Malware Analysis Report

2024-11-15 08:50

Sample ID 240122-dxwzcafcdr
Target 6e98953bf2fdd7c3a404f182f3070944
SHA256 995bc9b977d5419139f29029dd2d9df2ce41f3a0496ec39a37946620a20d877a
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

995bc9b977d5419139f29029dd2d9df2ce41f3a0496ec39a37946620a20d877a

Threat Level: Known bad

The file 6e98953bf2fdd7c3a404f182f3070944 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 03:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 03:23

Reported

2024-01-22 03:26

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e98953bf2fdd7c3a404f182f3070944.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\GukUKJE2\calc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\ZGEKhbfKL\psr.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Y39E0mafX\recdisc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\SuPZMa\tabcal.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\mkeYyQPRag\\recdisc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\GukUKJE2\calc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ZGEKhbfKL\psr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Y39E0mafX\recdisc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\SuPZMa\tabcal.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 3028 N/A N/A C:\Windows\system32\calc.exe
PID 1228 wrote to memory of 3028 N/A N/A C:\Windows\system32\calc.exe
PID 1228 wrote to memory of 3028 N/A N/A C:\Windows\system32\calc.exe
PID 1228 wrote to memory of 2404 N/A N/A C:\Users\Admin\AppData\Local\GukUKJE2\calc.exe
PID 1228 wrote to memory of 2404 N/A N/A C:\Users\Admin\AppData\Local\GukUKJE2\calc.exe
PID 1228 wrote to memory of 2404 N/A N/A C:\Users\Admin\AppData\Local\GukUKJE2\calc.exe
PID 1228 wrote to memory of 1172 N/A N/A C:\Windows\system32\psr.exe
PID 1228 wrote to memory of 1172 N/A N/A C:\Windows\system32\psr.exe
PID 1228 wrote to memory of 1172 N/A N/A C:\Windows\system32\psr.exe
PID 1228 wrote to memory of 1276 N/A N/A C:\Users\Admin\AppData\Local\ZGEKhbfKL\psr.exe
PID 1228 wrote to memory of 1276 N/A N/A C:\Users\Admin\AppData\Local\ZGEKhbfKL\psr.exe
PID 1228 wrote to memory of 1276 N/A N/A C:\Users\Admin\AppData\Local\ZGEKhbfKL\psr.exe
PID 1228 wrote to memory of 988 N/A N/A C:\Windows\system32\recdisc.exe
PID 1228 wrote to memory of 988 N/A N/A C:\Windows\system32\recdisc.exe
PID 1228 wrote to memory of 988 N/A N/A C:\Windows\system32\recdisc.exe
PID 1228 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Y39E0mafX\recdisc.exe
PID 1228 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Y39E0mafX\recdisc.exe
PID 1228 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Y39E0mafX\recdisc.exe
PID 1228 wrote to memory of 2628 N/A N/A C:\Windows\system32\tabcal.exe
PID 1228 wrote to memory of 2628 N/A N/A C:\Windows\system32\tabcal.exe
PID 1228 wrote to memory of 2628 N/A N/A C:\Windows\system32\tabcal.exe
PID 1228 wrote to memory of 2156 N/A N/A C:\Users\Admin\AppData\Local\SuPZMa\tabcal.exe
PID 1228 wrote to memory of 2156 N/A N/A C:\Users\Admin\AppData\Local\SuPZMa\tabcal.exe
PID 1228 wrote to memory of 2156 N/A N/A C:\Users\Admin\AppData\Local\SuPZMa\tabcal.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e98953bf2fdd7c3a404f182f3070944.dll,#1

C:\Windows\system32\calc.exe

C:\Windows\system32\calc.exe

C:\Users\Admin\AppData\Local\GukUKJE2\calc.exe

C:\Users\Admin\AppData\Local\GukUKJE2\calc.exe

C:\Windows\system32\psr.exe

C:\Windows\system32\psr.exe

C:\Users\Admin\AppData\Local\ZGEKhbfKL\psr.exe

C:\Users\Admin\AppData\Local\ZGEKhbfKL\psr.exe

C:\Windows\system32\recdisc.exe

C:\Windows\system32\recdisc.exe

C:\Users\Admin\AppData\Local\Y39E0mafX\recdisc.exe

C:\Users\Admin\AppData\Local\Y39E0mafX\recdisc.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Users\Admin\AppData\Local\SuPZMa\tabcal.exe

C:\Users\Admin\AppData\Local\SuPZMa\tabcal.exe

Network

N/A

Files

\Users\Admin\AppData\Local\GukUKJE2\calc.exe

MD5 10e4a1d2132ccb5c6759f038cdb6f3c9
SHA1 42d36eeb2140441b48287b7cd30b38105986d68f
SHA256 c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b
SHA512 9bd44afb164ab3e09a784c765cd03838d2e5f696c549fc233eb5a69cada47a8e1fb62095568cb272a80da579d9d0e124b1c27cf61bb2ac8cf6e584a722d8864d

C:\Users\Admin\AppData\Local\GukUKJE2\VERSION.dll

MD5 bde6641292d720dd56057a18e50922f5
SHA1 98f6913079c749af587c26852d5f27738277b351
SHA256 24720d623864c0f590d9dad00114c20bf621bede64bc02ae765f62d72643d8e0
SHA512 0dc6d040ace983fde7f82f72d5af7a334cce266817c00cfab699ffc59bce425e12ed30e961e83098b079e7a77c9347bfdd022e736144cf5544c8c9a24ff9e471

\Users\Admin\AppData\Local\ZGEKhbfKL\psr.exe

MD5 a80527109d75cba125d940b007eea151
SHA1 facf32a9ede6abfaa09368bfdfcfec8554107272
SHA256 68910f8aae867e938b6a3b76cdf176898ba275d9ade85b4ce00b03232de4c495
SHA512 77b86a597c33af8d3fbd9711f4abe6e0ca33b86279b1d28a25dcf3545a34b221be1ad7d11004d016203809cead1ebfd4b7e889ee9df2efc100eabf77963c1774

\Users\Admin\AppData\Local\ZGEKhbfKL\OLEACC.dll

MD5 954ce73f0386a69a3335b4432b12e343
SHA1 7c6b3ee8c8e868c43253f1d6a857976e1e92ecb3
SHA256 d69dd0208a409d4b1a2d5566bbccad1d780b23bae4f9d812b2659474c371c81d
SHA512 5da3d4469c6d66c16abe166ff7cf320df6feb1288700289198b147b41108854e667e3ebeddfc6bdeb5bb660b6e0cd665f6cbe9972eb566c0bde2d995760ef00f

\Users\Admin\AppData\Local\Y39E0mafX\recdisc.exe

MD5 f3b306179f1840c0813dc6771b018358
SHA1 dec7ce3c13f7a684cb52ae6007c99cf03afef005
SHA256 dcaeb590394b42d180e23e3cef4dd135513395b026e0ed489aec49848b85b8f0
SHA512 9f9ec4c2ca6373bd738bf415d059f3536390e46e5b0a560e9ee1b190407a6d0f481c38664c51b834a9e72d8878f71c3c19e427e3a6b5ca4ec6b02d1156eb9ef4

C:\Users\Admin\AppData\Local\Y39E0mafX\ReAgent.dll

MD5 adf6b7f83f587ff6a4f2702c60a3a0b3
SHA1 768cd893c31c1f29b447a467b23a772b0decee1b
SHA256 4388a8b5332e0989261e0205bf948361ee2ac4e169f003220ff248f9216460a2
SHA512 fac2cee79a20e89ac2ced81252c42284f4ae1156f94281213d9622b2b24cb7bdebb56a168e81e0ba8f1bcaaa9b04b9fae7878e106ef51f0785e29020f96dafc8

\Users\Admin\AppData\Local\SuPZMa\tabcal.exe

MD5 98e7911befe83f76777317ce6905666d
SHA1 2780088dffe1dd1356c5dd5112a9f04afee3ee8d
SHA256 3fe8b63367b4298e70d46e87ce04cc7af5f30dfdb86b79eae41d0731d9415ea1
SHA512 fc0226381d9a6984cccac8282697c78966524e1359f7f6044559b8223e773d3c108dda08a2dd283aa171dca3390801f2c92a5d1dbb978dd7f92a67bd8877b8b6

C:\Users\Admin\AppData\Local\SuPZMa\HID.DLL

MD5 ea59b40082dd620886c253cc44b756bf
SHA1 4945943bba6cd323c3f7a57ee103c7ec1eff6881
SHA256 f3256ed7f6e6d45ca4b2ec6f81aab0b8928dee84097f88848a6b480712c1b225
SHA512 0021d3d67b1ff435ce65e45613f1223d4d1ffd6830c7290e5406d889fb0b44ba2e4570065d8474034ca9b68d6041ff21d9aa4bf3173f872a23872beb1e791545

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 66a497b400e738e6be2e940e775d4993
SHA1 12b3c17e250da0387ab2d418d5646e84a7343d50
SHA256 d31d2da9d91444670f407be7d258c244357474be667409de60282c2bc42ff674
SHA512 6b768b21c2f6ddde11eb2045f772a173c04e4c0859e8420e0144c38dcabaab4b8d6b17159a7e30798289ed7a2f1092d2ba469b9c0411981d7e2ddbbf419d8d3b

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 03:23

Reported

2024-01-22 03:26

Platform

win10v2004-20231222-en

Max time kernel

116s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e98953bf2fdd7c3a404f182f3070944.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\iut\WFS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Kkz\rstrui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sdxSbZFdt\sethc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\z3\\rstrui.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Kkz\rstrui.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\sdxSbZFdt\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\iut\WFS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 1124 N/A N/A C:\Windows\system32\WFS.exe
PID 3428 wrote to memory of 1124 N/A N/A C:\Windows\system32\WFS.exe
PID 3428 wrote to memory of 5068 N/A N/A C:\Users\Admin\AppData\Local\iut\WFS.exe
PID 3428 wrote to memory of 5068 N/A N/A C:\Users\Admin\AppData\Local\iut\WFS.exe
PID 3428 wrote to memory of 4944 N/A N/A C:\Windows\system32\rstrui.exe
PID 3428 wrote to memory of 4944 N/A N/A C:\Windows\system32\rstrui.exe
PID 3428 wrote to memory of 228 N/A N/A C:\Users\Admin\AppData\Local\Kkz\rstrui.exe
PID 3428 wrote to memory of 228 N/A N/A C:\Users\Admin\AppData\Local\Kkz\rstrui.exe
PID 3428 wrote to memory of 1880 N/A N/A C:\Windows\system32\sethc.exe
PID 3428 wrote to memory of 1880 N/A N/A C:\Windows\system32\sethc.exe
PID 3428 wrote to memory of 3216 N/A N/A C:\Users\Admin\AppData\Local\sdxSbZFdt\sethc.exe
PID 3428 wrote to memory of 3216 N/A N/A C:\Users\Admin\AppData\Local\sdxSbZFdt\sethc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6e98953bf2fdd7c3a404f182f3070944.dll,#1

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\sethc.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\Kkz\rstrui.exe

C:\Users\Admin\AppData\Local\Kkz\rstrui.exe

C:\Windows\system32\rstrui.exe

C:\Windows\system32\rstrui.exe

C:\Users\Admin\AppData\Local\sdxSbZFdt\sethc.exe

C:\Users\Admin\AppData\Local\sdxSbZFdt\sethc.exe

C:\Users\Admin\AppData\Local\iut\WFS.exe

C:\Users\Admin\AppData\Local\iut\WFS.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\iut\WINMM.dll

MD5 a7f65e73a6fe5c9c783e64fe43e4424d
SHA1 41a71b82252bd43565e7876713306aa14e5875b0
SHA256 0a98d055822bdf0c80035e9909746f5d40d7ff9970e3b5b3e0f719c86e33b30b
SHA512 bf3c0e00006bf142c0db4a1ea8a0b5121363a12d149abb1d2ad120059f08dbfa1f8b2eacc07b8f2b7172ac5601230bf77c424010d0b8ad87a5018c718ac0a24d

C:\Users\Admin\AppData\Local\iut\WFS.exe

MD5 90d5823c587ea2c8ec7a695ed239a0cc
SHA1 3ad791314004950982731e42412fd293d83ce570
SHA256 d14a8db9d7b7a36aa79e0c3102f6bd4d40761e072653eeb7bb102cd05fdfcf25
SHA512 e605beef8c526de28f1c6289232532d784e4f0ac955fca19f7b7e88deb3d72cb23d69622c117cf0cb73b2c73a7dc1976ebc714a859abc2545a0f095418bd15a2

C:\Users\Admin\AppData\Local\Kkz\rstrui.exe

MD5 32d6cf901d7752735367b4976844974a
SHA1 765f14689e961116ffe99abe3ebe7a40fc33f8af
SHA256 b47e91523630573637d7b5c9ff6b824efe9047990710b9901704b57c01dab38c
SHA512 72b078498bcb523a58db1165ca683a94090f297a122249832f00b7f2e1b7088148b9654b3a838436831804c73a34c31e20a4ef8147a88ebb781f8933f35bea55

C:\Users\Admin\AppData\Local\Kkz\SRCORE.dll

MD5 bff8e34c2f6492620d8a0979713eae54
SHA1 56d36a11ed6905d7d50d837fe0ed954d08ef1f47
SHA256 f7901d2ff0b1d6b68f67c80d7dcecbaca57a1615d14ca518823ee8006bc3d08d
SHA512 d0a1b96b7a6a525d5d1d28c973726689d6e21b5ddba9d70b5b90cabd1bf09209c5f5af1407951bed10507029c1422a7c8af74d73dd1e7a70922c27d8b273c478

C:\Users\Admin\AppData\Local\Kkz\SRCORE.dll

MD5 7d50517077b285bfad935a11fe7bc83e
SHA1 14140af2234709a1149bb2c35280926b10929fbc
SHA256 740997aeb4debbc4e4d4299a6c4a825ce38c87df1b3886a255d884b4fdef42eb
SHA512 4074569f38d9d26435791c41829bd5a665b2a1d72b7dadf40fe03eef690e6ba5100db53ba395cf2d15ff51dae07b8a63f7d2a17aad578a0870d9b4de23672fb4

C:\Users\Admin\AppData\Local\Kkz\rstrui.exe

MD5 0ba8f09df2fd0e2e9148bd0d1de9b1cd
SHA1 fe87d619c5f49bd36b0f7d7474fabf420278ed23
SHA256 ac224c01bb348fc4f0e670438cd1d0a62298107652d2e43050a4a11615010bde
SHA512 6c44482211d372ab1cf02fe6624c1b74232e19b8dcf668a89bc1482368491dea19c1bc3591351a16ddbf351be83472530bdada1ffa965c5c9dc3524b536697cb

C:\Users\Admin\AppData\Local\iut\WINMM.dll

MD5 bf397bb1b7969a6f5514eaaa4be3bd9a
SHA1 572a5c0814f42488c00104bf26e0ee91cc7c95a4
SHA256 fe0ac2411e671428ffe12b560c7b6635267e838f2614cb6550ef75aae6208236
SHA512 019396ba7b297160d019fd4e7724e8a10f277cb254f89418335dd8050e6bd186164f4dd66893fff0d5eca4a351cb086d63e114056f649ed40f2decee6379b8b9

C:\Users\Admin\AppData\Local\sdxSbZFdt\DUI70.dll

MD5 decbafee4625fbc38334eb6de3ec3515
SHA1 ebb9697316988b224a6c06359bdabe925153e3fb
SHA256 832b056b9efc9c43af6575747209f21fd3daec97ffd3e683256467bacc899ae1
SHA512 c906cc250d27dba098f54506bb6717eb4719de614c41ac0bb53c21c383586aba0523dea934976c272267fa35dd41c2dafe1832c5ef0d7c06ad19e290f496be38

C:\Users\Admin\AppData\Local\sdxSbZFdt\sethc.exe

MD5 d5dc2bac66aca20a282e040c1d5040b9
SHA1 405fcef1afc13b586ac35bfa9f3e51299a4ea31e
SHA256 f0b2410d617d485982c420a72becb1098ac3012e3feaa62d7c9e2be7556f0a7f
SHA512 cb1f6d02be59789fd90be2f8b167b79daf7c3f0189f9e967c88675971667739d987011f3c737966466cdee0f5ec4fef3ac6a28c51066c1ebc2f2e277e8c0cc84

C:\Users\Admin\AppData\Local\sdxSbZFdt\DUI70.dll

MD5 5d4247c9f46145d42de830b374803126
SHA1 f9f9a4a67bc7bc7d1f91957ce5331db74bbb9603
SHA256 0ea9e20c36abbbedf665d781e0fc2bf32f1e2e601b7b22ae6fe4f87986f872c1
SHA512 34b819bcc43d8e670599aea3bdedb488bc5c61e502653d19f7bee3e5e2f802774d106850c6dfb957a34da90cba60554a9ef1631741007a23b53e731c69c8a754

C:\Users\Admin\AppData\Local\sdxSbZFdt\sethc.exe

MD5 d59cdf3b56d8298752630036c5cc0727
SHA1 26a437b816a57ce279c686f4a7e596f2749cf096
SHA256 0c3476bda52dfd750cf7ccf017999a3c1060234c3733caf3620f90042716846b
SHA512 d1aba923152fc066982458e9219cf51d7f4b87fe745d922e9355a4d107a7ce22d1275116f1922110297ef5b197969d598af1aa0764a1cc2d6707926d741e7d4d

C:\Users\Admin\AppData\Local\iut\WFS.exe

MD5 400e259a1f4eb109d00825933098f5ef
SHA1 6c9921cd911dca95ca7cca3fc2a0c7019f83b363
SHA256 b06420b9a5627b5d76d619a9b8a25dca7e65f8661e69560614bb4f528879ad6b
SHA512 13190b6bd688307fc2937019dacdba81beb5fc9f7eed1291cec6ef481f2804ff5fbfafefd2303e241e27f0f7d26560ac8a00b748d647b29c9e733be4c0af9fec

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 2cf347ef0a14b8e3a1854c76180397e0
SHA1 5f32c7fb474f16a97dc0a0537f3a4175cc36314c
SHA256 b6dcb0eea0c46997fde5016b80429f57cedbbff09b22169ab5df7af0f890c68b
SHA512 1b7ceb988093521321016c774f8468433b1e830b8600d87e555898ce1649373e10b983700011f1615d4aefad82242e69dc46ed0c6a71777e92a3c4d7beb7c6d4

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\W5d7b\WINMM.dll

MD5 286f203d81e85c5a2bed2b5351cd16bd
SHA1 3090ea425abee75bfcbb9ecbb279b3bff3a4eeb7
SHA256 c3af4909612fb7ac7fb92c36e5adbf4e87be347d6bfa212e5ff47a68d2d34ffe
SHA512 aea9f4343f556c29edf286599fc47c5ab38d93faffa3b5ef77a6fa7647bf08484d2d244365510aa04cc186877ceb4a154354c3ff7e14a0a7a414ae23ff3af40b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\z3\SRCORE.dll

MD5 9eb22c096730416b3c514dee8f66498a
SHA1 72537d2c1dea46e341e432a8356646271315b746
SHA256 5bcc524dbf9d8aee8d61444a3787d5975e508be359e4bb4f39f1183a8c082ab2
SHA512 269da078294ebd140a8b90d3de7961998b400f5f82e7a1bb91d60e9a4bfcc32a366f5f602228a4c8f79d34140e6a573b3dcb528dbcd5f5aa8c549ccc58f7bfe7

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\p5S\DUI70.dll

MD5 ce2bd648fc67d6dc71627ff45ade3bca
SHA1 069a0c102297721ec616cdf9c971f65062023c60
SHA256 2aa109b99d14a1f011a5fd822309bda49451b71c9012870157c41c36c0c8066c
SHA512 f5eb4d7f7ac5b85f91eeb7ceb3f455a6f099bee0378cddd4824b8b1a21ac37e6c3332882d01415c869a52c4e66b35d2c72107b5074d73c7b338041ed823e9deb