Malware Analysis Report

2024-11-30 21:22

Sample ID 231230-zhn6vaehbm
Target 1c112351a2237b7e116ee59bd65db792
SHA256 076083217aac190f6310dbf110f16fa2216583931f932b8d7b6cf604768c33cd
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

076083217aac190f6310dbf110f16fa2216583931f932b8d7b6cf604768c33cd

Threat Level: Known bad

The file 1c112351a2237b7e116ee59bd65db792 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 20:43

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 20:43

Reported

2024-01-01 04:35

Platform

win10v2004-20231215-en

Max time kernel

154s

Max time network

170s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c112351a2237b7e116ee59bd65db792.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\ABWHHq\\MusNotificationUx.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\1jF\rstrui.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3580 wrote to memory of 1300 N/A N/A C:\Windows\system32\rstrui.exe
PID 3580 wrote to memory of 1300 N/A N/A C:\Windows\system32\rstrui.exe
PID 3580 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\1jF\rstrui.exe
PID 3580 wrote to memory of 2296 N/A N/A C:\Users\Admin\AppData\Local\1jF\rstrui.exe
PID 3580 wrote to memory of 1160 N/A N/A C:\Windows\system32\MusNotificationUx.exe
PID 3580 wrote to memory of 1160 N/A N/A C:\Windows\system32\MusNotificationUx.exe
PID 3580 wrote to memory of 4644 N/A N/A C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe
PID 3580 wrote to memory of 4644 N/A N/A C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe
PID 3580 wrote to memory of 1896 N/A N/A C:\Windows\system32\dpapimig.exe
PID 3580 wrote to memory of 1896 N/A N/A C:\Windows\system32\dpapimig.exe
PID 3580 wrote to memory of 4476 N/A N/A C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe
PID 3580 wrote to memory of 4476 N/A N/A C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c112351a2237b7e116ee59bd65db792.dll,#1

C:\Windows\system32\rstrui.exe

C:\Windows\system32\rstrui.exe

C:\Users\Admin\AppData\Local\1jF\rstrui.exe

C:\Users\Admin\AppData\Local\1jF\rstrui.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe

C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe

Network


Files

C:\Users\Admin\AppData\Local\1jF\rstrui.exe


C:\Users\Admin\AppData\Local\1jF\SPP.dll


C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe


C:\Users\Admin\AppData\Local\Omq7ioChO\XmlLite.dll


C:\Users\Admin\AppData\Local\Omq7ioChO\XmlLite.dll


C:\Users\Admin\AppData\Local\Omq7ioChO\MusNotificationUx.exe


C:\Users\Admin\AppData\Local\fSdzmb\dpapimig.exe


C:\Users\Admin\AppData\Local\fSdzmb\DUI70.dll


C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 20:43

Reported

2024-01-01 04:35

Platform

win7-20231129-en

Max time kernel

150s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c112351a2237b7e116ee59bd65db792.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\CbM\\dvdupgrd.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1344 wrote to memory of 2528 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1344 wrote to memory of 2528 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1344 wrote to memory of 2528 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1344 wrote to memory of 1948 N/A N/A C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe
PID 1344 wrote to memory of 1948 N/A N/A C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe
PID 1344 wrote to memory of 1948 N/A N/A C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe
PID 1344 wrote to memory of 1920 N/A N/A C:\Windows\system32\dvdupgrd.exe
PID 1344 wrote to memory of 1920 N/A N/A C:\Windows\system32\dvdupgrd.exe
PID 1344 wrote to memory of 1920 N/A N/A C:\Windows\system32\dvdupgrd.exe
PID 1344 wrote to memory of 2948 N/A N/A C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe
PID 1344 wrote to memory of 2948 N/A N/A C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe
PID 1344 wrote to memory of 2948 N/A N/A C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe
PID 1344 wrote to memory of 2796 N/A N/A C:\Windows\system32\dvdupgrd.exe
PID 1344 wrote to memory of 2796 N/A N/A C:\Windows\system32\dvdupgrd.exe
PID 1344 wrote to memory of 2796 N/A N/A C:\Windows\system32\dvdupgrd.exe
PID 1344 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe
PID 1344 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe
PID 1344 wrote to memory of 1852 N/A N/A C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c112351a2237b7e116ee59bd65db792.dll,#1

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\cl2P5c5yx\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe

C:\Users\Admin\AppData\Local\e8p6\dvdupgrd.exe

C:\Windows\system32\dvdupgrd.exe

C:\Windows\system32\dvdupgrd.exe

C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe

C:\Users\Admin\AppData\Local\H6KKFd\dvdupgrd.exe

C:\Windows\system32\dvdupgrd.exe

C:\Windows\system32\dvdupgrd.exe

Network

N/A

Files
