Malware Analysis Report

2024-11-15 08:50

Sample ID 240121-ksdershggn
Target 6ce094e7633ddc304e6c7b56a7e56e86
SHA256 dcb4e6dfc9dea7413fcd611f3f06c684dc85f48b698fe86c13fe9884756f81da
Tags
dridex botnet evasion payload persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

dcb4e6dfc9dea7413fcd611f3f06c684dc85f48b698fe86c13fe9884756f81da

Threat Level: Known bad

The file 6ce094e7633ddc304e6c7b56a7e56e86 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 08:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 08:51

Reported

2024-01-21 08:54

Platform

win7-20231215-en

Max time kernel

149s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ce094e7633ddc304e6c7b56a7e56e86.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\M3CyXJ\\unregmp2.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2752 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1208 wrote to memory of 2752 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1208 wrote to memory of 2752 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1208 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe
PID 1208 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe
PID 1208 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe
PID 1208 wrote to memory of 2612 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1208 wrote to memory of 2612 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1208 wrote to memory of 2612 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1208 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe
PID 1208 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe
PID 1208 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe
PID 1208 wrote to memory of 1984 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1208 wrote to memory of 1984 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1208 wrote to memory of 1984 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1208 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe
PID 1208 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe
PID 1208 wrote to memory of 2888 N/A N/A C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ce094e7633ddc304e6c7b56a7e56e86.dll,#1

C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe

C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\unregmp2.exe

C:\Windows\system32\unregmp2.exe

C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe

C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe

C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Gwuh\ACTIVEDS.dll

MD5 6618e8ab0096b8d6141684ed364e59df
SHA1 55c34e3de75ce3933578190fde85a2b7a25d5dd5
SHA256 7c168c1146ebcb2d1f385d51678fb88345cee87c5759e0b2a78f883cab8b088b
SHA512 b18b3cc9ca32cbf721e3279a035718b323f123f5d33e2c8b4e17b159d056da503cdf5f8db26d9ff93e8b13e276a8156b130d307d33892abf8226e2239d56bd6c

memory/2864-75-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/2864-71-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/2864-70-0x0000000000280000-0x0000000000287000-memory.dmp

C:\Users\Admin\AppData\Local\Gwuh\ACTIVEDS.dll

MD5 00e01b38231bed66de5c95fe7acc110f
SHA1 f25d792b6e1f700cc5128121f91f3ece3207cfbe
SHA256 bdf05171fe6239b30262d7ac2315208f5187a79f14f69de9918c79d53cb02bfa
SHA512 10223c5af05e7ccdc3c68071cf6167162337aebc778fa6cca403f83b146a5d57c6659c3865bd0af1fa37c9e4cd7b18e2b1663399cdd84ff0d02b85086c8b9182

C:\Users\Admin\AppData\Local\Gwuh\TpmInit.exe

MD5 8b5eb38e08a678afa129e23129ca1e6d
SHA1 a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
SHA256 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
SHA512 a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\Beqdv5A\TpmInit.exe

MD5 cb661681711ea898dbcb4e2c1d2bed15
SHA1 8c292d24e45dcfb4c600be237afb48dd7e4eb692
SHA256 30d7058651694f3d1ffa8970213fc4d47a4f761c62d6ae4e8a55cc639d976d6e
SHA512 ce8fa00f93c347d62595c14de78deca2311ede41e64775c63db4565cd2311b69379d008ad5e6482478fee9348c4eac2dcff248991ddab666c82b55074cb2173f

\Users\Admin\AppData\Local\AycmYUL\slc.dll

MD5 e062276aaf615d105b92946b855446e3
SHA1 94340f21567d9fcd445ed2dd81bcb2ab9a4940ac
SHA256 a7a85e3a935105040f3dc50f20364faf2aae5be952f5e8174a454dbc37dfabef
SHA512 79fcb5e7428a64bcdcd12a891092b22a567a5f37b619531c1ecc68521b8c1a4a770d9d313da4f494dbda3a8189b0795f6ff029cd45e3e26a76fb3d7e1a737b57

memory/2664-92-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/2664-87-0x0000000000110000-0x0000000000117000-memory.dmp

C:\Users\Admin\AppData\Local\AycmYUL\slc.dll

MD5 afebc581cf19402bdb835bb1f8a16bd5
SHA1 1ae3c4282abb14f3d4ca47d9816c4b9b15a19abd
SHA256 75e1a6557292300eacad5912515444d1250f8dae2b7f968f6a9084b7ec993a7d
SHA512 5bb0319df0ebc65dd61f59152da0cdf31b3b0e0b999c142b9b0e57411df23a8730bb645617c1b2c711ed66b62ce0093bbb9caf7f26e1783570b4b8c07a04d6ed

C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe

MD5 fc25e5af88252293ccefbc61e065ba5f
SHA1 e598ec93f597d2337c53d3d8a712f48cd4d9d291
SHA256 1c88b47094b366e8597f5776fb59a9820ee853c596071616b855835b5b47f31c
SHA512 a1c6543ebe3c0bf4c5ab9c1d177a5dab2903372ce5bb191bddde57a099bcd96afbe3aaee47cb522fa38221222a2e642e02f9d922ca441d791ea3f639196469d0

\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe

MD5 bd0f1822dd39b3ca55c9298204b9536b
SHA1 2bde816582dea428cba88829127d3986f6947d2e
SHA256 8f4f4fc6805bd315a2312f0e2dd673f9d4f896a45ef0166a8b3acb1bf310e33c
SHA512 0930630659b6edb84c833a3495c6f5e953e7ed901ad7e7751da84578cbc84d72bd35429f15421c3bdc53ac8c6dfb8404dadbbebfa5d2b73bfb4651696f9036a8

C:\Users\Admin\AppData\Local\AycmYUL\unregmp2.exe

MD5 c9615633a77670762da82aa30b726ac9
SHA1 2ad4a23c8193c03ae971b96f51f4f3d6918ae10d
SHA256 615f5497fd774a734d1d5df0d4b163c5538fad60c079570074a50a2270727211
SHA512 bd18d75e8d82387d4e7ef88d19b750f9f7147a445431b7635878fe801115dcf055e5739db397bcafd2908acd8608b0122d219d540f81884b36cdb5a8f962c76d

C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe

MD5 ada57928e757c164cf3c1b4eb0f3b8b8
SHA1 e65211865c96a026b7cecddfdfa7d63ab655c0b0
SHA256 3efbfc7392529f70aa5c25fb92182ecc8c861be8546cae018caa163075569187
SHA512 31b9674f387b578de7b3cf3e9881d2e6aa3393faa4b31cd908b31ed2ae5756939f199855d05ff43068627d548cf0db6bebef3957647354297c08d30ae64548e4

memory/2888-110-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/2888-106-0x0000000140000000-0x00000001401BA000-memory.dmp

\Users\Admin\AppData\Local\YAi75\MFC42u.dll

MD5 5e824247b1c8ca0d72749c0bb383430d
SHA1 caebaccebaba4ce99d8874e8f209905970d07ab8
SHA256 d57daa881f013540532ba9cf6755e76a21dea69cb596bd8f240123a5a3c1de64
SHA512 29ae78cba5498dcaa45252c1963aa3e174f133dc7e99e0eb88a803d953dd5f495c273bfea1552a7d22aa220e4d7a74daf8df67fd80bf92ab01a35794356d6084

C:\Users\Admin\AppData\Local\YAi75\MFC42u.dll

MD5 2581517c201fa6f7ab9fd5c3e2ce8738
SHA1 187228ae91f866b70f8ecf0b0eb638c0b74b102e
SHA256 ec65cdcc97fb8aaf786dc021abf119b5184a7e3e1fd40d3a8177d7e4ac54a288
SHA512 238284ed2893235a536dbb30ff51764f7206ba88687e401a7e07e3ca51501b96f8e5d640cee4e86006e96d78eba11bb722a1db80085f81b54ca8fc1ae67be7b9

\Users\Admin\AppData\Local\YAi75\msinfo32.exe

MD5 b8580c902fdd73ca9ba81047609c49b3
SHA1 f53fbc2f4c4946ee7680ebf3cd2026a192752787
SHA256 0a2e1b2da02240139ef3a606d70a1335205d9e8ecb39c7d08f528132b8e7736c
SHA512 a3f8ed5a14795d4b29e7b49a1c7d13a852bc09af9e29213978c7dc59155900f5e23091ab3aef81749a3e4f5419da5259968943c4708359b3dcd8612f13ebc55b

C:\Users\Admin\AppData\Local\YAi75\msinfo32.exe

MD5 9174227d74c673e6486312640a80aa63
SHA1 4e46a053ded6f3b952a7ad7c4a8b7b10247c6385
SHA256 eeeed330460844aad5216bd66dec3e0a6ac5bb300041e995b21e7b3d29f95380
SHA512 c5de6e34c771020cd249222a1ad1b6ab9aee884f4dbd239c3352fe6847512d9d0b3881b33d9ccee7c2d35a2ec1684497f8b0b092d675251e61127835fb1f3141

\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\oZNvn\msinfo32.exe

MD5 803cdd34d755785f1a4c14d600694b51
SHA1 687e81231f63b402c00237ee4d6cdd4f0bd61809
SHA256 fd465e202417142bb7bff6d45d761af3821f62203be17e3cb3ed40c4a5ecb8bb
SHA512 475a4ff175d5389a6f29c3d4d6378232f2fb7cd6260886ce4211ab0936a37555ea5ac693ed61f0ff44c7d24096bd1a93095aacec9aa3c3c6b14ec160bfbfadae

memory/1208-130-0x0000000077976000-0x0000000077977000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 cc442d178c24a3f2780b1b2170163a68
SHA1 7f6c7a10827a6dae674d1477cfce688ebe9c6176
SHA256 c69a6625685b397d59975b9a9d963d8dd1be6dfb7764673e340533e26e9b1912
SHA512 52222f7933d801de02eaf2329cb4b1878221534531f25e49fa8ee48c754852326f076cb2911341973f998e0beded5a9ced29b47f9edfccac69c1985237a7e442

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\Beqdv5A\ACTIVEDS.dll

MD5 9ce521f467f2f7e60445bd3d19305b98
SHA1 8226150bfc517ca56b014b7c8bb3d7404b640780
SHA256 2c4845c5be438b8b095afc0fce8dc7986348f5535295ee3a61abe976dc27e4f9
SHA512 b86670d8aae6dff84eef95fef58b89719a9e1f3a260a98343c2227f3d0ec210efb619923022e83f4875008a8da25f9f74e17bec84fa29400dc8132b4e004ccbd

C:\Users\Admin\AppData\Roaming\Identities\M3CyXJ\slc.dll

MD5 b3c89196e161b4f793aee1eba04089d1
SHA1 f81da082da9aa095b0a5e8f97fcad94119dbdd74
SHA256 429fcf869391e5e1aad004404f6c9b50f6dda7feb8f6422241d56ee8ddcea485
SHA512 fb946868e701e1c9d8d9c6aba542d8855acb6bb39b3bf44b480b1b64d768ac8b24198bf44543ae3a318d5655d4d8770cc30c44bb9195306ae6d8a4a4f2d72ec8

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\oZNvn\MFC42u.dll

MD5 19056485ca943ece677f81bba2f1e4c5
SHA1 7c007ff03a9b0a972c5cbeff711ab326628ea280
SHA256 fa57ae9b61b89443cd48954d0e4024b943e14abe91be8bd1ec0026d9675c1b6d
SHA512 7ab26e5338bf1e6b793ec555e37c74450f78a3c111e881416c939f0cab20991413eedb509af7fa8be9937b50465e86afcfca7145b4efbdc471703178b2197bc3

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-21 08:51

Reported

2024-01-21 08:54

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ce094e7633ddc304e6c7b56a7e56e86.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\b1ilq\\slui.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pgvj\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8zj\slui.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\953\wscript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 2916 N/A N/A C:\Windows\system32\MusNotifyIcon.exe
PID 3532 wrote to memory of 2916 N/A N/A C:\Windows\system32\MusNotifyIcon.exe
PID 3532 wrote to memory of 732 N/A N/A C:\Users\Admin\AppData\Local\pgvj\MusNotifyIcon.exe
PID 3532 wrote to memory of 732 N/A N/A C:\Users\Admin\AppData\Local\pgvj\MusNotifyIcon.exe
PID 3532 wrote to memory of 2300 N/A N/A C:\Windows\system32\slui.exe
PID 3532 wrote to memory of 2300 N/A N/A C:\Windows\system32\slui.exe
PID 3532 wrote to memory of 3708 N/A N/A C:\Users\Admin\AppData\Local\8zj\slui.exe
PID 3532 wrote to memory of 3708 N/A N/A C:\Users\Admin\AppData\Local\8zj\slui.exe
PID 3532 wrote to memory of 2164 N/A N/A C:\Windows\system32\wscript.exe
PID 3532 wrote to memory of 2164 N/A N/A C:\Windows\system32\wscript.exe
PID 3532 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\953\wscript.exe
PID 3532 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\953\wscript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6ce094e7633ddc304e6c7b56a7e56e86.dll,#1

C:\Windows\system32\MusNotifyIcon.exe

C:\Windows\system32\MusNotifyIcon.exe

C:\Users\Admin\AppData\Local\pgvj\MusNotifyIcon.exe

C:\Users\Admin\AppData\Local\pgvj\MusNotifyIcon.exe

C:\Windows\system32\slui.exe

C:\Windows\system32\slui.exe

C:\Users\Admin\AppData\Local\8zj\slui.exe

C:\Users\Admin\AppData\Local\8zj\slui.exe

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\953\wscript.exe

C:\Users\Admin\AppData\Local\953\wscript.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\pgvj\MusNotifyIcon.exe

MD5 c54b1a69a21e03b83ebb0aeb3758b6f7
SHA1 b32ee7e5b813554c4b8e8f96f176570e0f6e8b6c
SHA256 ac3e12011b70144cc84539bbccacdfae35bd4ea3ee61b4a9fca5f082d044d8bf
SHA512 2680ab501ffe7d40fed28eb207d812880c8a71d71a29d59ba3da27c0bae98c74893e04807d93fba7b5e673c3e13a1ad21bfaab10bdb871d83349ff4e7c614b19

C:\Users\Admin\AppData\Local\pgvj\XmlLite.dll

MD5 63b235765fc17589e41d8625c926a631
SHA1 aa68b4ccdc12dc8a093cc8f09022859934f0241f
SHA256 0da5a71a04b00330992efd247aa4baffd4e6c01e01cc6cddd5f2f2939acf746b
SHA512 a4d6557412222f2f0d600b041013e487fa32d1fa675f85f0e3d746fdc4bb79bb15d0eed3f10d55c1d7f8347e1c82b029159f1385a33ecbf2ea229634c8f4a24f

memory/732-63-0x000001F8622B0000-0x000001F8622B7000-memory.dmp

memory/732-62-0x0000000140000000-0x00000001401B4000-memory.dmp

memory/732-68-0x0000000140000000-0x00000001401B4000-memory.dmp

C:\Users\Admin\AppData\Local\8zj\slui.exe

MD5 eb725ea35a13dc18eac46aa81e7f2841
SHA1 c0b3304c970324952e18c4a51073e3bdec73440b
SHA256 25e7624d469a592934ab8c509d12c153c2799e604c2a4b8a83650a7268577dff
SHA512 39192a1fad29654b3769f007298eff049d0688a3cb51390833ec563f44f9931cd3f6f8693db37b649b061b5aab379b166c15dade56d0fc414375243320375b26

C:\Users\Admin\AppData\Local\8zj\WINBRAND.dll

MD5 fa67e94f768921cd0fa15cd8197c4327
SHA1 24e00655fca6f191c469ac8a978b277220c21db4
SHA256 0f61a93ffa93c36426c990f3812008b432838b88a5fb8902f75cae5b7135beb1
SHA512 6193c7b5435110865d6dbbc4868ea20179b02fd8103ae348556d70641cc63ad26a7616b09d4e132d85e89c992888acb59ee86544efde09e5551c06adc0a6de70

memory/3708-79-0x0000012B7DBE0000-0x0000012B7DBE7000-memory.dmp

memory/3708-85-0x0000000140000000-0x00000001401B4000-memory.dmp

C:\Users\Admin\AppData\Local\953\VERSION.dll

MD5 5bea0a6c3ddb0ada28bf7c0bfb3f093f
SHA1 27da8388017d52440645fc1bcd4eaca388a5f494
SHA256 ccc8dcb3394b5b86231a75ab890b6613e4c20caec21dedee04cfe718d633fed0
SHA512 b74ff36440e45cfe4da57ca2983ba66e9c71ba3a1dcb65d6cc105db9523f598998dd538dbf04dd8a3a24f396d37a797e0373cf857a8aaa5df27d68403443f586

C:\Users\Admin\AppData\Local\953\wscript.exe

MD5 a47cbe969ea935bdd3ab568bb126bc80
SHA1 15f2facfd05daf46d2c63912916bf2887cebd98a
SHA256 34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100
SHA512 f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

memory/2664-96-0x00000208F73B0000-0x00000208F73B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 0bb0b6ac67c15c21b988b2782c52d949
SHA1 74cf236b848dd521cc0a3784d59526a40105751e
SHA256 5f268cdcd92bb2602c2716b1e1e080389762aa8cbb7f04605e578ba1d565e19d
SHA512 545181331fb3d2ebfde40b1e32821865fcc85461e557f56c29b19ebca359f0c21bb40caf611160fde6bcf2ee5fcd6f5e6abcb177f9acd5f36ff3662658b57484