Malware Analysis Report

2024-11-30 21:12

Sample ID: 231230-zvyk2sggbr
Target: 1c68b9d9ca1d91bd01ebbb33ad3ebecd
SHA256: a602c5ce8b7598df60ceb994f78d80b7a944c3af06eecbd1c1bbcd18d44cac96
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a602c5ce8b7598df60ceb994f78d80b7a944c3af06eecbd1c1bbcd18d44cac96

Threat Level: Known bad

The file 1c68b9d9ca1d91bd01ebbb33ad3ebecd was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 21:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 21:02

Reported

2024-01-01 05:15

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c68b9d9ca1d91bd01ebbb33ad3ebecd.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\DgLU\dpnsvr.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\abIi\eudcedit.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\WMmi\winlogon.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\6IvjNX\\eudcedit.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\DgLU\dpnsvr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\abIi\eudcedit.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\WMmi\winlogon.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1260 wrote to memory of 1864 | N/A | N/A | C:\Windows\system32\dpnsvr.exe
PID 1260 wrote to memory of 1864 | N/A | N/A | C:\Windows\system32\dpnsvr.exe
PID 1260 wrote to memory of 1864 | N/A | N/A | C:\Windows\system32\dpnsvr.exe
PID 1260 wrote to memory of 2744 | N/A | N/A | C:\Users\Admin\AppData\Local\DgLU\dpnsvr.exe
PID 1260 wrote to memory of 2744 | N/A | N/A | C:\Users\Admin\AppData\Local\DgLU\dpnsvr.exe
PID 1260 wrote to memory of 2744 | N/A | N/A | C:\Users\Admin\AppData\Local\DgLU\dpnsvr.exe
PID 1260 wrote to memory of 2176 | N/A | N/A | C:\Windows\system32\eudcedit.exe
PID 1260 wrote to memory of 2176 | N/A | N/A | C:\Windows\system32\eudcedit.exe
PID 1260 wrote to memory of 2176 | N/A | N/A | C:\Windows\system32\eudcedit.exe
PID 1260 wrote to memory of 1760 | N/A | N/A | C:\Users\Admin\AppData\Local\abIi\eudcedit.exe
PID 1260 wrote to memory of 1760 | N/A | N/A | C:\Users\Admin\AppData\Local\abIi\eudcedit.exe
PID 1260 wrote to memory of 1760 | N/A | N/A | C:\Users\Admin\AppData\Local\abIi\eudcedit.exe
PID 1260 wrote to memory of 756 | N/A | N/A | C:\Windows\system32\winlogon.exe
PID 1260 wrote to memory of 756 | N/A | N/A | C:\Windows\system32\winlogon.exe
PID 1260 wrote to memory of 756 | N/A | N/A | C:\Windows\system32\winlogon.exe
PID 1260 wrote to memory of 1804 | N/A | N/A | C:\Users\Admin\AppData\Local\WMmi\winlogon.exe
PID 1260 wrote to memory of 1804 | N/A | N/A | C:\Users\Admin\AppData\Local\WMmi\winlogon.exe
PID 1260 wrote to memory of 1804 | N/A | N/A | C:\Users\Admin\AppData\Local\WMmi\winlogon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c68b9d9ca1d91bd01ebbb33ad3ebecd.dll,#1

C:\Users\Admin\AppData\Local\DgLU\dpnsvr.exe

C:\Users\Admin\AppData\Local\DgLU\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\abIi\eudcedit.exe

C:\Users\Admin\AppData\Local\abIi\eudcedit.exe

C:\Windows\system32\winlogon.exe

C:\Windows\system32\winlogon.exe

C:\Users\Admin\AppData\Local\WMmi\winlogon.exe

C:\Users\Admin\AppData\Local\WMmi\winlogon.exe

Network

N/A

Files

memory/2408-1-0x0000000140000000-0x0000000140204000-memory.dmp

memory/2408-0-0x00000000000A0000-0x00000000000A7000-memory.dmp

memory/1260-4-0x0000000076CE6000-0x0000000076CE7000-memory.dmp

memory/1260-5-0x0000000002600000-0x0000000002601000-memory.dmp

memory/1260-10-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-11-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-9-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-14-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-15-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-13-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-12-0x0000000140000000-0x0000000140204000-memory.dmp

memory/2408-8-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-7-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-20-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-19-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-18-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-17-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-21-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-22-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-16-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-23-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-24-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-30-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-31-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-32-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-39-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-38-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-37-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-36-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-35-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-34-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-33-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-29-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-28-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-27-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-26-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-25-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-46-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-45-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-48-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-52-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-51-0x00000000025D0000-0x00000000025D7000-memory.dmp

memory/1260-50-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-49-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-47-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-44-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-43-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-42-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-41-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-40-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-61-0x0000000076F50000-0x0000000076F52000-memory.dmp

memory/1260-60-0x0000000076DF1000-0x0000000076DF2000-memory.dmp

memory/1260-59-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-70-0x0000000140000000-0x0000000140204000-memory.dmp

memory/1260-74-0x0000000140000000-0x0000000140204000-memory.dmp

C:\Users\Admin\AppData\Local\DgLU\WINMM.dll

MD5 c747f7477d1568cd9d4634742bb9a3e9
SHA1 743b8b59ba0a902815292ff47e913d29f5400aeb
SHA256 abb61f5dccfec6c155dc3830221ae9e8471e30fddcc9d2acae5b2681752946e8
SHA512 81dac455861550369a4bffa0c769fa08fc801780060817dbfa4638de64415c3416c885d6aeac10d289849750c5c165556b9916d6cde8e04fa8e4d887ef4dbe0e

\Users\Admin\AppData\Local\DgLU\WINMM.dll

MD5 936618bb19f8fe7ed051a9c45e2273f4
SHA1 b11dd26505a998e994dbe6f0c074eb8afb86f766
SHA256 324fcb100f093b01205871b710424af442d557a604007878901da90fd841d880
SHA512 bda02e8e8255e7486420fa8aa77cd448251897267cd7bec47c311852520ccb7124e03baa0a0dd1b51e33c81af376de9ce6a952b948b3071a5d12b9b594398f27

memory/2744-89-0x00000000000F0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\DgLU\dpnsvr.exe

MD5 6806b72978f6bd27aef57899be68b93b
SHA1 713c246d0b0b8dcc298afaed4f62aed82789951c
SHA256 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
SHA512 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

C:\Users\Admin\AppData\Local\abIi\MFC42u.dll

MD5 bfcac23085da0d6448d27d390ba36168
SHA1 311835f4538fddd77286ebb9c39b78dd4518c0bf
SHA256 c2e8f1acd80bdd78c94d559c53a1139abec458e386b3915d850bb327008f4523
SHA512 9ccdb714a88c8aca4343cc0b2823e31be001d7623c355281983faf997386ba8182082d22a5c3285bf07818c7be9fc9c29f2ee2737c927a16f78319848bbb8ccb

memory/1760-107-0x0000000001B50000-0x0000000001B57000-memory.dmp

\Users\Admin\AppData\Local\abIi\MFC42u.dll

MD5 94db45da5078936c1b1afd5dac97cc74
SHA1 ca06b214a65cb28df4247eb316673c9f50fdc923
SHA256 ef2d038e09aa6011d8381cac4084b02630de30efe0f64aacb7ba1bf394d65fcc
SHA512 c8411a0511f044e39a508adbb410b2ba476d7d64d17c00e9a25bcaa09e5884d87a5bba5f6bbe303b6a48f2825c2f4b3beec1f8a912146f10fd0a4301aad830f7

C:\Users\Admin\AppData\Local\abIi\eudcedit.exe

MD5 a6b1756aedd34881755b5f9b74458696
SHA1 f78f98d42fc93e4e2c357d4cfed276326b8379eb
SHA256 0cbc4790fa50598dc973211c11beac1dc6521bf83e4bb4692ca0396d3bc4e90d
SHA512 687ee90e3bfb63f035b92a26bbbb479e40d7732f0817207079c7c5315436dbf03286c5db5f757ca5f569177302d18a13c995be86179a91c08fe2857f744571ca

\Users\Admin\AppData\Local\abIi\eudcedit.exe

MD5 743f3ec4d180931e579e2d4e55a6bff0
SHA1 ccc805c658d4692ca3d524bacef93cc76119af29
SHA256 219933600a8f533a89b735199b3c872b1cdcba79e25ef7e8374c4bce676710ba
SHA512 b75015245f06c3946497af47ac7c3ddc61b7511ca1c6b2e99a40a3bb8779886795f44be6a5bbe8c41c93d6793371123fb56e1b0c122586694d869fd423b6352e

C:\Users\Admin\AppData\Local\abIi\eudcedit.exe

MD5 e1c6eca26ab9587d8330294e901d04cd
SHA1 55cf052033a9f4dac969e1553afd1098877685dd
SHA256 b26878d8fe3099d099d57734e52eec95431ceb5c301b77726cdb3a39f8fff489
SHA512 968fc8220434ba7e74b1919ca9e295f1c93f8e449c4b50fac7f660bee75fb35f0db306681f434acfc3f4de95ccef9e508e9ebda771255aa7232ad66d980fe89d

\Users\Admin\AppData\Local\WMmi\WINSTA.dll

MD5 9d1f6a4b39f60cd53a4c583ba7e629d3
SHA1 6ed0cdd8413e6e31b68c7f1e0e9a7a05f44b95a1
SHA256 d3e5e643dc9d04ee0867cb617bfb60affcac9ec15335df9306f96122552ffd12
SHA512 03622ce1ac5ec93f0ce046015d2cdaf8841cd2d4a4af257413212dbf0fbc445ffd0a4459c06ada19b671a0334356a71cd23b89328fd7eb70e22000a9a1d6abc4

C:\Users\Admin\AppData\Local\WMmi\WINSTA.dll

MD5 9f6ca5620ba65ba971305235590f95fd
SHA1 02ae768aff270fbd015cf8c0fc9ec27e8a57afd1
SHA256 eb152bbadc2e0170476b41599e7389b016f0cd439c7f28eb2b02f112da7c8e13
SHA512 4c58ae13f625a6ca8375b656d5e101f81332ad6252829ea74547b5960ee9ae34fd48caee55d449edc9fd7f7e4aa6604d5589f3335d43a3bb086878eeaac227a5

memory/1804-124-0x0000000001B40000-0x0000000001B47000-memory.dmp

C:\Users\Admin\AppData\Local\WMmi\winlogon.exe

MD5 acbfa72957a4baad58cab9b0363b0a77
SHA1 8890b6ea0dbccc99da9eccb9ae5967dc92ce3a52
SHA256 6f9d7028acdcd1b1306721e1f89637c8de7aaa0950509ddad64989b8bc37d0c1
SHA512 98cb75ddf05d83602deb5649dd19c9ee5089b2bd8b6c013f9ad17ad810541612c574fe6a50f4b9e88ec065640c97e3ea116621f64985a7c1cf086af68fcb1c34

\Users\Admin\AppData\Local\WMmi\winlogon.exe

MD5 a01c3d31993e3167a6724cca541e4ecb
SHA1 89190a4a519e49b21b957c38df6f86a8fab5ed66
SHA256 9450576b511e982b98db0e125f4236cd0734a4f99069b0b46203bd424bb1b33f
SHA512 4bc847f02fc34a16652126563c14ca7ee9cb24b164461e83d0a634b38e56e4aef73c46d0ac6eeaf4f190f6ad98894a5f45782bc602cff1140841008038a6bbad

C:\Users\Admin\AppData\Local\WMmi\winlogon.exe

MD5 77211d7bde18528d5a2b649d7ab9425f
SHA1 d14888c673badb77505bf807198879ec2d7e7559
SHA256 ba77636b000527d16c0a2c1cc5ac0718c87c53525c27543ec831022761b06779
SHA512 5f0b0f8969b4af2fd230889889ed914a96f78e6b4b89f0790943d93384c2acf57381ef3d26886de11cbb192cfd4a6c0cba853cdd2e68fbb29409b59bc7445de2

\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\oXPSiHN5\winlogon.exe

MD5 e30e7c8853125d4690a01054d1d2bbf1
SHA1 07320ab24af781500fe3ddfe96693b5ba358b912
SHA256 4819ae8701342969648512feeed1de67771121a220f94edde6dd025f7b7b70b7
SHA512 46427f7dde2b458251f4bc0af5a5dccb4c2b8762b1cbeed53a7d4e7f74cfe81c6768c187c568ca511f479813a1520976df4dd5db58971fd2891b44cf4447db4e

memory/1260-147-0x0000000076CE6000-0x0000000076CE7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 d8eb6397a23ff48e5732552c3bab61c0
SHA1 f5e15932a994eb561ddec1e62966c3c0b1580afc
SHA256 90d3e8ba291acc1a8876cce9c0fa2d314e85dcb6a9314255d4ece4cfa792d71d
SHA512 28cc5376e63b20dbb1e97180638dad2f4fec3bf7d86cd96623c3cbc3c08fce61888ad5642f6de475330accd5566fe60088ce94b8aed894973022821a1ae631a5

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\ZM568GVY\iWWo\WINMM.dll

MD5 da3e87e8a219c33b7274dcca0265183d
SHA1 c01658dc829f39c52a58a4788509b316c1def25a
SHA256 2dc585398b022bc3f38404b24cf51fc1574c118df57848674ade1b5a04771318
SHA512 9475c6b779bf89a525b6e1ab91142b3fb53ebc6749350c5438efdfea3ebd2d3bfe0b61b5d8408db142ad776003cffbc66869497c60bf2a396ab4627737b0aaec

C:\Users\Admin\AppData\Roaming\Macromedia\6IvjNX\MFC42u.dll

MD5 ceb1bd2d07a7b62c1f04a0059412e34f
SHA1 a716ae26a144cbab75c98761aea9dc227db10bee
SHA256 d3cfdc6215246d37347b06ccbaa1621c948809ea6dcb84f95a189e9bd942e0d8
SHA512 fa593812d0a2690f4d4f1d8007a54d78d13496fb5ca035ab3a524f5f4aab97ef0fd7bc2b03beb46d892fe8cf4a7472d52049de566f21919c016542d44e9105eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\oXPSiHN5\WINSTA.dll

MD5 31394dae1efc74799049f740a60c352b
SHA1 60916311b9fa492ca2eb885cc1326ce1419c1103
SHA256 abc05481bd1d163580ffbb2cfcdec1651cffe8ce1d1ccb3643fe4fca21d5b3bc
SHA512 0e9a7c654aa9f81627223d9202e2397e7558fa92497609441ce86843b842b5c9d888563d96743030dadd883fc73c4f6777740ca6066199ffa9e4ac03fae8bdbb

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 21:02

Reported

2024-01-01 05:16

Platform

win10v2004-20231222-en

Max time kernel

10s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c68b9d9ca1d91bd01ebbb33ad3ebecd.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\LI2VM9~1\\iexpress.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Kel\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6vxsYBK\iexpress.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\nnJY3X\Taskmgr.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3436 wrote to memory of 1912 | N/A | N/A | C:\Windows\system32\mmc.exe
PID 3436 wrote to memory of 1912 | N/A | N/A | C:\Windows\system32\mmc.exe
PID 3436 wrote to memory of 2372 | N/A | N/A | C:\Users\Admin\AppData\Local\Kel\mmc.exe
PID 3436 wrote to memory of 2372 | N/A | N/A | C:\Users\Admin\AppData\Local\Kel\mmc.exe
PID 3436 wrote to memory of 1896 | N/A | N/A | C:\Windows\system32\iexpress.exe
PID 3436 wrote to memory of 1896 | N/A | N/A | C:\Windows\system32\iexpress.exe
PID 3436 wrote to memory of 4964 | N/A | N/A | C:\Users\Admin\AppData\Local\6vxsYBK\iexpress.exe
PID 3436 wrote to memory of 4964 | N/A | N/A | C:\Users\Admin\AppData\Local\6vxsYBK\iexpress.exe
PID 3436 wrote to memory of 5008 | N/A | N/A | C:\Windows\system32\Taskmgr.exe
PID 3436 wrote to memory of 5008 | N/A | N/A | C:\Windows\system32\Taskmgr.exe
PID 3436 wrote to memory of 2404 | N/A | N/A | C:\Users\Admin\AppData\Local\nnJY3X\Taskmgr.exe
PID 3436 wrote to memory of 2404 | N/A | N/A | C:\Users\Admin\AppData\Local\nnJY3X\Taskmgr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1c68b9d9ca1d91bd01ebbb33ad3ebecd.dll,#1

C:\Windows\system32\mmc.exe

C:\Windows\system32\mmc.exe

C:\Users\Admin\AppData\Local\Kel\mmc.exe

C:\Users\Admin\AppData\Local\Kel\mmc.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Users\Admin\AppData\Local\nnJY3X\Taskmgr.exe

C:\Users\Admin\AppData\Local\nnJY3X\Taskmgr.exe

C:\Users\Admin\AppData\Local\6vxsYBK\iexpress.exe

C:\Users\Admin\AppData\Local\6vxsYBK\iexpress.exe

C:\Windows\system32\iexpress.exe

C:\Windows\system32\iexpress.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
NL | 52.142.223.178:80 | (none) | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp

Files

memory/2752-1-0x0000000140000000-0x0000000140204000-memory.dmp

memory/2752-0-0x00000190599A0000-0x00000190599A7000-memory.dmp

memory/2752-7-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-13-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-19-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-20-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-21-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-28-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-32-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-38-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-42-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-46-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-50-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-51-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-53-0x00000000022C0000-0x00000000022C7000-memory.dmp

memory/3436-59-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-49-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-69-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-71-0x0000000140000000-0x0000000140204000-memory.dmp

memory/2372-81-0x0000000002650000-0x0000000002657000-memory.dmp

memory/2372-82-0x0000000140000000-0x0000000140206000-memory.dmp

memory/4964-96-0x0000022BC4E10000-0x0000022BC4E17000-memory.dmp

memory/2404-111-0x000001727A620000-0x000001727A627000-memory.dmp

memory/3436-60-0x00007FFE4AD40000-0x00007FFE4AD50000-memory.dmp

memory/3436-48-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-47-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-45-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-44-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-43-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-41-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-40-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-39-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-37-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-36-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-35-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-34-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-33-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-31-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-30-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-29-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-27-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-26-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-25-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-24-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-23-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-22-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-18-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-17-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-16-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-15-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-14-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-12-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-11-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-10-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-8-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-9-0x00007FFE49EFA000-0x00007FFE49EFB000-memory.dmp

memory/3436-6-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3436-4-0x00000000023C0000-0x00000000023C1000-memory.dmp