Analysis Overview
SHA256
fd5e34eee23d95710ee091014560dee606e8f934c8c2f1ad1151716bf1086a40
Threat Level: Known bad
The file 42fb3ee5241879292ba25f13d72e481a was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-05 06:25
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-05 06:25
Reported
2024-01-05 07:21
Platform
win7-20231215-en
Max time kernel
40s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1232 wrote to memory of 2304 | N/A | N/A | C:\Windows\system32\SystemPropertiesPerformance.exe |
| PID 1232 wrote to memory of 2304 | N/A | N/A | C:\Windows\system32\SystemPropertiesPerformance.exe |
| PID 1232 wrote to memory of 2304 | N/A | N/A | C:\Windows\system32\SystemPropertiesPerformance.exe |
| PID 1232 wrote to memory of 2208 | N/A | N/A | C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe |
| PID 1232 wrote to memory of 2208 | N/A | N/A | C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe |
| PID 1232 wrote to memory of 2208 | N/A | N/A | C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe |
| PID 1232 wrote to memory of 768 | N/A | N/A | C:\Windows\system32\WFS.exe |
| PID 1232 wrote to memory of 768 | N/A | N/A | C:\Windows\system32\WFS.exe |
| PID 1232 wrote to memory of 768 | N/A | N/A | C:\Windows\system32\WFS.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\42fb3ee5241879292ba25f13d72e481a.dll,#1
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe
C:\Windows\system32\WFS.exe
C:\Windows\system32\WFS.exe
C:\Users\Admin\AppData\Local\ftRpd\WFS.exe
C:\Users\Admin\AppData\Local\ftRpd\WFS.exe
C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
C:\Users\Admin\AppData\Local\XJpj\perfmon.exe
C:\Users\Admin\AppData\Local\XJpj\perfmon.exe
Network
Files
\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\DwMUDi\SYSDM.CPL
C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe
\Users\Admin\AppData\Local\DwMUDi\SYSDM.CPL
C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe
\Users\Admin\AppData\Local\ftRpd\WFS.exe
C:\Users\Admin\AppData\Local\ftRpd\MFC42u.dll
C:\Users\Admin\AppData\Local\ftRpd\WFS.exe
\Users\Admin\AppData\Local\ftRpd\MFC42u.dll
C:\Users\Admin\AppData\Local\ftRpd\WFS.exe
\Users\Admin\AppData\Local\XJpj\Secur32.dll
C:\Users\Admin\AppData\Local\XJpj\perfmon.exe
C:\Users\Admin\AppData\Local\XJpj\Secur32.dll
\Users\Admin\AppData\Local\XJpj\perfmon.exe
C:\Users\Admin\AppData\Local\XJpj\perfmon.exe
\Users\Admin\AppData\Roaming\Microsoft\Credentials\40\perfmon.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2hZ\SYSDM.CPL
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\19VZG6U\MFC42u.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\40\Secur32.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-05 06:25
Reported
2024-01-05 07:20
Platform
win10v2004-20231215-en
Max time kernel
131s
Max time network
177s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\Qauy\\MUSNOT~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3512 wrote to memory of 4856 | N/A | N/A | C:\Windows\system32\mspaint.exe |
| PID 3512 wrote to memory of 4856 | N/A | N/A | C:\Windows\system32\mspaint.exe |
| PID 3512 wrote to memory of 1188 | N/A | N/A | C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe |
| PID 3512 wrote to memory of 1188 | N/A | N/A | C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe |
| PID 3512 wrote to memory of 2996 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3512 wrote to memory of 2996 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3512 wrote to memory of 4888 | N/A | N/A | C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe |
| PID 3512 wrote to memory of 4888 | N/A | N/A | C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe |
| PID 3512 wrote to memory of 3700 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3512 wrote to memory of 3700 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe |
| PID 3512 wrote to memory of 4896 | N/A | N/A | C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe |
| PID 3512 wrote to memory of 4896 | N/A | N/A | C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\42fb3ee5241879292ba25f13d72e481a.dll,#1
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe
C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe
C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
C:\Windows\system32\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe
Network
Files
C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe
C:\Users\Admin\AppData\Local\Uo2tf9P\MFC42u.dll
C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe
C:\Users\Admin\AppData\Local\Q9r\XmlLite.dll
C:\Users\Admin\AppData\Local\wngm\XmlLite.dll
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk