Analysis Overview
SHA256
157dba446a7b409cd3c0b7b59b764fde1820a4c8c7431a2ea28e841ec9ea5056
Threat Level: Known bad
The file 686ead54f11ad7a199730fa54bd87917 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-19 19:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-19 19:20
Reported
2024-01-19 19:23
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\ooE\\DEVICE~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\686ead54f11ad7a199730fa54bd87917.dll,#1
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Windows\system32\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe
C:\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe
C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe
C:\Users\Admin\AppData\Local\eqVDJN76\dialer.exe
Network
Files
memory/1912-1-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1912-0-0x0000000000330000-0x0000000000337000-memory.dmp
memory/1216-4-0x0000000077966000-0x0000000077967000-memory.dmp
memory/1216-5-0x0000000002A80000-0x0000000002A81000-memory.dmp
memory/1216-12-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-11-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-10-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-9-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1912-8-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-7-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-13-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-15-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-14-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-17-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-18-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-16-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-19-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-20-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-21-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-22-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-24-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-23-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-25-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-27-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-26-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-29-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-28-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-31-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-30-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-32-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-35-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-34-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-33-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-36-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-37-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-65-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-64-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-63-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-62-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-61-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-60-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-59-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-58-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-57-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-56-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-55-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-54-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-53-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-52-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-51-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-50-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-49-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-48-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-47-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-46-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-45-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-44-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-43-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-42-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-41-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-40-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-39-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-38-0x0000000140000000-0x0000000140377000-memory.dmp
memory/1216-74-0x0000000002A50000-0x0000000002A57000-memory.dmp
memory/1216-85-0x0000000077A71000-0x0000000077A72000-memory.dmp
memory/1216-84-0x0000000077BD0000-0x0000000077BD2000-memory.dmp
\Users\Admin\AppData\Local\eNHG53n1G\SYSDM.CPL
| Hash | Value |
| --- | --- |
| MD5 | a121d03a6d07fcac2b4074f19af1a147 |
| SHA1 | 4e6f486f76833315bd56fe32e527311d100abf5e |
| SHA256 | 660046c1841f5e7dec979546b7fe3e1be5dabce6b4b7af6fe10b864ac03d5be4 |
| SHA512 | f9968942ebb5b9dafaae70f92988b0105648c956715b98fbb36ecba74e0a9172d8b8f7d66f32588cd1035f412088e0a98cb037df1ab4dc8dccc3980d55a17bc7 |
C:\Users\Admin\AppData\Local\eNHG53n1G\SystemPropertiesPerformance.exe
| Hash | Value |
| --- | --- |
| MD5 | 870726cdcc241a92785572628b89cc07 |
| SHA1 | 63d47cc4fe9beb75862add1abca1d8ae8235710a |
| SHA256 | 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6 |
| SHA512 | 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72 |
memory/2732-104-0x00000000000F0000-0x00000000000F7000-memory.dmp
\Users\Admin\AppData\Local\4k4ENMr\DeviceDisplayObjectProvider.exe
| Hash | Value |
| --- | --- |
| MD5 | 7e2eb3a4ae11190ef4c8a9b9a9123234 |
| SHA1 | 72e98687a8d28614e2131c300403c2822856e865 |
| SHA256 | 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0 |
| SHA512 | 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf |
C:\Users\Admin\AppData\Local\4k4ENMr\XmlLite.dll
| Hash | Value |
| --- | --- |
| MD5 | a4a453776b7d07f79c3f8296c7febf72 |
| SHA1 | 3af3ea16e71c3655ec2f59290bde9254ed9020d2 |
| SHA256 | 62d74716443adc56f3f726c29b4d158f76876e5440d4ed9ae8e022e11f81b6b9 |
| SHA512 | 5ffd33f18a692a327fa95b8126a55a8a5f758bc9843ce624fbb25ff63612ae8bfd8fc4fa33a759c92e53ecb6e6208120eb954e4fe9c2ed6599f54b09472cab0a |
memory/1696-124-0x0000000000170000-0x0000000000177000-memory.dmp
\Users\Admin\AppData\Local\eqVDJN76\dialer.exe
| Hash | Value |
| --- | --- |
| MD5 | 46523e17ee0f6837746924eda7e9bac9 |
| SHA1 | d6b2a9cc6bd3588fa9804ada5197afda6a9e034b |
| SHA256 | 23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382 |
| SHA512 | c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a |
C:\Users\Admin\AppData\Local\eqVDJN76\TAPI32.dll
| Hash | Value |
| --- | --- |
| MD5 | 46fbb655538001d339135d4c77ee8d21 |
| SHA1 | c4b592a79a2a53d9aef93039118efbb1f9e57388 |
| SHA256 | 7ff55a829b489dad5c4e9bd62b97443a9ca2c411f62b32691bb883e537f30539 |
| SHA512 | cf8a3197fdf7bd39e9ff7b90ff2c1c77fc29c8a009aa759058c2d08153dd3b555b35e6e56c68c80123175f1c58985f9763f1701b307a26187724c0bc110425bc |
memory/2972-143-0x0000000000190000-0x0000000000197000-memory.dmp
memory/1216-165-0x0000000077966000-0x0000000077967000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk
| Hash | Value |
| --- | --- |
| MD5 | 39311e9d44fc91675f28e1583a4cddd2 |
| SHA1 | 7a2aabaa786e306e6c8ff8914ba49e1a682d38f0 |
| SHA256 | be712bfb5efe009120d00fb774abc1e8deb779466871f5139b8e7173f4aa826c |
| SHA512 | b647667a47a2eec165a5195c8c91e64523e4adcd8a27ed0b3ac744a28425c16958463bd1a3e96183504654128df9b2e66a5dd6184f240af5d8b6a7cf9a40d4e2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-19 19:20
Reported
2024-01-19 19:23
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\APG\sessionmsg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\APG\sessionmsg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\u4Ui4\\sessionmsg.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\APG\sessionmsg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3372 wrote to memory of 3000 | N/A | N/A | C:\Windows\system32\mspaint.exe |
| PID 3372 wrote to memory of 3000 | N/A | N/A | C:\Windows\system32\mspaint.exe |
| PID 3372 wrote to memory of 4288 | N/A | N/A | C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe |
| PID 3372 wrote to memory of 4288 | N/A | N/A | C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe |
| PID 3372 wrote to memory of 3636 | N/A | N/A | C:\Windows\system32\sessionmsg.exe |
| PID 3372 wrote to memory of 3636 | N/A | N/A | C:\Windows\system32\sessionmsg.exe |
| PID 3372 wrote to memory of 3932 | N/A | N/A | C:\Users\Admin\AppData\Local\APG\sessionmsg.exe |
| PID 3372 wrote to memory of 3932 | N/A | N/A | C:\Users\Admin\AppData\Local\APG\sessionmsg.exe |
| PID 3372 wrote to memory of 1644 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 3372 wrote to memory of 1644 | N/A | N/A | C:\Windows\system32\lpksetup.exe |
| PID 3372 wrote to memory of 3692 | N/A | N/A | C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe |
| PID 3372 wrote to memory of 3692 | N/A | N/A | C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\686ead54f11ad7a199730fa54bd87917.dll,#1
C:\Windows\system32\mspaint.exe
C:\Windows\system32\mspaint.exe
C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe
C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe
C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
C:\Users\Admin\AppData\Local\APG\sessionmsg.exe
C:\Users\Admin\AppData\Local\APG\sessionmsg.exe
C:\Windows\system32\lpksetup.exe
C:\Windows\system32\lpksetup.exe
C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe
C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.179.17.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/4332-0-0x0000000140000000-0x0000000140377000-memory.dmp
memory/4332-1-0x0000000140000000-0x0000000140377000-memory.dmp
memory/4332-3-0x000001AD911A0000-0x000001AD911A7000-memory.dmp
memory/3372-5-0x00000000036C0000-0x00000000036C1000-memory.dmp
memory/3372-8-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-10-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-7-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-9-0x00007FFC901AA000-0x00007FFC901AB000-memory.dmp
memory/3372-11-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-12-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-13-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-14-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-15-0x0000000140000000-0x0000000140377000-memory.dmp
memory/4332-16-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-17-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-18-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-19-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-20-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-22-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-23-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-21-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-24-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-25-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-26-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-27-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-28-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-29-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-30-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-31-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-32-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-33-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-34-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-35-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-36-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-37-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-38-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-39-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-40-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-41-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-42-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-43-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-44-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-45-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-46-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-47-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-48-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-49-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-50-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-51-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-52-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-53-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-54-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-55-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-56-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-57-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-58-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-59-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-61-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-60-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-62-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-63-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-64-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-65-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-66-0x0000000140000000-0x0000000140377000-memory.dmp
memory/3372-67-0x0000000003210000-0x0000000003217000-memory.dmp
memory/3372-76-0x00007FFC912E0000-0x00007FFC912F0000-memory.dmp
C:\Users\Admin\AppData\Local\raRvDY1c\mspaint.exe
| Hash | Value |
| --- | --- |
| MD5 | f221a4ccafec690101c59f726c95b646 |
| SHA1 | 2098e4b62eaab213cbee73ba40fe4f1b8901a782 |
| SHA256 | 94aa32a2c9c1d2db78318d9c68262c2f834abe26b6e9a661700324b55fdd5709 |
| SHA512 | 8e3f4e4f68565ef09f5e762d6bb41b160711bbacac9dfcbe33edea9885fd042e6ce9a248bfcc62f9cffdb8e6bbe1b04c89bd41fcd9a373a5c8bc7bbff96dceaf |
C:\Users\Admin\AppData\Local\raRvDY1c\MFC42u.dll
| Hash | Value |
| --- | --- |
| MD5 | 5f13b4c62f85ab2c01ff5c8c6a10bca4 |
| SHA1 | ed1ea0ebe89c4276daef66407588b3132e6c6736 |
| SHA256 | 1544154c1bba837590a9b9833c8a86bf4d8a2354e2e22fbfb4c650de4d232038 |
| SHA512 | 670b41600c19a5b906da2f496d3b441412990440d607e8642b94d70e330e845d215f99366ebb319f59e85f61726c91808b70bc3842572c09f8db9a7018a5359c |
memory/4288-98-0x0000000140000000-0x000000014037E000-memory.dmp
memory/4288-100-0x000002ABDF7F0000-0x000002ABDF7F7000-memory.dmp
memory/4288-103-0x0000000140000000-0x000000014037E000-memory.dmp
C:\Users\Admin\AppData\Local\APG\sessionmsg.exe
| Hash | Value |
| --- | --- |
| MD5 | 480f710806b68dfe478ca1ec7d7e79cc |
| SHA1 | b4fc97fed2dbff9c4874cb65ede7b50699db37cd |
| SHA256 | 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc |
| SHA512 | 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db |
C:\Users\Admin\AppData\Local\APG\DUser.dll
| Hash | Value |
| --- | --- |
| MD5 | 702bc27161117d7a8294c608a32534bf |
| SHA1 | ef183fb21eb03fa1db51bb2ee189e381dc50fef7 |
| SHA256 | 2efd5495fc23c28e4ecc1b127c6a47e04965a72b45cd1a50ebfab037a22ac0f7 |
| SHA512 | 2b7b75b3c46384c6979bf2244e78f7173bd917da153f2e5d74425e7cd7a60a9ce36a3893531920dcb1e73ad7029f9cc1d9a6fe7bbca9b8a2caa5fe81c9656204 |
memory/3932-114-0x0000000140000000-0x0000000140379000-memory.dmp
memory/3932-115-0x000001FBE2790000-0x000001FBE2797000-memory.dmp
memory/3932-120-0x0000000140000000-0x0000000140379000-memory.dmp
C:\Users\Admin\AppData\Local\ACqx4XaS\lpksetup.exe
| Hash | Value |
| --- | --- |
| MD5 | c75516a32e0aea02a184074d55d1a997 |
| SHA1 | f9396946c078f8b0f28e3a6e21a97eeece31d13f |
| SHA256 | cb3cbeaaff7c07b044f70177e2899a87e80840d177238eb7dd25b8d9e20bef22 |
| SHA512 | 92994fdb75b15742e33e6d7a499664b722e45b9c160d8cc42d30bc727044063d589f45853692b5b754df6ff0fd21294dc32fed985b153f93f4bcf9f8c89a5bcc |
C:\Users\Admin\AppData\Local\ACqx4XaS\dpx.dll
| Hash | Value |
| --- | --- |
| MD5 | f39d4b64ad8035f15eb7c25e6ee41449 |
| SHA1 | 32e6178d819a25d88a6b46ebcf36118dd08e8834 |
| SHA256 | 65ae0849104a1c8f19589cc0bb34c9567358a7d64c69020f0874a8bc5c29de35 |
| SHA512 | c467fd4539c8964e8fd6c2fd394d28c345d8a8ac60616c6eb52671afbcddb6744e660056d5152a27b2c840c0d6a442b99b24e3c0d2c9b4aa17b88fed183dae6d |
memory/3692-131-0x0000000140000000-0x0000000140378000-memory.dmp
memory/3692-133-0x00000229771F0000-0x00000229771F7000-memory.dmp
memory/3692-141-0x0000000140000000-0x0000000140378000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| Hash | Value |
| --- | --- |
| MD5 | 747032d2cb3d6ce256b6ab17a9317405 |
| SHA1 | a726ffd1ed4cd189c030641d8751adbfa4026d57 |
| SHA256 | 12c5c86243289459ac6362ad6651f9dc0286cf64c42ecbf1f08db92ee61e10d3 |
| SHA512 | 249e570fc2ba1abf53e0e2ab890374359bbd5bfee23cea8dfacfeda84f8707d1d85d9cb3938f850804a02c44f60a2ae558fd540379f84df3f1457a744ada30ac |