Analysis Overview
SHA256
040d5692e18f3667089d59f660741709390f41f201dd0f2d879ec90e47435a97
Threat Level: Known bad
The file 6bf2b8dfb0ae1a87d53b7df0eba45900 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-21 01:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-21 01:01
Reported
2024-01-21 01:04
Platform
win7-20231215-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\W9Wu\calc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\W9Wu\calc.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\Ut9as\\AdapterTroubleshooter.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\W9Wu\calc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1320 wrote to memory of 2112 | N/A | N/A | C:\Windows\system32\calc.exe |
| PID 1320 wrote to memory of 2112 | N/A | N/A | C:\Windows\system32\calc.exe |
| PID 1320 wrote to memory of 2112 | N/A | N/A | C:\Windows\system32\calc.exe |
| PID 1320 wrote to memory of 2620 | N/A | N/A | C:\Users\Admin\AppData\Local\W9Wu\calc.exe |
| PID 1320 wrote to memory of 2620 | N/A | N/A | C:\Users\Admin\AppData\Local\W9Wu\calc.exe |
| PID 1320 wrote to memory of 2620 | N/A | N/A | C:\Users\Admin\AppData\Local\W9Wu\calc.exe |
| PID 1320 wrote to memory of 2760 | N/A | N/A | C:\Windows\system32\AdapterTroubleshooter.exe |
| PID 1320 wrote to memory of 2760 | N/A | N/A | C:\Windows\system32\AdapterTroubleshooter.exe |
| PID 1320 wrote to memory of 2760 | N/A | N/A | C:\Windows\system32\AdapterTroubleshooter.exe |
| PID 1320 wrote to memory of 2856 | N/A | N/A | C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe |
| PID 1320 wrote to memory of 2856 | N/A | N/A | C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe |
| PID 1320 wrote to memory of 2856 | N/A | N/A | C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe |
| PID 1320 wrote to memory of 1704 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1320 wrote to memory of 1704 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1320 wrote to memory of 1704 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe |
| PID 1320 wrote to memory of 1600 | N/A | N/A | C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe |
| PID 1320 wrote to memory of 1600 | N/A | N/A | C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe |
| PID 1320 wrote to memory of 1600 | N/A | N/A | C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bf2b8dfb0ae1a87d53b7df0eba45900.dll,#1
C:\Windows\system32\calc.exe
C:\Windows\system32\calc.exe
C:\Users\Admin\AppData\Local\W9Wu\calc.exe
C:\Users\Admin\AppData\Local\W9Wu\calc.exe
C:\Windows\system32\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe
C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe
C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe
Network
Files
memory/2192-1-0x0000000000240000-0x0000000000247000-memory.dmp
memory/2192-0-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-4-0x0000000077956000-0x0000000077957000-memory.dmp
memory/1320-5-0x0000000002A20000-0x0000000002A21000-memory.dmp
memory/2192-8-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-10-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-11-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-13-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-17-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-18-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-19-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-22-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-25-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-26-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-24-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-28-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-27-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-23-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-29-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-21-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-20-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-16-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-30-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-34-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-35-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-39-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-42-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-45-0x00000000025A0000-0x00000000025A7000-memory.dmp
memory/1320-44-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-43-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-41-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-40-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-38-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-52-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-36-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-37-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-53-0x0000000077B61000-0x0000000077B62000-memory.dmp
memory/1320-54-0x0000000077CC0000-0x0000000077CC2000-memory.dmp
memory/1320-33-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-31-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-32-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-15-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-14-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-12-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-9-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-7-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-63-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/1320-69-0x0000000140000000-0x00000001401BC000-memory.dmp
C:\Users\Admin\AppData\Local\W9Wu\calc.exe
| MD5 | 09fe8f5734bc2eac8bdfa6a0db387879 |
| SHA1 | d64c137dd78d6dcac0a1985b9bf4bfb6008701ba |
| SHA256 | 4aa0e1665b0a29ec997a9f561f49e6d9f8e9fd8259813c3478a6bd28d3f12802 |
| SHA512 | 48a815a4e17b84bcb212669fca202313100a3cc9c470838bf39e3be28977b994ef1aa22ff7144d8140372bda5fe2ca54227e4418d1e85a50b13034cbaadbc32e |
\Users\Admin\AppData\Local\W9Wu\WINMM.dll
| MD5 | 51128ba135ba596f3bb418b11c85c621 |
| SHA1 | bd3695af1424ae29dbdcdcd8c02ffb188fbd4b3a |
| SHA256 | 1bdca5b67f7185f21ec03d18dbd58b07a49d88b0bacd1ea9ec79709de6e11dfa |
| SHA512 | 9452dc9d55c1b6ef3136e446073b78138f6d55b6f4d681d82812fc053787e196f0057503b8f60f801a5f6f5d1f2523f951c3466879291eda04b813db6ecc2723 |
C:\Users\Admin\AppData\Local\W9Wu\WINMM.dll
| MD5 | de2b84d52f060bcc4c7189415131f8b5 |
| SHA1 | 49b40b0919b846e4f0712aa0eb1bc8d7dc6f2cd0 |
| SHA256 | b831abfefe07c3f87ea40b8183917b7862b551a075864565018f962b981bc3cd |
| SHA512 | e527145e62d4ec5c9bee3502115bf6106c8bf82a603d02e4d719d98804c954500dedc0158462c563a272be9ba8ad489ddf9190f96c80ed49d25a24501b9c1796 |
memory/2620-81-0x0000000000090000-0x0000000000097000-memory.dmp
memory/2620-82-0x0000000140000000-0x00000001401BE000-memory.dmp
\Users\Admin\AppData\Local\W9Wu\calc.exe
| MD5 | afbd6ca409e247fd0d76207e4c998fa7 |
| SHA1 | 9508cdf8f01a4f0cfa82da75ddaa2748a2d24874 |
| SHA256 | a8d6e8c954c37ac56704f7cadbbbf125969018396d23d8bcfc02f4d134fffc1e |
| SHA512 | d359a64de49e4882c7bf153e035fd69a5ee90eb5003ddbda49aa597cc8d9223549d3cb43da9e2f0f9a8cf76c90dece70688cba4d0d2a11b3c570a0e17458988c |
C:\Users\Admin\AppData\Local\W9Wu\calc.exe
| MD5 | b308ff3bf227b6f5e2b14c450b7468e0 |
| SHA1 | b7a1ad036084f62b93bf41beb041503cec352c44 |
| SHA256 | 20ceee5d5c213b9da6a560ed4e78b0f0cd50118bad9d7756c351372b8a260237 |
| SHA512 | 81003e4a3a2b3c4ae408835214c14d5ab886bd01df7c833243366c1c7b57078df5e8c0f3313bc575d1c9382675df262ae740263d68585152c00378756d0f4193 |
C:\Users\Admin\AppData\Local\rz5r4e\AdapterTroubleshooter.exe
| MD5 | d4170c9ff5b2f85b0ce0246033d26919 |
| SHA1 | a76118e8775e16237cf00f2fb79718be0dc84db1 |
| SHA256 | d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da |
| SHA512 | 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608 |
C:\Users\Admin\AppData\Local\rz5r4e\d3d9.dll
| MD5 | bf8b96a275e6604475bc4e098cbc8451 |
| SHA1 | 6b5ace38da5932d7a49a02d80a9091f038f1b72f |
| SHA256 | 810a5b3c8be966fd424908d77d48ee5ef260eaf025e1e14a670c027c6fd8ebf2 |
| SHA512 | 47b59175be131a7796f817f40ec1075d4e1f2be0b4a341f265b5a202b48f71dbd2edd3d3b061d2440ea10d2e86c1bd8791b9c6cae902fa447523a7a0e780294a |
\Users\Admin\AppData\Local\rz5r4e\d3d9.dll
| MD5 | ccdac99c8ef02e35ede2f92e80a0dd64 |
| SHA1 | 45e8b44ffdb79da6c184ac73d644d3a7671236f0 |
| SHA256 | ddd610a65a9635a2b87b86ba8f668372f3e2218ad076b25a31e8f5f88fc5f788 |
| SHA512 | c2ba435b4c7d5cf54bd7bfee9e701aaec1af32babf27b3b91a1fe77021a367fc5e6ae900ee42368e3ede26d0522b85193c585a71659f4a4e8004d7b21ca09546 |
memory/2856-103-0x0000000000190000-0x0000000000197000-memory.dmp
\Users\Admin\AppData\Local\OwD1Q\WTSAPI32.dll
| MD5 | da5ac15a9c33aecf356e1822b841a221 |
| SHA1 | b3980dc0801d5168b7e1cfd39d8e011d4593e10f |
| SHA256 | 1ab5e32dece3ad289a221b60665e8cc74394498744a274139fbd1865658da2eb |
| SHA512 | 2416f726722aa101a180c8bcae9fdea9b9523279c61035b5195551ffec63008fda5b03475578ec8958ca84cfb4ddafaa00b6d1a7a956414619ff8dbd7394e468 |
C:\Users\Admin\AppData\Local\OwD1Q\WTSAPI32.dll
| MD5 | 9b20c91f6dde094fbc0b56a18b66b714 |
| SHA1 | 6d1ccd162309a1110c5bf24877f8a178474b7781 |
| SHA256 | 7a508e3a708189f660dc5707c212936d471f7f8e2bfe4d1e45de6492aa6c7c4d |
| SHA512 | 25914e3ab19b255f276469bf4d7d8b1ddb2929256ab707570bfd232c59052702e2f07923f239dd00c4692af60195e19900a1a997b21e9345ef15d7178bff615c |
C:\Users\Admin\AppData\Local\OwD1Q\RDVGHelper.exe
| MD5 | 53fda4af81e7c4895357a50e848b7cfe |
| SHA1 | 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f |
| SHA256 | 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038 |
| SHA512 | dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051 |
memory/1320-141-0x0000000077956000-0x0000000077957000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk
| MD5 | 873a58cac353341b2769c258728b0346 |
| SHA1 | 443e95a7d9d7d13ead8c47d2a2a1bcdec7b5d0e6 |
| SHA256 | c7971e77cf4c5cb15cf114674beeff2c3f79253042fe4f3a9795b5102830954f |
| SHA512 | 7f9fa1909cec3903ef864a9c3fa04d3b9806bafbe477a5446cdf6f44f3a1e9fc3b9e863bdd677d1ab90b30600c395a6ee677355036654472e1260badda53fec3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\82SDd\WINMM.dll
| MD5 | ba58532ea25bf3c04924a2b24ef759b2 |
| SHA1 | 17cd30f58604639f0bffdf5162fdc2b1b563c85f |
| SHA256 | d077dbf9174af2889111588142a1270fdc51c108ee4f53c9ed6bf4a4a8797095 |
| SHA512 | 231cb5bbf20f395d367648407918e8030d17e6062b04e00fcf73ccc314b099b04a766ef20c87b70e8c4bf8be08301c3d9ce0879f2ff7e0e66746092f88fcad9e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\Ut9as\d3d9.dll
| MD5 | 079962ec263c4b5b31b8d9e4c949a96a |
| SHA1 | cd2c39c14e705765b559af182ca04d218b42df43 |
| SHA256 | 8980f2d5d3e4f3ac6ce8873c4d570e73216f63474f0d327d4748d737353ee379 |
| SHA512 | 2747e49885d752ad3543201e15601b11630e3a206e652144402db1a806305fd7363b3eab6913bb24300d5cdea7cf2fed576386a4f610144b7fcf819fb6c4de7b |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\yOe\WTSAPI32.dll
| MD5 | a964a79e384c403db02f77882958f330 |
| SHA1 | 8fe9faedaed7339972c5e4d5b31ca6028458bae0 |
| SHA256 | ac33e757d92ec0686a4bf288303499fbfca3d1edfefd87235c8a9493df14cbb3 |
| SHA512 | 8ac519f885d7476845afd6a99330b5f1272327508e2f5e8ad8b113792a4e7e5ccbec34c84e5411dcda0d28f7e8b5e5156d7d1f1166f4f6f205e380431f60ec6d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-21 01:01
Reported
2024-01-21 01:04
Platform
win10v2004-20231215-en
Max time kernel
152s
Max time network
150s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\9Apeh8FC6\\SppExtComObj.Exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3552 wrote to memory of 3416 | N/A | N/A | C:\Windows\system32\sessionmsg.exe |
| PID 3552 wrote to memory of 3416 | N/A | N/A | C:\Windows\system32\sessionmsg.exe |
| PID 3552 wrote to memory of 2468 | N/A | N/A | C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe |
| PID 3552 wrote to memory of 2468 | N/A | N/A | C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe |
| PID 3552 wrote to memory of 4992 | N/A | N/A | C:\Windows\system32\consent.exe |
| PID 3552 wrote to memory of 4992 | N/A | N/A | C:\Windows\system32\consent.exe |
| PID 3552 wrote to memory of 4296 | N/A | N/A | C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe |
| PID 3552 wrote to memory of 4296 | N/A | N/A | C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe |
| PID 3552 wrote to memory of 2168 | N/A | N/A | C:\Windows\system32\SppExtComObj.Exe |
| PID 3552 wrote to memory of 2168 | N/A | N/A | C:\Windows\system32\SppExtComObj.Exe |
| PID 3552 wrote to memory of 2340 | N/A | N/A | C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe |
| PID 3552 wrote to memory of 2340 | N/A | N/A | C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe |
| PID 3552 wrote to memory of 2500 | N/A | N/A | C:\Windows\system32\mblctr.exe |
| PID 3552 wrote to memory of 2500 | N/A | N/A | C:\Windows\system32\mblctr.exe |
| PID 3552 wrote to memory of 3664 | N/A | N/A | C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe |
| PID 3552 wrote to memory of 3664 | N/A | N/A | C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bf2b8dfb0ae1a87d53b7df0eba45900.dll,#1
C:\Windows\system32\sessionmsg.exe
C:\Windows\system32\sessionmsg.exe
C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe
C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe
C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe
C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe
C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\SppExtComObj.Exe
C:\Windows\system32\mblctr.exe
C:\Windows\system32\mblctr.exe
C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe
C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe
C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe
C:\Windows\system32\consent.exe
C:\Windows\system32\consent.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
memory/2044-0-0x00000202CE140000-0x00000202CE147000-memory.dmp
memory/2044-1-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-8-0x00007FFA75E5A000-0x00007FFA75E5B000-memory.dmp
memory/3552-7-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-9-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-10-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-14-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-18-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-19-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-24-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-23-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-22-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-26-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-25-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-27-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-28-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-29-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-21-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-30-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-31-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-32-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-20-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-17-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-16-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-15-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-13-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-12-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-11-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-6-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-4-0x0000000000F90000-0x0000000000F91000-memory.dmp
memory/3552-34-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-35-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-36-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-40-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-39-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-41-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-42-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-38-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-37-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-43-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-44-0x0000000000F50000-0x0000000000F57000-memory.dmp
memory/3552-33-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-52-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-53-0x00007FFA76040000-0x00007FFA76050000-memory.dmp
memory/2044-51-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-62-0x0000000140000000-0x00000001401BC000-memory.dmp
memory/3552-64-0x0000000140000000-0x00000001401BC000-memory.dmp
C:\Users\Admin\AppData\Local\Hdq7E\DUser.dll
| MD5 | 3ecaa73db340e8c72f04b5d846fca7ca |
| SHA1 | a8c71ff5ef401db413e39a51355b27f4a9636339 |
| SHA256 | 0f9ab8c86592a6f22c890734e5dd856fff622a489150773170c5fa6f12cb0f15 |
| SHA512 | a83b6e62ba6e9eb106465dd340ad4851c4272928759a9f66dde10e4863ea0c81ca24aa35ab8216d6cbdea726c3f2c517cfaf81a0c55efde0f4eecab09e658365 |
C:\Users\Admin\AppData\Local\Hdq7E\sessionmsg.exe
| MD5 | 480f710806b68dfe478ca1ec7d7e79cc |
| SHA1 | b4fc97fed2dbff9c4874cb65ede7b50699db37cd |
| SHA256 | 2416cd4aa577dbb2f8790a61e36fbab2b30bff81a4e1f67a5151c2fec29585bc |
| SHA512 | 29d3d234ebc45049a533b6a91b246ac043a56b9af67276aaf493b014ae34d73000f99a6b0c0b85d2dfb7fba54811cf8bbdfd167a9eed01a8617b7f05bf2971db |
C:\Users\Admin\AppData\Local\Hdq7E\DUser.dll
| MD5 | 3cf5410bf3c4e84a07a130be752e3a60 |
| SHA1 | 90ebd2ee19fef8b5b83741c6a64b5e6a3ee3553e |
| SHA256 | 137e1017e3b089328277f18c70b551da675eebef81656b6ab8b3c4560a619749 |
| SHA512 | 0a59e7bfa8593a36f5a99d34b7c2bec32a0204bc9d5494b8a586589c654fab20acabf6c12fe8c2b21eac5de0d7fd0d8cb2ab57e19a4147fb9203adf432feadb4 |
memory/2468-73-0x0000000140000000-0x00000001401BE000-memory.dmp
memory/2468-75-0x000001C0FC7D0000-0x000001C0FC7D7000-memory.dmp
memory/2468-79-0x0000000140000000-0x00000001401BE000-memory.dmp
C:\Users\Admin\AppData\Local\IFt4W1tIe\ACTIVEDS.dll
| MD5 | c9f6e6682e4e91ed12a1dc3d21e62efb |
| SHA1 | 1ebe640e53ac67e5e7a1943bc43443de3642db62 |
| SHA256 | e81c36d1ad40f292541d4783038c65e6f61d95b3486535ccd55a90e3bc8352e6 |
| SHA512 | 0f7b7db1b391e6092ed16f0a4f63479257fdec59aebbb8bcc2d9ae737f921ac9b80e3951d225700c61dd77595e1c6c5afb515664ec1cd8e8eee0199edd28cc6f |
C:\Users\Admin\AppData\Local\IFt4W1tIe\ACTIVEDS.dll
| MD5 | b74c410efc0be2c402004decd33780d6 |
| SHA1 | aa560f031e4f9023d4845710010c5a0d93011821 |
| SHA256 | 86b6009efb0312b0896da5f5bb56b21d2ff15e442f4e6b1a08e5af1495303ec2 |
| SHA512 | 0c95747b0a6b9c7a5ce2ff722fd450f9d8639c9e176159bba8a97314edba185839ceb207989bc0954d77401295b2791d8be4fe5252ba8a52a8dff8c3ac61699a |
memory/2340-99-0x0000000140000000-0x00000001401BD000-memory.dmp
memory/2340-104-0x0000000140000000-0x00000001401BD000-memory.dmp
memory/2340-98-0x000001F1B8EB0000-0x000001F1B8EB7000-memory.dmp
C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe
| MD5 | 4bdbe0723e3d0850febbf8c524bbaaae |
| SHA1 | 6e8698f2392aaf02440e679e6baaaec1d4a163c8 |
| SHA256 | 72e5ff540de63737ab98ed58e5f9e2136dd96eb91481c131c76714a4fe9a0630 |
| SHA512 | b0e9aa0494059e87c5dd0aed546b8c32583539b85a4c8ea2ef245b9ac648c5f8769e55bcd08dd336f028355f5cf05d151828e2ba19ad988c549542ba9055a838 |
C:\Users\Admin\AppData\Local\IFt4W1tIe\SppExtComObj.Exe
| MD5 | f4ffd37463488cd21b73810e7cfa46df |
| SHA1 | baba51e90b5b75bc2376bf83d370aded220197e0 |
| SHA256 | e605ec1915b24c19aba48f62b26e8255b7f5cf1e9946f4ba2cf2f3afb5d1d6ad |
| SHA512 | f4b985d86ce91477beb3ffb96706318890567e22727a138095d162071b734ce5e082bff77f4f5eab147bd72514a856a15f7416e8f8806b620cdfb99f1d5bcd45 |
C:\Users\Admin\AppData\Local\AYzwzV\WINMM.dll
| MD5 | 882347c1b447d106cf94258c04835248 |
| SHA1 | e21334f3ece6f76ea14c38400ae607fa2ad0a6e4 |
| SHA256 | 86f173b7152ef5db22483ba5bccd74374d7ff615bdcf6e5fd76c4d4e87928e84 |
| SHA512 | a0f2a63ff139b10a86de465d4e9c0b76843d472156df8ab79f5db4222a92baeded4bb460040921435f689df19b3b4bc3ff73a375fb218d7827191a9fdda45f1b |
memory/3664-115-0x0000023165C90000-0x0000023165C97000-memory.dmp
C:\Users\Admin\AppData\Local\AYzwzV\WINMM.dll
| MD5 | 289f2848ef9d24b3ea00092a6d4533f8 |
| SHA1 | 7f7d19bbcb7863cea350bb5309e9b4fed6acf30a |
| SHA256 | af2f900a3de0b85166c99393551d303f2fd5859234aadc764768000a4d6a915c |
| SHA512 | 585817c78a64cc37f1ee9a0bcd0db8e55a022d20734f972d9a17fc05201e52f6e455f1f305786fb1e5102e9ecaa1eb97f29fc96f900e8ab6b77f43075e8af417 |
C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe
| MD5 | e7398b4378c9ae087d680836893b0e7f |
| SHA1 | 8a547a9bd5a1d56efd37bab774d77edbd2380364 |
| SHA256 | a5ea5969e2e27b06a7dbf313a3ec29352d121552b22a90077c82d6adb967762c |
| SHA512 | c726ba04b6e87b260e24f4371c3475855b98ac5c1f2fdcdcdcc23fcc5b7994effddd8c6638143c7322081184911231d9117572e7f9553437662a14b402c609b1 |
C:\Users\Admin\AppData\Local\AYzwzV\mblctr.exe
| MD5 | 80f06d5105497a698a4dd58003a72474 |
| SHA1 | 32c3ee2da3ef7150d3771e1f751507c86fd37dc7 |
| SHA256 | 1030fc0e4f555791acf128d5c083b1b769ebb5ce3b16a4ee128eeabf6acb64e8 |
| SHA512 | d267cad0b80b18773f5720dcb2fa87081a810afa39729012d47d54a01ca414276190c2c5c07d2940c8ae3afcd739c452f158371a56d135aac4c22fe0e5a9d529 |
C:\Users\Admin\AppData\Local\6JQ3J7Ek\consent.exe
| MD5 | 6646631ce4ad7128762352da81f3b030 |
| SHA1 | 1095bd4b63360fc2968d75622aa745e5523428ab |
| SHA256 | 56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64 |
| SHA512 | 1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk
| MD5 | e4f980761d4b2f50131e45abd59d7a60 |
| SHA1 | 46395e85449028a574e26fa3c7fa2ac850a9cd56 |
| SHA256 | bbec79f875831f6a9f1be483ad71395b715ed75e5a7da4a02bc51d45c4624aa1 |
| SHA512 | 9cefa29f4ed047545df2841ef00cfd6ca3c86f24423febb2de6e9d6c4b8dffb567373d630c058bbe864b7a726e05a01aa0aaeac585ac26328c91ca92199d2183 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\uYd\DUser.dll
| MD5 | 0bc88fc73b87d666758fb6bf0c1ccfdd |
| SHA1 | 8ab7c6cc57acd6583d6bb2c75cd2997d0626a80e |
| SHA256 | c7fe682588c725ac2cc45f7280e84e6c5b19383683f1ffc3b288b306e9aa393f |
| SHA512 | e3405478899b567035e6d2781c3a3573a4f43c1db214cbecf61580d375d7e0277ffae7ae89f132b66cc643ebefb04e386b13bd1f31c01e5d12d4c11c7b3be800 |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\9Apeh8FC6\ACTIVEDS.dll
| MD5 | 7d2492ee437fb311530ccb848975db4b |
| SHA1 | 8f6e81c3ed775887a359f81332f186ca916f373d |
| SHA256 | 53807ab411bcc7b41622999af736d045858069ff96dcbb11b77ef3cdccba7040 |
| SHA512 | f303441759c9efce6c8b1b24f349d515496962646ef63e982cfc62fcecdaaefedc3077da12b4276b2ed89df1524e7406f0fa9b3e185a5ccabb7f70a554d5837e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\uYd\rY4tacONr\WINMM.dll
| MD5 | af21885de1e84dddf5e04757b7c2623f |
| SHA1 | 9d7682f0993b6eac54949958de60c50df7848b52 |
| SHA256 | 852dde5ad8c75257a87fa6dc69b5ad6d802873b31ecc4e667124b085c41d9ac9 |
| SHA512 | 23e6ed8831a251544cd8592f4637faaed813cabe719cb007c4a6db81c7d5e27477c55fcf54807002b8bc77997e4430710868f03f9532d9176432d52ff8421e87 |