Analysis Overview
SHA256
3b12db2302d38fb3cb124b01f2f6bb81d2d14cc079e87406803e7883bc256a66
Threat Level: Known bad
The submitted file 692759203e392d71d9dee01161280ef1, a DLL that both detonations load through rundll32.exe export #1 (see the Processes sections), was classified Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-20 01:37
Signatures
Unsigned PE
(no indicator, process or target recorded for this signature)
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-20 01:37
Reported
2024-01-20 01:39
Platform
win7-20231215-en
Max time kernel
150s
Max time network
125s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\692759203e392d71d9dee01161280ef1.dll,#1
Signatures
Dridex
Dridex Shellcode
(no indicator, process or target recorded for this signature)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe | N/A |
(four further rows in the original report carry no description, indicator, process or target)
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\nL5vk0\\iexpress.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(61 further rows in the original report carry no description, indicator, process or target)
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1312 wrote to memory of 2576 (3 events) | N/A | N/A | C:\Windows\system32\p2phost.exe |
| PID 1312 wrote to memory of 2612 (3 events) | N/A | N/A | C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe |
| PID 1312 wrote to memory of 1928 (3 events) | N/A | N/A | C:\Windows\system32\iexpress.exe |
| PID 1312 wrote to memory of 1396 (3 events) | N/A | N/A | C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe |
| PID 1312 wrote to memory of 1816 (3 events) | N/A | N/A | C:\Windows\system32\psr.exe |
| PID 1312 wrote to memory of 1900 (3 events) | N/A | N/A | C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe |
Every write comes from PID 1312, which does not appear in the process list below. The Files section dumps the same 0x0000000140000000-0x000000014028D000 image region from PID 1312 as from PID 2092 (the rundll32 host of the submitted DLL), which is consistent with the loader having moved out of rundll32 into another process before launching each host. For each binary the genuine system32 copy is written to first, then the copy dropped under AppData\Local.
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\692759203e392d71d9dee01161280ef1.dll,#1 |
| C:\Windows\system32\p2phost.exe | C:\Windows\system32\p2phost.exe |
| C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe | C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe |
| C:\Windows\system32\iexpress.exe | C:\Windows\system32\iexpress.exe |
| C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe | C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe |
| C:\Windows\system32\psr.exe | C:\Windows\system32\psr.exe |
| C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe | C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe |
Every process after rundll32 was started without arguments, and each Windows binary runs twice: first the genuine copy from system32, then a copy dropped into a randomly named directory under AppData\Local beside a DLL named after a library that binary loads (P2P.dll beside p2phost.exe, VERSION.dll beside iexpress.exe and psr.exe; see Files). Because the application directory is searched before system32 for a DLL that is not a KnownDLL, the copy loads the planted DLL. That DLL side-loading is what the "Executes dropped EXE" and "Loads dropped DLL" signatures reflect; the persistence entries (Run key, Startup .lnk, Task Scheduler COM API) point at further copies of the same hosts under AppData\Roaming.
Network
No network events are listed for this detonation.
Files
Memory dumps are listed first, then dropped files with their hashes. The 0x0000000140000000-0x000000014028D000 region is dumped from PID 2092 (rundll32, host of the submitted DLL) and then repeatedly from PID 1312, a process that does not appear in the process list; a region of the same size ending at 0x000000014028E000 is dumped from PID 2612, the AppData copy of p2phost.exe. This is consistent with one loader image being mapped in the submission host, the unlisted process and the side-loading host.
memory/2092-0-0x0000000000190000-0x0000000000197000-memory.dmp
memory/2092-1-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-4-0x0000000077576000-0x0000000077577000-memory.dmp
memory/1312-5-0x0000000002AF0000-0x0000000002AF1000-memory.dmp
memory/1312-8-0x0000000140000000-0x000000014028D000-memory.dmp
memory/2092-7-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-9-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-12-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-11-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-10-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-14-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-15-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-16-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-13-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-18-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-17-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-20-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-19-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-21-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-22-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-23-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-24-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-25-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-26-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-27-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-28-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-30-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-29-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-31-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-32-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-33-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-34-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-36-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-35-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-37-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-38-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-39-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-41-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-43-0x0000000002AC0000-0x0000000002AC7000-memory.dmp
memory/1312-42-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-40-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-50-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-52-0x00000000777E0000-0x00000000777E2000-memory.dmp
memory/1312-51-0x0000000077681000-0x0000000077682000-memory.dmp
memory/1312-61-0x0000000140000000-0x000000014028D000-memory.dmp
memory/1312-67-0x0000000140000000-0x000000014028D000-memory.dmp
\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe
| MD5 | 0dbd420477352b278dfdc24f4672b79c |
| SHA1 | df446f25be33ac60371557717073249a64e04bb2 |
| SHA256 | 1baba169de6c8f3b3c33cea96314c67b709a171bdc8ea9c250a0d016db767345 |
| SHA512 | 84014b2dcc00f9fa1a337089ad4d4abcaa9e3155171978ec07bc155ddaebebfabb529d8de3578e564b3aae59545f52d71af173ebb50d2af252f219ac60b453d1 |
C:\Users\Admin\AppData\Local\Z0VgzS\P2P.dll
| MD5 | 07a287432eda352e76eac111bb5e9098 |
| SHA1 | 370c5e3e713f243b1c808518e9a6668d1d182d16 |
| SHA256 | fd114b54985c0e2bf29dfa98852fb012bc5178c424df47bc2c469800da143fb2 |
| SHA512 | 6c0baea99784df1cc61c4c3aa9b30ed90872b38c0d5504155df202f3f951028411c75f3e7c01b5867b4deb99404ee29eee118d9cfea4ca6ba934b02fc270f567 |
\Users\Admin\AppData\Local\Z0VgzS\P2P.dll
| MD5 | 1a959e119a7e5a0330aa6676703af19e |
| SHA1 | cbe937a151baae703918e0f57a42e556c14f6c85 |
| SHA256 | 5509bf34b8a981abb8c2cff8420f832d900f19ee3223b0237aebe210ac1d8354 |
| SHA512 | e655911074b1621e48ffb465e4a12fea925386ed84d0f215a2e126c6475ee7f7db9a9aaac9a71d8dd72e4f92075398a8ce15b9651adda1a11f943dae5f4c8fb3 |
memory/2612-79-0x0000000000080000-0x0000000000087000-memory.dmp
memory/2612-80-0x0000000140000000-0x000000014028E000-memory.dmp
memory/2612-85-0x0000000140000000-0x000000014028E000-memory.dmp
C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe
| MD5 | d8cac9aa6c580f35485a011b11b5a4c9 |
| SHA1 | 35e27d4140c5cfdd46c5ad7978c3ba3465c7d892 |
| SHA256 | 3f13d679c3ad907664fec9a7ece931085aa40ec99a0af69d1c06c86bc9edfde1 |
| SHA512 | 41218e851a483c181271f60ccaae55820500910a18f86ba429fa36ec694de8f993d3a4389e413c311cdacf2daa8426c4e98a7086fb12bdf069c89028ee1319fa |
C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\VERSION.dll
| MD5 | 87b2e3a784a789de78b2a31ea1de4390 |
| SHA1 | f70cabca5a3c1e41c58ef2351b9de11eb4152fef |
| SHA256 | dc484a974ec45d0983c429b0d919b89fff0226df28813aa041a73edd28d89f75 |
| SHA512 | ff2c63a82874d98bf40663a170a790e0a6cc314dad8d5e5c9ea56427f5f3dfbb6c47437defa97a0132d3f2f85c333c806a7ab568a3d7b224ba8bd8a087a83803 |
\Users\Admin\AppData\Local\Ki2Bh6Dn4\VERSION.dll
| MD5 | a988a5c7373c89ed5b84e40c117c2a6b |
| SHA1 | a3827115dca4e0ec6e2053d0996fb1b62b141cba |
| SHA256 | 0366357d287fad33662e342dee63c338c402bd47c1da1fa43d2d1a8b3667b5ea |
| SHA512 | 4a267e8dbdb4750b370056cdcf9d2d5886c28ab234ee1a3b15de09c565877d0d253ba10d8f82707f8157f83bec6957cc07c45210d7a2a7e751d398552788081e |
C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe
| MD5 | 46fd16f9b1924a2ea8cd5c6716cc654f |
| SHA1 | 99284bc91cf829e9602b4b95811c1d72977700b6 |
| SHA256 | 9f993a1f6a133fa8375eab99bf1710471dd13ef177ef713acf8921fb4ff565a3 |
| SHA512 | 52c91043f514f3f8ce07f8e60357786eb7236fcf6cdcccca0dd76000b9a23d6b138cebcdec53b01823cb2313ec850fc7bece326ec01d44ed33f4052b789b7629 |
memory/1396-97-0x0000000000100000-0x0000000000107000-memory.dmp
\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe
| MD5 | a80527109d75cba125d940b007eea151 |
| SHA1 | facf32a9ede6abfaa09368bfdfcfec8554107272 |
| SHA256 | 68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495 |
| SHA512 | 77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774 |
C:\Users\Admin\AppData\Local\ZlEsTIdS\VERSION.dll
| MD5 | f7b1d37acf90859d126cd7db9bf33a04 |
| SHA1 | 9bd7a9e4c93a4d8ef8b537b23e0b72c433edd4c7 |
| SHA256 | 188dcc8d2566949336c28e61e00c775bb72938b88d1cdf503e88d42a625d3174 |
| SHA512 | 3f26beb6c772311cb343703d4846b5d520b03cdd9267e1ee6af87b284dae7fe654d570bf77265abd47bda15a76468720107dca0ec116f36081079610a980461e |
\Users\Admin\AppData\Local\ZlEsTIdS\VERSION.dll
| MD5 | bcab8a465870c6416ec9e79e29ff8808 |
| SHA1 | 86b842872bca6f94279e0fb9691e9d0c5ee16fad |
| SHA256 | 99144373f8bc93a170d0bd725a54e4fb34c56cdff8c7ea13d4bad62f6685edf9 |
| SHA512 | 5b1f22c86ca4e30c38248aad0f75f64e2a86d85c707d70ef56af1f44248691183019ea32d66fef9db5272af088c9c84c45411597b7636f40b535046deba7fbfb |
memory/1900-116-0x00000000000A0000-0x00000000000A7000-memory.dmp
memory/1312-137-0x0000000077576000-0x0000000077577000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk
| MD5 | d33247ac2623a8e8da47e8ed7a7c0f15 |
| SHA1 | e20068ac70ce529f8bc01396dc03a99d24f84f4f |
| SHA256 | afeb41e83ac78e60c81524239dc89e62e20f6a365951b2279d1fce0f6ced1db8 |
| SHA512 | a29939f7f60b1beca056f38dfe5627690f15145d09f6df338c2087c4d94327fbf5d5da85444214b8cc8c14c7761f4c73e772a5e18fd8bdcb724702a2e55a969c |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\H08\P2P.dll
| MD5 | 95ea9c54318ea1439b0b03346f944bb5 |
| SHA1 | a94667871a8d096c499de5d55a17a79049a550e6 |
| SHA256 | 86ef970ea2ab6440cf11e3501c90035b485c7b56e5245e30fce6112a289d7222 |
| SHA512 | 6fdac0be620fee1a844afd3834be8ab9caabcf82cf27d723e8827986ed9b8953d0a41ba152ea170f6cd4f15da6ffd79c4a38c0882c8103fa2986c0828ad530d4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\ZHz\VERSION.dll
| MD5 | a054aaafd87d279962e2f587cbe3c6cd |
| SHA1 | 39bb8bd45d8119240ceec9fc5d8056a878f8d1c5 |
| SHA256 | c843daa2634c4d6c0675249eab71a005f71d0fc2a723ccfecee56120d2520ff4 |
| SHA512 | 0aca1c07d0d51c03d1a94101ab1b4ec36f781dc827c175ee350499f931bb681dbaa59753784b2d188b54a13490d67a9608c6da3c06917e077d38545d772e4c8b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-20 01:37
Reported
2024-01-20 01:39
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Dridex
Dridex Shellcode
(no indicator, process or target recorded for this signature)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\UZh5Pkwd\\OptionalFeatures.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
(60 further rows in the original report carry no description, indicator, process or target)
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
(two events, no process or target recorded)
Suspicious use of UnmapMainImage
(one event, no process or target recorded)
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3464 wrote to memory of 4040 (2 events) | N/A | N/A | C:\Windows\system32\SppExtComObj.Exe |
| PID 3464 wrote to memory of 776 (2 events) | N/A | N/A | C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe |
| PID 3464 wrote to memory of 4468 (2 events) | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe |
| PID 3464 wrote to memory of 4300 (2 events) | N/A | N/A | C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe |
| PID 3464 wrote to memory of 3516 (2 events) | N/A | N/A | C:\Windows\system32\BdeUISrv.exe |
| PID 3464 wrote to memory of 4544 (2 events) | N/A | N/A | C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe |
As in the Windows 7 run, the writer (PID 3464) is absent from the process list, the Files section dumps the same 0x0000000140000000-0x000000014028D000 region from it as from the rundll32 host (PID 3188), and each genuine system32 binary is written to before the copy dropped under AppData\Local.
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\692759203e392d71d9dee01161280ef1.dll,#1 |
| C:\Windows\system32\SppExtComObj.Exe | C:\Windows\system32\SppExtComObj.Exe |
| C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe | C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe |
| C:\Windows\system32\OptionalFeatures.exe | C:\Windows\system32\OptionalFeatures.exe |
| C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe | C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe |
| C:\Windows\system32\BdeUISrv.exe | C:\Windows\system32\BdeUISrv.exe |
| C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe | C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe |
The chain is the same as on Windows 7 with a different set of decoy binaries: each runs once from system32 and once from a randomly named AppData\Local directory beside a planted library (ACTIVEDS.dll beside SppExtComObj.Exe, appwiz.cpl beside OptionalFeatures.exe, WTSAPI32.dll beside BdeUISrv.exe; see Files). The choice of decoys per platform is what to expect from a side-loader: the candidate binaries differ between Windows versions, so host-based detection should key on the pattern (system32 binary name under a user-writable path, with a same-directory DLL or CPL) rather than on these six names.
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | (none) | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Only one direct connection is recorded: 52.142.223.178 on tcp/80, with no hostname resolved beforehand. All other entries are PTR (reverse) lookups sent to 8.8.8.8; one of them, 178.223.142.52.in-addr.arpa, is the reverse of that same address. Nothing on this page shows what was exchanged over the connection, and the Windows 7 run recorded no network activity, so treat the address as an indicator from this detonation rather than confirmed command-and-control.
Files
Memory dumps are listed first, then dropped files with their hashes. The 0x0000000140000000-0x000000014028D000 region is dumped from PID 3188 (rundll32) and repeatedly from PID 3464, which is not in the process list; regions of the same size ending at 0x000000014028E000 are dumped from PID 776 and PID 4300, the AppData copies of SppExtComObj.Exe and OptionalFeatures.exe.
memory/3188-0-0x000001795F910000-0x000001795F917000-memory.dmp
memory/3188-1-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-4-0x00000000084A0000-0x00000000084A1000-memory.dmp
memory/3464-7-0x00007FFB8782A000-0x00007FFB8782B000-memory.dmp
memory/3464-8-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-9-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-10-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-6-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-11-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-12-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-13-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-14-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-15-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-16-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-17-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-18-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-20-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-21-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-22-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-23-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3188-19-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-25-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-24-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-26-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-28-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-29-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-30-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-27-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-31-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-32-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-33-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-34-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-35-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-36-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-37-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-38-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-39-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-40-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-41-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-42-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-43-0x0000000002960000-0x0000000002967000-memory.dmp
memory/3464-50-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-53-0x00007FFB87C00000-0x00007FFB87C10000-memory.dmp
memory/3464-62-0x0000000140000000-0x000000014028D000-memory.dmp
memory/3464-60-0x0000000140000000-0x000000014028D000-memory.dmp
C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe
| MD5 | 728a78909aa69ca0e976e94482350700 |
| SHA1 | 6508dfcbf37df25cae8ae68cf1fcd4b78084abb7 |
| SHA256 | 2a6581576305771044f07ea0fef27f77859996dbf66c2017e938f90bfc1e010c |
| SHA512 | 22bf985e71afa58a1365cc733c0aa03dabd4b44e7c6a136eb5f9b870db14470201b4ef88a19fa3864af6c44e79e1a01d6f8806062d9d4861ba7dac77d82074f1 |
C:\Users\Admin\AppData\Local\xtVAESF\ACTIVEDS.dll
| MD5 | ad2142dd79759943be2189182cde50f7 |
| SHA1 | 2b1303715b08fd3e693b60b76859039ebe358bd0 |
| SHA256 | 0d134571e4a88855398ffc6c6e7a7db669b3a83b71a39a253f82da029520dd2d |
| SHA512 | e1f22c42c9af6326d52a07a50898beed314a1fdab84979d6980849d14bf1231dea258774ca3891fed0505c0704e033cb48890da2d48536aaa51d10f609fd6df0 |
memory/776-71-0x0000000140000000-0x000000014028E000-memory.dmp
memory/776-72-0x00000229E44D0000-0x00000229E44D7000-memory.dmp
memory/776-77-0x0000000140000000-0x000000014028E000-memory.dmp
C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe
| MD5 | d6cd8bef71458804dbc33b88ace56372 |
| SHA1 | a18b58445be2492c5d37abad69b5aa0d29416a60 |
| SHA256 | fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8 |
| SHA512 | 1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d |
C:\Users\Admin\AppData\Local\RWunwh\appwiz.cpl
| MD5 | 80c338b4a53003088ce9a15382f8c572 |
| SHA1 | a74ec3f039125e7ddb3491f3df774ce84e954cdc |
| SHA256 | b1d7255e06d3dc1049fd9bca497ccff2b75ab0118916bc4ce7353fc33c2a9a06 |
| SHA512 | ef3c10b1bda2256e76bfd672253db3ee0ae7826b3efe20856ae79d2ec27c7c17e90e184f2f9fbfa58ecde738450c740fb397a82256d992c41e9488415516bc80 |
memory/4300-89-0x0000017795570000-0x0000017795577000-memory.dmp
memory/4300-92-0x0000000140000000-0x000000014028E000-memory.dmp
C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe
| MD5 | 8595075667ff2c9a9f9e2eebc62d8f53 |
| SHA1 | c48b54e571f05d4e21d015bb3926c2129f19191a |
| SHA256 | 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db |
| SHA512 | 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88 |
C:\Users\Admin\AppData\Local\6CxXERmD\WTSAPI32.dll
| MD5 | f3ef1a8d6731c4d3b5f762f96d6c4673 |
| SHA1 | 64dabc60b3e5a75d79c2769eefd25c96e97a717f |
| SHA256 | 9fffa4c1033fb274a396386d36566a258cc75e97c00d152933416df00166a028 |
| SHA512 | 00f5a0439571c47fccb66a2ae27ba00f92d9099b0d8dd54e55000753c6ff36972c080527a8e98a42c67f2ac4eba3892cae07357381ef13b6f4d81cb10463d0f9 |
C:\Users\Admin\AppData\Local\6CxXERmD\WTSAPI32.dll
| MD5 | d2715efb10697c36ac8de95ccdbf7c6c |
| SHA1 | cd2ceaccd80c1fbb90101e5ca7b9ddca6bfff718 |
| SHA256 | 696467c9b00ebd6d7be92fc868ee64e708302f0f11ee95d9814eb43190ea8535 |
| SHA512 | 549c110f90632161b1890489457d245e71ab07945da442de881330b61299eae5cc5f21cf5d3e4c7035a8d28cb6d14e635ab1b3c2587f4e9102048b664cda9f38 |
memory/4544-105-0x0000023736450000-0x0000023736457000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 6344baf3f441ee7051241fb645775e29 |
| SHA1 | 65a8e899db6ac33314718d0523b8a0476e93206c |
| SHA256 | a415f9e751c3ab90511ca31e03a8992abe6dc122e7cfe950ddcfb54eb17d82f8 |
| SHA512 | adf658bbccc4c06676384466e1f5513988fb0d7116c5977fec49adc32bbf0b1e0d96b8f25f9f1d7fd4aed0284e625541baee0d10ee298ee4d9cd643b2e36d286 |
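Worked example
The following is an added example, not part of the sandbox output. It takes the process images, dropped-file paths and Run-key writes transcribed from the behavioral1 (Windows 7) and behavioral2 (Windows 10) sections above and turns them into the indicators a hunt would use: it derives the list of decoy Windows binaries from the process list (every image that ran from system32 other than rundll32), pairs each copy of a decoy under a user-writable path with the DLL or CPL planted in the same directory, and flags Run values whose target is such a copy. The pairing and autorun heuristics are the editor's own and are not a feature of the sandbox.

```python
"""Side-loading and persistence triage over the artefacts listed in this report.

Added example, not part of the sandbox output. The data below is transcribed
from the behavioral1 and behavioral2 sections; the heuristics are the editor's.
"""
import ntpath
import re
from collections import defaultdict

# Process images from both detonations, one entry per image. The loader starts
# the genuine binary from system32 first, then the copy it dropped under AppData.
PROCESS_IMAGES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\p2phost.exe",
    r"C:\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe",
    r"C:\Windows\system32\iexpress.exe",
    r"C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe",
    r"C:\Windows\system32\psr.exe",
    r"C:\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe",
    r"C:\Windows\system32\SppExtComObj.Exe",
    r"C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe",
    r"C:\Windows\system32\OptionalFeatures.exe",
    r"C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe",
    r"C:\Windows\system32\BdeUISrv.exe",
    r"C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe",
]

# Dropped files from the Files sections. The report lists some of them twice
# (written, then overwritten) or without a drive letter; normalize() folds those.
DROPPED_FILES = [
    r"\Users\Admin\AppData\Local\Z0VgzS\p2phost.exe",
    r"C:\Users\Admin\AppData\Local\Z0VgzS\P2P.dll",
    r"\Users\Admin\AppData\Local\Z0VgzS\P2P.dll",
    r"C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\Ki2Bh6Dn4\iexpress.exe",
    r"\Users\Admin\AppData\Local\ZlEsTIdS\psr.exe",
    r"C:\Users\Admin\AppData\Local\ZlEsTIdS\VERSION.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\H08\P2P.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\ZHz\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\xtVAESF\SppExtComObj.Exe",
    r"C:\Users\Admin\AppData\Local\xtVAESF\ACTIVEDS.dll",
    r"C:\Users\Admin\AppData\Local\RWunwh\OptionalFeatures.exe",
    r"C:\Users\Admin\AppData\Local\RWunwh\appwiz.cpl",
    r"C:\Users\Admin\AppData\Local\6CxXERmD\BdeUISrv.exe",
    r"C:\Users\Admin\AppData\Local\6CxXERmD\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk",
]

# The two "Set value (str)" indicators from the "Adds Run key" signatures, verbatim.
RUN_KEY_WRITES = [
    r'\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\nL5vk0\\iexpress.exe"',
    r'\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\UZh5Pkwd\\OptionalFeatures.exe"',
]

LOADABLE = {".dll", ".cpl"}  # .cpl files are PE DLLs; OptionalFeatures.exe loads appwiz.cpl
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUN_VALUE = re.compile(r'\\Run\\(?P<name>[^\\=]+?)\s*=\s*"(?P<target>[^"]*)"\s*$')


def normalize(path):
    """Give drive-less report paths the C: prefix the other entries use."""
    return "C:" + path if path.startswith("\\") else path


def system_binaries(images):
    """Lower-cased basenames of every process image that ran from system32."""
    return {ntpath.basename(p).lower() for p in images
            if p.lower().startswith("c:\\windows\\system32\\")}


def sideload_pairs(files, decoys):
    """Pair each copy of a system32 binary with the DLL/CPL planted in the same
    user-writable directory. Returns sorted (directory, exe, library) tuples."""
    by_dir = defaultdict(set)
    for path in map(normalize, files):
        if USER_WRITABLE.match(path):
            by_dir[ntpath.dirname(path)].add(ntpath.basename(path))
    pairs = []
    for directory, names in by_dir.items():
        exes = [n for n in names if n.lower() in decoys]
        libs = [n for n in names if ntpath.splitext(n)[1].lower() in LOADABLE]
        pairs.extend((directory, exe, lib) for exe in exes for lib in libs)
    return sorted(pairs)


def autorun_hits(run_key_writes, decoys):
    """Flag Run values whose target is a system32 binary copied under AppData,
    which is how this sample re-launches its side-loading host at logon."""
    hits = []
    for line in run_key_writes:
        m = RUN_VALUE.search(line)
        if not m:
            continue
        target = m.group("target").replace("\\\\", "\\")  # undo the report's escaping
        if USER_WRITABLE.match(target) and ntpath.basename(target).lower() in decoys:
            hits.append((m.group("name"), target))
    return hits


def triage(images=PROCESS_IMAGES, files=DROPPED_FILES, run_keys=RUN_KEY_WRITES):
    """Decoy names, side-load pairs, autorun values and Startup links in one dict."""
    decoys = system_binaries(images) - {"rundll32.exe"}  # rundll32 only hosts the submitted DLL
    return {
        "decoys": sorted(decoys),
        "sideload_pairs": sideload_pairs(files, decoys),
        "autorun": autorun_hits(run_keys, decoys),
        "startup_lnk": sorted(ntpath.basename(f) for f in files if f.lower().endswith(".lnk")),
    }


if __name__ == "__main__":
    for section, rows in triage().items():
        print(section, *rows, sep="\n    ")
```

Run stand-alone it prints six decoy names, six (directory, exe, library) pairs, the two Run values with their de-escaped targets, and the two Startup .lnk names. The useful generalisation is that the decoy set is derived from what actually ran, not hard-coded, so the same three functions work on a process list and file list pulled from EDR telemetry for a host where the loader picked different binaries.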