Malware Analysis Report

2024-11-30 21:30

Sample ID 231231-dn241aegdr
Target 25d874573154be6d3d14ae6e97426536
SHA256 4583e87b6fc0bc83030af01bdfb800be4d3ee3807b22b28e263447ea2f863a36
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4583e87b6fc0bc83030af01bdfb800be4d3ee3807b22b28e263447ea2f863a36

Threat Level: Known bad

The file 25d874573154be6d3d14ae6e97426536 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Dridex payload

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 03:10

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 03:10

Reported

2024-01-02 01:45

Platform

win7-20231215-en

Max time kernel

152s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\25d874573154be6d3d14ae6e97426536.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Csq\iexpress.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\fgL\shrpubw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\1sd1\WFS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\Ku\\shrpubw.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fgL\shrpubw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\1sd1\WFS.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Csq\iexpress.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 2560 N/A N/A C:\Windows\system32\iexpress.exe
PID 1224 wrote to memory of 2560 N/A N/A C:\Windows\system32\iexpress.exe
PID 1224 wrote to memory of 2560 N/A N/A C:\Windows\system32\iexpress.exe
PID 1224 wrote to memory of 372 N/A N/A C:\Users\Admin\AppData\Local\Csq\iexpress.exe
PID 1224 wrote to memory of 372 N/A N/A C:\Users\Admin\AppData\Local\Csq\iexpress.exe
PID 1224 wrote to memory of 372 N/A N/A C:\Users\Admin\AppData\Local\Csq\iexpress.exe
PID 1224 wrote to memory of 364 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1224 wrote to memory of 364 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1224 wrote to memory of 364 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1224 wrote to memory of 2216 N/A N/A C:\Users\Admin\AppData\Local\fgL\shrpubw.exe
PID 1224 wrote to memory of 2216 N/A N/A C:\Users\Admin\AppData\Local\fgL\shrpubw.exe
PID 1224 wrote to memory of 2216 N/A N/A C:\Users\Admin\AppData\Local\fgL\shrpubw.exe
PID 1224 wrote to memory of 1864 N/A N/A C:\Windows\system32\wermgr.exe
PID 1224 wrote to memory of 1864 N/A N/A C:\Windows\system32\wermgr.exe
PID 1224 wrote to memory of 1864 N/A N/A C:\Windows\system32\wermgr.exe
PID 1224 wrote to memory of 844 N/A N/A C:\Users\Admin\AppData\Local\geN7Y0L\wermgr.exe
PID 1224 wrote to memory of 844 N/A N/A C:\Users\Admin\AppData\Local\geN7Y0L\wermgr.exe
PID 1224 wrote to memory of 844 N/A N/A C:\Users\Admin\AppData\Local\geN7Y0L\wermgr.exe
PID 1224 wrote to memory of 1536 N/A N/A C:\Windows\system32\WFS.exe
PID 1224 wrote to memory of 1536 N/A N/A C:\Windows\system32\WFS.exe
PID 1224 wrote to memory of 1536 N/A N/A C:\Windows\system32\WFS.exe
PID 1224 wrote to memory of 1492 N/A N/A C:\Users\Admin\AppData\Local\1sd1\WFS.exe
PID 1224 wrote to memory of 1492 N/A N/A C:\Users\Admin\AppData\Local\1sd1\WFS.exe
PID 1224 wrote to memory of 1492 N/A N/A C:\Users\Admin\AppData\Local\1sd1\WFS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\25d874573154be6d3d14ae6e97426536.dll,#1

C:\Windows\system32\iexpress.exe

C:\Windows\system32\iexpress.exe

C:\Users\Admin\AppData\Local\Csq\iexpress.exe

C:\Users\Admin\AppData\Local\Csq\iexpress.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\fgL\shrpubw.exe

C:\Users\Admin\AppData\Local\fgL\shrpubw.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Users\Admin\AppData\Local\geN7Y0L\wermgr.exe

C:\Users\Admin\AppData\Local\geN7Y0L\wermgr.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\1sd1\WFS.exe

C:\Users\Admin\AppData\Local\1sd1\WFS.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Csq\iexpress.exe

MD5 46fd16f9b1924a2ea8cd5c6716cc654f
SHA1 99284bc91cf829e9602b4b95811c1d72977700b6
SHA256 9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3
SHA512 52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629

C:\Users\Admin\AppData\Local\Csq\VERSION.dll

MD5 f598008eaaa2f4b4b0127ad5bde3b5dd
SHA1 851a00710ac39728e8715e8372360ebdff8253f0
SHA256 43303fb343c7d5328739f6ed74ea70d3f9b21956199598a4de992a44373b8dcf
SHA512 4a37a1354442a8bafb0a8f569d14d5af99ea89624da2c23d2a28ddb0beadf905c241eb6b24f27190062a039481281e5f3cb63534cdf0b0b1406183769d4458ec

\Users\Admin\AppData\Local\Csq\VERSION.dll

MD5 c95750b51f45367d4652a9ebda341121
SHA1 5501f55d27ba75f1cd7405e217f4fecfb28264cc
SHA256 989fc8071adcfad81741918f87d1b22cd641af9ea3c00da337208a6697e4f4b8
SHA512 b99787472b91aeaf9c47a6f19f644ac884f00977e14638a81e1a04553f3d7d8946832faffd1b03ce9cf489096e723c2d613d18033ce14c18dbefe63531c19e91

\Users\Admin\AppData\Local\fgL\shrpubw.exe

MD5 29e6d0016611c8f948db5ea71372f76c
SHA1 01d007a01020370709cd6580717f9ace049647e8
SHA256 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
SHA512 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

C:\Users\Admin\AppData\Local\fgL\shrpubw.exe

MD5 ef5f73589f7cf595666eacec6dfc0184
SHA1 b3a1c3e6dde98f85a40559678b794d5b5a3155fd
SHA256 e51c6aeba96186b67075010c8923ad1b8c30832339fcd26a5d99e6db3e92f4a5
SHA512 bc66d692c828a091379a412929dc786526074c3df0ef01a019917d3b3c43f97182bff7e3f8f60b2bf3dd3ded1aea1fcf3d64fe655611e88cefe3f19999282d6b

C:\Users\Admin\AppData\Local\fgL\MFC42u.dll

MD5 75b23b333c058aebf71a0c0bb065da39
SHA1 bb69028ee70ab70d2a249fb509b7caca0fd7bc59
SHA256 47c5ef9588f7e41fcd0837c418486d7a8ea5c515bd45093aee7bce34e23e1ba5
SHA512 4589f03c820947541573d590429f599c9f11271f98dfc950d8938cd9532d8c4740d1fc1d4c4db62dd3a1b28f5c91e661fdeefbdb872d223737f56f6adb263e8e

\Users\Admin\AppData\Local\fgL\MFC42u.dll

MD5 391fbab68237728e5158018e5aab4d4c
SHA1 ac3ca089312a31e36ad132badf14b9380b80aac5
SHA256 397844fa151f53a0993bbd7297e1349c954e502a24aaee9f8a17ca645e1c38bf
SHA512 819999f7207d8d638142cd5df8feeb6fcb69f3f47fbe21c873ebd043f94373f4fe53dfa2ba1fd2e0824537b2db34898e77b4f15c9fdbdb127b6461a7ba91c69a

\Users\Admin\AppData\Local\geN7Y0L\wermgr.exe

MD5 41df7355a5a907e2c1d7804ec028965d
SHA1 453263d230c6317eb4a2eb3aceeec1bbcf5e153d
SHA256 207bfec939e7c017c4704ba76172ee2c954f485ba593bc1bc8c7666e78251861
SHA512 59c9d69d3942543af4f387137226516adec1a4304bd5696c6c1d338f9e5f40d136450907351cce018563df1358e06a792005167f5c08c689df32d809c4cebdcf

\Users\Admin\AppData\Local\1sd1\WFS.exe

MD5 a943d670747778c7597987a4b5b9a679
SHA1 c48b760ff9762205386563b93e8884352645ef40
SHA256 1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610
SHA512 3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

C:\Users\Admin\AppData\Local\1sd1\WFS.exe

MD5 cb4ba9ddfba7e1544e32998d85cec3bc
SHA1 561f2b279cca83b9f9da2f8a163752e7d5e1b59f
SHA256 2c1acd9711c0e6d9170cf7995ca7c2fc40c8cc2d81bf579ef62112b333202e66
SHA512 08cef790c602d9ea0a0e5c9f8b65db59c2c8fc605745a74f33c3c5f5fb9c9eab656c31215a8fefedb6070a9b26ecbbb8f4e99efcc4eac270165c3ed9443cfe01

C:\Users\Admin\AppData\Local\1sd1\credui.dll

MD5 9555a072c083466c51ba051e116be564
SHA1 d51e7e6bf705c092b7d1ecae237b3dc39610ecb4
SHA256 80f1084f8c0edd3218cce94364bd11d954553815ffca26652231ba18128b1173
SHA512 ad0b0ef241a6aa9d7a77be96e2293bf018017d0376204d807b94b4cf8898a9de71d1b2880490d7d2698b8673387bf1fe2781dda13bc3927727ffaa611a61730a

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 20dd33191c0970dae468beb9553989ac
SHA1 69be394796415ef72e6987daf8a3a5b2365eb1ea
SHA256 b7dd6426bdab5df70209684e2d90a4f320aa6782c0c7f8b0ecd53924e413feb6
SHA512 d9c000b0aa4da3a4dc58b9f78f084445abcfc0cdf5e55a06aaf6ea8db0e64809902e4e3287c6c27199b9d8e0830a6df678668274b34a1c667f25a9d6709d3559

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\Ku\MFC42u.dll

MD5 42bbcb0e2795596416ce38c4aa0765db
SHA1 8da153c6a96596e9adc647f7ecfec6814093337d
SHA256 321b9046bfd2580bcadb5de2661d5e488003c5f513b34fce92213be604fcd295
SHA512 1ee66f12c7bc71e09e9f169408524f4b997f4b9870180a7325f39f7c88641b2294b6e50a120750adebd060884d758101d292408f5218c1dc35a49f27386d6701

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 03:10

Reported

2024-01-02 01:46

Platform

win10v2004-20231215-en

Max time kernel

177s

Max time network

190s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\25d874573154be6d3d14ae6e97426536.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Dridex payload

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-983843758-932321429-1636175382-1000\\3hr9gEgmWzl\\WFS.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Ceiz\SystemPropertiesHardware.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\QoGHwEIO\WFS.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\McBD\SystemPropertiesProtection.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 4716 N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 3384 wrote to memory of 4716 N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 3384 wrote to memory of 2944 N/A N/A C:\Users\Admin\AppData\Local\Ceiz\SystemPropertiesHardware.exe
PID 3384 wrote to memory of 2944 N/A N/A C:\Users\Admin\AppData\Local\Ceiz\SystemPropertiesHardware.exe
PID 3384 wrote to memory of 2212 N/A N/A C:\Windows\system32\WFS.exe
PID 3384 wrote to memory of 2212 N/A N/A C:\Windows\system32\WFS.exe
PID 3384 wrote to memory of 4688 N/A N/A C:\Users\Admin\AppData\Local\QoGHwEIO\WFS.exe
PID 3384 wrote to memory of 4688 N/A N/A C:\Users\Admin\AppData\Local\QoGHwEIO\WFS.exe
PID 3384 wrote to memory of 1352 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 3384 wrote to memory of 1352 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 3384 wrote to memory of 1468 N/A N/A C:\Users\Admin\AppData\Local\McBD\SystemPropertiesProtection.exe
PID 3384 wrote to memory of 1468 N/A N/A C:\Users\Admin\AppData\Local\McBD\SystemPropertiesProtection.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\25d874573154be6d3d14ae6e97426536.dll,#1

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\Ceiz\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\Ceiz\SystemPropertiesHardware.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\QoGHwEIO\WFS.exe

C:\Users\Admin\AppData\Local\QoGHwEIO\WFS.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\McBD\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\McBD\SystemPropertiesProtection.exe

Network

Files

C:\Users\Admin\AppData\Local\Ceiz\SystemPropertiesHardware.exe

MD5 bf5bc0d70a936890d38d2510ee07a2cd
SHA1 69d5971fd264d8128f5633db9003afef5fad8f10
SHA256 c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7
SHA512 0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

C:\Users\Admin\AppData\Local\Ceiz\SYSDM.CPL

MD5 2042d940e5d9f9d3d63d6d906f790b4c
SHA1 b7f216269d37a25f2d7730cfcccf55d76c825681
SHA256 3e646f130b1e6cd402ac63f87b9f515a42e9a6108d1dfae158d4be82cd5f8075
SHA512 177ff9af7119871abfd642803ad555c0552488e60a71e96f18ce7d46f7f73268e05ef417cce8f5bbfa0a7c5b289738caf3e54582b2e8eff7c5d4e3eb8d47e71e

C:\Users\Admin\AppData\Local\QoGHwEIO\WFS.exe

MD5 3cbc8d0f65e3db6c76c119ed7c2ffd85
SHA1 e74f794d86196e3bbb852522479946cceeed7e01
SHA256 e23e4182efe7ed61aaf369696e1ce304c3818df33d1663872b6d3c75499d81f4
SHA512 26ae5845a804b9eb752078f1ffa80a476648a8a9508b4f7ba56c94acd4198f3ba59c77add4feb7e0420070222af56521ca5f6334f466d5db272c816930513f0a

C:\Users\Admin\AppData\Local\QoGHwEIO\MFC42u.dll

MD5 ea20b267d3bfcc72c942ac70f234e446
SHA1 8e47084ec5b87480a251ca41d946fa58fd63e761
SHA256 8b01d5a8a27afd4436e329cbf3d738a4d873bc4779a4cd0c38a9a71f831f2517
SHA512 48a5294c183f7ec5074340856fae860146fb1d764cb37034e0db0244be9bd58df70afaca6c95ee5d09a528559d765a2c54e5f6dd414acd5e0f73890cb3d2a932

C:\Users\Admin\AppData\Local\McBD\SYSDM.CPL

MD5 462579dc9af5097225d9160d909b4382
SHA1 8ef26c7006cc4ac8c9a61394d5cfb326e7ea9d07
SHA256 8ff9a756b2accd2639f7f6ed1425bb24cf545ddedc51568f6a31ce40fbe926e7
SHA512 35ddef99937cb96414f6958ad477d0be3bd6d4e95fafb002e6bea578ee0eb2ce169dd7fe52a77974e5b02a615a241d68bdf3f81b729199f5cb986cb009bb5151

C:\Users\Admin\AppData\Local\McBD\SystemPropertiesProtection.exe

MD5 26640d2d4fa912fc9a354ef6cfe500ff
SHA1 a343fd82659ce2d8de3beb587088867cf2ab8857
SHA256 a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37
SHA512 26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 f5ad47433b373c6ad5ec822f8876315f
SHA1 29d9d6006d527c878b9d0515d5c680fc0829ca6c
SHA256 3d87ea8cad18d0c0413c3d82c5327f4d25327796f7aad10fed514e5181b69a30
SHA512 114180762d5f1dd73f3f6afd56eaaa69917121d4dd6db3b1daa046e7c29e3397c7ac4b958cb0e466a384bc9b6ecca1558ff6824445443c73b7029fa2656266b2