Malware Analysis Report

2024-11-15 08:50

Sample ID 240120-mhb53agcgn
Target 6a2f78fd728fdf56e1674632e7f5a5ed
SHA256 7cdb42626487138e394194e7d97f06affc9a4cba685fca6d1a496bd1765140f9
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview; Signatures)
Analysis: behavioral1 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)
Analysis: behavioral2 (Detonation Overview; Command Line; Signatures; Processes; Network; Files)

Analysis Overview

score
10/10

SHA256

7cdb42626487138e394194e7d97f06affc9a4cba685fca6d1a496bd1765140f9

Threat Level: Known bad

The file 6a2f78fd728fdf56e1674632e7f5a5ed was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

How the signatures below fit together, read from the two behavioral runs:

The DLL is invoked through rundll32.exe by ordinal (,#1). The first memory dumps come from the rundll32 host (PID 1260 on Windows 7, PID 2496 on Windows 10) and cover the region 0x0000000140000000-0x0000000140189000 (0x189000 bytes). The same region is then dumped dozens of times from a second PID (1220 and 3568) that is neither the rundll32 host nor any of the processes it writes to, and every WriteProcessMemory event is attributed to that second PID. The loader therefore appears to move into an already running process before it does anything visible; the report does not name that process.

From there it starts a Windows binary from system32 (UI0Detect.exe, msra.exe and wisptis.exe on Windows 7; perfmon.exe, AtBroker.exe and cmstp.exe on Windows 10), writes a copy of the same binary into a random-named folder under AppData\Local, drops a DLL beside it that carries the name of a system library the binary loads (WTSAPI32.dll, UxTheme.dll, slc.dll, credui.dll, VERSION.dll), and runs the copy so that the dropped DLL is loaded in place of the system one. This is DLL search-order hijacking (side-loading), the Dridex loader's usual way of running its payload under a legitimate process name; the "Loads dropped DLL" rows are those copies, not rundll32.

Persistence reuses the same pairing: the Run value (Srfjajs on Windows 7, Mbfbagbrjs on Windows 10) points at msra.exe or AtBroker.exe in a further random-named folder under AppData\Roaming, and the Files section shows a UxTheme.dll written into that same folder. A .lnk is also written to the user's Startup folder, and the Task Scheduler COM API is called, although the report records no task details.

rundll32 and each side-loaded copy query EnableLUA, i.e. check whether UAC is enabled.

No command-and-control traffic was captured. The Windows 7 run shows no network activity, and the Windows 10 table holds only bing.com connections and reverse-DNS lookups that are background traffic of the image. Do not take network indicators from this report.

Several dropped paths are listed more than once with different hashes (for example msra.exe under BiEXiyRj5 three times). Most likely the sandbox captured the file at different points while it was being written, so only a hash that can be tied to the final file should be used as an indicator.

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API
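The process and file listings in the two behavioral runs pair a Windows binary run from system32 with a copy of it in a random-named folder under AppData and a DLL dropped beside that copy. The Python below is an added example, not part of the sandbox output: it reproduces that pairing from the report's own path lists. The path constants are copied from the report; the rule that an executable counts as a system binary only when the same name also ran from a system directory is this example's own heuristic.

```python
"""Added example (not part of the sandbox report): derive DLL side-loading
pairs from the report's process list and dropped-file list.

A pair is reported when an executable whose name also ran from a Windows
system directory turns up in a user-writable folder (running from it, or
dropped into it) together with a DLL dropped into the same folder.
"""
import ntpath
from collections import defaultdict

# Prefixes are compared after the drive letter is stripped, because the
# report lists some paths without "C:".
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\")

# Process image paths as listed in the report (both detonations).
PROCESSES = [
    r"C:\Windows\system32\rundll32.exe",
    r"C:\Windows\system32\UI0Detect.exe",
    r"C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe",
    r"C:\Windows\system32\msra.exe",
    r"C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe",
    r"C:\Windows\system32\wisptis.exe",
    r"C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe",
    r"C:\Windows\system32\perfmon.exe",
    r"C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe",
    r"C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe",
    r"C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe",
    r"C:\Windows\system32\cmstp.exe",
    r"C:\Windows\system32\AtBroker.exe",
]

# Dropped-file paths from the Files sections (hashes omitted, one entry per path).
DROPPED = [
    r"C:\Users\Admin\AppData\Local\U7W1KzRoy\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe",
    r"C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe",
    r"C:\Users\Admin\AppData\Local\BiEXiyRj5\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe",
    r"\Users\Admin\AppData\Local\6TSM6N\slc.dll",
    r"\Users\Admin\AppData\Roaming\Microsoft\Protect\D18Q\wisptis.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\D18Q\slc.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\hRko\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f28\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\k2pQ\credui.dll",
    r"C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe",
    r"C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe",
    r"C:\Users\Admin\AppData\Local\xF7yl\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\Aonz8\VERSION.dll",
    r"C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\TklFvL\credui.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\AYHA\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ROMYIpv\VERSION.dll",
]


def _norm(path):
    """Lower-case and drop a leading drive letter so both spellings of a path match."""
    p = path.replace("/", "\\").lower()
    return p[2:] if len(p) > 1 and p[1] == ":" else p


def system_binary_names(processes):
    """Basenames of executables that ran from a Windows system directory."""
    return {ntpath.basename(n) for n in map(_norm, processes) if n.startswith(SYSTEM_DIRS)}


def _by_directory(paths):
    """Map each user-writable directory to the set of basenames seen in it."""
    out = defaultdict(set)
    for n in map(_norm, paths):
        if n.startswith(USER_WRITABLE):
            out[ntpath.dirname(n)].add(ntpath.basename(n))
    return out


def find_sideload_pairs(processes, dropped):
    """Return sorted (directory, exe, dll, executed) tuples.

    executed is True when the copied system binary actually ran from that
    directory; False means the pair was only staged on disk.
    """
    sys_names = system_binary_names(processes)
    ran, dropped_in = _by_directory(processes), _by_directory(dropped)
    pairs = []
    for d in sorted(set(ran) | set(dropped_in)):
        names = ran.get(d, set()) | dropped_in.get(d, set())
        exes = sorted(n for n in names if n.endswith(".exe") and n in sys_names)
        dlls = sorted(n for n in names if n.endswith(".dll"))
        pairs += [(d, exe, dll, exe in ran.get(d, set())) for exe in exes for dll in dlls]
    return pairs


def dll_only_dirs(processes, dropped):
    """User-writable folders that received a DLL but no executable (yet).

    In this report two of them (f28, AYHA) are the folders the Run-key targets
    point into, so the DLL is already in place for the persistence copy.
    """
    ran, dropped_in = _by_directory(processes), _by_directory(dropped)
    return sorted(d for d, names in dropped_in.items()
                  if any(n.endswith(".dll") for n in names)
                  and not any(n.endswith(".exe") for n in names | ran.get(d, set())))


if __name__ == "__main__":
    for d, exe, dll, executed in find_sideload_pairs(PROCESSES, DROPPED):
        print("RAN   " if executed else "STAGED", exe, "<-", dll, "in", d)
    for d in dll_only_dirs(PROCESSES, DROPPED):
        print("DLL only", d)
```

On this report the script yields six executed pairs (one per side-loaded copy across both runs), one staged pair (wisptis.exe and slc.dll under Roaming\Microsoft\Protect\D18Q, never run during the detonation) and five folders holding only a DLL. The same pairing logic works on EDR process and file-create telemetry, where a system binary name running from a user profile path is the cheap first filter.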

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 10:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
(no per-event detail recorded; all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 10:27

Reported

2024-01-20 10:30

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a2f78fd728fdf56e1674632e7f5a5ed.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
(no per-event detail recorded; all fields N/A)

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe | N/A
(plus 4 load events recorded with all fields N/A)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\f28\\msra.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (3 events)
(plus 61 events recorded with all fields N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1220 wrote to memory of 2492 (3 events) | N/A | N/A | C:\Windows\system32\UI0Detect.exe
PID 1220 wrote to memory of 340 (3 events) | N/A | N/A | C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe
PID 1220 wrote to memory of 1288 (3 events) | N/A | N/A | C:\Windows\system32\msra.exe
PID 1220 wrote to memory of 2576 (3 events) | N/A | N/A | C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe
PID 1220 wrote to memory of 1692 (3 events) | N/A | N/A | C:\Windows\system32\wisptis.exe
PID 1220 wrote to memory of 2428 (3 events) | N/A | N/A | C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe

Uses Task Scheduler COM API

persistence

Processes

Image | Command line
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a2f78fd728fdf56e1674632e7f5a5ed.dll,#1
C:\Windows\system32\UI0Detect.exe | C:\Windows\system32\UI0Detect.exe
C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe | C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe
C:\Windows\system32\msra.exe | C:\Windows\system32\msra.exe
C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe | C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe
C:\Windows\system32\wisptis.exe | C:\Windows\system32\wisptis.exe
C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe | C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe

Each system32 binary is paired with a copy of itself run from a random-named folder under AppData\Local; the Files section lists a DLL dropped into each of those folders (WTSAPI32.dll, UxTheme.dll, slc.dll).

Network

N/A

Files

memory/1260-{0,8}-0x0000000140000000-0x0000000140189000-memory.dmp (PID 1260 is the first process dumped, presumably the rundll32 host)

memory/1260-2-0x00000000000A0000-0x00000000000A7000-memory.dmp

memory/1220-4-0x00000000778B6000-0x00000000778B7000-memory.dmp

memory/1220-5-0x0000000003950000-0x0000000003951000-memory.dmp

memory/1220-{7,9..52,54,61,72}-0x0000000140000000-0x0000000140189000-memory.dmp (48 dumps of the same region from PID 1220, listed one per line in the original)

memory/1220-53-0x0000000003860000-0x0000000003867000-memory.dmp

memory/1220-62-0x00000000779C1000-0x00000000779C2000-memory.dmp

memory/1220-63-0x0000000077B20000-0x0000000077B22000-memory.dmp

C:\Users\Admin\AppData\Local\U7W1KzRoy\WTSAPI32.dll

MD5 5df72b7ff775d0cdeacb4d3f742af984
SHA1 a2bc7a78018bb92ab577a88bbe94687a07904785
SHA256 d6e30e2758dc0214a3fd28b28a6209552da1750f02edcdd3b7acf9397ef05c09
SHA512 e404d1115673a025ae3b51afa4f69dde9c83c72303f78221a4e2cc1ad35b42e4f73ed39b9564272bd23c2c114b580a3354afc3e6dc43cf7bb8e47ee1ad842941

\Users\Admin\AppData\Local\U7W1KzRoy\WTSAPI32.dll

MD5 eed85e8ef4905811a325c7e8d7d91e3c
SHA1 aa5fff61d50412d037e133d1bd01474595735593
SHA256 a5a8e8ab8f34ddf1876f9be68df8884a40c984eecafd7ecd24566bcb3f5277c6
SHA512 64e35b1dfd82071aa92a6865ff030271940491849b51ea0eb331fbfc955d656e1cfc0c3cfcb324499bc61c4bb70273444a2940b24c4add3305317fa97cfd2a77

memory/340-90-0x0000000000170000-0x0000000000177000-memory.dmp

C:\Users\Admin\AppData\Local\U7W1KzRoy\UI0Detect.exe

MD5 3cbdec8d06b9968aba702eba076364a1
SHA1 6e0fcaccadbdb5e3293aa3523ec1006d92191c58
SHA256 b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b
SHA512 a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe

MD5 6928e6457abcd76fb59d12f5295b5b02
SHA1 dadb6bf2266af54bd810c8fa4fcad12ffad6bdad
SHA256 3725e6b589937bfd87beda11cf8dbe5c76fecc795067009c2f6a828eded43e22
SHA512 d6ef34e6ea4852c599039bbaf4f61f379c759e6bb9c0605b6d273f3dde1a5185a6ca9a876e99e5d0294b67a93020ff348b9f3010d30f927d8fbb226be68cf797

\Users\Admin\AppData\Local\BiEXiyRj5\UxTheme.dll

MD5 1b0b2bdd0c652c9be7c5d4315916b8d5
SHA1 04ca92977b3a9c1feb1bbe06bbc0d87ecc809c71
SHA256 f0ff30c8802f95df51dcbd4a6c627d79b421e103d81b4ad69144b51ecb4d9bad
SHA512 8f15194724cba39fb41172bdf9c06f1fb2f2134a4b268bfa4ef179dfc0b899fc4d2a2db1519879fd08fc2729e9ea4bd650a073ba68b13bfb7afd688a3d2bf55f

C:\Users\Admin\AppData\Local\BiEXiyRj5\UxTheme.dll

MD5 ce41b25e0d70084d084ab2803c48c121
SHA1 18d76fbdbf05880e5a0da38f95440e017342605f
SHA256 e44c80281cad960f66e836c074b239d0bcf083dc20b9fb095f3bf06ba79eb56d
SHA512 142794c1165eacb88dd305083b621519b488c7a4926233cda6d77ccf4b429ea12627db025291d9bd40b63531ee1d7134cf4a447b24b3263a1df1d6876224ea4b

memory/2576-108-0x0000000000110000-0x0000000000117000-memory.dmp

\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe

MD5 d2731d1a4bc7d28ffba1b828ff48a484
SHA1 049f5c1caae03863e69de87e89cdf94e1bdf318c
SHA256 a2ef5aa53f6e633b37525db713fd9edb2c3d9ccad5375e81a92327897a26875c
SHA512 497c75930dfeac346ceb0c5a86b1fc2ce841a5ac76969209563e2ea3dd49d276fbb05028d6996722e36a6f3fdc31d59a344cc7e90762d4d1da618f0e706da222

C:\Users\Admin\AppData\Local\BiEXiyRj5\msra.exe

MD5 cba485ea0586f7152462c665887898f9
SHA1 8618aacf0c603887a0ead7c77a67d477b564faa2
SHA256 7bcbfa72e4aae0d23af59ae95c1164b179d7fdeab911ccddb6930eae457efaab
SHA512 741fb9a4052c0902118a3a7b01fb99c27eeac3cb2844755c56713875ccc724da4f3f445367c5749322d7ac6a3525525cf21aabd30facb49cee4d5f1d493f5a38

C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe

MD5 09ebfd500a4a587f863c4f0f277feb5c
SHA1 b4a18906e52b2d4181e9ced75bf7d2e3a4ba40ad
SHA256 2cba12b737d65ee62ce2ac0855dd5025b152f250d0b6d8160c8fd700be2b1748
SHA512 ab6ef415580a0b323ffe53b0f475b8a086fda0540b7401bed1c35306b9ad16368897b1a0b2ebd60f3d0d661ebbc4432618a1f56ec6a64de1894458dc0bc14ba9

\Users\Admin\AppData\Local\6TSM6N\slc.dll

MD5 66f08c70c26a0f130615adcbfd1bf690
SHA1 b440f55a7d25a5bb208494bbd81d27585e6c07d7
SHA256 a224b076db149507e9dc78f29ec72e5bb266266e1718470a239ca3ab8c5547df
SHA512 e5c45200460adf8db3dce4aa0ea5909bc2187683102254066505dec5fbfd35fa94eff8ef72dba52a55e72e11e9b7002c79843cb99d510f0026a587013e24ba3a

C:\Users\Admin\AppData\Local\6TSM6N\slc.dll

MD5 2336c0f56dccd8f96a169900ae2bbfe6
SHA1 26b3db6fa0ebd0acbeee6dbac4cdef028604f442
SHA256 0b8940037dee65f28228ea43500198900696ad3c8d4ab5d958c5e105af2f7192
SHA512 4d0b541f07e01df1126f346b1a77ca52fafd0145fb59af6c308cfd45b0cd20123105c98b1f5e52155b3f00f2de4c07dd72a03deab7cfc8f0f305ad16c76f6dad

memory/2428-132-0x0000000000090000-0x0000000000097000-memory.dmp

\Users\Admin\AppData\Local\6TSM6N\wisptis.exe

MD5 da180031f453d94500826072e3b33e8f
SHA1 c881623ab607873fb7923d138ca15fe495b52656
SHA256 c61b662f6c6a23c64e4e79c9aab29e0e72698907cbdddf188015cf035c8d956f
SHA512 b2bc81c0b000ac949180c207fa860559cc5e6cdfd286bd8396444cadbd4412cd67320ce2e5f0f691e4d55826cc4fea9be3d3f8d5fc481169c782d3d8861faa72

C:\Users\Admin\AppData\Local\6TSM6N\wisptis.exe

MD5 18c67e5ce2ae53072e87f4261fb19573
SHA1 dfd22545efaa88860c80e69e5730c469bcf0f1d0
SHA256 3abd7437170d934aad976566c9831a1c175cfac5b3354d98d194c4d3915fb188
SHA512 b975f9877282cc4df77043735d1f8a9f877e0f15a054dc7b5a172b0b4cbf7fa49630709dd0ec19c81f22ee4acc5b9735225391a41cc1d479690b6ae7c3e8a03c

\Users\Admin\AppData\Roaming\Microsoft\Protect\D18Q\wisptis.exe

MD5 1cf2fdc1839baa5c4f3bd029f906a541
SHA1 ccfc8b72fd5b73f0d624056410979b8638ef649c
SHA256 16a0bb8ae6b3befa92ccf7155b67ff60b2525ae0e1233342c73030925b03422f
SHA512 e2433c7cb364e624e6d4568ea27dc9de99ff6d7eb7afb25923b126c7cfb9fa26a9c44a3bce6470186b5d8c46adfeeb2b43843bb6abf9aaceba79b8d84b500f95

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 cc63ed61c9e8122e94eb479e78baf4db
SHA1 cfbcca37e00de91fda9e1ebcd92c04263ebb9ca4
SHA256 ae131e06d3438359d96db167b7dbe932cb0509e043548839e397e8252a257342
SHA512 0ba9ae7ea72246ccba1f977e2f00021d7addadca4c5ba69dd0df37addac11e622e894e3ecc0f51d900b284a3d0957d8ee57df22507fa82131d4558faf4d5df6b

memory/1220-163-0x00000000778B6000-0x00000000778B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\hRko\WTSAPI32.dll

MD5 4d9851868a2bb15d5503102710d02203
SHA1 2cb280b371ea9e4d36544dc306a601707b43de77
SHA256 0c56e8722a7e37db166cd384492213cf0612da08c331cba71fadb62d9d8ccf50
SHA512 e33d0bc07df029aa880506b8566d6df1bb53bc5f7e7d247bc1d1b049c64ae031cf242e3c36885e8bb3e24f16c270c6c87769963dc39423f207b83ef982f22055

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f28\UxTheme.dll

MD5 3c4c8150e692cbd172f35e16233936ee
SHA1 605834abc5a34cf930fbb7fc79e922f7dec0e14a
SHA256 72f29a00214da27b8138cb9b953acc95ddae4a1d9c9c84c4509769540a4dc526
SHA512 9af063f7f5ce8f0fa6561bbc94be59f5d8777e82eea8a4e04c667dd032537ef52519d2b839e430718866f041253a7fc274c2744f634aa57e992f669dc3244b3e

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\D18Q\slc.dll

MD5 7b3e290c5511b499ddd97233232277b0
SHA1 d0982391e8c36394427ce3c8530e2230422aff16
SHA256 061180e622f68bc66381ba6c19815964a781354cd5b150e6203dffcce9fc458b
SHA512 1fce864fd6d3a4a056e134a6b34afeb4bd3936750ca0dad93251a009468c034cd5c56722b93c250989ff8d145c053e344989c9f2a5b7b5a6a7baeb051d348e1e

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 10:27

Reported

2024-01-20 10:30

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a2f78fd728fdf56e1674632e7f5a5ed.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
(no per-event detail recorded; all fields N/A)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\AYHA\\AtBroker.exe" | N/A | N/A
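The registry rows in this report follow a fixed text layout: "Set value (str) <key>\<name> = "<data>" <process> <target>", "Key value queried <key>\<name> <process> <target>" and "Key created <key>\ <process> <target>". The parser below is an added example, not the sandbox's own code. It turns the Run-key, EnableLUA and CLSID rows from both runs into hive-style paths, pulls out the autostart targets together with the folder to check for a planted DLL, and expands the 8.3 names in the Startup .lnk paths. The sample rows are copied from this report; the 8.3 expansions (MICROS~1, STARTM~1) are the usual defaults and are an assumption, since short names are assigned per volume.

```python
"""Added example (not the sandbox's own code): parse the registry rows this
report prints and turn the autostart entries into items to hunt for.

Sample rows are copied from the behavioral1/behavioral2 signature tables.
"""
import re
from dataclasses import dataclass
from typing import Optional

REGISTRY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\f28\\msra.exe" N/A N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Acrobat\\DC\\Collab\\AYHA\\AtBroker.exe" N/A N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A',
]

# Paths from the Files sections; the third is there to show non-startup files are ignored.
STARTUP_FILES = [
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk",
    r"C:\Users\Admin\AppData\Local\k2pQ\credui.dll",
]

# Row layouts used by the report. The process column is taken as one token, so a
# process path containing a space would not parse (none occurs in this report).
RE_SET = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) = "(?P<data>.*)" (?P<proc>\S+) \S+$')
RE_QUERY = re.compile(r'^Key value queried (?P<key>\\REGISTRY\\\S+?)\\(?P<name>[^\\ ]+) (?P<proc>\S+) \S+$')
RE_CREATED = re.compile(r'^Key created (?P<key>\\REGISTRY\\\S+?)\\? (?P<proc>\S+) \S+$')
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Assumption: default 8.3 aliases. They are assigned per volume, so confirm on the host.
SHORT_NAMES = {"MICROS~1": "Microsoft", "STARTM~1": "Start Menu"}


@dataclass(frozen=True)
class RegistryEvent:
    op: str             # "set", "query" or "create"
    key: str            # HKLM\... or HKCU\... form
    name: str           # value name; "" for key creation
    data: str           # value data for "set"; "" otherwise
    process: str        # process column ("N/A" when the report has none)
    sid: Optional[str]  # user SID for HKU keys, None for HKLM


@dataclass(frozen=True)
class PersistenceIOC:
    mechanism: str      # "run_key" or "startup_lnk"
    location: str       # registry value or .lnk path to look for
    target: str         # executable the entry launches ("" when the report does not say)
    sideload_dir: str   # folder to check for a DLL planted next to the target
    in_user_profile: bool


def _hive_path(raw_key):
    """Map \\REGISTRY\\MACHINE\\x to HKLM\\x and \\REGISTRY\\USER\\<sid>\\x to HKCU\\x.
    HKU\\<sid>_Classes is the same user's HKCU\\Software\\Classes."""
    parts = raw_key.split("\\")  # ['', 'REGISTRY', root, ...]
    root = parts[2].upper()
    if root == "MACHINE":
        return "HKLM\\" + "\\".join(parts[3:]), None
    if root == "USER":
        sid, rest = parts[3], "\\".join(parts[4:])
        if sid.endswith("_Classes"):
            return "HKCU\\Software\\Classes\\" + rest, sid[: -len("_Classes")]
        return "HKCU\\" + rest, sid
    raise ValueError("unknown registry root in %r" % raw_key)


def parse_registry_row(row):
    """Return a RegistryEvent for a recognised row, else None."""
    m = RE_SET.match(row)
    if m:
        key, sid = _hive_path(m["key"])
        # the report escapes backslashes inside quoted string data
        return RegistryEvent("set", key, m["name"], m["data"].replace("\\\\", "\\"), m["proc"], sid)
    m = RE_QUERY.match(row)
    if m:
        key, sid = _hive_path(m["key"])
        return RegistryEvent("query", key, m["name"], "", m["proc"], sid)
    m = RE_CREATED.match(row)
    if m:
        key, sid = _hive_path(m["key"])
        return RegistryEvent("create", key, "", "", m["proc"], sid)
    return None


def run_key_iocs(rows):
    """Autostart values written under ...\\CurrentVersion\\Run or RunOnce."""
    iocs = []
    for ev in filter(None, map(parse_registry_row, rows)):
        if ev.op == "set" and RUN_KEY.search(ev.key):
            in_profile = re.match(r"^[A-Za-z]:\\Users\\", ev.data) is not None
            iocs.append(PersistenceIOC("run_key", ev.key + "\\" + ev.name, ev.data,
                                       ev.data.rsplit("\\", 1)[0], in_profile))
    return iocs


def expand_short_names(path):
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in path.split("\\"))


def startup_lnk_iocs(paths):
    """Shortcuts written into the per-user Startup folder (8.3 names expanded)."""
    return [PersistenceIOC("startup_lnk", full, "", "", True)
            for full in map(expand_short_names, paths) if STARTUP_LNK.search(full)]


if __name__ == "__main__":
    for ioc in run_key_iocs(REGISTRY_ROWS) + startup_lnk_iocs(STARTUP_FILES):
        print(ioc)
```

The sideload_dir of each Run-key item is the folder to inspect on a live host: for this sample the Files sections already show a UxTheme.dll written into both of them, so a Run value whose target sits in a random-named folder under AppData\Roaming next to a DLL named after a system library is the hunt condition, not the particular value names, which are random per infection.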

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A
Key created | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (6 events)
(plus 58 events recorded with all fields N/A)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege (4 events) | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege (4 events) | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
(no per-event detail recorded; all fields N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3568 wrote to memory of 2540 (2 events) | N/A | N/A | C:\Windows\system32\perfmon.exe
PID 3568 wrote to memory of 4820 (2 events) | N/A | N/A | C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe
PID 3568 wrote to memory of 4592 (2 events) | N/A | N/A | C:\Windows\system32\AtBroker.exe
PID 3568 wrote to memory of 4844 (2 events) | N/A | N/A | C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe
PID 3568 wrote to memory of 4756 (2 events) | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 3568 wrote to memory of 2112 (2 events) | N/A | N/A | C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe

Uses Task Scheduler COM API

persistence

Processes

Image | Command line
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\6a2f78fd728fdf56e1674632e7f5a5ed.dll,#1
C:\Windows\system32\perfmon.exe | C:\Windows\system32\perfmon.exe
C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe | C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe
C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe | C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe
C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe | C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe
C:\Windows\system32\cmstp.exe | C:\Windows\system32\cmstp.exe
C:\Windows\system32\AtBroker.exe | C:\Windows\system32\AtBroker.exe

Same pairing as in behavioral1: each system32 binary has a copy in a random-named folder under AppData\Local, with a DLL dropped beside it (credui.dll, UxTheme.dll, VERSION.dll in the Files section).

Network

Everything in this table is background traffic of the Windows 10 image: resolver queries to 8.8.8.8 for bing hosts and reverse (in-addr.arpa) lookups, plus port 443 connections to 204.79.197.200, which the table itself resolves to g.bing.com and tse1.mm.bing.net. No command-and-control traffic from the sample was captured, so nothing below should be used as a network indicator.

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

memory/2496-{1,7}-0x0000000140000000-0x0000000140189000-memory.dmp (PID 2496 is the first process dumped, presumably the rundll32 host)

memory/2496-0-0x000001BD085A0000-0x000001BD085A7000-memory.dmp

memory/3568-4-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

memory/3568-{6,8,11,12,17,19,26..46,49,52,54,61,73}-0x0000000140000000-0x0000000140189000-memory.dmp (32 dumps of the same region from PID 3568, listed one per line in the original)

memory/3568-53-0x00000000010D0000-0x00000000010D7000-memory.dmp

memory/3568-62-0x00007FFA3F800000-0x00007FFA3F810000-memory.dmp

C:\Users\Admin\AppData\Local\k2pQ\credui.dll

MD5 35994a6de72e4b12cfdbf1b08d80ba68
SHA1 12f586b6e4d1fe7266a62569305fc324aa329b12
SHA256 5a28af788f16d8c45593a685ddc68d6cede3271ce5c5a60c81adb1bfcfbf8a5f
SHA512 43d169b7c58c3f91fe9bc63fc3491e7fd47c79c751e6988b4cb659493af7e57ba0b222afb2154cad865b01825cc1dc837511f0398a5add6f823dd23a16f0ecf7

memory/4820-83-0x000001C174090000-0x000001C174097000-memory.dmp

C:\Users\Admin\AppData\Local\k2pQ\credui.dll

MD5 3760b4ea0beca7a8f82aeafe3a3acc7b
SHA1 88e9e6a9e3979a264c7858f598dbc3cde69990d7
SHA256 64b78af1cf1743871ea11ce608ba31a7a072de29bd0c030105912e313b4c3a4b
SHA512 1cb0f17db28f32dff47092d34e94e0322de597d8876dda04b74a131373ec3493ceeacec6bb43d894b38ae3ae50f6e764e0f9436d70789dea011653f7830d6c18

C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe

MD5 b591ca152d217c558a45a190c3d966eb
SHA1 888babdb6f0ff8251310c70fbc493a42c05d7d95
SHA256 d0b6a45781a6c75412ddf1c27bf2a10b190bd3dc98e78bb550385435a2a95fcb
SHA512 9044c76e92bd5cc0be44f3ec95680ad684d2042ba6dda690d47cfcc22c5cd11a5927290097cb9d1a06acd59a75eb874d7453f053c1667846b5a17c9e3ae1a498

memory/3568-{50,51,71}-0x0000000140000000-0x0000000140189000-memory.dmp (3 further dumps of the same region from PID 3568)

C:\Users\Admin\AppData\Local\k2pQ\perfmon.exe

MD5 0c9766f959a6116c1aa38266151d8e7b
SHA1 59ea5062a442a3f6d78a4b834dfc9c5c256bd950
SHA256 8214b63c77618690bfcfef9c6dfaf031f3bedc77dfdcf87d729b14fa343fa466
SHA512 55295727c28204f5280adbe74defc55dcba1e58b300733ad7ca200fa043238b020e511320a5776936c541549cad192e6af8b74ba6af9e7d05094627e45d0e234

C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe

MD5 1ecc7c9e10dcf56cf55472a777d953c4
SHA1 3ee5ff4e545f76a82bd1e6ecc99149af871140f5
SHA256 1b3d2e66d1e333e6796f6af5a481fb6a6dc1838dd4c902f54c6c595a6a55ee89
SHA512 1b5cc9b633c25ba33f69c8eacfc38cdf983cc3ee71a8cca2b6df0b3ecb3cc1b0eb7d34c8b1b111e1a89c2162bef3ad447688b5f7a5b70ebe3d8b8664528a3c39

C:\Users\Admin\AppData\Local\xF7yl\UxTheme.dll

MD5 cd462add91a35db5e427296fac96165b
SHA1 5c590d013d1af81cd6ca260e27947e0e837fd502
SHA256 61bc182737c670fa68bd81efb5beeb36f8023a4eadc6400c6a72c7ddf6b4361b
SHA512 7945c9830d16dab5d96a97a35bc611ed72386a19048c1361eaac055f305f4859a84eb24a81c1181b9bae31c0ad77103cd7b4f1b8bdbb3aa6957063e72a564c63

memory/4844-101-0x000001852C200000-0x000001852C207000-memory.dmp

C:\Users\Admin\AppData\Local\xF7yl\AtBroker.exe

MD5 2c89af2c66a3c4087d0005788a4cdf4b
SHA1 41751daf5f1f351a59b2dd11d8741e6165ba5efd
SHA256 345484aa84a45191c057f46a596ceffce17b7931c80e3319cd0d03483defada3
SHA512 d768ed78f7d24d325ae17abc5476f1cd8085f056b4dbebbc4932673bcaa90e27cbc1f14f097d5655d406d83e3b775955048f9ca0dc1d597ca2c60789a2a6ef05

C:\Users\Admin\AppData\Local\Aonz8\VERSION.dll

MD5 24b7cb24c31a13bc43668da56c5f4583
SHA1 6419166cecf5de471b2d07c6b43ec74be376089a
SHA256 85916e2a2cf525ed8d90f7886ac3be6a0d0b5f9230a5585cf0271014e247b462
SHA512 db3a08a024f70f3fd338d03ff313d30394555754387c356da99ff0b40a49c0656b39c09971d0fb53c19c495ad3b97b52c49bc059823e8a478a646cdedad9bf81

memory/2112-120-0x0000022D080D0000-0x0000022D080D7000-memory.dmp

C:\Users\Admin\AppData\Local\Aonz8\VERSION.dll

MD5 584dfebea572ae3cf1b7e86444963dd0
SHA1 d6b00c19149cc1a46b5db72875b9aa578c853a53
SHA256 40d5f163eacb49949668fe59ef34c6d251f7e77d8d55ed7928fb40dfe0874ec7
SHA512 645864e6d6ca61b261d19bd76989a2091e672172a69332a587d6d38cfe54959a79afb7a61095e685448cfcb61c23139be8f8e26a416a734878dd227e75acbe2d

C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe

MD5 b45b65c2b646c1b3f60b02d798e0f794
SHA1 f7a30ce65dcfb17d265802e30a501d876431fdee
SHA256 360155289b81affce160e03140f70289b1173d82aeef971811263434693d7e1b
SHA512 696c57611c21353594cd903324add7662064d63fcb9940c2832f742f74ba8a54f23e852f0c650afa3953aa4ad4c558cc0a491e975685a857e0c9637b8e72700a

C:\Users\Admin\AppData\Local\Aonz8\VERSION.dll

MD5 b90297b55e8f8c637eb7d69795195ab0
SHA1 1c9b28d28835dff3f0e0eb43f85ba1fa646289f1
SHA256 504cb151da1368d82c2ba240e157b8a86c98f40c63447227728f2e64caa8e237
SHA512 9ce702783670a58ff360afb1a32e7f2ce021a83ec063f7fe670b1a975bf31a1e7463551021cc1e24acc0c0103af956b4df9c127d167e4443c75052ed8eef3faa

C:\Users\Admin\AppData\Local\Aonz8\cmstp.exe

MD5 b978cea86173c8e1916fb7a8fe2703c5
SHA1 a21c5bb3ed04eb271e8c9be4057aaaeb02d1fcd2
SHA256 c9ba7e6c7ec87ef7b9da3cf9520c3825b1f5997185420eaf8b19a73441c05557
SHA512 edfc6b3f8bca0daa63cdcc1965d308a9697527dcb12c96119f93b9f661561387f4f123c9cac3cd0a0d9767a16c6b79273daa67c57f2ab3249a42965dc9d256e3

C:\Users\Admin\AppData\Local\xF7yl\UxTheme.dll

MD5 4844e2b1fd9854b0adc44d37fe1b0243
SHA1 3b47f5bdfbd135bc77ebe22c923a9b81c5a885b3
SHA256 c437b3cf5c8db623f193cdac6f36ebfe8ce49177386f09b30b4c8f81c7fb3fb3
SHA512 8fa9599dea6750fe695d92d53a4366713bebadba0e3916f05c18779f8c0e341db7037fd697916d08994bea0a04f009e39ab33d79cd9fd908940e71b2babdbaaa

memory/3568-{10,13..16,18,20..25,47,48}-0x0000000140000000-0x0000000140189000-memory.dmp (14 further dumps of the same region from PID 3568)

memory/3568-9-0x00007FFA3DC8A000-0x00007FFA3DC8B000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 3417e097af440429e40c69c5d3f5c95b
SHA1 1bb85e2a69bb76503da3a10b5048995ffbd2a5fb
SHA256 217fdbec5a1b720b4e60fc921d18ca71ab65fb6fa30ad3ef2cf9ba0aa07b8849
SHA512 31e0ec7a15307dd16968c63d06c2b2d01f419b11243152fb4d4d6e6c02bf0200d782226e31de48d17329d7960556af3f7cb88f0475f95c4a68683a1fb0a53d93

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\TklFvL\credui.dll

MD5 dacdbaff0663f5d7f5e0098c535c696c
SHA1 70012ae3c924161af945d127353c733e99ccdcb6
SHA256 7ffe97f8175627bb8a55be101bb90cdf4737ef88945127502495e0751a05893c
SHA512 11331174a8085dd7263180cd28f38080f0c3c01d11d2909b12f9cab8ac37036d7f989d93e2ef52c6fece67cc338809218d95b9488d4e03cb31a3b3e9fade11ea

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\AYHA\UxTheme.dll

MD5 2d8de8c9e3b2ecc4242ae9ecf3f81e51
SHA1 1ddfd5c948a75b20b643c0ce1e67f8e92357a73f
SHA256 db3f808790f7ba90df5dba62df5b320219acfc436e555c7df3643c222163ac20
SHA512 0a39c72abe8f1d02e7c2d52ab5c3856111251f6b3de0036b1b69ce2d43c9829339af52dfba1fd9c6d9ba8b41da5b4900cb23fcaf1d76a965768cd3a58e5fe58f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\ROMYIpv\VERSION.dll

MD5 206792accb4bb6603c5d5f7c2194f8e3
SHA1 d53c824de2793907b934ec94c0510b425aa5dc6f
SHA256 39ec527367bb28256012c31f928c9d224a933173b716ac62deeb916f388e7a3b
SHA512 33923cb50f8a52dde17727585c7111aab875d0a83a68030856fe05d90aea0d3a750ad155155f9bf1ce338bd197f7e571202bbf68a38f31848a85b486cfa3d6f1
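Each entry in the Files sections of the form memory/<pid>-<n>-<start>-<end>-memory.dmp is a memory dump the sandbox took. The Python below is an added example, not part of the report: it reads those names and reports any image-sized region dumped from more than one PID, ordered by which PID showed it first, which is how the 0x140000000 image turning up in PID 1220 (Windows 7) and PID 3568 (Windows 10) after the rundll32 host is visible in this listing. The dump names are a subset copied from the two runs above; treating <n> as a run-wide sequence number (the indices interleave across PIDs) and the 1 MiB size threshold are this example's assumptions.

```python
"""Added example (not the sandbox's own code): find memory regions that were
dumped from more than one process and the order in which the PIDs showed them.

The names below are a subset copied from the two Files sections.
"""
import re
from dataclasses import dataclass

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

DUMPS = {
    "behavioral1 (win7)": [
        "memory/1260-0-0x0000000140000000-0x0000000140189000-memory.dmp",
        "memory/1260-2-0x00000000000A0000-0x00000000000A7000-memory.dmp",
        "memory/1220-4-0x00000000778B6000-0x00000000778B7000-memory.dmp",
        "memory/1220-5-0x0000000003950000-0x0000000003951000-memory.dmp",
        "memory/1220-7-0x0000000140000000-0x0000000140189000-memory.dmp",
        "memory/1260-8-0x0000000140000000-0x0000000140189000-memory.dmp",
        "memory/1220-9-0x0000000140000000-0x0000000140189000-memory.dmp",
        "memory/1220-53-0x0000000003860000-0x0000000003867000-memory.dmp",
        "memory/340-90-0x0000000000170000-0x0000000000177000-memory.dmp",
    ],
    "behavioral2 (win10)": [
        "memory/2496-1-0x0000000140000000-0x0000000140189000-memory.dmp",
        "memory/2496-0-0x000001BD085A0000-0x000001BD085A7000-memory.dmp",
        "memory/3568-4-0x0000000002EC0000-0x0000000002EC1000-memory.dmp",
        "memory/2496-7-0x0000000140000000-0x0000000140189000-memory.dmp",
        "memory/3568-8-0x0000000140000000-0x0000000140189000-memory.dmp",
        "memory/3568-6-0x0000000140000000-0x0000000140189000-memory.dmp",
        "memory/3568-62-0x00007FFA3F800000-0x00007FFA3F810000-memory.dmp",
        "memory/4820-83-0x000001C174090000-0x000001C174097000-memory.dmp",
    ],
}


@dataclass(frozen=True)
class Dump:
    pid: int
    idx: int    # assumed to be a run-wide sequence number (indices interleave across PIDs)
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


def parse_dump_name(name):
    """Split a memory/<pid>-<idx>-<start>-<end>-memory.dmp name; None if it is not one."""
    m = DUMP_NAME.match(name)
    if not m:
        return None
    return Dump(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))


def shared_image_regions(names, min_size=0x100000):
    """Regions of at least min_size bytes that were dumped from more than one PID.

    Returns {(start, end): [(first_idx, pid), ...]} sorted by first sighting, so
    the first tuple is the process the region appeared in originally and the
    later ones are the processes it was copied into.
    """
    first = {}
    for d in filter(None, map(parse_dump_name, names)):
        if d.size < min_size:
            continue  # small heap/stack fragments are not what we are after
        per_pid = first.setdefault((d.start, d.end), {})
        per_pid[d.pid] = min(per_pid.get(d.pid, d.idx), d.idx)
    return {
        region: sorted((idx, pid) for pid, idx in per_pid.items())
        for region, per_pid in first.items()
        if len(per_pid) > 1
    }


if __name__ == "__main__":
    for run, names in DUMPS.items():
        for (start, end), sightings in shared_image_regions(names).items():
            chain = " -> ".join("PID %d (dump %d)" % (pid, idx) for idx, pid in sightings)
            print("%s: 0x%X-0x%X seen in %s" % (run, start, end, chain))
```

On the full listings the result is the same as on this subset: the 0x189000-byte region first appears in the rundll32 host (1260 at dump 0, 2496 at dump 1) and then in a second PID (1220 from dump 7, 3568 from dump 6), after which the sandbox keeps re-dumping it from that second PID for the rest of the run. The small regions never repeat across PIDs and are filtered out by the size threshold.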