Malware Analysis Report

2024-11-30 21:30

Sample ID 231230-nyqttsdbd9
Target 178409a846e128855539e3d22bdd8ecb
SHA256 ecde9ad52e5d625acdf6ce054e51a231edbbcd886e1298a14ea7a4306c57cfa0
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ecde9ad52e5d625acdf6ce054e51a231edbbcd886e1298a14ea7a4306c57cfa0

Threat Level: Known bad

The file 178409a846e128855539e3d22bdd8ecb was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 11:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 11:48

Reported

2024-01-03 08:50

Platform

win10v2004-20231215-en

Max time kernel

135s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\178409a846e128855539e3d22bdd8ecb.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\3Mc6VXNo2Qn\\msinfo32.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\UgBiK\mspaint.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\2AioL\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jTW5Pj\eudcedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3316 wrote to memory of 4244 N/A N/A C:\Windows\system32\mspaint.exe
PID 3316 wrote to memory of 4244 N/A N/A C:\Windows\system32\mspaint.exe
PID 3316 wrote to memory of 3580 N/A N/A C:\Users\Admin\AppData\Local\UgBiK\mspaint.exe
PID 3316 wrote to memory of 3580 N/A N/A C:\Users\Admin\AppData\Local\UgBiK\mspaint.exe
PID 3316 wrote to memory of 1564 N/A N/A C:\Windows\system32\msinfo32.exe
PID 3316 wrote to memory of 1564 N/A N/A C:\Windows\system32\msinfo32.exe
PID 3316 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\2AioL\msinfo32.exe
PID 3316 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\2AioL\msinfo32.exe
PID 3316 wrote to memory of 1636 N/A N/A C:\Windows\system32\eudcedit.exe
PID 3316 wrote to memory of 1636 N/A N/A C:\Windows\system32\eudcedit.exe
PID 3316 wrote to memory of 4040 N/A N/A C:\Users\Admin\AppData\Local\jTW5Pj\eudcedit.exe
PID 3316 wrote to memory of 4040 N/A N/A C:\Users\Admin\AppData\Local\jTW5Pj\eudcedit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\178409a846e128855539e3d22bdd8ecb.dll,#1

C:\Windows\system32\mspaint.exe

C:\Windows\system32\mspaint.exe

C:\Users\Admin\AppData\Local\UgBiK\mspaint.exe

C:\Users\Admin\AppData\Local\UgBiK\mspaint.exe

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\2AioL\msinfo32.exe

C:\Users\Admin\AppData\Local\2AioL\msinfo32.exe

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\jTW5Pj\eudcedit.exe

C:\Users\Admin\AppData\Local\jTW5Pj\eudcedit.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp

Files

C:\Users\Admin\AppData\Local\UgBiK\mspaint.exe

C:\Users\Admin\AppData\Local\UgBiK\mspaint.exe

C:\Users\Admin\AppData\Local\UgBiK\WINMM.dll

C:\Users\Admin\AppData\Local\2AioL\msinfo32.exe

C:\Users\Admin\AppData\Local\2AioL\SLC.dll

C:\Users\Admin\AppData\Local\2AioL\msinfo32.exe

C:\Users\Admin\AppData\Local\jTW5Pj\eudcedit.exe

C:\Users\Admin\AppData\Local\jTW5Pj\MFC42u.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\l7xBXtS\mspaint.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\l7xBXtS\WINMM.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\79tXQ\MFC42u.dll

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 11:48

Reported

2024-01-03 08:50

Platform

win7-20231215-en

Max time kernel

151s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\178409a846e128855539e3d22bdd8ecb.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Dridex payload

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\qqA\MpSigStub.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\gyv1TOyB2\dpapimig.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\0OU6\BdeUISrv.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\6OJKQX~1\\dpapimig.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\qqA\MpSigStub.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gyv1TOyB2\dpapimig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\0OU6\BdeUISrv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 960 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1260 wrote to memory of 960 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1260 wrote to memory of 960 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1260 wrote to memory of 576 N/A N/A C:\Users\Admin\AppData\Local\qqA\MpSigStub.exe
PID 1260 wrote to memory of 576 N/A N/A C:\Users\Admin\AppData\Local\qqA\MpSigStub.exe
PID 1260 wrote to memory of 576 N/A N/A C:\Users\Admin\AppData\Local\qqA\MpSigStub.exe
PID 1260 wrote to memory of 2832 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1260 wrote to memory of 2832 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1260 wrote to memory of 2832 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1260 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\gyv1TOyB2\dpapimig.exe
PID 1260 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\gyv1TOyB2\dpapimig.exe
PID 1260 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\gyv1TOyB2\dpapimig.exe
PID 1260 wrote to memory of 2492 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1260 wrote to memory of 2492 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1260 wrote to memory of 2492 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1260 wrote to memory of 944 N/A N/A C:\Users\Admin\AppData\Local\0OU6\BdeUISrv.exe
PID 1260 wrote to memory of 944 N/A N/A C:\Users\Admin\AppData\Local\0OU6\BdeUISrv.exe
PID 1260 wrote to memory of 944 N/A N/A C:\Users\Admin\AppData\Local\0OU6\BdeUISrv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\178409a846e128855539e3d22bdd8ecb.dll,#1

C:\Windows\system32\MpSigStub.exe

C:\Windows\system32\MpSigStub.exe

C:\Users\Admin\AppData\Local\qqA\MpSigStub.exe

C:\Users\Admin\AppData\Local\qqA\MpSigStub.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\gyv1TOyB2\dpapimig.exe

C:\Users\Admin\AppData\Local\gyv1TOyB2\dpapimig.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\0OU6\BdeUISrv.exe

C:\Users\Admin\AppData\Local\0OU6\BdeUISrv.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\qqA\MpSigStub.exe

C:\Users\Admin\AppData\Local\qqA\VERSION.dll

C:\Users\Admin\AppData\Local\gyv1TOyB2\DUI70.dll

C:\Users\Admin\AppData\Local\gyv1TOyB2\dpapimig.exe

C:\Users\Admin\AppData\Local\0OU6\WTSAPI32.dll

C:\Users\Admin\AppData\Local\0OU6\BdeUISrv.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
