Malware Analysis Report

2024-11-30 21:31

Sample ID 231230-pb2s9agef9
Target 1818727531779e08447d319417050652
SHA256 a3b5894e80c78867b94b3056d4313604775c02074c40a17f4a8fd99cc4006303
Tags: dridex botnet evasion payload persistence trojan

Score: 10/10

Analysis Overview

Score: 10/10

SHA256: a3b5894e80c78867b94b3056d4313604775c02074c40a17f4a8fd99cc4006303

Threat Level: Known bad

The file 1818727531779e08447d319417050652 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-30 12:10

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-30 12:10

Reported: 2024-01-03 10:20

Platform: win7-20231215-en

Max time kernel: 150s

Max time network: 124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1818727531779e08447d319417050652.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\1bW\cmstp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\WEVAt\\cmstp.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\1bW\cmstp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 2380 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1264 wrote to memory of 2380 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1264 wrote to memory of 2380 N/A N/A C:\Windows\system32\rdrleakdiag.exe
PID 1264 wrote to memory of 3068 N/A N/A C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe
PID 1264 wrote to memory of 3068 N/A N/A C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe
PID 1264 wrote to memory of 3068 N/A N/A C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe
PID 1264 wrote to memory of 1656 N/A N/A C:\Windows\system32\cmstp.exe
PID 1264 wrote to memory of 1656 N/A N/A C:\Windows\system32\cmstp.exe
PID 1264 wrote to memory of 1656 N/A N/A C:\Windows\system32\cmstp.exe
PID 1264 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\1bW\cmstp.exe
PID 1264 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\1bW\cmstp.exe
PID 1264 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\1bW\cmstp.exe
PID 1264 wrote to memory of 1820 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1264 wrote to memory of 1820 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1264 wrote to memory of 1820 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1264 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe
PID 1264 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe
PID 1264 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe

Uses Task Scheduler COM API

persistence

Processes

Process: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1818727531779e08447d319417050652.dll,#1

Process: C:\Windows\system32\rdrleakdiag.exe
Command line: C:\Windows\system32\rdrleakdiag.exe

Process: C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe
Command line: C:\Users\Admin\AppData\Local\waWvGhh\rdrleakdiag.exe

Process: C:\Windows\system32\cmstp.exe
Command line: C:\Windows\system32\cmstp.exe

Process: C:\Users\Admin\AppData\Local\1bW\cmstp.exe
Command line: C:\Users\Admin\AppData\Local\1bW\cmstp.exe

Process: C:\Windows\system32\tcmsetup.exe
Command line: C:\Windows\system32\tcmsetup.exe

Process: C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe
Command line: C:\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe

Network

N/A

Files

\Users\Admin\AppData\Local\1bW\cmstp.exe

MD5 74c6da5522f420c394ae34b2d3d677e3
SHA1 ba135738ef1fb2f4c2c6c610be2c4e855a526668
SHA256 51d298b1a8a2d00d5c608c52dba0655565d021e9798ee171d7fa92cc0de729a6
SHA512 bfd76b1c3e677292748f88bf595bfef0b536eb22f2583b028cbf08f6ae4eda1aa3787c4e892aad12b7681fc2363f99250430a0e7019a7498e24db391868e787a

C:\Users\Admin\AppData\Local\1bW\VERSION.dll

MD5 c46e0f697e2ef3582c7dc2f88f5dff9a
SHA1 be5272d49c1b945d16c607778c499063193ae0b6
SHA256 ed56eed222371f38f377f54dc456bc007796d754cad219b0d4a401a2058fd853
SHA512 8c02dac2052ac805e2c87d20859b9a0b9d991a88d6f38271866e7be99915c0d0c7cab0b627beb24d78da8ad3b09b0b200187accce3e03bf8ac3cf4a3c09b13f1

\Users\Admin\AppData\Local\1bW\VERSION.dll

MD5 a3687f4433f20505c17be5bff855286f
SHA1 f40c23fb0d01b2d49a5905ca69a605b6a94edaf5
SHA256 425831ed48bb6c1079d898bccb4d018afbba3bd2aaa0a2eb531d32117bebc68a
SHA512 9e220112ebeeea76554ba9de7371c8b78ec80eb292863a9c4df99edb375364d7880d0a477ca291270e24a55f3605bb27e1acc3f096b597b802f670ddf016a6c9

\Users\Admin\AppData\Local\Vx3i2Zwk9\tcmsetup.exe

MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

C:\Users\Admin\AppData\Local\Vx3i2Zwk9\TAPI32.dll

MD5 18666d44fb1511bf3296e0979b778530
SHA1 88e968bf444b59e024907f440ee488e28fc1dd9d
SHA256 7dfdcc6fbfefc87e1693139cebe54d63ed6d04b1d1e8fc0e46906f3e7a6867e5
SHA512 35d0a29c2bc8cbbfe2b4cfa31eacf72155ba8c43141f008b32a6f77bd39acda56b025d2aab866ef74df42573be6ce767090650d2a3928e67b4f1cec0eebe7052

\Users\Admin\AppData\Local\Vx3i2Zwk9\TAPI32.dll

MD5 cc06d8e4b3516772c101fa63a40a2000
SHA1 47f709062b46855e4da28e0d2aa6762e4964afbb
SHA256 010a59461bb434c23d8bb62b300a1abc2df0eab6808412ce343682fe83e5723e
SHA512 2fc456c33f91b05be303f48d1ac01d01cae1a9b837454573ed0355f67a01a90b3f345a1a44156078d8eff4ca27ee3123338a08751fc30ad4b9fcaf9b01786960

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

MD5 ced52f1a1e699e42c72180a67b46b021
SHA1 2d7bed3aad3acad5051371260b6699cf1e6eab9b
SHA256 f99900b614d6de0fa0261ecc278f1d479cb69c17351801f312b1f1fe1130442a
SHA512 2981e7e475603f6027881a36a0814add3b7b577188405d270482320eb8fe47d5bde9b7c0b2801082f6ffcdbbd5303352b976e8067006925f34fa2d3757ca77ef

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\cLYa9hq\VERSION.dll

MD5 11c89f8bbd11b343b466c40c15044ac0
SHA1 e0faea1f1f088d8770db6df4ff2c1fa48f316b61
SHA256 ac78f4eb6179067d69ffd586c7cf7c52a085d2af25225ae2e1c4d00d87ad0627
SHA512 31afb6ee9350c0441baf06524c35deb66d947246c41513e18c070081916328f7cbafa74abf326058b505b21b98cfe40cb9dbce19f8d0d2a7226e03df92a7fa37

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\WEVAt\VERSION.dll

MD5 3ff5c4bb300fd97b2c791fef7ff5d313
SHA1 0ef067f60f3357e6b9777adad9c543f362c4db79
SHA256 1eae34fee64b3d362ffe3b04837ce45fe860be5e7b4d6e56951650e411e0fca7
SHA512 75022dfb69dbfd61717d89190b41bf12f081bab4a60be3a19512e806cac9dafbc349040aac89de8dee84588a4afaa2910500f4fe7d2545e0692c00582a8149ff

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\DJjWOqASW\TAPI32.dll

MD5 ae12f6e27c229ba77c5ff79c40c36ae5
SHA1 c0d5c364cec013408286d8cc0e237aec5028d6b5
SHA256 4a7ec3534d533668d86286279832a09f8c4bd1f7191f4cd22ddd8d660ed1c36b
SHA512 487191fbabdc38a77ddd5c5af1cf0e9d74abcbe359c0a328feb3fa9d80db99cadd53780f818e50530e6d9ac572f9f67beb863a89cb1dae744f645b28157ac147

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-30 12:10

Reported: 2024-01-03 10:19

Platform: win10v2004-20231222-en

Max time kernel: 128s

Max time network: 152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1818727531779e08447d319417050652.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\eMo\\CUSTOM~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3488 wrote to memory of 4364 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3488 wrote to memory of 4364 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3488 wrote to memory of 372 N/A N/A C:\Windows\System32\sihclient.exe
PID 3488 wrote to memory of 372 N/A N/A C:\Windows\System32\sihclient.exe
PID 3488 wrote to memory of 3796 N/A N/A C:\Windows\system32\CustomShellHost.exe
PID 3488 wrote to memory of 3796 N/A N/A C:\Windows\system32\CustomShellHost.exe
PID 3488 wrote to memory of 1196 N/A N/A C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe
PID 3488 wrote to memory of 1196 N/A N/A C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe
PID 3488 wrote to memory of 1500 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3488 wrote to memory of 1500 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3488 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe
PID 3488 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe

Uses Task Scheduler COM API

persistence

Processes

Process: C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1818727531779e08447d319417050652.dll,#1

Process: C:\Windows\system32\EaseOfAccessDialog.exe
Command line: C:\Windows\system32\EaseOfAccessDialog.exe

Process: C:\Windows\system32\CustomShellHost.exe
Command line: C:\Windows\system32\CustomShellHost.exe

Process: C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe
Command line: C:\Users\Admin\AppData\Local\jAvuvNv\MoUsoCoreWorker.exe

Process: C:\Windows\system32\MoUsoCoreWorker.exe
Command line: C:\Windows\system32\MoUsoCoreWorker.exe

Process: C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe
Command line: C:\Users\Admin\AppData\Local\c3e0bk\CustomShellHost.exe

Process: C:\Users\Admin\AppData\Local\cFvneX\EaseOfAccessDialog.exe
Command line: C:\Users\Admin\AppData\Local\cFvneX\EaseOfAccessDialog.exe

Process: C:\Windows\System32\sihclient.exe
Command line: C:\Windows\System32\sihclient.exe /cv KmQemMGHV0+o4yX4S2LeLA.0.2

Network

Files
