Malware Analysis Report

2024-11-15 08:50

Sample ID 240121-bdnshscbb9
Target 6bf2b8dfb0ae1a87d53b7df0eba45900
SHA256 040d5692e18f3667089d59f660741709390f41f201dd0f2d879ec90e47435a97
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

040d5692e18f3667089d59f660741709390f41f201dd0f2d879ec90e47435a97

Threat Level: Known bad

The file 6bf2b8dfb0ae1a87d53b7df0eba45900 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 01:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 01:01

Reported

2024-01-21 01:04

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bf2b8dfb0ae1a87d53b7df0eba45900.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\W9Wu\calc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\Ut9as\\AdapterTroubleshooter.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\W9Wu\calc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1320 wrote to memory of 2112 N/A N/A C:\Windows\system32\calc.exe
PID 1320 wrote to memory of 2112 N/A N/A C:\Windows\system32\calc.exe
PID 1320 wrote to memory of 2112 N/A N/A C:\Windows\system32\calc.exe
PID 1320 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\W9Wu\calc.exe
PID 1320 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\W9Wu\calc.exe
PID 1320 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\W9Wu\calc.exe
PID 1320 wrote to memory of 2760 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1320 wrote to memory of 2760 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1320 wrote to memory of 2760 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1320 wrote to memory of 2856 N/A N/A C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe
PID 1320 wrote to memory of 2856 N/A N/A C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe
PID 1320 wrote to memory of 2856 N/A N/A C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe
PID 1320 wrote to memory of 1704 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1320 wrote to memory of 1704 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1320 wrote to memory of 1704 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1320 wrote to memory of 1600 N/A N/A C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe
PID 1320 wrote to memory of 1600 N/A N/A C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe
PID 1320 wrote to memory of 1600 N/A N/A C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bf2b8dfb0ae1a87d53b7df0eba45900.dll,#1

C:\Windows\system32\calc.exe

C:\Windows\system32\calc.exe

C:\Users\Admin\AppData\Local\W9Wu\calc.exe

C:\Users\Admin\AppData\Local\W9Wu\calc.exe

C:\Windows\system32\AdapterTroubleshooter.exe

C:\Windows\system32\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe

C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe

C:\Windows\system32\RDVGHelper.exe

C:\Windows\system32\RDVGHelper.exe

C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe

C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe

Network

N/A

Files

memory/2192-1-0x0000000000240000-0x0000000000247000-memory.dmp

memory/2192-0-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-4-0x0000000077956000-0x0000000077957000-memory.dmp

memory/1320-5-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/2192-8-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-10-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-11-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-13-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-17-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-18-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-19-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-22-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-25-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-26-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-24-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-28-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-27-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-23-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-29-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-21-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-20-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-16-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-30-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-34-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-35-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-39-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-42-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-45-0x00000000025A0000-0x00000000025A7000-memory.dmp

memory/1320-44-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-43-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-41-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-40-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-38-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-52-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-36-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-37-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-53-0x0000000077B61000-0x0000000077B62000-memory.dmp

memory/1320-54-0x0000000077CC0000-0x0000000077CC2000-memory.dmp

memory/1320-33-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-31-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-32-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-15-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-14-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-12-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-9-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-7-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-63-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/1320-69-0x0000000140000000-0x00000001401BC000-memory.dmp

C:\Users\Admin\AppData\Local\W9Wu\calc.exe

MD5 09fe8f5734bc2eac8bdfa6a0db387879
SHA1 d64c137dd78d6dcac0a1985b9bf4bfb6008701ba
SHA256 4aa0e1665b0a29ec997a9f561f49e6d9f8e9fd8259813c3478a6bd28d3f12802
SHA512 48a815a4e17b84bcb212669fca202313100a3cc9c470838bf39e3be28977b994ef1aa22ff7144d8140372bda5fe2ca54227e4418d1e85a50b13034cbaadbc32e

\Users\Admin\AppData\Local\W9Wu\WINMM.dll

MD5 51128ba135ba596f3bb418b11c85c621
SHA1 bd3695af1424ae29dbdcdcd8c02ffb188fbd4b3a
SHA256 1bdca5b67f7185f21ec03d18dbd58b07a49d88b0bacd1ea9ec79709de6e11dfa
SHA512 9452dc9d55c1b6ef3136e446073b78138f6d55b6f4d681d82812fc053787e196f0057503b8f60f801a5f6f5d1f2523f951c3466879291eda04b813db6ecc2723

C:\Users\Admin\AppData\Local\W9Wu\WINMM.dll

MD5 de2b84d52f060bcc4c7189415131f8b5
SHA1 49b40b0919b846e4f0712aa0eb1bc8d7dc6f2cd0
SHA256 b831abfefe07c3f87ea40b8183917b7862b551a075864565018f962b981bc3cd
SHA512 e527145e62d4ec5c9bee3502115bf6106c8bf82a603d02e4d719d98804c954500dedc0158462c563a272be9ba8ad489ddf9190f96c80ed49d25a24501b9c1796

memory/2620-81-0x0000000000090000-0x0000000000097000-memory.dmp

memory/2620-82-0x0000000140000000-0x00000001401BE000-memory.dmp

\Users\Admin\AppData\Local\W9Wu\calc.exe

MD5 afbd6ca409e247fd0d76207e4c998fa7
SHA1 9508cdf8f01a4f0cfa82da75ddaa2748a2d24874
SHA256 a8d6e8c954c37ac56704f7cadbbbf125969018396d23d8bcfc02f4d134fffc1e
SHA512 d359a64de49e4882c7bf153e035fd69a5ee90eb5003ddbda49aa597cc8d9223549d3cb43da9e2f0f9a8cf76c90dece70688cba4d0d2a11b3c570a0e17458988c

C:\Users\Admin\AppData\Local\W9Wu\calc.exe

MD5 b308ff3bf227b6f5e2b14c450b7468e0
SHA1 b7a1ad036084f62b93bf41beb041503cec352c44
SHA256 20ceee5d5c213b9da6a560ed4e78b0f0cd50118bad9d7756c351372b8a260237
SHA512 81003e4a3a2b3c4ae408835214c14d5ab886bd01df7c833243366c1c7b57078df5e8c0f3313bc575d1c9382675df262ae740263d68585152c00378756d0f4193

C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe

MD5 d4170c9ff5b2f85b0ce0246033d26919
SHA1 a76118e8775e16237cf00f2fb79718be0dc84db1
SHA256 d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da
SHA512 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608

C:\Users\Admin\AppData\Local\rz5r4e\d3d9.dll

MD5 bf8b96a275e6604475bc4e098cbc8451
SHA1 6b5ace38da5932d7a49a02d80a9091f038f1b72f
SHA256 810a5b3c8be966fd424908d77d48ee5ef260eaf025e1e14a670c027c6fd8ebf2
SHA512 47b59175be131a7796f817f40ec1075d4e1f2be0b4a341f265b5a202b48f71dbd2edd3d3b061d2440ea10d2e86c1bd8791b9c6cae902fa447523a7a0e780294a

\Users\Admin\AppData\Local\rz5r4e\d3d9.dll

MD5 ccdac99c8ef02e35ede2f92e80a0dd64
SHA1 45e8b44ffdb79da6c184ac73d644d3a7671236f0
SHA256 ddd610a65a9635a2b87b86ba8f668372f3e2218ad076b25a31e8f5f88fc5f788
SHA512 c2ba435b4c7d5cf54bd7bfee9e701aaec1af32babf27b3b91a1fe77021a367fc5e6ae900ee42368e3ede26d0522b85193c585a71659f4a4e8004d7b21ca09546

memory/2856-103-0x0000000000190000-0x0000000000197000-memory.dmp

\Users\Admin\AppData\Local\OwD1Q\WTSAPI32.dll

MD5 da5ac15a9c33aecf356e1822b841a221
SHA1 b3980dc0801d5168b7e1cfd39d8e011d4593e10f
SHA256 1ab5e32dece3ad289a221b60665e8cc74394498744a274139fbd1865658da2eb
SHA512 2416f726722aa101a180c8bcae9fdea9b9523279c61035b5195551ffec63008fda5b03475578ec8958ca84cfb4ddafaa00b6d1a7a956414619ff8dbd7394e468

C:\Users\Admin\AppData\Local\OwD1Q\WTSAPI32.dll

MD5 9b20c91f6dde094fbc0b56a18b66b714
SHA1 6d1ccd162309a1110c5bf24877f8a178474b7781
SHA256 7a508e3a708189f660dc5707c212936d471f7f8e2bfe4d1e45de6492aa6c7c4d
SHA512 25914e3ab19b255f276469bf4d7d8b1ddb2929256ab707570bfd232c59052702e2f07923f239dd00c4692af60195e19900a1a997b21e9345ef15d7178bff615c

C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe

MD5 53fda4af81e7c4895357a50e848b7cfe
SHA1 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f
SHA256 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038
SHA512 dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

memory/1320-141-0x0000000077956000-0x0000000077957000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 873a58cac353341b2769c258728b0346
SHA1 443e95a7d9d7d13ead8c47d2a2a1bcdec7b5d0e6
SHA256 c7971e77cf4c5cb15cf114674beeff2c3f79253042fe4f3a9795b5102830954f
SHA512 7f9fa1909cec3903ef864a9c3fa04d3b9806bafbe477a5446cdf6f44f3a1e9fc3b9e863bdd677d1ab90b30600c395a6ee677355036654472e1260badda53fec3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\82SDd\WINMM.dll

MD5 ba58532ea25bf3c04924a2b24ef759b2
SHA1 17cd30f58604639f0bffdf5162fdc2b1b563c85f
SHA256 d077dbf9174af2889111588142a1270fdc51c108ee4f53c9ed6bf4a4a8797095
SHA512 231cb5bbf20f395d367648407918e8030d17e6062b04e00fcf73ccc314b099b04a766ef20c87b70e8c4bf8be08301c3d9ce0879f2ff7e0e66746092f88fcad9e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\Ut9as\d3d9.dll

MD5 079962ec263c4b5b31b8d9e4c949a96a
SHA1 cd2c39c14e705765b559af182ca04d218b42df43
SHA256 8980f2d5d3e4f3ac6ce8873c4d570e73216f63474f0d327d4748d737353ee379
SHA512 2747e49885d752ad3543201e15601b11630e3a206e652144402db1a806305fd7363b3eab6913bb24300d5cdea7cf2fed576386a4f610144b7fcf819fb6c4de7b

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\yOe\WTSAPI32.dll

MD5 a964a79e384c403db02f77882958f330
SHA1 8fe9faedaed7339972c5e4d5b31ca6028458bae0
SHA256 ac33e757d92ec0686a4bf288303499fbfca3d1edfefd87235c8a9493df14cbb3
SHA512 8ac519f885d7476845afd6a99330b5f1272327508e2f5e8ad8b113792a4e7e5ccbec34c84e5411dcda0d28f7e8b5e5156d7d1f1166f4f6f205e380431f60ec6d

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 01:01

Reported

2024-01-21 01:04

Platform

win10v2004-20231215-en

Max time kernel

152s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bf2b8dfb0ae1a87d53b7df0eba45900.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\9Apeh8FC6\\SppExtComObj.Exe" N/A N/A
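The two "Adds Run key" indicators (this one and the one in behavioral1) follow the same shape: an HKCU Run value with a random-looking name whose data points at a copy of a signed Windows binary (AdapterTroubleshooter.exe, SppExtComObj.Exe) parked in a random-looking sub-directory of the user's Roaming profile. The parser below, an added example that is not part of the sandbox report, takes the indicator lines exactly as the report prints them (backslashes in the data column are escaped) and turns each into a scored persistence finding. The "looks random" heuristic and the set of System32 binary names are assumptions scoped to this sample; the names come from the process lists above, and a production allow-list would be far longer.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: the two "Set value (str)" indicator lines copied from
# the behavioral1 and behavioral2 "Adds Run key" tables of this report.
INDICATORS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\Ut9as\\AdapterTroubleshooter.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\9Apeh8FC6\\SppExtComObj.Exe"',
]

# Basenames of the signed Windows binaries this sample copies out of
# System32 (taken from the process lists in the report). Assumption: a real
# allow-list of System32 executables would be much longer than this.
SYSTEM32_NAMES = {
    "calc.exe", "adaptertroubleshooter.exe", "rdvghelper.exe",
    "sessionmsg.exe", "consent.exe", "sppextcomobj.exe", "mblctr.exe",
}

# Matches the sandbox's "Set value (str) <key>\<value> = "<data>"" rendering
# for a HKCU or HKLM Run key.
LINE_RE = re.compile(
    r'^Set value \(str\) '
    r'(?P<key>\\REGISTRY\\(?P<hive>USER|MACHINE)\\'
    r'(?:(?P<sid>S-1-5-21-\d+-\d+-\d+-\d+)\\)?.*?\\Run)'
    r'\\(?P<name>[^\s=]+) = "(?P<data>.*)"$',
    re.IGNORECASE,
)


@dataclass
class RunKeyFinding:
    hive: str
    sid: Optional[str]
    value_name: str
    target: str
    flags: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def looks_random(token: str) -> bool:
    """Heuristic (an assumption, not from the report): a short alphanumeric
    token that contains a digit, or a run of four or more consonants or
    vowels, e.g. Xkgbzoakajt, Loeeeopgcaia, Ut9as, 9Apeh8FC6. Ordinary
    folder names such as Windows, Microsoft or Recent do not trigger it."""
    if not (3 <= len(token) <= 14) or not token.isalnum():
        return False
    if any(ch.isdigit() for ch in token):
        return True
    return bool(re.search(r"[aeiou]{4}|[^aeiou]{4}", token.lower()))


def parse_indicator(line: str) -> RunKeyFinding:
    """Parse one indicator line and attach the persistence red flags."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a Run-key indicator line: " + line[:60])
    # The report escapes backslashes in the data column; undo that.
    target = m["data"].replace("\\\\", "\\")
    parts = target.split("\\")
    basename, parent_dir = parts[-1], parts[-2]
    finding = RunKeyFinding(m["hive"].upper(), m["sid"], m["name"], target)
    if "\\appdata\\" in target.lower():
        finding.flags.append("user_writable_path")
    if basename.lower() in SYSTEM32_NAMES:
        finding.flags.append("system_binary_name_outside_system32")
    if looks_random(finding.value_name):
        finding.flags.append("random_value_name")
    if looks_random(parent_dir):
        finding.flags.append("random_parent_dir")
    return finding


def triage(lines: List[str]) -> List[RunKeyFinding]:
    """Parse every line and return findings, highest score first."""
    return sorted((parse_indicator(l) for l in lines),
                  key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(INDICATORS):
        print(f"{f.score}/4  HK{f.hive[0]}U  {f.value_name:14s} -> {f.target}")
        print("      flags:", ", ".join(f.flags))
```

On a live host the same parse applies to the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` or to Sysmon Event ID 13 (registry value set) records; both indicator lines in this report score 4/4, and the "system binary name outside System32" flag alone is the one most worth alerting on, because a legitimate installer never registers a copy of a Windows component under Recent\ or Office\Recent\.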

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows with no description, indicator, process or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 3416 N/A N/A C:\Windows\system32\sessionmsg.exe
PID 3552 wrote to memory of 3416 N/A N/A C:\Windows\system32\sessionmsg.exe
PID 3552 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe
PID 3552 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe
PID 3552 wrote to memory of 4992 N/A N/A C:\Windows\system32\consent.exe
PID 3552 wrote to memory of 4992 N/A N/A C:\Windows\system32\consent.exe
PID 3552 wrote to memory of 4296 N/A N/A C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe
PID 3552 wrote to memory of 4296 N/A N/A C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe
PID 3552 wrote to memory of 2168 N/A N/A C:\Windows\system32\SppExtComObj.Exe
PID 3552 wrote to memory of 2168 N/A N/A C:\Windows\system32\SppExtComObj.Exe
PID 3552 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe
PID 3552 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe
PID 3552 wrote to memory of 2500 N/A N/A C:\Windows\system32\mblctr.exe
PID 3552 wrote to memory of 2500 N/A N/A C:\Windows\system32\mblctr.exe
PID 3552 wrote to memory of 3664 N/A N/A C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe
PID 3552 wrote to memory of 3664 N/A N/A C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bf2b8dfb0ae1a87d53b7df0eba45900.dll,#1

C:\Windows\system32\sessionmsg.exe

C:\Windows\system32\sessionmsg.exe

C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe

C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe

C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe

C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe

C:\Windows\system32\SppExtComObj.Exe

C:\Windows\system32\SppExtComObj.Exe

C:\Windows\system32\mblctr.exe

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe

C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe

C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe

C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

Network

All twelve entries are PTR (reverse-DNS) queries sent to 8.8.8.8 over UDP; an in-addr.arpa name carries the looked-up address in reversed octet order, so 183.142.211.20.in-addr.arpa is the PTR query for 20.211.142.183. No TCP connections or HTTP requests were recorded in either run (behavioral1 lists no network activity at all), so no C2 address can be taken from this report.

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

memory/2044-0-0x00000202CE140000-0x00000202CE147000-memory.dmp

memory/2044-1-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-8-0x00007FFA75E5A000-0x00007FFA75E5B000-memory.dmp

memory/3552-7-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-9-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-10-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-14-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-18-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-19-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-24-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-23-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-22-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-26-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-25-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-27-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-28-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-29-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-21-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-30-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-31-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-32-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-20-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-17-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-16-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-15-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-13-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-12-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-11-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-6-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-4-0x0000000000F90000-0x0000000000F91000-memory.dmp

memory/3552-34-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-35-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-36-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-40-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-39-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-41-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-42-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-38-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-37-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-43-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-44-0x0000000000F50000-0x0000000000F57000-memory.dmp

memory/3552-33-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-52-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-53-0x00007FFA76040000-0x00007FFA76050000-memory.dmp

memory/2044-51-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-62-0x0000000140000000-0x00000001401BC000-memory.dmp

memory/3552-64-0x0000000140000000-0x00000001401BC000-memory.dmp

C:\Users\Admin\AppData\Local\Hdq7E\DUser.dll

MD5 3ecaa73db340e8c72f04b5d846fca7ca
SHA1 a8c71ff5ef401db413e39a51355b27f4a9636339
SHA256 0f9ab8c86592a6f22c890734e5dd856fff622a489150773170c5fa6f12cb0f15
SHA512 a83b6e62ba6e9eb106465dd340ad4851c4272928759a9f66dde10e4863ea0c81ca24aa35ab8216d6cbdea726c3f2c517cfaf81a0c55efde0f4eecab09e658365

C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe

MD5 480f710806b68dfe478ca1ec7d7e79cc
SHA1 b4fc97fed2dbff9c4874cb65ede7b50699db37cd
SHA256 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc
SHA512 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db

C:\Users\Admin\AppData\Local\Hdq7E\DUser.dll

MD5 3cf5410bf3c4e84a07a130be752e3a60
SHA1 90ebd2ee19fef8b5b83741c6a64b5e6a3ee3553e
SHA256 137e1017e3b089328277f18c70b551da675eebef81656b6ab8b3c4560a619749
SHA512 0a59e7bfa8593a36f5a99d34b7c2bec32a0204bc9d5494b8a586589c654fab20acabf6c12fe8c2b21eac5de0d7fd0d8cb2ab57e19a4147fb9203adf432feadb4

memory/2468-73-0x0000000140000000-0x00000001401BE000-memory.dmp

memory/2468-75-0x000001C0FC7D0000-0x000001C0FC7D7000-memory.dmp

memory/2468-79-0x0000000140000000-0x00000001401BE000-memory.dmp

C:\Users\Admin\AppData\Local\IFt4W1tIe\ACTIVEDS.dll

MD5 c9f6e6682e4e91ed12a1dc3d21e62efb
SHA1 1ebe640e53ac67e5e7a1943bc43443de3642db62
SHA256 e81c36d1ad40f292541d4783038c65e6f61d95b3486535ccd55a90e3bc8352e6
SHA512 0f7b7db1b391e6092ed16f0a4f63479257fdec59aebbb8bcc2d9ae737f921ac9b80e3951d225700c61dd77595e1c6c5afb515664ec1cd8e8eee0199edd28cc6f

C:\Users\Admin\AppData\Local\IFt4W1tIe\ACTIVEDS.dll

MD5 b74c410efc0be2c402004decd33780d6
SHA1 aa560f031e4f9023d4845710010c5a0d93011821
SHA256 86b6009efb0312b0896da5f5bb56b21d2ff15e442f4e6b1a08e5af1495303ec2
SHA512 0c95747b0a6b9c7a5ce2ff722fd450f9d8639c9e176159bba8a97314edba185839ceb207989bc0954d77401295b2791d8be4fe5252ba8a52a8dff8c3ac61699a

memory/2340-99-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/2340-104-0x0000000140000000-0x00000001401BD000-memory.dmp

memory/2340-98-0x000001F1B8EB0000-0x000001F1B8EB7000-memory.dmp

C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe

MD5 4bdbe0723e3d0850febbf8c524bbaaae
SHA1 6e8698f2392aaf02440e679e6baaaec1d4a163c8
SHA256 72e5ff540de63737ab98ed58e5f9e2136dd96eb91481c131c76714a4fe9a0630
SHA512 b0e9aa0494059e87c5dd0aed546b8c32583539b85a4c8ea2ef245b9ac648c5f8769e55bcd08dd336f028355f5cf05d151828e2ba19ad988c549542ba9055a838

C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe

MD5 f4ffd37463488cd21b73810e7cfa46df
SHA1 baba51e90b5b75bc2376bf83d370aded220197e0
SHA256 e605ec1915b24c19aba48f62b26e8255b7f5cf1e9946f4ba2cf2f3afb5d1d6ad
SHA512 f4b985d86ce91477beb3ffb96706318890567e22727a138095d162071b734ce5e082bff77f4f5eab147bd72514a856a15f7416e8f8806b620cdfb99f1d5bcd45

C:\Users\Admin\AppData\Local\AYzwzV\WINMM.dll

MD5 882347c1b447d106cf94258c04835248
SHA1 e21334f3ece6f76ea14c38400ae607fa2ad0a6e4
SHA256 86f173b7152ef5db22483ba5bccd74374d7ff615bdcf6e5fd76c4d4e87928e84
SHA512 a0f2a63ff139b10a86de465d4e9c0b76843d472156df8ab79f5db4222a92baeded4bb460040921435f689df19b3b4bc3ff73a375fb218d7827191a9fdda45f1b

memory/3664-115-0x0000023165C90000-0x0000023165C97000-memory.dmp

C:\Users\Admin\AppData\Local\AYzwzV\WINMM.dll

MD5 289f2848ef9d24b3ea00092a6d4533f8
SHA1 7f7d19bbcb7863cea350bb5309e9b4fed6acf30a
SHA256 af2f900a3de0b85166c99393551d303f2fd5859234aadc764768000a4d6a915c
SHA512 585817c78a64cc37f1ee9a0bcd0db8e55a022d20734f972d9a17fc05201e52f6e455f1f305786fb1e5102e9ecaa1eb97f29fc96f900e8ab6b77f43075e8af417

C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe

MD5 e7398b4378c9ae087d680836893b0e7f
SHA1 8a547a9bd5a1d56efd37bab774d77edbd2380364
SHA256 a5ea5969e2e27b06a7dbf313a3ec29352d121552b22a90077c82d6adb967762c
SHA512 c726ba04b6e87b260e24f4371c3475855b98ac5c1f2fdcdcdcc23fcc5b7994effddd8c6638143c7322081184911231d9117572e7f9553437662a14b402c609b1

C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe

MD5 80f06d5105497a698a4dd58003a72474
SHA1 32c3ee2da3ef7150d3771e1f751507c86fd37dc7
SHA256 1030fc0e4f555791acf128d5c083b1b769ebb5ce3b16a4ee128eeabf6acb64e8
SHA512 d267cad0b80b18773f5720dcb2fa87081a810afa39729012d47d54a01ca414276190c2c5c07d2940c8ae3afcd739c452f158371a56d135aac4c22fe0e5a9d529

C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe

MD5 6646631ce4ad7128762352da81f3b030
SHA1 1095bd4b63360fc2968d75622aa745e5523428ab
SHA256 56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64
SHA512 1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 e4f980761d4b2f50131e45abd59d7a60
SHA1 46395e85449028a574e26fa3c7fa2ac850a9cd56
SHA256 bbec79f875831f6a9f1be483ad71395b715ed75e5a7da4a02bc51d45c4624aa1
SHA512 9cefa29f4ed047545df2841ef00cfd6ca3c86f24423febb2de6e9d6c4b8dffb567373d630c058bbe864b7a726e05a01aa0aaeac585ac26328c91ca92199d2183

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\uYd\DUser.dll

MD5 0bc88fc73b87d666758fb6bf0c1ccfdd
SHA1 8ab7c6cc57acd6583d6bb2c75cd2997d0626a80e
SHA256 c7fe682588c725ac2cc45f7280e84e6c5b19383683f1ffc3b288b306e9aa393f
SHA512 e3405478899b567035e6d2781c3a3573a4f43c1db214cbecf61580d375d7e0277ffae7ae89f132b66cc643ebefb04e386b13bd1f31c01e5d12d4c11c7b3be800

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\9Apeh8FC6\ACTIVEDS.dll

MD5 7d2492ee437fb311530ccb848975db4b
SHA1 8f6e81c3ed775887a359f81332f186ca916f373d
SHA256 53807ab411bcc7b41622999af736d045858069ff96dcbb11b77ef3cdccba7040
SHA512 f303441759c9efce6c8b1b24f349d515496962646ef63e982cfc62fcecdaaefedc3077da12b4276b2ed89df1524e7406f0fa9b3e185a5ccabb7f70a554d5837e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\uYd\rY4tacONr\WINMM.dll

MD5 af21885de1e84dddf5e04757b7c2623f
SHA1 9d7682f0993b6eac54949958de60c50df7848b52
SHA256 852dde5ad8c75257a87fa6dc69b5ad6d802873b31ecc4e667124b085c41d9ac9
SHA512 23e6ed8831a251544cd8592f4637faaed813cabe719cb007c4a6db81c7d5e27477c55fcf54807002b8bc77997e4430710868f03f9532d9176432d52ff8421e87
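Across both detonations the dropped files fall into a fixed pattern: a signed Windows executable copied out of System32 (calc.exe, AdapterTroubleshooter.exe, RDVGHelper.exe, sessionmsg.exe, consent.exe, SppExtComObj.Exe, mblctr.exe) into a random-named directory under AppData\Local, with a DLL bearing the name of a system library (WINMM.dll, d3d9.dll, WTSAPI32.dll, DUser.dll, ACTIVEDS.dll) dropped beside it, which is the DLL search-order hijacking layout (ATT&CK T1574.001). Further copies of those DLLs land in random-named folders under AppData\Roaming, two of which are the directories the Run keys point at, and a .lnk is written to the Startup folder (T1547.001). The script below, an added example rather than part of the report, takes the dropped-file paths from both Files sections and the two Run-key targets and sorts every staging directory into one of those categories. It merges both runs into one list purely for illustration; the name sets are an assumption drawn from this sample only, and the report lists most paths twice (with and without a drive letter, with different hashes), so the script de-duplicates on the normalised path.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed input: dropped-file paths copied from the Files sections of
# behavioral1 (win7) and behavioral2 (win10) above. Some rows in the report
# omit the drive letter and the same path appears with two hash sets.
DROPPED = [
    r"C:\Users\Admin\AppData\Local\W9Wu\calc.exe",
    r"\Users\Admin\AppData\Local\W9Wu\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\W9Wu\WINMM.dll",
    r"\Users\Admin\AppData\Local\W9Wu\calc.exe",
    r"C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe",
    r"C:\Users\Admin\AppData\Local\rz5r4e\d3d9.dll",
    r"\Users\Admin\AppData\Local\rz5r4e\d3d9.dll",
    r"\Users\Admin\AppData\Local\OwD1Q\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\82SDd\WINMM.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\Ut9as\d3d9.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\yOe\WTSAPI32.dll",
    r"C:\Users\Admin\AppData\Local\Hdq7E\DUser.dll",
    r"C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe",
    r"C:\Users\Admin\AppData\Local\IFt4W1tIe\ACTIVEDS.dll",
    r"C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe",
    r"C:\Users\Admin\AppData\Local\AYzwzV\WINMM.dll",
    r"C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe",
    r"C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\uYd\DUser.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\9Apeh8FC6\ACTIVEDS.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\uYd\rY4tacONr\WINMM.dll",
]

# The two Run-key targets from the "Adds Run key" indicators in the report.
PERSISTENCE_TARGETS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\Ut9as\AdapterTroubleshooter.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\9Apeh8FC6\SppExtComObj.Exe",
]

# Assumption: name sets restricted to what this sample uses. A production
# detection would use the full System32 inventory and a longer hijack list.
SYSTEM32_NAMES = {"calc.exe", "adaptertroubleshooter.exe", "rdvghelper.exe",
                  "sessionmsg.exe", "consent.exe", "sppextcomobj.exe", "mblctr.exe"}
HIJACK_DLLS = {"winmm.dll", "d3d9.dll", "wtsapi32.dll", "duser.dll", "activeds.dll"}


@dataclass
class Finding:
    kind: str
    directory: str
    files: List[str]


def _norm(path: str) -> str:
    """Add the drive letter the report drops on some rows."""
    path = path.replace("/", "\\")
    return "C:" + path if path.startswith("\\") else path


def find_sideload_staging(paths: List[str], persistence_targets: List[str]) -> List[Finding]:
    """Group dropped files by directory and classify each user-writable
    staging directory: EXE+DLL pair, DLL planted where a Run key points,
    lone hijack DLL, lone System32 copy, or Startup-folder shortcut."""
    by_dir: Dict[str, Set[str]] = defaultdict(set)
    display: Dict[str, str] = {}
    for p in paths:
        d, base = ntpath.split(_norm(p))
        by_dir[d.lower()].add(base.lower())
        display.setdefault(d.lower(), d)
    target_dirs = {ntpath.dirname(_norm(t)).lower() for t in persistence_targets}

    findings: List[Finding] = []
    for d, names in sorted(by_dir.items()):
        if "\\appdata\\" not in d:
            continue  # only user-writable locations are interesting here
        exes = sorted(n for n in names if n in SYSTEM32_NAMES)
        dlls = sorted(n for n in names if n in HIJACK_DLLS)
        lnks = sorted(n for n in names if n.endswith(".lnk"))
        if lnks and d.endswith("\\programs\\startup"):
            findings.append(Finding("startup_shortcut", display[d], lnks))
        if exes and dlls:
            findings.append(Finding("sideload_pair", display[d], exes + dlls))
        elif dlls and d in target_dirs:
            findings.append(Finding("dll_staged_at_persistence_target", display[d], dlls))
        elif dlls:
            findings.append(Finding("orphan_hijack_dll", display[d], dlls))
        elif exes:
            findings.append(Finding("system_binary_copy", display[d], exes))
    return findings


if __name__ == "__main__":
    for f in find_sideload_staging(DROPPED, PERSISTENCE_TARGETS):
        print(f"{f.kind:34s} {f.directory}  [{', '.join(f.files)}]")
```

Two things the output makes visible that the flat file list hides: the Run-key target directories (Ut9as, 9Apeh8FC6) contain only the hijack DLL in this report, not the executable the Run value names, so the final persisted EXE copy was not captured as a dropped file; and the WriteProcessMemory tables show rundll32 writing into both the System32 original and the AppData copy of each binary before the copy is run, so blocking only the AppData directory names would miss the staging step.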