Malware Analysis Report

2024-11-30 21:28

Sample ID: 240107-drspqsdcgm
Target: 47e04c70fffb6b0ad07d234e5dfdfcd1
SHA256: a8479670e076135900cbf3395cf76ad539f21bd25db9d74da42c1afb19c0edc2
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a8479670e076135900cbf3395cf76ad539f21bd25db9d74da42c1afb19c0edc2

Threat Level: Known bad

The file 47e04c70fffb6b0ad07d234e5dfdfcd1 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-07 03:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 03:14

Reported

2024-01-07 03:17

Platform

win7-20231129-en

Max time kernel

150s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47e04c70fffb6b0ad07d234e5dfdfcd1.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\PVMb71Rx9\msdtc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\oYy\msra.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\ywMsak9k\MpSigStub.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\#SHARE~1\\76RVLVYY\\Ml\\msra.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\PVMb71Rx9\msdtc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oYy\msra.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ywMsak9k\MpSigStub.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (row repeated 61 times: events with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 2780 N/A N/A C:\Windows\system32\msdtc.exe
PID 1376 wrote to memory of 2780 N/A N/A C:\Windows\system32\msdtc.exe
PID 1376 wrote to memory of 2780 N/A N/A C:\Windows\system32\msdtc.exe
PID 1376 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\PVMb71Rx9\msdtc.exe
PID 1376 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\PVMb71Rx9\msdtc.exe
PID 1376 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\PVMb71Rx9\msdtc.exe
PID 1376 wrote to memory of 3052 N/A N/A C:\Windows\system32\msra.exe
PID 1376 wrote to memory of 3052 N/A N/A C:\Windows\system32\msra.exe
PID 1376 wrote to memory of 3052 N/A N/A C:\Windows\system32\msra.exe
PID 1376 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\oYy\msra.exe
PID 1376 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\oYy\msra.exe
PID 1376 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\oYy\msra.exe
PID 1376 wrote to memory of 1432 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1376 wrote to memory of 1432 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1376 wrote to memory of 1432 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1376 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\ywMsak9k\MpSigStub.exe
PID 1376 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\ywMsak9k\MpSigStub.exe
PID 1376 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\ywMsak9k\MpSigStub.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47e04c70fffb6b0ad07d234e5dfdfcd1.dll,#1

C:\Users\Admin\AppData\Local\PVMb71Rx9\msdtc.exe

C:\Users\Admin\AppData\Local\PVMb71Rx9\msdtc.exe

C:\Windows\system32\msdtc.exe

C:\Windows\system32\msdtc.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\oYy\msra.exe

C:\Users\Admin\AppData\Local\oYy\msra.exe

C:\Users\Admin\AppData\Local\ywMsak9k\MpSigStub.exe

C:\Users\Admin\AppData\Local\ywMsak9k\MpSigStub.exe

C:\Windows\system32\MpSigStub.exe

C:\Windows\system32\MpSigStub.exe

Network

N/A

Files

memory/1972-0-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1972-1-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1376-4-0x0000000077696000-0x0000000077697000-memory.dmp

memory/1376-5-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/1376-9-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-19-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-32-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-40-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-39-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-42-0x0000000002AC0000-0x0000000002AC7000-memory.dmp

memory/1376-51-0x0000000077A00000-0x0000000077A02000-memory.dmp

memory/1376-50-0x00000000778A1000-0x00000000778A2000-memory.dmp

memory/1376-49-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-41-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-60-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-66-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-38-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/2604-78-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/2604-83-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/2604-80-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1376-37-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-36-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-35-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-34-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-33-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-31-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-30-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-29-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-28-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-27-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-26-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-25-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-24-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-23-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-22-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-21-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-20-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-18-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-17-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-16-0x0000000140000000-0x00000001401B4000-memory.dmp

\Users\Admin\AppData\Local\oYy\NDFAPI.DLL

MD5 65781e6d4c716e03c05c2bc4480f9f93
SHA1 2d7893b69adb397955835413f73e88c7c9bfdb8a
SHA256 02b8d998da984864985213f7a986d8b01597d19faed62d253a2a11240b221060
SHA512 0017a89e58d6ea2d29f91f6a5ceb30561d61fd991bb11154b3dd0692ffe3e8e93d64cb3e1f56a4d93534af4c01ac24b5a7fff3e9b9213b54b6ecfaeab094ee4f

memory/2892-104-0x0000000000280000-0x0000000000287000-memory.dmp

C:\Users\Admin\AppData\Local\oYy\NDFAPI.DLL

MD5 51705f2c044163f3848a38674100f3e0
SHA1 4865fb29586abaf87dc47793ff89aae2202b7772
SHA256 bc7b965e571c3efb05b3c2e2371e2247ec10bb9072ee3eca80735d3b618206f5
SHA512 5128a180b3e515a6904dec8937565779351083ca737d82121e42db350e3b21024d045f93e2141c1abb604a662b111cd89d3c6d650daa8470f26c4c077c716ed2

C:\Users\Admin\AppData\Local\oYy\msra.exe

MD5 8c9795b4b049c221d0ff20e84e74a302
SHA1 20b027b7412fd7c81710a8b713111a825231741c
SHA256 f3d37f2157f5546ea2c29ea5aece618460d650bedbb80846d50b44d7456310de
SHA512 140d42a87ae33f5739ce0aa63aba4363275b6300d293a5a0c15e37a190f8350c62d5d6dc10495026fb6e0c72d0b6a6f37dfd6af01d97c33fc4c16262f936ba57

\Users\Admin\AppData\Local\oYy\msra.exe

MD5 21034b714a8bc0076bb59fa0d2086589
SHA1 b62448693ce1531143417a4668cf4b3329bed5bd
SHA256 8a3ddebb685370bc04a7b18bf06545fdacfe4ee0c31e61f0a37e3069b3c13fd5
SHA512 ca27185dac1732240c053173782d9a2e5bc9833b85fdaba118d173a4dc97234f67b70fca36ce3d9a9bb35b7fb5c6cda66da8a0e3094ba1b1a4077d36426de892

C:\Users\Admin\AppData\Local\oYy\msra.exe

MD5 a838fafdea01cbfa15a9ffcf96821cac
SHA1 2aea3c1ae96e08958dce5b380a4830ebf4fe32b6
SHA256 d95c62f02569b33ffa1c70999b77727917a754a259b2f431fd98c86057e699c2
SHA512 9636a8948f612f0f34e926412ad57304541cea23e64ff2aae27752cebcea8b88341770d35c60208cb7b5617aba2fedc0fbec2db1a6cb7c10a568684beacd8814

memory/1376-15-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-14-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-13-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-12-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-11-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-10-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1376-8-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1972-7-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/2500-126-0x0000000000420000-0x0000000000427000-memory.dmp

\Users\Admin\AppData\Local\ywMsak9k\VERSION.dll

MD5 20c5bd783f9c833fb58aa4985d6414ea
SHA1 e7da1f768b3b51241b4489e5a4de202892e7ed27
SHA256 fd58bdeeae235555ed196bc98c4834412ddb2cf893f645485c6d77d5e2c1145f
SHA512 99f3a1d2a06a24cdcd52b75119a6d59f009e226377785b64a647f829f665067f691473566e9d3ff5f9250d60c8479145b7f36f5bef2e121f6e7f0e13f5f95b0d

C:\Users\Admin\AppData\Local\ywMsak9k\VERSION.dll

MD5 ca4796ab040cd362e04d29458c321b3d
SHA1 2edaa7323e57a8cb10e06fb08588d732305625cc
SHA256 73f8bbe94931f19d35e8fa8f4c85f44ee5478549e9b82368e51beb94d1130539
SHA512 7afefe491b81c4ee7265a2b6581eff7645ec54e92ca0217f288cae471994932431f972b0ac12ad246c50d5535fb8cb78480c768972887288fa77823aab3e4bb3

C:\Users\Admin\AppData\Local\ywMsak9k\MpSigStub.exe

MD5 a29d0f3a5373722c7d39f8aa6e20506d
SHA1 a162eebc86d5b4b8154e42bfd36c1092b4758117
SHA256 e96a71d58c12146fb4b345d8decde98baa7ea4080b405758f0395c645eee7f7f
SHA512 93ab980c1ebaf6608bf62f4ceed39eecc830aced7328e249e8c2ebf20c1a5a8c4728b6d6e54f37cd0e4557773f6dfad6803e177bccbdeb8907595671f15a5558

\Users\Admin\AppData\Local\ywMsak9k\MpSigStub.exe

MD5 cce22bb73bc0da143bdac5c01132be1d
SHA1 6a95f8d37025ab2b38515666582baf73bebb35d7
SHA256 72f737f15f37fd9de2c0aead587e2561ba9421de5919c2716c406a338c6b3ac7
SHA512 5f807863349dea64f75cc60d5205bb9065c4cd4a5f1d978374a7afac1eae607ec5274b2cdaddc03c60e015d44bcf823df22c34af1e3cf81cb2db1f5a864aa17d

C:\Users\Admin\AppData\Local\ywMsak9k\MpSigStub.exe

MD5 22c391c7995162304c72b2fd149a67a0
SHA1 765bc500415ae9b3101fd65abce9b8dc10feee32
SHA256 de9573159b1bcb6ff8d54be26863252ebf417d8c0e5d3789e17582b6ba0c362b
SHA512 393afb4f29e1948e3aa6c80aec58729168df7bcb0c5c173306d5bb0551d44ef8e9d6d0492716a892ce49befa253aab97a30a829992d717fb73f8d7dfa968bda7

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\tVZ3FVk\MpSigStub.exe

MD5 1089b68e7bb4b604f5cd66eb685dded1
SHA1 e9d41fde4f213764d5153075240fe80a285cbd59
SHA256 c88a366ad2dc9d8a10bd421e1f79d3a987d201383101abddf67b22984aeef63e
SHA512 7726a5de3f27315d0044dfd2a9b27cd3edf7ebc7cbd67c736daf426987615d4daca04de926a5d9291564a0e8f164929006c4d5d3ef46fac4acf3b0d60e67c8ae

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

MD5 5f0c0cbc4d75320192161ad2a7be6b89
SHA1 21c1a7178651b46cb31862a4a0aaa8700a27b224
SHA256 87c8974372eb2c92f148dad3a723d2de4da9134efe9fc50a398b9a73c0791129
SHA512 0b7707fc4ce9475695a8d1da371048e66b7dc657ad4837fe7860739e26ba4854e2b60cbb81c1e881f0dfd0f291e0f0499d545dac94bdb72cb214e9c94972e01b

memory/1376-153-0x0000000077696000-0x0000000077697000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\oLr\VERSION.dll

MD5 0b386eb2dd62c143e0e7c5a1181a802b
SHA1 5c0a1a12b4cb7d53c90dbeaee4345eddc8dc7f41
SHA256 5dc9522f56cdeec83131749cfe559e673fea8a8b3fca22d8b9a372f0ebc2ca80
SHA512 38cbd4b37cbef7e946ddb5ebd9ff2fedf926ede19c2cf2902a453ed1979de997cf9c8183ab88337110ac537e56d7446b8bd1aa125499e5f2798f124f8d3aabc9

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\76RVLVYY\Ml\NDFAPI.DLL

MD5 41b2e34645d1f45aaa68a7f3f0dc36a1
SHA1 cbae4dcd0d8077395bc9020dde32ec55537c6c56
SHA256 e06a118f3e06ab6a0f791fdb6334a580101cb26fc4b6beef8f15564911dc1590
SHA512 e8404e440988a2c0ddf8674dae89288d05763a64ab35bb9708106b66566c36b0b9841e0531e58f63f34eebb1764ff9caecdc8ef8ed149b13752fef7d3f35879e

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\tVZ3FVk\VERSION.dll

MD5 b08c473125a69cfb3dd596c59f53f4ec
SHA1 c230f05c07f455cf85dd127abe9e58a0ff43c14a
SHA256 2e2a7134c276fd73325d73dcbf820b0530fdb0780d125685df9df6878c49d1b4
SHA512 a911329574bf7fce8791167bfca5800f9d57bfd68ab329b4aafac1fb7a0bbaef37ac3916c202ba3b010e220d6590d2ad6f2505815c87bf62d177573ce8a12085

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 03:14

Reported

2024-01-07 03:17

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47e04c70fffb6b0ad07d234e5dfdfcd1.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\LSIotu\\msra.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\XurecUqwQ\cttune.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\28VbLF6\msra.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\97mATcB3\DevicePairingWizard.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (row repeated 60 times: events with no description, indicator, process or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3496 wrote to memory of 944 N/A N/A C:\Windows\system32\cttune.exe
PID 3496 wrote to memory of 944 N/A N/A C:\Windows\system32\cttune.exe
PID 3496 wrote to memory of 1848 N/A N/A C:\Users\Admin\AppData\Local\XurecUqwQ\cttune.exe
PID 3496 wrote to memory of 1848 N/A N/A C:\Users\Admin\AppData\Local\XurecUqwQ\cttune.exe
PID 3496 wrote to memory of 5088 N/A N/A C:\Windows\system32\msra.exe
PID 3496 wrote to memory of 5088 N/A N/A C:\Windows\system32\msra.exe
PID 3496 wrote to memory of 4488 N/A N/A C:\Users\Admin\AppData\Local\28VbLF6\msra.exe
PID 3496 wrote to memory of 4488 N/A N/A C:\Users\Admin\AppData\Local\28VbLF6\msra.exe
PID 3496 wrote to memory of 1564 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 3496 wrote to memory of 1564 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 3496 wrote to memory of 4752 N/A N/A C:\Users\Admin\AppData\Local\97mATcB3\DevicePairingWizard.exe
PID 3496 wrote to memory of 4752 N/A N/A C:\Users\Admin\AppData\Local\97mATcB3\DevicePairingWizard.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\47e04c70fffb6b0ad07d234e5dfdfcd1.dll,#1

C:\Windows\system32\cttune.exe

C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\28VbLF6\msra.exe

C:\Users\Admin\AppData\Local\28VbLF6\msra.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\XurecUqwQ\cttune.exe

C:\Users\Admin\AppData\Local\XurecUqwQ\cttune.exe

C:\Users\Admin\AppData\Local\97mATcB3\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\97mATcB3\DevicePairingWizard.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp

Files

memory/5072-1-0x0000023F68DA0000-0x0000023F68DA7000-memory.dmp

memory/5072-0-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-4-0x0000000007210000-0x0000000007211000-memory.dmp

memory/5072-7-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-6-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-8-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-15-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-20-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-28-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-33-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-39-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-41-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-42-0x0000000002E70000-0x0000000002E77000-memory.dmp

memory/3496-50-0x00007FFEF9460000-0x00007FFEF9470000-memory.dmp

memory/3496-49-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-40-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-38-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-61-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-59-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/1848-76-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/4488-88-0x00000226973C0000-0x00000226973C7000-memory.dmp

memory/4488-93-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1848-71-0x000001FD2CA00000-0x000001FD2CA07000-memory.dmp

memory/1848-70-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3496-37-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-36-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/4752-104-0x0000000140000000-0x00000001401BB000-memory.dmp

memory/4752-110-0x0000000140000000-0x00000001401BB000-memory.dmp

memory/4752-106-0x000001DEBB770000-0x000001DEBB777000-memory.dmp

memory/3496-35-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-34-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-32-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-31-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-30-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-29-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-27-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-26-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-25-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-23-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-24-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-22-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-21-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-19-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-18-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-17-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-16-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-14-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-13-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-12-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-11-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/3496-9-0x00007FFEF8EBA000-0x00007FFEF8EBB000-memory.dmp

memory/3496-10-0x0000000140000000-0x00000001401B4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\SK\OLEACC.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\LSIotu\UxTheme.dll

MD5 53eb0c448bcef7b6b2f6544cc3a44047
SHA1 e8eaca5dd55a08479c1929ef0592ddea3af28f3b
SHA256 3920c0922e795be7b4265c4745d17bd37c075f46a0f2261552ad4d7472f89082
SHA512 b669c28dccd9ad98a70ba0edea2c2ccfff777fc61e1fc4a509adf94f3a0ead5608e48f4c0b20d27d375ce33bd134843474cef8dd3e07e1e4830dbfb14c83c7c8

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Z2u275EJAuN\MFC42u.dll

MD5 5dabaf02711ccc1d6ed8f1dc0cd200e4
SHA1 ec16318c9f371f17966b278e92a952d667cab2b6
SHA256 983a72daab827a0a2e360cf2c8575294abae69b6b45193f3d656f82a87293185
SHA512 832c005890d21ca74c48811a2768dde1915e510578c2ed8996195a096e82cd5c2d234305c9cc806371295afe6006895a3c6f12af1a477ce3f83a4193ae120231