Malware Analysis Report

2024-11-30 21:27

Sample ID 240106-htl27aagaq
Target 45958928fbbbf80172f7886aad1a3e8b
SHA256 11bd20582fb4a6a48501ce358c8ca69d6fb7974e611e50882bc4a9f0fcd72b0a
Tags
dridex botnet evasion payload trojan persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

11bd20582fb4a6a48501ce358c8ca69d6fb7974e611e50882bc4a9f0fcd72b0a

Threat Level: Known bad

The file 45958928fbbbf80172f7886aad1a3e8b was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload trojan persistence

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-06 07:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 07:01

Reported

2024-01-06 07:05

Platform

win7-20231215-en

Max time kernel

7s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45958928fbbbf80172f7886aad1a3e8b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45958928fbbbf80172f7886aad1a3e8b.dll,#1

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\jwunK3TC\dpapimig.exe

C:\Users\Admin\AppData\Local\jwunK3TC\dpapimig.exe

C:\Windows\system32\wusa.exe

C:\Windows\system32\wusa.exe

C:\Users\Admin\AppData\Local\5DY5S\wusa.exe

C:\Users\Admin\AppData\Local\5DY5S\wusa.exe

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\ZZ7fK5BL\tcmsetup.exe

C:\Users\Admin\AppData\Local\ZZ7fK5BL\tcmsetup.exe

Network

N/A

Files

memory/1988-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1988-1-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-4-0x0000000076DB6000-0x0000000076DB7000-memory.dmp

memory/1212-5-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/1212-14-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-13-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-12-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-11-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-10-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-9-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-8-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1988-7-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-18-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-19-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-17-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-21-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-32-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-33-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-35-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-34-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-31-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-30-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-29-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-28-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-27-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-26-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-25-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-24-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-23-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-22-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-20-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-16-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-15-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-37-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-40-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-46-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-47-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-48-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-45-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-50-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-52-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-55-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-57-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-58-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-60-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-62-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-65-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-64-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-63-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-61-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-59-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-56-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-54-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-53-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-51-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-49-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-44-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-43-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-42-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-66-0x0000000002A70000-0x0000000002A77000-memory.dmp

memory/1212-41-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-39-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-38-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-36-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/1212-76-0x0000000077120000-0x0000000077122000-memory.dmp

memory/1212-75-0x0000000076FC1000-0x0000000076FC2000-memory.dmp

C:\Users\Admin\AppData\Local\jwunK3TC\dpapimig.exe

MD5 7a064a5e6d8203352328d3810ba4acef
SHA1 3944b2b0ef287a2cb455205dc52764e5ea1952e6
SHA256 39926843f40d41fa54b2bd6d341c59dc2c81a265b8d34cf58b770db026fb81f4
SHA512 e90a11e29fd379a7384a20f0d3988f670ca47c3c3cde0c7c5b5e26226a97d4347dbdf121787f7766a5cd12ece3a698e0b720653991348795a519ad368be40f97

\Users\Admin\AppData\Local\jwunK3TC\DUI70.dll

MD5 cdecc955e66201400341001379500fe1
SHA1 8ca4e393e2fdef21ec55e8a933ab905d79b44030
SHA256 0b4cc1c640ceb2437f5e0fcd6b605981d42048ef381b8bcdd1732406900de10b
SHA512 5238f48fb9e90d9d2281f1c8649893ea75530289dac136ed017b05730f3727a9ae00b867b91c4e4f261cb0ba1a3ebfd20afe17785dc4755965e2b56aa0d4d837

memory/2992-103-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\jwunK3TC\DUI70.dll

MD5 8ea58ace535a7af65f8149f2cdc07f63
SHA1 a42ec04a60d9e2b670d715e215acd61e33d046aa
SHA256 dd7a3457522885adb8ed984768bf701fad1544d05d3083e2d7dc435f46c8b277
SHA512 61081a74fa96f2c7c5c0ccc9737aa97453f1d85a8c8f5c4f76837adece35c28240836e7647cdb360c8c9fdcf21d95370e3d4d03673a68d8395ed334cd04a570c

\Users\Admin\AppData\Local\jwunK3TC\dpapimig.exe

MD5 8427eb7a3b35f798acb2e907f8dc8d27
SHA1 fe9ba2aa19822e51e47823659074dbbaf62c6a98
SHA256 52fa42b8526a42d8add1f33396e77e04118f953e81c90c9bba9985f3802e59a2
SHA512 05191c03e55920b4bd49ba20cc4df32d543f2f8dbb596e28149131e7786c9d0188c1427afda8826db67fc6749cd6862cfc6ed98964f8bc0e3732ba27fe51588e

C:\Users\Admin\AppData\Local\jwunK3TC\dpapimig.exe

MD5 0e8b8abea4e23ddc9a70614f3f651303
SHA1 6d332ba4e7a78039f75b211845514ab35ab467b2
SHA256 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA512 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

memory/1212-114-0x0000000076DB6000-0x0000000076DB7000-memory.dmp

C:\Users\Admin\AppData\Local\5DY5S\dpx.dll

MD5 f78c30dbdb37568475a4637679b3699f
SHA1 4190ac32ba2aafd85a7cafa19f325ad03fac30a2
SHA256 6866d57339e007e81776e281df66e7aa6e6a57fed16aa908f12de37a0dadda5b
SHA512 fdc12495f7c86412a912a1750cd9070da08d87a1fdac48ca0a5320dc9cefefb09d6169f93a498c977d614edcb0308e1bbde07768c2a1d30ccdc44e653aa8837e

\Users\Admin\AppData\Local\5DY5S\dpx.dll

MD5 38060cdcc5a28fe64f584a6f5f1d4fda
SHA1 ead95d2607d13a3c48445dc7be4d0ca7d2608eac
SHA256 b3a3d3ec2a3c0db3a438b91fbd8d6ec82245ebec8cc58f0ac987a8fe4d210bb9
SHA512 6228def82537ba865e288aaaf801fd133e0eaeded11e727d73c2478f1b9e4d81c34196c954d45414b5284aa27e77b76632760e3422580517a3f0f819d8a95d92

memory/2780-122-0x0000000000320000-0x0000000000327000-memory.dmp

C:\Users\Admin\AppData\Local\5DY5S\wusa.exe

MD5 469f709ba6ec11331883a5c95935558e
SHA1 8ba5b0d9f426838f7c9696a035b21ad92f7e4201
SHA256 50d6dddaa09c37b19bc8c6132968da325e03cd7e3cb1a98eaf7c482bf7433cad
SHA512 1e5707e5118d7f4f39dceae4c49c795c9553b14f9191342965483a5826362188cb1ce3466d462cd963e0a304d26e4191ec996ab534197906cd4f277890b650d7

\Users\Admin\AppData\Local\5DY5S\wusa.exe

MD5 3bb2c85681c32fa2c52b5623a0c0c685
SHA1 0ed764a496eb08af1a5a6d1c997c1643c2664ac5
SHA256 904980d13dd1c6abc1fed3304b1f3c2b906fc2864cebf94850e8372fcc22a173
SHA512 bd0bb1ac96b4d05cb6cc4cbc1d1c03343f3d81815e2ab868152bf5bdd1802a4f9782bdeef7444a525f75b8cca818a3932d000bf899941f527d47a9652f8a0b92

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\s54\wusa.exe

MD5 fcac749c1959f4351b31610853930138
SHA1 1ce91709836175234ad2be56b17cb582aae9a6e0
SHA256 3cfc65ff2a2c906a6b21e54efb2b505f15cbf4f5c644489ec85b3e8aa8d3f3a6
SHA512 9a7d1d7bb42809157152c5d9fdb3b4e2ad08fea7aa5cacea6915935ce041d743c78d37e0875a376c858e5de7d42bc76450aa90a3d1d6504c427cc1c1b185e327

C:\Users\Admin\AppData\Local\ZZ7fK5BL\tcmsetup.exe

MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

C:\Users\Admin\AppData\Local\ZZ7fK5BL\TAPI32.dll

MD5 3c61c1860af6f5cfdbd37440ac2f4d33
SHA1 2bcc2fbc37654c69883f7ed66b1768d0c341963c
SHA256 e68d25cfa6ff65a214ab26858800ad76765b8851557a1bbea2c571ffca1ef75e
SHA512 d4d6e312f2db114264ee8abd618c05fdda24a41eeb86d0534c034a1ff0ea9539b0f041a8d616486397804196ada409951894ea391d61a0de5d9bb20c38f28227

\Users\Admin\AppData\Local\ZZ7fK5BL\TAPI32.dll

MD5 edfaa2bf419c95b23f968a2c04bf164d
SHA1 d8146b3c7ba17f1e6b4b9c61be1143f854d9f163
SHA256 fdc98ee646c36a0663f6a5cdeaa1979af5b2e0677aed457597e183a1526761fe
SHA512 4050a7ea71807d586411d5d5bf3905a073551c25d014504567b6b8f109be979821ffcd7ec9ea91ef944473ff76b0836562b04a10212d303a6727622d37e2f22a

memory/1764-139-0x0000000000080000-0x0000000000087000-memory.dmp

\Users\Admin\AppData\Local\ZZ7fK5BL\tcmsetup.exe

MD5 fd020b037e6517def1d8d1322c77c0d9
SHA1 3fbc7d70929d2781f2178626cfc489aa188ef9dd
SHA256 2cca676a08c2ab765a4bd8368e9a4a6228ee31d1959d3aca7c15bb9a464f30cf
SHA512 1f3da985bb180ac287ae1ba6b6aee1c91198345ef7fb0e554701a0ed0d0aebe6fdb8caee8cf3ae9f7b8281657c2ae0bebed6d352f43639b07fdbf0e9c787d85c

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 0d01d827a3573c83d5503adf46bea770
SHA1 d986e47e6de2b3118180858dddb115e8eeb7d049
SHA256 6866e99f94dc0d1a59fbafaa99d8d2619461e0189d70ffd2c7c6778678cc1adf
SHA512 d39b07160596f15e9564f84f0631859ff605ae05c5f3581ffecdf935e2a4455427da7a0e2e9e4b0601a7b3b9855a42a9867cfc059e6db4bc01e2414e3d814fa3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\9Bou08ahK2N\DUI70.dll

MD5 418a28ab937d8100b71754cd13ecaf7b
SHA1 e9732e18eb5593721cf0e6daaa44cf90949962e6
SHA256 a7724049d63b64716679edf4aa79b2d4ce88b43d535d885b41ccb42e8862c338
SHA512 8990d7f5c66c6321d710a13e003768e03076bf1b4b3ed01be2101681bf7a504a5b7c72e8458937f0d188a028e32ee9a6a7135f3649a63710c24518dfe809cc2b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\s54\dpx.dll

MD5 9fc47377eafd2b5759624c286d057abc
SHA1 30a487358960b50f02c5079cd356481b83c3bd9a
SHA256 9fb28163a3453429900928cd616c25f0e990446cf3539954cdebd6e2bf46fc48
SHA512 0fa230dada8eea143657d3f1f26de5bc730643c9eb8e93d85f8f37e4cd81041be508c84eadf456cd07656d856f027e9742264724f2b7a7328e60b23591cc25c3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\ODHPbKeDC9z\TAPI32.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 07:01

Reported

2024-01-06 07:05

Platform

win10v2004-20231215-en

Max time kernel

130s

Max time network

215s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45958928fbbbf80172f7886aad1a3e8b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Java\\Deployment\\Eb\\Dxpserver.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\lm0KW\FileHistory.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wR7sxaO\Dxpserver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\u6W\WFS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows with N/A in every column omitted)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3536 wrote to memory of 436 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3536 wrote to memory of 436 N/A N/A C:\Windows\system32\FileHistory.exe
PID 3536 wrote to memory of 4820 N/A N/A C:\Users\Admin\AppData\Local\lm0KW\FileHistory.exe
PID 3536 wrote to memory of 4820 N/A N/A C:\Users\Admin\AppData\Local\lm0KW\FileHistory.exe
PID 3536 wrote to memory of 2304 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 3536 wrote to memory of 2304 N/A N/A C:\Windows\system32\Dxpserver.exe
PID 3536 wrote to memory of 1796 N/A N/A C:\Users\Admin\AppData\Local\wR7sxaO\Dxpserver.exe
PID 3536 wrote to memory of 1796 N/A N/A C:\Users\Admin\AppData\Local\wR7sxaO\Dxpserver.exe
PID 3536 wrote to memory of 3000 N/A N/A C:\Windows\system32\WFS.exe
PID 3536 wrote to memory of 3000 N/A N/A C:\Windows\system32\WFS.exe
PID 3536 wrote to memory of 3416 N/A N/A C:\Users\Admin\AppData\Local\u6W\WFS.exe
PID 3536 wrote to memory of 3416 N/A N/A C:\Users\Admin\AppData\Local\u6W\WFS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\45958928fbbbf80172f7886aad1a3e8b.dll,#1

C:\Windows\system32\FileHistory.exe

C:\Windows\system32\FileHistory.exe

C:\Users\Admin\AppData\Local\lm0KW\FileHistory.exe

C:\Users\Admin\AppData\Local\lm0KW\FileHistory.exe

C:\Windows\system32\Dxpserver.exe

C:\Windows\system32\Dxpserver.exe

C:\Users\Admin\AppData\Local\wR7sxaO\Dxpserver.exe

C:\Users\Admin\AppData\Local\wR7sxaO\Dxpserver.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\u6W\WFS.exe

C:\Users\Admin\AppData\Local\u6W\WFS.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
GB 96.16.110.41:443 tcp
US 192.229.221.95:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3080-1-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3080-0-0x000001C3328A0000-0x000001C3328A7000-memory.dmp

memory/3080-4-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-5-0x00000000030F0000-0x00000000030F1000-memory.dmp

memory/3080-7-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-8-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-11-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-9-0x00007FFAF21FA000-0x00007FFAF21FB000-memory.dmp

memory/3536-10-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-12-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-13-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-15-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-14-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-16-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-17-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-18-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-19-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-20-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-21-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-22-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-23-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-24-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-25-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-26-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-27-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-28-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-29-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-31-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-32-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-33-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-30-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-34-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-35-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-38-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-41-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-44-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-47-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-50-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-51-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-49-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-48-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-46-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-45-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-43-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-42-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-40-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-39-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-37-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-36-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-52-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-53-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-55-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-56-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-57-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-58-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-62-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-63-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-65-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-64-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-68-0x0000000001410000-0x0000000001417000-memory.dmp

memory/3536-61-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-60-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-59-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-54-0x0000000140000000-0x00000001402A8000-memory.dmp

memory/3536-76-0x00007FFAF3980000-0x00007FFAF3990000-memory.dmp

C:\Users\Admin\AppData\Local\lm0KW\FileHistory.exe

MD5 67586339b86494ed3a7f8d0e926711cb
SHA1 25900685bc5dd406c6c3a9b4bae9050b40283c2a
SHA256 d5f8acac7ac89d81d4e5d714594b2e15c088decae60ed3d6d878ed0cd48c98ba
SHA512 b5f3b1d3f2a79c327d9d60ef5690483ce8b84e5d5c976d5493f91e41a7c22c9486de82fc6ee763d1bfb6f4d205c4668e1c0a47a45a32dfee9f8bfb70823820d7

memory/4820-96-0x00000267D5950000-0x00000267D5957000-memory.dmp

C:\Users\Admin\AppData\Local\lm0KW\UxTheme.dll

MD5 dc4853001e2e3b7af1e984c0ddb572bb
SHA1 0ce67719f24cdac917f6bdc2a1e1ffaf5b877ed9
SHA256 d242034fd0ecda669662bb0045a43829138c22a20f8924289e6491dbbed6d29d
SHA512 51f0653e030f237fb5ed3966879c595925e2cc6dce3ba055cb77bef242654cc080cfa2e1e0679526dd3f92496978dfcb34532e2c5692ae9103c0b7529f24f34b

C:\Users\Admin\AppData\Local\lm0KW\UxTheme.dll

MD5 22d2471f6c9e401e93dfc55da78e0590
SHA1 ea7893df0f30ff68db76a7bbb388554bfd75c56e
SHA256 0fa9bdd6c997b9f54bb274d43796042071d7c2fcff5bab719f9f40da8a9e1408
SHA512 abc0779e834e85948e936c041e2865977b4d9f5f6e1f697cd2790bf0b79252d578f4c1c52e9d59c4ef7c85214c30c069cd69227d6855219e7a86637edfb1e909

C:\Users\Admin\AppData\Local\lm0KW\FileHistory.exe

MD5 6d7d0f66b5543d4a05a94be5270bbc12
SHA1 f66509b257a87820b5984529ed3cbad88b30a30b
SHA256 b05937986c119a5683dcdd980054b74cd35a6bdf6b88f3936fe0e7a96f4cba96
SHA512 6f52908031834a5569c5c7778bd2c789b5a0d659b50db373653558f3dfdec84ff8713da480b993b08990b769f642c89a433e64c29e466ef263482b25788b5cf2

C:\Users\Admin\AppData\Local\wR7sxaO\dwmapi.dll

MD5 d2268477a539e31ba006b176f1161025
SHA1 a31f408dea642b2c72e5cfaeed2b6811caa707ca
SHA256 ff4ce651000a3a2aad71552128c5d938726e6994d1bbf2699c5e792a3840b2be
SHA512 7867bc8caf07c57f5976eca1d895e705f850b257f89f40b33ed51d6cac7be6714577b54becbdd07e1a0b477e7e120ef86ecbbfef1fe4f0466337022cb4357634

C:\Users\Admin\AppData\Local\wR7sxaO\dwmapi.dll

MD5 b4c0899d846c9fefcdcbafbc0865422c
SHA1 8af7c6ad8d64dcae8799fe2801f11430dbb1effa
SHA256 f0ed020136d11db84317e853ebdf29f5c5349d6a97b4d34332dbb09e0ffe205b
SHA512 9b09b35914d7a9edd9824703d4c500214cc1aad05c097a1d84d9710935ac9061252bb7a85f02e508c78825000dcc5bbcc2c0f603d9bc111f36520c982f5ce1e4

memory/1796-113-0x00000174084F0000-0x00000174084F7000-memory.dmp

C:\Users\Admin\AppData\Local\wR7sxaO\Dxpserver.exe

MD5 2049ec4476d97a7751ccff25648bd4d7
SHA1 0b34ecd91006ac34b892873e839363abefd2e6c4
SHA256 d83427f0145da93a36a77a5f711521533db4b6dc5322cad704f65be32c13501e
SHA512 635f8f4534e0321e97f37019b41ec3dd27c46eb930d1155d9dfe17abbef93ba8d481990fb5ca71161c5d322a848f1603e246519364adab85abef6b5e97cf356d

C:\Users\Admin\AppData\Local\wR7sxaO\Dxpserver.exe

MD5 e7e757fb48adf2d5fcb5d858af72f87f
SHA1 6298cd42e72f0074d103e11d3840663073cc8383
SHA256 14087e2f37bae4881d97ae915159a58e78ae09f620c897b476400a5940c0a0dd
SHA512 bbd01a984229eee99ee3269285ebe950ce8f4542b38b47b9dcf8e6f9bb660efdd93d888375d6e6c73de84e23e60b033401f348be54070516aa74b6c8ab157196

C:\Users\Admin\AppData\Local\u6W\WFS.exe

MD5 ea1c955d5429a0fb6781c6f6401881e4
SHA1 b834e065cc1feb2f944458acf5d5a1ea605e6299
SHA256 f8129b172265270a445cc52956e7932f3b6a6deaa7855b0a3d0c6b751afc0dd5
SHA512 f1345d2206367ef3961f97101ec5a352e302ef4fc119c0e7889c8111fd513a3feabda732fd2079aa7737e99c91988db0b19c874860a8efabc68f94b00ff1d95c

C:\Users\Admin\AppData\Local\u6W\MFC42u.dll

MD5 54849bb4b13143d906c1154ca49f703a
SHA1 5d496053318af4405d693516537417f0d77b230f
SHA256 bfaee18dfaf0f8e1d93fc500632fe0b8a5b3ed7e8a824710e257a0fe778b9798
SHA512 c0923352f7bb87a5fd5bf15b4b863ed2a80ac09a7aadb115fd823fcf17691cd299386ee8b2113bc089afdfeb0459c098316c6948722101a9b8bb39c767be8862

memory/3416-131-0x000002B97FEE0000-0x000002B97FEE7000-memory.dmp

C:\Users\Admin\AppData\Local\u6W\MFC42u.dll

MD5 e188166ce942a5687f44a78485a2d9fd
SHA1 f9ca9cb52411dfd3653010d5b9f422c540e3169f
SHA256 e70dc63262af36d16df2e8a9cf45d9d5a425ea8a928f42ef322b764f09617fd9
SHA512 dbf6b7226a73de469ebb0b85a1dbfdfedd764d3cbaeadfd0866a4d21e257ecdb0c2faee28fd3b20c3471feaa79398da6acd87f5595df1e8bf72c4d419e45e578

C:\Users\Admin\AppData\Local\u6W\WFS.exe

MD5 3691c48e32d13496f3d1b2cb936514f5
SHA1 323a37e30171094b4fb52f7c0e9020ec2cce6278
SHA256 97526d358584149ebfd78e9c2363aece2bf8164519e10941915f5da417fd34a8
SHA512 db6f2b35dc571a8f34843836e0774570e35d96b99587ccdf4f44b03719e020d7cf9395213869e5136e381fa95aa716f20a004150acb3fef18773af12315413cb

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 52e8deb2231ec1445086e91e39b0839e
SHA1 8f5028ccc6f006563631e2cd6cfcc2f2536371b5
SHA256 8b0c3b3cbd598bb84b16eec532af95fe747db54d3d1383c1627c33e7c5d5ee09
SHA512 4e5bb4033fa3b8363516d06a1c27aae3739caa14b003c564cdbcc15dc3bcc85c6a7c261892b8eebee3eeb78f43d03192d40855dcd6baedfae86cfeaa39b4f975

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\TY\UxTheme.dll

MD5 a9170dfb91f0c127fd2633aecd33a9a8
SHA1 8e3a952091134818e4609b70fad7e0770c98a324
SHA256 c49890a81c680380432b77519dad1657edda90cac7a4778c409c9f40cb279a2e
SHA512 e852e0b9ec5bdaa751974809ae996e35832f5aa076166401d7b46badeacdd5b74b6f9d3db178ccf06672aef99e9877642cb59200f60d86e65792d85cc079aa3f

C:\Users\Admin\AppData\Roaming\Sun\Java\Deployment\Eb\dwmapi.dll

MD5 4fd71b53468ccd90099002ff380e45dd
SHA1 eece851802e967dc8679159b979a653555198cab
SHA256 cd24ed85cc325fd1d6bc8525fdd1e9cfc73c6444a7c236891d25df521aa5dbe2
SHA512 1eb09571932db877131c29893aacd896ff98a2454557f47a8de2635915cc3c50f9be80685e18c9bb0bc352901d84b4670b04da82f5e946d51e8fbeae97c88135

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\84czrBJg\MFC42u.dll

MD5 590073124ae23aec4465424c033d0c2b
SHA1 19fa364448d9608b137a8513111ea9e05e3ef616
SHA256 343e341aa4a0fca2f6678242bde2ef71e047d7a1e74de92ca5676c11748e1b44
SHA512 861cb8a8d47190d1090d032f5bbfcc999bf0583776e868d2e2fd5e0d6ba46db0040ff2b37daeedb86dff03b6b5b5da09d4ee672b64e5ee8f03c8491aae6f5c02