Malware Analysis Report

2024-11-15 08:50

Sample ID: 240122-ckq2wseahk
Target: 6e701a6565714d75f57e4ac97c8b92cc
SHA256: bd76a02a02d4a0c8c7837fe4c4985ace8f6249f11e0a71ed9ffa55e8f4639be6
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: bd76a02a02d4a0c8c7837fe4c4985ace8f6249f11e0a71ed9ffa55e8f4639be6

Threat Level: Known bad

The file 6e701a6565714d75f57e4ac97c8b92cc was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-22 02:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-22 02:08
Reported: 2024-01-22 02:11
Platform: win7-20231129-en
Max time kernel: 149s
Max time network: 118s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6e701a6565714d75f57e4ac97c8b92cc.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Q9P\cttune.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mjgqrtoi = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\ASSETC~1\\c2\\cttune.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Q9P\cttune.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1352 wrote to memory of 2456 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 1352 wrote to memory of 2456 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 1352 wrote to memory of 2456 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 1352 wrote to memory of 2492 | N/A | N/A | C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe
PID 1352 wrote to memory of 2492 | N/A | N/A | C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe
PID 1352 wrote to memory of 2492 | N/A | N/A | C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe
PID 1352 wrote to memory of 2088 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 1352 wrote to memory of 2088 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 1352 wrote to memory of 2088 | N/A | N/A | C:\Windows\system32\cttune.exe
PID 1352 wrote to memory of 2424 | N/A | N/A | C:\Users\Admin\AppData\Local\Q9P\cttune.exe
PID 1352 wrote to memory of 2424 | N/A | N/A | C:\Users\Admin\AppData\Local\Q9P\cttune.exe
PID 1352 wrote to memory of 2424 | N/A | N/A | C:\Users\Admin\AppData\Local\Q9P\cttune.exe
PID 1352 wrote to memory of 908 | N/A | N/A | C:\Windows\system32\msra.exe
PID 1352 wrote to memory of 908 | N/A | N/A | C:\Windows\system32\msra.exe
PID 1352 wrote to memory of 908 | N/A | N/A | C:\Windows\system32\msra.exe
PID 1352 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
PID 1352 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe
PID 1352 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6e701a6565714d75f57e4ac97c8b92cc.dll

C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe

C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe

C:\Windows\system32\cttune.exe

C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\Q9P\cttune.exe

C:\Users\Admin\AppData\Local\Q9P\cttune.exe

C:\Windows\system32\cttune.exe

C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe

C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe

C:\Windows\system32\msra.exe

C:\Windows\system32\msra.exe

Network

N/A

Files

memory/2324-1-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/2324-0-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-4-0x0000000077716000-0x0000000077717000-memory.dmp

memory/1352-5-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/1352-10-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-17-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-23-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-30-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-36-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-44-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-43-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-42-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-46-0x0000000002D40000-0x0000000002D47000-memory.dmp

memory/1352-45-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-41-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-53-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-40-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-39-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-38-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-54-0x0000000077921000-0x0000000077922000-memory.dmp

memory/1352-55-0x0000000077A80000-0x0000000077A82000-memory.dmp

memory/1352-37-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-64-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-70-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-72-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-35-0x0000000140000000-0x000000014018C000-memory.dmp

\Users\Admin\AppData\Local\ve93MSX\OLEACC.dll

MD5 d29b3f13c7c69551767b77abcad4125e
SHA1 a9b279b870b45a58c1eac409147fd33a4646dcae
SHA256 d9c6ca875da779818afd6b2dbb205d5fd0e8490f22b5775a4708d4f991e1071d
SHA512 b60bf43b8520d5bd8298f142db75b8ad1d1da405c5c1153a142bbbab0252c264d3a2a79c7d5fc8db4deadb2e2980bfd1c51c482dca2844600ae53762b8df4669

C:\Users\Admin\AppData\Local\ve93MSX\OLEACC.dll

MD5 d2fa98ad090b909b45b85e954dada722
SHA1 d25dcd5a4cf0fe9489606acb2af9addef107137f
SHA256 f610159f859e99638acf379b7e66c1510c4e0869a5fe6e06c4eddd72a7a9a89b
SHA512 f77005db07a07477260e112e7f50320f0c9ac21d44688be90ff52ecb861568741c338da0d4b32c068f4ce07f5e3935352852b9a50008db83d0dad548432ab5d9

memory/2492-84-0x0000000000330000-0x0000000000337000-memory.dmp

memory/2492-82-0x0000000140000000-0x000000014018D000-memory.dmp

C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe

MD5 44c3a38325752df5ee0d885f26e7b545
SHA1 a9261793401898ff86e0cf65cf47b70a2997794e
SHA256 10cc1b4430e82e7ab9ee72c494bf6d91b284ebe30f24ad9e48430be303c527cb
SHA512 2f41483506faaca0dd067bd79eeee2f875a8bef175a81db0dd08822fbe1c77feb4f9d818efc14d92fcb30ba4a98d5a6ddbbecdfbb9f0e438fcbd1199b22bb6e1

\Users\Admin\AppData\Local\ve93MSX\cttune.exe

MD5 2d601a6850c3ea535280c828ce7fb76b
SHA1 f9bb659886a6f3e35b377c4e197694f72edd1968
SHA256 0e2ccbf8f819dffea21ed3f0413cf85dd315ff497203818e94a6e229a5aade9a
SHA512 9f5fd75406597951dad4486afe5e48270ed9ba97279cc775124978ba306660d343f3169f76825af53842c6d6762104cb8c90171ce309d14dd37e2fde5f85bff8

memory/1352-34-0x0000000140000000-0x000000014018C000-memory.dmp

C:\Users\Admin\AppData\Local\ve93MSX\cttune.exe

MD5 616858298155b77fb0d6bbb26a5cd1ba
SHA1 0e606db0dd24ec59c0c9112b10b50e2b99716e9d
SHA256 75a65e15de76118ad573bff1e6b3344cfd25ce9e196641103f66a23f7d0f0245
SHA512 1ad858b96a779698714c3687b7a0867fa33f8e8b1951144dfcaaf979c587a927f9ef6769ac24816701fb960884b0dac91fe0ffb43cf4da6fb02c02ce4af5acb5

memory/1352-33-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-32-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-31-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-29-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-28-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-27-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-26-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-25-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-24-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-22-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-21-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-20-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-19-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-18-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-16-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-15-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-14-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-13-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-12-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-11-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-9-0x0000000140000000-0x000000014018C000-memory.dmp

memory/2324-8-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1352-7-0x0000000140000000-0x000000014018C000-memory.dmp

\Users\Admin\AppData\Local\Q9P\UxTheme.dll

MD5 a25cf12a1f79cdc9676aca0a0ad6ddb6
SHA1 a2c409091408a83b3b9e516ba3e68c7990185480
SHA256 fbce1218619839b4565b7a25d201dea01b74ecb7525fe3043b15a4582527e8d5
SHA512 8cb770e0d50cde26e386c6460b6cd8946ff47de23af91ebc03a6d665b5e1fa4aadebfd91726c05bf11d218799ff89c735a69666e5744150da349c6658391606d

memory/2424-103-0x0000000000220000-0x0000000000227000-memory.dmp

C:\Users\Admin\AppData\Local\Q9P\UxTheme.dll

MD5 b5d1885a2177af486ce85408de4526ec
SHA1 d336d19263c463ac017b3054c4b2e70c639e5291
SHA256 50fda92dcf2753b304ae2728f9d04e9e110950ca882d4e85ff2eef22bcd8a0d6
SHA512 ee7c4b1bd5bf98dbaba7951e836cf1cff485cf0253d968d4d0633ebd2d7fd1414e3be9eaff440546f3a957c1965cf42a6105c94d8b49966bef9b0a6d4fba5bd9

C:\Users\Admin\AppData\Local\Q9P\cttune.exe

MD5 d1e20b16b60b6803510caef8881e1194
SHA1 93ccf27e3d3bea286447bd6ec675876048ed8e77
SHA256 b23e106251aa6f3311980f271ef823a14b27bd27631984969d219f768a435b89
SHA512 f556765774622c2fe8e15e4054b3a074cfe5d9c281142821b35513864c1de1438799c8a2e7cfdd3a4a5e89f70695cbbd871c4754909526dbdf1ef7d38101f4d5

\Users\Admin\AppData\Local\Q9P\cttune.exe

MD5 aa31ed5c61cfa7d5e5c2f635372ba429
SHA1 4424e6e7b36353e3b16903f8f438bd2dcdf89ebe
SHA256 7ee79d8602a1905d3ba50c84374490952be8c7bde744bf1915e5b02503df1a6d
SHA512 1b371e0e69e26e04dfcd881f5e142406c09f2a36e3534721d6a359b5c69c2e7ef2c24d2e618de4b39a29e39256a12b1cceb59fa83a3afaa47d1db7eb6fca061d

C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe

MD5 d58052adf867cf1cee08b892fb092b1d
SHA1 b74c7a8e8d212f1f4f4cb82362f44e7643394d05
SHA256 8653f9ab8986534f1b33eb01142a4442ff3192d784a894d00519e14197db4da2
SHA512 4420ab69c9b09467d6d15e2f302f39ad8c0954af5646f4fa2fc858b6f1e43d03a95a7e3e9529f1b5c704d8bba456ea484bee69cd5d205739d93c9bca48878468

\Users\Admin\AppData\Local\5tU0cUbmK\UxTheme.dll

MD5 c9f4655e2e65c349ea4d21556b7097af
SHA1 37bafdbc9109b9ec8a9017443960e9cc0edf4cac
SHA256 7b06676b80dbb6ac703c158914ec912b41f782fafd9fdfdff4206ee22c050232
SHA512 daf3de69239017a76af00842ff1c86f65bf6d4b04bb058d75ebd6ba8a0c90b4248229dc618749797f0959047d2043f8153bb227fe458ce7673d07f6090490828

memory/2712-120-0x0000000000290000-0x0000000000297000-memory.dmp

C:\Users\Admin\AppData\Local\5tU0cUbmK\UxTheme.dll

MD5 af23e57e9f12570ae71a028da8e9f8b1
SHA1 d98c021043ddacbf2e6a39ece38681350af11ee0
SHA256 45d9dc9ff8b4b6d6936c916df570e3ef0e7363744b389cece4adc6652d7a3ba8
SHA512 ed5e7c5f27b838624b101d765b375e02b7a93f9d8149e6c169cd0e8575dc4af65df9283fd0e93b98573b4cf573a45dbb370972d419b5338549c86f8f8e47c21d

\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe

MD5 acf25c1de82564b6517868ff6835d541
SHA1 d4e326eba523e7e7b47408d8aae1292a483d662d
SHA256 d06a5fc49b5e66e88bc685d83c271eb7019a6f17703034b37d3a4338aef639eb
SHA512 c71d575fb8eb80bc67279d8f5c067fceffeff5b13823cd0359ce73afbe37f00642de9f3e622054bc1299e6a6e7d022ebf2e7f37bd8bef67d269facb0c5bd411a

C:\Users\Admin\AppData\Local\5tU0cUbmK\msra.exe

MD5 f01c9d4555780b277c81718890ffc42f
SHA1 534cd3d56c599a2a126f11ec5b07169909ff0b10
SHA256 111398c6afa943d141fd7ebd62f0f1ff156f1a0b4faf9a370a771657f0a61927
SHA512 53f1924058da9d808c02c64d8a8ffc39cbcd6990acbaba57752f8972b8f20ef2ea727a2ff91220ca7a0744a780c1e17854ca09c85d8a1605b54ff30396fa06c9

\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\qq\msra.exe

MD5 794a278db74270984297b38c7d03e4d1
SHA1 adbc0ac6b6f1f3d2eaa081895e43e9873cf594d5
SHA256 3d229681ccdd324aea62113153e43c09ffe593bcd332e4fe165ddeaca286d619
SHA512 b24e4ae5f5103cdf84ed8714a46a45e6f48dd0eb33b7f1eb73904814cff79db861ac6ae8520be37248e438b100f670032d77ff56a2e37ed65dab65c7dce4eb47

memory/1352-140-0x0000000077716000-0x0000000077717000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dbyxyty.lnk

MD5 f3ca7089aadc220a5ae1b2ff2c97308b
SHA1 64b0d34c9af83edbe143ec190fe7f5582055b87d
SHA256 458035737261cfb51044c12dbc5806146f99a2be94936097782026423a5dddec
SHA512 6f7b894a8a8eec21d12d120a2bc38596f8c617d25bb6a5e212e281f00fecd47a4d9c1dfc5501fec1c71edefe0c7c3619ca04578c6650d58e744632a091788892

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\SXtSm77\OLEACC.dll

MD5 7e7d055d97ce50462c911ba380bde4ba
SHA1 a41e20cbdbde6b4aee6f9da95d5be6ad469d2c23
SHA256 3f2a5f31ffa7bd2ae37dc9f31f79fbbab7810544fad6fd1afd2167bad01ac7fa
SHA512 3bd788451db22b6d9beecf84c310dc975b743ae420985b2543a5c20c7fb632496135162754e416b531c154a15cd0636dcc30762957937c4170147bd1f510f568

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\c2\UxTheme.dll

MD5 386d206dfadbb216e26fee868466afb9
SHA1 5b9f741f2f72d97f48f9df97c14ed041ea8ae935
SHA256 0059b4b865c99b2ceb402aa45ab339aef29ca57fc6aa0b51075d2b8b204c247e
SHA512 f7f680af7ce1e9000107599a6c20a6566897101eb2a624876d8fd6b4558e508ed47e5597af76dfe91d1408b41312c19f2b2a2de82da715c47acdc3e8cb5fa983

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\qq\UxTheme.dll

MD5 772fb215aabbe4e188ee8ab76f4dcb7c
SHA1 faf90ccaf93b95e166371e509d4549a44a67fc2f
SHA256 2948b756f13042294114378cb6bf1600728c93489b33703b87d636e74cbea516
SHA512 57ae1952d42ca74bebca4550ceeec29ca07b895083e74fdd878441484deaa0676846f5903a47dd46fb8d9e463df90b2b316f08ed9d8d3e05479d22f3b951dcc8

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-22 02:08
Reported: 2024-01-22 02:11
Platform: win10v2004-20231215-en
Max time kernel: 152s
Max time network: 156s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6e701a6565714d75f57e4ac97c8b92cc.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\p7u\\cmstp.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3580 wrote to memory of 1400 | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe
PID 3580 wrote to memory of 1400 | N/A | N/A | C:\Windows\system32\BitLockerWizardElev.exe
PID 3580 wrote to memory of 1716 | N/A | N/A | C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe
PID 3580 wrote to memory of 1716 | N/A | N/A | C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe
PID 3580 wrote to memory of 4392 | N/A | N/A | C:\Windows\system32\Narrator.exe
PID 3580 wrote to memory of 4392 | N/A | N/A | C:\Windows\system32\Narrator.exe
PID 3580 wrote to memory of 2892 | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 3580 wrote to memory of 2892 | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 3580 wrote to memory of 4656 | N/A | N/A | C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe
PID 3580 wrote to memory of 4656 | N/A | N/A | C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe
PID 3580 wrote to memory of 3728 | N/A | N/A | C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 3580 wrote to memory of 3728 | N/A | N/A | C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 3580 wrote to memory of 1300 | N/A | N/A | C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe
PID 3580 wrote to memory of 1300 | N/A | N/A | C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6e701a6565714d75f57e4ac97c8b92cc.dll

C:\Windows\system32\BitLockerWizardElev.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe

C:\Windows\system32\Narrator.exe

C:\Windows\system32\Narrator.exe

C:\Users\Admin\AppData\Local\1IsK3mGu\Narrator.exe

C:\Users\Admin\AppData\Local\1IsK3mGu\Narrator.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe

C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 199.111.78.13.in-addr.arpa | udp

Files

memory/1000-0-0x0000000002640000-0x0000000002647000-memory.dmp

memory/1000-1-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-4-0x0000000006F30000-0x0000000006F31000-memory.dmp

memory/3580-6-0x0000000140000000-0x000000014018C000-memory.dmp

memory/1000-7-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-8-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-10-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-11-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-12-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-9-0x00007FF93046A000-0x00007FF93046B000-memory.dmp

memory/3580-13-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-14-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-15-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-16-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-17-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-18-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-19-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-20-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-21-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-22-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-23-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-24-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-25-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-26-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-27-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-28-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-29-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-30-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-31-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-33-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-32-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-35-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-34-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-36-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-37-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-38-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-40-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-39-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-41-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-43-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-42-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-44-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-46-0x0000000002270000-0x0000000002277000-memory.dmp

memory/3580-45-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-53-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-54-0x00007FF930500000-0x00007FF930510000-memory.dmp

memory/3580-63-0x0000000140000000-0x000000014018C000-memory.dmp

memory/3580-65-0x0000000140000000-0x000000014018C000-memory.dmp

C:\Users\Admin\AppData\Local\Ue2\BitLockerWizardElev.exe

MD5 8ac5a3a20cf18ae2308c64fd707eeb81
SHA1 31f2f0bdc2eb3e0d2a6cd626ea8ed71262865544
SHA256 803eb37617d450704766cb167dc9766e82102a94940a26a988ad26ab8be3f2f5
SHA512 85d0e28e4bffec709f26b2f0d20eb76373134af43bcaa70b97a03efa273b77dd4fbd4f6ee026774ce4029ab5a983aea057111efcd234ab1686a9bd0f7202748b

C:\Users\Admin\AppData\Local\Ue2\FVEWIZ.dll

MD5 54b0b224124254de976220ace8e81a88
SHA1 2947bba6da35591058c811e779e1ca6500fb1374
SHA256 3582d8247b3dddb340250a0d5cebc1ab8dd918f81c07398c0792cbc83495f493
SHA512 6272b6dacc3427b0bce983f11757dae8e7644f697275018ffc288a606f04b6170c7fe359fef78d63029b4092fe7a569bc346c18e70971ce3a701445783dcf676

memory/1716-75-0x000001C0B55C0000-0x000001C0B55C7000-memory.dmp

memory/1716-74-0x0000000140000000-0x000000014018D000-memory.dmp

memory/1716-80-0x0000000140000000-0x000000014018D000-memory.dmp

C:\Users\Admin\AppData\Local\1IsK3mGu\Narrator.exe

MD5 d92defaa4d346278480d2780325d8d18
SHA1 6494d55b2e5064ffe8add579edfcd13c3e69fffe
SHA256 69b8c93d9b262b36e2bdc223cc0d6e312cc471b49d7cc36befbba1f863a05d83
SHA512 b82c0fbc07361e4ad6e4ab171e55e1e41e9312ba995dce90696ca90f734f5d1ea11371ca046e8680ea566a1c2e0643ab86f1f6dcf6cbd05aed8448425a2830b5

C:\Users\Admin\AppData\Local\iMthGw27\cmstp.exe

MD5 4cc43fe4d397ff79fa69f397e016df52
SHA1 8fd6cf81ad40c9b123cd75611860a8b95c72869c
SHA256 f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c
SHA512 851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

C:\Users\Admin\AppData\Local\iMthGw27\VERSION.dll

MD5 83f6fba7aaa05a8381a6802d95648bd5
SHA1 60f4ab00b7d0c34e4b01c2e79b7098c507aeb6cf
SHA256 2e07be93d86813adad8ae6bf64fc6a511fa62660ba9633073a60fe99a3f61409
SHA512 4a9f3fb9bb60bb39ce735b48010646e43de55e13767e475019e9f786ecff39143776304cc0fec602547babfe41b86e6ea873551c636a9ee41f8e06d25f625917

memory/4656-102-0x000001E964CC0000-0x000001E964CC7000-memory.dmp

memory/4656-107-0x0000000140000000-0x000000014018D000-memory.dmp

C:\Users\Admin\AppData\Local\rrkeYruM\SystemPropertiesDataExecutionPrevention.exe

MD5 de58532954c2704f2b2309ffc320651d
SHA1 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
SHA256 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
SHA512 d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

C:\Users\Admin\AppData\Local\rrkeYruM\SYSDM.CPL

MD5 38f9d586bdedd52efecbd860891e2dcb
SHA1 d24ff785f7d172f3a929af386c9ea1d9b57d9725
SHA256 6aa9b56466562eb33f0ecc2ee68cd9a5d2cb3633528d8f45363333cedd51b249
SHA512 29e694e9793907e7bd977551586084c5ae9a06f1d5437ceaea173ec15e2499d8decda26301f99990761f5d4df149f3d97dc9741d4e0c8baf61b98654d964ab83

memory/1300-119-0x000001FCF4140000-0x000001FCF4147000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 37d5eb0bed06ca1b72bb550d07087061
SHA1 d0a37643101696e6ff1b3e0b2419836dcf0246fa
SHA256 257558f1698a04fc8eabe128d0de7eba6d72af2e2ada64604b7565eeb06ed0ff
SHA512 ac567c179ca4b7a51a63cef1f9eb26284bd6c34167686aaf26c323bf89943dfb197ca959543e55b6b2e27100a0327fef4aa698993fb3d5b8f7ca8b0fa128f512