Malware Analysis Report

2024-11-30 21:33

Sample ID 240105-g631ssefgq
Target 42fb3ee5241879292ba25f13d72e481a
SHA256 fd5e34eee23d95710ee091014560dee606e8f934c8c2f1ad1151716bf1086a40
Tags
dridex botnet evasion payload trojan persistence
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

fd5e34eee23d95710ee091014560dee606e8f934c8c2f1ad1151716bf1086a40

Threat Level: Known bad

The file 42fb3ee5241879292ba25f13d72e481a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-01-05 06:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-05 06:25

Reported: 2024-01-05 07:21

Platform: win7-20231215-en

Max time kernel: 40s

Max time network: 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\42fb3ee5241879292ba25f13d72e481a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2304 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1232 wrote to memory of 2304 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1232 wrote to memory of 2304 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1232 wrote to memory of 2208 N/A N/A C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe
PID 1232 wrote to memory of 2208 N/A N/A C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe
PID 1232 wrote to memory of 2208 N/A N/A C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe
PID 1232 wrote to memory of 768 N/A N/A C:\Windows\system32\WFS.exe
PID 1232 wrote to memory of 768 N/A N/A C:\Windows\system32\WFS.exe
PID 1232 wrote to memory of 768 N/A N/A C:\Windows\system32\WFS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\42fb3ee5241879292ba25f13d72e481a.dll,#1

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\ftRpd\WFS.exe

C:\Users\Admin\AppData\Local\ftRpd\WFS.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\XJpj\perfmon.exe

C:\Users\Admin\AppData\Local\XJpj\perfmon.exe

Network

N/A

Files

memory/2500-0-0x00000000002A0000-0x00000000002A7000-memory.dmp

memory/2500-1-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-4-0x00000000774D6000-0x00000000774D7000-memory.dmp

memory/1232-9-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-15-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-21-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-23-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-26-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-31-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-35-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-37-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-42-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-45-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-47-0x0000000002950000-0x0000000002957000-memory.dmp

memory/1232-46-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-44-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-43-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-41-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-55-0x00000000775E1000-0x00000000775E2000-memory.dmp

memory/1232-56-0x0000000077740000-0x0000000077742000-memory.dmp

memory/1232-54-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-40-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-39-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-38-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-36-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-34-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-33-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-32-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-65-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-30-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-29-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-28-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-27-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-25-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-71-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-24-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-22-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-20-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-19-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-17-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-18-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-16-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-13-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-14-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-11-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-12-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-10-0x0000000140000000-0x000000014028B000-memory.dmp

memory/2500-7-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-8-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1232-5-0x0000000002970000-0x0000000002971000-memory.dmp

\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe

MD5 870726cdcc241a92785572628b89cc07
SHA1 63d47cc4fe9beb75862add1abca1d8ae8235710a
SHA256 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
SHA512 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

C:\Users\Admin\AppData\Local\DwMUDi\SYSDM.CPL

MD5 b8841df0dc0bc3c755b5fc5cbef4fb68
SHA1 1d6570ef1e62c78cdf794279e9b3b10a1cdba5d5
SHA256 7e1801efac04cf806ea735421b7287519645c9fbdc35b92a542b4e409b23caf2
SHA512 9543cab19cafb8fc6224eddacde9765fff317c4b8f4b2a198015a4944bda8ffcc1a4dc89516e29e84623e8494803e5477b7f168c8a07502d96eb6ae9d028bb74

C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe

MD5 417b1a8cb4f12f06dd2787071323e9e1
SHA1 16cb00df8f465f2e60f85f6c6be737388d121179
SHA256 2856a9d8cdca849425e022b1742a26b3b00cf4098681b963cab082c23453cdcd
SHA512 4fa8744d2031800e50a6bb2553dca3f1d9cdc5d2b55657246bfd20f0ce2f20f9b3515803242bb1c5edd0c48931d221fc83c193452d893520d2021d1059040e51

\Users\Admin\AppData\Local\DwMUDi\SYSDM.CPL

MD5 d709ca8f8a779da776abf83cb5cd1a1e
SHA1 5e61ca8d39f57b6cf2c8c5c21a6a10e289b3c0c7
SHA256 c111f88e7bbd98f80ab4fe529b7c28ff095856836018dcae6f743aae0c12f2d6
SHA512 8f2032940239ba0721f0cfe99f1fa20dd785e0d9f81e3e14787521b5a9939820841509269890d8b8f72e69d9b1bd400e20dc615616d89cf4a763cf541d20093a

memory/2208-84-0x0000000140000000-0x000000014028C000-memory.dmp

memory/2208-83-0x00000000000F0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Local\DwMUDi\SystemPropertiesPerformance.exe

MD5 531c9ce95bd42ec1fd100723eaa210f7
SHA1 71c72028a744e9628fecd70a188ac2632151aa09
SHA256 a60166b01ca1dbee3c5370d9140562ee72d7da880a1cda442ed30dc0f5223f9b
SHA512 f3cf55810aeb065f85ca84894715bb302bc054b1247aefe28c0e80dd6e00bb6d3cfb1430a7646298d2f9bb9b518efd602ba03c166ab62ef8cd551a9062426d4f

memory/1232-94-0x00000000774D6000-0x00000000774D7000-memory.dmp

\Users\Admin\AppData\Local\ftRpd\WFS.exe

MD5 abf6673950d0c9a3b0fc0600976b4194
SHA1 2b72b9ee92260c379668a941e440c307a2f6fc27
SHA256 faf002e555a979cd8aafd8a9bdf9fd9ead2bca24c02819ec2975552d715ec2e1
SHA512 3a8c931dab6a70a24985f2c3ad17dfa73278d723b1b25382c7c7c9a179f3f3c6b619a89bf924f18bd760cce1a88c31fab3cd2c891c552f359ac1380eec183112

C:\Users\Admin\AppData\Local\ftRpd\MFC42u.dll

MD5 c467fbb5a4592637427df2c57ad9495c
SHA1 9cf64b4423dff5ccde0c93dab523a3700b9f694f
SHA256 decff76d4c80241d6e9c93d1c4879d4946b5ed2cc7d54ecb5e8e26a921e7f7d6
SHA512 daae52adfcef029382c63d948bed875ba9114762e511456d3fd36deb4501fdbdd34985a699dd8fac6e08453794899015cad38d1e5624ed47dab39a6f94e4cf0f

C:\Users\Admin\AppData\Local\ftRpd\WFS.exe

MD5 f41ab1599e67b0509cd59cd786118aa6
SHA1 4bbb338a9fe95aa1f4da4f074cc9e1427e34ea6b
SHA256 2db60d71024939269c47c7393024778dc6cd4672e97f1ef352cdfdb31af89251
SHA512 b4fc7764c6a62747e3752b4d9b06133ecb9c82f12c54fce6eca3edc4c0ce8651f3f5c5d351e5d8ebbcac2d1fe1eec27a0d5bbe820e8817db3eb4c2977c4f6d5c

\Users\Admin\AppData\Local\ftRpd\MFC42u.dll

MD5 6240a63d85416f4b4b7af5a23df31a57
SHA1 f57a7a583a7ff8e92f98c2dc069e3550f76d0dd7
SHA256 6af084e9ca6bb00531b2e218fd24680119cb548fb5b1f7fe94e3db934598396b
SHA512 81153f30f59d48809603cb61ab06f189b28b9b58b40983ef876332838c5238628ca62c54a7d6f61390c32bd7c42b8ee6e72aef60af282e304c95145921460fd4

C:\Users\Admin\AppData\Local\ftRpd\WFS.exe

MD5 c649f57113d8f8c6b137e52fe636e8d7
SHA1 0992ca75691fae64fd253023510147e332f36fdf
SHA256 a5e7c53ac703ea35b20886bf592e0c7653f59809fdc49d77d993c4a84d8a2768
SHA512 747555956d22b8d1cd8764c0c891af9debefcad837c16f6ec7e03b4b357ba6894dcbe9715e6322ee6aab7287a40eeaf0b2995082157326bda1c4a56e77ba502a

\Users\Admin\AppData\Local\XJpj\Secur32.dll

MD5 eba5d44088c613dd060be697278d855f
SHA1 86fe3b624fae3b257a2f8cc6339c331d864b976f
SHA256 3645b244b798684a4509fbe3db11b022d458e4f1df8aa30be94742b2750962e3
SHA512 4dfedeaaa2e15f62f2606fd50a106338123c9ede9077302a3f10a0e505b0953b5a3198776bc39b2b21beb9d8cf53dc69ac6c9e2d36b95238b77d25fe8541b760

memory/1796-125-0x0000000000330000-0x0000000000337000-memory.dmp

C:\Users\Admin\AppData\Local\XJpj\perfmon.exe

MD5 c261ffb00eda4dcca573921f1d497b76
SHA1 14cd60cacfaa5bae9747ec1801c4b1b6c525ef37
SHA256 5dcd70abd222b38de3ad33ddc71bc5f8aad58d49938e10e8b3609be38eda0ac6
SHA512 6e568f3c530870ade17043f33477567e6dfd46ba29a7b2d22adf42817460938087914f7631b39fc96a6bfa15b07b449d280c849c375f04e181962b8d54634360

C:\Users\Admin\AppData\Local\XJpj\Secur32.dll

MD5 2cbac88a9eed142c0ac17aa9747e964b
SHA1 181204775b4a3843dde2a55d2892bbdfd0b5d8fc
SHA256 3edb459e6c9481d9291691edd34d959550231bc121561ec8e94b4cafd4cf4921
SHA512 ff8fc318749594d42ea7c0e7d301972aa09fd7a874c9dca69544581c00148237405a275634c0ef4a4b350f565d9dff1079eafa45436c7999ee02eddb9172256f

\Users\Admin\AppData\Local\XJpj\perfmon.exe

MD5 e28e3cafca12140842d01c322cc1ca36
SHA1 b9c26f5d570fc80ac1dd6abb4c0d7e1d2bfc5fed
SHA256 8cb0db078a5ab7f250804ef3463fff9a721d30e7f018a88d22a8a5d318624310
SHA512 d3044eabbe486b58572e82f5a7196fc2ed5b6a930c6603b544377017d46ee17945a47836503883c88f8a7ce1749ee117763e5009ab02e559613f7a8f25fcb634

C:\Users\Admin\AppData\Local\XJpj\perfmon.exe

MD5 0fee95028f3e44118a97ffae4a3e36e7
SHA1 938d0c494eead2e6f1a322be3756995d7ab94f2a
SHA256 04996710bf7db6669103f400e453349677396dacb357e2d9bfc8d23e14397442
SHA512 47677a626c8950767ce2bb65e585127c006c67557132a1e2784cba6b7329788c78d86dfa021c5022f2aeb2f62a0e21afaabe3105b032bc0cf0bedc72cafe1cfe

\Users\Admin\AppData\Roaming\Microsoft\Credentials\40\perfmon.exe

MD5 11cf98684b08864dd296ef0aafc59d5e
SHA1 315a19bf258f6f9de2af27b77fbfb24f8a9b3682
SHA256 3017e2240da6699f0adf4c8cb63cb4103b78c140639e0d3183942b363dab9009
SHA512 5d71c540ba923e4994d4b4afd82b9886f84760ecb5f4fdbc5ca6cb18c7c8eb382336bdd28bd5c695457da33beac83cb6e12e9d43913c4297d0d987b4bfaa556c

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 50f4f984d7b629721fb3ceb3f52d09b0
SHA1 14be5888d3e1c4c2ff57ef5575438de38b554bcb
SHA256 ef065a54709d4ac1befdf4325972f69ef9da7b7c0157f6837e39604274e32875
SHA512 76eb7291aef8395ebe46b59e7fd9ad2f29f64e8f737ebebaba01ac2541ef4b939370f66a0ca128ffa6e9f09c7e97cbd4bbdb546bb834a9437f7045914055460c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2hZ\SYSDM.CPL

MD5 b9500baaa9ef4fa69c286872e4e5c3ed
SHA1 a3af820ee993b63fab648e7047f03ed1feb18971
SHA256 231b2558952168a5815c02adc6373b5ca959a043a5b1314dcf409b96c06e40f4
SHA512 40eece3c96e0f393080b735b9e0b2838120abadf23516dc38cc23059c1059ffa227ff62722aa32a478200af7c9e5244bc85bf805d6e2751e114855234aa5a894

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\19VZG6U\MFC42u.dll

MD5 e33e911793b6cdebd9f136150ae8591f
SHA1 fc6acc543e70be7fd16a6a76817a244808b39a7b
SHA256 d8f5bd3f9f122d114a95cfa403db3fb20a9b32c5de5fe69d11770faad0ad1e08
SHA512 3a475d519ae43e3f13c9e67b21ea8db79833fe6370896164864586a8596e0ab65a78af3ce211d077e76f5437d226e784cd0d747674336861aa46e9a1140122f5

C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\40\Secur32.dll

MD5 e8738ef68121cf40d7ff23e978471034
SHA1 39803441fd377553a72be1929dd47a1091e3409a
SHA256 cb6fe0bbb84010962bb907fa9ad44905a491ccedceefabb2f63f426e60a5aeb4
SHA512 8044ae6b057ae7ec45aff7315a116688d5d48c5d1f98fe23436a18be04297112c393f1a45f242883e7c35f0da8ce1d572e3e596ee55322d7660b572d50b3a3e4

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-05 06:25

Reported: 2024-01-05 07:20

Platform: win10v2004-20231215-en

Max time kernel: 131s

Max time network: 177s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\42fb3ee5241879292ba25f13d72e481a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\Qauy\\MUSNOT~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 4856 N/A N/A C:\Windows\system32\mspaint.exe
PID 3512 wrote to memory of 4856 N/A N/A C:\Windows\system32\mspaint.exe
PID 3512 wrote to memory of 1188 N/A N/A C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe
PID 3512 wrote to memory of 1188 N/A N/A C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe
PID 3512 wrote to memory of 2996 N/A N/A C:\Windows\system32\MusNotificationUx.exe
PID 3512 wrote to memory of 2996 N/A N/A C:\Windows\system32\MusNotificationUx.exe
PID 3512 wrote to memory of 4888 N/A N/A C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe
PID 3512 wrote to memory of 4888 N/A N/A C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe
PID 3512 wrote to memory of 3700 N/A N/A C:\Windows\system32\MusNotificationUx.exe
PID 3512 wrote to memory of 3700 N/A N/A C:\Windows\system32\MusNotificationUx.exe
PID 3512 wrote to memory of 4896 N/A N/A C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe
PID 3512 wrote to memory of 4896 N/A N/A C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\42fb3ee5241879292ba25f13d72e481a.dll,#1

C:\Windows\system32\mspaint.exe

C:\Windows\system32\mspaint.exe

C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe

C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\wngm\MusNotificationUx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 33.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/1816-1-0x0000000140000000-0x000000014028B000-memory.dmp

memory/1816-0-0x0000027C039D0000-0x0000027C039D7000-memory.dmp

memory/3512-5-0x00007FFCC502A000-0x00007FFCC502B000-memory.dmp

memory/3512-4-0x0000000000630000-0x0000000000631000-memory.dmp

memory/1816-8-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-9-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-10-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-11-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-12-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-13-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-7-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-14-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-15-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-16-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-17-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-18-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-19-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-21-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-22-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-20-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-23-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-24-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-25-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-26-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-28-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-27-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-29-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-30-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-31-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-32-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-33-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-34-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-35-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-37-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-38-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-36-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-39-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-40-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-41-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-42-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-43-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-44-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-45-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-47-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-46-0x0000000000610000-0x0000000000617000-memory.dmp

memory/3512-54-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-55-0x00007FFCC6AA0000-0x00007FFCC6AB0000-memory.dmp

memory/3512-64-0x0000000140000000-0x000000014028B000-memory.dmp

memory/3512-66-0x0000000140000000-0x000000014028B000-memory.dmp

C:\Users\Admin\AppData\Local\Uo2tf9P\mspaint.exe

MD5 f221a4ccafec690101c59f726c95b646
SHA1 2098e4b62eaab213cbee73ba40fe4f1b8901a782
SHA256 94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709
SHA512 8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

C:\Users\Admin\AppData\Local\Uo2tf9P\MFC42u.dll

MD5 268b586340fab5074f17aca058cad3cc
SHA1 ab8134697ee626bbb77a151e666d08232a9da0b1
SHA256 671d789a96206374d750e39f67519f8c3c30536066b2e0beabb459eaef62a9a0
SHA512 6ef57937be6aa648d9dd5afe7a4703775cb512b5f82bb71c7ed2e34380e7ff173a56b2f446825527435fcddd5e764435ca75e074aa3394097622b618d0595331

memory/1188-76-0x000001C6F7680000-0x000001C6F7687000-memory.dmp

memory/1188-77-0x0000000140000000-0x0000000140292000-memory.dmp

memory/1188-80-0x0000000140000000-0x0000000140292000-memory.dmp

C:\Users\Admin\AppData\Local\Q9r\MusNotificationUx.exe

MD5 869a214114a81712199f3de5d69d9aad
SHA1 be973e4188eff0d53fdf0e9360106e8ad946d89f
SHA256 405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361
SHA512 befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

C:\Users\Admin\AppData\Local\Q9r\XmlLite.dll

MD5 62daff326b906c05605df8b44df28b72
SHA1 68fcbbfe5fdb6ad19bf9dfd0a352893c77a7960b
SHA256 eece8996ec8e046a1b064cc0dda1f88a2507a1b22d1aab01c4665d04d12abea1
SHA512 e297ec21a66aa312ddb58d42f000b441e3925ce51256efdbedebc4746ea39f21a0ff48ee8b76dfa3ec693983dcd8a548c43ec26724926fc100b499164b1e4514

memory/4888-90-0x000001AD0C9C0000-0x000001AD0C9C7000-memory.dmp

memory/4888-89-0x0000000140000000-0x000000014028C000-memory.dmp

C:\Users\Admin\AppData\Local\wngm\XmlLite.dll

MD5 b1457fcd90fb8b6db197f90ca3c4a86c
SHA1 5bd14a4268064e441cc84abf8fe9cd5c94142086
SHA256 5728104e6dd649c457d6138866eca6bd3c911590c6c000f51be21a0d85de341a
SHA512 72e6beeb2b852846d5c28fb5b4a1b714352b5220ff12784ce0956d2151967731515e9b8bbe0e61cc19c339df7e585aacbf6e487a2b5f41ca12a405d0d024ffe2

memory/4896-108-0x0000022C1DF50000-0x0000022C1DF57000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 262baa4a5197c6aae8f0bf3843a89167
SHA1 279da828fc7641725443f0600ad12446f3176c71
SHA256 4a8eac2d857d2c9be712bdfc0e71ed4be0b4c8ed007a4990733e803cc89cb24f
SHA512 e13b0a510455c5ac0ba2fdceb097039625ad430dd64f302534bf76c9fb1676a706ddc9528876f854ce5f3b0985a1b67c19376f35a674f9728d744eb2844606a8