Malware Analysis Report

2024-11-15 08:50

Sample ID 240120-v9g5dsdhbl
Target 6b0a5e806359b4b92fc00861e1bf8bff
SHA256 7687e9f3abc61ee051493a66f54044eea80c149788100ff4295211af104676cb
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7687e9f3abc61ee051493a66f54044eea80c149788100ff4295211af104676cb

Threat Level: Known bad

The file 6b0a5e806359b4b92fc00861e1bf8bff was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 17:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 17:41

Reported

2024-01-20 17:43

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b0a5e806359b4b92fc00861e1bf8bff.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\CAS2M1KTt\\EaseOfAccessDialog.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 4528 N/A N/A C:\Windows\system32\ddodiag.exe
PID 3516 wrote to memory of 4528 N/A N/A C:\Windows\system32\ddodiag.exe
PID 3516 wrote to memory of 4996 N/A N/A C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe
PID 3516 wrote to memory of 4996 N/A N/A C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe
PID 3516 wrote to memory of 1724 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3516 wrote to memory of 1724 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3516 wrote to memory of 1832 N/A N/A C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe
PID 3516 wrote to memory of 1832 N/A N/A C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe
PID 3516 wrote to memory of 2868 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3516 wrote to memory of 2868 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3516 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe
PID 3516 wrote to memory of 1436 N/A N/A C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b0a5e806359b4b92fc00861e1bf8bff.dll,#1

C:\Windows\system32\ddodiag.exe

C:\Windows\system32\ddodiag.exe

C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe

C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\2iF5zG\XmlLite.dll

MD5 15167b9af8291e0d6af123ffd20d44d1
SHA1 6ee6cec69aabc5c95b2c63ea6b3941e664aaa3d1
SHA256 2beaeb66bcd73a79fe997cd971bdd67a9cb3ce0c13cb595db27417a83578ed91
SHA512 c3022bcaefd79e3b2aae01f576b5f77c2a436aa8d2171339bc03facde98d1fdab3e81046f4c3e8b933cf423013c5ad5930748002a820237f9906f83be348a5c0

C:\Users\Admin\AppData\Local\2iF5zG\XmlLite.dll

MD5 deee50d10ae72bb742b42cd7c86edaed
SHA1 81d5b748bd2b429245e62b34b3c7939e68c115d8
SHA256 407f88db24b1106e95975f81ad1bf515d3d6dd06f8e8bacbd3c2562301ada020
SHA512 7288ae0da2a7ba51ddbcf288aca80d0ac96b8546013d27bdc7ad9ccd8f21b4841db962290012f7c4e472321c3d0bf3aa04772270fe757e2a5482259f1ad88d6a

C:\Users\Admin\AppData\Local\2iF5zG\ddodiag.exe

MD5 85feee634a6aee90f0108e26d3d9bc1f
SHA1 a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2
SHA256 99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6
SHA512 b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

C:\Users\Admin\AppData\Local\ygDgV5C1\DUser.dll

MD5 ad67707c1856cf3a6bb04027e6489c96
SHA1 fce271e41241ff67cbb2de8a09b3d618bff1e093
SHA256 755e3a45ee17b6e45f9e0ac221bbd4e05dca3f373725b55d87355a16063d76a4
SHA512 68b027d7f6f847b30ee654a2bada172e587fb6237532c2380d388215b3276ce53a6a0f68cad39f8aa47d7dd0f82f284ffc36b183bf64e35872cca488de1abbac

C:\Users\Admin\AppData\Local\ygDgV5C1\DUser.dll

MD5 ea2f7ed0798f4795e8dfdfa1b3af4caa
SHA1 b14e38afa9ad8c4d369eea9bee26d1b4cc245c5e
SHA256 d26f41e8d6afda3eade338bf4416c05ecbe13f82446288f56f5230791619f15b
SHA512 02b010bce82fc2cfb1f68e8449c2fe828a361d43153b1d41213594ada22836c3669f6aca27d93b7da781dc2c3b0865630b80fd9c67404a7f6771d54c858deceb

C:\Users\Admin\AppData\Local\ygDgV5C1\EaseOfAccessDialog.exe

MD5 e75ee992c1041341f709a517c8723c87
SHA1 471021260055eac0021f0abffa2d0ba77a2f380e
SHA256 0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc
SHA512 48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

C:\Users\Admin\AppData\Local\duSHcq\DUI70.dll

MD5 cbec2db00a4bb653a1c5b8c69edea31d
SHA1 92c2d6dc9351da341a80003da9de54a28aab1ab4
SHA256 acee873d72b1f06f59a1a6f0959af82a025464148bb740cf0a6a9bb5e76945cd
SHA512 558aae5f1f75367702474ae3d33c68a01de85828c9c01b38e16ae23accd22e9c69b5c929abd66de523cfab18191532485a67afe73a80bc9a669308cdeb470aa8

C:\Users\Admin\AppData\Local\duSHcq\DUI70.dll

MD5 fb0849152995b0a98c3868357292c623
SHA1 7e315b0d28e5803bf3fe3a4bc6081658371f0648
SHA256 23d44719b42de6bd2c4da2d10a2a8ac8d32f9ef44a4434cc852f69d062ba6dae
SHA512 e7703d2c64f492ebe8446d905fd4cb259b616a8c6917860937aeff6a3f558b31aa0911d8add2b74e1746705756f45c79bec8da0491cedcddd575709cad33cdad

C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe

MD5 325562720d6aa6eb20cc2b8ecef49884
SHA1 c8424c2c4c14870c75d380cbf80f4ade68ccc38e
SHA256 620bef9fdd5b589960ba4d75a6feb214eb75bdfba21b25869ddbe3e38777d082
SHA512 c0b8e7a77ae2dcec09d1268c7d9ea7fec4d804bf1afab781aa6910116b1cbe6e9f7b92ee153d96f5458f1d9d88d3831687763ee862deb0f92a3361d7fd3d24aa

C:\Users\Admin\AppData\Local\duSHcq\SystemSettingsAdminFlows.exe

MD5 094e356c4b9a9e7bf90cb827f93ead3a
SHA1 41f1f988ad7a36c232b45dc6fddd1f5e892b008c
SHA256 e3d0982cbf71c6f758f8327fe6a2e5d2dcb382436497151ce6ae48e384cfc22d
SHA512 20104e2c187213bf6be4edca24efaf25caee3977db7810ec29c15a564e76d951a6f63f9a1afa1f68d1af1a65a170bd857a55d26472a836182da489c164d7ecfb

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 5adbbd74eee1417a342568bdd1650b3a
SHA1 a55df6a2b7a57fc52e35396ebc6740a5b03da675
SHA256 be5cd6627b0b1c9762b5144179cdc458835fcf5f0232a00baf65d3321fc935d1
SHA512 26fcbd3edc0652c849c551213820c58dff7134ef230e49de9e1f1943ebac041ed4d5e45f09cea687b02671d2d0141b3cc2ed0f363c7062220242233d3b1ef4ac

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\8148Is\XmlLite.dll

MD5 fd9ef5b903a08c01a5f580e32d522fa8
SHA1 dc5b9bf88ee193391e12e3e155f3a740f5521654
SHA256 ad21945b2d63a28f639c6db66262b3ea8f21fe9c49c76ae7f30963e3ce238fc3
SHA512 cb6ee74565f019177048c5c61c9af1f03753a7e4ed69f244cb74f9a3de8d673aeb20ffe8393bd5258bd8b387cc70879afe2291f6626c073713e6304c2828fe9a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\CAS2M1KTt\DUser.dll

MD5 6c7e663925c2f6c65bb904a9b3721f9b
SHA1 d225029169cb8e05fb64cdd1bdcb1802b1694c3a
SHA256 1a1b07837db7cc5adb87ca41e27e268b0812db8d165dc32bd5892f7e38e6e966
SHA512 5defad9db3376f70bd0637c696a9d062d6efcfbb7e26d6e77b446db69ccffa6cbd64df1e0cac3b5928ce40c01a785c7bf3366664d39fc4c61ac2d0742d622cb5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\8148Is\9fEWSgBS\DUI70.dll

MD5 0cf106ac4ef4e179eb1f6046ed11cca3
SHA1 b47bc9af1d4851a639317fd73f8adb0284663b9b
SHA256 e43254c2bd6f9fc83024e530948fb4ec32614fd2b2f7f1073580c966ff42f130
SHA512 036169370627843be89d6a59c3351f0f5f937247fd7cbca1d96deb1cc1b56665ce09e396923f9890056505075a0f72aaae8ea321eef37aac7e7084daaaf56323

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 17:41

Reported

2024-01-20 17:43

Platform

win7-20231215-en

Max time kernel

150s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b0a5e806359b4b92fc00861e1bf8bff.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\stU\dpnsvr.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\DGtvy\\AdapterTroubleshooter.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\stU\dpnsvr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2844 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 2844 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 2844 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe
PID 1196 wrote to memory of 1572 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 1572 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 1572 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 1616 N/A N/A C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 1616 N/A N/A C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 1616 N/A N/A C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 2968 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1196 wrote to memory of 2968 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1196 wrote to memory of 2968 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1196 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\stU\dpnsvr.exe
PID 1196 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\stU\dpnsvr.exe
PID 1196 wrote to memory of 2508 N/A N/A C:\Users\Admin\AppData\Local\stU\dpnsvr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6b0a5e806359b4b92fc00861e1bf8bff.dll,#1

C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\AdapterTroubleshooter.exe

C:\Windows\system32\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe

C:\Windows\system32\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Users\Admin\AppData\Local\stU\dpnsvr.exe

C:\Users\Admin\AppData\Local\stU\dpnsvr.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\eVcdx6Q\SYSDM.CPL

MD5 db6e76817f6b921100213fcc6171ced1
SHA1 c3954c7c73ba7cd6307ecfd87722da007ae2643c
SHA256 76fee30ee84579b11b51ea9e9a145955eb1ae55528eb36a5da2893fdc25a3c87
SHA512 673cefc9147f34f32484696e7f2ec11385c235138d9bdf8fbb3386d1a940bed644638bd9f00e36c0a77d4bda22afa41ff929d1d52993b8dc9622246f4615c0d2

\Users\Admin\AppData\Local\eVcdx6Q\SYSDM.CPL

MD5 15135e1f03dab43c3f9a0321548de50f
SHA1 3b6f4854ef23d845801330a557edec239d22d42a
SHA256 0bff4aef44e56fd5f6b3a25720e4090e389f3e76f83bd5175a019f41dfc3b99a
SHA512 0bf537006ba79c68d4b429d01b8dcdf448ba463fee93529c22d885b2e9592940401fc6b4457baa2fbb3b3112a2535f56cf281e3e8015114c5db8e222dc727314

C:\Users\Admin\AppData\Local\eVcdx6Q\SystemPropertiesComputerName.exe

MD5 bd889683916aa93e84e1a75802918acf
SHA1 5ee66571359178613a4256a7470c2c3e6dd93cfa
SHA256 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
SHA512 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

C:\Users\Admin\AppData\Local\N0t\d3d9.dll

MD5 58e9a380a2f917a71cd6718882149d2d
SHA1 dca0dd8e13c1673cfb38f306e5325bd9f5b028c8
SHA256 fb32fa5dea1a60a2220d5ecda1852d17f0a5f3f1c1a77f61afbd9188f1b0c017
SHA512 7256608ab354917f477506ef30c0b165994fddfb4bb22fb8085086a4422eff37868d38c85586894b0c7af85987b5fae316e34b535baafd5fe83c05fcc79c7e33

\Users\Admin\AppData\Local\N0t\d3d9.dll

MD5 a1591bc662091ead517847a064f14cf6
SHA1 a5d10698602c9767b3176492a272d43f3de6baa1
SHA256 e1981dae2bd02e643cff6d1f6a5d7ee3198e75a5fc1b4c48921854c7aaf1a19f
SHA512 9ab1c02e141819c81379958cd0a7a21d368682bde24612bae103feb1695762a2c43b8b2d6ba4f8dec2669e806603f4c01c2e2599677f99c4a2404a539822572a

C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe

MD5 d4170c9ff5b2f85b0ce0246033d26919
SHA1 a76118e8775e16237cf00f2fb79718be0dc84db1
SHA256 d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da
SHA512 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

C:\Users\Admin\AppData\Local\N0t\AdapterTroubleshooter.exe

MD5 3b48c060089db96efa0fad2c5308a248
SHA1 b97b715cb72a6525143e0ffb2f8a13abb5ee3fdd
SHA256 3c9070561d2510f624f812c93959f8794f4f52c12b74358749833eeb051c544a
SHA512 b638d1148f151f7416da2e898ec5a602bd13b4e35d87b5fc80776e290e925460fcb13364cc77ef0f840095d71772b29fec1439bd34771417c1a05f07fa4a22bf

C:\Users\Admin\AppData\Local\stU\WINMM.dll

MD5 e8068ffce7078cacf0dc983764c9d662
SHA1 ec7c9ae56f903f272678545270007d3d67d41917
SHA256 a03b44754e3d439af4036fa5ccfa145f5621c07e4457e9a4690ab142a61318d2
SHA512 995b9ea2289d7549c4f592f6b09fff8357bc281208708114642a82b19ffda22dea6816831fc665062af9bae6e4cc3cd9b658774532fc346c1eec9cd5ef25e16e

\Users\Admin\AppData\Local\stU\WINMM.dll

MD5 4703e6f90b33c7508108d97a7692a978
SHA1 b331de0af673898bdb661c73a19b7399e7d5a583
SHA256 044aa37ae09ed70843d7d1093cb07ac8a62cde0ad9c8fc3a091d867486d84d6e
SHA512 7577d6c1a20a127abd300e3207b8e1f1dde6d6b206f8b7d1cc44876785837eb7eb60a2a08da8b526e0478206af9d0c1334857b02c13f676c19dacee3726c5b14

C:\Users\Admin\AppData\Local\stU\dpnsvr.exe

MD5 02f20a0d2ffd3d30776460e3d8114d36
SHA1 9e0bcdc06cabe007c1b3a1196081be84c06b36f2
SHA256 df99daf6b19e24272171186bf9c7ec9e3dbbbd2653bf78d68564d274e364bd4d
SHA512 71d9e2367de0794294d2937ea1802d74b307b32cb990290daea0a113326dedc0888c65c3bf222aa6822f7dc98fe1e80fc3da058d1593231f178b63b54b227f9a

C:\Users\Admin\AppData\Local\stU\dpnsvr.exe

MD5 6806b72978f6bd27aef57899be68b93b
SHA1 713c246d0b0b8dcc298afaed4f62aed82789951c
SHA256 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
SHA512 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\YL32BKDN\h7ZDza\dpnsvr.exe

MD5 863c35161b01888e38e8a356f3010119
SHA1 59559dee41fd93429304de9ea883c5b237a31190
SHA256 cd039241e8e09ce9f4b440ccef19124bf34e22f165b76c786378a8d939aa17cf
SHA512 b410e2e1af216c85b49ddff713b5bde0bab1805bf361c5d9233687761c12bc10a716cd3f45a402c45edb4066631673489cf51b74c4d2784ed64c958a2e40eec1

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

MD5 cb7dbbb252bed6fd3dc2c97d85b3a758
SHA1 06d0604ab488fdc29c0988451881c010e3fd9092
SHA256 c8bfae9d1a56ad145a0622a361eb97ac03459ae92a07f86dd98d77ad8cbb5681
SHA512 c6d0786492145c266ddf2a100a071238f88e1ff7f846ad3972a51ff7d328040d6efc7777dd54dd3a15b43057f0f830bf5ebb471dbfed5e37092a939774b2f02e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\gMBz\SYSDM.CPL

MD5 57598b8effd9ee00bb9de1de4d698579
SHA1 4682b4932c529c6b78e539658f28c2149b70069f
SHA256 74a48260144c9372547f173309c8cdda7c8df0316f8948697bc76fe4b3b2f839
SHA512 a06bba19bc24855c7992155a1a5cbcd6cca4ddc3d3d87768b4440256fe2cfa21e22f2aa71924be0a2aa32e52cbc7b08178ee33155dfe433c666cfae21fcc43ff

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\DGtvy\d3d9.dll

MD5 c19d5ba1d09b3f6416974e9705ddba57
SHA1 e5104acab769c1f5f64a83d564f713a430cbf7fb
SHA256 e076b25bc81949aa563be6a0a6052c6945b448f23041fa2de68dc16da5c148f2
SHA512 e4489dff5cb4502169e7c3b6272675ba696d08628f9df534cc9dc6228b3158b5edf0867faf6b629eebf1206b55ed749b7a9a786cca5a3afaa3a723fee8135e57

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\YL32BKDN\h7ZDza\WINMM.dll

MD5 f6867104198a685b2c187b047871b7a1
SHA1 5c50224f9fa1b3408095a046454985256e321935
SHA256 e6d525f7b9f95731299af758c4d3e97b9eafcc7bec8f2f3b2241e30b23d32da2
SHA512 8581781f015a9dc393a41f8bdde2bf4d0daa2aeacc96de5a11ee3769703be87231b6d97d4ea57b0d00ff22eb86f88c3d35bfa51bd0ae59c7c60d750e8e3d87d1