Analysis Overview
SHA256
8ebd61a2a0c4892b5c8cd12bfe9e461fc9b289d20450e3d93291fb0e4ab146f4
Threat Level: Known bad
The file 14c1ebb77518e40dfd55948e33030b1a was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-30 09:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 09:41
Reported
2023-12-31 10:53
Platform
win7-20231215-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\gL3\msinfo32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\gL3\msinfo32.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\m6U\\cmstp.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\gL3\msinfo32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1248 wrote to memory of 780 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 1248 wrote to memory of 780 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 1248 wrote to memory of 780 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 1248 wrote to memory of 1168 | N/A | N/A | C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe |
| PID 1248 wrote to memory of 1168 | N/A | N/A | C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe |
| PID 1248 wrote to memory of 1168 | N/A | N/A | C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe |
| PID 1248 wrote to memory of 1956 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1248 wrote to memory of 1956 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1248 wrote to memory of 1956 | N/A | N/A | C:\Windows\system32\cmstp.exe |
| PID 1248 wrote to memory of 1440 | N/A | N/A | C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe |
| PID 1248 wrote to memory of 1440 | N/A | N/A | C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe |
| PID 1248 wrote to memory of 1440 | N/A | N/A | C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe |
| PID 1248 wrote to memory of 1536 | N/A | N/A | C:\Windows\system32\msinfo32.exe |
| PID 1248 wrote to memory of 1536 | N/A | N/A | C:\Windows\system32\msinfo32.exe |
| PID 1248 wrote to memory of 1536 | N/A | N/A | C:\Windows\system32\msinfo32.exe |
| PID 1248 wrote to memory of 2176 | N/A | N/A | C:\Users\Admin\AppData\Local\gL3\msinfo32.exe |
| PID 1248 wrote to memory of 2176 | N/A | N/A | C:\Users\Admin\AppData\Local\gL3\msinfo32.exe |
| PID 1248 wrote to memory of 2176 | N/A | N/A | C:\Users\Admin\AppData\Local\gL3\msinfo32.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\14c1ebb77518e40dfd55948e33030b1a.dll,#1
C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe
C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe
C:\Windows\system32\cmstp.exe
C:\Windows\system32\cmstp.exe
C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe
C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe
C:\Windows\system32\msinfo32.exe
C:\Windows\system32\msinfo32.exe
C:\Users\Admin\AppData\Local\gL3\msinfo32.exe
C:\Users\Admin\AppData\Local\gL3\msinfo32.exe
Network
Files
memory/2172-0-0x0000000140000000-0x0000000140176000-memory.dmp
memory/2172-1-0x0000000000190000-0x0000000000197000-memory.dmp
memory/1248-4-0x00000000776E6000-0x00000000776E7000-memory.dmp
memory/1248-5-0x0000000002120000-0x0000000002121000-memory.dmp
memory/1248-7-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-10-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-15-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-20-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-26-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-31-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-35-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-38-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-44-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-48-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-51-0x0000000002100000-0x0000000002107000-memory.dmp
memory/1248-57-0x00000000778F1000-0x00000000778F2000-memory.dmp
memory/1248-56-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-58-0x0000000077A50000-0x0000000077A52000-memory.dmp
memory/1248-47-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-46-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-45-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-43-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-41-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-67-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-42-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-40-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-39-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-73-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-37-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-36-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-34-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-33-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-32-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-30-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-29-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-28-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-27-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-25-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-24-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-23-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-21-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-22-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-19-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-18-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-17-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-16-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-14-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-13-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-12-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-11-0x0000000140000000-0x0000000140176000-memory.dmp
memory/1248-9-0x0000000140000000-0x0000000140176000-memory.dmp
memory/2172-8-0x0000000140000000-0x0000000140176000-memory.dmp
\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe
| MD5 | 7b031d4b4fde446d3a6064e379df3e28 |
| SHA1 | 2fc49a7afab4eaa4fec2d892b0c0dfc549f89068 |
| SHA256 | 9d09717b867c8e345d010b1141168cdeed8d55e169d811fcaf88d0d1f1cf13fa |
| SHA512 | ef9b97299fbae407fe39b2a7e2c8084e4d5ae0b18f95251a6da7e66a45c2557530370e81c212eeabf0feb41440243c2e398c0c76780b96df0c8164562de0f211 |
C:\Users\Admin\AppData\Local\ko5EvoY9\slc.dll
| MD5 | cf9da61d0e2dbe18068e9272336f68a2 |
| SHA1 | 6f4061f2373569cfd43f0aea2f5ea669f582c7b0 |
| SHA256 | 5fc22e2b5d8f188ed1b51bf158b4af0b451de2b7b2480afc775814684e43df83 |
| SHA512 | 9297f29fae48e1d7c9778fddf33f70186890e457c78e0a7bd91717d1b272e77852aa38550a293f4a339274efc8f276f409f40f374edc705bb504769cb43ea8cd |
C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe
| MD5 | 2063339961f2f8073b628eaff5781979 |
| SHA1 | 047e1b8e5cc0f96410572623cc5fdc4a78473ae7 |
| SHA256 | b63ea2c8e0f9b0f009494e2b2a6c1d4c5625ea96c18bd10fa6610e8bf244fe87 |
| SHA512 | b398b4acca950efc1fc0afcc2db89a256fa2a43478c6f0dee73ec80bd024a5ee55ff6556c1e07f7a22097f64a8bde79cd69885f4e85c5dc2e44b71ee7c7dccb2 |
\Users\Admin\AppData\Local\ko5EvoY9\slc.dll
| MD5 | 7c86af52ed250c8c79dde9f9f1f3cb6f |
| SHA1 | db66472a65e6758a3614573cf772fa7cfc6a49a7 |
| SHA256 | 4ae2013407652388879fddd7718e32aae4b0863ef1b9454c2765d059d91bdc49 |
| SHA512 | 0fbebb7ce012c26a2deb0d64834dc075eab15003a9e1d32bdce150fae715bc679ec7005fca8c26c98befbd4c6ef3f6a15985722281298e6346c4722c7e7749b3 |
memory/1248-85-0x00000000776E6000-0x00000000776E7000-memory.dmp
memory/1168-86-0x0000000000100000-0x0000000000107000-memory.dmp
\Users\Admin\AppData\Local\WvqOdM\cmstp.exe
| MD5 | 74c6da5522f420c394ae34b2d3d677e3 |
| SHA1 | ba135738ef1fb2f4c2c6c610be2c4e855a526668 |
| SHA256 | 51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6 |
| SHA512 | bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a |
C:\Users\Admin\AppData\Local\WvqOdM\VERSION.dll
| MD5 | 43b4d57d98f5b88437c604945e19773b |
| SHA1 | 6a7bbfcb7159fce28090ef487df0524866a0d1ca |
| SHA256 | 9ce1bed1ffa31cc73820b87863d5ec6a7c98e78b4ea70f0d4edf2b1e01f33d93 |
| SHA512 | b50c90a065e40edeaa985fadb6d6ddfa84d050ae9ac2858369385236ce529623d771895499fca86385787ec9314f70bd36d1c866077ac6160e4cd98849e47aef |
memory/1440-106-0x0000000000170000-0x0000000000177000-memory.dmp
\Users\Admin\AppData\Local\gL3\msinfo32.exe
| MD5 | d291620d4c51c5f5ffa62ccdc52c5c13 |
| SHA1 | 2081c97f15b1c2a2eadce366baf3c510da553cc7 |
| SHA256 | 76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae |
| SHA512 | 75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b |
C:\Users\Admin\AppData\Local\gL3\MFC42u.dll
| MD5 | 60de768a73079f559513e3879923be82 |
| SHA1 | 894b11ef58833a2c15f9d8a1741d870b3d587c4d |
| SHA256 | f7c876ebfab2a90af7be47202a18a965ed7a23b807ca513217c5624cc837689b |
| SHA512 | 562d944f50ccf6e37039528503f007458c3d617132f0f2febd99876d5250db3d7587b66d310e658af0805f87ffed9821252898a6f525838ba1426eef2b868d39 |
memory/2176-123-0x0000000000080000-0x0000000000087000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
| MD5 | ecd29867bd11251d0dad5061b7d7ba78 |
| SHA1 | 7ff5f45161a20288098b798998229d8c34d70627 |
| SHA256 | f224016820e39487873749e552b8f8a34b686dc3301cfb2ebfd4c5dac82fe8ba |
| SHA512 | 04ad2be03ccaa841403b5920db5139ccfd59dddf05f453c6c92f51db959e410cc2990145b80100f755d1414dcb8033ab8e88cf90724080a8d3eee6058c3fe75e |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\rh\slc.dll
| MD5 | 4c312ab17cb3a7860dbad536142a2840 |
| SHA1 | 35aeb94a90d6e7e8aacb86ff84a19f46ee764ef4 |
| SHA256 | 2e30a104512610f8dc28a6f1ace7d351f87371a01c50bc6a7c6ede4f2d909ee7 |
| SHA512 | 6f3344e8801ecf804d10f0402e1a5083d51e9420341db6bfed45fdda19bbb295d605a707c756d8770e0e6e3722c7e48fa5f8cc33d142f478e60991144cfc132b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 09:41
Reported
2023-12-31 10:54
Platform
win10v2004-20231215-en
Max time kernel
116s
Max time network
167s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\I1T\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\s6R\rdpclip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\I1T\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\s6R\rdpclip.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\RLAFE7~1\\rdpclip.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\s6R\rdpclip.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\I1T\sigverif.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3356 wrote to memory of 1424 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 3356 wrote to memory of 1424 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 3356 wrote to memory of 2032 | N/A | N/A | C:\Users\Admin\AppData\Local\I1T\sigverif.exe |
| PID 3356 wrote to memory of 2032 | N/A | N/A | C:\Users\Admin\AppData\Local\I1T\sigverif.exe |
| PID 3356 wrote to memory of 4384 | N/A | N/A | C:\Windows\system32\rdpclip.exe |
| PID 3356 wrote to memory of 4384 | N/A | N/A | C:\Windows\system32\rdpclip.exe |
| PID 3356 wrote to memory of 4048 | N/A | N/A | C:\Users\Admin\AppData\Local\s6R\rdpclip.exe |
| PID 3356 wrote to memory of 4048 | N/A | N/A | C:\Users\Admin\AppData\Local\s6R\rdpclip.exe |
| PID 3356 wrote to memory of 1804 | N/A | N/A | C:\Windows\system32\RdpSaUacHelper.exe |
| PID 3356 wrote to memory of 1804 | N/A | N/A | C:\Windows\system32\RdpSaUacHelper.exe |
| PID 3356 wrote to memory of 2524 | N/A | N/A | C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe |
| PID 3356 wrote to memory of 2524 | N/A | N/A | C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\14c1ebb77518e40dfd55948e33030b1a.dll,#1
C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\rdpclip.exe
C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\s6R\rdpclip.exe
C:\Users\Admin\AppData\Local\s6R\rdpclip.exe
C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\I1T\sigverif.exe
C:\Users\Admin\AppData\Local\I1T\sigverif.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/852-1-0x0000000140000000-0x0000000140176000-memory.dmp
memory/852-0-0x000001FA91400000-0x000001FA91407000-memory.dmp
memory/3356-5-0x00007FF816CDA000-0x00007FF816CDB000-memory.dmp
memory/3356-4-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
memory/852-8-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-9-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-10-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-7-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-11-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-13-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-14-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-18-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-21-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-25-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-29-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-34-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-38-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-42-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-44-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-48-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-49-0x0000000000DC0000-0x0000000000DC7000-memory.dmp
memory/3356-56-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-47-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-46-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-57-0x00007FF816DA0000-0x00007FF816DB0000-memory.dmp
memory/3356-45-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-66-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-68-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-43-0x0000000140000000-0x0000000140176000-memory.dmp
memory/2032-78-0x0000000140000000-0x0000000140177000-memory.dmp
memory/2032-83-0x0000000140000000-0x0000000140177000-memory.dmp
memory/2032-77-0x000001905DAE0000-0x000001905DAE7000-memory.dmp
memory/4048-94-0x000002513A930000-0x000002513A937000-memory.dmp
memory/2524-111-0x000001BBD3DA0000-0x000001BBD3DA7000-memory.dmp
memory/3356-41-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-40-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-39-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-37-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-36-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-35-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-33-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-32-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-31-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-30-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-28-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-27-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-26-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-23-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-24-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-22-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-20-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-19-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-17-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-16-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-15-0x0000000140000000-0x0000000140176000-memory.dmp
memory/3356-12-0x0000000140000000-0x0000000140176000-memory.dmp