d5fc7a2c6fc391dfdc6f5350c40c9a0eb56b076d329e7d0f173072c6e9c372b354bbc99d5c231e5670dbb46e4c

memory/2040-74-0x0000000000410000-0x0000000000417000-memory.dmp

memory/2040-75-0x0000000140000000-0x00000001401F6000-memory.dmp

memory/2040-100-0x0000000140000000-0x00000001401F6000-memory.dmp

memory/1256-101-0x0000000077706000-0x0000000077707000-memory.dmp

\Users\Admin\AppData\Local\0ZzP\sdclt.exe

MD5 cdebd55ffbda3889aa2a8ce52b9dc097
SHA1 4b3cbfff5e57fa0cb058e93e445e3851063646cf
SHA256 61bd24487c389fc2b939ce000721677cc173bde0edcafccff81069bbd9987bfd
SHA512 2af69742e90d3478ae0a770b2630bfdc469077311c1f755f941825399b9a411e3d8d124126f59b01049456cddc01b237a3114847f1fe53f9e7d1a97e4ba36f13

C:\Users\Admin\AppData\Local\0ZzP\ReAgent.dll

MD5 c375dc2a3768cb99421ab8009e5a6699
SHA1 df853ecbe4e5812db67fec750b1f7f432e1dcc6c
SHA256 c4cb7130a748e1b108bb0c807314d8c1a457a32cf0687f2bceef9c9463862e98
SHA512 0629ca8832d5281eb4b2abf50343337e6cec246a9bfb467504b47b82bace75df4c708ef19e6c25170e1702372a7a3d45fd5d494dea6912e2542271b6802e4479

memory/980-109-0x0000000000090000-0x0000000000097000-memory.dmp

memory/980-115-0x0000000140000000-0x00000001401F6000-memory.dmp

\Users\Admin\AppData\Local\ley\Netplwiz.exe

MD5 e43ec3c800d4c0716613392e81fba1d9
SHA1 37de6a235e978ecf3bb0fc2c864016c5b0134348
SHA256 636606415a85a16a7e6c5c8fcbdf35494991bce1c37dfc19c75ecb7ce12dc65c
SHA512 176c6d8b87bc5a9ca06698e2542ff34d474bcbbf21278390127981366eda89769bd9dd712f3b34f4dd8332a0b40ee0e609276400f16b51999471c8ff24522a08

C:\Users\Admin\AppData\Local\ley\NETPLWIZ.dll

MD5 ef4ffd6950c4fff0a7f71f564a096857
SHA1 a0bd5e65f03b1dc48f704a06227bbf41f65184ab
SHA256 c80523149e07e04e5052c5ddac46d8730a9ce2a057586774d18283b30fcb41e2
SHA512 bb114ae80403735a04f51066fb4e54f64700ef1533c8dfae3bd60567e0f3b0c6f7d402b57eac424b216fee7a80e7c1a143194a27be1e3ed80595ce4476d0da3f

memory/2820-127-0x0000000000270000-0x0000000000277000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 a70226623783e80cc4074895ffaf4ab9
SHA1 54039c6b4c4cf692bb42fda2a3600eebf3c26ba8
SHA256 f11454346f890f2d5c3d5723976936eb37c11cb2a169785e2bfbe8abde335589
SHA512 629d27c9919586766c688b36331c3b3f9948203596adfa76dbd18e2e5f8a89e5c4704f47f787b7628ac42238c8c559f89f361ba84a47523a5f281bd8c49ba335

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\nKfLfH631FK\VERSION.dll

MD5 a21b763c5826a6a37e6e680ba9970054
SHA1 97d4f1965ccae05d145ac26e91b663bdf70141bb
SHA256 a468cff080e1b61c14f6aa7d7e555ee69b3faf20ffc324d00edbb7d5d422ab2a
SHA512 8c24edd2deca2dd7a9ffc90e472b55e72127725546ba6a7baaaf0a0d254f20334ce1cbb62db09e2a3eed70073c9b8a0307a42c419647cf53183b7d6a66cbec3c

C:\Users\Admin\AppData\Roaming\Identities\ogMPsei\ReAgent.dll

MD5 cc4ccc6390c80bc943b79c0bbc049193
SHA1 8a374a5337ac3561c30161901420a76c6f05aa93
SHA256 2ca87e4dacb260aed051758463f6ef8b1738f0e07b897db8b9e919009f50f140
SHA512 77b7f2beb215ade147899ec7bfc8bb3cb7f959d7d35725fa2d11ad86ac668f11726565d76869b4eec84641afbb59bad33fd45a0b05c53cebea21f1f50f292210

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 04:49

Reported

2023-12-31 22:14

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f0d1dda6227706e8d61177dffa5cbdf.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\x9UJwYU9F62\\phoneactivate.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7WUxNu\LockScreenContentServer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\vZB5tLRp\phoneactivate.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\MiK5ZBTE\mmc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows with every field N/A omitted)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3496 wrote to memory of 4656 N/A N/A C:\Windows\system32\LockScreenContentServer.exe
PID 3496 wrote to memory of 4656 N/A N/A C:\Windows\system32\LockScreenContentServer.exe
PID 3496 wrote to memory of 588 N/A N/A C:\Users\Admin\AppData\Local\7WUxNu\LockScreenContentServer.exe
PID 3496 wrote to memory of 588 N/A N/A C:\Users\Admin\AppData\Local\7WUxNu\LockScreenContentServer.exe
PID 3496 wrote to memory of 1912 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3496 wrote to memory of 1912 N/A N/A C:\Windows\system32\phoneactivate.exe
PID 3496 wrote to memory of 2320 N/A N/A C:\Users\Admin\AppData\Local\vZB5tLRp\phoneactivate.exe
PID 3496 wrote to memory of 2320 N/A N/A C:\Users\Admin\AppData\Local\vZB5tLRp\phoneactivate.exe
PID 3496 wrote to memory of 4528 N/A N/A C:\Windows\system32\mmc.exe
PID 3496 wrote to memory of 4528 N/A N/A C:\Windows\system32\mmc.exe
PID 3496 wrote to memory of 5040 N/A N/A C:\Users\Admin\AppData\Local\MiK5ZBTE\mmc.exe
PID 3496 wrote to memory of 5040 N/A N/A C:\Users\Admin\AppData\Local\MiK5ZBTE\mmc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f0d1dda6227706e8d61177dffa5cbdf.dll,#1

C:\Windows\system32\LockScreenContentServer.exe

C:\Windows\system32\LockScreenContentServer.exe

C:\Windows\system32\phoneactivate.exe

C:\Windows\system32\phoneactivate.exe

C:\Users\Admin\AppData\Local\7WUxNu\LockScreenContentServer.exe

C:\Users\Admin\AppData\Local\7WUxNu\LockScreenContentServer.exe

C:\Windows\system32\mmc.exe

C:\Windows\system32\mmc.exe

C:\Users\Admin\AppData\Local\MiK5ZBTE\mmc.exe

C:\Users\Admin\AppData\Local\MiK5ZBTE\mmc.exe

C:\Users\Admin\AppData\Local\vZB5tLRp\phoneactivate.exe

C:\Users\Admin\AppData\Local\vZB5tLRp\phoneactivate.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 18.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
GB 96.17.178.174:80 - tcp
GB 96.17.178.174:80 - tcp
GB 96.17.178.174:80 - tcp
GB 96.17.178.174:80 - tcp
US 204.79.197.200:443 - tcp
US 204.79.197.200:443 - tcp
GB 96.17.178.174:80 - tcp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
GB 88.221.135.217:80 - tcp
(- marks a connection for which no domain was recorded)

Files

memory/3952-0-0x00000184CC9E0000-0x00000184CC9E7000-memory.dmp

memory/3952-1-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-4-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

memory/3496-6-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3952-7-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-9-0x00007FFB6724A000-0x00007FFB6724B000-memory.dmp

memory/3496-10-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-11-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-8-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-14-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-18-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-21-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-26-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-27-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-28-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-30-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-36-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-38-0x0000000006BB0000-0x0000000006BB7000-memory.dmp

memory/3496-37-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-35-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-45-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-55-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-57-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-46-0x00007FFB68DE0000-0x00007FFB68DF0000-memory.dmp

memory/3496-34-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-33-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/588-68-0x0000028232E30000-0x0000028232E37000-memory.dmp

memory/588-72-0x0000000140000000-0x000000014023B000-memory.dmp

memory/588-66-0x0000000140000000-0x000000014023B000-memory.dmp

memory/3496-32-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-31-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/2320-83-0x000001D24F430000-0x000001D24F437000-memory.dmp

memory/2320-89-0x0000000140000000-0x000000014023B000-memory.dmp

memory/5040-101-0x0000000140000000-0x00000001401F6000-memory.dmp

memory/5040-105-0x0000000140000000-0x00000001401F6000-memory.dmp

memory/5040-103-0x00000000029D0000-0x00000000029D7000-memory.dmp

memory/3496-29-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-24-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-25-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-23-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-22-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-20-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-19-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-17-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-16-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-15-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-13-0x0000000140000000-0x00000001401F5000-memory.dmp

memory/3496-12-0x0000000140000000-0x00000001401F5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\39\UxTheme.dll

MD5 3fb37605b0247604d9ddf3e83db67f34
SHA1 78d5e7a46ef0f01de9a0c360de8cc120a8ab8eff
SHA256 7d54c6ca2cb78a0adb0f76fdf863064e0b0c4f3ab3135d6f119977f873dd0663
SHA512 fb104657844778c97b4d908e821163bf34fd0ee5e604ff2ae46ab06e03a1d6f0c14e1fc0fe364003c2dba78fdc0671f88dc22767ecb720e9c531bcdb9d81e4c9