Malware Analysis Report

2024-11-15 08:50

Sample ID: 240119-jprybaacf5
Target: 6714db2df8a6f6b5c50d59629ec34c6c
SHA256: d86ef2b5b3a29c907febf6d15d8f3fa781e1d5314549fed66df51d00db694818
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: d86ef2b5b3a29c907febf6d15d8f3fa781e1d5314549fed66df51d00db694818

Threat Level: Known bad

The file 6714db2df8a6f6b5c50d59629ec34c6c was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported: 2024-01-19 07:50

Signatures

Unsigned PE (no indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-19 07:50
Reported: 2024-01-19 07:53
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6714db2df8a6f6b5c50d59629ec34c6c.dll,#1

Signatures

Dridex
Tags: botnet, dridex

Dridex Shellcode
Tags: botnet, payload
No indicator, process or target recorded.

Loads dropped DLL
7 events; 3 with a recorded process:
C:\Users\Admin\AppData\Local\1LYvp\slui.exe
C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe
C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe

Adds Run key to start application
Tags: persistence
Set value (str): \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\4HBT6\\SoundRecorder.exe"

Checks whether UAC is enabled
Tags: evasion, trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Querying processes:
C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe
C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\1LYvp\slui.exe
C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe

Suspicious behavior: EnumeratesProcesses
64 events; 3 attributed to C:\Windows\system32\rundll32.exe, the remaining 61 with no process recorded.

Suspicious use of WriteProcessMemory
PID 1360 wrote to memory of 2888: C:\Windows\system32\slui.exe (3 events)
PID 1360 wrote to memory of 3000: C:\Users\Admin\AppData\Local\1LYvp\slui.exe (3 events)
PID 1360 wrote to memory of 784: C:\Windows\system32\SoundRecorder.exe (3 events)
PID 1360 wrote to memory of 1864: C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe (3 events)
PID 1360 wrote to memory of 2832: C:\Windows\system32\rdrleakdiag.exe (3 events)
PID 1360 wrote to memory of 2828: C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe (3 events)

Uses Task Scheduler COM API
Tags: persistence

Processes

C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6714db2df8a6f6b5c50d59629ec34c6c.dll,#1

C:\Windows\system32\slui.exe
C:\Users\Admin\AppData\Local\1LYvp\slui.exe
C:\Windows\system32\SoundRecorder.exe
C:\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe
C:\Windows\system32\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\1LYvp\slui.exe
C:\Users\Admin\AppData\Local\1LYvp\WINBRAND.dll
\Users\Admin\AppData\Local\1LYvp\WINBRAND.dll
\Users\Admin\AppData\Local\1LYvp\slui.exe
\Users\Admin\AppData\Local\xTgeUD\SoundRecorder.exe
C:\Users\Admin\AppData\Local\xTgeUD\WINMM.dll
\Users\Admin\AppData\Local\xTgeUD\WINMM.dll
\Users\Admin\AppData\Local\0ShrJ\rdrleakdiag.exe
C:\Users\Admin\AppData\Local\0ShrJ\wer.dll
\Users\Admin\AppData\Local\0ShrJ\wer.dll
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk
C:\Users\Admin\AppData\Roaming\Identities\{EF0662BB-4AFF-4F56-815E-2ED0C139F855}\8F1\WINBRAND.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\4HBT6\WINMM.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\62\wer.dll

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-19 07:50
Reported: 2024-01-19 07:53
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6714db2df8a6f6b5c50d59629ec34c6c.dll,#1

Signatures

Dridex
Tags: botnet, dridex

Dridex Shellcode
Tags: botnet, payload
No indicator, process or target recorded.

Adds Run key to start application
Tags: persistence
Set value (str): \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ddiqrdu = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\4J4NzkY\\sppsvc.exe"

Checks whether UAC is enabled
Tags: evasion, trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Querying processes:
C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe
C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe
C:\Windows\system32\rundll32.exe
C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe

Suspicious behavior: EnumeratesProcesses
64 events; 4 attributed to C:\Windows\system32\rundll32.exe, the remaining 60 with no process recorded.

Suspicious use of AdjustPrivilegeToken
18 events, alternating between two tokens; no process or target recorded:
Token: SeShutdownPrivilege (9 events)
Token: SeCreatePagefilePrivilege (9 events)

Suspicious use of FindShellTrayWindow
2 events; no indicator, process or target recorded.

Suspicious use of UnmapMainImage
1 event; no indicator, process or target recorded.

Suspicious use of WriteProcessMemory
PID 3412 wrote to memory of 4436: C:\Windows\system32\cmstp.exe (2 events)
PID 3412 wrote to memory of 4864: C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe (2 events)
PID 3412 wrote to memory of 560: C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe (2 events)
PID 3412 wrote to memory of 2848: C:\Windows\system32\SnippingTool.exe (2 events)
PID 3412 wrote to memory of 2228: C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe (2 events)
PID 3412 wrote to memory of 2776: C:\Windows\system32\RdpSaUacHelper.exe (2 events)
PID 3412 wrote to memory of 4848: C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe (2 events)

Uses Task Scheduler COM API
Tags: persistence

Processes

C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6714db2df8a6f6b5c50d59629ec34c6c.dll,#1

C:\Windows\system32\cmstp.exe
C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe
C:\Windows\system32\SnippingTool.exe
C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe
C:\Windows\system32\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe

Network

Files

C:\Users\Admin\AppData\Local\DbMLLK\VERSION.dll
C:\Users\Admin\AppData\Local\DbMLLK\cmstp.exe
C:\Users\Admin\AppData\Local\Gkdmb\XmlLite.dll
C:\Users\Admin\AppData\Local\Gkdmb\sppsvc.exe
C:\Users\Admin\AppData\Local\vOm174L7s\UxTheme.dll
C:\Users\Admin\AppData\Local\vOm174L7s\SnippingTool.exe
C:\Users\Admin\AppData\Local\q25ZD\WINSTA.dll
C:\Users\Admin\AppData\Local\q25ZD\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Udjzqp.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\ymOch4b3\VERSION.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\4J4NzkY\XmlLite.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\fO\WINSTA.dll