Malware Analysis Report

2024-11-15 08:50

Sample ID 240119-x2fbyacbbr
Target 686ead54f11ad7a199730fa54bd87917
SHA256 157dba446a7b409cd3c0b7b59b764fde1820a4c8c7431a2ea28e841ec9ea5056
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

157dba446a7b409cd3c0b7b59b764fde1820a4c8c7431a2ea28e841ec9ea5056

Threat Level: Known bad

The file 686ead54f11ad7a199730fa54bd87917 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-19 19:20

Signatures

Unsigned PE

(no description, indicator, process or target recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-19 19:20

Reported

2024-01-19 19:23

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\686ead54f11ad7a199730fa54bd87917.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
(no description, indicator, process or target recorded for this signature)

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe | N/A
(four further entries recorded without details)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\ooE\\DEVICE~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A   (3 entries)
(61 further entries recorded without description, indicator, process or target)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1216 wrote to memory of 2588 (3 writes) | N/A | N/A | C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1216 wrote to memory of 2732 (3 writes) | N/A | N/A | C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe
PID 1216 wrote to memory of 2044 (3 writes) | N/A | N/A | C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1216 wrote to memory of 1696 (3 writes) | N/A | N/A | C:\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe
PID 1216 wrote to memory of 2440 (3 writes) | N/A | N/A | C:\Windows\system32\dialer.exe
PID 1216 wrote to memory of 2972 (3 writes) | N/A | N/A | C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe

Uses Task Scheduler COM API

persistence

Processes

Each process is listed with its command line; where the command line is only the image path it is not repeated. PIDs are taken from the WriteProcessMemory table above.

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\686ead54f11ad7a199730fa54bd87917.dll,#1

C:\Windows\system32\SystemPropertiesPerformance.exe (PID 2588)
C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe (PID 2732)
C:\Windows\system32\DeviceDisplayObjectProvider.exe (PID 2044)
C:\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe (PID 1696)
C:\Windows\system32\dialer.exe (PID 2440)
C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe (PID 2972)

Network

No network activity was recorded for this detonation.

Files

memory/1912-1-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1912-0-0x0000000000330000-0x0000000000337000-memory.dmp

memory/1216-4-0x0000000077966000-0x0000000077967000-memory.dmp

memory/1216-5-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/1216-12-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-11-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-10-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-9-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1912-8-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-7-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-13-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-15-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-14-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-17-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-18-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-16-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-19-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-20-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-21-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-22-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-24-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-23-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-25-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-27-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-26-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-29-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-28-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-31-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-30-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-32-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-35-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-34-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-33-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-36-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-37-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-65-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-64-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-63-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-62-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-61-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-60-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-59-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-58-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-57-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-56-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-55-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-54-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-53-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-52-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-51-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-50-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-49-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-48-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-47-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-46-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-45-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-44-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-43-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-42-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-41-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-40-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-39-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-38-0x0000000140000000-0x0000000140377000-memory.dmp

memory/1216-74-0x0000000002A50000-0x0000000002A57000-memory.dmp

memory/1216-85-0x0000000077A71000-0x0000000077A72000-memory.dmp

memory/1216-84-0x0000000077BD0000-0x0000000077BD2000-memory.dmp

\Users\Admin\AppData\Local\eNHG53n1G\SYSDM.CPL

MD5 a121d03a6d07fcac2b4074f19af1a147
SHA1 4e6f486f76833315bd56fe32e527311d100abf5e
SHA256 660046c1841f5e7dec979546b7fe3e1be5dabce6b4b7af6fe10b864ac03d5be4
SHA512 f9968942ebb5b9dafaae70f92988b0105648c956715b98fbb36ecba74e0a9172d8b8f7d66f32588cd1035f412088e0a98cb037df1ab4dc8dccc3980d55a17bc7

C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe

MD5 870726cdcc241a92785572628b89cc07
SHA1 63d47cc4fe9beb75862add1abca1d8ae8235710a
SHA256 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
SHA512 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

memory/2732-104-0x00000000000F0000-0x00000000000F7000-memory.dmp

\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe

MD5 7e2eb3a4ae11190ef4c8a9b9a9123234
SHA1 72e98687a8d28614e2131c300403c2822856e865
SHA256 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
SHA512 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

C:\Users\Admin\AppData\Local\4k4ENMr\XmlLite.dll

MD5 a4a453776b7d07f79c3f8296c7febf72
SHA1 3af3ea16e71c3655ec2f59290bde9254ed9020d2
SHA256 62d74716443adc56f3f726c29b4d158f76876e5440d4ed9ae8e022e11f81b6b9
SHA512 5ffd33f18a692a327fa95b8126a55a8a5f758bc9843ce624fbb25ff63612ae8bfd8fc4fa33a759c92e53ecb6e6208120eb954e4fe9c2ed6599f54b09472cab0a

memory/1696-124-0x0000000000170000-0x0000000000177000-memory.dmp

\Users\Admin\AppData\Local\eqVDJN76\dialer.exe

MD5 46523e17ee0f6837746924eda7e9bac9
SHA1 d6b2a9cc6bd3588fa9804ada5197afda6a9e034b
SHA256 23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382
SHA512 c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

C:\Users\Admin\AppData\Local\eqVDJN76\TAPI32.dll

MD5 46fbb655538001d339135d4c77ee8d21
SHA1 c4b592a79a2a53d9aef93039118efbb1f9e57388
SHA256 7ff55a829b489dad5c4e9bd62b97443a9ca2c411f62b32691bb883e537f30539
SHA512 cf8a3197fdf7bd39e9ff7b90ff2c1c77fc29c8a009aa759058c2d08153dd3b555b35e6e56c68c80123175f1c58985f9763f1701b307a26187724c0bc110425bc

memory/2972-143-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1216-165-0x0000000077966000-0x0000000077967000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 39311e9d44fc91675f28e1583a4cddd2
SHA1 7a2aabaa786e306e6c8ff8914ba49e1a682d38f0
SHA256 be712bfb5efe009120d00fb774abc1e8deb779466871f5139b8e7173f4aa826c
SHA512 b647667a47a2eec165a5195c8c91e64523e4adcd8a27ed0b3ac744a28425c16958463bd1a3e96183504654128df9b2e66a5dd6184f240af5d8b6a7cf9a40d4e2

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-19 19:20

Reported

2024-01-19 19:23

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\686ead54f11ad7a199730fa54bd87917.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
(no description, indicator, process or target recorded for this signature)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\u4Ui4\\sessionmsg.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\APG\sessionmsg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A   (4 entries)
(60 further entries recorded without description, indicator, process or target)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A   (8 entries)
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A   (8 entries)

Suspicious use of FindShellTrayWindow

(two entries recorded without description, indicator, process or target)

Suspicious use of UnmapMainImage

(one entry recorded without description, indicator, process or target)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3372 wrote to memory of 3000 (2 writes) | N/A | N/A | C:\Windows\system32\mspaint.exe
PID 3372 wrote to memory of 4288 (2 writes) | N/A | N/A | C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe
PID 3372 wrote to memory of 3636 (2 writes) | N/A | N/A | C:\Windows\system32\sessionmsg.exe
PID 3372 wrote to memory of 3932 (2 writes) | N/A | N/A | C:\Users\Admin\AppData\Local\APG\sessionmsg.exe
PID 3372 wrote to memory of 1644 (2 writes) | N/A | N/A | C:\Windows\system32\lpksetup.exe
PID 3372 wrote to memory of 3692 (2 writes) | N/A | N/A | C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe

Uses Task Scheduler COM API

persistence

Processes

Each process is listed with its command line; where the command line is only the image path it is not repeated. PIDs are taken from the WriteProcessMemory table above.

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\686ead54f11ad7a199730fa54bd87917.dll,#1

C:\Windows\system32\mspaint.exe (PID 3000)
C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe (PID 4288)
C:\Windows\system32\sessionmsg.exe (PID 3636)
C:\Users\Admin\AppData\Local\APG\sessionmsg.exe (PID 3932)
C:\Windows\system32\lpksetup.exe (PID 1644)
C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe (PID 3692)
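Both detonations above show the same chain: a System32 executable (SystemPropertiesPerformance.exe, DeviceDisplayObjectProvider.exe and dialer.exe on Windows 7; mspaint.exe, sessionmsg.exe and lpksetup.exe on Windows 10) is started from System32, a copy of it is written to a random directory under %LOCALAPPDATA% next to a DLL or CPL that the executable loads by name (SYSDM.CPL, XmlLite.dll, TAPI32.dll; MFC42u.dll, DUser.dll, dpx.dll), the copy is run and written into by a single parent PID (1216, then 3372), and persistence is set through a Run value pointing into AppData, a Startup-folder .lnk and the Task Scheduler COM API. The Python below is an added example, not part of the sandbox report and not any vendor's detection content: it runs a few rules over an event list constructed from the paths in this report (the event dict schema is an assumption) and flags the copy outside System32, the co-located DLL/CPL, the cross-process write into the copy, the Startup .lnk and the AppData Run value, additionally marking 8.3 short-name paths such as MICROS~1\INTERN~1\...\DEVICE~1.EXE, which the Windows 7 run uses for both its Run value and its Startup .lnk. SYSTEM32_BINARIES is seeded from this report's six names only; a production rule would derive it from a clean reference image.

```python
import ntpath
import re

# System32 executables this sample copied into random directories under
# %LOCALAPPDATA% (names taken from the report). For production use, build this
# set from a clean reference image, not from one sample's IOCs.
SYSTEM32_BINARIES = {
    "systempropertiesperformance.exe", "devicedisplayobjectprovider.exe",
    "dialer.exe", "mspaint.exe", "sessionmsg.exe", "lpksetup.exe",
}
SYSTEM32_DIR = r"c:\windows\system32"
APPDATA = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
SHORT_NAME = re.compile(r"~\d+(\\|\.|$)")        # 8.3 components: MICROS~1, DEVICE~1.EXE
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
STARTUP_DIR = re.compile(r"\\(start menu|startm~1)\\programs\\startup\\", re.I)


def _split(path):
    """Directory and file name, lower-cased for case-insensitive matching."""
    directory, name = ntpath.split(path)
    return directory.lower(), name.lower()


def triage(events):
    """Return (rule, detail) findings for a list of event dicts.

    Constructed event schema (not any product's format):
      {"kind": "process",  "pid": int, "image": str}
      {"kind": "write",    "pid": int, "target_pid": int}   # WriteProcessMemory
      {"kind": "file",     "path": str}                      # file written
      {"kind": "registry", "key": str, "data": str}          # value set
    """
    findings = []
    masq_dirs = set()   # directories holding a copy of a System32 binary
    masq_pids = {}      # pid -> image, for copies that actually ran

    # Pass 1: a System32-named executable living or running outside System32.
    for ev in events:
        if ev["kind"] not in ("process", "file"):
            continue
        path = ev["image"] if ev["kind"] == "process" else ev["path"]
        directory, name = _split(path)
        if name in SYSTEM32_BINARIES and not directory.startswith(SYSTEM32_DIR):
            masq_dirs.add(directory)
            if ev["kind"] == "process":
                masq_pids[ev["pid"]] = path
                findings.append(("masquerade", f"pid {ev['pid']} runs {name} from {directory}"))

    # Pass 2: DLL/CPL beside a copy, injection into a copy, persistence.
    for ev in events:
        kind = ev["kind"]
        if kind == "file":
            directory, name = _split(ev["path"])
            if directory in masq_dirs and name.endswith((".dll", ".cpl")):
                findings.append(("sideload", f"{name} dropped beside a copied System32 binary in {directory}"))
            elif name.endswith(".lnk") and STARTUP_DIR.search(ev["path"]):
                findings.append(("startup_lnk", ev["path"]))
        elif kind == "write" and ev["target_pid"] in masq_pids:
            findings.append(("injection", f"pid {ev['pid']} wrote into pid {ev['target_pid']} ({masq_pids[ev['target_pid']]})"))
        elif kind == "registry" and RUN_KEY.search(ev["key"]):
            data = ev["data"].strip('"')
            if APPDATA.search(data):
                why = "AppData target"
                if SHORT_NAME.search(data):
                    why += ", 8.3 short-name path"
                findings.append(("run_key", f"{ev['key']} -> {data} ({why})"))
    return findings


# Constructed from the behavioral1 and behavioral2 tables; the last entry is a
# benign control that must not be flagged.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 2588, "image": r"C:\Windows\system32\SystemPropertiesPerformance.exe"},
    {"kind": "write", "pid": 1216, "target_pid": 2588},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe"},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Local\eNHG53n1G\SYSDM.CPL"},
    {"kind": "process", "pid": 2732, "image": r"C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe"},
    {"kind": "write", "pid": 1216, "target_pid": 2732},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Local\eqVDJN76\TAPI32.dll"},
    {"kind": "process", "pid": 2972, "image": r"C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe"},
    {"kind": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr",
     "data": r'"C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\UserData\ooE\DEVICE~1.EXE"'},
    {"kind": "registry",
     "key": r"\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj",
     "data": r'"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\u4Ui4\sessionmsg.exe"'},
    {"kind": "file", "path": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk"},
    {"kind": "file", "path": r"C:\Program Files\Common Files\System\ado\msado15.dll"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:12} {detail}")
```

The co-location rule deliberately does not parse the executable's import table; it scores the directory shape that every child in both runs shares, a freshly written System32-named .exe with one DLL or CPL beside it. The write into the System32 original (PID 2588 in the sample events) is not flagged, because the rule only scores writes into the AppData copies; widen it if your telemetry attributes parent/child reliably.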

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 53.179.17.96.in-addr.arpa | udp
US | 20.231.121.79:80 | (none: direct connection, no name resolved) | tcp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp
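The table above holds fourteen reverse (PTR) lookups sent to 8.8.8.8 and one direct TCP connection with no name attached; no forward lookup of any domain is recorded, so this page supports no C2 domain indicator. PTR names are easy to misread because the octets are reversed (28.118.140.52.in-addr.arpa asks about 52.140.118.28). The Python below is an added example, not part of the report: it parses the table as printed (the Domain column is empty on the tcp row), decodes each PTR name back to the address it asks about, and separates addresses that were merely reverse-resolved from destinations that were actually contacted. Whether any of this traffic belongs to the sample rather than to the Windows 10 image's own background activity cannot be decided from this page.

```python
import ipaddress

# The behavioral2 Network table copied from this report into a string so the
# example runs offline; the third row has no Domain column.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.179.17.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp
"""


def decode_ptr(name):
    """Map a reverse-lookup name back to the address it asks about.

    PTR names list the octets in reverse, so 28.118.140.52.in-addr.arpa is a
    question about 52.140.118.28. Returns None for anything that is not a
    well-formed IPv4 reverse name.
    """
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_network_table(text):
    """Parse the space-separated table; the Domain column may be absent."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) not in (3, 4):
            raise ValueError(f"unexpected row: {line!r}")
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Split the table into reverse lookups and direct connections.

    Returns (ptr_targets, connections, unnamed): the addresses asked about via
    PTR, the destinations contacted without any name, and the subset of those
    connections whose address was never reverse-resolved either.
    """
    ptr_targets = sorted({decode_ptr(r["domain"]) for r in rows} - {None},
                         key=ipaddress.IPv4Address)
    connections = sorted(r["dest"] for r in rows if not r["domain"])
    unnamed = [c for c in connections if c.rsplit(":", 1)[0] not in ptr_targets]
    return ptr_targets, connections, unnamed


if __name__ == "__main__":
    ptr, conns, unnamed = summarize(parse_network_table(NETWORK_TABLE))
    print("reverse-resolved:", ", ".join(ptr))
    print("contacted:", conns)
    print("contacted without any name lookup:", unnamed)
```

Note that the only connection, 20.231.121.79:80, has no forward or reverse name on the page at all, while none of the fourteen reverse-resolved addresses was contacted in the captured window; that asymmetry is what a hunter should carry into any further pivoting on this sample.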

Files

memory/4332-0-0x0000000140000000-0x0000000140377000-memory.dmp

memory/4332-1-0x0000000140000000-0x0000000140377000-memory.dmp

memory/4332-3-0x000001AD911A0000-0x000001AD911A7000-memory.dmp

memory/3372-5-0x00000000036C0000-0x00000000036C1000-memory.dmp

memory/3372-8-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-10-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-7-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-9-0x00007FFC901AA000-0x00007FFC901AB000-memory.dmp

memory/3372-11-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-12-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-13-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-14-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-15-0x0000000140000000-0x0000000140377000-memory.dmp

memory/4332-16-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-17-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-18-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-19-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-20-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-22-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-23-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-21-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-24-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-25-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-26-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-27-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-28-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-29-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-30-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-31-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-32-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-33-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-34-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-35-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-36-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-37-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-38-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-39-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-40-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-41-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-42-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-43-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-44-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-45-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-46-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-47-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-48-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-49-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-50-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-51-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-52-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-53-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-54-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-55-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-56-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-57-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-58-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-59-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-61-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-60-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-62-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-63-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-64-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-65-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-66-0x0000000140000000-0x0000000140377000-memory.dmp

memory/3372-67-0x0000000003210000-0x0000000003217000-memory.dmp

memory/3372-76-0x00007FFC912E0000-0x00007FFC912F0000-memory.dmp

C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe

MD5 f221a4ccafec690101c59f726c95b646
SHA1 2098e4b62eaab213cbee73ba40fe4f1b8901a782
SHA256 94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709
SHA512 8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf

C:\Users\Admin\AppData\Local\raRvDY1c\MFC42u.dll

MD5 5f13b4c62f85ab2c01ff5c8c6a10bca4
SHA1 ed1ea0ebe89c4276daef66407588b3132e6c6736
SHA256 1544154c1bba837590a9b9833c8a86bf4d8a2354e2e22fbfb4c650de4d232038
SHA512 670b41600c19a5b906da2f496d3b441412990440d607e8642b94d70e330e845d215f99366ebb319f59e85f61726c91808b70bc3842572c09f8db9a7018a5359c

memory/4288-98-0x0000000140000000-0x000000014037E000-memory.dmp

memory/4288-100-0x000002ABDF7F0000-0x000002ABDF7F7000-memory.dmp

memory/4288-103-0x0000000140000000-0x000000014037E000-memory.dmp

C:\Users\Admin\AppData\Local\APG\sessionmsg.exe

MD5 480f710806b68dfe478ca1ec7d7e79cc
SHA1 b4fc97fed2dbff9c4874cb65ede7b50699db37cd
SHA256 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc
SHA512 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

C:\Users\Admin\AppData\Local\APG\DUser.dll

MD5 702bc27161117d7a8294c608a32534bf
SHA1 ef183fb21eb03fa1db51bb2ee189e381dc50fef7
SHA256 2efd5495fc23c28e4ecc1b127c6a47e04965a72b45cd1a50ebfab037a22ac0f7
SHA512 2b7b75b3c46384c6979bf2244e78f7173bd917da153f2e5d74425e7cd7a60a9ce36a3893531920dcb1e73ad7029f9cc1d9a6fe7bbca9b8a2caa5fe81c9656204

memory/3932-114-0x0000000140000000-0x0000000140379000-memory.dmp

memory/3932-115-0x000001FBE2790000-0x000001FBE2797000-memory.dmp

memory/3932-120-0x0000000140000000-0x0000000140379000-memory.dmp

C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe

MD5 c75516a32e0aea02a184074d55d1a997
SHA1 f9396946c078f8b0f28e3a6e21a97eeece31d13f
SHA256 cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22
SHA512 92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc

C:\Users\Admin\AppData\Local\ACqx4XaS\dpx.dll

MD5 f39d4b64ad8035f15eb7c25e6ee41449
SHA1 32e6178d819a25d88a6b46ebcf36118dd08e8834
SHA256 65ae0849104a1c8f19589cc0bb34c9567358a7d64c69020f0874a8bc5c29de35
SHA512 c467fd4539c8964e8fd6c2fd394d28c345d8a8ac60616c6eb52671afbcddb6744e660056d5152a27b2c840c0d6a442b99b24e3c0d2c9b4aa17b88fed183dae6d

memory/3692-131-0x0000000140000000-0x0000000140378000-memory.dmp

memory/3692-133-0x00000229771F0000-0x00000229771F7000-memory.dmp

memory/3692-141-0x0000000140000000-0x0000000140378000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 747032d2cb3d6ce256b6ab17a9317405
SHA1 a726ffd1ed4cd189c030641d8751adbfa4026d57
SHA256 12c5c86243289459ac6362ad6651f9dc0286cf64c42ecbf1f08db92ee61e10d3
SHA512 249e570fc2ba1abf53e0e2ab890374359bbd5bfee23cea8dfacfeda84f8707d1d85d9cb3938f850804a02c44f60a2ae558fd540379f84df3f1457a744ada30ac
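Both Files sections above list memory regions the sandbox dumped, named memory/<pid>-<index>-<start>-<end>-memory.dmp, where the index is the order of capture. Read that way, the list records the injection: in behavioral1 the region 0x0000000140000000-0x0000000140377000 is first dumped from PID 1912 (index 1) and then repeatedly from PID 1216 (from index 7 onward), the PID that the WriteProcessMemory table shows writing into every spawned process; behavioral2 shows the same region first in PID 4332 and then in PID 3372. Each AppData child also has exactly one 0x7000-byte region dumped (PIDs 2732, 1696 and 2972; 4288, 3932 and 3692), as do 1912 and 1216. The report does not say which image PIDs 1216 and 3372 belong to, so the Python below, an added example that is not part of the report, only reports what the names support: which exact regions were dumped from more than one process and in what order, and which processes share a region size. Region matching is exact, so the slightly larger 0x140000000 regions in the behavioral2 children (ending 0x14037E000, 0x140379000 and 0x140378000) stay separate. The two sample lists are subsets copied from the Files sections.

```python
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<index>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Subsets of the behavioral1 and behavioral2 Files sections, copied from this report.
BEHAVIORAL1_DUMPS = [
    "memory/1912-1-0x0000000140000000-0x0000000140377000-memory.dmp",
    "memory/1912-0-0x0000000000330000-0x0000000000337000-memory.dmp",
    "memory/1216-4-0x0000000077966000-0x0000000077967000-memory.dmp",
    "memory/1216-5-0x0000000002A80000-0x0000000002A81000-memory.dmp",
    "memory/1216-7-0x0000000140000000-0x0000000140377000-memory.dmp",
    "memory/1912-8-0x0000000140000000-0x0000000140377000-memory.dmp",
    "memory/1216-74-0x0000000002A50000-0x0000000002A57000-memory.dmp",
    "memory/2732-104-0x00000000000F0000-0x00000000000F7000-memory.dmp",
    "memory/1696-124-0x0000000000170000-0x0000000000177000-memory.dmp",
    "memory/2972-143-0x0000000000190000-0x0000000000197000-memory.dmp",
]
BEHAVIORAL2_DUMPS = [
    "memory/4332-0-0x0000000140000000-0x0000000140377000-memory.dmp",
    "memory/4332-3-0x000001AD911A0000-0x000001AD911A7000-memory.dmp",
    "memory/3372-5-0x00000000036C0000-0x00000000036C1000-memory.dmp",
    "memory/3372-7-0x0000000140000000-0x0000000140377000-memory.dmp",
    "memory/3372-9-0x00007FFC901AA000-0x00007FFC901AB000-memory.dmp",
    "memory/4332-16-0x0000000140000000-0x0000000140377000-memory.dmp",
    "memory/3372-67-0x0000000003210000-0x0000000003217000-memory.dmp",
    "memory/4288-98-0x0000000140000000-0x000000014037E000-memory.dmp",
    "memory/4288-100-0x000002ABDF7F0000-0x000002ABDF7F7000-memory.dmp",
    "memory/3932-114-0x0000000140000000-0x0000000140379000-memory.dmp",
    "memory/3932-115-0x000001FBE2790000-0x000001FBE2797000-memory.dmp",
    "memory/3692-131-0x0000000140000000-0x0000000140378000-memory.dmp",
    "memory/3692-133-0x00000229771F0000-0x00000229771F7000-memory.dmp",
]


def parse_dump_name(name):
    """Split memory/<pid>-<index>-<start>-<end>-memory.dmp into its fields."""
    m = DUMP_NAME.match(name.strip())
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    return {"pid": int(m["pid"]), "index": int(m["index"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def shared_regions(names):
    """Regions (exact start and end) dumped from more than one process.

    Each result lists the PIDs in the order of their earliest dump of that
    region, so the first PID is where the region was seen first.
    """
    first_index = {}                      # (start, end) -> {pid: earliest index}
    for d in map(parse_dump_name, names):
        per_pid = first_index.setdefault((d["start"], d["end"]), {})
        per_pid[d["pid"]] = min(per_pid.get(d["pid"], d["index"]), d["index"])
    shared = []
    for (start, end), per_pid in first_index.items():
        if len(per_pid) > 1:
            shared.append({"start": start, "end": end, "size": end - start,
                           "pids": sorted(per_pid, key=per_pid.get)})
    return shared


def regions_by_size(names):
    """Map region size -> sorted PIDs that had a region of exactly that size dumped."""
    sizes = defaultdict(set)
    for d in map(parse_dump_name, names):
        sizes[d["end"] - d["start"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in sizes.items()}


if __name__ == "__main__":
    for label, names in (("behavioral1", BEHAVIORAL1_DUMPS), ("behavioral2", BEHAVIORAL2_DUMPS)):
        for r in shared_regions(names):
            print(f"{label}: 0x{r['start']:X}-0x{r['end']:X} ({r['size']:#x} bytes) in PIDs {r['pids']}")
        print(f"{label}: by size", {f"{s:#x}": p for s, p in regions_by_size(names).items()})
```

The same two functions run unchanged over the full lists on this page; the subsets above are only to keep the example short.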