Malware Analysis Report

2024-11-15 08:50

Sample ID 240120-tqflsacgfl
Target 6ae01647123bf97071130c123fe77e97
SHA256 2432a727b7612212c6c75b5114e832254e05720df6fd9d38b7993973e74efd9f
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 2432a727b7612212c6c75b5114e832254e05720df6fd9d38b7993973e74efd9f

Threat Level: Known bad

The submitted file 6ae01647123bf97071130c123fe77e97 (the DLL invoked through rundll32.exe in both behavioral analyses) was classified as Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, persistence, trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 16:15

Signatures

Unsigned PE

No per-event details recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 16:15

Reported

2024-01-20 16:18

Platform

win7-20231129-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ae01647123bf97071130c123fe77e97.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
No per-event details recorded for this signature.

Loads dropped DLL

Seven load events. The three with an attributed process are the copied system binaries below; the Files section lists a DLL dropped into each of these directories. The other four events carry no process, indicator or target.

C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe
C:\Users\Admin\AppData\Local\jY3\dpnsvr.exe
C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\1gPy\\dpnsvr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jY3\dpnsvr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe N/A

Suspicious behavior: EnumeratesProcesses

64 events: 3 attributed to C:\Windows\system32\rundll32.exe, the remaining 61 with no process, indicator or target recorded.

Suspicious use of WriteProcessMemory

PID 1368 (not named in the Processes list; the Files section shows the same 0x140000000 image mapped into it) wrote to the memory of each target process three times:

PID 2628 C:\Windows\system32\TpmInit.exe
PID 2516 C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe
PID 1656 C:\Windows\system32\dpnsvr.exe
PID 1904 C:\Users\Admin\AppData\Local\jY3\dpnsvr.exe
PID 2824 C:\Windows\system32\BdeUISrv.exe
PID 1988 C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ae01647123bf97071130c123fe77e97.dll,#1

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe

C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe

C:\Users\Admin\AppData\Local\jY3\dpnsvr.exe

C:\Users\Admin\AppData\Local\jY3\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe

C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

Network

No network activity recorded in this run.

Files

memory/1420-0-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1420-1-0x0000000000130000-0x0000000000137000-memory.dmp

memory/1368-4-0x0000000077246000-0x0000000077247000-memory.dmp

memory/1368-5-0x0000000002550000-0x0000000002551000-memory.dmp

memory/1420-8-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-11-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-14-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-17-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-18-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-22-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-28-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-33-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-36-0x0000000002530000-0x0000000002537000-memory.dmp

memory/1368-34-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-32-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-42-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-45-0x0000000077351000-0x0000000077352000-memory.dmp

memory/1368-46-0x00000000774B0000-0x00000000774B2000-memory.dmp

memory/1368-31-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-30-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-29-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-57-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-53-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-27-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-26-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-25-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-24-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-23-0x0000000140000000-0x000000014019B000-memory.dmp

\Users\Admin\AppData\Local\Cw0\Secur32.dll

MD5 2ea1934c7b1f3b431cd48dd0b5b99fcc
SHA1 82d5301c5fef81097cf9b7c951890f8af0242d2c
SHA256 f9c325fa1d38e247be6a16c5ee455f13526b5598beba2ab15dd43644e7a7356c
SHA512 f1adff3181b7ce7b63cacdc85cbbe9c209d06f108638db7796c9ed35c6c8fec372b5c4a1de2f1aecc847ae9286e59166c63e52c6b9046b5f4af0d17119eb1ba0

memory/2516-76-0x0000000140000000-0x000000014019C000-memory.dmp

memory/2516-74-0x0000000000110000-0x0000000000117000-memory.dmp

memory/2516-71-0x0000000140000000-0x000000014019C000-memory.dmp

C:\Users\Admin\AppData\Local\Cw0\Secur32.dll

MD5 dccc4ca5ea32372436872bd40463a8e5
SHA1 19fadba5723e77096e4ab1c580a1299524fc01ec
SHA256 083919c8ad03c137b966c6bec7ba22857514765f50731d53413bd7196e48fdbd
SHA512 5a2531e3a6bd71b75c9041e44e6baae609c9fe443dee8155122ce0e751ccd24c2666cc13d5cfd620cfbcdc49da22b5b6dafc409be4d2c18789ebba5a0b39c8bc

C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe

MD5 8b5eb38e08a678afa129e23129ca1e6d
SHA1 a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
SHA256 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
SHA512 a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

memory/1368-21-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-20-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-19-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-16-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-15-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-13-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-12-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-10-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-9-0x0000000140000000-0x000000014019B000-memory.dmp

memory/1368-7-0x0000000140000000-0x000000014019B000-memory.dmp

\Users\Admin\AppData\Local\jY3\dpnsvr.exe

MD5 6806b72978f6bd27aef57899be68b93b
SHA1 713c246d0b0b8dcc298afaed4f62aed82789951c
SHA256 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
SHA512 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

memory/1904-88-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1904-94-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1904-90-0x0000000000100000-0x0000000000107000-memory.dmp

\Users\Admin\AppData\Local\jY3\WINMM.dll

MD5 9d349ebc4a163d3ce66171036541719f
SHA1 e2faf709171933e9e6bd99433338db228f36070f
SHA256 f284333a59194ce4128683a9e39586fae8ef9b4fec2311856e4748e9a83e1f02
SHA512 908cf7665f27e8eeebea242895cdfcc406593972d0bd3c819079e2724089ba003f24ed73c72d5f9357a0db474fc7726a02c569e05c28f3c526bb20e97b9567ef

C:\Users\Admin\AppData\Local\jY3\WINMM.dll

MD5 f0463bc7a559dc0abca68cdd7987b25f
SHA1 ef5876158de7cd2efba8aa30ef87b3593aa9248f
SHA256 172bc5c0b189261c4c031cd1578ecd25115f30b7bb23ab34f6e2fb139f23dd6b
SHA512 98507190aece9081d44c470c2d4c53e90dc75f3b38ed6d194553374ee9d868e943850db0faebe9dd9ce8cabb6673204e624e3598442ed6a09ef5d0ace0934511

\Users\Admin\AppData\Local\S02ojB\WTSAPI32.dll

MD5 e2c81c91a813cf58492e42505565382e
SHA1 fddac3b24fbc5f82b3d30b276e4fd5dd84f89c56
SHA256 4f81dee6f412a6b2949ee1e69f8ff834596e1c13e57070bc459bdf28fd2a5890
SHA512 23996a8fa6254b5840e237f73a198cbeb746d928ef900a1b29cb549f9588e86152913960c55ffe57f2201d6dfe807046d552eecd6aaf2dd2fa88ef156ec4cc33

memory/1988-112-0x0000000140000000-0x000000014019C000-memory.dmp

memory/1988-108-0x0000000000330000-0x0000000000337000-memory.dmp

C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe

MD5 1da6b19be5d4949c868a264bc5e74206
SHA1 d5ee86ba03a03ef8c93d93accafe40461084c839
SHA256 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
SHA512 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

C:\Users\Admin\AppData\Local\S02ojB\WTSAPI32.dll

MD5 a79a3e86930c6026eae93a4342c73b1b
SHA1 f76744988a076e89e01962c7acb869393bcf3d00
SHA256 b122443a6a845b1ea7c293743c365e4fee9a4a761589de7f4921eb592dc3cbdc
SHA512 efdebdc873372b7c219aabda35c5cc9827a326c2ca1db613199238646e0680cc5616eb61721afd5be111182b66ed176354e80b9033d9b66a3e26d2a7031b6f86

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk

MD5 7cb62f51179ae60df59468f7e1edac53
SHA1 780a16a7d029520365dc92108060e29fd857d21c
SHA256 a7cd31e621d7e81a36a885a734c721634cb20d3b10d57f8c7e65b948237e1beb
SHA512 d58ce1b22af6d9f38586e8430b000208a797e708285e1abf492a2443c70784ba88e923114634d8fd2295b639deab7196d3b878394de6c16185f8a97858c17c34

memory/1368-131-0x0000000077246000-0x0000000077247000-memory.dmp

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\thuZCOJ9jta\Secur32.dll

MD5 bf189627646280052add855725891120
SHA1 1a824b1ba042cdccb78e57ef328125c9546a4d02
SHA256 5f3d38f5b66ba1e80b3c7340cb5b779854a17d20a4440d9acddccce628e629d4
SHA512 718523caa7e08c59e7220eeeddee91479a727a795f089cb156313d14b7e1b01a1a2d63aa4aad3b41ce5bdc2842ee38a486ce00319fe7d81426d2d9d1b23230ed

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\1gPy\WINMM.dll

MD5 a0a809302f24c4c09ec411342183132c
SHA1 c8021fc93fc6a336cfe45b4a71adc23a8740435e
SHA256 b6ef55a3f9f0b148fbc12be1609da8b39907bb4a2b95801d220fb93746076266
SHA512 1f7b7955b50515b335f498359de08b17a340e127145f817d3d719cf2e9d0a4084da3091da781313f6cd2f79cfcd76d65eb06ffe761d5b0f2e57d73e6e40d0f4c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\MX\WTSAPI32.dll

MD5 3c9b51f9b30a3d678ec7963a71f9eddb
SHA1 44d5a4bcadc8821f77ae38726423ff84af4f5589
SHA256 6c1e735470113cffc72b268c9227c0954473534540aae56d6b759cfd80dd916c
SHA512 19484fbde74b60e3fd76f8313457f449f3f5ccc907724aade986e335e07d87a55815bee533e838f19f489e9ab5b8b75ee3948c29035df5d23bb85dd838edb04d

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 16:15

Reported

2024-01-20 16:18

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ae01647123bf97071130c123fe77e97.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
No per-event details recorded for this signature.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\gaWd\\mmc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BwMpPT\DWWIN.EXE N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3KR2I7E\mmc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\XYO\AtBroker.exe N/A

Suspicious behavior: EnumeratesProcesses

64 events: 4 attributed to C:\Windows\system32\rundll32.exe, the remaining 60 with no process, indicator or target recorded.

Suspicious use of AdjustPrivilegeToken

12 events, none with an attributed process: SeShutdownPrivilege and SeCreatePagefilePrivilege adjusted alternately, six times each.

Suspicious use of FindShellTrayWindow

2 events, no process, indicator or target recorded.

Suspicious use of UnmapMainImage

1 event, no process, indicator or target recorded.

Suspicious use of WriteProcessMemory

PID 3488 (not named in the Processes list; the Files section shows the same 0x140000000 image mapped into it) wrote to the memory of each target process twice:

PID 5012 C:\Windows\system32\DWWIN.EXE
PID 5108 C:\Users\Admin\AppData\Local\BwMpPT\DWWIN.EXE
PID 4552 C:\Windows\system32\mmc.exe
PID 412 C:\Users\Admin\AppData\Local\3KR2I7E\mmc.exe
PID 2144 C:\Windows\system32\AtBroker.exe
PID 4268 C:\Users\Admin\AppData\Local\XYO\AtBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ae01647123bf97071130c123fe77e97.dll,#1

C:\Windows\system32\DWWIN.EXE

C:\Windows\system32\DWWIN.EXE

C:\Users\Admin\AppData\Local\BwMpPT\DWWIN.EXE

C:\Users\Admin\AppData\Local\BwMpPT\DWWIN.EXE

C:\Windows\system32\mmc.exe

C:\Windows\system32\mmc.exe

C:\Users\Admin\AppData\Local\3KR2I7E\mmc.exe

C:\Users\Admin\AppData\Local\3KR2I7E\mmc.exe

C:\Windows\system32\AtBroker.exe

C:\Windows\system32\AtBroker.exe

C:\Users\Admin\AppData\Local\XYO\AtBroker.exe

C:\Users\Admin\AppData\Local\XYO\AtBroker.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp
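The only traffic in this run is fifteen PTR (reverse-DNS) queries to 8.8.8.8, none attributed to a process, and no connection to any of the resolved hosts is listed. To see which addresses were being looked up, the in-addr.arpa labels have to be reversed. The following Python is an added example by the editor, not part of the sandbox output: it parses the rows above (copied verbatim as NETWORK_ROWS), decodes each name back to the IPv4 address it queries, and groups the results by prefix. Treat the decoded addresses as leads for enrichment rather than indicators: reverse lookups of hosts the sample never contacts can also be background activity of the Windows 10 image, and the table does not say which process issued them.

```python
"""Decode the PTR queries in the behavioral2 Network table back into the
IPv4 addresses that were looked up, and group them by prefix.
Added example, not sandbox output. NETWORK_ROWS is copied from the table
above; the parsing and decoding logic is the editor's."""
import ipaddress
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp
""".splitlines()


def parse_rows(rows):
    """Split 'Country Destination Domain Proto' rows into dicts."""
    out = []
    for row in rows:
        country, dest, domain, proto = row.split()
        host, _, port = dest.rpartition(":")
        out.append({"country": country, "resolver": host, "port": int(port),
                    "name": domain, "proto": proto})
    return out


def ptr_to_ipv4(name):
    """'241.150.49.20.in-addr.arpa' -> IPv4Address('20.49.150.241').
    An in-addr.arpa name carries the four octets in reverse order."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ipaddress.IPv4Address(".".join(reversed(labels[:4])))


def looked_up_addresses(rows):
    """All PTR targets in the table, in table order."""
    return [ptr_to_ipv4(r["name"]) for r in parse_rows(rows)
            if r["name"].endswith(".in-addr.arpa")]


def by_prefix(addresses, prefixlen):
    """[(network, count)] per /prefixlen, largest groups first."""
    nets = Counter(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False)
                   for a in addresses)
    return nets.most_common()


if __name__ == "__main__":
    ips = looked_up_addresses(NETWORK_ROWS)
    print(f"{len(ips)} PTR lookups via 8.8.8.8")
    for q, ip in zip(parse_rows(NETWORK_ROWS), ips):
        print(f"  {q['name']:<32} -> {ip}")
    for net, n in by_prefix(ips, 8):
        print(f"  {net}: {n}")
```

Run stand-alone, it prints the fifteen decoded addresses and shows that twelve of them fall into just three /8 blocks (20, 52 and 96), with three of the 96.x addresses sharing 96.17.0.0/16; whether those blocks matter for this sample is a question for enrichment, not for the report alone.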

Files

memory/3460-1-0x000001F4E6B70000-0x000001F4E6B77000-memory.dmp

memory/3460-0-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-4-0x0000000003310000-0x0000000003311000-memory.dmp

memory/3488-7-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-8-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-6-0x00007FFB1B1DA000-0x00007FFB1B1DB000-memory.dmp

memory/3488-9-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-10-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-11-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-12-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-13-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-15-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-17-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-16-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-18-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-19-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-20-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3460-14-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-21-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-22-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-23-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-24-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-26-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-25-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-27-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-28-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-29-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-30-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-31-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-33-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-35-0x0000000003010000-0x0000000003017000-memory.dmp

memory/3488-34-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-32-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-42-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-45-0x00007FFB1CBE0000-0x00007FFB1CBF0000-memory.dmp

memory/3488-52-0x0000000140000000-0x000000014019B000-memory.dmp

memory/3488-54-0x0000000140000000-0x000000014019B000-memory.dmp

C:\Users\Admin\AppData\Local\BwMpPT\DWWIN.EXE

MD5 444cc4d3422a0fdd45c1b78070026c60
SHA1 97162ff341fff1ec54b827ec02f8b86fd2d41a97
SHA256 4b3f620272e709ce3e01ae5b19ef0300bd476f2da6412637f703bbaded2821f0
SHA512 21742d330a6a5763ea41a8fed4d71b98e4a1b4c685675c4cfeb7253033c3a208c23902caf0efdf470a85e0770cb8fac8af0eb6d3a8511445b0570054b42d5553

C:\Users\Admin\AppData\Local\BwMpPT\wer.dll

MD5 ccdbf456658a76a14f62060d4f43e782
SHA1 78cac76bbb25d74e2d13c354b913e23d88f271c8
SHA256 15205a8606a06e34f634bdda476b6bcc85dba604b7c66f6c8e65316bba2aba67
SHA512 f804f88e0fadf7d8de500bea71a0792deac2c8aa39367b9f80ad496f2aba73f595924b85f6ab37bc37d963e51a0a2fd736e1df382e432f6725e6a287348028fa

memory/5108-63-0x0000000140000000-0x000000014019D000-memory.dmp

memory/5108-64-0x000002E1D0420000-0x000002E1D0427000-memory.dmp

memory/5108-69-0x0000000140000000-0x000000014019D000-memory.dmp

C:\Users\Admin\AppData\Local\3KR2I7E\mmc.exe

MD5 8c86b80518406f14a4952d67185032d6
SHA1 9269f1fbcf65fefbc88a2e239519c21efe0f6ba5
SHA256 895eef1eda5700a425934ae3782d4741dfefb7deafa53891bde490150187b98a
SHA512 1bbdaa3ae8b5716ad2bd517055533e286ddb8a6c23cbc7aa602143dbb1ae132b513088ab61527c49737c554269c51416cceb80206ac8128ac6b003f1864eb099

C:\Users\Admin\AppData\Local\3KR2I7E\MFC42u.dll

MD5 79356d312d8d82f29775db59d6b3f0f3
SHA1 af939287a3b83078d20c3a76624b61b77d01f7c2
SHA256 8d2c77ac85ae39384819db2caff342c55089445b5686dd18afdcd08e4171b324
SHA512 79903fdca6f3163a87d10398b591209c0d47f3faf727aafd12d76a63eb5b632640b6e3eed7ccff5f0e85e8b8ab5c8f9f848652a6d04253817bad0709fedf58c4

C:\Users\Admin\AppData\Local\3KR2I7E\MFC42u.dll

MD5 4ea09ad9dd9bf86c096c31f2e513cab4
SHA1 fc8e89996202619a69d546866841dcea5cecc9ee
SHA256 73d72fae7459949885c15baa739548c9cbfb1824a1ccaf54dfd6865c4612603c
SHA512 a48142a526ac6ec28f1ae2f12869fbcabef8718ed0f4f77253518a161b38e3dd0f88ff303760eb5f94762c121f0899d41b7b1097c7e06dcb77976534e592aa60

memory/412-82-0x00000000011E0000-0x00000000011E7000-memory.dmp

memory/412-81-0x0000000140000000-0x00000001401A2000-memory.dmp

memory/412-85-0x0000000140000000-0x00000001401A2000-memory.dmp

C:\Users\Admin\AppData\Local\XYO\AtBroker.exe

MD5 30076e434a015bdf4c136e09351882cc
SHA1 584c958a35e23083a0861421357405afd26d9a0c
SHA256 ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd
SHA512 675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

C:\Users\Admin\AppData\Local\XYO\UxTheme.dll

MD5 4688097bc6ef275a2d6f2dfc3dc55bb9
SHA1 26c86fd3d84d95eff280a0f48f3f1f51cb31cc5e
SHA256 be8a087a996543004b43b90976489810c4ece1f81c9ef92162a8ff3cb7309063
SHA512 975abb809ce9033d1d2fe771e5a691ef693357f9d77e637a8e8ec122fa6e0868d92a0929bf65f4abd2f1a73cf7acacbf186ea82eb203ad274143fcaf0d75cc1b

memory/4268-95-0x0000000140000000-0x000000014019C000-memory.dmp

memory/4268-94-0x000001B2F7D50000-0x000001B2F7D57000-memory.dmp

memory/4268-100-0x0000000140000000-0x000000014019C000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 df627a190baee262a53ae4f2949c68de
SHA1 17bf53425d1906f3c83eb60f656be61f528d409d
SHA256 b45471affdd73f637fd9c0f593c5dabc6844397c4749d69d75c305c8c4a5e9e0
SHA512 6a22bf776c2c7e5a2d9f7acdd25f61c1f22bef0cf296633f78f01ae7a52a04aca465ebf553cbe61bae298a8e906425bd5944d5d539eccfe134b3f008b1ff5123

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\gaWd\MFC42u.dll

MD5 fe91051803ed3d19c397aec8f8336a21
SHA1 ae1bb9ce42489d7ec5ce86b7565283f51ff393e5
SHA256 5e36fe1acb0ebe3ed421982333dd9a4d625a61ca8a50531ec38e5d0ea1a4fc45
SHA512 b47ec126be30aa78cb8a3f6022994ce2f1295a33839a9c93ad4d491d74f8afe1a11dfbc1c83ea91fdded40b1e217cddac23453ad8d5adf8f104819119c263375
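Both behavioral runs show the same staging pattern: a legitimate Windows binary (TpmInit.exe, dpnsvr.exe, BdeUISrv.exe on Windows 7; DWWIN.EXE, mmc.exe, AtBroker.exe on Windows 10) is copied into a randomly named directory under AppData\Local, a DLL carrying a system-library name (Secur32.dll, WINMM.dll, WTSAPI32.dll; wer.dll, MFC42u.dll, UxTheme.dll) is dropped beside it, the "Loads dropped DLL" signature shows the copied binaries loading those DLLs, and the Run-key values point into further directories (1gPy, gaWd) where the same DLL names were written. That layout is the setup for DLL search-order hijacking / side-loading (ATT&CK T1574.001/.002): the copied EXE resolves the DLL from its own directory before System32. The Files sections also show an image of roughly 1.6 MB based at 0x140000000 mapped into the writer process and into each sideloaded child in both runs. The Python below is an added example by the editor, not sandbox output, and serves the behavioral1 and behavioral2 indicators alike: it takes the dropped-file paths and Run-key rows copied from this report, flags directories that hold a system-named EXE beside a system-named DLL, and cross-checks each Run-key target against the dropped DLLs. The allow-lists of system binary and DLL names are an assumption limited to the names on this page.

```python
"""Triage of the dropped-file and Run-key indicators in this report.
Added example, not sandbox output. DROPPED and RUN_ROWS are copied from the
behavioral1/behavioral2 sections; the allow-lists and rules are the editor's
assumptions, limited to the names that appear on this page."""
import ntpath
import re
from collections import defaultdict

# Assumed allow-lists of legitimate Windows binary/DLL names. A production rule
# would build these from a clean System32 inventory instead of hard-coding them.
SYSTEM_EXES = {"tpminit.exe", "dpnsvr.exe", "bdeuisrv.exe",
               "dwwin.exe", "mmc.exe", "atbroker.exe"}
SYSTEM_DLLS = {"secur32.dll", "winmm.dll", "wtsapi32.dll",
               "wer.dll", "mfc42u.dll", "uxtheme.dll"}
# Paths a standard user can write to; the sandbox omits the drive letter on
# some rows, so it is optional here and stripped in _split().
USER_PROFILE = re.compile(r"^(?:[a-z]:)?\\users\\[^\\]+\\appdata\\", re.I)
# Sandbox rows: Set value (str) \REGISTRY\USER\<SID>\...\Run\<name> = "<escaped path>"
RUN_ROW = re.compile(
    r'Set value \(str\) \\REGISTRY\\USER\\\S+?\\CurrentVersion\\Run\\(\S+) = "(.*)"',
    re.I)


def _split(path):
    """(directory without drive letter, file name), both lower-cased."""
    return ntpath.split(ntpath.splitdrive(path.lower())[1])


def _by_dir(paths):
    dirs = defaultdict(set)
    for p in paths:
        d, name = _split(p)
        dirs[d].add(name)
    return dirs


def sideload_candidates(dropped_paths):
    """[(directory, [exe names], [dll names])] for each user-writable directory
    holding a system-named EXE beside a system-named DLL."""
    dirs, hits = _by_dir(dropped_paths), []
    for d in sorted(dirs):
        if not USER_PROFILE.match(d):
            continue
        exes = sorted(n for n in dirs[d] if n in SYSTEM_EXES)
        dlls = sorted(n for n in dirs[d] if n in SYSTEM_DLLS)
        if exes and dlls:
            hits.append((d, exes, dlls))
    return hits


def run_key_targets(signature_rows):
    """(value name, unescaped target path) for Run-key rows whose target lies
    under a user profile, which is where this sample persists."""
    out = []
    for row in signature_rows:
        m = RUN_ROW.search(row)
        if m:
            target = m.group(2).replace("\\\\", "\\")
            if USER_PROFILE.match(target):
                out.append((m.group(1), target))
    return out


def persisted_sideloads(run_targets, dropped_paths):
    """For each Run-key target, the system-named DLLs dropped into the same
    directory; a non-empty list means the autostart entry is itself a
    sideloading pair rather than a lone copied EXE."""
    dirs = _by_dir(dropped_paths)
    return [(name, _split(t)[1],
             sorted(n for n in dirs[_split(t)[0]] if n in SYSTEM_DLLS))
            for name, t in run_targets]


# Indicators copied from the report (behavioral1, then behavioral2).
DROPPED = [
    r"\Users\Admin\AppData\Local\Cw0\Secur32.dll",
    r"C:\Users\Admin\AppData\Local\Cw0\TpmInit.exe",
    r"\Users\Admin\AppData\Local\jY3\dpnsvr.exe",
    r"C:\Users\Admin\AppData\Local\jY3\WINMM.dll",
    r"\Users\Admin\AppData\Local\S02ojB\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\S02ojB\BdeUISrv.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\1gPy\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\BwMpPT\DWWIN.EXE",
    r"C:\Users\Admin\AppData\Local\BwMpPT\wer.dll",
    r"C:\Users\Admin\AppData\Local\3KR2I7E\mmc.exe",
    r"C:\Users\Admin\AppData\Local\3KR2I7E\MFC42u.dll",
    r"C:\Users\Admin\AppData\Local\XYO\AtBroker.exe",
    r"C:\Users\Admin\AppData\Local\XYO\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\gaWd\MFC42u.dll",
]
RUN_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\1gPy\\dpnsvr.exe" N/A N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\gaWd\\mmc.exe" N/A N/A',
]

if __name__ == "__main__":
    for d, exes, dlls in sideload_candidates(DROPPED):
        print(f"sideload setup in {d}: {exes} + {dlls}")
    for name, exe, dlls in persisted_sideloads(run_key_targets(RUN_ROWS), DROPPED):
        print(f"Run value {name} -> {exe}, dropped beside it: {dlls}")
```

Run stand-alone, it reports the six AppData\Local staging directories (three per run) and then the two Run values, each resolving to a Roaming directory into which a system-named DLL was also dropped, so the persisted entry is a second sideloading pair, not just a copy of the EXE. The drive-letter normalisation matters: the sandbox lists some dropped files with and some without "C:", and without stripping it the Cw0, jY3 and S02ojB pairs would not line up.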