Malware Analysis Report

2024-11-30 21:31

Sample ID 240101-yefjvsgchp
Target 03c183d59e6ea2fe7b8e65f3e9b3efe0.exe
SHA256 ac0991bd093102a13f9dc9cd52dc8d339a81ebe551e7ff4079f575be23e2d7c3
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ac0991bd093102a13f9dc9cd52dc8d339a81ebe551e7ff4079f575be23e2d7c3

Threat Level: Known bad

The file 03c183d59e6ea2fe7b8e65f3e9b3efe0.exe was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-01 19:41

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-01 19:41

Reported

2024-01-01 19:45

Platform

win7-20231215-en

Max time kernel

152s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c183d59e6ea2fe7b8e65f3e9b3efe0.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\MpCxJ\wisptis.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\8k0\tcmsetup.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\BRntBhj\msinfo32.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\Jiip1eC\\tcmsetup.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\MpCxJ\wisptis.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8k0\tcmsetup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\BRntBhj\msinfo32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
(61 further rows in which all four fields are N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1256 wrote to memory of 1316 | N/A | N/A | C:\Windows\system32\wisptis.exe
PID 1256 wrote to memory of 1316 | N/A | N/A | C:\Windows\system32\wisptis.exe
PID 1256 wrote to memory of 1316 | N/A | N/A | C:\Windows\system32\wisptis.exe
PID 1256 wrote to memory of 1652 | N/A | N/A | C:\Users\Admin\AppData\Local\MpCxJ\wisptis.exe
PID 1256 wrote to memory of 1652 | N/A | N/A | C:\Users\Admin\AppData\Local\MpCxJ\wisptis.exe
PID 1256 wrote to memory of 1652 | N/A | N/A | C:\Users\Admin\AppData\Local\MpCxJ\wisptis.exe
PID 1256 wrote to memory of 1940 | N/A | N/A | C:\Windows\system32\tcmsetup.exe
PID 1256 wrote to memory of 1940 | N/A | N/A | C:\Windows\system32\tcmsetup.exe
PID 1256 wrote to memory of 1940 | N/A | N/A | C:\Windows\system32\tcmsetup.exe
PID 1256 wrote to memory of 1644 | N/A | N/A | C:\Users\Admin\AppData\Local\8k0\tcmsetup.exe
PID 1256 wrote to memory of 1644 | N/A | N/A | C:\Users\Admin\AppData\Local\8k0\tcmsetup.exe
PID 1256 wrote to memory of 1644 | N/A | N/A | C:\Users\Admin\AppData\Local\8k0\tcmsetup.exe
PID 1256 wrote to memory of 484 | N/A | N/A | C:\Windows\system32\msinfo32.exe
PID 1256 wrote to memory of 484 | N/A | N/A | C:\Windows\system32\msinfo32.exe
PID 1256 wrote to memory of 484 | N/A | N/A | C:\Windows\system32\msinfo32.exe
PID 1256 wrote to memory of 2128 | N/A | N/A | C:\Users\Admin\AppData\Local\BRntBhj\msinfo32.exe
PID 1256 wrote to memory of 2128 | N/A | N/A | C:\Users\Admin\AppData\Local\BRntBhj\msinfo32.exe
PID 1256 wrote to memory of 2128 | N/A | N/A | C:\Users\Admin\AppData\Local\BRntBhj\msinfo32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c183d59e6ea2fe7b8e65f3e9b3efe0.dll,#1

C:\Windows\system32\wisptis.exe

C:\Windows\system32\wisptis.exe

C:\Users\Admin\AppData\Local\MpCxJ\wisptis.exe

C:\Users\Admin\AppData\Local\MpCxJ\wisptis.exe

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\8k0\tcmsetup.exe

C:\Users\Admin\AppData\Local\8k0\tcmsetup.exe

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\BRntBhj\msinfo32.exe

C:\Users\Admin\AppData\Local\BRntBhj\msinfo32.exe

Network

N/A

Files

memory/1444-0-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1444-1-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-4-0x0000000077646000-0x0000000077647000-memory.dmp

memory/1256-5-0x0000000002B40000-0x0000000002B41000-memory.dmp

memory/1444-8-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-9-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-10-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-13-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-14-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-15-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-18-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-19-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-20-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-17-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-23-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-27-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-26-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-25-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-28-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-24-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-30-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-32-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-33-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-34-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-31-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-36-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-40-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-42-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-47-0x0000000002B10000-0x0000000002B17000-memory.dmp

memory/1256-46-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-44-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-45-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-43-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-41-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-39-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-38-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-54-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-55-0x0000000077851000-0x0000000077852000-memory.dmp

memory/1256-37-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-56-0x00000000779B0000-0x00000000779B2000-memory.dmp

memory/1256-35-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-29-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-21-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-22-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-16-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-11-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-12-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-7-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-65-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/1256-71-0x0000000140000000-0x00000001401C2000-memory.dmp

C:\Users\Admin\AppData\Local\MpCxJ\WTSAPI32.dll

MD5 92f4d4a294ae98fc3dbd8b4fc0e0f64f
SHA1 2b5805693938a3cb84ca612adf2495223b6881cc
SHA256 13698f884382f58f1009dd5b42ed95e12b52e2a33d19c50c6509f05c75b0ac3d
SHA512 5bc71479a526892e88109484f864b1da8d549d1f3104c628c54c442dfd65216dd5797e54bde4ed99fa15f770a4d649fdf9587cdd0d17ba643cfc71199ce3e3c3

\Users\Admin\AppData\Local\MpCxJ\WTSAPI32.dll

MD5 8d01acb67ef2c4114fde391cdd78d593
SHA1 376dc264527d965d4c6696e2ba731a15f90fe370
SHA256 2299e31e5d9225d4f8a41955a0c585e27654cd897f42dfa2d0dda564085fdace
SHA512 7a774eed44957d3efac50697f26de1f65abe38eb798c72e12ebe2d5ee51db8e3ee026d51e4bff98f7a08132a12c5b5f63e0459dfb3585dab31cf5bc37e7897ed

memory/1652-84-0x0000000140000000-0x00000001401C3000-memory.dmp

memory/1652-83-0x0000000000320000-0x0000000000327000-memory.dmp

C:\Users\Admin\AppData\Local\MpCxJ\wisptis.exe

MD5 162379f6b23b896ccfcea017618913a8
SHA1 87b2b3fdc3a47bdef4f9db47199a88d8bb510608
SHA256 2b009021577229743969fc5a66a7490de3f1437906e64b094a825dd0f7724950
SHA512 ca01d0ded078bebd3d965508ac6c6a5d407905f9e209c7eabd880a3fe3d443d77cbe5a47379873a44d5cedbc42d25d0c0794c83523ee0503c46c27cba6c94a99

\Users\Admin\AppData\Local\MpCxJ\wisptis.exe

MD5 f891e45520297283519d680e39db33db
SHA1 7052cace48d48e308931b910d3db223284841136
SHA256 0cdd4fe61dd08ce1bc75ed682299528b87244d6be43a836ad040d4d6ff7ab2f4
SHA512 b4ff077a5519c4eaa86b349df0bfbc9a3c34ccbfe03f61128bebc9f8eb1003121cacd54395718f7136a75a05ce4f39f587bf66aa2bb81acca963b1b7d7df9a1b

C:\Users\Admin\AppData\Local\MpCxJ\wisptis.exe

MD5 3aca02553e1ea4d7589785c3f8d2212a
SHA1 d49739e725e70d110addc7f747574503a6ecff29
SHA256 0b765825dbf20e1778fd5bc16117edd6d3e29d8adf790e27391c1ca21b46cb1e
SHA512 f8b8d29a68e9104a098010d4610729c074a24a8d03b915b428f2e5b760e57f7ade2be5c8a1c0c2e2c56614a11d85f1c1f265de8d37f190bfbd3ec978fd23b6aa

memory/1256-98-0x0000000077646000-0x0000000077647000-memory.dmp

\Users\Admin\AppData\Local\8k0\tcmsetup.exe

MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

C:\Users\Admin\AppData\Local\8k0\TAPI32.dll

MD5 25c9914c178dcac7a784c65e019849a0
SHA1 f9c06ac9aab1a0394cb0e02beadc8cfad3228de3
SHA256 329dd23cab1c4b50c54400c0645e6e655f8e690145c44ed5723e58662ff568aa
SHA512 34a7d93a5ab8ae2627d8f2618c7db13b04b5a188e2f1f40693d7618baa42121b58b6936da712f99163c2a432921d3d0af985fe510b4577bad71c2d49cc654728

memory/1644-106-0x00000000000F0000-0x00000000000F7000-memory.dmp

\Users\Admin\AppData\Local\BRntBhj\msinfo32.exe

MD5 d291620d4c51c5f5ffa62ccdc52c5c13
SHA1 2081c97f15b1c2a2eadce366baf3c510da553cc7
SHA256 76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae
SHA512 75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

C:\Users\Admin\AppData\Local\BRntBhj\MFC42u.dll

MD5 bf5e00871328ac8ad26ea0a1408089cf
SHA1 7b6ec47f4aa475caa090b6001e7f84362dee2890
SHA256 68ca6e71188dfea0f984db9ec6262ce9df93933d3ae13c04f9b9a3c5aa96c6af
SHA512 aed6ac4831cb9ac77eed874474313fded9a17b452d509db31896afc181a9ee925635e96488ff7cdd343c42f57984e55f59e41cb3000996ded4707966bb0acbf8

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 92833c2af4b025ff62b96c9a972c4df0
SHA1 868165be659802086fd62dd653b4f3f0bd3b67cf
SHA256 c60aaddcfe8359e7bd8500813d7552301364f2bf2d40adcad6148a853214de51
SHA512 e40f899db8d3496e8833a324c4224385774c7072e6338a1d46559a78d52b9457015dd9051fd63d5bb5602b22fa9df40e6183faef158d73e490d292cc7fbaf06c

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\upf\WTSAPI32.dll

MD5 29b18f951756b414f6b39996728a8a3a
SHA1 f2199c78e1c7ef3ee341a5950b812b89d52ceea8
SHA256 ebeb7a8738ff8a81c7405620ba6477ba464267cca8f5d78136f2f14c5af7c26f
SHA512 d8fd7c425b69ef69d2eb27d5500c21f54b23d20883e5976b6144249d157c2e46baaf799fd261c17475b3d6496c7ad394e7490e90bb3dee9fc882efe443544026

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-01 19:41

Reported

2024-01-01 19:44

Platform

win10v2004-20231215-en

Max time kernel

14s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c183d59e6ea2fe7b8e65f3e9b3efe0.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\E5z0bsaP\\EhStorAuthn.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\2g0Pl\tabcal.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\CISfUNjAz\EhStorAuthn.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\A5p\wscript.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
(60 further rows in which all four fields are N/A)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3392 wrote to memory of 2540 | N/A | N/A | C:\Windows\system32\tabcal.exe
PID 3392 wrote to memory of 2540 | N/A | N/A | C:\Windows\system32\tabcal.exe
PID 3392 wrote to memory of 3980 | N/A | N/A | C:\Users\Admin\AppData\Local\2g0Pl\tabcal.exe
PID 3392 wrote to memory of 3980 | N/A | N/A | C:\Users\Admin\AppData\Local\2g0Pl\tabcal.exe
PID 3392 wrote to memory of 1612 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe
PID 3392 wrote to memory of 1612 | N/A | N/A | C:\Windows\system32\EhStorAuthn.exe
PID 3392 wrote to memory of 3208 | N/A | N/A | C:\Users\Admin\AppData\Local\CISfUNjAz\EhStorAuthn.exe
PID 3392 wrote to memory of 3208 | N/A | N/A | C:\Users\Admin\AppData\Local\CISfUNjAz\EhStorAuthn.exe
PID 3392 wrote to memory of 3176 | N/A | N/A | C:\Windows\system32\wscript.exe
PID 3392 wrote to memory of 3176 | N/A | N/A | C:\Windows\system32\wscript.exe
PID 3392 wrote to memory of 1600 | N/A | N/A | C:\Users\Admin\AppData\Local\A5p\wscript.exe
PID 3392 wrote to memory of 1600 | N/A | N/A | C:\Users\Admin\AppData\Local\A5p\wscript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c183d59e6ea2fe7b8e65f3e9b3efe0.dll,#1

C:\Users\Admin\AppData\Local\CISfUNjAz\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\CISfUNjAz\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\A5p\wscript.exe

C:\Users\Admin\AppData\Local\A5p\wscript.exe

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\2g0Pl\tabcal.exe

C:\Users\Admin\AppData\Local\2g0Pl\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.179.17.96.in-addr.arpa | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 138.91.171.81:80 |  | tcp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 48.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.179.17.96.in-addr.arpa | udp

Files

memory/4732-0-0x00000202035D0000-0x00000202035D7000-memory.dmp

memory/4732-1-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-14-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-21-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-28-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-31-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-30-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-37-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-44-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-46-0x0000000007570000-0x0000000007577000-memory.dmp

memory/3392-47-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-55-0x00007FFDA6C20000-0x00007FFDA6C30000-memory.dmp

memory/3392-66-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3980-81-0x0000000140000000-0x00000001401C3000-memory.dmp

memory/3980-76-0x000002118CCC0000-0x000002118CCC7000-memory.dmp

memory/3208-95-0x0000029336370000-0x0000029336377000-memory.dmp

memory/1600-109-0x00000128DDD20000-0x00000128DDD27000-memory.dmp

memory/3980-75-0x0000000140000000-0x00000001401C3000-memory.dmp

memory/3392-64-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-54-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-45-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-43-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-42-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-41-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-40-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-39-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-38-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-36-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-35-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-34-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-33-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-32-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-29-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-27-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-26-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-25-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-24-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-23-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-22-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-20-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-19-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-18-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-17-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-16-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-15-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-13-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-12-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-11-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-10-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-9-0x00007FFDA583A000-0x00007FFDA583B000-memory.dmp

memory/3392-8-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/4732-7-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-6-0x0000000140000000-0x00000001401C2000-memory.dmp

memory/3392-4-0x0000000007590000-0x0000000007591000-memory.dmp