Malware Analysis Report

2024-11-30 21:31

Sample ID: 231231-dl1s6aebbq
Target: 25b805781ec9ad5acc34674d7e9b929f
SHA256: ce628650176caef50d872a085534c24a2bd035103b4aa2af5b3396a475cd5c69
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: ce628650176caef50d872a085534c24a2bd035103b4aa2af5b3396a475cd5c69

Threat Level: Known bad

The file 25b805781ec9ad5acc34674d7e9b929f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported: 2023-12-31 03:06

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 03:06
Reported: 2024-01-02 01:34
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\25b805781ec9ad5acc34674d7e9b929f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\5BkkoZc\icardagt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\jkVJ\mfpmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Fvh5tTV\sethc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\eEZC\\mfpmp.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jkVJ\mfpmp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Fvh5tTV\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\5BkkoZc\icardagt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 2980 N/A N/A C:\Windows\system32\icardagt.exe
PID 1240 wrote to memory of 2980 N/A N/A C:\Windows\system32\icardagt.exe
PID 1240 wrote to memory of 2980 N/A N/A C:\Windows\system32\icardagt.exe
PID 1240 wrote to memory of 580 N/A N/A C:\Users\Admin\AppData\Local\5BkkoZc\icardagt.exe
PID 1240 wrote to memory of 580 N/A N/A C:\Users\Admin\AppData\Local\5BkkoZc\icardagt.exe
PID 1240 wrote to memory of 580 N/A N/A C:\Users\Admin\AppData\Local\5BkkoZc\icardagt.exe
PID 1240 wrote to memory of 2204 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1240 wrote to memory of 2204 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1240 wrote to memory of 2204 N/A N/A C:\Windows\system32\mfpmp.exe
PID 1240 wrote to memory of 1096 N/A N/A C:\Users\Admin\AppData\Local\jkVJ\mfpmp.exe
PID 1240 wrote to memory of 1096 N/A N/A C:\Users\Admin\AppData\Local\jkVJ\mfpmp.exe
PID 1240 wrote to memory of 1096 N/A N/A C:\Users\Admin\AppData\Local\jkVJ\mfpmp.exe
PID 1240 wrote to memory of 1140 N/A N/A C:\Windows\system32\sethc.exe
PID 1240 wrote to memory of 1140 N/A N/A C:\Windows\system32\sethc.exe
PID 1240 wrote to memory of 1140 N/A N/A C:\Windows\system32\sethc.exe
PID 1240 wrote to memory of 2364 N/A N/A C:\Users\Admin\AppData\Local\Fvh5tTV\sethc.exe
PID 1240 wrote to memory of 2364 N/A N/A C:\Users\Admin\AppData\Local\Fvh5tTV\sethc.exe
PID 1240 wrote to memory of 2364 N/A N/A C:\Users\Admin\AppData\Local\Fvh5tTV\sethc.exe

Uses Task Scheduler COM API

persistence

Processes

Process Command line
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\25b805781ec9ad5acc34674d7e9b929f.dll,#1
C:\Windows\system32\icardagt.exe C:\Windows\system32\icardagt.exe
C:\Users\Admin\AppData\Local\5BkkoZc\icardagt.exe C:\Users\Admin\AppData\Local\5BkkoZc\icardagt.exe
C:\Windows\system32\mfpmp.exe C:\Windows\system32\mfpmp.exe
C:\Users\Admin\AppData\Local\jkVJ\mfpmp.exe C:\Users\Admin\AppData\Local\jkVJ\mfpmp.exe
C:\Windows\system32\sethc.exe C:\Windows\system32\sethc.exe
C:\Users\Admin\AppData\Local\Fvh5tTV\sethc.exe C:\Users\Admin\AppData\Local\Fvh5tTV\sethc.exe

Network

N/A

Files

\Users\Admin\AppData\Local\5BkkoZc\icardagt.exe

MD5 2fe97a3052e847190a9775431292a3a3
SHA1 43edc451ac97365600391fa4af15476a30423ff6
SHA256 473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7
SHA512 93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

C:\Users\Admin\AppData\Local\5BkkoZc\VERSION.dll

MD5 24f4fd9d41ea77714dccf42e5b3dcf3f
SHA1 04620bf4d0272c941cf8401fddd48cfba42bda20
SHA256 d7e9b505b103340c92d2b00f70a289838e0369a4ff8aaae1a1251feedb873892
SHA512 c4affd76c9a28b3181d6a4a9fe9900c38a9675490c27fd64b1a2bdbace4fb885d1a0cffe4fa9286202d7877421d004135d625998799cb6d18940d74991c4d422

\Users\Admin\AppData\Local\jkVJ\mfpmp.exe

MD5 2d8600b94de72a9d771cbb56b9f9c331
SHA1 a0e2ac409159546183aa45875497844c4adb5aac
SHA256 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
SHA512 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

\Users\Admin\AppData\Local\jkVJ\MFPlat.DLL

MD5 e9cb3ac2256ecafe8b1c565bcba1023e
SHA1 5ee1e7c6d1f7a3067c7f85ceaf664bda4d79c4de
SHA256 21e3e0e62cf051775e8d6c6a35eee955d195cc2c8780094dfeb627cfe126c19a
SHA512 9aba56c63bc9fe2279b899e600a691e7346944425a0fd07d0c11e58763f5c9aad5b2796a66b6af45e48f17c3fa871e673265afa7b099a95c03a3d48f85f6a4cc

\Users\Admin\AppData\Local\Fvh5tTV\sethc.exe

MD5 3bcb70da9b5a2011e01e35ed29a3f3f3
SHA1 9daecb1ee5d7cbcf46ee154dd642fcd993723a9b
SHA256 dd94bf73f0e3652b76cfb774b419ceaa2082bc7f30cc34e28dfa51952fa9ccb5
SHA512 69d231132f488fd7033349f232db1207f88f1d5cb84f5422adf0dd5fb7b373dada8fdfac7760b8845e5aab00a7ae56f24d66bbb8aa70c3c8de6ec5c31982b4df

C:\Users\Admin\AppData\Local\Fvh5tTV\UxTheme.dll

MD5 83714cfc2ead2e11c2fecf4433408f81
SHA1 e84152fd75093b7fb77509997bd13b0095816308
SHA256 53345a0061769085598475304f8bad1873427b2ad35d6a8eb22603fee24d82d9
SHA512 cb001e68dce634b2434d405f6d5907d3d0eec623aeadb058d4dab590e2872f716adcbeb4eadafc89a78e6508463c758cafb0d6ac5230f0d6f308aada56bd9dd4

\Users\Admin\AppData\Local\Fvh5tTV\UxTheme.dll

MD5 559e76e4659339c8e8cf931d1db25fa2
SHA1 1ad8f59efd52fdbe0a46d7806d60133c55bcf265
SHA256 e2560145be36b22c9f615a3cf881f035796bafc87c36fc1f6652790e9dfbbf92
SHA512 bf0dc2f205eedcee1ea816f984bf19e0aab195881b2baa9a26b12e096a610e99a3ceb63dab970821a8bcdcb632eecfbb8a46dc087e232c3eeacbecb8884be494

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 51733f8f305136dc85e7afadca803c05
SHA1 996794be643131dffc3dd784983a689334928fcc
SHA256 9e37913d6ff6a489388164d37cdcbb90c23fcd19fce17c9b252db58fb7280fa8
SHA512 f3dd81303a30d441c9c808da5103249e3a1d6362ac0aeb2b75df5c055b3aee7b40b8a4fb87d41a82d1fd94acd8cc5c4757a9c4c1d7a43c6a520d8920549fb422

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\eEZC\MFPlat.DLL

MD5 6df8a68cc10ad365ec2e92a54b3c26bd
SHA1 9350ca502689d3a663cc38c8b74a59f0dc3ca9a0
SHA256 b08788e34a61cc9a3d56d28eda62c59c8811d16db6564ec32d931dabc09e45a8
SHA512 a32859c53f17ecc38e58de89a63e0bb70b7b9dff4d06ab8d8025885894493b5269ad905a5c763b3772d8e7adb1dfd5bb047b45ab38a0391885354f39453b42e9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\izM6z\UxTheme.dll

MD5 2a1da8ccaf17dd2f7b242aa7938a5e53
SHA1 4476fd6d290aa087fa5278d1ae07e132b01b29a2
SHA256 287fa7b8e1f2dfbd1d1c3bf7cc2eee4af9e1cb108ab10f5db127bc40bf68792e
SHA512 49a49ecf6fe30a7c3d8d43e9e2142b3573aca0b9a4b48054c5de44c59fd862f32c6dae01367dadd016da406f5a2acfb4e608cc133c5f1bdc1b96787a260d468e

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 03:06
Reported: 2024-01-02 01:35
Platform: win10v2004-20231215-en
Max time kernel: 45s
Max time network: 138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\25b805781ec9ad5acc34674d7e9b929f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\Dw1FUdt\\DMNOTI~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\VpbrEs\perfmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\lG4A4X\DmNotificationBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\HqKnP\isoburn.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3440 wrote to memory of 4684 N/A N/A C:\Windows\system32\perfmon.exe
PID 3440 wrote to memory of 4684 N/A N/A C:\Windows\system32\perfmon.exe
PID 3440 wrote to memory of 4524 N/A N/A C:\Users\Admin\AppData\Local\VpbrEs\perfmon.exe
PID 3440 wrote to memory of 4524 N/A N/A C:\Users\Admin\AppData\Local\VpbrEs\perfmon.exe
PID 3440 wrote to memory of 2076 N/A N/A C:\Windows\system32\DmNotificationBroker.exe
PID 3440 wrote to memory of 2076 N/A N/A C:\Windows\system32\DmNotificationBroker.exe
PID 3440 wrote to memory of 4324 N/A N/A C:\Users\Admin\AppData\Local\lG4A4X\DmNotificationBroker.exe
PID 3440 wrote to memory of 4324 N/A N/A C:\Users\Admin\AppData\Local\lG4A4X\DmNotificationBroker.exe
PID 3440 wrote to memory of 3400 N/A N/A C:\Windows\system32\isoburn.exe
PID 3440 wrote to memory of 3400 N/A N/A C:\Windows\system32\isoburn.exe
PID 3440 wrote to memory of 3648 N/A N/A C:\Users\Admin\AppData\Local\HqKnP\isoburn.exe
PID 3440 wrote to memory of 3648 N/A N/A C:\Users\Admin\AppData\Local\HqKnP\isoburn.exe

Uses Task Scheduler COM API

persistence

Processes

Process Command line
C:\Windows\system32\rundll32.exe rundll32.exe C:\Users\Admin\AppData\Local\Temp\25b805781ec9ad5acc34674d7e9b929f.dll,#1
C:\Windows\system32\DmNotificationBroker.exe C:\Windows\system32\DmNotificationBroker.exe
C:\Users\Admin\AppData\Local\VpbrEs\perfmon.exe C:\Users\Admin\AppData\Local\VpbrEs\perfmon.exe
C:\Windows\system32\perfmon.exe C:\Windows\system32\perfmon.exe
C:\Windows\system32\isoburn.exe C:\Windows\system32\isoburn.exe
C:\Users\Admin\AppData\Local\HqKnP\isoburn.exe C:\Users\Admin\AppData\Local\HqKnP\isoburn.exe
C:\Users\Admin\AppData\Local\lG4A4X\DmNotificationBroker.exe C:\Users\Admin\AppData\Local\lG4A4X\DmNotificationBroker.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 0.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 17.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files