Malware Analysis Report

2024-11-30 21:28

Sample ID 240107-lm3cdaachp
Target 48a2c1b0ae44e0de371601aff527f30b
SHA256 fdbb91b12bdfc332412d6d786fb4325b0dd24ed0900747236583542332b2accc
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

fdbb91b12bdfc332412d6d786fb4325b0dd24ed0900747236583542332b2accc

Threat Level: Known bad

The file 48a2c1b0ae44e0de371601aff527f30b was found to be: Known bad.

What the two detonations show: the sample is a 64-bit DLL (its image maps at 0x0000000140000000-0x00000001402E1000 in the memory dumps below) that is invoked through rundll32.exe by export ordinal #1. In both runs the loader stages copies of legitimate Windows binaries in randomly named directories under %LOCALAPPDATA% (behavioral1: spinstall.exe, SystemPropertiesHardware.exe, rstrui.exe; behavioral2: tcmsetup.exe, omadmclient.exe, CustomShellHost.exe), each next to a file named like a library that binary loads (XmlLite.dll, SYSDM.CPL and SRCORE.dll in behavioral1), and starts them. That is DLL side-loading: the trusted executable runs and pulls in the attacker's module by name. For each binary the System32 original appears as a WriteProcessMemory target just before its staged copy, so the original is launched first and the side-loading copy second. Persistence is a Run key in both runs plus a Startup-folder .lnk in behavioral1. The same unpacked image is dumped from the first process in each run and from a second process (PID 1276 in behavioral1, PID 3432 in behavioral2) that is the writer in every WriteProcessMemory event; the report does not name that second process. Nothing in the recorded network activity is attributable to the sample's own command-and-control: behavioral1 produced no traffic at all, and behavioral2 shows only reverse lookups and connections with no link to the sample.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Enterprise Matrix V15. The matrix view is not reproduced here; the techniques below are derived from the signature names in this report:

T1218.011 System Binary Proxy Execution: Rundll32 (sample loaded via rundll32.exe ordinal #1)
T1574.002 Hijack Execution Flow: DLL Side-Loading (System32-named binaries staged in AppData\Local next to a DLL/CPL)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Run key, Startup .lnk)
T1053.005 Scheduled Task/Job: Scheduled Task (Uses Task Scheduler COM API)
T1082 System Information Discovery (EnableLUA query, tagged evasion by the sandbox)
T1057 Process Discovery (EnumeratesProcesses)
T1055 Process Injection (WriteProcessMemory; the unpacked image is present in a second process)
T1134 Access Token Manipulation (AdjustPrivilegeToken)

Analysis: static1

Detonation Overview

Reported

2024-01-07 09:39

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-07 09:39

Reported

2024-01-07 09:42

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\48a2c1b0ae44e0de371601aff527f30b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\IbH\spinstall.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\hpDJt\SystemPropertiesHardware.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\VUDDIUO\rstrui.exe N/A
N/A N/A N/A N/A (4 further events with no process recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\5AeBS7i0UA\\SystemPropertiesHardware.exe" N/A N/A

Note that the persistence target is a further copy of SystemPropertiesHardware.exe under AppData\Roaming, not the AppData\Local\hpDJt copy executed during the run; the Roaming copy and its companion module do not appear in the Files section of this run.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\IbH\spinstall.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hpDJt\SystemPropertiesHardware.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\VUDDIUO\rstrui.exe N/A

Reading EnableLUA is common in benign software and is weak evidence by itself. What matters here is who issues it: rundll32.exe and each of the three staged copies in AppData\Local, but not the System32 originals that were started just before them.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (3 events)
N/A N/A N/A N/A (61 further events with no process recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 2940 (3 events) N/A N/A C:\Windows\system32\spinstall.exe
PID 1276 wrote to memory of 2956 (3 events) N/A N/A C:\Users\Admin\AppData\Local\IbH\spinstall.exe
PID 1276 wrote to memory of 1440 (3 events) N/A N/A C:\Windows\system32\SystemPropertiesHardware.exe
PID 1276 wrote to memory of 2260 (3 events) N/A N/A C:\Users\Admin\AppData\Local\hpDJt\SystemPropertiesHardware.exe
PID 1276 wrote to memory of 1680 (3 events) N/A N/A C:\Windows\system32\rstrui.exe
PID 1276 wrote to memory of 1424 (3 events) N/A N/A C:\Users\Admin\AppData\Local\VUDDIUO\rstrui.exe

The writer is always PID 1276, not the first process captured in the Files section (PID 2908), and for every binary the System32 original (PIDs 2940, 1440, 1680) is written to before the staged copy in AppData\Local (PIDs 2956, 2260, 1424). That pairing, a System32 binary started from its real location immediately followed by a same-named binary started from a user-writable directory, is the sequence to key detections on.

Uses Task Scheduler COM API

persistence

Processes

Each entry is the process image followed by its command line; for every process other than rundll32.exe the command line is just the image path.

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48a2c1b0ae44e0de371601aff527f30b.dll,#1

C:\Windows\system32\spinstall.exe

C:\Users\Admin\AppData\Local\IbH\spinstall.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\hpDJt\SystemPropertiesHardware.exe

C:\Windows\system32\rstrui.exe

C:\Users\Admin\AppData\Local\VUDDIUO\rstrui.exe

Network

N/A

Files

Memory dumps are named memory/<pid>-<sequence>-<start>-<end>-memory.dmp; repeated dumps of one region are collapsed below.

memory/2908-0 0x0000000000110000-0x0000000000117000 (0x7000 bytes)
memory/2908-1, memory/2908-8 0x0000000140000000-0x00000001402E1000 (unpacked image, 2 snapshots)
memory/1276-4 0x0000000076DB6000-0x0000000076DB7000
memory/1276-5 0x0000000002960000-0x0000000002961000
memory/1276-7, memory/1276-9 through memory/1276-65 0x0000000140000000-0x00000001402E1000 (same image as in PID 2908, 58 snapshots)
memory/1276-69 0x00000000021D0000-0x00000000021D7000 (0x7000 bytes)
memory/1276-78 0x0000000076FC1000-0x0000000076FC2000
memory/1276-79 0x0000000077120000-0x0000000077122000

\Users\Admin\AppData\Local\IbH\spinstall.exe

MD5 29c1d5b330b802efa1a8357373bc97fe
SHA1 90797aaa2c56fc2a667c74475996ea1841bc368f
SHA256 048bd22abf158346ab991a377cc6e9d2b20b4d73ccee7656c96a41f657e7be7f
SHA512 66f4f75a04340a1dd55dfdcc3ff1103ea34a55295f56c12e88d38d1a41e5be46b67c98bd66ac9f878ce79311773e374ed2bce4dd70e8bb5543e4ec1dd56625ee

C:\Users\Admin\AppData\Local\IbH\XmlLite.dll

MD5 c49948b10110c6261214eb3e20f8f616
SHA1 434f6eb93f93c9fc3d12f05d5f8978e9b6b02f0f
SHA256 09285e63659e90c28d2c746dc56ea95395fdf261038cb37e1b4f6de4514430a2
SHA512 7afc7776945d99ab08da58d7294373011e85373dd1f6ae88c872341c129d6886a91a4411afab27bb3fd3ee2ba1401c99cb99a13e58efc22e3bdb4cca7bd4d73e

memory/2956-106-0x0000000000190000-0x0000000000197000-memory.dmp

\Users\Admin\AppData\Local\hpDJt\SystemPropertiesHardware.exe

MD5 c63d722641c417764247f683f9fb43be
SHA1 948ec61ebf241c4d80efca3efdfc33fe746e3b98
SHA256 4759296b421d60c80db0bb112a30425e04883900374602e13ed97f7c03a49df2
SHA512 7223d1c81a4785ed790ec2303d5d9d7ebcae9404d7bf173b3145e51202564de9977e94ac10ab80c6fe49b5f697af3ec70dfd922a891915e8951b5a1b5841c8be

C:\Users\Admin\AppData\Local\hpDJt\SYSDM.CPL

MD5 e86553d054e45c2ef22dae7d10170647
SHA1 78936d2745e83a411f9c3097a83118768cb01e45
SHA256 95cde2cdc93c6eea69b9c02bb64ead473aa555bb1c05e4bcfad0badb2def1fdf
SHA512 683736827e9a7b9079ef12b19c0df9b277a2c6768feed78e1a6e348d88326a9c623c3587786d55e33c2020e9adfd243eca9931368cef9a726d1ba0575436e7fd

memory/1276-124-0x0000000076DB6000-0x0000000076DB7000-memory.dmp

memory/2260-126-0x0000000000100000-0x0000000000107000-memory.dmp

\Users\Admin\AppData\Local\VUDDIUO\rstrui.exe

MD5 3db5a1eace7f3049ecc49fa64461e254
SHA1 7dc64e4f75741b93804cbae365e10dc70592c6a9
SHA256 ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49
SHA512 ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

C:\Users\Admin\AppData\Local\VUDDIUO\SRCORE.dll

MD5 68cf3eafc80d87bb23c02c0b4a198351
SHA1 f4b037d14c8a29cbac834e9cca9f651a31e13d68
SHA256 abdb62bbc320067a93fae50cf31156a0d56e72bced5fca037017759072a4ca7a
SHA512 74c77c92a452a91a5bdf26811b0a999508a31df73c8f235eb984701c4d760971b79b89837cf94949161f80397e37860cfa4b404491afb35bf2479cd3dc811873

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 2dbe2d6aca02d23738c237d3782cb727
SHA1 d08266a909412a6712b741413ffa139475e5846d
SHA256 b66b2da3f7ac160c6e386f267a67f814e9f1c1a86ab73e1c65dceb478ccacca4
SHA512 bcd93a567866d1cac751dec2592766a1e1a7f3828f9aec12d667c5b9fc96f5adbc301c5ecaa70d40b91e3df1f3d52c41df401b0de467a3dd8e5e8c4692938f4c
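The staging pattern recorded in the Signatures and Files sections (a System32-named executable copied into a randomly named AppData\Local directory next to a DLL or CPL it will load, a Run key pointing into AppData, a Startup-folder shortcut) is something a responder can hunt for in a host's file and registry inventory. The Python script below is an added example and not part of the sandbox report: it runs that check over a constructed list of the paths and Run-key values this report records for both behavioral runs. The System32 name set is an assumed, abbreviated reference list; in practice generate it from a clean host.

```python
"""Hunt for the side-loading staging pattern seen in this report.

Added example, not part of the sandbox report. Flags (1) a System32-named
EXE staged in an AppData directory together with a loadable module,
(2) shortcuts dropped into a Startup folder and (3) Run-key values that
point into AppData or use 8.3 short names.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: dropped-file paths from behavioral1 and the Run-key
# values from both runs, taken from the report (drive letters added).
DROPPED_FILES = [
    r"C:\Users\Admin\AppData\Local\IbH\spinstall.exe",
    r"C:\Users\Admin\AppData\Local\IbH\XmlLite.dll",
    r"C:\Users\Admin\AppData\Local\hpDJt\SystemPropertiesHardware.exe",
    r"C:\Users\Admin\AppData\Local\hpDJt\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\VUDDIUO\rstrui.exe",
    r"C:\Users\Admin\AppData\Local\VUDDIUO\SRCORE.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk",
    r"C:\Users\Admin\AppData\Local\Temp\48a2c1b0ae44e0de371601aff527f30b.dll",
]
RUN_KEY_VALUES = {
    "Zqonzshwxyr": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\5AeBS7i0UA\SystemPropertiesHardware.exe",
    "Qzenv": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\NETWOR~1\O4SL07~1\OMADMC~1.EXE",
}

# Assumed, abbreviated reference set of executables shipped in
# %SystemRoot%\System32; build the real one from a clean host.
SYSTEM32_BINARIES = {
    "spinstall.exe", "systempropertieshardware.exe", "rstrui.exe",
    "tcmsetup.exe", "omadmclient.exe", "customshellhost.exe",
}
LOADABLE_SUFFIXES = {".dll", ".cpl", ".ocx", ".drv"}


def _under_appdata(path: PureWindowsPath) -> bool:
    return "appdata" in (part.lower() for part in path.parts)


def find_sideload_pairs(files):
    """(exe, [companions]) for every System32-named EXE that sits in an
    AppData directory together with at least one loadable module."""
    by_dir = defaultdict(list)
    for f in files:
        p = PureWindowsPath(f)
        by_dir[str(p.parent).lower()].append(p)
    pairs = []
    for members in by_dir.values():
        companions = sorted(str(m) for m in members if m.suffix.lower() in LOADABLE_SUFFIXES)
        for m in members:
            if m.name.lower() in SYSTEM32_BINARIES and _under_appdata(m) and companions:
                pairs.append((str(m), companions))
    return sorted(pairs)


def find_startup_shortcuts(files):
    """Shortcuts dropped into a Startup folder (the Ercyejwqgvsruoy.lnk case)."""
    hits = []
    for f in files:
        p = PureWindowsPath(f)
        if p.suffix.lower() == ".lnk" and "startup" in (part.lower() for part in p.parts):
            hits.append(f)
    return sorted(hits)


def find_suspicious_run_values(run_values):
    """Run-key values whose target lives under AppData or is written with
    8.3 short names (MICROS~1, OMADMC~1.EXE), which installed software rarely does."""
    hits = []
    for name, target in run_values.items():
        reasons = []
        if _under_appdata(PureWindowsPath(target)):
            reasons.append("target under AppData")
        if "~" in target:
            reasons.append("8.3 short-name components")
        if reasons:
            hits.append((name, target, reasons))
    return sorted(hits)


def hunt(files, run_values):
    return {
        "sideload_pairs": find_sideload_pairs(files),
        "startup_shortcuts": find_startup_shortcuts(files),
        "run_values": find_suspicious_run_values(run_values),
    }


if __name__ == "__main__":
    for kind, hits in hunt(DROPPED_FILES, RUN_KEY_VALUES).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

On the report's own data this yields the three EXE/module pairs (IbH, hpDJt, VUDDIUO), the Startup shortcut, and both Run values; the loose DLL in Temp is not flagged because no System32-named executable sits beside it. The pairing rule is deliberately broader than this sample: any module in the same directory counts, since the exact import that is hijacked varies per binary.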

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-07 09:39

Reported

2024-01-07 09:42

Platform

win10v2004-20231215-en

Max time kernel

112s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\48a2c1b0ae44e0de371601aff527f30b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\NETWOR~1\\O4SL07~1\\OMADMC~1.EXE" N/A N/A

The value is stored with 8.3 short names: MICROS~1 is Microsoft, NETWOR~1 is presumably Network Shortcuts, O4SL07~1 is a directory whose long name is not recorded, and OMADMC~1.EXE is omadmclient.exe, one of the binaries staged in this run. A Run value written entirely in short names is unusual for legitimately installed software and is itself a useful detection feature.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\asQ\omadmclient.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ZSEe83RC4\CustomShellHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\szq3rG651\tcmsetup.exe N/A

As in behavioral1, the query comes from rundll32.exe and from each staged copy in AppData\Local, and not from the System32 originals started just before them.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A (4 events)
N/A N/A N/A N/A (60 further events with no process recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A (4 events)
Token: SeCreatePagefilePrivilege N/A N/A N/A (4 events)

No process is attributed to these events, and this pair of privileges is also enabled by ordinary shell and servicing components, so on its own the signature is weak evidence.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A (2 events, no process recorded)

FindShellTrayWindow returns a handle to the shell's Shell_TrayWnd window; combined with GetWindowThreadProcessId it gives a program the PID of the process hosting the taskbar, which is the usual way a loader locates explorer.exe before injecting into it. The report does not name the process that used it.

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3432 wrote to memory of 2888 (2 events) N/A N/A C:\Windows\system32\tcmsetup.exe
PID 3432 wrote to memory of 4448 (2 events) N/A N/A C:\Users\Admin\AppData\Local\szq3rG651\tcmsetup.exe
PID 3432 wrote to memory of 4056 (2 events) N/A N/A C:\Windows\system32\omadmclient.exe
PID 3432 wrote to memory of 3440 (2 events) N/A N/A C:\Users\Admin\AppData\Local\asQ\omadmclient.exe
PID 3432 wrote to memory of 4352 (2 events) N/A N/A C:\Windows\system32\CustomShellHost.exe
PID 3432 wrote to memory of 4204 (2 events) N/A N/A C:\Users\Admin\AppData\Local\ZSEe83RC4\CustomShellHost.exe

Same structure as behavioral1 with a different set of host binaries: the writer is always PID 3432, not the first process captured in the Files section (PID 880), and each System32 original (PIDs 2888, 4056, 4352) is written to before the staged copy (PIDs 4448, 3440, 4204).

Uses Task Scheduler COM API

persistence

Processes

Each entry is the process image followed by its command line; for every process other than rundll32.exe the command line is just the image path.

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\48a2c1b0ae44e0de371601aff527f30b.dll,#1

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\omadmclient.exe

C:\Windows\system32\CustomShellHost.exe

C:\Users\Admin\AppData\Local\ZSEe83RC4\CustomShellHost.exe

C:\Users\Admin\AppData\Local\asQ\omadmclient.exe

C:\Users\Admin\AppData\Local\szq3rG651\tcmsetup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 150.1.37.23.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
IE 20.223.36.55:443 tcp
US 93.184.221.240:80 tcp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 88.221.134.18:80 tcp
N/A 88.221.134.18:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.17.178.211:80 tcp
GB 96.17.178.211:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 udp

None of these destinations is attributable to the sample. The only resolved hostname is tse1.mm.bing.net, the remaining UDP entries are reverse (in-addr.arpa) lookups of public addresses, and the TCP sessions carry no recorded domain or payload. Treat this as Windows 10 background traffic unless shown otherwise; no Dridex command-and-control activity was captured in either run.

Files

Memory dumps are named memory/<pid>-<sequence>-<start>-<end>-memory.dmp; repeated dumps of one region are collapsed below.

memory/880-0, memory/880-6 0x0000000140000000-0x00000001402E1000 (unpacked image, 2 snapshots)
memory/880-2 0x0000016BEECD0000-0x0000016BEECD7000 (0x7000 bytes)
memory/3432-4 0x0000000008750000-0x0000000008751000
memory/3432-7, memory/3432-8, memory/3432-10 through memory/3432-65 0x0000000140000000-0x00000001402E1000 (same image as in PID 880, 58 snapshots)
memory/3432-9 0x00007FFC2898A000-0x00007FFC2898B000
memory/3432-70 0x0000000002FC0000-0x0000000002FC7000 (0x7000 bytes)
memory/3432-81 0x00007FFC297A0000-0x00007FFC297B0000
memory/4448-98 0x00000139E3DE0000-0x00000139E3DE7000 (0x7000 bytes)
memory/3440-118 0x000001D6AA7A0000-0x000001D6AA7A7000 (0x7000 bytes)
memory/4204-135 0x000001E435CD0000-0x000001E435CD7000 (0x7000 bytes)

No dropped files are recorded for this run, so the binaries staged in ZSEe83RC4, asQ and szq3rG651 have no hashes here. Per the WriteProcessMemory table, PIDs 4448, 3440 and 4204 are the staged tcmsetup.exe, omadmclient.exe and CustomShellHost.exe processes; each holds a 0x7000-byte region of the same size as the ones dumped from PIDs 880 and 3432.
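The memory dump names in both Files sections carry the PID, a sequence number and the dumped address range, which is enough to see which processes share a mapping (the 0x0000000140000000-0x00000001402E1000 image appears in two PIDs per run) and which processes received the small 0x7000-byte region. The Python script below is an added example, not part of the sandbox output: it parses a constructed subset of the dump names from this report and answers those two questions for each run.

```python
"""Cross-process view of the memory dumps listed in this report.

Added example, not part of the sandbox output. The sandbox names each dump
memory/<pid>-<seq>-<start>-<end>-memory.dmp; this parses those names, counts
snapshots per (pid, region), finds regions dumped from more than one process,
and lists regions of a given size. DUMPS is a constructed subset of the names
from the behavioral1 and behavioral2 Files sections.
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMPS = {
    "behavioral1": [  # win7 run
        "memory/2908-0-0x0000000000110000-0x0000000000117000-memory.dmp",
        "memory/2908-1-0x0000000140000000-0x00000001402E1000-memory.dmp",
        "memory/1276-4-0x0000000076DB6000-0x0000000076DB7000-memory.dmp",
        "memory/1276-7-0x0000000140000000-0x00000001402E1000-memory.dmp",
        "memory/1276-9-0x0000000140000000-0x00000001402E1000-memory.dmp",
        "memory/1276-69-0x00000000021D0000-0x00000000021D7000-memory.dmp",
        "memory/2956-106-0x0000000000190000-0x0000000000197000-memory.dmp",
        "memory/2260-126-0x0000000000100000-0x0000000000107000-memory.dmp",
    ],
    "behavioral2": [  # win10 run
        "memory/880-0-0x0000000140000000-0x00000001402E1000-memory.dmp",
        "memory/880-2-0x0000016BEECD0000-0x0000016BEECD7000-memory.dmp",
        "memory/3432-12-0x0000000140000000-0x00000001402E1000-memory.dmp",
        "memory/3432-70-0x0000000002FC0000-0x0000000002FC7000-memory.dmp",
        "memory/4448-98-0x00000139E3DE0000-0x00000139E3DE7000-memory.dmp",
        "memory/3440-118-0x000001D6AA7A0000-0x000001D6AA7A7000-memory.dmp",
        "memory/4204-135-0x000001E435CD0000-0x000001E435CD7000-memory.dmp",
    ],
}


def parse_dump(name):
    """(pid, seq, start, end) from one dump file name; ValueError otherwise."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a sandbox dump name: {name}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def snapshots_per_region(names):
    """How many times each (pid, start, end) region was dumped."""
    return Counter((pid, start, end) for pid, _, start, end in map(parse_dump, names))


def shared_regions(names):
    """Regions dumped from more than one PID, i.e. the same mapping present in
    several processes. For this sample that is the 0x140000000 image, seen in
    the first process dumped and in the process that later spawns the staged
    binaries."""
    holders = defaultdict(set)
    for pid, _, start, end in map(parse_dump, names):
        holders[(start, end)].add(pid)
    return {region: sorted(pids) for region, pids in holders.items() if len(pids) > 1}


def regions_of_size(names, size):
    """PID -> start addresses of dumped regions of exactly `size` bytes.
    With size=0x7000 this lists the small region every touched process holds."""
    out = defaultdict(list)
    for pid, _, start, end in map(parse_dump, names):
        if end - start == size:
            out[pid].append(start)
    return dict(out)


if __name__ == "__main__":
    for run, names in DUMPS.items():
        print(run)
        for (start, end), pids in shared_regions(names).items():
            print(f"  image 0x{start:X}-0x{end:X} ({end - start:#x} bytes) in PIDs {pids}")
        for pid, starts in sorted(regions_of_size(names, 0x7000).items()):
            print(f"  PID {pid}: 0x7000-byte region(s) at {[hex(s) for s in starts]}")
```

Run against the full lists above, the same script would report 58 snapshots of the image in PID 1276 and in PID 3432; here the subset keeps two per run so the counting logic is still exercised. Grouping by (start, end) rather than by PID is what exposes the image that has moved into a second process.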