Malware Analysis Report

2024-11-30 21:30

Sample ID 231231-dqfnsafccq
Target 25edddec0091b8df0ce125b69c0a282a
SHA256 892e68338ae1bf289538e7adc59ca9c6aa1fc53177d487ac54ce04b884b02c24
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

892e68338ae1bf289538e7adc59ca9c6aa1fc53177d487ac54ce04b884b02c24

Threat Level: Known bad

The file 25edddec0091b8df0ce125b69c0a282a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 03:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 03:12

Reported

2024-01-02 01:54

Platform

win10v2004-20231215-en

Max time kernel

23s

Max time network

172s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\25edddec0091b8df0ce125b69c0a282a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\y5LsjmpjQF\\BitLockerWizardElev.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wJAENb\psr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (60 identical rows, all columns N/A)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3404 wrote to memory of 3916 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 3404 wrote to memory of 3916 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 3404 wrote to memory of 4360 | N/A | N/A | C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe
PID 3404 wrote to memory of 4360 | N/A | N/A | C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe
PID 3404 wrote to memory of 2768 | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe
PID 3404 wrote to memory of 2768 | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe
PID 3404 wrote to memory of 2332 | N/A | N/A | C:\Windows\system32\backgroundTaskHost.exe
PID 3404 wrote to memory of 2332 | N/A | N/A | C:\Windows\system32\backgroundTaskHost.exe
PID 3404 wrote to memory of 5032 | N/A | N/A | C:\Windows\system32\consent.exe
PID 3404 wrote to memory of 5032 | N/A | N/A | C:\Windows\system32\consent.exe
PID 3404 wrote to memory of 4080 | N/A | N/A | C:\Users\Admin\AppData\Local\HXX\consent.exe
PID 3404 wrote to memory of 4080 | N/A | N/A | C:\Users\Admin\AppData\Local\HXX\consent.exe
PID 3404 wrote to memory of 1612 | N/A | N/A | C:\Windows\system32\psr.exe
PID 3404 wrote to memory of 1612 | N/A | N/A | C:\Windows\system32\psr.exe
PID 3404 wrote to memory of 2084 | N/A | N/A | C:\Users\Admin\AppData\Local\wJAENb\psr.exe
PID 3404 wrote to memory of 2084 | N/A | N/A | C:\Users\Admin\AppData\Local\wJAENb\psr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\25edddec0091b8df0ce125b69c0a282a.dll,#1

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe

C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\H51Mw\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\H51Mw\BitLockerWizardElev.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

C:\Users\Admin\AppData\Local\wJAENb\psr.exe

C:\Users\Admin\AppData\Local\wJAENb\psr.exe

C:\Windows\system32\psr.exe

C:\Windows\system32\psr.exe

C:\Users\Admin\AppData\Local\HXX\consent.exe

C:\Users\Admin\AppData\Local\HXX\consent.exe

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 92.123.241.104:80 | | tcp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
IE | 52.111.236.23:443 | | tcp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
IE | 20.223.36.55:443 | | tcp
US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp

Files

memory/2760-0-0x0000017AFF910000-0x0000017AFF917000-memory.dmp

memory/2760-1-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-7-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-11-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-15-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-20-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-24-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-26-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-29-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-32-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-35-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-39-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-43-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-46-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-51-0x0000000003300000-0x0000000003307000-memory.dmp

memory/3404-50-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-48-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-58-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-59-0x00007FFE52420000-0x00007FFE52430000-memory.dmp

memory/3404-49-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-47-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-68-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-70-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-45-0x0000000140000000-0x00000001401FE000-memory.dmp

C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe

MD5 790799a168c41689849310f6c15f98fa
SHA1 a5d213fc1c71a56de9441b2e35411d83770c01ec
SHA256 6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8
SHA512 8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

C:\Users\Admin\AppData\Local\u4BEQfh3\WINMM.dll

MD5 dd54b6b5a45777f62c5c0218c240d95d
SHA1 f890099c88682ac8f87a86faeb51f4cd7cc4f55c
SHA256 720f2e2d395d4a3095935a79075ab8043c6ac2b4d428546b89e5dcc6e73e57e3
SHA512 2d2f6d49cd9c12674afd3b8dffab4952884e602be8f352507c1ba6f94da543d7d23234b1c7b187525cf69d261ea8cdbd55e53a3ea266ec36680ab74bab192aed

memory/4360-80-0x000001E1B9690000-0x000001E1B9697000-memory.dmp

memory/4360-79-0x0000000140000000-0x0000000140200000-memory.dmp

memory/3404-44-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-42-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-41-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-40-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-38-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-37-0x0000000140000000-0x00000001401FE000-memory.dmp

C:\Users\Admin\AppData\Local\H51Mw\FVEWIZ.dll

MD5 918c2b27644f39f4203b190236303666
SHA1 0901e7f82d047289edb7fb13af3df1b58c8e81b0
SHA256 53813d496b942f799a491b2bb5514e953ef4fcdd2262ca78d72deebf6630b25b
SHA512 32ebbd66d2f1694ef6d620cb92652e14450577a4a277e24843674bc03cc552ab5ac0093f502956423ec61bed8e91f311298d8bd34ade755b2f437abf7620941e

memory/2332-98-0x000001BD60BF0000-0x000001BD60BF7000-memory.dmp

C:\Users\Admin\AppData\Local\H51Mw\BitLockerWizardElev.exe

MD5 8ac5a3a20cf18ae2308c64fd707eeb81
SHA1 31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544
SHA256 803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5
SHA512 85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

memory/3404-36-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-33-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-34-0x0000000140000000-0x00000001401FE000-memory.dmp

C:\Users\Admin\AppData\Local\HXX\consent.exe

MD5 6646631ce4ad7128762352da81f3b030
SHA1 1095bd4b63360fc2968d75622aa745e5523428ab
SHA256 56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64
SHA512 1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

C:\Users\Admin\AppData\Local\wJAENb\psr.exe

MD5 ad53ead5379985081b7c3f1f357e545a
SHA1 6f5aa32c1d15fbf073558fadafd046d97b60184e
SHA256 4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f
SHA512 433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0

C:\Users\Admin\AppData\Local\wJAENb\XmlLite.dll

MD5 17508120bdc78409bf4fdf356f4e6181
SHA1 927c271433aa776ef2f01a862228dd4a63a23928
SHA256 608540541b1bdc19246dc9376a486bae2eccf7a4ed4d8ebacb8a1e81ff330068
SHA512 0feea26e26cb9d7b73ea418f007a2c6436bcde2d21c66f3a7825e0745c92e39625b63a8d94e5e1b8a85f9b239a0aa5d53fc3509e413d4fb9fed2dab7eb8d088e

memory/2084-122-0x000001F2FD580000-0x000001F2FD587000-memory.dmp

memory/3404-31-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-30-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-27-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-28-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-25-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-23-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-21-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-22-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-19-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-18-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-17-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-16-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-14-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-13-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-12-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-10-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-9-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/2760-8-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/3404-5-0x00007FFE51FCA000-0x00007FFE51FCB000-memory.dmp

memory/3404-4-0x0000000003320000-0x0000000003321000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 03:12

Reported

2024-01-02 01:54

Platform

win7-20231215-en

Max time kernel

58s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\25edddec0091b8df0ce125b69c0a282a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\QLDu1\\rrinstaller.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (61 identical rows, all columns N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1384 wrote to memory of 2952 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1384 wrote to memory of 2952 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1384 wrote to memory of 2952 | N/A | N/A | C:\Windows\system32\spinstall.exe
PID 1384 wrote to memory of 2992 | N/A | N/A | C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe
PID 1384 wrote to memory of 2992 | N/A | N/A | C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe
PID 1384 wrote to memory of 2992 | N/A | N/A | C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe
PID 1384 wrote to memory of 1156 | N/A | N/A | C:\Windows\system32\rrinstaller.exe
PID 1384 wrote to memory of 1156 | N/A | N/A | C:\Windows\system32\rrinstaller.exe
PID 1384 wrote to memory of 1156 | N/A | N/A | C:\Windows\system32\rrinstaller.exe
PID 1384 wrote to memory of 1152 | N/A | N/A | C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe
PID 1384 wrote to memory of 1152 | N/A | N/A | C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe
PID 1384 wrote to memory of 1152 | N/A | N/A | C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe
PID 1384 wrote to memory of 2804 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe
PID 1384 wrote to memory of 2804 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe
PID 1384 wrote to memory of 2804 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe
PID 1384 wrote to memory of 2784 | N/A | N/A | C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe
PID 1384 wrote to memory of 2784 | N/A | N/A | C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe
PID 1384 wrote to memory of 2784 | N/A | N/A | C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\25edddec0091b8df0ce125b69c0a282a.dll,#1

C:\Windows\system32\spinstall.exe

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe

C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe

C:\Windows\system32\rrinstaller.exe

C:\Windows\system32\rrinstaller.exe

C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe

C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe

C:\Windows\system32\RDVGHelper.exe

C:\Windows\system32\RDVGHelper.exe

C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe

C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe

Network

N/A

Files

memory/1724-1-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1724-0-0x0000000000390000-0x0000000000397000-memory.dmp

memory/1384-4-0x0000000077806000-0x0000000077807000-memory.dmp

memory/1384-9-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-20-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-23-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-27-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-33-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-34-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-42-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-45-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-49-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-50-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-51-0x0000000002610000-0x0000000002617000-memory.dmp

memory/1384-48-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-62-0x0000000077A70000-0x0000000077A72000-memory.dmp

memory/1384-59-0x0000000077911000-0x0000000077912000-memory.dmp

memory/1384-58-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-69-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-47-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-46-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-75-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/2992-89-0x0000000000310000-0x0000000000317000-memory.dmp

memory/1384-44-0x0000000140000000-0x00000001401FE000-memory.dmp

C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe

MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

memory/1384-43-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-41-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-40-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-39-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-38-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-37-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-36-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-35-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-32-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-31-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-30-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-29-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-28-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-26-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-25-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-24-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-22-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-21-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-19-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-18-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-17-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-16-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-15-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-14-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-13-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-12-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-11-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-10-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1724-8-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-7-0x0000000140000000-0x00000001401FE000-memory.dmp

memory/1384-5-0x0000000002630000-0x0000000002631000-memory.dmp

C:\Users\Admin\AppData\Local\J8W\MFPlat.DLL

MD5 b687b083f14569068f50a1c01025295d
SHA1 8880658d7e3d3a6c4899c7a5d8a77cd63299bbde
SHA256 ec4498d0a88ee58087f824540978c7d26cc124e20eb9b74d7701f4ed9698aaab
SHA512 86481ea93bedecf83ad3ccb9272301e2c6337e7abc59a4bae5ef1ecb2decbaeb99ab94512b96dfcf14b259dde8e407f54fe0f5f3079f270323d24f20e6e2e19c

memory/1152-112-0x00000000000F0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe

MD5 0d3a73b0b30252680b383532f1758649
SHA1 9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931
SHA256 fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc
SHA512 a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4

C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe

MD5 53fda4af81e7c4895357a50e848b7cfe
SHA1 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f
SHA256 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038
SHA512 dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

\Users\Admin\AppData\Local\2PAT5Fb4\dwmapi.dll

MD5 727048d6353639e36f8bb7ea80d0ddac
SHA1 e4d8f2ea61837def1d5190053deeb139a932e33e
SHA256 3335c1c4b4b68aa73ca8bcc992e71f510451b6aa5a92f60f36ee4ec829a9f7c8
SHA512 7a97d178e1cb06e255ef138c2f6c0365048c86005edbd515bca18b1dd7903c979c593b6bdd7be513f3fe6cabb48ac24fcc76932b97d61a2237babc05462a48bd

memory/2784-128-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1384-159-0x0000000077806000-0x0000000077807000-memory.dmp