Analysis Overview
SHA256
f3ca4c539c12c3d56e02f61e3aa2def83515305b89bcbe17274ac895313ad46a
Threat Level: Known bad
The file 6913c976717f771261d42365e9ed8940 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-20 01:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-20 01:00
Reported
2024-01-20 01:02
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\sqaZ7\osk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xQu\wbengine.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\sqaZ7\osk.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\xQu\wbengine.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\KVQ7cn49HUu\\wbengine.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\sqaZ7\osk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xQu\wbengine.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6913c976717f771261d42365e9ed8940.dll,#1
C:\Users\Admin\AppData\Local\sqaZ7\osk.exe
C:\Users\Admin\AppData\Local\sqaZ7\osk.exe
C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
C:\Windows\system32\wbengine.exe
C:\Windows\system32\wbengine.exe
C:\Users\Admin\AppData\Local\xQu\wbengine.exe
C:\Users\Admin\AppData\Local\xQu\wbengine.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe
Network
Files
memory/1964-0-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1964-1-0x0000000000390000-0x0000000000397000-memory.dmp
memory/1272-4-0x0000000076F36000-0x0000000076F37000-memory.dmp
memory/1272-5-0x00000000029D0000-0x00000000029D1000-memory.dmp
memory/1964-7-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-9-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-13-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-11-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-14-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-17-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-16-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-23-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-22-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-26-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-24-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-27-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-31-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-30-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-32-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-33-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-34-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-29-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-35-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-28-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-25-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-36-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-21-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-39-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-41-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-42-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-43-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-40-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-38-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-37-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-44-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-20-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-45-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-47-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-48-0x00000000029A0000-0x00000000029A7000-memory.dmp
memory/1272-46-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-18-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-19-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-55-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-15-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-12-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-10-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-8-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-56-0x0000000077141000-0x0000000077142000-memory.dmp
memory/1272-57-0x00000000772A0000-0x00000000772A2000-memory.dmp
memory/1272-62-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-66-0x0000000140000000-0x000000014028A000-memory.dmp
memory/1272-71-0x0000000140000000-0x000000014028A000-memory.dmp
C:\Users\Admin\AppData\Local\sqaZ7\osk.exe
| MD5 | 82612ccff43b4bebd91d9be898bb905c |
| SHA1 | 08d8fccd8cd426736c0dbf8557390c95b03d1b0a |
| SHA256 | ba6b30151a1b797b0057ff50b368dbfc0074038efdf61171d6dc1055abcf18a3 |
| SHA512 | 18b72581f4dc265d4c3966023508a1aac6bb76c4ae51d68a52ab29d18c7510b565765df6f1a7c1474191a1a768139dcb172d8b8eebf4c8fb860b8e0eae153c60 |
C:\Users\Admin\AppData\Local\sqaZ7\UxTheme.dll
| MD5 | 94db4f643fdbceaed6936c7a0a074b79 |
| SHA1 | 69998bb161ae3e65a7f8fc569d4975e8d9858174 |
| SHA256 | 580db80103977869c05569b0b74a36b18822d4eb641a76b10e3aa4d94deab4b1 |
| SHA512 | 3130fe329f4062dc5c00feac1fe075c1210793683d6ecd8fe46aa3455e63807510f34946681a27c6f2475c579f4b465c4dfe70faf1a7cc137a4b3b1a734c4b32 |
\Users\Admin\AppData\Local\sqaZ7\UxTheme.dll
| MD5 | d39c9934e9c3afc06b325055bf1c1467 |
| SHA1 | b39c6e547f200b77b7336a45eda6067cafe16b8b |
| SHA256 | 32392eb6f8e0d41e363f943191f00e2b952bad593c935188047f0feb03fd2237 |
| SHA512 | 26e71c6b236151b8a93ff36e4d1cd792ae8f4a188c40f1e2cf87ee737aa82aaa4630641cc7a92f15aa9d9c6afcf60e78583cd70df388845e97fcfe1218e1574f |
\Users\Admin\AppData\Local\sqaZ7\osk.exe
| MD5 | cbbaf202fbf1b2933fe2e757e4999acb |
| SHA1 | e8bf1f6ee44a5e344e3707b48001b7583f5b0e75 |
| SHA256 | 89bf6ace53974e3a014dac5105d88c0723e7ccab24acf7bd148cd182fc73a97b |
| SHA512 | b30b1c5849f60f9d17e1e4ed7c341ba4b7a83ddca8720bd7cc7baa1fa6daf77d09ed68c938eac070170cd1b57d95f3813c5a374d4f66d647c7e54415609ac125 |
memory/2840-80-0x00000000002C0000-0x00000000002C7000-memory.dmp
C:\Users\Admin\AppData\Local\sqaZ7\osk.exe
| MD5 | 265b903c98fcaff6ed48b82e9b2627d9 |
| SHA1 | 496b54a8e23731c1ec3fbe89cde134d9196df133 |
| SHA256 | e1fec0c9177b0aee052c7017a87cc73a36740617831fb6bd126b21030dddd9cf |
| SHA512 | 33dbf14321a4a8363b01412ad26c719cb144aab88fd3b3178a3ab9166a7fc5818be94398f78d8cc38a4d42c1c56ce6ce56ce8160e7e0095414b06307272bf9a9 |
C:\Users\Admin\AppData\Local\xQu\XmlLite.dll
| MD5 | 966f7a7d8a2a143c2af2c974c8b6ef19 |
| SHA1 | 9c56fc1d48f5c24be522e8f2cc19a77ac97388c7 |
| SHA256 | 3f80d06d08f23d2eb6da4bcb62cf1d5f5af62c3774c83c4079b5483b193b3c00 |
| SHA512 | 8b9195f8b26f55803741186f1b0a17f6704dff24b8caa6c86f47015514a0268143d85eea53c1a25cc661257f0f67bd3f0f25f446c8a3465d929ffb8a245d9d2d |
\Users\Admin\AppData\Local\xQu\XmlLite.dll
| MD5 | 83f261e4ff09b931b2ad336102616cb1 |
| SHA1 | 8b3877159d4e72c79f8d204500b015eb34c84c60 |
| SHA256 | 67a944af02e0dc98d6bd47c9bb5b69b55e738947fa5894f25cce201001f32d4d |
| SHA512 | 6f2e09def7f60c676ec1364fdfba5f7d124aa06e9e3d819391d0a653afb418e606b5c38523b98a37a9afa40a73254b29aa723def80e336e36ba1d67c8636254f |
memory/2632-104-0x00000000001F0000-0x00000000001F7000-memory.dmp
C:\Users\Admin\AppData\Local\xQu\wbengine.exe
| MD5 | 0e0bacce676a25aadcf28e49650761c2 |
| SHA1 | cd8e77787fdff7f3af285ee4a2fe826b205994d2 |
| SHA256 | dbfb61dbbce53afa43499ffa833ba1deaa141ad3d4551344b74dfa6a7f85d7ba |
| SHA512 | 3f505d7d6ba42bf7fd6cbe225b27089eed91565f8523c625568ab483399b4e2f0ffca59e86778b179ff68b3143eb1078756ab347a49877990040ccbb9f1c75f4 |
\Users\Admin\AppData\Local\xQu\wbengine.exe
| MD5 | 4b687288782ed067b8385b1ae0ba1040 |
| SHA1 | dbb9e216f72f5f8fbb5c36b0ddaf43622532bb66 |
| SHA256 | 669a123f8ba35da35caaa9a830c2b28e5158cb834b36f39b4e8984e6bbe56ad2 |
| SHA512 | bee16120a3207a572031e3c4e324fc5ea1ed971f0161d0044011344887ed23078d0bfe9a355d3e9bce8ee0cd0d1ff768f5a879a7e0bea4b7e5d8e2068693ea76 |
C:\Users\Admin\AppData\Local\xQu\wbengine.exe
| MD5 | a76c3ac80448aadf2c712820e5bd3788 |
| SHA1 | d23bfb2be8b63eefa70f2f0da3a70f1946a7f5df |
| SHA256 | bc0b7c0c6054854c5d81972ddd19467589e13d987612490afcb2305673faca5f |
| SHA512 | aeabf290f8ba234c88fdfb4862372f70e1f56ec378df4542a887ba65506cc414dd66cf23bd024cda04f053c220f6a25622fda6aff10d3eb9de329579dc9ab019 |
C:\Users\Admin\AppData\Local\Y4PRBO\SYSDM.CPL
| MD5 | 2bf62b235ab0a21be522f0ef6c8eda3e |
| SHA1 | de35da9db87d8f833f278a93ad18df5c006f0fcb |
| SHA256 | a2d7b9bc28b54f1a7be608232250d68848ebe1b595072f655ae816f26e3f163d |
| SHA512 | 62fa4d5e55bbca88e5abc25949ac34a5f0185f2ae919118ad834fb6b4661674e2e38f382d83a2542703ac5ae3a8673fe6c76c7f698b7763bb5158edab9d68797 |
\Users\Admin\AppData\Local\Y4PRBO\SYSDM.CPL
| MD5 | d858aa91301e807f3d361ff0f9cc184f |
| SHA1 | 451c4b6353b780e7c4bde3f94c3710cf94008ed7 |
| SHA256 | d9a24787844f5d387b336f9cb390f1743acb9e9247cdeb1fa55b6ac7222e0507 |
| SHA512 | 7cf63a2b5dd39cecca5e2d419ff0975d0747c872f1fb8b92263e36a45d7bb5032ce719b5a89d9cfcda9e2a961bc300013fe972d4c0271466e82ce946e2511ab5 |
memory/364-129-0x0000000000100000-0x0000000000107000-memory.dmp
C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe
| MD5 | 74bd95429d5383e61874dad934730c21 |
| SHA1 | 5000c16c2dd3f337d25315dc935db93a3bd51119 |
| SHA256 | f984ac688b17d9fae0fc811ce9a3f0d10eefd9189b7efa7fbecfa3869b314e27 |
| SHA512 | e4908a422586927b65d79366b554a20b24eadf835015929869de8ec09d11be96cf84abaabbe2b9f601c98ee032fabf71db0cc777b812471af558446534687c73 |
\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe
| MD5 | 2c78be1298c249d6c50a3105c5ab0d91 |
| SHA1 | f51bf8e2b7f395e38ea34476d3f2adab69a2efc2 |
| SHA256 | 55a4b6983566e2d444068127b9226a3431144506b609723a29bee8f23321446f |
| SHA512 | 1ce3d2b7119ff0bdb498178e84d7ea07729199dbe04681df591af77ccf9c4309e0e30a3dacb223d85a24db4f206e42efcfa905599c875cfe831227f3c6f49acd |
C:\Users\Admin\AppData\Local\Y4PRBO\SystemPropertiesPerformance.exe
| MD5 | ad9722789e5ab34bd33286d1d7e2e9d6 |
| SHA1 | c0106ac69144502be89179dd0f19e3476172eb9e |
| SHA256 | 1b4c3a8c45d6af7541e81cef0877c18bda3e43681881563cdfddc6e1ff6e5735 |
| SHA512 | d262ec76c0062bbbf347d26e065f9b8e2be03cd752b55e687247ecca5c5ac6ece7ba2001681b96ae51c156c7c1ef6c73d4375b523ab1e2b4af34b2d2d0814336 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\oM3MTl86Uy\SystemPropertiesPerformance.exe
| MD5 | 870726cdcc241a92785572628b89cc07 |
| SHA1 | 63d47cc4fe9beb75862add1abca1d8ae8235710a |
| SHA256 | 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6 |
| SHA512 | 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72 |
memory/1272-150-0x0000000076F36000-0x0000000076F37000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk
| MD5 | 77a4b3f3109d2eeddb0970ed422aa097 |
| SHA1 | 4a005d623b99e448809b3828f3c37b3c91f8c7c5 |
| SHA256 | 948bf86a8c4a53a80b161eff70f0024a9a9b28a94ce7348dd28fba94f3149a0c |
| SHA512 | 7b4e9de20ec264ecf4756108b9fc2719cf006b26f8481a4121cdd0c99457a6bc8066f2a38b7252fbe53c4c126a40af1e7c7198850cc05bac15c1546c70e02434 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\OojEKAxl7wr\UxTheme.dll
| MD5 | 294380421a493ab1a2fbee72b2d34308 |
| SHA1 | b2571b067328f5cd842585bba832d5a4ebd498e5 |
| SHA256 | ed7384fd815236dbe2884caad341932453a7d0207fa5a7839f32032cfac7ed01 |
| SHA512 | 5ba1340fca5534d09de2fa98226c957b21738e655ad859590668b540a0658fd2f9a1bd5c2481c0a1da7a542c23c58a4c55d9b31982f9f0cdbd38c21bc4512ed1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\KVQ7cn49HUu\XmlLite.dll
| MD5 | 33dc3f101a3dd47cd9d27487ed4f0c89 |
| SHA1 | f3337514e88b278750e800bc6913b130ad82d74c |
| SHA256 | 0dc27192b4b5b64fa48e2af7de154d164e787d05d64b90add64d010ae504c6d7 |
| SHA512 | 73178ec64ff165ac5ca39834ce0035b254fa72bd85e7bed3b8bb0add969d91ecf1709716afaee0af6405f8cc11097b0bcccb45f4fc364dcccb787ae765d1a937 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\oM3MTl86Uy\SYSDM.CPL
| MD5 | ff94c2777d864da474251275a67a6a21 |
| SHA1 | 27cf58296d4d74217588073018aaf596d04b3324 |
| SHA256 | 2998641fc3542ad418739e98697718594f28dc8eea0d9bd8adb8b9545082260d |
| SHA512 | 982dd91511c6d4d1a01acaf139600b7a81fe8f2756bc99963cdc038d7b619492a9115ead099480bc4f528888a4d133cd1c37453872f8662dc46ce78e69d5fb9f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-20 01:00
Reported
2024-01-20 01:02
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\j72g\wscript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\j72g\wscript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dturazvnnsjkgvr = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\UbAqzoaRr\\FileHistory.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\j72g\wscript.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3368 wrote to memory of 4180 | N/A | N/A | C:\Windows\system32\wscript.exe |
| PID 3368 wrote to memory of 4180 | N/A | N/A | C:\Windows\system32\wscript.exe |
| PID 3368 wrote to memory of 4404 | N/A | N/A | C:\Users\Admin\AppData\Local\j72g\wscript.exe |
| PID 3368 wrote to memory of 4404 | N/A | N/A | C:\Users\Admin\AppData\Local\j72g\wscript.exe |
| PID 3368 wrote to memory of 2808 | N/A | N/A | C:\Windows\system32\FileHistory.exe |
| PID 3368 wrote to memory of 2808 | N/A | N/A | C:\Windows\system32\FileHistory.exe |
| PID 3368 wrote to memory of 1920 | N/A | N/A | C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe |
| PID 3368 wrote to memory of 1920 | N/A | N/A | C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe |
| PID 3368 wrote to memory of 1628 | N/A | N/A | C:\Windows\system32\RdpSaUacHelper.exe |
| PID 3368 wrote to memory of 1628 | N/A | N/A | C:\Windows\system32\RdpSaUacHelper.exe |
| PID 3368 wrote to memory of 2740 | N/A | N/A | C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe |
| PID 3368 wrote to memory of 2740 | N/A | N/A | C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6913c976717f771261d42365e9ed8940.dll,#1
C:\Windows\system32\wscript.exe
C:\Windows\system32\wscript.exe
C:\Users\Admin\AppData\Local\j72g\wscript.exe
C:\Users\Admin\AppData\Local\j72g\wscript.exe
C:\Windows\system32\FileHistory.exe
C:\Windows\system32\FileHistory.exe
C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe
C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe
C:\Windows\system32\RdpSaUacHelper.exe
C:\Windows\system32\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe
C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
Files
memory/2364-0-0x000001E65DDB0000-0x000001E65DDB7000-memory.dmp
memory/2364-1-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-4-0x0000000002960000-0x0000000002961000-memory.dmp
memory/2364-8-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-7-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-9-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-10-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-11-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-12-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-6-0x00007FFBC930A000-0x00007FFBC930B000-memory.dmp
memory/3368-13-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-14-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-15-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-16-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-17-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-18-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-19-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-20-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-21-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-22-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-23-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-24-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-25-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-26-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-27-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-29-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-28-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-32-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-30-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-31-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-34-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-35-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-37-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-39-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-40-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-41-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-43-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-45-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-47-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-48-0x0000000002920000-0x0000000002927000-memory.dmp
memory/3368-46-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-55-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-56-0x00007FFBCABC0000-0x00007FFBCABD0000-memory.dmp
memory/3368-44-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-42-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-38-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-36-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-33-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-65-0x0000000140000000-0x000000014028A000-memory.dmp
memory/3368-67-0x0000000140000000-0x000000014028A000-memory.dmp
C:\Users\Admin\AppData\Local\j72g\wscript.exe
| MD5 | 13551f0e862ff11791f590fbfb6c168f |
| SHA1 | 4bc640fc6714ac477a52409085988eeea3111a7a |
| SHA256 | d7ca3b728722ae4e2b1cc75b689b989f4938c2f333f8715bb5931743368d2156 |
| SHA512 | a4ec387c4755c26921e241e5fedc3f8f94a611c91c849e630383761bc431e4657095d0b6900e6d8e5826b6b38cd73ab39f7e66cca7c1cd90243bc1c3ea028a56 |
C:\Users\Admin\AppData\Local\j72g\VERSION.dll
| MD5 | f860d9536a778bd6847453c8dff01b33 |
| SHA1 | 6982321f1ee69078ff24b6dbf1ff673183bb296b |
| SHA256 | d6e6faad725b215cd10aa1b31727a6a0bc474cd8702b71e1480e8afceb6b5ac7 |
| SHA512 | c185e4f53a7f2c85e0035191aceee6585af7b750df5dbceafbdf93d099b258a25af9a45998fc2f34545cd9504a70f4bce5fd405e2230afadcbcb166e0069c575 |
C:\Users\Admin\AppData\Local\j72g\VERSION.dll
| MD5 | 33cfc1a00fd09b900c9ca572409494ba |
| SHA1 | 448741a0dda54d729b7925ce0b10a7398c7eeba1 |
| SHA256 | 2b56731e4390c3d88821cb3c20057219cf9e3d1a2affad8ae9c4470993d103dc |
| SHA512 | b880b4ac89ca6fae9e448070d40d0212350d47e43aece4670817e9b27624ffd16f4f18de879947493eb55680454bbf7a81bc1ab60c9f3923e94e4e2369295344 |
memory/4404-76-0x00000179B7AE0000-0x00000179B7AE7000-memory.dmp
memory/4404-77-0x0000000140000000-0x000000014028B000-memory.dmp
memory/4404-81-0x0000000140000000-0x000000014028B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\D3S4bU\wscript.exe
| MD5 | a47cbe969ea935bdd3ab568bb126bc80 |
| SHA1 | 15f2facfd05daf46d2c63912916bf2887cebd98a |
| SHA256 | 34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100 |
| SHA512 | f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc |
C:\Users\Admin\AppData\Local\HhFcEWh\UxTheme.dll
| MD5 | c0e2989a972a0fd1d863741a30c8d16a |
| SHA1 | 4629c7156e11c138a8df21343498a5d88d4db6d8 |
| SHA256 | 2dcb4f1052cad7d06e2f9a467a238befb230ab769c948b75a0272cbe7dca85b7 |
| SHA512 | 90d2b252c4ad761f02f80b34bc2203733bc10418c591bcf82b8cb2a5c261fe82d6850e8431f5ad02e470ba55c1dd659f99a10ff9afde7f30ea2b7188339d26c7 |
C:\Users\Admin\AppData\Local\HhFcEWh\UxTheme.dll
| MD5 | e0a462cbc5d21ecbe2c1ed4cd4d00fe4 |
| SHA1 | 73e86bccfcd35662d4ad390617bde1eb4cb30c35 |
| SHA256 | b256e55e0e5a2b76867661090fd0bca5e0b8b74bb9dd8dadae86b1bdd9e3f52b |
| SHA512 | 86eed1fcf56fb48ac300973e9ad6d6fb90a436c74e85552b3f2b53d067e983c781e5e156cf670f04611eb61f0ca8bb4e825446a8af8f69826cfd2b0480a18dbc |
memory/1920-93-0x0000020E92940000-0x0000020E92947000-memory.dmp
C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe
| MD5 | 71c68c1755a51168a641b72db88e21f0 |
| SHA1 | 753b07aa014cad800684e28656044b4c8ebf5e7d |
| SHA256 | 62231cb8fa31621b1672fd9c3365005143ba2b839bb3ecf1aa389a4fd1e780e2 |
| SHA512 | c5a4b2068a10f773169557d64f4f5351ad617f973b3ae62c226b392fd13143e143be8bf3eff0dda5bc40ed25a3b115c830939b60b8453f95a5faa16bab0f551c |
C:\Users\Admin\AppData\Local\HhFcEWh\FileHistory.exe
| MD5 | 6fff8baa880c9fe7f4444fd7ae9c7663 |
| SHA1 | 918a6474d9e9df22c00be6f5b528c47dbbcbf4e9 |
| SHA256 | 774efb39deba8ecf1cb96e3f7b35ab12e7ac8284136e7398213f7004d48ebc6d |
| SHA512 | c715b8cc14c620451eabdb65b8a01f2d4c5996831a7aa299902619ae7aefbb54ff63997c68f304e719dfb872a94a375ab026a0398545c86ddcb4bee3c36ba068 |
C:\Users\Admin\AppData\Local\wEeE7UHW\WINSTA.dll
| MD5 | 1466064bbfdff42e043f14a00f4cb2f6 |
| SHA1 | d119cf2d43815d2fc9fafcae94e26736ab821153 |
| SHA256 | ba47d9b2408117b7f48abadd4ff36f20a7358dfb34d9db221a28c3c9111cf3b8 |
| SHA512 | 71808dcb377ebda24d4914e4351649ba8b1ebd26887c5a620bbfea74717dcbfb1ac3ea9d9d9211966bb26bbb75c70e3ce3ebf89559efd55af488226691df3f8d |
memory/2740-110-0x0000025AD1DF0000-0x0000025AD1DF7000-memory.dmp
C:\Users\Admin\AppData\Local\wEeE7UHW\WINSTA.dll
| MD5 | 0bc6f42d8f922c774b7ee4d90d99cfd9 |
| SHA1 | 16e71eb1bd9a777875f3c45fcf2f0c9580691e21 |
| SHA256 | 6520e561cf1f811574e23922f559e580742407796caf1c5100c55639b2e79a7e |
| SHA512 | 10fcd908d21cb225dda27e3809dd69c0e4582f74ed5ea5f2fba8b8bfe47125582b4d650c6ce1b2c2e282f7aadb64f0929a8247ad649ac8e21b31f281d0f73485 |
C:\Users\Admin\AppData\Local\wEeE7UHW\RdpSaUacHelper.exe
| MD5 | 0d5b016ac7e7b6257c069e8bb40845de |
| SHA1 | 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2 |
| SHA256 | 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067 |
| SHA512 | cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dvizybqqo.lnk
| MD5 | 1084a0430bc74734cb9de98d321905f2 |
| SHA1 | bfe1d4da7470285f2597a9ee9fac717743718aa0 |
| SHA256 | 685120edca3b6d6c6ed9866ebf8a591fab07a77dfe22d436f2d10bb5f84dce58 |
| SHA512 | e22ba8da75c090b1b305a48e9fb9121a17c1c88417b1bad65e5ba2fc20ff9e6c60ad024501f6f446c9631e72ebc15ef0f3815496efd48505ae20fa8e758e502d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\D3S4bU\VERSION.dll
| MD5 | 8469e2e301699c9872ab52a393213a8d |
| SHA1 | c0e3f6110939983923ca9958fd0171f52ab99d7b |
| SHA256 | 3f7df7b9d11eb43a173a4d5aef3003004c2e89071b7148495f2cf4ba689521ab |
| SHA512 | 8add8e569aa0c97a76a4cdaed6dc59c0ae28c1461157b92678fe77e5d4bf99cf47204f6ac8913f723fe3a2ed7e29d7d5f34f109ebef7e40eb4f97f9eca709853 |
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\UbAqzoaRr\UxTheme.dll
| MD5 | aa8f6f8e186b92078204d1cb5c1459b0 |
| SHA1 | fe520c2e4e9eac5e73dd09ce0757a75281c5f32f |
| SHA256 | c0c038a51c9d7c53ce5dfd505c421bc92e7931cd201a5374c6cae3965c0780cb |
| SHA512 | 67ee8c0e59f00584501afee58b10e3d466bb1d110b85fa2ac98f0e4befe0d4b8a039ddf2ceec52b5bbf16cfbd17ecaf1aab7fc3503e5e410e6825c72731c9644 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\cl\WINSTA.dll
| MD5 | de56ccf2370e278c425c1585c3cfa7d5 |
| SHA1 | 20b97859173fc6b89997501d29b800acf4579c8c |
| SHA256 | 07a2781482a4cc8e88fc4eb4189be00dc1cf7d7f05d52f9257865a35a8e2a7bc |
| SHA512 | 9ae0e3b0227ed95b28254b52cb972408e2a79011b0b230a530e9b3d2af3b70b55dbe71bacc986f2599e29aa1c81be78fb74ceddd9d2a671bb9d2a3acbb610d1f |