Malware Analysis Report

2024-11-15 08:50

Sample ID 240120-hyq7psecb5
Target 69cd7320b88e1819f445bb8db3d0e43f
SHA256 bcdd2a40691235cb270bc9cdcf08b99de975ddb77896eb02fd19508fdd2a57d5
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bcdd2a40691235cb270bc9cdcf08b99de975ddb77896eb02fd19508fdd2a57d5

Threat Level: Known bad

The file 69cd7320b88e1819f445bb8db3d0e43f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 07:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 07:08

Reported

2024-01-20 07:11

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cd7320b88e1819f445bb8db3d0e43f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lgpbj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\wr8pTpN92\\tcmsetup.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (61 further identical rows with no recorded detail)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 1204 N/A N/A C:\Windows\system32\icardagt.exe
PID 1212 wrote to memory of 1204 N/A N/A C:\Windows\system32\icardagt.exe
PID 1212 wrote to memory of 1204 N/A N/A C:\Windows\system32\icardagt.exe
PID 1212 wrote to memory of 592 N/A N/A C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe
PID 1212 wrote to memory of 592 N/A N/A C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe
PID 1212 wrote to memory of 592 N/A N/A C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe
PID 1212 wrote to memory of 988 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1212 wrote to memory of 988 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1212 wrote to memory of 988 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1212 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe
PID 1212 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe
PID 1212 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe
PID 1212 wrote to memory of 1672 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1212 wrote to memory of 1672 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1212 wrote to memory of 1672 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1212 wrote to memory of 2212 N/A N/A C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe
PID 1212 wrote to memory of 2212 N/A N/A C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe
PID 1212 wrote to memory of 2212 N/A N/A C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cd7320b88e1819f445bb8db3d0e43f.dll,#1

C:\Windows\system32\icardagt.exe

C:\Windows\system32\icardagt.exe

C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe

C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe

C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe

C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe

Network

N/A

Files

memory/2968-0-0x0000000000390000-0x0000000000397000-memory.dmp

memory/2968-1-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-4-0x0000000076DB6000-0x0000000076DB7000-memory.dmp

memory/1212-5-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/1212-10-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-9-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-14-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-15-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-13-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-12-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-11-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/2968-8-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-7-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-16-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-17-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-18-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-19-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-26-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-27-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-30-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-31-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-29-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-28-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-25-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-24-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-23-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-22-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-21-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-20-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-33-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-32-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-35-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-36-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-37-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-38-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-34-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-39-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-40-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-42-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-41-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-43-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-44-0x0000000002A80000-0x0000000002A87000-memory.dmp

memory/1212-52-0x0000000076FC1000-0x0000000076FC2000-memory.dmp

memory/1212-53-0x0000000077120000-0x0000000077122000-memory.dmp

memory/1212-51-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-62-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1212-68-0x0000000140000000-0x00000001401BA000-memory.dmp

\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe

MD5 a520593b050b99f2b09815c3d37c69e4
SHA1 3a1064b06131d2c187c2be46c01a8830e4a9919c
SHA256 0287143d4ecf9600418d343c655ed945832aa071e2a1326e398e4039dc41f11c
SHA512 b98686e1449e629f70c67a8ea0f618ceed0b3e8c02a0d47c18c071f3777ad4f78d237ab2f5bc06d7f4d02f0cd263ee9de46a6c2926246d207165e477a8141ac4

C:\Users\Admin\AppData\Local\sIuNUZy\VERSION.dll

MD5 c9385c0ba09767995bf2e8407e68dd8d
SHA1 415308c0e13ded65c22197797b2629d351163856
SHA256 458a5b9bf16fadb417c090c8b94370abcb0ed6f061d924095eed19597e7e9a8c
SHA512 c01f7b154b5e50e136a4c8a060453a91247fdabf122ae27d7cb3ed4cded4298f23fb909aaa28f7f54ae7cc0f7b275b978f47ab93631487ecaf2e1573d3127783

C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe

MD5 2763c73ec27fbf4f66b7c183b48393d0
SHA1 051aee887fef944ed7a42491f17bfc5b105e28f5
SHA256 8894ba0eaa73094990ea8143b959a321f3a2b6076e6ba3150ceb10b811f6cf52
SHA512 16c34a52ab483797e3273bd2aaed4ecfd289aed00a19d9fb2d566a804215c5c8c43371c0f872cfe4b7e920df2705a11a5169bb8cc562abe1dd48b191661eac20

\Users\Admin\AppData\Local\sIuNUZy\VERSION.dll

MD5 42ac48bdaf6d69917b60fc7e3f51cdb0
SHA1 c7b479813d2f0f35548d1ec2871ea73c3136d7ff
SHA256 4a0c116ca7d509b38726121b38bc8bd0b86099bb55ec7dc1f383998ab521d39e
SHA512 75d4c670894196570c9df00be23842454ff1c6b59ee44779954c3d80d7faf42981d50f31f3fe2088db3e54e07ad64938d27864fefc257cc638ade28f0ab05dea

memory/592-80-0x00000000003C0000-0x00000000003C7000-memory.dmp

memory/592-81-0x0000000140000000-0x00000001401BB000-memory.dmp

memory/592-85-0x0000000140000000-0x00000001401BB000-memory.dmp

C:\Users\Admin\AppData\Local\sIuNUZy\icardagt.exe

MD5 a5ad94dc8a9820653956e68f2e5c9040
SHA1 38a29fddff6724054c283f5e9ee2c4efb368d8d8
SHA256 cb61bb1a071dddbe0558aa7f404fccdb9be24786da034a35419d57312d0cdc44
SHA512 283dd737c5bb20e73ea1602fe5d96bde6d4e04016696da00258487d1d647017e7953806038dd7de847d57da711a77c62e182628b1c7378875e66457cbd8ca6d1

C:\Users\Admin\AppData\Local\pfaKg9vz\TAPI32.dll

MD5 6966bec7cae45006a7c0f9eadcbc25c2
SHA1 419c5e7bdbccafd37bec70ece2684ed67da3264e
SHA256 c0cf1ca579251cf3ce8c66774ee5eb7fc488070adbe0fcf2993324294c8b8651
SHA512 abd94d2ab6d403116fc7b2d42670f4b47801c90be7f0f05d031fe4e1bf0aac2d98998e1b801a214201420b8e8c0be4a82cf07708afd793b6b9df2a9609e6fb8d

memory/3020-101-0x0000000000270000-0x0000000000277000-memory.dmp

\Users\Admin\AppData\Local\pfaKg9vz\TAPI32.dll

MD5 5ee00be4e9cc8211ce9774f3bf983804
SHA1 585d0af75a51405f9c05fe41b15d12cd9e31887c
SHA256 42b6b09325e0b644ddb22980538dc760d311e8cc62b1e6d5fec4e6ee59b9ea58
SHA512 e534cb000f86dc37586b15e9b1c98a079229a179716c5986e5d70468544ec66ef6688fdfb1f2e6f946adceb18abbdc2033251658327992eafb61a87545a47a99

C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe

MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

C:\Users\Admin\AppData\Local\pfaKg9vz\tcmsetup.exe

MD5 fd020b037e6517def1d8d1322c77c0d9
SHA1 3fbc7d70929d2781f2178626cfc489aa188ef9dd
SHA256 2cca676a08c2ab765a4bd8368e9a4a6228ee31d1959d3aca7c15bb9a464f30cf
SHA512 1f3da985bb180ac287ae1ba6b6aee1c91198345ef7fb0e554701a0ed0d0aebe6fdb8caee8cf3ae9f7b8281657c2ae0bebed6d352f43639b07fdbf0e9c787d85c

C:\Users\Admin\AppData\Local\7Z9\DUI70.dll

MD5 cc3b1bff8e1bd665f18b92448c84ca8c
SHA1 aad725560d3ae8283e096c1fae686ba1d2fa519f
SHA256 176bf96ea3f0bdad235c04eb5f973d778400292cc3c1e2e3726fd48dd41716db
SHA512 f20162eb8f59f92a94c659b95e5a62a959f656f3f76b9e7408bf91b2704791f51eeaf859cc0a7b551a2cd99fc80c4956b5627d692d837a76a3ba02b4dd318b10

\Users\Admin\AppData\Local\7Z9\DUI70.dll

MD5 6097680372b9004823b13dc918d382a9
SHA1 f1142332ad4459604772acf3efdd1e7519809f5f
SHA256 4fe16c88764089187c0bd478b51cf25607f29db8381e5c2f07a53d64e3a46976
SHA512 bc12856fe00cc8db72d276b8a66aec3e6600c64e27276cecec593833fe5af9c5b1af28d045d845e29570b4b8cd282498a94e1af94f7d71eaf6460323e2a1e87e

memory/2212-119-0x0000000000220000-0x0000000000227000-memory.dmp

C:\Users\Admin\AppData\Local\7Z9\dpapimig.exe

MD5 0e8b8abea4e23ddc9a70614f3f651303
SHA1 6d332ba4e7a78039f75b211845514ab35ab467b2
SHA256 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA512 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

\Users\Admin\AppData\Local\7Z9\dpapimig.exe

MD5 168921893dcac96e79bfc4a76c0d8016
SHA1 940d9ebdb7376fddc442a36b9151609f5ccb096c
SHA256 c7030fbac527514b789dd81f37059c5291ae2184f8b1f1f672e0d59cb428265a
SHA512 51974963fe861463d52ece22dd8aa4135d93d9449e9ce3923271f4dbb897566e30156c1e94de91be53658359d8d9527fab395a3766c633ba8285dfa629ab2229

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yiudzqwx.lnk

MD5 207310677cc002610410a30bc19e6fff
SHA1 675ca1e0b8c9aa12cab7578be8491cc11092c6c6
SHA256 f343a860fd73002e16e8c157c4844c96b1ec64f18dc4c75a562c25e4e782e589
SHA512 fcf7c4957f5870f6d72299edc36ada9b2efb944890a7eb1c6d4771db1467a7d57a6ba42a2cb45d530201930118873a489a2caba81d02d3922b57210ba6d0df61

memory/1212-144-0x0000000076DB6000-0x0000000076DB7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\w3Gkhdk8977\VERSION.dll

MD5 dd7f0f99c3c00e31b8fd20fbd5ad4f93
SHA1 c3cc11ee96968210eb68c4161d19b334e2ec33db
SHA256 42ae418173af25bc4f280134099cbbd2fb106feeb83bc812f346e18329a802ad
SHA512 04e6c5f66b7de6a292ebe3d090613b2121652f2cc714056411a4ee3e3cd7c8575b9f1abae3aad032fe4582cf6e5846dce26a32d83696e2c442add16569842b5e

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\wr8pTpN92\TAPI32.dll

MD5 7bdcfc7b01c9ab7ad29835541d536349
SHA1 a6458ee7519ae2f197abf25ad7d3d004c8c7c2f0
SHA256 740dc4f183d739d0bab0814b27cd9b62d833f7492d460ba6aa1923f066c0eb8f
SHA512 23d32f5740e3fa09245576a4e58512eca1465ad2b75ddbb63cfb332c8844cf7b2b79a5b0430af058416a052ab6eee747dbccd145b525416fb54c6547864bcf02

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\pER6T\DUI70.dll

MD5 417f25949c36271d81c3f1964461d04d
SHA1 772ab65d28206b935c4d5e02a18cd729fd58e349
SHA256 084727b10e99bd67df09aa6b5f66f5fa61ffee6d1ae671ba15e8893bc512abc1
SHA512 474daced1ae18dcc459c933a4e5d92439642304a3a49f03e301c09c5e3bb16b17494ddbe58654b0020cb977947665dabaa17179ca1473ab32ff05f8320a5bfa5

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 07:08

Reported

2024-01-20 07:11

Platform

win10v2004-20231222-en

Max time kernel

85s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cd7320b88e1819f445bb8db3d0e43f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\fbesmd\\sethc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Lzbkz\osk.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\gxRt\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (58 further identical rows with no recorded detail)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 2344 N/A N/A C:\Windows\system32\osk.exe
PID 3512 wrote to memory of 2344 N/A N/A C:\Windows\system32\osk.exe
PID 3512 wrote to memory of 3092 N/A N/A C:\Users\Admin\AppData\Local\Lzbkz\osk.exe
PID 3512 wrote to memory of 3092 N/A N/A C:\Users\Admin\AppData\Local\Lzbkz\osk.exe
PID 3512 wrote to memory of 1604 N/A N/A C:\Windows\system32\sethc.exe
PID 3512 wrote to memory of 1604 N/A N/A C:\Windows\system32\sethc.exe
PID 3512 wrote to memory of 1400 N/A N/A C:\Users\Admin\AppData\Local\gxRt\sethc.exe
PID 3512 wrote to memory of 1400 N/A N/A C:\Users\Admin\AppData\Local\gxRt\sethc.exe
PID 3512 wrote to memory of 4336 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3512 wrote to memory of 4336 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3512 wrote to memory of 4296 N/A N/A C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe
PID 3512 wrote to memory of 4296 N/A N/A C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\69cd7320b88e1819f445bb8db3d0e43f.dll,#1

C:\Users\Admin\AppData\Local\Lzbkz\osk.exe

C:\Users\Admin\AppData\Local\Lzbkz\osk.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\sethc.exe

C:\Windows\system32\sethc.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\gxRt\sethc.exe

C:\Users\Admin\AppData\Local\gxRt\sethc.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 88.221.135.217:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

memory/2120-1-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/2120-0-0x000001A09B090000-0x000001A09B097000-memory.dmp

memory/3512-4-0x0000000002D70000-0x0000000002D71000-memory.dmp

memory/3512-8-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/2120-7-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-6-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-10-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-9-0x00007FFFED05A000-0x00007FFFED05B000-memory.dmp

memory/3512-12-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-13-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-14-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-11-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-16-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-17-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-15-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-18-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-19-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-21-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-22-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-23-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-28-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-33-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-37-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-41-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-42-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-44-0x0000000001310000-0x0000000001317000-memory.dmp

memory/3512-43-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-40-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-39-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-38-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-36-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-35-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-34-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-32-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-31-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-30-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-29-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-26-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-61-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-63-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-52-0x00007FFFED100000-0x00007FFFED110000-memory.dmp

C:\Users\Admin\AppData\Local\Lzbkz\WINMM.dll

MD5 f826f65f2088358e8b2ef4644f5d5f48
SHA1 fb2edbdbecd12878340c1b7863bfbb7d257193b4
SHA256 1689525d877bc827595ffff7006f625b23265fc74a768ec61e3e4dc71b711323
SHA512 a185bce98d2bb459abaafeec196388e78cfc78ae1ad23881bdb8ac54db73af0a4a732bdf34a333b6dafe21905464e2ed25ccdf23a263364f0e7aaca43f18ad9f

memory/3092-72-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3092-73-0x000002F46FA60000-0x000002F46FA67000-memory.dmp

C:\Users\Admin\AppData\Local\Lzbkz\WINMM.dll

MD5 ad9266b679ec3582d0055010373a9449
SHA1 345590b88092cdfe7e320a85b831fcbe5e552048
SHA256 937dd979e88970ff8bbb42e6de23ac9f21611c1febcf52e0ec8b03a276efa687
SHA512 285293dfa23b5cb943d19f02fe587990dd530f850a1eba024b402ca8a30ffd16d407407d5c9ec21a3576795c538557c07b6ddab9059d9d77c2f7b145b7bcac86

C:\Users\Admin\AppData\Local\Lzbkz\osk.exe

MD5 eb9834aac2bbe2ddef192b48524e4cff
SHA1 efbbd4188cfde1fcd5467f72e41fb71b144fe32c
SHA256 fcd3e1a94e38c73a79971e1ad1800b83fc1e5347f42908825286fa4ee70730d5
SHA512 e75dc02d047405662bd64c5c398509226f11b33906e347e4029eb1d2b397421f7d3ddc6cba8c3eced336fbaafa8c2160d5e746368e7100f826688c89a90df0d8

memory/3092-78-0x0000000140000000-0x00000001401BC000-memory.dmp

C:\Users\Admin\AppData\Local\Lzbkz\osk.exe

MD5 c0d2d20dd90155ec20f1b11d8a953e4d
SHA1 e624108769e7a4878d7171e2ef76cbb0a43749a2
SHA256 5219a12c59203e4cb917d6db28b8ac0d572e7465c6dc738f024b5f36654cbdbd
SHA512 04961a07b755fc8b974e84bbed3aceae71fc42e22f82dbd679327536a0fcce2b80a9ebf7a0af148e4f2a46002062f5a4bd00c43052536bc51347bdae8a87687d

memory/3512-51-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-27-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-25-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-24-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3512-20-0x0000000140000000-0x00000001401BA000-memory.dmp

C:\Users\Admin\AppData\Local\gxRt\DUI70.dll

MD5 e7e12578ce6e5b94b152b634b39b75ac
SHA1 960a3977ca4baecb55a142c2521f815c60a3b2e9
SHA256 257533265ea1d65e50c76559f1ec8ec096d42c25b0ebf84de0f3fcba53df8c55
SHA512 83aab61a34b1bf388fd60f90487366c36e9ff8b6aad7291f6d0e8d886c9ffbcd136b68e0a143e4c2c239be9698ace851deb5424f49596ae2fdb9cb5b5f94d9b8

memory/1400-91-0x00000125E9C00000-0x00000125E9C07000-memory.dmp

memory/1400-95-0x0000000140000000-0x0000000140200000-memory.dmp

memory/1400-89-0x0000000140000000-0x0000000140200000-memory.dmp

C:\Users\Admin\AppData\Local\gxRt\DUI70.dll

MD5 54e15f9b03ad4ca2fba2639485375705
SHA1 e7331b9fa82bd62d2ce68aedc9849c64a7877760
SHA256 07660569c989c6e78b848690e61dee24a83c1b38b8493f81ca9f2e108972a24e
SHA512 c16c52c138dbab43af328ec1573dd957ee7f7aa66043558638a5f26c27742909b7e64d76bafe40ded077f143dfba39dd704b617d078910110297cc41903bbf5e

C:\Users\Admin\AppData\Local\gxRt\sethc.exe

MD5 8ba3a9702a3f1799431cad6a290223a6
SHA1 9c7dc9b6830297c8f759d1f46c8b36664e26c031
SHA256 615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8
SHA512 680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

C:\Users\Admin\AppData\Local\Y4KQ\XmlLite.dll

MD5 44b53a7697ece831827ede0c8b51cebe
SHA1 36cf15f16948832c204a2aafb561651019f1185e
SHA256 e9f36dcce374a22cf5d31eca269babd1636b5fc917b2fccd89c6a4913cfbb2ca
SHA512 d3f517fd181587d1fd1ec9d2ec8ea74b769658fe221ed45a3e79fb586bac2c8d851af3f486171df013a386e2d0f6eeb84e38a0f9777752146ea6887bc900c3f3

memory/4296-107-0x0000000140000000-0x00000001401BB000-memory.dmp

memory/4296-106-0x000001734ECC0000-0x000001734ECC7000-memory.dmp

C:\Users\Admin\AppData\Local\Y4KQ\XmlLite.dll

MD5 de49b3f11039816deee8f19b490a2ad1
SHA1 c9551ee59b4bb8108b0bff66a534cb141c482a47
SHA256 e75b494e0b082f90868b04f244a1822c247f7e4dab6fe4b3a084975a987609c3
SHA512 c3188c5d13270d8bd2af8b2467893e53de69ac412c0afd98f8eb43be3e5e3ffc0707938886a06dde6459eee15cd0ae927eec5d1c8adf6dfd73d28a9bc31ea483

C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe

MD5 18820593b885bbc1225acdfd0206969a
SHA1 74e25ede6adc6629eda39f5135f26578df89e64d
SHA256 811a4df6ef3bfdb4e4b2c0fbe239d1c64a4552a4f8c8678cdd60710f07229335
SHA512 4e05870fe73d32275e8b8c674a3d2ee9f8aca5a28d63b3ed56e3556556ea72445baf6786e715b5909662ad3eac4e4e63600043eea9021582c524ed0ac550fc79

C:\Users\Admin\AppData\Local\gxRt\sethc.exe

MD5 33c3a72395b0de30c1f0af7dc795f434
SHA1 d3a29603195fa85bf98ac0e26869b6b189c6b57d
SHA256 05af54cd21f22eecb5c1bdb24822f2ccfb5f3deec3c036fee16adccf46555fb7
SHA512 458403f9943fb3421e4b57f623338990d2ce71e63522f35e8f77f757229ef581e9fe606b066755b6a11f0dbabecd2b7f21bf909f92edef1a832d3787ced9a1d0

C:\Users\Admin\AppData\Local\Y4KQ\MoUsoCoreWorker.exe

MD5 f01b4344b00b31823a90118cb2a4c344
SHA1 2f30c9de63a981837243d9b03797d52a18ed12ab
SHA256 f0d68c1bb662400760955515e4fe3492950aeca704484df45b596d123ae1c2e5
SHA512 8091818b8cd58793c7e649a7e83ade6a6c57fd72814693526cb96813b2359def75699ef7c913ea0f2f35ce49a3f71b5db42a4d182f1ad850608c9e0a8eecac4c

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 28e803b72f243d7ef4e105e8dbecd1b4
SHA1 40b0c302346fedfbc0b4946fb832385919c7c3c7
SHA256 86b3d956d0531563ed549e9bf2d18585b042ec6b3f1c31fb600fbd506957186d
SHA512 7cf7bb7b4c02354f3df1b4062c7a644a53d4b53ea436df8ec9e424bc7174619afb5b97852ac70ed7fe1d7fdce341792cee8be25562e0e123007a052c10dbea21

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\A7\WINMM.dll

MD5 389d8d5fc28377883482fcee982a9ff0
SHA1 7ff45a6d754d257e09f9a1a8cd43918dc27346f6
SHA256 8df16900f6d3119cbe26bed37fe7f98e2751b3d7b30639b59ff053a9a6f27715
SHA512 ce7f24d02084d8ba5740ea8f6aaa4657361825e78d4f4897f1492491fcfb0ae88f4c67361ed86f622ae7e08e1e4822d1c02ac891c898941bacf7af04ddd319ac

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\fbesmd\DUI70.dll

MD5 3288ead7764e2685053cd5bda56ebf2e
SHA1 d0b35b0e5f3b1ebd555d8707bec3d9c9ef560dd8
SHA256 9a13291d39c26a2269d59044d72eef8e22b3800b0aa87ab524e693a628defb97
SHA512 04c8ab52779ce8ba8b82d4cc11ce0b3a6f4781db4bf9792d79e67ae3aa6682c7c4872e3e3fd86bcb02e6e0bb1abe79fa735a961b40154fcb7aeefd17bea3e719

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Tg\XmlLite.dll

MD5 577c6c11ec9b41e613f5a60c0edc09c3
SHA1 c6af2f166f135117b190f8c05b359ac0585674b4
SHA256 7aedf07eba199ee4869d0593dde40b02b6b085fd781372692b38c5efe6140f39
SHA512 6b5cd4749d4cc6b9346217511d6823179e9bd399126849bcf6e4327113de76920958a051af7bda162369c8070df53c5639cdb059f67537ec60b8ffc4d5f76f33