Malware Analysis Report

2024-11-15 08:50

Sample ID: 240120-b1xzpshgf7
Target: 692759203e392d71d9dee01161280ef1
SHA256: 3b12db2302d38fb3cb124b01f2f6bb81d2d14cc079e87406803e7883bc256a66
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 3b12db2302d38fb3cb124b01f2f6bb81d2d14cc079e87406803e7883bc256a66

Threat Level: Known bad

The file 692759203e392d71d9dee01161280ef1 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-20 01:37

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-20 01:37
Reported: 2024-01-20 01:39
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\692759203e392d71d9dee01161280ef1.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\nL5vk0\\iexpress.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1312 wrote to memory of 2576 (3 entries) N/A N/A C:\Windows\system32\p2phost.exe
PID 1312 wrote to memory of 2612 (3 entries) N/A N/A C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe
PID 1312 wrote to memory of 1928 (3 entries) N/A N/A C:\Windows\system32\iexpress.exe
PID 1312 wrote to memory of 1396 (3 entries) N/A N/A C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe
PID 1312 wrote to memory of 1816 (3 entries) N/A N/A C:\Windows\system32\psr.exe
PID 1312 wrote to memory of 1900 (3 entries) N/A N/A C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\692759203e392d71d9dee01161280ef1.dll,#1
C:\Windows\system32\p2phost.exe
C:\Windows\system32\p2phost.exe
C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe
C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe
C:\Windows\system32\iexpress.exe
C:\Windows\system32\iexpress.exe
C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe
C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe
C:\Windows\system32\psr.exe
C:\Windows\system32\psr.exe
C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe
C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe

Network

N/A

Files


\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe
C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe
C:\Users\Admin\AppData\Local\Z0VgzS\P2P.dll
\Users\Admin\AppData\Local\Z0VgzS\P2P.dll
C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe
C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\VERSION.dll
\Users\Admin\AppData\Local\Ki2Bh6Dn4\VERSION.dll
\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe
C:\Users\Admin\AppData\Local\ZlEsTIdS\VERSION.dll
\Users\Admin\AppData\Local\ZlEsTIdS\VERSION.dll
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\H08\P2P.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\ZHz\VERSION.dll

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-20 01:37
Reported: 2024-01-20 01:39
Platform: win10v2004-20231215-en
Max time kernel: 142s
Max time network: 153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\692759203e392d71d9dee01161280ef1.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\UZh5Pkwd\\OptionalFeatures.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 4040 (2 entries) N/A N/A C:\Windows\system32\SppExtComObj.Exe
PID 3464 wrote to memory of 776 (2 entries) N/A N/A C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe
PID 3464 wrote to memory of 4468 (2 entries) N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 3464 wrote to memory of 4300 (2 entries) N/A N/A C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe
PID 3464 wrote to memory of 3516 (2 entries) N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 3464 wrote to memory of 4544 (2 entries) N/A N/A C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\692759203e392d71d9dee01161280ef1.dll,#1
C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe
C:\Windows\system32\OptionalFeatures.exe
C:\Windows\system32\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe
C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe
C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files


C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\xtVAESF\ACTIVEDS.dll
C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\RWunwh\appwiz.cpl
C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe
C:\Users\Admin\AppData\Local\6CxXERmD\WTSAPI32.dll
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk