Malware Analysis Report

2024-11-15 08:50

Sample ID 240120-d2fg6aahgr
Target 69602855143bf25085262765aa2cd991
SHA256 14c81cca53cfefe7eaaad66283b38b081c7e31c5bda2f3f0e0386f68f1d6c216
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

14c81cca53cfefe7eaaad66283b38b081c7e31c5bda2f3f0e0386f68f1d6c216

Threat Level: Known bad

The file 69602855143bf25085262765aa2cd991 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 03:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 03:30

Reported

2024-01-20 03:32

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\69602855143bf25085262765aa2cd991.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\AlVTlz\\SYSTEM~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\q0lJQO\SystemSettingsAdminFlows.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows with no description, indicator, process or target recorded)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3528 wrote to memory of 3684 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3528 wrote to memory of 3684 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3528 wrote to memory of 2124 N/A N/A C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe
PID 3528 wrote to memory of 2124 N/A N/A C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe
PID 3528 wrote to memory of 2084 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3528 wrote to memory of 2084 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3528 wrote to memory of 2056 N/A N/A C:\Users\Admin\AppData\Local\q0lJQO\SystemSettingsAdminFlows.exe
PID 3528 wrote to memory of 2056 N/A N/A C:\Users\Admin\AppData\Local\q0lJQO\SystemSettingsAdminFlows.exe
PID 3528 wrote to memory of 4124 N/A N/A C:\Windows\system32\unregmp2.exe
PID 3528 wrote to memory of 4124 N/A N/A C:\Windows\system32\unregmp2.exe
PID 3528 wrote to memory of 3400 N/A N/A C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe
PID 3528 wrote to memory of 3400 N/A N/A C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\69602855143bf25085262765aa2cd991.dll,#1

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\q0lJQO\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\q0lJQO\SystemSettingsAdminFlows.exe

C:\Windows\system32\unregmp2.exe

C:\Windows\system32\unregmp2.exe

C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe

C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4488-1-0x000002CB076B0000-0x000002CB076B7000-memory.dmp

memory/4488-0-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-5-0x00007FF95885A000-0x00007FF95885B000-memory.dmp

memory/3528-4-0x0000000007F60000-0x0000000007F61000-memory.dmp

memory/4488-8-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-9-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-10-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-11-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-12-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-13-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-14-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-7-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-15-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-19-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-18-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-17-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-20-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-24-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-25-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-31-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-32-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-37-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-36-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-35-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-34-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-33-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-30-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-29-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-38-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-39-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-28-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-27-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-26-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-23-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-21-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-22-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-16-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-40-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-43-0x0000000007F40000-0x0000000007F47000-memory.dmp

memory/3528-42-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-50-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-51-0x00007FF95A700000-0x00007FF95A710000-memory.dmp

memory/3528-62-0x0000000140000000-0x00000001401BD000-memory.dmp

C:\Users\Admin\AppData\Local\PNg2Ui\newdev.dll

MD5 4d3ffb15f5fbb365f44e4311f01c0be3
SHA1 3260bc68775cc3f8cbcad735569156444f714a2e
SHA256 84f457e0dd7e4b222eeeb65f7516eed279d372052799c305812def75511a8e70
SHA512 ecac7bce370a4c0fd40b9bad4ed9ad9a45e956e1b930f71d4c126b04e64595e75f70ed0c7066c1ba014be61b932e22151e8394e5882d20a8a75c842055634db6

memory/2124-71-0x0000000140000000-0x00000001401BE000-memory.dmp

C:\Users\Admin\AppData\Local\PNg2Ui\newdev.dll

MD5 a16b33ad0238bfcc1dad29120617c303
SHA1 3511ec7169d7c273d28647c6bd81ad516aa85ba6
SHA256 a2750ddccd49739d1896114d3784d90310d8f51eb63846870c79a03421626437
SHA512 e9664e1fd61cee27177ebd6cc4bd8bebbe268dad5f5e1d149d7ffdadabc5c21ba47e8c282dda921e563dd93a39fb4e548921171f1f10ba3fbcd5621576ad36ff

memory/2124-73-0x00000143E39E0000-0x00000143E39E7000-memory.dmp

memory/2124-77-0x0000000140000000-0x00000001401BE000-memory.dmp

C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe

MD5 1cd118ffa0726cc6d52ba3a30e54ca02
SHA1 4c6f5fbb731e0db7d6bec435068f7840032019c0
SHA256 288edd6eedb0a59875afe9f298c8c3093622c82eaf5ad5f62409bdc77435ac58
SHA512 f591b15f6431c820ce91cf07af6c5fc8cf214578f9049f36828a6357acaba8425c658f10ceab1eb8a863d56ee445fb06be615a60fff1f59e9a560d9f27f6f73d

C:\Users\Admin\AppData\Local\PNg2Ui\SystemSettingsAdminFlows.exe

MD5 d0546c4830e096ef58606e641e47dbb4
SHA1 219f75fbd6a89378719257eefa19505a1f031d2e
SHA256 2abc9984f2f6eee4a599810235e7a5323d59bce18147c9353ef10736458c0c4e
SHA512 1b9b5129ef804b18a316fd8d8cf6b8c6903c16a111c64bc533c9fd38f6ddaaf4f66c75ee98571737acf5cb697896b0c1069cbae28fbf79bfbcb07515901b71c5

memory/3528-60-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/3528-41-0x0000000140000000-0x00000001401BD000-memory.dmp

C:\Users\Admin\AppData\Local\q0lJQO\DUI70.dll

MD5 dc10a29f073f93375a5eb6f90d24c88a
SHA1 e030546d41fe236a79f75b39d8f7d3d2e917a991
SHA256 a0a04956e01750079f378892788cdaa8faa6f173a1bd2fd81685f28249823b18
SHA512 a07fd0dcafde5cebb6df020533e4e160b7cfe13e16f196d737899dc47ea2079d1529504dbdc41f826e10ef32d5c002f2b65fbb2ae58118631bd00dcd26b79c21

memory/2056-90-0x0000000140000000-0x0000000140203000-memory.dmp

memory/2056-92-0x0000022CDA300000-0x0000022CDA307000-memory.dmp

memory/2056-96-0x0000000140000000-0x0000000140203000-memory.dmp

C:\Users\Admin\AppData\Local\q0lJQO\DUI70.dll

MD5 41f2b2f8cb3cdf4bca07ebe606ae60a2
SHA1 2f2d288d8333ee031aca20387c2bd3da3e1f27c2
SHA256 af8d26d35ad4e0044c713a8c13335397772e0031259916a2962b78c018999765
SHA512 f3854907f0608740f88199fe950a754b14623e579b10bbd59750fcb8c153402c631a197bda50ce84d8d31708d0099c00ccc0ab868d5b74afe7f935dd4d05754e

C:\Users\Admin\AppData\Local\q0lJQO\SystemSettingsAdminFlows.exe

MD5 e1f715b91192831cca3f8cd9a57151cd
SHA1 508afaef0c7f952f6049eb1a8c75e30293f9e1a3
SHA256 643cb338930be76c88919152f1b11d17e8685bb83a6f7d7127969ccfe9d736b7
SHA512 f9114bafc5b251926a8468f4770219b94b39d7e2c11fa2050dfe661fd002070db6333ca76697a03db58610ed018ba6f7f4fd4081f1b71bc1efce063c6d522f33

C:\Users\Admin\AppData\Local\RkSgnqjiZ\VERSION.dll

MD5 0eb7db93e6f576aefe118320067e2ee8
SHA1 ad654f9b9c95bf0dd9649bcafde5f38eba5f21ea
SHA256 1fd6d15a91f6baf16a620415b2fb7fcd688d721abd46c8d7916b481c315e558e
SHA512 30e1478e75020f0332891fba3e80b855ad9476c68f5b12185467b7f3069c7172b53e2504b3300f8414e0370c5963eb8c0dc207ba7474b6a6e3132bd6532705d9

memory/3400-110-0x0000021BF0A10000-0x0000021BF0A17000-memory.dmp

C:\Users\Admin\AppData\Local\RkSgnqjiZ\VERSION.dll

MD5 753b4eb952ef4ad40fff6d629e7375b4
SHA1 a43f513da158fc08b6ca3d6ed7386d5f1e546467
SHA256 a0035356841a033d2b7008a777a84623e93d6df75a33ec9466e258c0e16ea86d
SHA512 338f143ade45da7d8e39372bf5c7ce6fe57ee45663f3c781b4d3e5008a6c3a7cd0eb2952b1e66b573db2ec2ac4ad5772bad0a35b5f6ca22a8366d873bb6e86f2

C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe

MD5 af7c83528bc2dc5fc085efb7ec613155
SHA1 46b6d23ee308a5990f3620dc68672ea5294039a2
SHA256 45a34430795632cd804a5bca3017038e62ee9cd4e0c09a1ffd5d7f25785c2a37
SHA512 f2d1a6e440749a063665f89bf8706dd12ac2b53907e0ebee7ea6a8ff20e59cdaf22fb44a214a27dbd1b6568b28915fed184168f0bca20e4ac04602c6591e523a

C:\Users\Admin\AppData\Local\RkSgnqjiZ\unregmp2.exe

MD5 2d0e30b9e231693f77bec57dc601d6f6
SHA1 41e7115645ca8b04efea9e962b776a38f4e93d41
SHA256 69072c074b3ce44686c8aeef212334beef5e231c29c30b70303ae262f09b53f8
SHA512 a8544c7a6c911930467febc9433a99374f7594e476960ab242469c40672aa422a5b2b4cc12cba96b588998d818c7ca0a7bde711782e21cb836cdf608af7eceb0

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 8575ac6dee2801b196a8ce3b655cb8f8
SHA1 c3bb53f1cfe1361a6d1856c3d8b03f384200de1d
SHA256 019ad295c9d8d9515d62946fc8197814471f8dba5082b90835d84a52a8a7589b
SHA512 459e3b168c3fcee642a3253963405ec4e2684c0d9128a0f80117fb27ed1d2f36463640435c5677c491c31c470246dc2644c9874d665831714f4a1fa5a4bea78f

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\U2xe0FOyVqb\newdev.dll

MD5 dfab52fcc9773b6a2fdd39bf7fb50eb9
SHA1 2571c9c39478766c20e2b989279a3dc9c410239f
SHA256 9159cf35b5dc3f86899215a89284c72b3cc14e238c2c832226456550b87638c3
SHA512 f7a4169cb6a96edfefaf66a57d3fb9b74088c21ce44fb2a490a955a566ce60ab33febe664a08cfe3f00ea3821762def33e4e0124470f63211c8327abee086b69

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\AlVTlz\DUI70.dll

MD5 68d6a67e801da4c0ce1cd46bb9140c08
SHA1 cb6fc02e6ced75d2b8453ee7bedb6ad71ef2d4ad
SHA256 157b4dc55b8355a7949a6f6f2ee7b7df542b6dcc138cf916639a87a6aaee3021
SHA512 a1de5b291fd36be5dafa8dc6900b68ed13ab273b33ccbc365f90d2d4c31ae34318649ab4bc38c3643c748cc456029306b4df016b94dcdcfb6ca8725d73bff453

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\e9HbDZAVC\VERSION.dll

MD5 4645e2975c4cdef057efdc23dad89f77
SHA1 acf8701415557b830856269feb774efdc52da38e
SHA256 54cd89b456a69c574c6a12bdcce634a5b2c53b0e525d420c034026545b95c23b
SHA512 cf17e1814a30350dfb352d9e01e392b012259469ae772ceee3404ba17d11a672dc0ce551bc6193c83c48670e3bab7773124c7adef3109c838e61fb45500a00a1

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 03:30

Reported

2024-01-20 03:32

Platform

win7-20231215-en

Max time kernel

150s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\69602855143bf25085262765aa2cd991.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Pft\consent.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\re5Aa\\consent.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Pft\consent.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 2292 N/A N/A C:\Windows\system32\wbengine.exe
PID 1144 wrote to memory of 2292 N/A N/A C:\Windows\system32\wbengine.exe
PID 1144 wrote to memory of 2292 N/A N/A C:\Windows\system32\wbengine.exe
PID 1144 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe
PID 1144 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe
PID 1144 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe
PID 1144 wrote to memory of 2752 N/A N/A C:\Windows\system32\consent.exe
PID 1144 wrote to memory of 2752 N/A N/A C:\Windows\system32\consent.exe
PID 1144 wrote to memory of 2752 N/A N/A C:\Windows\system32\consent.exe
PID 1144 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Pft\consent.exe
PID 1144 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Pft\consent.exe
PID 1144 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Pft\consent.exe
PID 1144 wrote to memory of 2136 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1144 wrote to memory of 2136 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1144 wrote to memory of 2136 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1144 wrote to memory of 2140 N/A N/A C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe
PID 1144 wrote to memory of 2140 N/A N/A C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe
PID 1144 wrote to memory of 2140 N/A N/A C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\69602855143bf25085262765aa2cd991.dll,#1

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe

C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe

C:\Users\Admin\AppData\Local\Pft\consent.exe

C:\Users\Admin\AppData\Local\Pft\consent.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe

C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

Network

N/A

Files

memory/1940-1-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1940-0-0x0000000000310000-0x0000000000317000-memory.dmp

memory/1144-4-0x00000000775B6000-0x00000000775B7000-memory.dmp

memory/1144-5-0x0000000002E10000-0x0000000002E11000-memory.dmp

memory/1144-14-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-13-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-12-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-15-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-16-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-11-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-10-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-9-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1940-8-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-18-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-17-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-21-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-20-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-24-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-23-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-28-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-32-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-33-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-31-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-30-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-29-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-27-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-26-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-25-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-22-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-19-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-7-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-37-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-41-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-40-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-43-0x0000000002DF0000-0x0000000002DF7000-memory.dmp

memory/1144-42-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-39-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-38-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-36-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-35-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-34-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-52-0x0000000077820000-0x0000000077822000-memory.dmp

memory/1144-51-0x00000000776C1000-0x00000000776C2000-memory.dmp

memory/1144-50-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-61-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/1144-67-0x0000000140000000-0x00000001401BD000-memory.dmp

\Users\Admin\AppData\Local\lTs00iZw\XmlLite.dll

MD5 2766d208c99ff5f47554c773c6668c05
SHA1 db4febeb9e254f1e1c8f464454e6b2f8a69d80f3
SHA256 c846f8df7a804faef01fb1f61f98859c0b9867cf43a6af3a6730659a596cebec
SHA512 04054780b52dbce46f3dfab10abe701efa0659972212502cf718f414ae774cd5fd5d003ee088d5c95affc114a90cc3a93998ec4bf984eb516a1cc633c8d47ab2

memory/2604-79-0x0000000000090000-0x0000000000097000-memory.dmp

memory/2604-84-0x0000000140000000-0x00000001401BE000-memory.dmp

memory/2604-80-0x0000000140000000-0x00000001401BE000-memory.dmp

C:\Users\Admin\AppData\Local\lTs00iZw\XmlLite.dll

MD5 c222dfca16df96d9dbd2b37c2f090eec
SHA1 13a18827d0dadb644d5052450a6e284b6222253b
SHA256 3081ad0b27ed1c87c548436842134d641077d0bb57358f75a05a1b2711b3a309
SHA512 e6c9dd7eb4ff41bd967802e8dc1caf04f74a11c40ebf2afaf94e0f2f858ae98e82d0deb5e87b40c9eb8df1d4c1a26cb29ce728796274dc5a6c976ffd65952b0f

C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe

MD5 90b0b571ed73aec49271dca4bb9fddec
SHA1 59322db363f47b2369c6d6315018ff2e8a4535a3
SHA256 d818199ff812108644d9fe7adec3e65dbd028dd00a48a3d16fd247ac0fba3fd9
SHA512 bcdf3aca7693cc71a1298ca683e71edd71b2418306f948f3a13995854d03296e28b0278b03988fb92df64f517b79a38e830d10f6f153fe02434bcfd4b4e20469

\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe

MD5 a826e27365f3b8d4fd3c380b4b38fc9a
SHA1 9919d60c56f21247cdef3965646e068e55a19de1
SHA256 9f9fd60693cb31d1c68f7e5f6ba48a56034e309465216e21fd98b9334760cf8f
SHA512 8d1018cbda66c7c81a7c2fe12e7e0d1f378872e55c70522933f608b3a535604b8c034811a2ea75eb4704c443e153d04d5c186f78d87f0a056ca2c209e2e0b459

C:\Users\Admin\AppData\Local\lTs00iZw\wbengine.exe

MD5 c14e2e2a14c31d16b728b1e74fd670e1
SHA1 0cf65ad861cf96b2c92182f418fe2dabecfacb85
SHA256 224bcf9315bdc7e5b0c0da13b485692aec21ae17d68bd7f3e5c3692d272eac93
SHA512 0a4eb749e13a0a6ac49889b337136da949e2b6a00452fe45b90167ce60998907b8525634a3004c6f792a05494a790ee127a2ca13cbb53a888feb5264ffd36184

\Users\Admin\AppData\Local\Pft\WTSAPI32.dll

MD5 fe140709d168f6df98547e1d31946b1d
SHA1 99297cf10d813dfd3f7c066dc6bfc5ccbe76c1c3
SHA256 779a50583ea637da2cf4b485cc4ce6304a0067909b9dca1c5b5ffea6d3cf4012
SHA512 7fb0e313be8b2050d28be7c59714ea0ecb1a065d19c1529335a4e1eca4d87f722365d031f0bed580f492ae49ab0d8066c026e76761f7c4e4435835b09bc5986c

memory/2008-103-0x0000000000380000-0x0000000000387000-memory.dmp

C:\Users\Admin\AppData\Local\Pft\WTSAPI32.dll

MD5 de793ecfebf3134cb30854751f14049d
SHA1 0a994e261d8f2f1919f4849c63a6bd68baa3bb11
SHA256 9cda479bb5867caeaceac15ec22dc6c1afc57fae7ec9dce0ef69b3733440a226
SHA512 9e6c27a81b155f0c40237c4915e2ea6b25ccbd8ce9efa06761de7c68c09e2933d30ee1895e1bf18919ef589bedb2084e95bc5889180e116a8364ee33b9f96b82

C:\Users\Admin\AppData\Local\Pft\consent.exe

MD5 0b5511674394666e9d221f8681b2c2e6
SHA1 6e4e720dfc424a12383f0b8194e4477e3bc346dc
SHA256 ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b
SHA512 00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

\Users\Admin\AppData\Local\vaHG\WINMM.dll

MD5 26d28fdf51c9e067e818a7951b02e386
SHA1 4746575fffe1acabcd5e4af9219c425ba83c6ad5
SHA256 9f17625d96c538bed5cb4242eb06866b3af5827a979ff91a4de476eac1515309
SHA512 3adf7c5b37715a18a1a1a9ec67a99fb2c13daa9b538f117edf19a6119ac6b3ca762bb38ff71f4242183281a4fb4bb93f03c67546d4f56de9bc3f243f26ef6ec3

memory/2140-123-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\vaHG\WINMM.dll

MD5 ccfd429ca3005cf9cd36dd624041e723
SHA1 d2bbf8d30bac51715f1abb8febe88d45505993aa
SHA256 eef34e76813816c6e943a7dbb5d1d2e88c09d7c2264ffee1cfb13f6b74eb1519
SHA512 7eea10c0ad6b45cdff2ba8409d13d99565383cce6790a7b2b11e6e59bed4c66a2554452dff0e757b670ef3a2617cbe75be5acd24d3005cc21965c10f70a900ad

C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe

MD5 a6f8d318f6041334889481b472000081
SHA1 b8cf08ec17b30c8811f2514246fcdff62731dd58
SHA256 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
SHA512 60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

C:\Users\Admin\AppData\Local\vaHG\PresentationSettings.exe

MD5 3f683d4d5672f3faba37eca24845d161
SHA1 b7b38cd750a253b2a9faa15251107b99c1c972c4
SHA256 f5d4919e83f63f7c0f3580e93b99088800a01b960d8ddc799aea70105a3edaea
SHA512 5dbb651b8511ffb6f3ea98faf60d6cd43c82d826d6f08126823828034cc45a5bb2e8d0a83ac44c27aeec0a57fed373f8cff895b7aae86f675181a5bafbfd115c

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 51d79a6710733ea51904f935a9c1c806
SHA1 4894210655499ae9b1bb96e0a88427ff8b4be195
SHA256 b7ec7eecf8072770def8cbae00e6cacaf67cf1ee13a225412733f0ef11df2484
SHA512 ac1384c1e430aa923d20a92d51169da015c4e65e9cd7e0e30658f71bac8891d39205d1b3558ea3c875f940b6ef1be8d595d58e2581a2cd07f42cc2ab9cf89bb1

memory/1144-146-0x00000000775B6000-0x00000000775B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\SmlmOHTivqg\XmlLite.dll

MD5 faefe20267490a71cb73415e32b71da7
SHA1 84fb53c7c106677a72bf52323e4f70e57166f505
SHA256 edf2c2648783c2060e249cd6c4497c3604c1afa2c3865e3b08cbb1e94762a708
SHA512 adf8e4f6e617c16b2f0bdbdc0e1b5cda8c5b2904e25c8fa7aa4b5eff3c23d606aa22680d542a6ed3bf72f353cdf9056b626f6d6f676ad7e4b554ee789c16dd5b

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\re5Aa\WTSAPI32.dll

MD5 7718b3192329489add3592629d195bd5
SHA1 e35c92cf96a71c39a8fc5f6902746baa3854f890
SHA256 cdc6e61aceedbbbd9b36f62ae851bc921c37b93e992a1fd2d27afa9c107d3c6f
SHA512 120fbc64f181a693e564b768bd22fce163c4b8834e2c86a1848091e33b1b375a41f1660470ebded8c2d665246d2a03d450d51e11b4c98e0cff013b5e5f80fa06

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\02csxhV5MJI\WINMM.dll

MD5 e3ada2a571cae3ea7051aad7a760fb1b
SHA1 28024a3bef8a167a5d1d071de7d4115da1e85976
SHA256 34f5f22c44efb87d79f6bec8ab1fe2911f2dcc8930262c7b0f52490a63d1ce7b
SHA512 3b6aca4fadf0aaa55f947290237a8d53f6faa54b708d605f5288f26f6d66cf4461b858f1d11efb68a99b21b26f5cadd53f3e14aa00a9e8676428f68a56339a9a