Malware Analysis Report

2024-11-30 21:28

Sample ID: 240106-ygny1sedep
Target: 470a0c9038037fc6a2bad827b79c05f5
SHA256: 46bb70f8985b23c93eb60120af7a40209923078981f408ec419fe290076b3183
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 470a0c9038037fc6a2bad827b79c05f5 was found to be: Known bad.

Malicious Activity Summary

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported: 2024-01-06 19:45

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-06 19:45
Reported: 2024-01-06 19:48
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\470a0c9038037fc6a2bad827b79c05f5.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\jDz\\wlrmdr.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\TR0\sppsvc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Lzm\wlrmdr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ujNK3\GamePanel.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3452 wrote to memory of 4828 | N/A | N/A | C:\Windows\system32\consent.exe
PID 3452 wrote to memory of 4828 | N/A | N/A | C:\Windows\system32\consent.exe
PID 3452 wrote to memory of 2264 | N/A | N/A | C:\Users\Admin\AppData\Local\oui\consent.exe
PID 3452 wrote to memory of 2264 | N/A | N/A | C:\Users\Admin\AppData\Local\oui\consent.exe
PID 3452 wrote to memory of 4620 | N/A | N/A | C:\Users\Admin\AppData\Local\TR0\sppsvc.exe
PID 3452 wrote to memory of 4620 | N/A | N/A | C:\Users\Admin\AppData\Local\TR0\sppsvc.exe
PID 3452 wrote to memory of 3376 | N/A | N/A | C:\Windows\system32\wlrmdr.exe
PID 3452 wrote to memory of 3376 | N/A | N/A | C:\Windows\system32\wlrmdr.exe
PID 3452 wrote to memory of 2784 | N/A | N/A | C:\Users\Admin\AppData\Local\Lzm\wlrmdr.exe
PID 3452 wrote to memory of 2784 | N/A | N/A | C:\Users\Admin\AppData\Local\Lzm\wlrmdr.exe
PID 3452 wrote to memory of 3164 | N/A | N/A | C:\Windows\system32\GamePanel.exe
PID 3452 wrote to memory of 3164 | N/A | N/A | C:\Windows\system32\GamePanel.exe
PID 3452 wrote to memory of 2940 | N/A | N/A | C:\Users\Admin\AppData\Local\ujNK3\GamePanel.exe
PID 3452 wrote to memory of 2940 | N/A | N/A | C:\Users\Admin\AppData\Local\ujNK3\GamePanel.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\470a0c9038037fc6a2bad827b79c05f5.dll

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

C:\Users\Admin\AppData\Local\oui\consent.exe

C:\Users\Admin\AppData\Local\oui\consent.exe

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\TR0\sppsvc.exe

C:\Users\Admin\AppData\Local\TR0\sppsvc.exe

C:\Windows\system32\wlrmdr.exe

C:\Windows\system32\wlrmdr.exe

C:\Users\Admin\AppData\Local\Lzm\wlrmdr.exe

C:\Users\Admin\AppData\Local\Lzm\wlrmdr.exe

C:\Windows\system32\GamePanel.exe

C:\Windows\system32\GamePanel.exe

C:\Users\Admin\AppData\Local\ujNK3\GamePanel.exe

C:\Users\Admin\AppData\Local\ujNK3\GamePanel.exe

Network

Files

C:\Users\Admin\AppData\Local\oui\consent.exe

C:\Users\Admin\AppData\Local\TR0\sppsvc.exe

C:\Users\Admin\AppData\Local\TR0\XmlLite.dll

C:\Users\Admin\AppData\Local\TR0\sppsvc.exe

C:\Users\Admin\AppData\Local\Lzm\wlrmdr.exe

C:\Users\Admin\AppData\Local\Lzm\DUI70.dll

C:\Users\Admin\AppData\Local\ujNK3\GamePanel.exe

C:\Users\Admin\AppData\Local\ujNK3\dwmapi.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-06 19:45
Reported: 2024-01-06 19:48
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 122s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\470a0c9038037fc6a2bad827b79c05f5.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\C0aNYH\Dxpserver.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Mwm5WE\msdtc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6H77\SoundRecorder.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\CIj\\msdtc.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\C0aNYH\Dxpserver.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Mwm5WE\msdtc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6H77\SoundRecorder.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1196 wrote to memory of 2184 | N/A | N/A | C:\Windows\system32\Dxpserver.exe
PID 1196 wrote to memory of 2184 | N/A | N/A | C:\Windows\system32\Dxpserver.exe
PID 1196 wrote to memory of 2184 | N/A | N/A | C:\Windows\system32\Dxpserver.exe
PID 1196 wrote to memory of 268 | N/A | N/A | C:\Users\Admin\AppData\Local\C0aNYH\Dxpserver.exe
PID 1196 wrote to memory of 268 | N/A | N/A | C:\Users\Admin\AppData\Local\C0aNYH\Dxpserver.exe
PID 1196 wrote to memory of 268 | N/A | N/A | C:\Users\Admin\AppData\Local\C0aNYH\Dxpserver.exe
PID 1196 wrote to memory of 2136 | N/A | N/A | C:\Windows\system32\msdtc.exe
PID 1196 wrote to memory of 2136 | N/A | N/A | C:\Windows\system32\msdtc.exe
PID 1196 wrote to memory of 2136 | N/A | N/A | C:\Windows\system32\msdtc.exe
PID 1196 wrote to memory of 1276 | N/A | N/A | C:\Users\Admin\AppData\Local\Mwm5WE\msdtc.exe
PID 1196 wrote to memory of 1276 | N/A | N/A | C:\Users\Admin\AppData\Local\Mwm5WE\msdtc.exe
PID 1196 wrote to memory of 1276 | N/A | N/A | C:\Users\Admin\AppData\Local\Mwm5WE\msdtc.exe
PID 1196 wrote to memory of 2500 | N/A | N/A | C:\Windows\system32\wermgr.exe
PID 1196 wrote to memory of 2500 | N/A | N/A | C:\Windows\system32\wermgr.exe
PID 1196 wrote to memory of 2500 | N/A | N/A | C:\Windows\system32\wermgr.exe
PID 1196 wrote to memory of 752 | N/A | N/A | C:\Users\Admin\AppData\Local\hvkl4xnIr\wermgr.exe
PID 1196 wrote to memory of 752 | N/A | N/A | C:\Users\Admin\AppData\Local\hvkl4xnIr\wermgr.exe
PID 1196 wrote to memory of 752 | N/A | N/A | C:\Users\Admin\AppData\Local\hvkl4xnIr\wermgr.exe
PID 1196 wrote to memory of 2628 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1196 wrote to memory of 2628 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1196 wrote to memory of 2628 | N/A | N/A | C:\Windows\system32\SoundRecorder.exe
PID 1196 wrote to memory of 1940 | N/A | N/A | C:\Users\Admin\AppData\Local\6H77\SoundRecorder.exe
PID 1196 wrote to memory of 1940 | N/A | N/A | C:\Users\Admin\AppData\Local\6H77\SoundRecorder.exe
PID 1196 wrote to memory of 1940 | N/A | N/A | C:\Users\Admin\AppData\Local\6H77\SoundRecorder.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\470a0c9038037fc6a2bad827b79c05f5.dll

C:\Windows\system32\Dxpserver.exe

C:\Windows\system32\Dxpserver.exe

C:\Users\Admin\AppData\Local\C0aNYH\Dxpserver.exe

C:\Users\Admin\AppData\Local\C0aNYH\Dxpserver.exe

C:\Windows\system32\msdtc.exe

C:\Windows\system32\msdtc.exe

C:\Users\Admin\AppData\Local\Mwm5WE\msdtc.exe

C:\Users\Admin\AppData\Local\Mwm5WE\msdtc.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Users\Admin\AppData\Local\hvkl4xnIr\wermgr.exe

C:\Users\Admin\AppData\Local\hvkl4xnIr\wermgr.exe

C:\Windows\system32\SoundRecorder.exe

C:\Windows\system32\SoundRecorder.exe

C:\Users\Admin\AppData\Local\6H77\SoundRecorder.exe

C:\Users\Admin\AppData\Local\6H77\SoundRecorder.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\C0aNYH\Dxpserver.exe

C:\Users\Admin\AppData\Local\C0aNYH\XmlLite.dll

\Users\Admin\AppData\Local\Mwm5WE\msdtc.exe

C:\Users\Admin\AppData\Local\Mwm5WE\VERSION.dll

\Users\Admin\AppData\Local\hvkl4xnIr\wermgr.exe

\Users\Admin\AppData\Local\6H77\SoundRecorder.exe

C:\Users\Admin\AppData\Local\6H77\WINMM.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk
