Malware Analysis Report

2024-11-30 21:46

Sample ID 231231-ck5kaaefd4
Target 23f9d2ae51af5c55ef51d26821cc73bb
SHA256 d47a15f7fcfebfac9cd8e6613d618624b4ab1de7e052026b9b7ff566827f26ac
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 d47a15f7fcfebfac9cd8e6613d618624b4ab1de7e052026b9b7ff566827f26ac

Threat Level: Known bad

The file 23f9d2ae51af5c55ef51d26821cc73bb was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-12-31 02:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-12-31 02:09
Reported 2024-01-05 04:03
Platform win7-20231215-en
Max time kernel 151s
Max time network 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9d2ae51af5c55ef51d26821cc73bb.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\T0e0\p2phost.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Credentials\\HC\\DeviceDisplayObjectProvider.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\T0e0\p2phost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further events, all fields N/A)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2660 N/A N/A C:\Windows\system32\p2phost.exe
PID 1204 wrote to memory of 2660 N/A N/A C:\Windows\system32\p2phost.exe
PID 1204 wrote to memory of 2660 N/A N/A C:\Windows\system32\p2phost.exe
PID 1204 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\T0e0\p2phost.exe
PID 1204 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\T0e0\p2phost.exe
PID 1204 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\T0e0\p2phost.exe
PID 1204 wrote to memory of 840 N/A N/A C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 840 N/A N/A C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 840 N/A N/A C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe
PID 1204 wrote to memory of 2784 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1204 wrote to memory of 2784 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1204 wrote to memory of 2784 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1204 wrote to memory of 1572 N/A N/A C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe
PID 1204 wrote to memory of 1572 N/A N/A C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe
PID 1204 wrote to memory of 1572 N/A N/A C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9d2ae51af5c55ef51d26821cc73bb.dll,#1

C:\Users\Admin\AppData\Local\T0e0\p2phost.exe

C:\Users\Admin\AppData\Local\T0e0\p2phost.exe

C:\Windows\system32\p2phost.exe

C:\Windows\system32\p2phost.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe

C:\Windows\system32\RDVGHelper.exe

C:\Windows\system32\RDVGHelper.exe

C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe

C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\T0e0\p2phost.exe

\Users\Admin\AppData\Local\T0e0\P2PCOLLAB.dll

C:\Users\Admin\AppData\Local\T0e0\P2PCOLLAB.dll

C:\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe

\Users\Admin\AppData\Local\zpRbP2AZ\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\zpRbP2AZ\XmlLite.dll

\Users\Admin\AppData\Local\zpRbP2AZ\XmlLite.dll

C:\Users\Admin\AppData\Local\61euku5G\WTSAPI32.dll

\Users\Admin\AppData\Local\61euku5G\WTSAPI32.dll

C:\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe

\Users\Admin\AppData\Local\61euku5G\RDVGHelper.exe

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\caL\RDVGHelper.exe

\Users\Admin\AppData\Roaming\Mozilla\Extensions\caL\RDVGHelper.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

C:\Users\Admin\AppData\Roaming\Adobe\VGjeDOg\P2PCOLLAB.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\HC\XmlLite.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\caL\WTSAPI32.dll

Analysis: behavioral2

Detonation Overview

Submitted 2023-12-31 02:09
Reported 2024-01-05 04:03
Platform win10v2004-20231222-en
Max time kernel 64s
Max time network 153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9d2ae51af5c55ef51d26821cc73bb.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\OUDQJR~1\\dwm.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uot\dialer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further events, all fields N/A)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 1280 N/A N/A C:\Windows\system32\dialer.exe
PID 3512 wrote to memory of 1280 N/A N/A C:\Windows\system32\dialer.exe
PID 3512 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\uot\dialer.exe
PID 3512 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\uot\dialer.exe
PID 3512 wrote to memory of 4264 N/A N/A C:\Windows\system32\dwm.exe
PID 3512 wrote to memory of 4264 N/A N/A C:\Windows\system32\dwm.exe
PID 3512 wrote to memory of 4580 N/A N/A C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe
PID 3512 wrote to memory of 4580 N/A N/A C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe
PID 3512 wrote to memory of 3700 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 3512 wrote to memory of 3700 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 3512 wrote to memory of 4056 N/A N/A C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe
PID 3512 wrote to memory of 4056 N/A N/A C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\23f9d2ae51af5c55ef51d26821cc73bb.dll,#1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe

C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe

C:\Windows\system32\Dxpserver.exe

C:\Windows\system32\Dxpserver.exe

C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe

C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe

C:\Windows\system32\dwm.exe

C:\Windows\system32\dwm.exe

C:\Users\Admin\AppData\Local\uot\dialer.exe

C:\Users\Admin\AppData\Local\uot\dialer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\uot\TAPI32.dll

C:\Users\Admin\AppData\Local\uot\dialer.exe

C:\Users\Admin\AppData\Local\NgpjE4onL\dxgi.dll

C:\Users\Admin\AppData\Local\LIcTdiir6\XmlLite.dll

C:\Users\Admin\AppData\Local\LIcTdiir6\Dxpserver.exe

C:\Users\Admin\AppData\Local\NgpjE4onL\dwm.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk
