Malware Analysis Report

2024-11-30 21:38

Sample ID 231230-zfkqmsghb6
Target 1bfea61bfeabf731b6b76050cd35602a
SHA256 e59b5a342c8d8f9669a312558f4d75ee3188eccad66c611d9467dd830cfac128
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e59b5a342c8d8f9669a312558f4d75ee3188eccad66c611d9467dd830cfac128

Threat Level: Known bad

The file 1bfea61bfeabf731b6b76050cd35602a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 20:39

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 20:39

Reported

2024-01-04 05:41

Platform

win7-20231215-en

Max time kernel

200s

Max time network

46s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1bfea61bfeabf731b6b76050cd35602a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\g1ZlA\SystemPropertiesRemote.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ywJJ\sethc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\945\tabcal.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sFIG1VF\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\J5DZP6~1\\tabcal.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\g1ZlA\SystemPropertiesRemote.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\945\tabcal.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\sFIG1VF\wscript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 320 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1244 wrote to memory of 320 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1244 wrote to memory of 320 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 1244 wrote to memory of 752 N/A N/A C:\Users\Admin\AppData\Local\g1ZlA\SystemPropertiesRemote.exe
PID 1244 wrote to memory of 752 N/A N/A C:\Users\Admin\AppData\Local\g1ZlA\SystemPropertiesRemote.exe
PID 1244 wrote to memory of 752 N/A N/A C:\Users\Admin\AppData\Local\g1ZlA\SystemPropertiesRemote.exe
PID 1244 wrote to memory of 2320 N/A N/A C:\Windows\system32\sethc.exe
PID 1244 wrote to memory of 2320 N/A N/A C:\Windows\system32\sethc.exe
PID 1244 wrote to memory of 2320 N/A N/A C:\Windows\system32\sethc.exe
PID 1244 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\ywJJ\sethc.exe
PID 1244 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\ywJJ\sethc.exe
PID 1244 wrote to memory of 1664 N/A N/A C:\Users\Admin\AppData\Local\ywJJ\sethc.exe
PID 1244 wrote to memory of 2916 N/A N/A C:\Windows\system32\tabcal.exe
PID 1244 wrote to memory of 2916 N/A N/A C:\Windows\system32\tabcal.exe
PID 1244 wrote to memory of 2916 N/A N/A C:\Windows\system32\tabcal.exe
PID 1244 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\945\tabcal.exe
PID 1244 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\945\tabcal.exe
PID 1244 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\945\tabcal.exe
PID 1244 wrote to memory of 2360 N/A N/A C:\Windows\system32\wscript.exe
PID 1244 wrote to memory of 2360 N/A N/A C:\Windows\system32\wscript.exe
PID 1244 wrote to memory of 2360 N/A N/A C:\Windows\system32\wscript.exe
PID 1244 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\sFIG1VF\wscript.exe
PID 1244 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\sFIG1VF\wscript.exe
PID 1244 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\sFIG1VF\wscript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1bfea61bfeabf731b6b76050cd35602a.dll,#1

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\g1ZlA\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\g1ZlA\SystemPropertiesRemote.exe

C:\Windows\system32\sethc.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\ywJJ\sethc.exe

C:\Users\Admin\AppData\Local\ywJJ\sethc.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Users\Admin\AppData\Local\945\tabcal.exe

C:\Users\Admin\AppData\Local\945\tabcal.exe

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\sFIG1VF\wscript.exe

C:\Users\Admin\AppData\Local\sFIG1VF\wscript.exe

Network

N/A

Files

\Users\Admin\AppData\Local\g1ZlA\SystemPropertiesRemote.exe

MD5 d0d7ac869aa4e179da2cc333f0440d71
SHA1 e7b9a58f5bfc1ec321f015641a60978c0c683894
SHA256 5762e1570de6ca4ff4254d03c8f6e572f3b9c065bf5c78fd5a9ea3769c33818a
SHA512 1808b10dc85f8755a0074d1ea00794b46b4254573b6862c2813a89ca171ad94f95262e8b59a8f9a596c9bd6a724f440a14a813eab93aa140e818ee97af106db7

C:\Users\Admin\AppData\Local\g1ZlA\SYSDM.CPL

MD5 876fe2db1d894a2e45e387de12cf93d0
SHA1 b6df25681dbec2fd01c28f03cd57a2a274b7675f
SHA256 922809dd57f81eeaef46a5fcd3982d3e428bddbfe02828f770a09a4d788be810
SHA512 f8ec2a2a01346ed3e8f1ab35e67180290746db23770a3389e7a5239cf28cbcbaf4f4ea139c480f56beb93f390341f1c3be800400ce6f40bc5911d6e5a4e2f407

memory/752-79-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/752-80-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/752-85-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1244-90-0x00000000776B6000-0x00000000776B7000-memory.dmp

\Users\Admin\AppData\Local\ywJJ\sethc.exe

MD5 3bcb70da9b5a2011e01e35ed29a3f3f3
SHA1 9daecb1ee5d7cbcf46ee154dd642fcd993723a9b
SHA256 dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5
SHA512 69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

C:\Users\Admin\AppData\Local\ywJJ\DUI70.dll

MD5 1258722d2e0bb1009ac455ded4bbca3a
SHA1 accf33f79e1c625578d4d0ac7998046b1cb08d3f
SHA256 d3246ed0081106090bc74bd432e0dbba61355fac20b2e048153eb62823cf1c8b
SHA512 f6e2b3335d8ac32afac7fc1e385a873c1ffd91245c3f6c2ab6392c1fd950d30a6ccabc4d300550d6de7819a05c4f53bd83923f0fcab619f594c01e7d22476199

memory/1664-98-0x0000000140000000-0x00000001401E9000-memory.dmp

C:\Users\Admin\AppData\Local\945\tabcal.exe

MD5 98e7911befe83f76777317ce6905666d
SHA1 2780088dffe1dd1356c5dd5112a9f04afee3ee8d
SHA256 3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1
SHA512 fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

C:\Users\Admin\AppData\Local\945\HID.DLL

MD5 e171fa80ffeeec786a7d3893a812e58a
SHA1 8daaf122b91125ab4d60d01465e9c4c07555c068
SHA256 0c8de3ef2ce855cf1485968e6c41ff6cc03f5d70bf9d9900a1e162d1e099c33e
SHA512 a4c9043ec480b7b445ac8178a1959f425ee5ec3523397063e175459362e8eac382e2d17e388b2ec461bb8c41abcf1978db0f66b8d9730258d017345e6b76ced9

\Users\Admin\AppData\Local\sFIG1VF\wscript.exe

MD5 8886e0697b0a93c521f99099ef643450
SHA1 851bd390bf559e702b8323062dbeb251d9f2f6f7
SHA256 d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
SHA512 fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

C:\Users\Admin\AppData\Local\sFIG1VF\VERSION.dll

MD5 914b5763350bf69a3f6a5804b8e75245
SHA1 a2740c6c256bd58b300a8a3183c582d4f25d8b4a
SHA256 dcb6c788f938d7c66844c1cf3a6ac268cfc4977317ebf52002c7f34289b00400
SHA512 e82d4158ae6260b7782eb643656a71d7cb0eb9436dd3d3699e50f4a631ab2caf63b9923e499d91bbfddcbfe9ff1240e708cc5bf6deee6a81d6bc850ae6be8e0c

memory/2336-133-0x00000000000E0000-0x00000000000E7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 09d870f3662d43d6d5e4d86c4e16b04d
SHA1 f0b6c9ced515fc4301a787edd9e7c0a83679d046
SHA256 f9c5ea12f41aecd2d798b7e8c50dfae9d5780b124f25d30aa34445b2dd163fdc
SHA512 ba63009bbbf7292cac4f6def67b3cd3fe69f6a14c2bb92a819a1126da93dc0853640aefd39ba8ef79b71b594c553abfa91729fec47254d68751bf32345b3c603

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 20:39

Reported

2024-01-04 05:40

Platform

win10v2004-20231215-en

Max time kernel

194s

Max time network

208s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1bfea61bfeabf731b6b76050cd35602a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~1\\8RFht2\\DXPSER~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7cqZZV7\PasswordOnWakeSettingFlyout.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\obmUmn3p\Dxpserver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\MQBw\OptionalFeatures.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 2916 N/A N/A C:\Windows\system32\Narrator.exe
PID 3516 wrote to memory of 2916 N/A N/A C:\Windows\system32\Narrator.exe
PID 3516 wrote to memory of 2004 N/A N/A C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
PID 3516 wrote to memory of 2004 N/A N/A C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
PID 3516 wrote to memory of 2288 N/A N/A C:\Users\Admin\AppData\Local\7cqZZV7\PasswordOnWakeSettingFlyout.exe
PID 3516 wrote to memory of 2288 N/A N/A C:\Users\Admin\AppData\Local\7cqZZV7\PasswordOnWakeSettingFlyout.exe
PID 3516 wrote to memory of 2276 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 3516 wrote to memory of 2276 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 3516 wrote to memory of 2728 N/A N/A C:\Users\Admin\AppData\Local\obmUmn3p\Dxpserver.exe
PID 3516 wrote to memory of 2728 N/A N/A C:\Users\Admin\AppData\Local\obmUmn3p\Dxpserver.exe
PID 3516 wrote to memory of 3732 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 3516 wrote to memory of 3732 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 3516 wrote to memory of 944 N/A N/A C:\Users\Admin\AppData\Local\MQBw\OptionalFeatures.exe
PID 3516 wrote to memory of 944 N/A N/A C:\Users\Admin\AppData\Local\MQBw\OptionalFeatures.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1bfea61bfeabf731b6b76050cd35602a.dll,#1

C:\Windows\system32\Narrator.exe

C:\Windows\system32\Narrator.exe

C:\Users\Admin\AppData\Local\aib6Uzv\Narrator.exe

C:\Users\Admin\AppData\Local\aib6Uzv\Narrator.exe

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe

C:\Users\Admin\AppData\Local\7cqZZV7\PasswordOnWakeSettingFlyout.exe

C:\Users\Admin\AppData\Local\7cqZZV7\PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\Dxpserver.exe

C:\Windows\system32\Dxpserver.exe

C:\Users\Admin\AppData\Local\obmUmn3p\Dxpserver.exe

C:\Users\Admin\AppData\Local\obmUmn3p\Dxpserver.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\MQBw\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\MQBw\OptionalFeatures.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\aib6Uzv\Narrator.exe

MD5 d92defaa4d346278480d2780325d8d18
SHA1 6494d55b2e5064ffe8add579edfcd13c3e69fffe
SHA256 69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83
SHA512 b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

C:\Users\Admin\AppData\Local\7cqZZV7\PasswordOnWakeSettingFlyout.exe

MD5 591a98c65f624c52882c2b238d6cd4c4
SHA1 c960d08c19d777069cf265dcc281807fbd8502d7
SHA256 5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06
SHA512 1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

C:\Users\Admin\AppData\Local\7cqZZV7\DUI70.dll

MD5 5d10c72081cbecf7bc9156e537ef2a7e
SHA1 ad0c1bc99ae5f02aa242f8dafa1c1d62fe3ba4f7
SHA256 e3a2df1e00df4c00c1a853d6f8f1581933caf0dfbc9326f153c6b121e8301cbe
SHA512 8a4381b810ad7ce14df5ef1fa10ce55b35a9bda5a8169761f911cf3bc572b05217ae0ab88661bb8964e4d9485e90e639db15f9d157522cdf2b47262ef18265c6

memory/2288-79-0x000002BA2BDF0000-0x000002BA2BDF7000-memory.dmp

memory/2288-80-0x0000000140000000-0x00000001401FB000-memory.dmp

memory/2288-85-0x0000000140000000-0x00000001401FB000-memory.dmp

C:\Users\Admin\AppData\Local\obmUmn3p\Dxpserver.exe

MD5 6344f1a7d50da5732c960e243c672165
SHA1 b6d0236f79d4f988640a8445a5647aff5b5410f7
SHA256 b1081651ac33610824e2088ff64d1655993dd3d6073af1e5ffe0b4a0027f502f
SHA512 73f6fa01b880e6619fafa065c171bd0a2b7b2d908762b5aca15f2b8d856b5501b3884e3566ef9b8032c8cbf9bb15116e60c22fded4656c8857c974cda4213d65

C:\Users\Admin\AppData\Local\obmUmn3p\XmlLite.dll

MD5 2125ff6f1961ede767eff3c23741919f
SHA1 5bacc29bf0029ce681717de6f8ad6c4f618705bf
SHA256 7ca2d93b2bc287983d79f1f859ecab489bb5b1869520d5ebc701e24199f61bfe
SHA512 048eefcbaf7a87b79de4c28d8398d00cc582180b81b78b3039cb8620223ff0ad0666f78f32f8bd0c0524b5c62003a0f56219c0dd3189c5eecfe459675522d60f

C:\Users\Admin\AppData\Local\obmUmn3p\XmlLite.dll

MD5 9384dc945747b3105b275d36d4740139
SHA1 84f869c07054149a9e4b455517dcf310e1204154
SHA256 4c100b6e0bef5f6ab1049698d45160f686178b2a7e9f60216507a15a33c1a07c
SHA512 f8795a4854e5f37199066726c0f503d187f231646ffab293bc1a63038512f3a6e465054e16c567261f0c20b40b7c5844ad6ca88cf3116fc0ffe0ce7531432244

memory/2728-97-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2728-96-0x000001F568160000-0x000001F568167000-memory.dmp

memory/2728-102-0x0000000140000000-0x00000001401B6000-memory.dmp

C:\Users\Admin\AppData\Local\obmUmn3p\Dxpserver.exe

MD5 f0eef9c361f1998a9a6b4c32d9afc0f6
SHA1 1251e6c7dc4f5ff9e3be37d654109a27c793570f
SHA256 bdacd6d7fb59fe9d20ff0ef199e0182a7acebf064012248a56ff4bde567de45c
SHA512 f59c43954795f34511ef53baa6dcfff2c331dfc19ae1490d2df856f3e4b4a1bbe15cbf66b432935ece21bf8684a859ac55c28c5e59d03988b9846ad911aa0609

C:\Users\Admin\AppData\Local\MQBw\OptionalFeatures.exe

MD5 d6cd8bef71458804dbc33b88ace56372
SHA1 a18b58445be2492c5d37abad69b5aa0d29416a60
SHA256 fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8
SHA512 1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

C:\Users\Admin\AppData\Local\MQBw\appwiz.cpl

MD5 505a6dbdb59a1ca6a5a8ccfeabac2325
SHA1 55c8ec479f3b6d491069eddc77a1e2f9a3608bb4
SHA256 7c4d9a3fb6c3d7281b6d05b5243e4fead71b11d465cb4f073f002e6edd89706b
SHA512 d30e17c14cede5af5cb53ed9ddd7a6ea4b679dad285e1e1a3177bfcdbf6a5da2e0e95f70e38fa94d2de493c53278549d6d92917cc1178a0562632b9dc5691235

C:\Users\Admin\AppData\Local\MQBw\appwiz.cpl

MD5 1d1ae737e9514688efd01165c4bc64d5
SHA1 8e04ae37760f7e33a812d38e4662ff48f4c154be
SHA256 6f46f7a376848f90476f2096f637f6d3b3b8215d4c2922c44bf011d43b7e0076
SHA512 1e63b1810f485fb1a898893e3ebb9dab297618c9e56299af7961b80f441f7881ae238180a8b3edd3ca1c3cf4285fc2b2a26fda3b38aa57fed9304b24572b84ec

memory/944-113-0x000002827F1D0000-0x000002827F1D7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 0fbb839b7dd1c28db98999e97705015c
SHA1 a02cb69869ba4beeda4711cc53ffedeb75f3982c
SHA256 256f98ea001cf5eae9e5346a67676d0b1ef6add0e2945c43f74309b72e0b9732
SHA512 c20f9deb7563e25fc2bdfbc2d0358bf9e6a552db9e63ea6fc3f0516a77c068494bbb0f3cc0a5e9788d0c398367615ae850a25806c9d72844f979878086aed89c