Malware Analysis Report

2024-11-30 21:13

Sample ID 231230-lntrmaafcj
Target 14c1ebb77518e40dfd55948e33030b1a
SHA256 8ebd61a2a0c4892b5c8cd12bfe9e461fc9b289d20450e3d93291fb0e4ab146f4
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ebd61a2a0c4892b5c8cd12bfe9e461fc9b289d20450e3d93291fb0e4ab146f4

Threat Level: Known bad

The file 14c1ebb77518e40dfd55948e33030b1a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 09:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 09:41

Reported

2023-12-31 10:53

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\14c1ebb77518e40dfd55948e33030b1a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\gL3\msinfo32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\m6U\\cmstp.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gL3\msinfo32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 780 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1248 wrote to memory of 780 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1248 wrote to memory of 780 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1248 wrote to memory of 1168 N/A N/A C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe
PID 1248 wrote to memory of 1168 N/A N/A C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe
PID 1248 wrote to memory of 1168 N/A N/A C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe
PID 1248 wrote to memory of 1956 N/A N/A C:\Windows\system32\cmstp.exe
PID 1248 wrote to memory of 1956 N/A N/A C:\Windows\system32\cmstp.exe
PID 1248 wrote to memory of 1956 N/A N/A C:\Windows\system32\cmstp.exe
PID 1248 wrote to memory of 1440 N/A N/A C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe
PID 1248 wrote to memory of 1440 N/A N/A C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe
PID 1248 wrote to memory of 1440 N/A N/A C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe
PID 1248 wrote to memory of 1536 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1248 wrote to memory of 1536 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1248 wrote to memory of 1536 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1248 wrote to memory of 2176 N/A N/A C:\Users\Admin\AppData\Local\gL3\msinfo32.exe
PID 1248 wrote to memory of 2176 N/A N/A C:\Users\Admin\AppData\Local\gL3\msinfo32.exe
PID 1248 wrote to memory of 2176 N/A N/A C:\Users\Admin\AppData\Local\gL3\msinfo32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\14c1ebb77518e40dfd55948e33030b1a.dll,#1

C:\Windows\system32\lpksetup.exe

C:\Windows\system32\lpksetup.exe

C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe

C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe

C:\Users\Admin\AppData\Local\WvqOdM\cmstp.exe

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\gL3\msinfo32.exe

C:\Users\Admin\AppData\Local\gL3\msinfo32.exe

Network

N/A

Files

\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe

MD5 7b031d4b4fde446d3a6064e379df3e28
SHA1 2fc49a7afab4eaa4fec2d892b0c0dfc549f89068
SHA256 9d09717b867c8e345d010b1141168cdeed8d55e169d811fcaf88d0d1f1cf13fa
SHA512 ef9b97299fbae407fe39b2a7e2c8084e4d5ae0b18f95251a6da7e66a45c2557530370e81c212eeabf0feb41440243c2e398c0c76780b96df0c8164562de0f211

C:\Users\Admin\AppData\Local\ko5EvoY9\slc.dll

MD5 cf9da61d0e2dbe18068e9272336f68a2
SHA1 6f4061f2373569cfd43f0aea2f5ea669f582c7b0
SHA256 5fc22e2b5d8f188ed1b51bf158b4af0b451de2b7b2480afc775814684e43df83
SHA512 9297f29fae48e1d7c9778fddf33f70186890e457c78e0a7bd91717d1b272e77852aa38550a293f4a339274efc8f276f409f40f374edc705bb504769cb43ea8cd

C:\Users\Admin\AppData\Local\ko5EvoY9\lpksetup.exe

MD5 2063339961f2f8073b628eaff5781979
SHA1 047e1b8e5cc0f96410572623cc5fdc4a78473ae7
SHA256 b63ea2c8e0f9b0f009494e2b2a6c1d4c5625ea96c18bd10fa6610e8bf244fe87
SHA512 b398b4acca950efc1fc0afcc2db89a256fa2a43478c6f0dee73ec80bd024a5ee55ff6556c1e07f7a22097f64a8bde79cd69885f4e85c5dc2e44b71ee7c7dccb2

\Users\Admin\AppData\Local\ko5EvoY9\slc.dll

MD5 7c86af52ed250c8c79dde9f9f1f3cb6f
SHA1 db66472a65e6758a3614573cf772fa7cfc6a49a7
SHA256 4ae2013407652388879fddd7718e32aae4b0863ef1b9454c2765d059d91bdc49
SHA512 0fbebb7ce012c26a2deb0d64834dc075eab15003a9e1d32bdce150fae715bc679ec7005fca8c26c98befbd4c6ef3f6a15985722281298e6346c4722c7e7749b3

\Users\Admin\AppData\Local\WvqOdM\cmstp.exe

MD5 74c6da5522f420c394ae34b2d3d677e3
SHA1 ba135738ef1fb2f4c2c6c610be2c4e855a526668
SHA256 51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6
SHA512 bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

C:\Users\Admin\AppData\Local\WvqOdM\VERSION.dll

MD5 43b4d57d98f5b88437c604945e19773b
SHA1 6a7bbfcb7159fce28090ef487df0524866a0d1ca
SHA256 9ce1bed1ffa31cc73820b87863d5ec6a7c98e78b4ea70f0d4edf2b1e01f33d93
SHA512 b50c90a065e40edeaa985fadb6d6ddfa84d050ae9ac2858369385236ce529623d771895499fca86385787ec9314f70bd36d1c866077ac6160e4cd98849e47aef

\Users\Admin\AppData\Local\gL3\msinfo32.exe

MD5 d291620d4c51c5f5ffa62ccdc52c5c13
SHA1 2081c97f15b1c2a2eadce366baf3c510da553cc7
SHA256 76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae
SHA512 75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

C:\Users\Admin\AppData\Local\gL3\MFC42u.dll

MD5 60de768a73079f559513e3879923be82
SHA1 894b11ef58833a2c15f9d8a1741d870b3d587c4d
SHA256 f7c876ebfab2a90af7be47202a18a965ed7a23b807ca513217c5624cc837689b
SHA512 562d944f50ccf6e37039528503f007458c3d617132f0f2febd99876d5250db3d7587b66d310e658af0805f87ffed9821252898a6f525838ba1426eef2b868d39

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 ecd29867bd11251d0dad5061b7d7ba78
SHA1 7ff5f45161a20288098b798998229d8c34d70627
SHA256 f224016820e39487873749e552b8f8a34b686dc3301cfb2ebfd4c5dac82fe8ba
SHA512 04ad2be03ccaa841403b5920db5139ccfd59dddf05f453c6c92f51db959e410cc2990145b80100f755d1414dcb8033ab8e88cf90724080a8d3eee6058c3fe75e

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\rh\slc.dll

MD5 4c312ab17cb3a7860dbad536142a2840
SHA1 35aeb94a90d6e7e8aacb86ff84a19f46ee764ef4
SHA256 2e30a104512610f8dc28a6f1ace7d351f87371a01c50bc6a7c6ede4f2d909ee7
SHA512 6f3344e8801ecf804d10f0402e1a5083d51e9420341db6bfed45fdda19bbb295d605a707c756d8770e0e6e3722c7e48fa5f8cc33d142f478e60991144cfc132b

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 09:41

Reported

2023-12-31 10:54

Platform

win10v2004-20231215-en

Max time kernel

116s

Max time network

167s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\14c1ebb77518e40dfd55948e33030b1a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\RLAFE7~1\\rdpclip.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\s6R\rdpclip.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\I1T\sigverif.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3356 wrote to memory of 1424 N/A N/A C:\Windows\system32\sigverif.exe
PID 3356 wrote to memory of 1424 N/A N/A C:\Windows\system32\sigverif.exe
PID 3356 wrote to memory of 2032 N/A N/A C:\Users\Admin\AppData\Local\I1T\sigverif.exe
PID 3356 wrote to memory of 2032 N/A N/A C:\Users\Admin\AppData\Local\I1T\sigverif.exe
PID 3356 wrote to memory of 4384 N/A N/A C:\Windows\system32\rdpclip.exe
PID 3356 wrote to memory of 4384 N/A N/A C:\Windows\system32\rdpclip.exe
PID 3356 wrote to memory of 4048 N/A N/A C:\Users\Admin\AppData\Local\s6R\rdpclip.exe
PID 3356 wrote to memory of 4048 N/A N/A C:\Users\Admin\AppData\Local\s6R\rdpclip.exe
PID 3356 wrote to memory of 1804 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3356 wrote to memory of 1804 N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3356 wrote to memory of 2524 N/A N/A C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe
PID 3356 wrote to memory of 2524 N/A N/A C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\14c1ebb77518e40dfd55948e33030b1a.dll,#1

C:\Windows\system32\sigverif.exe

C:\Windows\system32\sigverif.exe

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\s6R\rdpclip.exe

C:\Users\Admin\AppData\Local\s6R\rdpclip.exe

C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\B3iSyN8U\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\I1T\sigverif.exe

C:\Users\Admin\AppData\Local\I1T\sigverif.exe

Network

Files
