Malware Analysis Report

2024-11-15 08:50

Sample ID: 240121-l66h5sbdf8
Target: 6d08db5aa8c6eec9c991d6a14bd58a5f
SHA256: b183bd1e5a5f6a08cdb529a91cb1a1049d1b0f9700f6a10bf3716e17acb79d43
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: b183bd1e5a5f6a08cdb529a91cb1a1049d1b0f9700f6a10bf3716e17acb79d43
Threat Level: Known bad

The file 6d08db5aa8c6eec9c991d6a14bd58a5f was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-21 10:09

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-21 10:09
Reported: 2024-01-21 10:12
Platform: win7-20231215-en
Max time kernel: 149s
Max time network: 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d08db5aa8c6eec9c991d6a14bd58a5f.dll,#1

Signatures

Dridex (tags: botnet, dridex)

Dridex Shellcode (tags: botnet, payload)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\868\msinfo32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\JoJxAa\TpmInit.exe N/A

Adds Run key to start application (tags: persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\NTPvJN\\xpsrchvw.exe" N/A N/A

Checks whether UAC is enabled (tags: evasion, trojan)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\868\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\JoJxAa\TpmInit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 2576 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1188 wrote to memory of 2576 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1188 wrote to memory of 2576 N/A N/A C:\Windows\system32\msinfo32.exe
PID 1188 wrote to memory of 1624 N/A N/A C:\Users\Admin\AppData\Local\868\msinfo32.exe
PID 1188 wrote to memory of 1624 N/A N/A C:\Users\Admin\AppData\Local\868\msinfo32.exe
PID 1188 wrote to memory of 1624 N/A N/A C:\Users\Admin\AppData\Local\868\msinfo32.exe
PID 1188 wrote to memory of 2736 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1188 wrote to memory of 2736 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1188 wrote to memory of 2736 N/A N/A C:\Windows\system32\xpsrchvw.exe
PID 1188 wrote to memory of 2788 N/A N/A C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe
PID 1188 wrote to memory of 2788 N/A N/A C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe
PID 1188 wrote to memory of 2788 N/A N/A C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe
PID 1188 wrote to memory of 320 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1188 wrote to memory of 320 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1188 wrote to memory of 320 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1188 wrote to memory of 2456 N/A N/A C:\Users\Admin\AppData\Local\JoJxAa\TpmInit.exe
PID 1188 wrote to memory of 2456 N/A N/A C:\Users\Admin\AppData\Local\JoJxAa\TpmInit.exe
PID 1188 wrote to memory of 2456 N/A N/A C:\Users\Admin\AppData\Local\JoJxAa\TpmInit.exe

Uses Task Scheduler COM API (tags: persistence)

Processes

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d08db5aa8c6eec9c991d6a14bd58a5f.dll,#1

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\868\msinfo32.exe

C:\Users\Admin\AppData\Local\2f80XIFH\xpsrchvw.exe

C:\Windows\system32\xpsrchvw.exe

C:\Users\Admin\AppData\Local\JoJxAa\TpmInit.exe

C:\Windows\system32\TpmInit.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-21 10:09
Reported: 2024-01-21 10:12
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d08db5aa8c6eec9c991d6a14bd58a5f.dll,#1

Signatures

Dridex (tags: botnet, dridex)

Dridex Shellcode (tags: botnet, payload)

Adds Run key to start application (tags: persistence)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\EUlJnF1n\\sdclt.exe" N/A N/A

Checks whether UAC is enabled (tags: evasion, trojan)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\vlO3\msconfig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hgF\sdclt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\16Ctixbp\SnippingTool.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3468 wrote to memory of 3300 N/A N/A C:\Windows\system32\msconfig.exe
PID 3468 wrote to memory of 3300 N/A N/A C:\Windows\system32\msconfig.exe
PID 3468 wrote to memory of 4460 N/A N/A C:\Users\Admin\AppData\Local\vlO3\msconfig.exe
PID 3468 wrote to memory of 4460 N/A N/A C:\Users\Admin\AppData\Local\vlO3\msconfig.exe
PID 3468 wrote to memory of 2472 N/A N/A C:\Windows\system32\sdclt.exe
PID 3468 wrote to memory of 2472 N/A N/A C:\Windows\system32\sdclt.exe
PID 3468 wrote to memory of 2096 N/A N/A C:\Users\Admin\AppData\Local\hgF\sdclt.exe
PID 3468 wrote to memory of 2096 N/A N/A C:\Users\Admin\AppData\Local\hgF\sdclt.exe
PID 3468 wrote to memory of 4056 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 3468 wrote to memory of 4056 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 3468 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\16Ctixbp\SnippingTool.exe
PID 3468 wrote to memory of 1104 N/A N/A C:\Users\Admin\AppData\Local\16Ctixbp\SnippingTool.exe

Uses Task Scheduler COM API (tags: persistence)

Processes

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d08db5aa8c6eec9c991d6a14bd58a5f.dll,#1

C:\Windows\system32\msconfig.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\SnippingTool.exe

C:\Users\Admin\AppData\Local\16Ctixbp\SnippingTool.exe

C:\Users\Admin\AppData\Local\hgF\sdclt.exe

C:\Users\Admin\AppData\Local\vlO3\msconfig.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files
