Malware Analysis Report

2024-11-30 21:09

Sample ID: 231230-jw54hsfefm
Target: 12e3f7ee57ccd575d74bd82a5df0f7f2
SHA256: 59a49db98f488f92d86bcf0651a1c4845a25fa03b96fe3fe17f8a55e9f190b86
Tags: dridex botnet evasion payload trojan persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 59a49db98f488f92d86bcf0651a1c4845a25fa03b96fe3fe17f8a55e9f190b86

Threat Level: Known bad

The file 12e3f7ee57ccd575d74bd82a5df0f7f2 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2023-12-30 08:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-30 08:02
Reported: 2023-12-31 07:23
Platform: win7-20231215-en
Max time kernel: 40s
Max time network: 36s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\12e3f7ee57ccd575d74bd82a5df0f7f2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\1PMLVDY\Netplwiz.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\1PMLVDY\Netplwiz.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1PMLVDY\Netplwiz.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1260 wrote to memory of 2956 | N/A | N/A | C:\Windows\system32\Netplwiz.exe
PID 1260 wrote to memory of 2956 | N/A | N/A | C:\Windows\system32\Netplwiz.exe
PID 1260 wrote to memory of 2956 | N/A | N/A | C:\Windows\system32\Netplwiz.exe
PID 1260 wrote to memory of 2972 | N/A | N/A | C:\Users\Admin\AppData\Local\1PMLVDY\Netplwiz.exe
PID 1260 wrote to memory of 2972 | N/A | N/A | C:\Users\Admin\AppData\Local\1PMLVDY\Netplwiz.exe
PID 1260 wrote to memory of 2972 | N/A | N/A | C:\Users\Admin\AppData\Local\1PMLVDY\Netplwiz.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\12e3f7ee57ccd575d74bd82a5df0f7f2.dll,#1

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Users\Admin\AppData\Local\1PMLVDY\Netplwiz.exe

C:\Users\Admin\AppData\Local\1PMLVDY\Netplwiz.exe

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Users\Admin\AppData\Local\MuA5DorCo\TpmInit.exe

C:\Users\Admin\AppData\Local\MuA5DorCo\TpmInit.exe

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\Ke3Wqr\eudcedit.exe

C:\Users\Admin\AppData\Local\Ke3Wqr\eudcedit.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\1PMLVDY\NETPLWIZ.dll

C:\Users\Admin\AppData\Local\1PMLVDY\Netplwiz.exe

\Users\Admin\AppData\Local\1PMLVDY\NETPLWIZ.dll

\Users\Admin\AppData\Local\MuA5DorCo\TpmInit.exe

\Users\Admin\AppData\Local\MuA5DorCo\ACTIVEDS.dll

C:\Users\Admin\AppData\Local\MuA5DorCo\TpmInit.exe

C:\Users\Admin\AppData\Local\Ke3Wqr\MFC42u.dll

\Users\Admin\AppData\Local\Ke3Wqr\MFC42u.dll

C:\Users\Admin\AppData\Local\Ke3Wqr\eudcedit.exe

\Users\Admin\AppData\Local\Ke3Wqr\eudcedit.exe

C:\Users\Admin\AppData\Local\Ke3Wqr\eudcedit.exe

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\9LpaXR7\eudcedit.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\9LpaXR7\MFC42u.dll

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-30 08:02
Reported: 2023-12-31 07:20
Platform: win10v2004-20231215-en
Max time kernel: 152s
Max time network: 153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\12e3f7ee57ccd575d74bd82a5df0f7f2.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\RbIaB4Y4\\SystemSettingsAdminFlows.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\FPv8\Utilman.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\uAa7V\SystemSettingsAdminFlows.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\66R9Ru\AgentService.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3352 wrote to memory of 3492 | N/A | N/A | C:\Windows\system32\Utilman.exe
PID 3352 wrote to memory of 3492 | N/A | N/A | C:\Windows\system32\Utilman.exe
PID 3352 wrote to memory of 4084 | N/A | N/A | C:\Users\Admin\AppData\Local\FPv8\Utilman.exe
PID 3352 wrote to memory of 4084 | N/A | N/A | C:\Users\Admin\AppData\Local\FPv8\Utilman.exe
PID 3352 wrote to memory of 3456 | N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3352 wrote to memory of 3456 | N/A | N/A | C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3352 wrote to memory of 2528 | N/A | N/A | C:\Users\Admin\AppData\Local\uAa7V\SystemSettingsAdminFlows.exe
PID 3352 wrote to memory of 2528 | N/A | N/A | C:\Users\Admin\AppData\Local\uAa7V\SystemSettingsAdminFlows.exe
PID 3352 wrote to memory of 2488 | N/A | N/A | C:\Windows\system32\AgentService.exe
PID 3352 wrote to memory of 2488 | N/A | N/A | C:\Windows\system32\AgentService.exe
PID 3352 wrote to memory of 2680 | N/A | N/A | C:\Users\Admin\AppData\Local\66R9Ru\AgentService.exe
PID 3352 wrote to memory of 2680 | N/A | N/A | C:\Users\Admin\AppData\Local\66R9Ru\AgentService.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\12e3f7ee57ccd575d74bd82a5df0f7f2.dll,#1

C:\Windows\system32\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\uAa7V\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\uAa7V\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\FPv8\Utilman.exe

C:\Users\Admin\AppData\Local\FPv8\Utilman.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Users\Admin\AppData\Local\66R9Ru\AgentService.exe

C:\Users\Admin\AppData\Local\66R9Ru\AgentService.exe

Network

Files

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\UnW0qLAd4\DUI70.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\RbIaB4Y4\newdev.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\8EAyg9k\VERSION.dll
