Analysis Overview
SHA256
892e68338ae1bf289538e7adc59ca9c6aa1fc53177d487ac54ce04b884b02c24
Threat Level: Known bad
The file 25edddec0091b8df0ce125b69c0a282a was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 03:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 03:12
Reported
2024-01-02 01:54
Platform
win10v2004-20231215-en
Max time kernel
23s
Max time network
172s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe | N/A |
| N/A | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\HXX\consent.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\wJAENb\psr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe | N/A |
| N/A | N/A | C:\Windows\system32\backgroundTaskHost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\wJAENb\psr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\wJAENb\psr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\y5LsjmpjQF\\BitLockerWizardElev.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wJAENb\psr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3404 wrote to memory of 3916 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe |
| PID 3404 wrote to memory of 3916 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe |
| PID 3404 wrote to memory of 4360 | N/A | N/A | C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe |
| PID 3404 wrote to memory of 4360 | N/A | N/A | C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe |
| PID 3404 wrote to memory of 2768 | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe |
| PID 3404 wrote to memory of 2768 | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe |
| PID 3404 wrote to memory of 2332 | N/A | N/A | C:\Windows\system32\backgroundTaskHost.exe |
| PID 3404 wrote to memory of 2332 | N/A | N/A | C:\Windows\system32\backgroundTaskHost.exe |
| PID 3404 wrote to memory of 5032 | N/A | N/A | C:\Windows\system32\consent.exe |
| PID 3404 wrote to memory of 5032 | N/A | N/A | C:\Windows\system32\consent.exe |
| PID 3404 wrote to memory of 4080 | N/A | N/A | C:\Users\Admin\AppData\Local\HXX\consent.exe |
| PID 3404 wrote to memory of 4080 | N/A | N/A | C:\Users\Admin\AppData\Local\HXX\consent.exe |
| PID 3404 wrote to memory of 1612 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 3404 wrote to memory of 1612 | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 3404 wrote to memory of 2084 | N/A | N/A | C:\Users\Admin\AppData\Local\wJAENb\psr.exe |
| PID 3404 wrote to memory of 2084 | N/A | N/A | C:\Users\Admin\AppData\Local\wJAENb\psr.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\25edddec0091b8df0ce125b69c0a282a.dll,#1
C:\Windows\system32\PresentationSettings.exe
C:\Windows\system32\PresentationSettings.exe
C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe
C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe
C:\Windows\system32\BitLockerWizardElev.exe
C:\Windows\system32\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\H51Mw\BitLockerWizardElev.exe
C:\Users\Admin\AppData\Local\H51Mw\BitLockerWizardElev.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
C:\Users\Admin\AppData\Local\wJAENb\psr.exe
C:\Users\Admin\AppData\Local\wJAENb\psr.exe
C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
C:\Users\Admin\AppData\Local\HXX\consent.exe
C:\Users\Admin\AppData\Local\HXX\consent.exe
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 92.123.241.104:80 | | tcp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| IE | 20.223.36.55:443 | | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/2760-0-0x0000017AFF910000-0x0000017AFF917000-memory.dmp
memory/2760-1-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-7-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-11-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-15-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-20-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-24-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-26-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-29-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-32-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-35-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-39-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-43-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-46-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-51-0x0000000003300000-0x0000000003307000-memory.dmp
memory/3404-50-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-48-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-58-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-59-0x00007FFE52420000-0x00007FFE52430000-memory.dmp
memory/3404-49-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-47-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-68-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-70-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-45-0x0000000140000000-0x00000001401FE000-memory.dmp
C:\Users\Admin\AppData\Local\u4BEQfh3\PresentationSettings.exe
| MD5 | 790799a168c41689849310f6c15f98fa |
| SHA1 | a5d213fc1c71a56de9441b2e35411d83770c01ec |
| SHA256 | 6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8 |
| SHA512 | 8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866 |
C:\Users\Admin\AppData\Local\u4BEQfh3\WINMM.dll
| MD5 | dd54b6b5a45777f62c5c0218c240d95d |
| SHA1 | f890099c88682ac8f87a86faeb51f4cd7cc4f55c |
| SHA256 | 720f2e2d395d4a3095935a79075ab8043c6ac2b4d428546b89e5dcc6e73e57e3 |
| SHA512 | 2d2f6d49cd9c12674afd3b8dffab4952884e602be8f352507c1ba6f94da543d7d23234b1c7b187525cf69d261ea8cdbd55e53a3ea266ec36680ab74bab192aed |
memory/4360-80-0x000001E1B9690000-0x000001E1B9697000-memory.dmp
memory/4360-79-0x0000000140000000-0x0000000140200000-memory.dmp
memory/3404-44-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-42-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-41-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-40-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-38-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-37-0x0000000140000000-0x00000001401FE000-memory.dmp
C:\Users\Admin\AppData\Local\H51Mw\FVEWIZ.dll
| MD5 | 918c2b27644f39f4203b190236303666 |
| SHA1 | 0901e7f82d047289edb7fb13af3df1b58c8e81b0 |
| SHA256 | 53813d496b942f799a491b2bb5514e953ef4fcdd2262ca78d72deebf6630b25b |
| SHA512 | 32ebbd66d2f1694ef6d620cb92652e14450577a4a277e24843674bc03cc552ab5ac0093f502956423ec61bed8e91f311298d8bd34ade755b2f437abf7620941e |
memory/2332-98-0x000001BD60BF0000-0x000001BD60BF7000-memory.dmp
C:\Users\Admin\AppData\Local\H51Mw\BitLockerWizardElev.exe
| MD5 | 8ac5a3a20cf18ae2308c64fd707eeb81 |
| SHA1 | 31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544 |
| SHA256 | 803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5 |
| SHA512 | 85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b |
memory/3404-36-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-33-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-34-0x0000000140000000-0x00000001401FE000-memory.dmp
C:\Users\Admin\AppData\Local\HXX\consent.exe
| MD5 | 6646631ce4ad7128762352da81f3b030 |
| SHA1 | 1095bd4b63360fc2968d75622aa745e5523428ab |
| SHA256 | 56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64 |
| SHA512 | 1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da |
C:\Users\Admin\AppData\Local\wJAENb\psr.exe
| MD5 | ad53ead5379985081b7c3f1f357e545a |
| SHA1 | 6f5aa32c1d15fbf073558fadafd046d97b60184e |
| SHA256 | 4f0144f0e3e721b44babbf41b513942e4117f730546105480571f9c8fce56a1f |
| SHA512 | 433098bd74c34fbadfa447ef45cfa9dc076aef4cf7f2a0a6fe79d5e67f2504eebe8aa31fc1b7a4c5eeb20ede2c5485f75ad0fd77b4ecba3d68ca63313e6f6ea0 |
C:\Users\Admin\AppData\Local\wJAENb\XmlLite.dll
| MD5 | 17508120bdc78409bf4fdf356f4e6181 |
| SHA1 | 927c271433aa776ef2f01a862228dd4a63a23928 |
| SHA256 | 608540541b1bdc19246dc9376a486bae2eccf7a4ed4d8ebacb8a1e81ff330068 |
| SHA512 | 0feea26e26cb9d7b73ea418f007a2c6436bcde2d21c66f3a7825e0745c92e39625b63a8d94e5e1b8a85f9b239a0aa5d53fc3509e413d4fb9fed2dab7eb8d088e |
memory/2084-122-0x000001F2FD580000-0x000001F2FD587000-memory.dmp
memory/3404-31-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-30-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-27-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-28-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-25-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-23-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-21-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-22-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-19-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-18-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-17-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-16-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-14-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-13-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-12-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-10-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-9-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/2760-8-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/3404-5-0x00007FFE51FCA000-0x00007FFE51FCB000-memory.dmp
memory/3404-4-0x0000000003320000-0x0000000003321000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 03:12
Reported
2024-01-02 01:54
Platform
win7-20231215-en
Max time kernel
58s
Max time network
142s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\QLDu1\\rrinstaller.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1384 wrote to memory of 2952 | N/A | N/A | C:\Windows\system32\spinstall.exe |
| PID 1384 wrote to memory of 2952 | N/A | N/A | C:\Windows\system32\spinstall.exe |
| PID 1384 wrote to memory of 2952 | N/A | N/A | C:\Windows\system32\spinstall.exe |
| PID 1384 wrote to memory of 2992 | N/A | N/A | C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe |
| PID 1384 wrote to memory of 2992 | N/A | N/A | C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe |
| PID 1384 wrote to memory of 2992 | N/A | N/A | C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe |
| PID 1384 wrote to memory of 1156 | N/A | N/A | C:\Windows\system32\rrinstaller.exe |
| PID 1384 wrote to memory of 1156 | N/A | N/A | C:\Windows\system32\rrinstaller.exe |
| PID 1384 wrote to memory of 1156 | N/A | N/A | C:\Windows\system32\rrinstaller.exe |
| PID 1384 wrote to memory of 1152 | N/A | N/A | C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe |
| PID 1384 wrote to memory of 1152 | N/A | N/A | C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe |
| PID 1384 wrote to memory of 1152 | N/A | N/A | C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe |
| PID 1384 wrote to memory of 2804 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1384 wrote to memory of 2804 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1384 wrote to memory of 2804 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1384 wrote to memory of 2784 | N/A | N/A | C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe |
| PID 1384 wrote to memory of 2784 | N/A | N/A | C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe |
| PID 1384 wrote to memory of 2784 | N/A | N/A | C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\25edddec0091b8df0ce125b69c0a282a.dll,#1
C:\Windows\system32\spinstall.exe
C:\Windows\system32\spinstall.exe
C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe
C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe
C:\Windows\system32\rrinstaller.exe
C:\Windows\system32\rrinstaller.exe
C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe
C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe
C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe
C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe
Network
Files
memory/1724-1-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1724-0-0x0000000000390000-0x0000000000397000-memory.dmp
memory/1384-4-0x0000000077806000-0x0000000077807000-memory.dmp
memory/1384-9-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-20-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-23-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-27-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-33-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-34-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-42-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-45-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-49-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-50-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-51-0x0000000002610000-0x0000000002617000-memory.dmp
memory/1384-48-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-62-0x0000000077A70000-0x0000000077A72000-memory.dmp
memory/1384-59-0x0000000077911000-0x0000000077912000-memory.dmp
memory/1384-58-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-69-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-47-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-46-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-75-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/2992-89-0x0000000000310000-0x0000000000317000-memory.dmp
memory/1384-44-0x0000000140000000-0x00000001401FE000-memory.dmp
C:\Users\Admin\AppData\Local\3r9ULfXg\spinstall.exe
| MD5 | 29c1d5b330b802efa1a8357373bc97fe |
| SHA1 | 90797aaa2c56fc2a667c74475996ea1841bc368f |
| SHA256 | 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f |
| SHA512 | 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee |
memory/1384-43-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-41-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-40-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-39-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-38-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-37-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-36-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-35-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-32-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-31-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-30-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-29-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-28-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-26-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-25-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-24-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-22-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-21-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-19-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-18-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-17-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-16-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-15-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-14-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-13-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-12-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-11-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-10-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1724-8-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-7-0x0000000140000000-0x00000001401FE000-memory.dmp
memory/1384-5-0x0000000002630000-0x0000000002631000-memory.dmp
C:\Users\Admin\AppData\Local\J8W\MFPlat.DLL
| MD5 | b687b083f14569068f50a1c01025295d |
| SHA1 | 8880658d7e3d3a6c4899c7a5d8a77cd63299bbde |
| SHA256 | ec4498d0a88ee58087f824540978c7d26cc124e20eb9b74d7701f4ed9698aaab |
| SHA512 | 86481ea93bedecf83ad3ccb9272301e2c6337e7abc59a4bae5ef1ecb2decbaeb99ab94512b96dfcf14b259dde8e407f54fe0f5f3079f270323d24f20e6e2e19c |
memory/1152-112-0x00000000000F0000-0x00000000000F7000-memory.dmp
C:\Users\Admin\AppData\Local\J8W\rrinstaller.exe
| MD5 | 0d3a73b0b30252680b383532f1758649 |
| SHA1 | 9f098d2037e4dd94eca6d04c37b3d4ad8b0cc931 |
| SHA256 | fc8a992b6ac311e1b1491ec3e31e273a41f7fdf3f68176321307b68489a03fbc |
| SHA512 | a7961f4d8d0e07959d1501d721c7751b01af6704c7da5c1f31e40de5372ee6a1fce2f3e0077c8e6a1bed017e11ce4be9b0d17c04e30b222fb3f0df67b870b2d4 |
C:\Users\Admin\AppData\Local\2PAT5Fb4\RDVGHelper.exe
| MD5 | 53fda4af81e7c4895357a50e848b7cfe |
| SHA1 | 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f |
| SHA256 | 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038 |
| SHA512 | dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051 |
\Users\Admin\AppData\Local\2PAT5Fb4\dwmapi.dll
| MD5 | 727048d6353639e36f8bb7ea80d0ddac |
| SHA1 | e4d8f2ea61837def1d5190053deeb139a932e33e |
| SHA256 | 3335c1c4b4b68aa73ca8bcc992e71f510451b6aa5a92f60f36ee4ec829a9f7c8 |
| SHA512 | 7a97d178e1cb06e255ef138c2f6c0365048c86005edbd515bca18b1dd7903c979c593b6bdd7be513f3fe6cabb48ac24fcc76932b97d61a2237babc05462a48bd |
memory/2784-128-0x0000000000100000-0x0000000000107000-memory.dmp
memory/1384-159-0x0000000077806000-0x0000000077807000-memory.dmp