Malware Analysis Report

2024-11-15 08:50

Sample ID 240122-gb5adahegm
Target 6edcb3e9a95b87f3dd31d12871219ad1
SHA256 fcec9ee59606ca5763dd3f779b2fb2e60ec8a2382cf095b0b00634a4c5ff6bee
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

fcec9ee59606ca5763dd3f779b2fb2e60ec8a2382cf095b0b00634a4c5ff6bee

Threat Level: Known bad

The file 6edcb3e9a95b87f3dd31d12871219ad1 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, persistence, trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 05:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 05:38

Reported

2024-01-22 05:41

Platform

win7-20231215-en

Max time kernel

150s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6edcb3e9a95b87f3dd31d12871219ad1.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\4Ne\TpmInit.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\UPVinfCysLm\\DevicePairingWizard.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4Ne\TpmInit.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | N/A | N/A (x61 rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1228 wrote to memory of 1796 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe
PID 1228 wrote to memory of 1796 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe
PID 1228 wrote to memory of 1796 | N/A | N/A | C:\Windows\system32\DisplaySwitch.exe
PID 1228 wrote to memory of 2624 | N/A | N/A | C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe
PID 1228 wrote to memory of 2624 | N/A | N/A | C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe
PID 1228 wrote to memory of 2624 | N/A | N/A | C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe
PID 1228 wrote to memory of 1664 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe
PID 1228 wrote to memory of 1664 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe
PID 1228 wrote to memory of 1664 | N/A | N/A | C:\Windows\system32\DevicePairingWizard.exe
PID 1228 wrote to memory of 2484 | N/A | N/A | C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe
PID 1228 wrote to memory of 2484 | N/A | N/A | C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe
PID 1228 wrote to memory of 2484 | N/A | N/A | C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe
PID 1228 wrote to memory of 3032 | N/A | N/A | C:\Windows\system32\TpmInit.exe
PID 1228 wrote to memory of 3032 | N/A | N/A | C:\Windows\system32\TpmInit.exe
PID 1228 wrote to memory of 3032 | N/A | N/A | C:\Windows\system32\TpmInit.exe
PID 1228 wrote to memory of 3036 | N/A | N/A | C:\Users\Admin\AppData\Local\4Ne\TpmInit.exe
PID 1228 wrote to memory of 3036 | N/A | N/A | C:\Users\Admin\AppData\Local\4Ne\TpmInit.exe
PID 1228 wrote to memory of 3036 | N/A | N/A | C:\Users\Admin\AppData\Local\4Ne\TpmInit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6edcb3e9a95b87f3dd31d12871219ad1.dll

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Users\Admin\AppData\Local\4Ne\TpmInit.exe

C:\Users\Admin\AppData\Local\4Ne\TpmInit.exe

Network

N/A

Files

memory/2524-1-0x0000000140000000-0x0000000140162000-memory.dmp

memory/2524-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/1228-4-0x0000000077086000-0x0000000077087000-memory.dmp

memory/1228-5-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/1228-14-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-13-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-12-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-11-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-10-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-9-0x0000000140000000-0x0000000140162000-memory.dmp

memory/2524-8-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-7-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-15-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-16-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-17-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-18-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-20-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-21-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-19-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-22-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-23-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-27-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-26-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-25-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-24-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-28-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-29-0x00000000029D0000-0x00000000029D7000-memory.dmp

memory/1228-36-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-37-0x0000000077291000-0x0000000077292000-memory.dmp

memory/1228-38-0x00000000773F0000-0x00000000773F2000-memory.dmp

memory/1228-47-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1228-53-0x0000000140000000-0x0000000140162000-memory.dmp

C:\Users\Admin\AppData\Local\wzL\DisplaySwitch.exe

MD5 b795e6138e29a37508285fc31e92bd78
SHA1 d0fe0c38c7c61adbb77e58d48b96cd4bf98ecd4a
SHA256 01a9733871baa8518092bade3fce62dcca14cdf6fc55b98218253580b38d7659
SHA512 8312174a77bab5fef7c4e9efff66c43d3515b02f5766ed1d3b9bd0abb3d7344a9a22cbac228132098428c122293d2b1898b3a2d75f5e4247b1dcb9aa9c7913b1

\Users\Admin\AppData\Local\wzL\slc.dll

MD5 4e894969f989fb8e7bc98273ed64ce24
SHA1 eb3bd1c1217dd622d485fcefabb34c00de435fb6
SHA256 1cf85f751986445565ada0424f4530549e2ec940d75372c646d80aa05021d10f
SHA512 91c3cd7b3f421cc28c3259d25bdad3be5e2cd1342934e23eb505efd3a166c9c0cb641a7c806d1bf8acc51c9fd4c7b90b393e6eb28ee409aa71915168156390e3

memory/2624-66-0x0000000140000000-0x0000000140163000-memory.dmp

memory/2624-65-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\wzL\slc.dll

MD5 5ddca64654e7e37fd357ef3c2876116e
SHA1 954a35290383c3900c30e79593e8883f0e991eb3
SHA256 f65626d967fe0f91986e667db87d4d79f80a413e3d1a1da698b43052a17cdd7b
SHA512 dca4a6810bcd1b8fb3dc49b3c482c90b1cf5a544fb8880ae92dc2f3660d54b3c0e44f6c29fbcec621949d0c70983b60c15dd7aa832206312f0b61aa7a68a5311

memory/2624-70-0x0000000140000000-0x0000000140163000-memory.dmp

memory/1228-56-0x0000000140000000-0x0000000140162000-memory.dmp

C:\Users\Admin\AppData\Local\ychYVY\MFC42u.dll

MD5 bd8d60f9767810b4d8231ec8ad0e7341
SHA1 9fe98631cd201bfd2b8216394714d01c0e609a22
SHA256 2b961fc86097b9a919e90e343592f13d0efa14acbab2f81c71f43eb6801353b0
SHA512 e8fd254a61cd986d307ce5337312073afe805bfaa343b8fef52d2be8ddbfc216d9f9d88a134d22321e5c4f0af962092506fd1771f8e4e5f0c8d51260ac9ed71e

\Users\Admin\AppData\Local\ychYVY\MFC42u.dll

MD5 2aa868b9a1d668c0101dbb992e5182e7
SHA1 c471c1ff6e721290d03c8af9ff273b03404874ce
SHA256 c34e7714e9a733cd7caf32808abadf5f6d6783b3e0cdb219d7da21e407fed650
SHA512 9bd9f0a42a3478b5c4311f06cd5d06d17ee3d9f0c76fa327fe96e9261a4eed467b843ebb3b1810f05cacd134436cb12d963dbb09913872919574ae518ca4715d

C:\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe

MD5 35e5c945b96057c572620a4bbe0500d9
SHA1 4dc483b7dd19323e47b8830d9130c21bf8ee317a
SHA256 0e0810be544e957f73fecb0f2cb1b8ff5b81ea8d2bc5871c6273c0708ad1a33e
SHA512 5222d97b56e5ac9d8f13eb5d1e532340e5b50b87dda0491516db15a7be10c876f308ca45532bbc3fd46d68479a29c6a83c6a98e1a5a22a9086379e834a094af7

\Users\Admin\AppData\Local\ychYVY\DevicePairingWizard.exe

MD5 9728725678f32e84575e0cd2d2c58e9b
SHA1 dd9505d3548f08e5198a8d6ba6bcd60b1da86d5c
SHA256 d95d3aa065a657c354244e3d9d4dc62673dc36c1bed60650fade7d128ddab544
SHA512 a5d22240450e7b659cba507f9abe7e6d861e9712ca2335ea5ceb69e3557362b00f5d02bf84c3a6fed82a09eda555866dcab43741ad9c6db96e1e302ef2363377

memory/2484-84-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/2484-83-0x0000000140000000-0x0000000140169000-memory.dmp

memory/2484-89-0x0000000140000000-0x0000000140169000-memory.dmp

\Users\Admin\AppData\Local\4Ne\TpmInit.exe

MD5 8b5eb38e08a678afa129e23129ca1e6d
SHA1 a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
SHA256 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
SHA512 a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

C:\Users\Admin\AppData\Local\4Ne\ACTIVEDS.dll

MD5 132f99eecf5e54ab873fcfeaadec55b4
SHA1 b40978bf6c2e1962ed09c65cacf134e936e04fc7
SHA256 26fd23d965e04b30c85dd36046b343aaa85dce9704c02668d85446b810eaf08e
SHA512 bb3a77a1d454e77db1e5891f7a2203777f02a34a04e4025a8dcc015aef3696df85ae4d689640d427f621538d55b372e34125b144b4f8586c04709eb8a1a03cf4

memory/3036-103-0x0000000000090000-0x0000000000097000-memory.dmp

memory/3036-107-0x0000000140000000-0x0000000140163000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 a8155de67e25a43b4a6db05ed3f50740
SHA1 6130434ef041453b33859afab24bf8da3be1397f
SHA256 78d1ea12d159280d2f6964fd0d6ca95edae92a4ead2aa8b498a98b50d2ca098e
SHA512 a589eccf75cc56222a858210780801c4156a59a633e616449ef139e000e5c381c7a3318c65a72f62bce93a0cc4cc9d2df986ebd498479b09ecafcf5022463c95

memory/1228-126-0x0000000077086000-0x0000000077087000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\d9SM\slc.dll

MD5 e3811f428799ef0e1549ef6544b5f2ce
SHA1 fa25624a97af0deceb0cf5b2b275a4621ee5fae8
SHA256 5077e7211019b4da96d980f0e8ee82ce546853a7a43d9e4d93c298baa0678ad7
SHA512 36c0bdef26197d76616da79b1c3406e00be632978e6331b2a8e45e6ec84330d5333e4f75b2f03d0e4f7fbf009491ece8df2b9378e25205f6a9a96822e19ae952

C:\Users\Admin\AppData\Roaming\Macromedia\UPVinfCysLm\MFC42u.dll

MD5 93d73c749b402259eefee7541382b8fd
SHA1 f5d21c00580f48d7ada754063e0ad03435a0ec67
SHA256 2410496537f6a650c5d3738ed47f1cf98cc915b491ca91bb4176d1ee174de6f0
SHA512 07bf980ab63e0fa9abfc33fc29131482af6f6b5d654e5b931348237d25ceef4e3de8156b3c331281a77e5405c09fa46116f88a3f8c5ad752038b7cab9f83847d

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 05:38

Reported

2024-01-22 05:41

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

147s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6edcb3e9a95b87f3dd31d12871219ad1.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\pO\\SndVol.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\SgnCfEIg\MDMAppInstaller.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\KamUETej\SndVol.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | N/A | N/A (x60 rows)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3520 wrote to memory of 4800 | N/A | N/A | C:\Windows\system32\MDMAppInstaller.exe
PID 3520 wrote to memory of 4800 | N/A | N/A | C:\Windows\system32\MDMAppInstaller.exe
PID 3520 wrote to memory of 4676 | N/A | N/A | C:\Users\Admin\AppData\Local\SgnCfEIg\MDMAppInstaller.exe
PID 3520 wrote to memory of 4676 | N/A | N/A | C:\Users\Admin\AppData\Local\SgnCfEIg\MDMAppInstaller.exe
PID 3520 wrote to memory of 400 | N/A | N/A | C:\Windows\system32\SndVol.exe
PID 3520 wrote to memory of 400 | N/A | N/A | C:\Windows\system32\SndVol.exe
PID 3520 wrote to memory of 2064 | N/A | N/A | C:\Users\Admin\AppData\Local\KamUETej\SndVol.exe
PID 3520 wrote to memory of 2064 | N/A | N/A | C:\Users\Admin\AppData\Local\KamUETej\SndVol.exe
PID 3520 wrote to memory of 3616 | N/A | N/A | C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 3520 wrote to memory of 3616 | N/A | N/A | C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 3520 wrote to memory of 3200 | N/A | N/A | C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe
PID 3520 wrote to memory of 3200 | N/A | N/A | C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6edcb3e9a95b87f3dd31d12871219ad1.dll

C:\Windows\system32\MDMAppInstaller.exe

C:\Windows\system32\MDMAppInstaller.exe

C:\Users\Admin\AppData\Local\SgnCfEIg\MDMAppInstaller.exe

C:\Users\Admin\AppData\Local\SgnCfEIg\MDMAppInstaller.exe

C:\Windows\system32\SndVol.exe

C:\Windows\system32\SndVol.exe

C:\Users\Admin\AppData\Local\KamUETej\SndVol.exe

C:\Users\Admin\AppData\Local\KamUETej\SndVol.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

memory/1248-0-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1248-1-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1248-3-0x0000000000950000-0x0000000000957000-memory.dmp

memory/3520-5-0x0000000003770000-0x0000000003771000-memory.dmp

memory/3520-7-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-10-0x00007FFE77E5A000-0x00007FFE77E5B000-memory.dmp

memory/3520-11-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-12-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-13-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-14-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-15-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-16-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-17-0x0000000140000000-0x0000000140162000-memory.dmp

memory/1248-8-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-9-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-18-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-19-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-20-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-22-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-23-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-21-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-24-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-25-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-26-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-27-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-28-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-30-0x0000000002E10000-0x0000000002E17000-memory.dmp

memory/3520-29-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-37-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-38-0x00007FFE789A0000-0x00007FFE789B0000-memory.dmp

memory/3520-47-0x0000000140000000-0x0000000140162000-memory.dmp

memory/3520-49-0x0000000140000000-0x0000000140162000-memory.dmp

C:\Users\Admin\AppData\Local\SgnCfEIg\MDMAppInstaller.exe

MD5 30e978cc6830b04f1e7ed285cccaa746
SHA1 e915147c17e113c676c635e2102bbff90fb7aa52
SHA256 dc821931f63117962e2266acd3266e86bf8116d4a14b3adbebfade1d40b84766
SHA512 331923fa479f71c4c80b0e86ea238628666f95b6cf61cf4d741ae4a27ea2b8c636864dfac543d14599b4873f3b2ab397d07c4e4c17aca3f3b4e5871e24e50214

C:\Users\Admin\AppData\Local\SgnCfEIg\WTSAPI32.dll

MD5 a97d39df8ff8322318214005dc458fc0
SHA1 bcff69ced685479fc2efb6716453c88fd17456a5
SHA256 4aabb487058eb9ed69b4371fe9dad0aa002ef1e16b529b965f9068550eff70a8
SHA512 12b2d88cc44a317715a0743d6dc1f54736e4dc24121d719877365552cb8b4520bda3e198460dbd2a0bbf7fd6e49d58aa76cd8a5ba6b2b6932121331276867422

memory/4676-59-0x0000000140000000-0x0000000140163000-memory.dmp

memory/4676-58-0x0000000140000000-0x0000000140163000-memory.dmp

memory/4676-60-0x0000025B0E500000-0x0000025B0E507000-memory.dmp

memory/4676-67-0x0000000140000000-0x0000000140163000-memory.dmp

C:\Users\Admin\AppData\Local\KamUETej\SndVol.exe

MD5 c5d939ac3f9d885c8355884199e36433
SHA1 b8f277549c23953e8683746e225e7af1c193ad70
SHA256 68b6ced01f5dfc2bc9556b005f4fff235a3d02449ad9f9e4de627c0e1424d605
SHA512 8488e7928e53085c00df096af2315490cd4b22ce2ce196b157dc0fbb820c5399a9dbd5dead40b24b99a4a32b6de66b4edc28339d7bacd9c1e7d5936604d1a4f0

C:\Users\Admin\AppData\Local\KamUETej\dwmapi.dll

MD5 fce50cd6005d45803b4248f34e1d5ea3
SHA1 52b0b323d2c8b925dc166468e62149ea1a347ee0
SHA256 90f6973bb526879942b1fcb1aa26edd9f733e9a78ace866886bad6a8e5ab319b
SHA512 3c8420751e9d57639f91d96feb652167990ff0c0f61dd6ddde4c7e74a3dd67341740cae70fb7b72f2fa10a123d1f57e40abad0e448c8294b0b944d7d2ae8e503

memory/2064-81-0x00000227ADFE0000-0x00000227ADFE7000-memory.dmp

memory/2064-86-0x0000000140000000-0x0000000140163000-memory.dmp

C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe

MD5 fa040b18d2d2061ab38cf4e52e753854
SHA1 b1b37124e9afd6c860189ce4d49cebbb2e4c57bc
SHA256 c61fa0f8c5d8d61110adbcceaa453a6c1d31255b3244dc7e3b605a4a931c245c
SHA512 511f5981bd2c446f1f3039f6674f972651512305630bd688b1ef159af36a23cb836b43d7010b132a86b5f4d6c46206057abd31600f1e7dc930cb32ed962298a4

C:\Users\Admin\AppData\Local\5TsC3\SYSDM.CPL

MD5 1711c3466ef66b7807cbcdb475de4ae5
SHA1 49ef7be73198a3d7bd2d0f4c1377dde94f24af28
SHA256 4f5d8f6b202ad81721a8f868db46a594c7d7933b2c67fdf7e3ac51a784e88f1b
SHA512 46263a26a5dd9288868a29128e29099796b051cbe83e5ffba775bbc176bd897f7c83750ea87e1c5a6a25381dcee00d1374f0430f5aa263dfc3dde9ce2c38f6c5

memory/3200-97-0x0000000140000000-0x0000000140163000-memory.dmp

memory/3200-99-0x000001B6A1FA0000-0x000001B6A1FA7000-memory.dmp

memory/3200-104-0x0000000140000000-0x0000000140163000-memory.dmp

C:\Users\Admin\AppData\Local\5TsC3\SystemPropertiesAdvanced.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 03cedeaf4a2f8e931de5bad67087852d
SHA1 26f1c7eb1f3fe50caba78bb6b8351b57d64cc4bb
SHA256 24c2e13b77aeeffb39c598ad0321e4d1267c73d792114a61a5a509927636e479
SHA512 9649b5f9ac0f56b8be3502388c487058b3e19b45814ca8c7c69ef9bb3efca2b1c99494e6a362fc3f0c71e4ccd9d9dc89d7986dbdc0d1ae4045dcd8c6b90f90dd