Malware Analysis Report

2024-11-15 08:50

Sample ID 240120-y6yvhsgafp
Target 6b6301393edd106e77d45cc57b552b52
SHA256 c4ad1b4e81e031ce20042ad7d4ef8f0d5febbcd3e3816a628dd03269fc5140bd
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c4ad1b4e81e031ce20042ad7d4ef8f0d5febbcd3e3816a628dd03269fc5140bd

Threat Level: Known bad

The file 6b6301393edd106e77d45cc57b552b52 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-20 20:24

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-20 20:24

Reported

2024-01-20 20:27

Platform

win7-20231129-en

Max time kernel

150s

Max time network

119s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6b6301393edd106e77d45cc57b552b52.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\MT6\wusa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sK9\SnippingTool.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Aozp\MpSigStub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\vF90so\UI0Detect.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\\sTEH\\MpSigStub.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\sK9\SnippingTool.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Aozp\MpSigStub.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\vF90so\UI0Detect.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\MT6\wusa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 2932 N/A N/A C:\Windows\system32\wusa.exe
PID 1368 wrote to memory of 320 N/A N/A C:\Users\Admin\AppData\Local\MT6\wusa.exe
PID 1368 wrote to memory of 2324 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1368 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\sK9\SnippingTool.exe
PID 1368 wrote to memory of 956 N/A N/A C:\Windows\system32\MpSigStub.exe
PID 1368 wrote to memory of 2532 N/A N/A C:\Users\Admin\AppData\Local\Aozp\MpSigStub.exe
PID 1368 wrote to memory of 1456 N/A N/A C:\Windows\system32\UI0Detect.exe
PID 1368 wrote to memory of 1224 N/A N/A C:\Users\Admin\AppData\Local\vF90so\UI0Detect.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6b6301393edd106e77d45cc57b552b52.dll

C:\Windows\system32\wusa.exe

C:\Windows\system32\wusa.exe

C:\Users\Admin\AppData\Local\MT6\wusa.exe

C:\Users\Admin\AppData\Local\MT6\wusa.exe

C:\Windows\system32\SnippingTool.exe

C:\Windows\system32\SnippingTool.exe

C:\Users\Admin\AppData\Local\sK9\SnippingTool.exe

C:\Users\Admin\AppData\Local\sK9\SnippingTool.exe

C:\Windows\system32\MpSigStub.exe

C:\Windows\system32\MpSigStub.exe

C:\Users\Admin\AppData\Local\Aozp\MpSigStub.exe

C:\Users\Admin\AppData\Local\Aozp\MpSigStub.exe

C:\Windows\system32\UI0Detect.exe

C:\Windows\system32\UI0Detect.exe

C:\Users\Admin\AppData\Local\vF90so\UI0Detect.exe

C:\Users\Admin\AppData\Local\vF90so\UI0Detect.exe

Network

N/A

Files

\Users\Admin\AppData\Local\MT6\dpx.dll

MD5 89bfbca83c5421d68c00ab77f07cb001
SHA1 8cc88a4c73314ec9d026195de5ebcbf7a95dff65
SHA256 b259983c73b41b659fa3dc92e8c14eaa087ffd15f87efdf27f12f7723f353b95
SHA512 127fa9a9b16151d07b0e1b1d1868351b79b0745c39ff6a3a5d8b8e093d65fa6b5aace2648eadad22434c4561a35fd02ae35524ef4604330a0b06e136d2b29b05

C:\Users\Admin\AppData\Local\MT6\dpx.dll

MD5 d7ad90d64c0ed9534879babb139f2515
SHA1 b92d422971f8e5a5cffa15860c7f9954461af1f0
SHA256 714171270f656ffebaad3f14c71c72459bb3dbccee45e577c14d76c79af53c4f
SHA512 583abac0d3b7537faa79760d913c37c0e80aaa1df78029a98214a99a535c3e205f1a936d4fc504ba1165b8fd486293006c926b1b9d0548ddb4bb1d4e02246285

C:\Users\Admin\AppData\Local\MT6\wusa.exe

MD5 339423bed1aaae3aa9a9be6068902550
SHA1 a5f9ccf6920d873db211194d6125c117862e4f26
SHA256 e092f931b525452492eee08c95c04a521a7903cc4c48e346d582466e6d78411f
SHA512 2261bfafb198a323b51d8ae478bfaaf974910885bfd70824e785b0b96dabe21a945e38038f0586a8660120e2b2048f3284a56ddaa4705eef6746947b4a39a1da

\Users\Admin\AppData\Local\MT6\wusa.exe

MD5 0d0dc88f3afd709d108a7c3718d279e6
SHA1 694a7c0adac0c51b49f0db9aaa903d1a05834819
SHA256 2d5848dc96a95d04fdda11b77b5614eb25a60552148cdd69064f40c81199fc3d
SHA512 eba4dcbeba46a64b8cea6a9ad850ea72ccb224140b8aac59adbc1ab60bf354002275868830132f37c2177f69868afb410fb61a54625ab4c41f6ad862b1d46889

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\6bs\wusa.exe

MD5 d098d5640e7ff8ad7e15f715c7ed59ed
SHA1 e9f2af1288bc628a4aca3391a7895d233b6aee3a
SHA256 0a73d1b103aa58896afbbc771f6585a3bc33d1694077654952a3197fd245a789
SHA512 a65b8886c7402b3de60c3be8d7ad6db7ad7a18c0a928f22f0c85e46459ce34aedcf819e576df158514f7594e37c147dc97b7cb402c33a840fff140003762a5f4

\Users\Admin\AppData\Local\sK9\slc.dll

MD5 cd77cc8e2f60150a5afef7e815e0778c
SHA1 484da717f57ddda9dba79a27231a79d8a17f9c06
SHA256 2eb2b06ae6cfdeadbb00344c76d903f0dcb11bf2535ed3b58493cfe0b5d7b516
SHA512 ec7a6574e2348d9d2d0c2591326c04d7f7786f2baac079bebd8fa96c0810a3715a94f74139595a83de4e389ace50fa904d0a1f164d96755e9ba2ae11609359b8

C:\Users\Admin\AppData\Local\sK9\slc.dll

MD5 069023d5e3cca5f3442585fef49e4529
SHA1 d8b66d40c986b5a9daa3948974a0a461c971a356
SHA256 c3daf7eb69dcd128d65d5d5912663e7b1a5a93f8fb0d88091dbe864abae982c4
SHA512 86eddde3d96a0308af7a945baaf3c0c20fbc94b53a45c965b4a7f0737e8f8d703599e4dfac0ec4c9e9745adb617cc057f5f52d0185e99d3ce1ff6c4e521f9762

C:\Users\Admin\AppData\Local\sK9\SnippingTool.exe

MD5 e3726ef38987827934cb65f14be55702
SHA1 a40874429e3f5f9e9568210f83bce35a671c0142
SHA256 ce4f24884f0ae79abb8c40e7f104bf24d4fa0e1cd0c0dccdc35ebea262bfa145
SHA512 63a675612073b44e39742b41d241b311c3cc1f3e9f777c39d384fc9c85a4e0ba9f159ea5fc1382c9a1e2dfab31e1b0765f81930b837fc2b0fbc9441cd7301502

\Users\Admin\AppData\Local\sK9\SnippingTool.exe

MD5 49d84b7d15e1b7c28e3dd3dab069bab6
SHA1 0978913241effcd15f4028d4844091badb5db77a
SHA256 b3c81fdfe2feef27cf85726b6d03e9d301b8abe061b358859f34faf45024d5cb
SHA512 28ff61f9fb977e6c5e8fd5056e3e1267959104673d6d7b8e3f7692123b45fb253dd03756fac19cf5f57ee41b0408b9bca7835ca777c2893e93eddcc33b2a7d43

C:\Users\Admin\AppData\Local\sK9\SnippingTool.exe

MD5 34404824d545bf2d79b151d330d1a592
SHA1 034bad4cae23b29381d566aae43805b7aafa3933
SHA256 97d481273d7dd3858b3599c7f626c0ae162471d0795d18b91e4deac00f19840b
SHA512 255af96347c968288c3bb662847a4f9b07bcb89df588866b8fd6289c999810d77c1b77253913acf9bfa278bf91486705681191ec38d015d3135eb999eeb2bd01

C:\Users\Admin\AppData\Local\Aozp\MpSigStub.exe

MD5 a754006b08779a8345f218a3f5d0f3cb
SHA1 58b8341bd7ae62e296cb9a44277d31b1e94df09c
SHA256 c18200a4cbb25714b76f92ce98504cb24eff6ad40529ead509b2a5846ae4f340
SHA512 1be4621f57d196e1b0a746aa430f3818f44ec85c73d15350aae7a5ec8d65c957d74523da8aa6d5cf5564a298c9280787333e60dab017d5446e67cea70f753715

\Users\Admin\AppData\Local\Aozp\VERSION.dll

MD5 bb4b4219756841cd6a1afc5b92161a75
SHA1 36744f282242257ac6d1730614347c8784922555
SHA256 a0374af98ea926253d3fd97accbf0ca1f37cba76bd6a0cd42c06195801523515
SHA512 c234d39706ed8b6e61cdb524b5f1bb575ee3d8d84e38742f61e2ea3c992456d4eb0284d473f1c5c13e1942b69627d076451e0abce4093f91386026e777f410c3

C:\Users\Admin\AppData\Local\Aozp\VERSION.dll

MD5 a71af61761cafef90065fbb4e751e052
SHA1 8ce540f0308944fcc9ccce2312f44d0b8770cfae
SHA256 8e991322f5f82bb3b0c642a2262d4b85241b45407a52162898f273c693464905
SHA512 eb109c67fd042a0f60df71920169820558c7badabe0e612338c87915419394938cf8990332e97a2b18c4871a6aa5cd476313d0cca9f4fa888c5b10a04e720cc5

\Users\Admin\AppData\Local\Aozp\MpSigStub.exe

MD5 844c05c85667101c9c28075337287cf8
SHA1 d47c5dc2ba4c58cd8a7e9353c1b854eb6143c90c
SHA256 86b539a380e752c24bc554a94692782b355aebcd74a92c99a6a51f164779d2c2
SHA512 92c5aeeeefb8578f0a2284c159ef62afbcebdd85147fd663a6339786988e2216f071a94e13ecbd902cbcad931532fa4b35ce6cced6dea40b0a7ae27bbcd0791b

C:\Users\Admin\AppData\Local\Aozp\MpSigStub.exe

MD5 1b7a87e3cbaf069ae472b7a36adbcb75
SHA1 63f15d030800c4e037409a9519043d5c37cf3a5a
SHA256 bfd991e8a6d59eb7f76fd965a4c5ab0c00de66371685e000b7417e7e9ceeee9b
SHA512 572e716c0dcf1c522c8dd041b78d71bd691f1bfee100c30025a441c68edc83fcaa4f8290eb78dbf43079ed70365645fdf04f048a665228fbaf9c7adfb0c80a98

C:\Users\Admin\AppData\Local\vF90so\WTSAPI32.dll

MD5 78009f13a6e26e8d29114b609782ae40
SHA1 94dff1701765d361540fb86ef6b4fbc7bc5fc0b3
SHA256 f95901e25e94c3de7a741abde64d886eff773c831dd490bbd2d31e0dc7b23be6
SHA512 5dd7684bfa49b94e223b526dc91d8f39332a4735ea241729b0a1b87cc2be04056e7d42827ee42e1940d758f7d7bf131aa4504ecceaa1fe21b78c25ac0508610d

\Users\Admin\AppData\Local\vF90so\WTSAPI32.dll

MD5 2be1320ab4ddc7e8c8ae591cd7ada641
SHA1 ee997d0c55363146eb281b087663380bbf579362
SHA256 b5eff006c15e0bc6f6043a051fa61a0e3667f4c8c69bc962f7d0031aa4c71a54
SHA512 cfca56072fada363e8cb2eb7deb02e0cca1b6eab5f874dfced70f6dc3c96dd3d72bd20f405a0303634dec2e546f39507cdbc54885723c86478ffc6cc99c141ff

C:\Users\Admin\AppData\Local\vF90so\UI0Detect.exe

MD5 3cbdec8d06b9968aba702eba076364a1
SHA1 6e0fcaccadbdb5e3293aa3523ec1006d92191c58
SHA256 b8dab8aa804fc23021bfebd7ae4d40fbe648d6c6ba21cc008e26d1c084972f9b
SHA512 a8e434c925ef849ecef0efcb4873dbb95eea2821c967b05afbbe5733071cc2293fc94e7fdf1fdaee51cbcf9885b3b72bfd4d690f23af34558b056920263e465d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk

MD5 94346b2896811291fc9ca79de350e886
SHA1 8a3bfb41ad10d8b5caaee915faec66974efba535
SHA256 bd65bbab80166cb56c269707fe29f259e8e36d7865e0efb3acd011054f26ad01
SHA512 48d9c2d202c5ae17736ff8239abbe29a3f83d6d93a3ba23d3007fb0551e0865e9bd0c316a1f69684561d83d7837d00e59faead9b7d7bb350a88d8a59c0124c40

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\6bs\dpx.dll

MD5 7a7cfd7a07909127edd5686c8490adcf
SHA1 ab10ba8ee73538886dda5b848e9c130b93678091
SHA256 dd330a8574efd98a18b49cd426faac2c1c8a5368c55d2d21ec39c416739da25c
SHA512 c5561b988cf53397d41b7be4fe6763d1a0760accc7ae56e8f2757641363bf65e2d546d17d16c8a92522b6d0aa82a99b952a7e7f9e74e0fa5ea5447c757d27f32

C:\Users\Admin\AppData\Roaming\Identities\{85F2D219-4DA8-41B0-8F71-51D9FDB705AC}\sTEH\VERSION.dll

MD5 1e2e883cf8883415d99a13ffb5169e4e
SHA1 a2b5ad8151a90df9338f526dacb53881cbbaedbc
SHA256 5a289b11e0ad477a48c594c3442f8648fd90db4a393a6e7853099ae8a711e130
SHA512 0b0591b3adee90c039b137dc8927eb0ab23b6667cde1828493521023fa3cef36627c7e617c5eb6f1987fa0fd87f1754967cb71df8d596b5330f8367d36a577d8

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\csvJH\WTSAPI32.dll

MD5 65d1902756e9b692ba1ab2be17d44dc8
SHA1 bd3cd6161b57fa88b163aadbf9d5925a3596a49b
SHA256 38238e68aebc81aea339d2c9ae9adac839bcdd363fc1f2e663d28017fb4d9f4c
SHA512 564038dd57cf49ec319544958733da68aec68a1ca6cf2e1af3aed572138674fb26618556a29496907ce3294771946459812b397242a8425df4096df2d9f5ec40

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-20 20:24

Reported

2024-01-20 20:27

Platform

win10v2004-20231215-en

Max time kernel

106s

Max time network

153s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6b6301393edd106e77d45cc57b552b52.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\t0qw\\wlrmdr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\VlsWaG\SnippingTool.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\AZfG9p1om\wlrmdr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\MB4k\EaseOfAccessDialog.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3073191680-435865314-2862784915-1000\{837E0075-ED95-4C6E-83E3-B2EDB74EC34D} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3488 wrote to memory of 2444 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 3488 wrote to memory of 1292 N/A N/A C:\Users\Admin\AppData\Local\VlsWaG\SnippingTool.exe
PID 3488 wrote to memory of 3216 N/A N/A C:\Windows\system32\wlrmdr.exe
PID 3488 wrote to memory of 2856 N/A N/A C:\Users\Admin\AppData\Local\AZfG9p1om\wlrmdr.exe
PID 3488 wrote to memory of 3560 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3488 wrote to memory of 4420 N/A N/A C:\Users\Admin\AppData\Local\MB4k\EaseOfAccessDialog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6b6301393edd106e77d45cc57b552b52.dll

C:\Windows\system32\SnippingTool.exe

C:\Windows\system32\SnippingTool.exe

C:\Users\Admin\AppData\Local\VlsWaG\SnippingTool.exe

C:\Users\Admin\AppData\Local\VlsWaG\SnippingTool.exe

C:\Windows\system32\wlrmdr.exe

C:\Windows\system32\wlrmdr.exe

C:\Users\Admin\AppData\Local\AZfG9p1om\wlrmdr.exe

C:\Users\Admin\AppData\Local\AZfG9p1om\wlrmdr.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Windows\system32\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\MB4k\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\MB4k\EaseOfAccessDialog.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\VlsWaG\SnippingTool.exe

MD5 f06d69f2fdd4d6a4e16f55769b7dccc1
SHA1 735eb9b032d924b59a8767b9d49bdb88bed05220
SHA256 83be001996cd4d9e5a1a8cd130e17e5b5ee81c9b5cf1b9d9196d8a39fbf7506d
SHA512 ccc1bff59636e91763659749d67b9f6255765ed5aed4b40b6f8111d4136a7e2fe9e0726396b0c837e4ab8717528134273ffc0825a205e501a13bf1d3aee5046b

C:\Users\Admin\AppData\Local\VlsWaG\dwmapi.dll

MD5 3e57448e8abb8f8e6b5bc1e1b4ce7d58
SHA1 2e04a54ff7a344051763f728c8543538a6d070db
SHA256 43c6b31b47ea7a75745de08e077627b99cfa173a9b328dc6adbe2abfc0850c6c
SHA512 ff7df1047ccfefca01c6deeee1499ec72862c3d59e7e1dc469d939b7d74cd2a1e8b0cd573a82a334909274fb8311dbe28c75c22e4af0acf7da1d13fc610ea7d8

memory/1292-96-0x0000026440980000-0x0000026440987000-memory.dmp

C:\Users\Admin\AppData\Local\AZfG9p1om\DUI70.dll

MD5 18cdcddecdd6936d42f22c3f0dd5a0e1
SHA1 f808bf56bf53a4552e8e795f240c4811c7ec990f
SHA256 9c02552adf1b6156b5cdd30316ec6015523c1f96b98f3c6f42cb8b0f425e5ee4
SHA512 906bd0242d3217bb6ef2271adce32c7958842e63ab382c27e2cd5351bcd20885718be9490e4b1f05a1309e91e5d63cff20452447636ebeaadb4831f886afdbf5

C:\Users\Admin\AppData\Local\AZfG9p1om\wlrmdr.exe

MD5 ef9bba7a637a11b224a90bf90a8943ac
SHA1 4747ec6efd2d41e049159249c2d888189bb33d1d
SHA256 2fda95aafb2e9284c730bf912b93f60a75b151941adc14445ed1e056140325b1
SHA512 4c1fdb8e4bf25546a2a33c95268593746f5ae2666ce36c6d9ba5833357f13720c4722231224e82308af8c156485a2c86ffd97e3093717a28d1300d3787ef1831

memory/2856-113-0x000001F0FA420000-0x000001F0FA427000-memory.dmp

C:\Users\Admin\AppData\Local\MB4k\EaseOfAccessDialog.exe

MD5 e75ee992c1041341f709a517c8723c87
SHA1 471021260055eac0021f0abffa2d0ba77a2f380e
SHA256 0b1731562413eaa972b373cd7388c644a3059940ce67eb89668e4073f3e068dc
SHA512 48c3a8531df6bcc5077367cdf32af104c94cf7701118a85e8beabba2e9c4f511ae14e47b6d1b57d11a2bc1e8b4f6d5bacae27a8d16fcd09a8f9e0018f5a6370a

C:\Users\Admin\AppData\Local\MB4k\DUser.dll

MD5 21556fd0041db1bcf39967d962d025a8
SHA1 a56522c1713fcab2733b808e18824b573f7b7731
SHA256 9fdce9c9111574549109eeb83ffa400945fc2f0173a24d5bb18ff28bc1a1eecb
SHA512 07a003e623c6bde7143ed227735cb4220d09569f90bba67e3a1e7a485e1c7293e6329450f8ee4116d18b90d71e7abb938663f0a139f5a0e30ccd709fc98894f8

memory/4420-134-0x00000209AAE10000-0x00000209AAE17000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 43d717ed0c1b6380a555a319118b7836
SHA1 f88bc023cb1f39bac6d94ca3c58e33d02cd764dd
SHA256 6700f66c60a602a7b1e982ab8d6ab72353d98e9d86b69a81f02c4f93dde52bca
SHA512 dd656f089c9aca6f13774628c366fb43ab489d57c33f8f5d281fe40916327bc5d504546011e9cd621c09f308a300431ba7e30b37c34cb00c3bbbedfd1cb4eb8e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EqTJy\dwmapi.dll

MD5 081094a61946f5eb588282c075817f3d
SHA1 0b27a2fdc5d6e628e2255eefdd42bdf5a04eed4c
SHA256 dc22ed32b33064a34998ef43507a269860080c60771ad3e7f8f8162ce2e5b1c3
SHA512 774492f268b53bafd01572dbd05ee6bc984b500cb98e156d9a96d46e468ead84c77e38c81d614d31ad5faf39e62adb5b0242dba37bf4e334939742ff8fd22b2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 3b8fde193c931f3cc0805e72d4cf80de
SHA1 f566d1207610e226d037ebf8119aa8b9073a83ff
SHA256 d92cb21acc14615681641922bc48a5900c6e0e96e6ef538f5a55ac21c75ad486
SHA512 d07801e512452e748f6e834975df8b70c3ad8bafeb063371b6a96269f0cacf37828f1e45947eb849f0f84d376a338d78df7e77f689108a74befb33407bce8513

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 86434ae062f84e5e68401dc86ef5fd00
SHA1 b561a0a0303a50f72168724ba8dc4d972eca1202
SHA256 06885d307489102869d51d0cab8db702432bb6130ed989a3805cb843b0d01251
SHA512 5d28799c79f6114f4a45591ed9bed0025029ca609b35468a4314ac6e52a7ee252cc634bd238f4a53fec82c570961ce33e07c4d105ca034a6712278d1a185eb5f

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0A55C1OB\microsoft.windows[1].xml

MD5 291a3f3ebf21195c8af7c2f120ca4dfc
SHA1 1cade2dac000db3bca92e2daee371beffd2c0bee
SHA256 fbe32bda6ca669397ca6d02b329f235aee87a8f36b09a589548e969c19cb78de
SHA512 ed2dea282f97d25171e0e95fe718103e04e37f13a1edf79373af204ac344cdb9a0fca34d82e45d3475a9845ee92644a99a1c2733f8858fe384e3b6958331f287

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

MD5 bc9ab38bb9b3ace0690aeef1e8e62b6c
SHA1 ebd2ebc0417aec62ec4307ad1b6c4d1e6d40923d
SHA256 64aa2f9ce80e4a0b951bd58b0427d52fd0eaffe80dd163ed92b60671d93ec3a0
SHA512 0e874edc8c069f7ee0f4078921a8c9e318bcff9bda84fe9f074b3b6af923c4a60897339b83b84601d0a3f6dac6370b139184367abdf3f06c70c336e0c2127f6a