Analysis Overview
SHA256
b18bf10683e2178f9b1f99b4ced10b08880b29eac55ba5d252c34e3b0d70833b
Threat Level: Known bad
The file 6fc1300c924c848e73451dec1a26af99 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-22 15:12
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-22 15:12
Reported
2024-01-22 15:15
Platform
win7-20231215-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\xUyXBowgs\\Magnify.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1200 wrote to memory of 2596 | N/A | N/A | C:\Windows\system32\MpSigStub.exe |
| PID 1200 wrote to memory of 2596 | N/A | N/A | C:\Windows\system32\MpSigStub.exe |
| PID 1200 wrote to memory of 2596 | N/A | N/A | C:\Windows\system32\MpSigStub.exe |
| PID 1200 wrote to memory of 2640 | N/A | N/A | C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe |
| PID 1200 wrote to memory of 2640 | N/A | N/A | C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe |
| PID 1200 wrote to memory of 2640 | N/A | N/A | C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe |
| PID 1200 wrote to memory of 1508 | N/A | N/A | C:\Windows\system32\Magnify.exe |
| PID 1200 wrote to memory of 1508 | N/A | N/A | C:\Windows\system32\Magnify.exe |
| PID 1200 wrote to memory of 1508 | N/A | N/A | C:\Windows\system32\Magnify.exe |
| PID 1200 wrote to memory of 2836 | N/A | N/A | C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe |
| PID 1200 wrote to memory of 2836 | N/A | N/A | C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe |
| PID 1200 wrote to memory of 2836 | N/A | N/A | C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe |
| PID 1200 wrote to memory of 2128 | N/A | N/A | C:\Windows\system32\rekeywiz.exe |
| PID 1200 wrote to memory of 2128 | N/A | N/A | C:\Windows\system32\rekeywiz.exe |
| PID 1200 wrote to memory of 2128 | N/A | N/A | C:\Windows\system32\rekeywiz.exe |
| PID 1200 wrote to memory of 2156 | N/A | N/A | C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe |
| PID 1200 wrote to memory of 2156 | N/A | N/A | C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe |
| PID 1200 wrote to memory of 2156 | N/A | N/A | C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc1300c924c848e73451dec1a26af99.dll,#1
C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe
C:\Windows\system32\MpSigStub.exe
C:\Windows\system32\Magnify.exe
C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe
C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe
C:\Windows\system32\rekeywiz.exe
Network
Files
C:\Users\Admin\AppData\Local\mQJ6BDuo1\VERSION.dll
\Users\Admin\AppData\Local\mQJ6BDuo1\VERSION.dll
C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe
C:\Users\Admin\AppData\Local\V61vQ\MAGNIFICATION.dll
\Users\Admin\AppData\Local\V61vQ\MAGNIFICATION.dll
C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe
\Users\Admin\AppData\Local\V61vQ\Magnify.exe
C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe
\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe
\Users\Admin\AppData\Local\1NMR1\slc.dll
C:\Users\Admin\AppData\Local\1NMR1\slc.dll
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\6Mk\VERSION.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\xUyXBowgs\MAGNIFICATION.dll
C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\GtBW\slc.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-22 15:12
Reported
2024-01-22 15:15
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\kVNM3Eq\\sppsvc.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3532 wrote to memory of 2536 | N/A | N/A | C:\Windows\system32\dpapimig.exe |
| PID 3532 wrote to memory of 2536 | N/A | N/A | C:\Windows\system32\dpapimig.exe |
| PID 3532 wrote to memory of 3844 | N/A | N/A | C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe |
| PID 3532 wrote to memory of 3844 | N/A | N/A | C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe |
| PID 3532 wrote to memory of 5116 | N/A | N/A | C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe |
| PID 3532 wrote to memory of 5116 | N/A | N/A | C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe |
| PID 3532 wrote to memory of 4740 | N/A | N/A | C:\Windows\system32\mmc.exe |
| PID 3532 wrote to memory of 4740 | N/A | N/A | C:\Windows\system32\mmc.exe |
| PID 3532 wrote to memory of 1584 | N/A | N/A | C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe |
| PID 3532 wrote to memory of 1584 | N/A | N/A | C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc1300c924c848e73451dec1a26af99.dll,#1
C:\Windows\system32\dpapimig.exe
C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe
C:\Windows\system32\mmc.exe
C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\CmtDliaq\DUI70.dll
C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe
C:\Users\Admin\AppData\Local\CmtDliaq\DUI70.dll
C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe
C:\Users\Admin\AppData\Local\38pLgPaHe\XmlLite.dll
C:\Users\Admin\AppData\Local\38pLgPaHe\XmlLite.dll
C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe
C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe
C:\Users\Admin\AppData\Local\iwNTaDx\DUser.dll
C:\Users\Admin\AppData\Local\iwNTaDx\DUser.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\aCrC2c\mmc.exe
C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\fJ\DUI70.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Protect\kVNM3Eq\XmlLite.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\aCrC2c\DUser.dll