Malware Analysis Report

2024-11-30 21:27

Sample ID 240108-nyrfcshbak
Target 4b59b3ac6f8e8796c5cccad0b1b1a495
SHA256 42b8c865b89d3a47aa2ff8baaf8b6860f8a84217760f269ff2ea980f2bd6250d
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 4b59b3ac6f8e8796c5cccad0b1b1a495 was found to be: Known bad.

Malicious Activity Summary

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-08 11:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-08 11:48

Reported

2024-01-08 11:51

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b59b3ac6f8e8796c5cccad0b1b1a495.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Cts\PresentationSettings.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\CZcdZavYP\dwm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\gWUvR\Utilman.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Qbi\\dwm.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Cts\PresentationSettings.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\CZcdZavYP\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gWUvR\Utilman.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 2136 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1248 wrote to memory of 2136 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1248 wrote to memory of 2136 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1248 wrote to memory of 2148 N/A N/A C:\Users\Admin\AppData\Local\Cts\PresentationSettings.exe
PID 1248 wrote to memory of 2148 N/A N/A C:\Users\Admin\AppData\Local\Cts\PresentationSettings.exe
PID 1248 wrote to memory of 2148 N/A N/A C:\Users\Admin\AppData\Local\Cts\PresentationSettings.exe
PID 1248 wrote to memory of 3040 N/A N/A C:\Windows\system32\dwm.exe
PID 1248 wrote to memory of 3040 N/A N/A C:\Windows\system32\dwm.exe
PID 1248 wrote to memory of 3040 N/A N/A C:\Windows\system32\dwm.exe
PID 1248 wrote to memory of 2292 N/A N/A C:\Users\Admin\AppData\Local\CZcdZavYP\dwm.exe
PID 1248 wrote to memory of 2292 N/A N/A C:\Users\Admin\AppData\Local\CZcdZavYP\dwm.exe
PID 1248 wrote to memory of 2292 N/A N/A C:\Users\Admin\AppData\Local\CZcdZavYP\dwm.exe
PID 1248 wrote to memory of 2008 N/A N/A C:\Windows\system32\Utilman.exe
PID 1248 wrote to memory of 2008 N/A N/A C:\Windows\system32\Utilman.exe
PID 1248 wrote to memory of 2008 N/A N/A C:\Windows\system32\Utilman.exe
PID 1248 wrote to memory of 1020 N/A N/A C:\Users\Admin\AppData\Local\gWUvR\Utilman.exe
PID 1248 wrote to memory of 1020 N/A N/A C:\Users\Admin\AppData\Local\gWUvR\Utilman.exe
PID 1248 wrote to memory of 1020 N/A N/A C:\Users\Admin\AppData\Local\gWUvR\Utilman.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b59b3ac6f8e8796c5cccad0b1b1a495.dll,#1

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\Cts\PresentationSettings.exe

C:\Users\Admin\AppData\Local\Cts\PresentationSettings.exe

C:\Windows\system32\dwm.exe

C:\Windows\system32\dwm.exe

C:\Users\Admin\AppData\Local\CZcdZavYP\dwm.exe

C:\Users\Admin\AppData\Local\CZcdZavYP\dwm.exe

C:\Windows\system32\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Users\Admin\AppData\Local\gWUvR\Utilman.exe

C:\Users\Admin\AppData\Local\gWUvR\Utilman.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Cts\PresentationSettings.exe

C:\Users\Admin\AppData\Local\Cts\WINMM.dll

\Users\Admin\AppData\Local\Cts\WINMM.dll

\Users\Admin\AppData\Local\Cts\PresentationSettings.exe

C:\Users\Admin\AppData\Local\CZcdZavYP\UxTheme.dll

C:\Users\Admin\AppData\Local\CZcdZavYP\dwm.exe

\Users\Admin\AppData\Local\CZcdZavYP\UxTheme.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Qbi\dwm.exe

\Users\Admin\AppData\Local\gWUvR\Utilman.exe

C:\Users\Admin\AppData\Local\gWUvR\DUI70.dll

\Users\Admin\AppData\Local\gWUvR\DUI70.dll

C:\Users\Admin\AppData\Local\gWUvR\Utilman.exe

C:\Users\Admin\AppData\Local\gWUvR\Utilman.exe

\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\sBV9\Utilman.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\diDhYaScV\WINMM.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Qbi\UxTheme.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\sBV9\DUI70.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-08 11:48

Reported

2024-01-08 11:51

Platform

win10v2004-20231215-en

Max time kernel

158s

Max time network

164s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b59b3ac6f8e8796c5cccad0b1b1a495.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\eqJiWH\\cttune.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ekN3g\DevicePairingWizard.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\HkLl\cttune.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Ilza\systemreset.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 1436 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 3444 wrote to memory of 1436 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 3444 wrote to memory of 1480 N/A N/A C:\Users\Admin\AppData\Local\ekN3g\DevicePairingWizard.exe
PID 3444 wrote to memory of 1480 N/A N/A C:\Users\Admin\AppData\Local\ekN3g\DevicePairingWizard.exe
PID 3444 wrote to memory of 2376 N/A N/A C:\Windows\system32\cttune.exe
PID 3444 wrote to memory of 2376 N/A N/A C:\Windows\system32\cttune.exe
PID 3444 wrote to memory of 1192 N/A N/A C:\Users\Admin\AppData\Local\HkLl\cttune.exe
PID 3444 wrote to memory of 1192 N/A N/A C:\Users\Admin\AppData\Local\HkLl\cttune.exe
PID 3444 wrote to memory of 1888 N/A N/A C:\Windows\system32\systemreset.exe
PID 3444 wrote to memory of 1888 N/A N/A C:\Windows\system32\systemreset.exe
PID 3444 wrote to memory of 4712 N/A N/A C:\Users\Admin\AppData\Local\Ilza\systemreset.exe
PID 3444 wrote to memory of 4712 N/A N/A C:\Users\Admin\AppData\Local\Ilza\systemreset.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4b59b3ac6f8e8796c5cccad0b1b1a495.dll,#1

C:\Windows\system32\DevicePairingWizard.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\ekN3g\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\ekN3g\DevicePairingWizard.exe

C:\Windows\system32\cttune.exe

C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\HkLl\cttune.exe

C:\Users\Admin\AppData\Local\HkLl\cttune.exe

C:\Windows\system32\systemreset.exe

C:\Windows\system32\systemreset.exe

C:\Users\Admin\AppData\Local\Ilza\systemreset.exe

C:\Users\Admin\AppData\Local\Ilza\systemreset.exe

Network

Files

C:\Users\Admin\AppData\Local\ekN3g\MFC42u.dll

C:\Users\Admin\AppData\Local\ekN3g\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\ekN3g\MFC42u.dll

C:\Users\Admin\AppData\Local\ekN3g\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\HkLl\OLEACC.dll

C:\Users\Admin\AppData\Local\HkLl\OLEACC.dll

C:\Users\Admin\AppData\Local\HkLl\cttune.exe

C:\Users\Admin\AppData\Local\Ilza\ReAgent.dll

C:\Users\Admin\AppData\Local\Ilza\ReAgent.dll

C:\Users\Admin\AppData\Local\Ilza\systemreset.exe

C:\Users\Admin\AppData\Local\Ilza\ReAgent.dll

C:\Users\Admin\AppData\Local\Ilza\systemreset.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\aXtycor\MFC42u.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\eqJiWH\OLEACC.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Lnty04I\ReAgent.dll
