Malware Analysis Report

2024-11-15 08:50

Sample ID 240122-slnk6ahegj
Target 6fc1300c924c848e73451dec1a26af99
SHA256 b18bf10683e2178f9b1f99b4ced10b08880b29eac55ba5d252c34e3b0d70833b
Tags
dridex botnet evasion payload persistence trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file 6fc1300c924c848e73451dec1a26af99 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Taken together, the signatures below describe one chain, observed on both platforms. rundll32.exe loads the sample DLL by export ordinal (#1). Copies of Windows binaries (MpSigStub.exe, Magnify.exe and rekeywiz.exe in the Windows 7 run; dpapimig.exe, sppsvc.exe and mmc.exe in the Windows 10 run) are written to randomly named directories under %LOCALAPPDATA%, each next to a dropped DLL (VERSION.dll, MAGNIFICATION.dll, slc.dll; DUI70.dll, XmlLite.dll, DUser.dll), and the copies are then executed from there; the Windows 7 run records the copies loading the dropped DLL, which is the DLL side-loading layout. Persistence is an HKCU Run value pointing at a further copy under %APPDATA% (Magnify.exe and sppsvc.exe respectively), a .lnk in the user's Startup folder, and use of the Task Scheduler COM API for which no task details are recorded. Neither the registry value nor the dropped files require elevation to write; the EnableLUA query only tells the sample whether UAC is on.

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK (Enterprise Matrix V15)

The technique mapping for this sample is not included in this export.

Analysis: static1

Detonation Overview

Reported

2024-01-22 15:12

Signatures

Unsigned PE

The submitted DLL carries no Authenticode signature. No indicator, process or target details are recorded for this static check.

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 15:12

Reported

2024-01-22 15:15

Platform

win7-20231215-en

Max time kernel

150s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc1300c924c848e73451dec1a26af99.dll,#1

(#1 calls the DLL's export by ordinal 1 rather than by name, so no export name appears on the command line.)

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

No indicator, process or target details are recorded for these two detections.

Loads dropped DLL

Process
C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe
C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe
C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe

Each of these is a copy of a Windows binary executed from a user-writable directory that also received a dropped DLL (VERSION.dll, MAGNIFICATION.dll and slc.dll respectively; see Files). No description, indicator or target is recorded for the individual load events.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\xUyXBowgs\\Magnify.exe" N/A N/A

Decoded: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\xUyXBowgs\Magnify.exe. The value name is random, and the target is another copy of Magnify.exe under %APPDATA%; the MAGNIFICATION.dll dropped into that same directory is listed under Files.
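The row above is the sandbox's raw registry event. The Python below is an added example, not part of this report, that parses rows in that format, undoes the escaped backslashes inside the quoted data, and scores the autostart target the way an analyst would: which hive it lives in, whether the target sits in a user-writable directory, and whether the file name is a Windows binary running outside System32. The list of Windows binary names is an assumption built from this report's two detonations, not an exhaustive catalogue, and the two sample rows are the ones printed in the two behavioral runs.

```python
import re
from pathlib import PureWindowsPath

# Matches the sandbox's 'Set value (str) <key>\<name> = "<data>" ...' registry rows
# as printed in this report; trailing N/A columns are tolerated.
RUN_EVENT = re.compile(
    r'^Set value \(str\)\s+'
    r'(?P<key>\\REGISTRY\\(?:USER|MACHINE)\\[^=]*?)\\(?P<name>[^\\=]+?)\s*=\s*'
    r'"(?P<data>[^"]*)"(?:\s+\S+)*\s*$'
)

# Directories an unprivileged user can write to: an autostart target in one of
# these needs no elevation to plant or replace.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\")

# Windows binaries this report shows being copied out of System32.
# Assumption: built from the two detonations on this page, not a full list.
SYSTEM_BINARIES = {"magnify.exe", "mpsigstub.exe", "rekeywiz.exe",
                   "dpapimig.exe", "sppsvc.exe", "mmc.exe"}

# Sample rows copied from the behavioral1 and behavioral2 runs on this page.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\xUyXBowgs\\Magnify.exe" N/A N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\kVNM3Eq\\sppsvc.exe" N/A N/A',
]


def parse_run_event(row: str) -> dict:
    """Split one registry row into hive, SID, key path, value name and decoded data."""
    m = RUN_EVENT.match(row.strip())
    if not m:
        raise ValueError(f"not a Run-key event: {row!r}")
    parts = m["key"].split("\\")            # ['', 'REGISTRY', 'USER', '<SID>', 'Software', ...]
    hive = parts[2]
    sid = parts[3] if hive == "USER" else None
    data = m["data"].replace("\\\\", "\\")  # the report escapes backslashes inside the quotes
    return {"hive": hive, "sid": sid, "key": m["key"], "name": m["name"], "data": data}


def assess_run_value(event: dict) -> list:
    """Return the reasons this autostart entry deserves attention (empty list = nothing odd)."""
    target = PureWindowsPath(event["data"])
    low = str(target).lower()
    reasons = []
    if event["hive"] == "USER":
        reasons.append("per-user (HKCU) Run value: no admin rights needed to set it")
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("target is in a user-writable directory")
    if target.name.lower() in SYSTEM_BINARIES and "\\windows\\system32\\" not in low:
        reasons.append(f"{target.name} is a Windows binary name running outside System32 "
                       "(candidate side-load host)")
    return reasons


def triage(rows) -> dict:
    """Map each Run value name to its decoded target and the reasons it was flagged."""
    out = {}
    for row in rows:
        ev = parse_run_event(row)
        out[ev["name"]] = {"target": ev["data"], "reasons": assess_run_value(ev)}
    return out


if __name__ == "__main__":
    for name, info in triage(SAMPLE_ROWS).items():
        print(name, "->", info["target"])
        for reason in info["reasons"]:
            print("   ", reason)
```

Both rows from this report trip all three checks. A value whose data is a System32 path under HKLM produces an empty list, which is the point of keeping the checks separate: a hunting query over real Run keys should surface the combination, not any one of them alone.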

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
(3 events attributed to rundll32.exe as above; 61 further events were recorded with no description, indicator, process or target)

Suspicious use of WriteProcessMemory

Writer PID Target PID Events Target image
1200 2596 3 C:\Windows\system32\MpSigStub.exe
1200 2640 3 C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe
1200 1508 3 C:\Windows\system32\Magnify.exe
1200 2836 3 C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe
1200 2128 3 C:\Windows\system32\rekeywiz.exe
1200 2156 3 C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe

Every write comes from the same process, PID 1200, whose image the report does not name; the Files list shows the sample's image range (0x140000000-0x14017F000) mapped in it. For each Windows binary the writer targets both the System32 original and the copy under %LOCALAPPDATA%, consistent with starting each process and writing into it before it runs.

Uses Task Scheduler COM API

persistence

No task name, trigger or action is recorded for this signature; it is a third persistence route alongside the Run value above and the Startup-folder .lnk listed under Files.

Processes

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc1300c924c848e73451dec1a26af99.dll,#1

C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe

C:\Windows\system32\MpSigStub.exe

C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe

C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe

C:\Windows\system32\rekeywiz.exe

For every entry after rundll32.exe the recorded command line is identical to the image path: the binaries are started without arguments. Each Windows binary appears twice, once from System32 and once as the copy under %LOCALAPPDATA%, which is the execution side of the side-loading layout noted under Loads dropped DLL.
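The process list above is what a side-loading check keys on: the same file name executed from System32 and from a directory under the user profile. The Python below is an added example, not part of this report. It derives the set of genuine binaries from the System32 entries in the process list itself (so no external allow-list is assumed), pairs each copy executed elsewhere with the DLLs dropped into its directory, and separately lists DLL staging directories from which nothing ran, which in this report are the persistence copies under %APPDATA%. The process and file paths are copied from the Windows 7 run on this page; nothing else is assumed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

SYSTEM32 = "c:\\windows\\system32\\"


def norm(path: str) -> str:
    """Lower-case a path; the report writes some files drive-less as "\\Users\\...", so add C:."""
    return ("C:" + path if path.startswith("\\") else path).lower()


def parent_of(path: str) -> str:
    return str(PureWindowsPath(norm(path)).parent)


def sideload_candidates(processes, dropped_files):
    """Pair each Windows binary run from outside System32 with the DLLs dropped beside it.

    The set of genuine binaries is taken from the process list itself (names that were
    also executed from System32), so the check works without an external allow-list.
    """
    originals = {}                                   # lower-cased name -> System32 path
    for proc in dict.fromkeys(processes):            # keep order, drop repeated entries
        if norm(proc).startswith(SYSTEM32):
            originals[PureWindowsPath(proc).name.lower()] = proc
    dlls_by_dir = defaultdict(list)                  # lower-cased directory -> DLL names
    for f in dropped_files:
        if PureWindowsPath(f).suffix.lower() == ".dll":
            dlls_by_dir[parent_of(f)].append(PureWindowsPath(f).name)
    found = []
    for proc in dict.fromkeys(processes):
        name = PureWindowsPath(proc).name.lower()
        if norm(proc).startswith(SYSTEM32) or name not in originals:
            continue
        found.append({"host": proc, "original": originals[name],
                      "dlls": sorted(dlls_by_dir.get(parent_of(proc), []))})
    return found


def unpaired_dll_dirs(processes, dropped_files):
    """Directories that received a dropped DLL but from which nothing ran (staged copies)."""
    ran_from = {parent_of(p) for p in processes}
    staged = {parent_of(f) for f in dropped_files
              if PureWindowsPath(f).suffix.lower() == ".dll"}
    return sorted(staged - ran_from)


# Process image paths and dropped file paths as listed for the behavioral1 (Windows 7) run.
WIN7 = {
    "processes": [
        r"C:\Windows\system32\rundll32.exe",
        r"C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe",
        r"C:\Windows\system32\MpSigStub.exe",
        r"C:\Windows\system32\Magnify.exe",
        r"C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe",
        r"C:\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe",
        r"C:\Windows\system32\rekeywiz.exe",
    ],
    "dropped": [
        r"C:\Users\Admin\AppData\Local\mQJ6BDuo1\VERSION.dll",
        r"C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe",
        r"C:\Users\Admin\AppData\Local\V61vQ\MAGNIFICATION.dll",
        r"C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe",
        r"\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe",
        r"\Users\Admin\AppData\Local\1NMR1\slc.dll",
        r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\6Mk\VERSION.dll",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\xUyXBowgs\MAGNIFICATION.dll",
        r"C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\GtBW\slc.dll",
    ],
}

if __name__ == "__main__":
    for hit in sideload_candidates(WIN7["processes"], WIN7["dropped"]):
        print(hit["host"], "<-", hit["dlls"], "(original:", hit["original"] + ")")
    for d in unpaired_dll_dirs(WIN7["processes"], WIN7["dropped"]):
        print("staged, not executed:", d)
```

Run over the Windows 10 lists from behavioral2 the same two functions pair dpapimig.exe with DUI70.dll, sppsvc.exe with XmlLite.dll and mmc.exe with DUser.dll, and report the kVNM3Eq directory under %APPDATA%\Microsoft\Protect (the Run-key target) as staged but not executed.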

Network

No network activity was recorded in this run (Windows 7). Compare behavioral2, where the Windows 10 run connects to 52.142.223.178:80 over TCP.

Files

Notes on this list: the same location is written both as "C:\Users\..." and "\Users\...", and several paths (the dropped VERSION.dll, MAGNIFICATION.dll, slc.dll and the copied executables) appear more than once with differing hashes because more than one version of the file's contents was captured. The memory region 0x140000000-0x14017F000 is first captured in PID 2108 (indices 0 and 8) and then, from index 7 on, repeatedly in PID 1200, the PID that performs the WriteProcessMemory calls above; the same image range appearing in a second process is consistent with the loader injecting itself into it.

memory/2108-1-0x0000000000110000-0x0000000000117000-memory.dmp

memory/2108-0-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-4-0x0000000077756000-0x0000000077757000-memory.dmp

memory/1200-5-0x0000000003A20000-0x0000000003A21000-memory.dmp

memory/2108-8-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-13-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-16-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-23-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-30-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-33-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-36-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-40-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-44-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-46-0x0000000003050000-0x0000000003057000-memory.dmp

memory/1200-54-0x0000000077AC0000-0x0000000077AC2000-memory.dmp

memory/1200-53-0x0000000077961000-0x0000000077962000-memory.dmp

memory/1200-52-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-43-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-63-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-42-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-69-0x0000000140000000-0x000000014017F000-memory.dmp

C:\Users\Admin\AppData\Local\mQJ6BDuo1\VERSION.dll

MD5 13838a89f2e53c4899765056e774385a
SHA1 a718e55cd18b7af7af86c3caea7ee6d26deb8c26
SHA256 44a5d21e293e0fcc0bfc9e69716dc69af528ea531fb1f7fe56102211480bca40
SHA512 900ee8af6d2fe4dfd79ef5862e8a02f00d5850e165d679544dc2ee644c5bab2a6e8ea74b9e692f1877e576ca7d4a28a261834943001bf688192f8817ae19f44d

memory/2640-81-0x0000000140000000-0x0000000140180000-memory.dmp

memory/2640-84-0x0000000000180000-0x0000000000187000-memory.dmp

\Users\Admin\AppData\Local\mQJ6BDuo1\VERSION.dll

MD5 910c48d6c2ce35d9b8ad175b8a25e2e4
SHA1 98a3cb09d09f7b99912b80a4142990146fa84198
SHA256 17e9437f4b86f48ea3d8853fe9df5a20edd62496492fe3746fb865a214c002a1
SHA512 70cd1c864ce43d00b19cf1a59145cddf081100686fc0f7b043336d204256b30cf27afbc0abc8f9e52bd166d340527db71562bf579d3f97dfc955544d5fc07dcd

C:\Users\Admin\AppData\Local\mQJ6BDuo1\MpSigStub.exe

MD5 2e6bd16aa62e5e95c7b256b10d637f8f
SHA1 350be084477b1fe581af83ca79eb58d4defe260f
SHA256 d795968b8067bb610033fa4a5b21eb2f96cef61513aba62912b8eb5c6a5ff7b3
SHA512 1f37150f6bcbe0df54bb85a5ad585824cea9332baa9be1649a95c1dfb41723de85c09d98fb2ca8261a49c2184d3bda638b84b2b7b60b97fe42a15ab1620a2542

memory/1200-41-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-39-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-38-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-37-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-35-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-34-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-32-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-31-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-29-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-28-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-27-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-26-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-24-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-25-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-22-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-21-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-20-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-19-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-18-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-17-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-15-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-14-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-12-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-11-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-10-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-9-0x0000000140000000-0x000000014017F000-memory.dmp

C:\Users\Admin\AppData\Local\V61vQ\MAGNIFICATION.dll

MD5 443afb161b51a0fc7f7919da764ed1f0
SHA1 65c39c309d626bec5ffb582e22dc1502e3c308f7
SHA256 102e79a1d1ebfe82d25476205a859238b321311be58d2800b5931c6d71774865
SHA512 f7d6a3b49f40e05b8b02f3368edd1e89708aa0cbbcb376766ba6ec80cec5b45ca43bca0780e6422ebf730aceb7f754d1b5da3bacff220666de178291ab0607af

memory/2836-102-0x0000000000130000-0x0000000000137000-memory.dmp

\Users\Admin\AppData\Local\V61vQ\MAGNIFICATION.dll

MD5 fe208b3c74a20468811be570c4f8c60c
SHA1 eeda6ea0c3dd012bc590f11102b0b54776922be9
SHA256 2d29b01562283bd5b7dc7533e9288af1e47f1e13d84d0246616c7db516b60ed6
SHA512 14c71d937adeb968b9736b242e70d4d3b3021e2a7b7692b2e48d4134ad13cc2a076c7e223bcda941949f68eafba56bcc92ee664e7228da3a8018e0fb977fae3c

C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe

MD5 bb189e398e1f7baf7c5ea75a69f7e06a
SHA1 45f769e84b3290ae8b0a3029a082740f29eb8b8d
SHA256 ee545400ad3c0c32bc8503647a72aebc893df4587f6cc96d6048d2cc07cb3116
SHA512 3a39d344f9cb72571969e6b24fc979f64b04e595fdba768220b02e2e122c84d2ca35d2371f9415a4e44e26b1d6fa960ef68c472036a835e276cd19b0be90bff7

\Users\Admin\AppData\Local\V61vQ\Magnify.exe

MD5 62ed47d318d148c700f88a1b843181ed
SHA1 f9c1012ec40f9dc3ce2c7d981072a1c14475914d
SHA256 06a3411810af492deedf81406a4fe84f48eb1c239ef01d3aac6ffc4723a07ccc
SHA512 4bb5dff25a3e7baa1e6545772b923b233342734f14ae86011139c6bf43924199c1e9c9fe36a333bdb87f516eda9055f9d5ab67e4674d3d09ea55d6978aab7e35

C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe

MD5 0d8aeeefe9d95e647498859530c70bf9
SHA1 0ebcdb64d8e142e4a63e23f6c56e395f8025ede4
SHA256 c777a047cd8e99b1a07827657d18ad5d5a4f412fe88b2f4a1c5e1f6b8f77503a
SHA512 e2cf387896c5d71e499e2514287de3855e0a0035ecc38c5607f4ba54af52d5f71e55073eecc193d3c6d4e8ed0d4acca1a9c677c5da3a512d0bb43f54c6a35b25

memory/1200-7-0x0000000140000000-0x000000014017F000-memory.dmp

\Users\Admin\AppData\Local\1NMR1\rekeywiz.exe

MD5 767c75767b00ccfd41a547bb7b2adfff
SHA1 91890853a5476def402910e6507417d400c0d3cb
SHA256 bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
SHA512 f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

\Users\Admin\AppData\Local\1NMR1\slc.dll

MD5 df31e22d3438239f7649d433f0c1fc30
SHA1 f8289fc1b582d458fb600dc6c6bbb5975450fdc0
SHA256 4775fa5304da47c2f91bcf98ac29d12a85bf665d3ea34e3400b034a9a16510a7
SHA512 e269def62bc6bce94e774b657591479a50f6e8cfe28360ea8b05e88b582abf6fc810d2f8c04bc5d6e7b1a003f1f2290cfb2d1e450ff6e155bb0ac702435e44b1

memory/2156-125-0x0000000001C20000-0x0000000001C27000-memory.dmp

C:\Users\Admin\AppData\Local\1NMR1\slc.dll

MD5 013d457ae3111ab1dfa0a8e8853bf61d
SHA1 92ed82292a6df64fa7a63ebcbbdd24b9bf1b030d
SHA256 00884b26164d293f7c72f4cc8fc596613c1950e7cd326abcbde23fd9d1f42792
SHA512 6f2a10c133f97c81b1b8c5bc8aebc1cbaccd154ea15ec8d18fe995ae94fe0e4451f67358699cc959fd41c3cb6249d40b37c9fcdb3cc4e9460d228423e403b189

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 08f45fedbdc3f3d5d8c8d6cfbbe7daa2
SHA1 f51620dcbd69238e055700750e0edd5a8c1da381
SHA256 a51955435f82f26327208d4a42710bacd57e375b193bbec36aef68cbb9c09792
SHA512 1ab517e4ae233de5a3ea3f070487dabb0654730d53c76b48adfeb41ec1fffe99b3a0d2dc3e5ba5b7fef56ca86dc434ad083264cf149a5f2be9aaf09cc6281ff1

memory/1200-147-0x0000000077756000-0x0000000077757000-memory.dmp

memory/2640-152-0x0000000000180000-0x0000000000187000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\6Mk\VERSION.dll

MD5 c956ca66000ff6455f1f646fefc764d1
SHA1 05796b3d3389b0212f21aeffd360485df47d3e7a
SHA256 7e715eba02bbb8d7bc36186a47aecd6979d363ef702a0b4894c4ebc3e802dc05
SHA512 cc7078b027a511e80427ec85dd48b906f516a724ef2353275972883ea1832c58630a85931530afa70aa1eeda9c1288caa6098b2eec28b48b2980b28a07e4fbde

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\xUyXBowgs\MAGNIFICATION.dll

MD5 ea71c1fd5e7b0edddf97c9ca7d3661f9
SHA1 f305830c79470b9b32b07051c10e2c27a66f060e
SHA256 9434c21c2a06d2cf773e779495f339f27f0d2001eecad26367ada2381ffd1162
SHA512 45bbb6a8c8d68164b72a820fa132229b32590dc23d20d393d274891e58f368f59b29068bcae9f1f2aeffc4f2d32e94e365924d60a09882ee3380810b36f41265

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\GtBW\slc.dll

MD5 d3db31435367004bc910a39391724041
SHA1 3138ffe7fad70b6c9f39c6e942378b644448ac67
SHA256 450b1f12f1b9d80d1c297751c8db6a9912c0ae34c6575a6d8362d5fe581f9769
SHA512 5f96decca98e79578201359042f3397fde42b78a7bb1e7085f80e49db62b83655b5a34c214b0db547039a36044ea82cb2b1f83db6bd1c8caff49c960bcdc70b8
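The Files list mixes two record types: dropped files (a path followed by its hashes) and memory dumps named by PID, capture index and address range. This added Python is not part of the report. It parses both record types, reports paths captured with more than one content hash, and lists address ranges that appear in more than one PID, which is the memory-side evidence for the injection the WriteProcessMemory events point to. The sample text is a constructed excerpt of the entries printed above, with the SHA512 lines omitted for brevity (the parser accepts them).

```python
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\\S.*$")     # C:\... or the report's drive-less \Users\...

# Constructed excerpt of the behavioral1 Files list on this page.
SAMPLE = r"""
memory/2108-0-0x0000000140000000-0x000000014017F000-memory.dmp

memory/1200-13-0x0000000140000000-0x000000014017F000-memory.dmp

C:\Users\Admin\AppData\Local\mQJ6BDuo1\VERSION.dll

MD5 13838a89f2e53c4899765056e774385a
SHA1 a718e55cd18b7af7af86c3caea7ee6d26deb8c26
SHA256 44a5d21e293e0fcc0bfc9e69716dc69af528ea531fb1f7fe56102211480bca40

memory/2640-84-0x0000000000180000-0x0000000000187000-memory.dmp

\Users\Admin\AppData\Local\mQJ6BDuo1\VERSION.dll

MD5 910c48d6c2ce35d9b8ad175b8a25e2e4
SHA1 98a3cb09d09f7b99912b80a4142990146fa84198
SHA256 17e9437f4b86f48ea3d8853fe9df5a20edd62496492fe3746fb865a214c002a1

C:\Users\Admin\AppData\Local\V61vQ\Magnify.exe

MD5 bb189e398e1f7baf7c5ea75a69f7e06a
SHA1 45f769e84b3290ae8b0a3029a082740f29eb8b8d
SHA256 ee545400ad3c0c32bc8503647a72aebc893df4587f6cc96d6048d2cc07cb3116

\Users\Admin\AppData\Local\V61vQ\Magnify.exe

MD5 62ed47d318d148c700f88a1b843181ed
SHA1 f9c1012ec40f9dc3ce2c7d981072a1c14475914d
SHA256 06a3411810af492deedf81406a4fe84f48eb1c239ef01d3aac6ffc4723a07ccc
"""


def parse_files_section(text):
    """Return (file_records, memory_dumps) parsed from a Files list in this report's layout."""
    records, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            dumps.append({"pid": int(m["pid"]), "index": int(m["idx"]),
                          "start": int(m["start"], 16), "end": int(m["end"], 16)})
            current = None                      # hashes never follow a memory line
        elif (m := HASH_RE.match(line)) and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        elif PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
        else:
            raise ValueError(f"unexpected line in Files list: {line!r}")
    return records, dumps


def norm_path(path):
    """The report writes the same file both as "C:\\Users\\..." and "\\Users\\..."."""
    return ("C:" + path if path.startswith("\\") else path).lower()


def versions_by_path(records, algo="sha256"):
    """Map each normalised path to the distinct hashes captured for it, in capture order."""
    out = defaultdict(list)
    for r in records:
        h = r.get(algo)
        if h and h not in out[norm_path(r["path"])]:
            out[norm_path(r["path"])].append(h)
    return dict(out)


def multi_version_paths(records, algo="sha256"):
    """Paths whose contents differed between captures (more than one distinct hash)."""
    return {p: hs for p, hs in versions_by_path(records, algo).items() if len(hs) > 1}


def shared_regions(dumps):
    """Address ranges dumped from more than one PID, e.g. an image mapped into a second process."""
    pids = defaultdict(set)
    for d in dumps:
        pids[(d["start"], d["end"])].add(d["pid"])
    return {f"0x{s:X}-0x{e:X}": sorted(p) for (s, e), p in pids.items() if len(p) > 1}


if __name__ == "__main__":
    recs, dumps = parse_files_section(SAMPLE)
    for path, hashes in multi_version_paths(recs).items():
        print(path, "captured with", len(hashes), "different contents")
    for region, pids in shared_regions(dumps).items():
        print(region, "present in PIDs", pids)
```

When building an IOC set from a report like this, take every distinct hash per path rather than the first one; a hunt keyed on only one of the captured versions misses the other.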

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 15:12

Reported

2024-01-22 15:15

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc1300c924c848e73451dec1a26af99.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

No indicator, process or target details are recorded for these two detections.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\kVNM3Eq\\sppsvc.exe" N/A N/A

Decoded: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = C:\Users\Admin\AppData\Roaming\Microsoft\Protect\kVNM3Eq\sppsvc.exe. As in the Windows 7 run the value name is random and the target is a copy of a Windows binary under %APPDATA%; the XmlLite.dll dropped into that same directory is listed under Files.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
(4 events attributed to rundll32.exe as above; 60 further events were recorded with no description, indicator, process or target)

Suspicious use of UnmapMainImage

No indicator, process or target details are recorded. Unmapping a process's main image is the step that precedes replacing it with another image (process hollowing); read it together with the WriteProcessMemory events below.

Suspicious use of WriteProcessMemory

Writer PID Target PID Events Target image
3532 2536 2 C:\Windows\system32\dpapimig.exe
3532 3844 2 C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe
3532 5116 2 C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe
3532 4740 2 C:\Windows\system32\mmc.exe
3532 1584 2 C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe

As on Windows 7, all writes come from one process (PID 3532) whose image the report does not name, and the Files list shows the sample's image range mapped in it. Note that the System32 sppsvc.exe appears under Processes but not as a write target here.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fc1300c924c848e73451dec1a26af99.dll,#1

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe

C:\Windows\system32\mmc.exe

C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe

For every entry after rundll32.exe the recorded command line is identical to the image path: the binaries are started without arguments. Each Windows binary runs once from System32 and once as the copy under %LOCALAPPDATA%, next to the DLL dropped beside it (DUI70.dll, XmlLite.dll and DUser.dll; see Files).

Network

Country Destination Domain Proto
NL 52.142.223.178:80 - tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

The single TCP connection goes to 52.142.223.178 on port 80; no domain was resolved for it. The UDP rows are reverse (PTR) lookups sent to 8.8.8.8. None of the addresses they decode to (52.167.249.196, 96.17.178.180, 20.190.159.68, 192.229.221.95, 13.71.55.58, 13.85.23.86, 20.3.187.198, 87.248.205.0, 52.111.229.43) is the TCP destination, and the report does not attribute any of the lookups to a process.
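The UDP rows are reverse-DNS (PTR) queries, so each name encodes an address with its octets reversed. The Python below is an added example, not part of the report: it parses the Network table as printed (the Domain column is simply absent on the non-DNS row), decodes the PTR names, and lists destinations that no lookup in the capture accounts for. The rows are copied from this run; nothing else is assumed.

```python
import ipaddress

# Rows copied from the behavioral2 Network table on this page (Country Destination [Domain] Proto).
NETWORK_ROWS = """
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
"""


def parse_network_rows(text):
    """Parse the report's Network rows; the Domain column is missing on non-DNS rows."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) == 3:
            country, dest, proto = fields
            domain = None
        elif len(fields) == 4:
            country, dest, domain, proto = fields
        else:
            raise ValueError(f"unexpected Network row: {line!r}")
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_name_to_ip(name):
    """Decode a.b.c.d.in-addr.arpa into the IPv4 address d.c.b.a; None if not a PTR name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))   # validates each octet


def reverse_lookups(rows):
    """Addresses the capture asked the resolver about, in query order."""
    ips = []
    for r in rows:
        if r["domain"] and (ip := ptr_name_to_ip(r["domain"])):
            ips.append(ip)
    return ips


def unexplained_destinations(rows):
    """Non-DNS destinations that no PTR query in the same capture refers to."""
    looked_up = set(reverse_lookups(rows))
    return [f'{r["ip"]}:{r["port"]}/{r["proto"]}' for r in rows
            if r["port"] != 53 and r["ip"] not in looked_up]


if __name__ == "__main__":
    rows = parse_network_rows(NETWORK_ROWS)
    print("PTR lookups:", reverse_lookups(rows))
    print("destinations with no lookup in this capture:", unexplained_destinations(rows))
```

The result is that 52.142.223.178:80 stands alone: it is neither resolved from a name nor the subject of any of the nine PTR queries, which is the one indicator from this table worth carrying into a block list or a hunt.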

Files

As in the Windows 7 run, several paths below appear more than once with differing hashes (more than one version of the contents was captured). The memory region 0x140000000-0x14017F000 is captured in PID 1856 (indices 1 and 7) and then repeatedly in PID 3532, the writer PID in the WriteProcessMemory events above.

memory/1856-0-0x000002A4FE820000-0x000002A4FE827000-memory.dmp

memory/1856-1-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-4-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

memory/1856-7-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-9-0x00007FFAF3A0A000-0x00007FFAF3A0B000-memory.dmp

memory/3532-10-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-12-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-11-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-13-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-14-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-8-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-17-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-16-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-24-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-25-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-23-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-22-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-26-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-21-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-27-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-20-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-28-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-19-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-29-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-30-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-31-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-18-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-15-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-6-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-33-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-37-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-38-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-41-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-42-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-39-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-46-0x00000000027E0000-0x00000000027E7000-memory.dmp

memory/3532-44-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-43-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-40-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-52-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-62-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-64-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-53-0x00007FFAF3EE0000-0x00007FFAF3EF0000-memory.dmp

memory/3532-36-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-35-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-34-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3532-32-0x0000000140000000-0x000000014017F000-memory.dmp

memory/3844-73-0x0000000140000000-0x00000001401C5000-memory.dmp

memory/3844-75-0x000002270E0A0000-0x000002270E0A7000-memory.dmp

C:\Users\Admin\AppData\Local\CmtDliaq\DUI70.dll

MD5 dd34cc7eb08c3bf2519283502319b009
SHA1 81a60d3cb5f8c4f9b7b4d271339e3dbe79e3ac8c
SHA256 1d46e17ebf9fa98c8b9cc31a58dbc35812c3d163cdb0044c4be3ff8d3cac3ef0
SHA512 f78bf51fd21f89e25dabafaa1c1690fc2806b853267856c7269c6c4cc06055f778eae45f2432c7c1401abe98b639181abb6ca716508366e50e1e51f4d058711e

memory/3844-79-0x0000000140000000-0x00000001401C5000-memory.dmp

C:\Users\Admin\AppData\Local\CmtDliaq\dpapimig.exe

MD5 b6d6477a0c90a81624c6a8548026b4d0
SHA1 e6eac6941d27f76bbd306c2938c0a962dbf1ced1
SHA256 a8147d08b82609c72d588a0a604cd3c1f2076befcc719d282c7cbd6525ae89eb
SHA512 72ec8b79e3438f0f981129a323ad39db84df7dd14a796a820bdbc74ea8fa13eee843d1ea030a0c1caeda2e2d69952f14a821a73825b38dd9415047aca597b1fe

C:\Users\Admin\AppData\Local\CmtDliaq\DUI70.dll

MD5 1247fc3ec268fdf0feb31bd3ee4520b6
SHA1 b780f108dbf1d969463b7e7a408e0ccbd02b0b1b
SHA256 b6dbde4a851e09ae2e12f26127c362284e8ee096cba35e8c1c4fe6ab7ff776b0
SHA512 012a5f2234e00191f54e4722b864b3bcb36b0bd11e1e021a0a3584a00e8281f30b8636a7954a19539b0e85bb0cdb4e3d40e13f63bca60d07cde3ebd0026ae543

memory/5116-90-0x0000000140000000-0x0000000140180000-memory.dmp

memory/5116-93-0x0000022C79F10000-0x0000022C79F17000-memory.dmp

memory/5116-96-0x0000000140000000-0x0000000140180000-memory.dmp

C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe

MD5 be2083ae719c0131123a89c0b4218fef
SHA1 4bb54ea4c70c70b32f8d5d91b4e6335f1f2a0dca
SHA256 48ee402012f6501e23f54c373b6ce8c2c8bef908a30ab1576e155802e10394ec
SHA512 46e7e9c673233b436a529d6816e0a0584e86a80fd696fd3deb3460c5ed97ce171f349cda203a0487be632763bfeb77b0627eb0894a82f79889323f66258a8afa

C:\Users\Admin\AppData\Local\38pLgPaHe\XmlLite.dll

MD5 107d0533c5710f99caf763bd62c39530
SHA1 cf610e9361e0a1d35614da08e38e45abb5d8b68d
SHA256 f0b13484e027ae77030facaac26c87e1e0985c2181afd8a72fd476ab19d6e965
SHA512 d4af64372b78d56037731d85deb4b2bb99f6bd0429b0e8202bcd950a05092fbe02bfadbb34f3c8267b590f5d86143d1d8ebd836d96645e19115226f70dfd1e0b

C:\Users\Admin\AppData\Local\38pLgPaHe\XmlLite.dll

MD5 faa618074b32b1bbfa8b1b25f71c8cdb
SHA1 81515ad18f4948f63e04252d6fa11c46d9cb77cc
SHA256 4fb17da098a95484aeb3e3f218c89552ffece405734770f102dbd0aea6e5c274
SHA512 15ef82215045a55888a11c241a3ee63d4a3b7c999757f1c80a71f4bba36e78ad7c892a73943ed2445ed23a646cc89256939b2595c48944fbf2ea8b5f42fd34ae

C:\Users\Admin\AppData\Local\38pLgPaHe\sppsvc.exe

MD5 164eabbf0e4c1804e1a830f760cdff02
SHA1 2c58b490aab45bd9900a76d3dde56206dfef3fa6
SHA256 479338a06d1309d5fd9f435f43a9c1b92f26b34443ef89becbfcaad098981dab
SHA512 f020253511c955898ead469a26c91c2bab01f8a8cc0a7e84b29bbcb312685d6c809475223ed573a0f9322c99b0ee85333b81ead374e7feb262a3498274cb9950

C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe

MD5 29d13cb15d3b390dda0f49b4f13f61ca
SHA1 7b2260d86a4aab5fd856e3149ee44275ee49125e
SHA256 bb4d7d43f1ff2f3ba8ab400199d1774eae3e04822692963a87586f92533de568
SHA512 0ded9713030fe10f051fc0665dfc3f0b58bd4a2e7342da23d0024121c9399be290cec3d10b00bc36466d1f307894c751fac317bd2f8b367d6c311f027f1597f3

memory/1584-108-0x0000000140000000-0x0000000140181000-memory.dmp

memory/1584-110-0x0000000002EF0000-0x0000000002EF7000-memory.dmp

C:\Users\Admin\AppData\Local\iwNTaDx\DUser.dll

MD5 427526ca19978f5b1e8b65a5cd74100a
SHA1 f396b3b391d6ef74fb170831194c8b3db59c7edf
SHA256 9aa47dc7297c4931388596ae2746240ee853b9e32ac3b27b642de09a6f189c9f
SHA512 ff4275d69bdcdc88765f904c9e7f4083bbf93a6b81c88b6d27ed381861b97075d7b1fd47e81504b89bdbb771f7e733498530c6fa22b53c41da9db6c2aaf091a3

C:\Users\Admin\AppData\Local\iwNTaDx\DUser.dll

MD5 ffd0c168b848f53a8fd60399ff2e291a
SHA1 da951318eabead3fd5f380536a07f0b226c1e53b
SHA256 78bc5f5793ea8c33ce57e3679ba555803f21eca0729109cd2cdc6331ed899540
SHA512 04e46f71d6897b5fcdedd19336e8ab8594f48f88de490ae27fc6912ce75d4a723bbb42a899bc126f14c5c1c047b653852fe83f57467f5b9714f3245e307e5172

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\aCrC2c\mmc.exe

MD5 7f9b28f43e5f4a64b5e5ac02c16b62ce
SHA1 503df090d1e8a646bd09117cd9327ef0932eba2d
SHA256 82d8dbed51c1881750acefe0e9a276643926245800fb87f53d967c23b450005a
SHA512 58aba44d90d4c7f5e2ca77b7ef5203ef56676dce5ffe39214fb19d91d9b2fe24e29e71d611ee10c2dbdf30767ae8c575cd508754cc15a40f2ae18a31c3a0399a

C:\Users\Admin\AppData\Local\iwNTaDx\mmc.exe

MD5 7900824645271a92c81898a3b54dddeb
SHA1 ef7027d99914b2dc2c7bdfb562782edc5e390d31
SHA256 f58fa282cf71e4beaa9ba475786c61dac50d662733e4594cc4607ee4b66d1bb6
SHA512 855bb5d52d7d88b18c8336e1774ae0921f430e08d29469f4afbd48155c958aafdb93127cf0f4d4320165cdd4a468b5ff23f342571cac3c45764f5d4b147527a6

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 2bca0a3010dc597a59a2212f7a241614
SHA1 4e802c8bec46f9f8827bba59e4f2a8e5160f5395
SHA256 3ecac193f0a42b9a1ffa2fca13fee7feff2f8ee6b5159075e152f30ef6179996
SHA512 d7e96a5039fc90e683f3e25ddd9f82a5f5c9e79c9ab6285923f774b582b59a79d3488b1a1048b91a138ea4030fa862416a233aec698e0af9775eba6cc03e85a3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\fJ\DUI70.dll

MD5 af861a3fb539f715253efddf648bb76a
SHA1 7c76372d2d22d6c3b5f8ff4bd2077a4df2ddeb60
SHA256 d7ba348bf8901300e80ba192a26a358c3081a38e09931029ba9efe9fcf35243e
SHA512 095b83ca161041c6eb22d5cbfc2c898ba0aad2e2f87fda8e932c9a3b62ec091aaa6a78e1382510547cb1bfa5fc118f31fda22d2e56222655cc0fb47b8d5d9c23

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\kVNM3Eq\XmlLite.dll

MD5 668b6474544bbcc7c374c1ed002e487c
SHA1 e04182530a92e09b0dade56284f8b9bee8655c10
SHA256 e44ffe3d53cefa61f498885cc3ee8b0574863e16a922bbd17cc16d2596f2c25c
SHA512 1f785ea8332a16aab452ab555bf842629d9ad235e6da7d4633ebfa45921e8f577f0a886305e28ade17fe442978cd62e263b2f587697f026ecb1a88dad90af4e5

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\aCrC2c\DUser.dll

MD5 0edcb38193388cfa04548f1bcc526eb5
SHA1 472a7b1db4605a0d392c5ff6302e1d8febfd4f80
SHA256 26676f72046ae85745a316249d59a2be73211735cd665e2c703a29899f4bc727
SHA512 0e4bb14feb2ec62b0c444b48755deac5764890e751327421417ffee4a626efd878e2eafb48f06a5155657bf454bdd453c1c65fd775251efcbc0b3c53e5dc92d9