Malware Analysis Report

2024-11-30 21:31

Sample ID 231231-c6p2qahdgp
Target 24dc00b648e1da094abe409fc55cfd8b
SHA256 95ac611145f8bdc5b23e409ce8ca644477a513f6d31b87cd229e296b647d0df8
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

95ac611145f8bdc5b23e409ce8ca644477a513f6d31b87cd229e296b647d0df8

Threat Level: Known bad

The file 24dc00b648e1da094abe409fc55cfd8b was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 02:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 02:41

Reported

2024-01-01 23:59

Platform

win7-20231215-en

Max time kernel

170s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\24dc00b648e1da094abe409fc55cfd8b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Ixe\\dwm.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1260 wrote to memory of 3032 | N/A | N/A | C:\Windows\system32\dwm.exe
PID 1260 wrote to memory of 3032 | N/A | N/A | C:\Windows\system32\dwm.exe
PID 1260 wrote to memory of 3032 | N/A | N/A | C:\Windows\system32\dwm.exe
PID 1260 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe
PID 1260 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe
PID 1260 wrote to memory of 3028 | N/A | N/A | C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe
PID 1260 wrote to memory of 868 | N/A | N/A | C:\Windows\system32\dwm.exe
PID 1260 wrote to memory of 868 | N/A | N/A | C:\Windows\system32\dwm.exe
PID 1260 wrote to memory of 868 | N/A | N/A | C:\Windows\system32\dwm.exe
PID 1260 wrote to memory of 848 | N/A | N/A | C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe
PID 1260 wrote to memory of 848 | N/A | N/A | C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe
PID 1260 wrote to memory of 848 | N/A | N/A | C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe
PID 1260 wrote to memory of 2528 | N/A | N/A | C:\Windows\system32\mmc.exe
PID 1260 wrote to memory of 2528 | N/A | N/A | C:\Windows\system32\mmc.exe
PID 1260 wrote to memory of 2528 | N/A | N/A | C:\Windows\system32\mmc.exe
PID 1260 wrote to memory of 1628 | N/A | N/A | C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe
PID 1260 wrote to memory of 1628 | N/A | N/A | C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe
PID 1260 wrote to memory of 1628 | N/A | N/A | C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\24dc00b648e1da094abe409fc55cfd8b.dll,#1

C:\Windows\system32\dwm.exe

C:\Windows\system32\dwm.exe

C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe

C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe

C:\Windows\system32\dwm.exe

C:\Windows\system32\dwm.exe

C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe

C:\Users\Admin\AppData\Local\zmHgoM\dwm.exe

C:\Windows\system32\mmc.exe

C:\Windows\system32\mmc.exe

C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe

C:\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe

Network

N/A

Files

\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe

C:\Users\Admin\AppData\Local\mfgIroFyI\UxTheme.dll

\Users\Admin\AppData\Local\mfgIroFyI\UxTheme.dll

C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe

C:\Users\Admin\AppData\Local\mfgIroFyI\dwm.exe

C:\Users\Admin\AppData\Local\zmHgoM\UxTheme.dll

\Users\Admin\AppData\Local\NoRKpuZ\mmc.exe

\Users\Admin\AppData\Local\NoRKpuZ\MFC42u.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\xoYGVp7\UxTheme.dll

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 02:41

Reported

2024-01-01 23:57

Platform

win10v2004-20231215-en

Max time kernel

127s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\24dc00b648e1da094abe409fc55cfd8b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\BXOA69~1\\osk.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3492 wrote to memory of 2416 | N/A | N/A | C:\Windows\system32\sdclt.exe
PID 3492 wrote to memory of 2416 | N/A | N/A | C:\Windows\system32\sdclt.exe
PID 3492 wrote to memory of 4792 | N/A | N/A | C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe
PID 3492 wrote to memory of 4792 | N/A | N/A | C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe
PID 3492 wrote to memory of 4992 | N/A | N/A | C:\Windows\system32\osk.exe
PID 3492 wrote to memory of 4992 | N/A | N/A | C:\Windows\system32\osk.exe
PID 3492 wrote to memory of 4048 | N/A | N/A | C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe
PID 3492 wrote to memory of 4048 | N/A | N/A | C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe
PID 3492 wrote to memory of 4860 | N/A | N/A | C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
PID 3492 wrote to memory of 4860 | N/A | N/A | C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
PID 3492 wrote to memory of 3764 | N/A | N/A | C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe
PID 3492 wrote to memory of 3764 | N/A | N/A | C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\24dc00b648e1da094abe409fc55cfd8b.dll,#1

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe

C:\Users\Admin\AppData\Local\kmc1wPeP2\sdclt.exe

C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe

C:\Users\Admin\AppData\Local\E4xHpqLz\PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe

C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe

C:\Users\Admin\AppData\Local\9e6fH1trv\osk.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | | udp
US | 8.8.8.8:53 | | udp
GB | 96.16.110.114:80 | | tcp
US | 8.8.8.8:53 | | udp

Files
