Malware Analysis Report

2024-11-30 21:15

Sample ID: 231230-fje5sabdf6
Target: 0f2a6647e91d05a44aad4c4062a4d73c
SHA256: 9ffd0ac05d13744074cb2f6b94d51655e5d5a08e0043f27c7400fdd5fe887cce
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 9ffd0ac05d13744074cb2f6b94d51655e5d5a08e0043f27c7400fdd5fe887cce

Threat Level: Known bad

The file 0f2a6647e91d05a44aad4c4062a4d73c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 04:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 04:53

Reported

2023-12-31 22:58

Platform

win7-20231215-en

Max time kernel

200s

Max time network

40s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f2a6647e91d05a44aad4c4062a4d73c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Extensions\\HvnvNNEl\\SystemPropertiesProtection.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1244 wrote to memory of 432 | N/A | N/A | C:\Windows\system32\p2phost.exe
PID 1244 wrote to memory of 432 | N/A | N/A | C:\Windows\system32\p2phost.exe
PID 1244 wrote to memory of 432 | N/A | N/A | C:\Windows\system32\p2phost.exe
PID 1244 wrote to memory of 2552 | N/A | N/A | C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe
PID 1244 wrote to memory of 2552 | N/A | N/A | C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe
PID 1244 wrote to memory of 2552 | N/A | N/A | C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe
PID 1244 wrote to memory of 1144 | N/A | N/A | C:\Windows\system32\SystemPropertiesProtection.exe
PID 1244 wrote to memory of 1144 | N/A | N/A | C:\Windows\system32\SystemPropertiesProtection.exe
PID 1244 wrote to memory of 1144 | N/A | N/A | C:\Windows\system32\SystemPropertiesProtection.exe
PID 1244 wrote to memory of 2132 | N/A | N/A | C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe
PID 1244 wrote to memory of 2132 | N/A | N/A | C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe
PID 1244 wrote to memory of 2132 | N/A | N/A | C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe
PID 1244 wrote to memory of 1408 | N/A | N/A | C:\Windows\system32\fvenotify.exe
PID 1244 wrote to memory of 1408 | N/A | N/A | C:\Windows\system32\fvenotify.exe
PID 1244 wrote to memory of 1408 | N/A | N/A | C:\Windows\system32\fvenotify.exe
PID 1244 wrote to memory of 1540 | N/A | N/A | C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe
PID 1244 wrote to memory of 1540 | N/A | N/A | C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe
PID 1244 wrote to memory of 1540 | N/A | N/A | C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f2a6647e91d05a44aad4c4062a4d73c.dll,#1

C:\Windows\system32\p2phost.exe

C:\Windows\system32\p2phost.exe

C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe

C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe

C:\Windows\system32\fvenotify.exe

C:\Windows\system32\fvenotify.exe

C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe

C:\Users\Admin\AppData\Local\O6w3\fvenotify.exe

Network

N/A

Files

memory/2676-0-0x00000000006B0000-0x00000000006B7000-memory.dmp

memory/2676-1-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-4-0x0000000076FC6000-0x0000000076FC7000-memory.dmp

memory/1244-5-0x0000000002690000-0x0000000002691000-memory.dmp

memory/2676-8-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-15-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-18-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-20-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-25-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-27-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-30-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-33-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-38-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-42-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-48-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-50-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-49-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-51-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-52-0x0000000002670000-0x0000000002677000-memory.dmp

memory/1244-47-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-46-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-45-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-44-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-43-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-41-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-59-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-60-0x00000000770D1000-0x00000000770D2000-memory.dmp

memory/1244-61-0x0000000077230000-0x0000000077232000-memory.dmp

memory/1244-40-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-39-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-37-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-36-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-35-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-34-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-32-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-31-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-29-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-28-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-26-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-24-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-23-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-22-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-21-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-19-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-17-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-16-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-14-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-13-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-12-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-11-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-10-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-9-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-7-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-70-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/1244-75-0x0000000140000000-0x00000001401D1000-memory.dmp

C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe

MD5 a6862c047107693aedfc41d41a58f0d2
SHA1 9d2a83b7e1c2b3e82a3869da0735115771f830f7
SHA256 4418457f41dac23099b00039a8f4318862b1f55953ab978656a8dae6d3b1daeb
SHA512 310489128111cc4eb81448a15f5bbd5f9caf68e598082f1343436d84e999f0757b54585b6876d32392aa2bc7091758e3e27dcf0dcec0aa691924174f94533208

C:\Users\Admin\AppData\Local\JgtNew1\P2PCOLLAB.dll

MD5 dee2a7275177bf5047d87335d1ec9c4d
SHA1 5e92745a17e18a96adca2b7f25eb69e2625bfa35
SHA256 30d7e2d020dad5d79ee615059f245b98017217639650f06f41e03dc0c2865458
SHA512 4859e02de5bf7bbd68fdecd3dd4669a382e382bfd6dd76d152de35af0c94672456f2c186c0fde6045d2d76b877a4729bd1f39d3a189b5d9a38dd1c217a38d65b

\Users\Admin\AppData\Local\JgtNew1\p2phost.exe

MD5 23dc3fbdc43b88775ce0bc1e1cb4f72a
SHA1 eb0d1d23364c371dfd299460f5f0aa97bd983774
SHA256 d475a9019d7acbdd50bb1cace4d77e68b5be37115867ffdbf3d43fd0007256cd
SHA512 3375c36a85f64647552833004970ac1f69505384d94f6f444aa4be5310522f7eee881124fa94ba3ce724cafb4afc8f9105b1d50b88671d46836aa9c2c097ebfa

memory/1244-87-0x0000000076FC6000-0x0000000076FC7000-memory.dmp

memory/2552-89-0x0000000000200000-0x0000000000207000-memory.dmp

\Users\Admin\AppData\Local\JgtNew1\P2PCOLLAB.dll

MD5 0802826b4653e96e35bcbbc832e65c60
SHA1 a47d52c9d1456f55e6345232a2343b0107fa239e
SHA256 e2fe6673a18f0c204f669b70337f610de3db1fcc1bfdbeebb214de57fb780e21
SHA512 98cbc9cbb87700b4772df3ef9e685d14ca6f6cf8ddfe7604ea4808ca7cddcccbc7da87aa07782952d30a4791af6ed0ac077357f724b5b38340689eb472ab4f30

C:\Users\Admin\AppData\Local\JgtNew1\p2phost.exe

MD5 04c478751e41006d9cedb9dec78187f8
SHA1 eacf21af3e895ef671fc05b3bcd2224de0a64ea4
SHA256 36c01c8e27cd92518e63720412458b1a453f79433beca2d591c6849b1658019f
SHA512 78e973189f923694254617f100d893bfff4e0f68644d6737dbdf7053f31b75e44c078238f78cd7d5c3b2d283ac5ae09c110c366c53af3ae418ed440215149221

C:\Users\Admin\AppData\Local\sRUBS\SystemPropertiesProtection.exe

MD5 05138d8f952d3fff1362f7c50158bc38
SHA1 780bc59fcddf06a7494d09771b8340acffdcc720
SHA256 753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd
SHA512 27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

C:\Users\Admin\AppData\Local\sRUBS\SYSDM.CPL

MD5 d5f2fc851fdaa9201aa8ad194643e268
SHA1 fd5a41d0144d93515e63400224013b180388e559
SHA256 c0f07c24b82bab53e0af94f54f167f5920cdf8842df3742fcd0a95a298b9493b
SHA512 bd8ced7fd4c1cdae60214fe5d7b2d94a51f51f070b6130e7e5b46be9a1a0f31baefcde7a533e26690faa7aa71220ace351401c66f4973cb383994ecc118e6dc2

memory/2132-123-0x0000000000080000-0x0000000000087000-memory.dmp

\Users\Admin\AppData\Local\O6w3\fvenotify.exe

MD5 e61d644998e07c02f0999388808ac109
SHA1 183130ad81ff4c7997582a484e759bf7769592d6
SHA256 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
SHA512 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

C:\Users\Admin\AppData\Local\O6w3\slc.dll

MD5 d364e4db7c5ec9195b5a1f631cd31a5c
SHA1 7a6b8678cb7a1c710ba15f1fa5ceb2077c8e9511
SHA256 cb020ba0ae18f80a718185503344c1507b475ce4778eb12be3fe8e16e3c7a33a
SHA512 4dd926a843f8a587bbce0794b549671424be91fa3db9e27b2d7c1c4ef9103cea5c5400b85a896792ea367906acdf60bc6a7616e59bc6b7a453f69e2e250b311a

memory/1540-141-0x00000000000C0000-0x00000000000C7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 1cdd4facb9d944b68633c2f194d576f5
SHA1 1dad729e2318de7c3187c4923456b90291dbd218
SHA256 ed315c2f89a9b3589b31c084d18dbf3e620b43821096e5f92aefa05bd39bbcf5
SHA512 652923795e5c13a07199eb258560499edad79feac4636f3b7bba4142bae5aa37afc9f491885c85a41c6c8db0c6f99e73e27db0ca82dea1f5da2bd094e70f4665

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\O7RKY4WqK\P2PCOLLAB.dll

MD5 76d4919238affd444966cfb447d3de23
SHA1 a2096a95e79069de82aac2c82aacbdc7aba564f3
SHA256 a822ecf2a8966e5df9934f06bbb6fd7968669f856d9a9a0d353c84f4ffe26ac7
SHA512 2edce51d24c91dec8f85a4bba5c665bf5603f0b28b9a49d3d4d57a038a6425b1c84ed28e6f4c5803080df57afd1abb887cb1a9049850ae96fbcf063717793b9c

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 04:53

Reported

2023-12-31 22:57

Platform

win10v2004-20231215-en

Max time kernel

88s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f2a6647e91d05a44aad4c4062a4d73c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\WINDOW~1\\YELKF9~1\\SYSTEM~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3452 wrote to memory of 948 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 3452 wrote to memory of 948 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 3452 wrote to memory of 4464 | N/A | N/A | C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe
PID 3452 wrote to memory of 4464 | N/A | N/A | C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe
PID 3452 wrote to memory of 4060 | N/A | N/A | C:\Windows\system32\systemreset.exe
PID 3452 wrote to memory of 4060 | N/A | N/A | C:\Windows\system32\systemreset.exe
PID 3452 wrote to memory of 2280 | N/A | N/A | C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe
PID 3452 wrote to memory of 2280 | N/A | N/A | C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe
PID 3452 wrote to memory of 3596 | N/A | N/A | C:\Windows\system32\FileHistory.exe
PID 3452 wrote to memory of 3596 | N/A | N/A | C:\Windows\system32\FileHistory.exe
PID 3452 wrote to memory of 868 | N/A | N/A | C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe
PID 3452 wrote to memory of 868 | N/A | N/A | C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f2a6647e91d05a44aad4c4062a4d73c.dll,#1

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe

C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe

C:\Windows\system32\systemreset.exe

C:\Windows\system32\systemreset.exe

C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe

C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe

C:\Windows\system32\FileHistory.exe

C:\Windows\system32\FileHistory.exe

C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe

C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 |  | udp
US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp

Files

memory/4936-1-0x0000023E85110000-0x0000023E85117000-memory.dmp

memory/4936-0-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-4-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/3452-6-0x00007FF93B85A000-0x00007FF93B85B000-memory.dmp

memory/3452-8-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-9-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-10-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-11-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-13-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-12-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-15-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-14-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/4936-7-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-16-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-17-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-18-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-19-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-22-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-23-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-24-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-25-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-26-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-21-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-20-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-28-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-30-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-33-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-32-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-31-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-29-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-37-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-39-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-40-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-43-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-45-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-46-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-47-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-48-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-49-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-52-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-51-0x0000000000DE0000-0x0000000000DE7000-memory.dmp

memory/3452-50-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-44-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-42-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-59-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-41-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-38-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-63-0x00007FF93BC80000-0x00007FF93BC90000-memory.dmp

memory/3452-36-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-69-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-71-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-35-0x0000000140000000-0x00000001401D1000-memory.dmp

memory/3452-34-0x0000000140000000-0x00000001401D1000-memory.dmp

C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe

MD5 b066236196d54182b3c7eec85f3613ce
SHA1 7a5d9c1f4efd9d678fa3c405ffdd121979f56daa
SHA256 fec73ca5cafdc07a1a251422717f398f8ae6c243c4b4ade8c9eed4de4f22a3e7
SHA512 de86d5b5f175f39fe0de4440595f6f5463f10df7e1e7c65b51d607dc3f0332bb9c56a3fed22c7462e320dcb755c9fc79e2fe984549a1e62a108ce67cb8546523

memory/3452-27-0x0000000140000000-0x00000001401D1000-memory.dmp

C:\Users\Admin\AppData\Local\LX4DP5\WINMM.dll

MD5 a3163da5627e5b28470e43ee48395348
SHA1 833722176ae345480a799c9d38327719c2d346cc
SHA256 4692377b2dc7a2b9f5ba0a2455e962a34a9e05cad2435e80865bfa4d551736d7
SHA512 0a0b4ade48b546c15c7a2cf7f74be35bcb70ee214df383b998bed3d53156fd850897080764837607c3977f682a08ec5de3e3af34dd38e52f664e3e0cdfb21dd9

memory/4464-81-0x0000000140000000-0x00000001401D3000-memory.dmp

memory/4464-80-0x0000021E75540000-0x0000021E75547000-memory.dmp

C:\Users\Admin\AppData\Local\LX4DP5\WINMM.dll

MD5 b0f636dcf44d67fb27f9ff791b5189ab
SHA1 e1135ce92280914fa1c4cdb24812eb8b8fd74f90
SHA256 828a1a13b1ea52c4e7eb7c96a1932702a4a01b8c469df613fe305a55c84cf5fa
SHA512 fd0374b2c23116a7f2518c687b04482aee0dc28be43f0e40d4bef3c0d273b61ccee4632643b1451205e956117ca43b200ed1fbf9aa7f77d010c2dfd3c72b47a3

C:\Users\Admin\AppData\Local\LX4DP5\PresentationSettings.exe

MD5 1d5006a3b0934a808323bf1925992e00
SHA1 ea965ef787f93c47aba18cc3e1263e91c0fce813
SHA256 28028ac82cd8517efcaf7700efd5c93652fdadbba241db3e5b1c8b759a17212d
SHA512 cc25d01b55318393590948977a254a79ad0e214deea571b4cf6c5668ec3ff9693fad0fdab551ab8a99cd56f56d57d0fc91b2f26ecdeab091f4ae870a3d5b8a94

C:\Users\Admin\AppData\Local\KpIiS50\ReAgent.dll

MD5 37b0e1cf9142423e9a8672e8e6a2f945
SHA1 db73bfefa3b8e16dfab5d8be2459bc4279b11605
SHA256 415198ba960aa0ceb6a1ee2edd52e48d7f17ca6a4666826e4ef73cd7a790b544
SHA512 d72d26873b54b4cd90382092b0116b0bd9c55c0f223d4f6c8c7134029030e1e32627e6e05f82be4e28a2f0729b5312e6cedf90c971ab60d7dec91ab54466354b

C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe

MD5 a9c462fa1e0fa77ed85d5d08d34a8e7b
SHA1 c6cc0276edfc39729fd57058aa16ea017ce84cf9
SHA256 2f48f46e049426886362b927cd81f59b8ebfedef7670fe8901f3e1b58f2339d2
SHA512 6b3deb328cd1db6ab872188afaf46cd38e9adb47d6637272dd8749566e7e9d6887c1197b3f62aac7e5b9c45176bd46fc83f5f4e52951a019c637097bc152658b

C:\Users\Admin\AppData\Local\KpIiS50\ReAgent.dll

MD5 e8ff9cb98b675aa73469d5c8d87806ee
SHA1 bdcd1389028e4dce77937390551687e77b2a0692
SHA256 39198f9c19fc6bb1883f20483bd5c0857ec46e9e4f97fec8d9b752a3a8b2bd1d
SHA512 662f784a8e915eba142250797daf69b1480d9812886a120293bc243c08da9354373661776059767b03ab063ce6a62e1f4a7db88f46cbd47e5ff7c424d1342cc2

memory/2280-97-0x0000024409BF0000-0x0000024409BF7000-memory.dmp

C:\Users\Admin\AppData\Local\KpIiS50\systemreset.exe

MD5 10c2dde33ee9206f99def1eef6a42e82
SHA1 321887de6ab040a93bbc481633e9c150fd4a3e3e
SHA256 adb1d0320d66d7b213bf18d4438eeb5e55518cc5116d158633b68406876167d6
SHA512 b07a9783b288ff996ddca65a289ecf2dd372907e189823b261203550c52f9f18d6e3c36aff5a0be7b22c3cb2e4b1ed99d2e9c5589adccaad2bd041beb21fcb96

C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe

MD5 53f8ce170f30e18ba604ef15f3a16420
SHA1 a0ac3c5129a1a3fc26016da14d3af085e02127a2
SHA256 7bccaa7f87c643c4f6a9877dc326bc9f41cbaa801e7318ba309ac912dbfc0c62
SHA512 40d064f88587564593c94995a3447119788f4d9692c6bc428b7cdf99f4196d9c83973db65e36c8659ea1f645b3450785a3498de39dbf157b5f582b95538cfae7

C:\Users\Admin\AppData\Local\onQTRAc4\UxTheme.dll

MD5 b583faa0d469e26f7c6d878021b5be56
SHA1 49baaeb43d24c3bb54437127a7e0abd1caa15993
SHA256 e42d1cdf4063a87b668c54648d5cb50734039f21f1b1c10d43e37cce9da1570e
SHA512 01ae84f3bbc6257aa49dcac463ff73988671934913f88d41a461e8816f7526774b73961e9770d44943efbd660cc87ef447e4b0894513fd939ba6e95af1bb9b93

C:\Users\Admin\AppData\Local\onQTRAc4\UxTheme.dll

MD5 26871b457d1290e5c5c2130679bfac49
SHA1 c8943d2a5fb4f007e404702b3cd89ce7645cb2e4
SHA256 49b83d98694609b587d43aa34f032df8d94ddb1104f1bf4d0131e7272538e61e
SHA512 b542f93b167770767cdc69f6fa1543fc98b9d443f1a2b34828f02b3d20e99ecf6b3f5d73f67fc8e0e6baaa5e307a441747a62e74f09fb0ba493819b7da519834

memory/868-115-0x000002385A2D0000-0x000002385A2D7000-memory.dmp

C:\Users\Admin\AppData\Local\onQTRAc4\FileHistory.exe

MD5 64c94bb19eac8f660a54955de4d5bedb
SHA1 078315d690daf2b0905409fd7e3ca330f853ee75
SHA256 6202f6ec67234622217fb4c3c6e54bf03638c9f4747806063e2f044821e2c803
SHA512 553ee7493c8350e1df2efbeceab5ca6253331b5b353678cfe4aedab69f74b251905d80331619b66919156de6168caa718fbaa2dcb9018a5e15348ff6f320f8bb

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

MD5 d6b10746024c6551d7ed9cb8a6da26ba
SHA1 e0d5fc78bd26a292d54d3f409af4e42117ed3d27
SHA256 576675245248aac994f19f203b41633c12680d50e617f7c94500f694525a3583
SHA512 f8b8b3e5fc4c7754591f2a65cdc596b2b51b19582c46064107f1135ab37666b9f1bf4327d1734ecb00e9610f0f94a43e712eca288713b2fc9a4c9f9f2199da15

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\FU3enpE2\WINMM.dll

MD5 7f902e047a6e7caa5f19e3384fe006a9
SHA1 6e1934904ece222f9914261b6959c158b91301d6
SHA256 43985b0617a5b47a9d7d70008c262b336ec3a106290265adb63280b2d715d206
SHA512 3f4423f7e7a3bbad0afc3209a3d6fdb94a8a49cdb54bb6db600cddf550cce99a0fb6d401cfedf77af50bbea6d3140867ba8ce7655abd6bb2a9af77c0ad6b4706

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\YelKF9RFef\ReAgent.dll

MD5 4d3463cedc1f6295a8b5ac4c141a5360
SHA1 ba906cf8c09dd3a552d77a2c2da7c3a05188a3a6
SHA256 e531b49bd5e1626abdadd23d9544dbf50a54d2eda19497632666857f3cc77f4e
SHA512 739ac71401566bb49acedd171e543564a1f96c941cdc2c1580120366b27d40c8cd26f22980fa1fda23d881f3bc6fc0b460a4f46ab1d530504656895f22eb0c09

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\HFNKA\UxTheme.dll

MD5 730af7c9946dd4338bc04066c810de47
SHA1 11683e614b271a1f48363afa5db3c379d54c2419
SHA256 76bafc5a7d3638badba324f57857df10d7bb39f04620cc4b65f6af1e8c2e61e6
SHA512 7be694c34eb51dba27e79d05532e58a24694d867001ad14ce9ea4a92ad8de3dcace9c4b0e709d12194d07af13cf4f2b0962b705497da20a526d1c51dd2bde055