Malware Analysis Report

2024-11-15 08:50

Sample ID 240123-3j4jpscfal
Target 70d941d4f0bc1d1f47611a7b8ce5c05d
SHA256 6f1a36b2dc535c3a9a2e9611c3261d7d5970599318c0811e556b9ee731865de2
Tags
dridex botnet evasion payload persistence trojan

Score
10/10

Analysis Overview

Score
10/10

SHA256

6f1a36b2dc535c3a9a2e9611c3261d7d5970599318c0811e556b9ee731865de2

Threat Level: Known bad

The file 70d941d4f0bc1d1f47611a7b8ce5c05d was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2024-01-23 23:33

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 23:33

Reported

2024-01-23 23:36

Platform

win7-20231215-en

Max time kernel

150s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d941d4f0bc1d1f47611a7b8ce5c05d.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\nmF\consent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\FLASHP~1\\FHHWBY~1\\rekeywiz.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\nmF\consent.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1336 wrote to memory of 2780 N/A N/A C:\Windows\system32\consent.exe
PID 1336 wrote to memory of 2780 N/A N/A C:\Windows\system32\consent.exe
PID 1336 wrote to memory of 2780 N/A N/A C:\Windows\system32\consent.exe
PID 1336 wrote to memory of 2456 N/A N/A C:\Users\Admin\AppData\Local\nmF\consent.exe
PID 1336 wrote to memory of 2456 N/A N/A C:\Users\Admin\AppData\Local\nmF\consent.exe
PID 1336 wrote to memory of 2456 N/A N/A C:\Users\Admin\AppData\Local\nmF\consent.exe
PID 1336 wrote to memory of 1436 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1336 wrote to memory of 1436 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1336 wrote to memory of 1436 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1336 wrote to memory of 1200 N/A N/A C:\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe
PID 1336 wrote to memory of 1200 N/A N/A C:\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe
PID 1336 wrote to memory of 1200 N/A N/A C:\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe
PID 1336 wrote to memory of 2504 N/A N/A C:\Windows\system32\wscript.exe
PID 1336 wrote to memory of 2504 N/A N/A C:\Windows\system32\wscript.exe
PID 1336 wrote to memory of 2504 N/A N/A C:\Windows\system32\wscript.exe
PID 1336 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe
PID 1336 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe
PID 1336 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d941d4f0bc1d1f47611a7b8ce5c05d.dll,#1

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

C:\Users\Admin\AppData\Local\nmF\consent.exe

C:\Users\Admin\AppData\Local\nmF\consent.exe

C:\Windows\system32\rekeywiz.exe

C:\Windows\system32\rekeywiz.exe

C:\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe

C:\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe

C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe

Network

N/A

Files


C:\Users\Admin\AppData\Local\nmF\consent.exe

MD5 0b5511674394666e9d221f8681b2c2e6
SHA1 6e4e720dfc424a12383f0b8194e4477e3bc346dc
SHA256 ccad775decb5aec98118b381eeccc6d540928035cfb955abcb4ad3ded390b79b
SHA512 00d28a00fd3ceaeae42ba6882ffb42aa4cc8b92b07a10f28df8e1931df4b806aebdcfab1976bf8d5ce0b98c64da19d4ee06a6315734fa5f885ecd1f6e1ff16a7

C:\Users\Admin\AppData\Local\nmF\WINSTA.dll

MD5 20498b24731d8a6cf17865361ea8a819
SHA1 7799b23b9823af56cba2f20ec82ef76eff1ec73b
SHA256 0d36a6f3fa72984da71fcd0b69ba260ce3fbcba07c05fe41d067679c0c771587
SHA512 51acaa2a7599f9be226adf3db65938d3998125b8ba6c076a3e3ff83f158b199d4e8170090e41d0a93fd087dd07dd07d1e7f69e451010e75e74dfd0ca8fd46fff

\Users\Admin\AppData\Local\n7jmwIl\rekeywiz.exe

MD5 767c75767b00ccfd41a547bb7b2adfff
SHA1 91890853a5476def402910e6507417d400c0d3cb
SHA256 bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
SHA512 f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

C:\Users\Admin\AppData\Local\n7jmwIl\slc.dll

MD5 96e2f0de131df664ea78ffbf61bd91f4
SHA1 dcc279d24bb93f6a8f36a8592a76bcdb6bc8ab3b
SHA256 80b640a5c7c622b0c20fe6ba7d73d61a197d07684b2e0b791707373b02e1f682
SHA512 08042bc5ed96f605d676d0bf7501dd6c0c27eadaa450673d89efcfa650c67e46e2a64a76d83d778c4723db21066ef0bc923a22ea11c1d40e2d3740a9d45f5755

\Users\Admin\AppData\Local\n7jmwIl\slc.dll

MD5 d1bdc2dc25fc70bc0196c0ff185cca28
SHA1 b3ab5ba55f6d9ef1f9c8e096ba5d066db6f0a90b
SHA256 408b8079536e714715966e950b60a24781f7ba2bfdf8c9992204d912b8710342
SHA512 ce6e78df07dda6e15f2dc97a991d4ef04ab85bfd2fa1786f4956932ee5059355e7d34f67384671de27a9777ffcb9a080103d5873d67039eb8eaa1ec3ce766fad

\Users\Admin\AppData\Local\S7ob6AW\wscript.exe

MD5 8886e0697b0a93c521f99099ef643450
SHA1 851bd390bf559e702b8323062dbeb251d9f2f6f7
SHA256 d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
SHA512 fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

C:\Users\Admin\AppData\Local\S7ob6AW\wscript.exe

MD5 b464c81bbf5206b7eafe6c6d0a466e31
SHA1 2e38283f8d7e3cce25571aee0c7c047bb9e590d9
SHA256 8912cca64645c1b1b4339b6eb7824ff2b312fcc865d4e580252e45381a8e5719
SHA512 73e9b46174240bcdadcf6e410c0856179a9fae5d3ec8d875b08f190e357778675ccf801cc0b47f95ccc72f7069e2fe86f0edb6e27c3fe5789d228bcaa516e3cf

C:\Users\Admin\AppData\Local\S7ob6AW\VERSION.dll

MD5 2f50edab6ea1c65fa3881fd28a3c0b85
SHA1 d5cf691f8de06d7c4eb67031293436560f162d4e
SHA256 b17f7bc8962e1d9b71f6de690f42f5b0f38c33dfbb0b5b6bf1e84cef97f2350b
SHA512 2882cd79d6b86d0851eed2132c77b938bb5180468b653a5375d5a12b6f144aa50c577a820aa06ffb95b049cb871a0a04b8a12986edbbf6b517b987aa80d08d5f

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 d254be37fc481cc40a9a1f27e10cf209
SHA1 7e7a6c9f28cf2a37e8b6c2298fdc4a2328cec7bb
SHA256 60fedac7b79c2e06f181609c24ff63ba91322b60472b37e479affd2e575b5343
SHA512 22b2694617ef1419b3a051b46ac1e3d54b957b4c48d1e606b3e85ba7191b27a8efa5e14ae20f246dc287b8e4c51b0975863b08fbe0bad94f96bb799993c47fe8

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\fhhwBy8kM\slc.dll

MD5 7d1ac477b19a81051d544b25fb83d3fb
SHA1 5e56b6a80f7d5d1b16adc0ff0999b3b6ae77c0ff
SHA256 04308e59f1b707bfba38e7d20424ffb219d3690674b63cda08505e7dbedba7d7
SHA512 41bd9fef9cc332fdaf4703a41dfed605823a301db861f6eb03761ad499c107dba504f7fcc98e45d4bccc06df9a8e590911d75b4c5c2c86e6b2759788c5f61145

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 23:33

Reported

2024-01-23 23:36

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d941d4f0bc1d1f47611a7b8ce5c05d.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IYOGOA~1\\wbengine.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3420 wrote to memory of 2228 N/A N/A C:\Windows\system32\WMPDMC.exe
PID 3420 wrote to memory of 2228 N/A N/A C:\Windows\system32\WMPDMC.exe
PID 3420 wrote to memory of 3088 N/A N/A C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe
PID 3420 wrote to memory of 3088 N/A N/A C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe
PID 3420 wrote to memory of 2256 N/A N/A C:\Windows\system32\wbengine.exe
PID 3420 wrote to memory of 2256 N/A N/A C:\Windows\system32\wbengine.exe
PID 3420 wrote to memory of 1488 N/A N/A C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe
PID 3420 wrote to memory of 1488 N/A N/A C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe
PID 3420 wrote to memory of 1192 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3420 wrote to memory of 1192 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3420 wrote to memory of 2940 N/A N/A C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe
PID 3420 wrote to memory of 2940 N/A N/A C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d941d4f0bc1d1f47611a7b8ce5c05d.dll,#1

C:\Windows\system32\WMPDMC.exe

C:\Windows\system32\WMPDMC.exe

C:\Windows\system32\RecoveryDrive.exe

C:\Windows\system32\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe

C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe

C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe

MD5 49962542f81528145cd3cda238746aa6
SHA1 a3ad40353c83dcab970e217d6b5835c0452e735a
SHA256 4714ad5b0e6cc3054042b510e0d594a02c97f0429a3966749dfff6011631e55d
SHA512 1f9f167c3274abbad7bb1875022ad55e053c00597fe8aadca9d44f9b7b4203c55c47c0060aab79b38be4d97b00df47fbad732e9e79e12fcddc263e5b84c0f3ea

C:\Users\Admin\AppData\Local\QbEKq\WMPDMC.exe

MD5 8d4184e72cf1958ba8d0801b3d1dd587
SHA1 de09c8d315949b3a995a11d82ff85ed4a00bdec8
SHA256 265b572d68f2424baa98c5b15d5450a50e750b57a75b8359bdb142b18a9e1b05
SHA512 ecb5b9a2c99069f2e87d89f02069156789a15e1d20e976116caf9f6f6f885e234a6f2d9409308a63c98b8b2a2bed21c81fd9364eb29de20412234b9691b29c54

C:\Users\Admin\AppData\Local\KEKwB9\XmlLite.dll

MD5 f6cbdeb7fbe098b50ada4f5f504d6cc2
SHA1 bde49b91de8d72a75d45d379e84ed206c9d11933
SHA256 0a7e7a21d8f3454fbf4bd74496c43e8ba98fbae8495482e734f64330bb77860d
SHA512 95673344d7add14980de9531e5bc947e25149ca80001a54d92e453ba398ecba9afc794ad681eb197cfcfd33b73f2f990098b607fd5e4765299d1f24fa7e2b0a6

C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe

MD5 2fe2a1150f66da9fe541de948b8d0826
SHA1 7f73274b542d3d6c379271d1982ec63ef35f06e6
SHA256 adda884b2d4a27d0815ddd9c9320595f695cbdd3229e9544a2d2bc129dce1fd2
SHA512 93db05dafeb907b44dc37854d0f297a956dda032c8ed6250b13bbeb40192012eed5216053ad9e8cea258134df43df1b153b9cd7df6963b82cb1dc432a8ee4664

C:\Users\Admin\AppData\Local\KDDMrF\UxTheme.dll

MD5 91760a547a469aa0224f80c4e94da8b2
SHA1 b73b9be814ecccd1117579fff841ac56e3684995
SHA256 efb5ade41a13875e68f6a8be44747c79b3859060798a879bc243d77e1d890d62
SHA512 f308b7bb51be0eb043f2bac4b9d65128476ab77f8ad59d8c0c36d76ee598c88a43c2b0316c443c6b25b81721c97399879eb56a8d07b5037f7f9778cc0aca959f

C:\Users\Admin\AppData\Local\KDDMrF\UxTheme.dll

MD5 82020c7761eacda5920e6b60e99e8779
SHA1 576506d82a0701fc3f9fe8b51adc80890802af51
SHA256 980d6ffbc37f1efb0e7f67a97dd4b255f6597aebd4f598fe8304f06c02997d1b
SHA512 6e8f0c4f6d4c0447e46ca3f26e09246468eb5ecd6789076e8abc2d78de3ce3441bbdfe1e0b0048ef72aee87b6e02230b2280c4002f2ac413936cfb494d2265e6

C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe

MD5 52ade092db507528dc40c142fc0e44c0
SHA1 2a9586f571290df73f4718ad61fd62f36032e981
SHA256 c77cae909765589ea5edf000bd6cc6e47e10a321a9568f77c4117cc133cf4412
SHA512 1cae050d64d046e4f7e8ba0be63aafa7d9c81af8a3a057f670a621e0fbaf421cf9c868e51bd1ba91299d0d51a3030d9a931feb31f89936e08a2928a561fe453e

C:\Users\Admin\AppData\Local\KDDMrF\RecoveryDrive.exe

MD5 9e07dddae4fe2fac394befc7f4766170
SHA1 95d7869750b18f3908445f5e5bd54709fcff45d3
SHA256 4e36f73a29533254cc44ec0e61714a290e4129cc66831eb6447993092c1bae1f
SHA512 e93500a09e42c7e61e7ad3287adff3561c1e1fe327c5fda3655b10f19f8608f61d87f6a0a70e2fb0a565035c3d54f282620180464b1424995f45a7e6e461b2f0

C:\Users\Admin\AppData\Local\KEKwB9\XmlLite.dll

MD5 562b9ee74a341ecb582e806465510656
SHA1 23a4fe9db4d13a2754f4e1a249bd1cbcddc45dac
SHA256 8ce831e4ffa5f3fc76c4c36b3d2a295573eec062adfc4597e29ddc8a8445464b
SHA512 1ec1e45b1a42f2a0d01c2df83841178ed9eddbed66e11d6e5d6be7053144dbf14fd2147c970ec791f5ea60dacbacf822812b8350a8f73887642c54d4865a7822

C:\Users\Admin\AppData\Local\KEKwB9\wbengine.exe

MD5 5f41a263d0a325c1515dc217040bf8a3
SHA1 b691b5cdc936a8e58d1ff39364987159099436d9
SHA256 1e47922237744c3fb3f484a06e0a650ea61b5dc341ea200be987108521b86fde
SHA512 909d4ce409d008fa3100e95dd090f3534d414779b45116e45dd1f9eed43b4762bd3434607067320f025325fabf3e2c9b33ba5efcf30fc0b5f2073bbc80a2c070

C:\Users\Admin\AppData\Local\QbEKq\UxTheme.dll

MD5 2797de3c7bea458794a05e5c3fabfef6
SHA1 eacc7d7cf8faea4ab2395021fb78a14ae90321ea
SHA256 63292e2c36ff19fd5bd013e16c1f98306ade84342fb3674097621bcdaede6e23
SHA512 9923ca1d4c03b3ba22e4374f1b6536d2ae9ffdd5aaea529277ab68df47e3ac9a7c523bb5fce0a7cf6ad3069608381ed259b6f55582cf9ef97fbc09402ff53f9b

C:\Users\Admin\AppData\Local\QbEKq\UxTheme.dll

MD5 99f1edc3e0fa63da2f400197085fbef8
SHA1 4dc560fe5988d3e42cc26d0f45ed37a8dae80b31
SHA256 4e1fc97cac3db6120835f30787360c9c2b4544391f2880b8da28c8bf3557d026
SHA512 5ab8d3c227a362c8bacc498d074f3efb1299f79d835e83501164891710b932418c2bbc060baa830e0c9204c3ed9ad01b7023eae02354c749bf52778626c6851d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 2027f6d684167f0467856e4fc20814dc
SHA1 09364a18cf647d90c6b4b9c016ef86663a15b709
SHA256 092e8c2fa6b94c6bd5d4b3bf228dbdd74d5513fa3e7f72b684401666fe72ec0e
SHA512 06c9c5d3fd5262a27c9d6aa011dc1973fbfa6a152c5f9994a1f878c2042d6de8b017d1eb8bee64eeb66442f2f422cee818672b04dd6f7ebf5b29985664f995dc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\27\UxTheme.dll

MD5 55a43a93aeb047ea7e848eb9e7e7b1c0
SHA1 9499c7c2db525fde3771e7936e567ba0f0227792
SHA256 98826b25fe1d109f1d2d9ab993fd57f9a26e6104550071a791c792d69118f692
SHA512 67f2c0b2519204497a52a857dd2e352b0428bb09a9dacb841ac301c582d5f6ad9d1152092c847c09641905e796c3d1b49027f677cf51d953cbf39c90b9f6501d

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\iyOgOacQ9LD\XmlLite.dll

MD5 d8483d37fa563e49ed2a3a51a17b83cd
SHA1 e63786ca7649262cb371bb7ed42bedd39f1eed59
SHA256 4e8c0572f402b59aa4e05b06bc55ed4894422779fe7042ac86599369250cfb36
SHA512 706f56ebc6e5af648d020fea1e23f8688344c6dd72ef9a5a036d9e60d0ce1d0a05cc0c2bcd0740978f4bd669c4651cb24e86f61cb76a61ad6c47311e310e8f00

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\w285\UxTheme.dll

MD5 63eea6391c95980c0394cfe5a1e7ffe4
SHA1 74d6bb67f5a4363cb64d57a44b69bb9467b2516b
SHA256 938622fb48c67b127b266b57b64e1a1e0fe00abffbf4e7f19a71610b623be4f9
SHA512 4ce8b83218d794d77defe45f54fcf73d554fd9210ca23672378701fd2fe28a6471a762f223f978cbe0133cb149b5c61b3556f72eb0db94254d53a1c472c5d764