Malware Analysis Report

2024-11-15 08:50

Sample ID 240124-21hg5abbck
Target 7315a7e24b903536485987c77dc91956
SHA256 17b5bae1fc1b7efdbcd4dc107c246ffe24201cdb7e3bafe80e23b7e5f3c1169b
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

17b5bae1fc1b7efdbcd4dc107c246ffe24201cdb7e3bafe80e23b7e5f3c1169b

Threat Level: Known bad

The file 7315a7e24b903536485987c77dc91956 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 23:02

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 23:02

Reported

2024-01-24 23:05

Platform

win7-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7315a7e24b903536485987c77dc91956.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description | Indicator | Process                                       | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\gMz\wscript.exe  | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Local\Hjs7J\msdtc.exe  | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Local\AUG\icardagt.exe | N/A

Adds Run key to start application

persistence
Description     | Indicator                                                                                                                                                                                                    | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\ZJw\\msdtc.exe" | N/A     | N/A

Checks whether UAC is enabled

evasion trojan
Description       | Indicator                                                                            | Process                                       | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe              | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\gMz\wscript.exe  | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Hjs7J\msdtc.exe  | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\AUG\icardagt.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\rundll32.exe | N/A
N/A         | N/A       | C:\Windows\system32\rundll32.exe | N/A
N/A         | N/A       | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description                      | Indicator | Process | Target
PID 1336 wrote to memory of 1036 | N/A       | N/A     | C:\Windows\system32\wscript.exe
PID 1336 wrote to memory of 1036 | N/A       | N/A     | C:\Windows\system32\wscript.exe
PID 1336 wrote to memory of 1036 | N/A       | N/A     | C:\Windows\system32\wscript.exe
PID 1336 wrote to memory of 860  | N/A       | N/A     | C:\Users\Admin\AppData\Local\gMz\wscript.exe
PID 1336 wrote to memory of 860  | N/A       | N/A     | C:\Users\Admin\AppData\Local\gMz\wscript.exe
PID 1336 wrote to memory of 860  | N/A       | N/A     | C:\Users\Admin\AppData\Local\gMz\wscript.exe
PID 1336 wrote to memory of 1564 | N/A       | N/A     | C:\Windows\system32\msdtc.exe
PID 1336 wrote to memory of 1564 | N/A       | N/A     | C:\Windows\system32\msdtc.exe
PID 1336 wrote to memory of 1564 | N/A       | N/A     | C:\Windows\system32\msdtc.exe
PID 1336 wrote to memory of 940  | N/A       | N/A     | C:\Users\Admin\AppData\Local\Hjs7J\msdtc.exe
PID 1336 wrote to memory of 940  | N/A       | N/A     | C:\Users\Admin\AppData\Local\Hjs7J\msdtc.exe
PID 1336 wrote to memory of 940  | N/A       | N/A     | C:\Users\Admin\AppData\Local\Hjs7J\msdtc.exe
PID 1336 wrote to memory of 1552 | N/A       | N/A     | C:\Windows\system32\icardagt.exe
PID 1336 wrote to memory of 1552 | N/A       | N/A     | C:\Windows\system32\icardagt.exe
PID 1336 wrote to memory of 1552 | N/A       | N/A     | C:\Windows\system32\icardagt.exe
PID 1336 wrote to memory of 1612 | N/A       | N/A     | C:\Users\Admin\AppData\Local\AUG\icardagt.exe
PID 1336 wrote to memory of 1612 | N/A       | N/A     | C:\Users\Admin\AppData\Local\AUG\icardagt.exe
PID 1336 wrote to memory of 1612 | N/A       | N/A     | C:\Users\Admin\AppData\Local\AUG\icardagt.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7315a7e24b903536485987c77dc91956.dll,#1

C:\Windows\system32\wscript.exe

C:\Windows\system32\wscript.exe

C:\Users\Admin\AppData\Local\gMz\wscript.exe

C:\Users\Admin\AppData\Local\gMz\wscript.exe

C:\Windows\system32\msdtc.exe

C:\Windows\system32\msdtc.exe

C:\Users\Admin\AppData\Local\Hjs7J\msdtc.exe

C:\Users\Admin\AppData\Local\Hjs7J\msdtc.exe

C:\Windows\system32\icardagt.exe

C:\Windows\system32\icardagt.exe

C:\Users\Admin\AppData\Local\AUG\icardagt.exe

C:\Users\Admin\AppData\Local\AUG\icardagt.exe

Network

N/A

Files


\Users\Admin\AppData\Local\gMz\wscript.exe

MD5 8886e0697b0a93c521f99099ef643450
SHA1 851bd390bf559e702b8323062dbeb251d9f2f6f7
SHA256 d73f7ee4e6e992a618d02580bdbf4fd6ba7c683d110928001092f4073341e95f
SHA512 fc4a176f49a69c5600c427af72d3d274cfeacef48612b18cda966c3b4dda0b9d59c0fe8114d5ed8e0fec780744346e2cd503d1fd15c0c908908d067214b9d837

C:\Users\Admin\AppData\Local\gMz\VERSION.dll

MD5 f301ce161f4e5901bebc84edd901b633
SHA1 5f83391c8e688a7e44ee5fb6502db12bf59c7490
SHA256 0ca37c01232d26c506161be201a8a5685a970f6c3745410b26dc6ae16ace56c8
SHA512 55a6a833c688aefe89fe6d68d30f8ee95578d97f148a737bd009f8c086d7a789d945b390a9cacbab68f811bfd3e1976f8e1deb3d34e8f5403f22d4e4f1387bed

\Users\Admin\AppData\Local\gMz\VERSION.dll

MD5 9bf0a0010974f2e6c7e2ab90066b57aa
SHA1 4710d39a533d994acefea96074bb2a45985a36b5
SHA256 ded74e8affe0ca3f41904cb0c98b233d3eab76d85644c31e154c99babf4289a7
SHA512 6947f0fb7c011f7e6e76d90bde2cebb0e192a8666f008b4eae0d1a08542175836ef85ac727661294fe7073ff814aaded71f3f52c33a70463cbdeac126af618e8


C:\Users\Admin\AppData\Local\gMz\wscript.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Hjs7J\msdtc.exe

MD5 de0ece52236cfa3ed2dbfc03f28253a8
SHA1 84bbd2495c1809fcd19b535d41114e4fb101466c
SHA256 2fbbec4cacb5161f68d7c2935852a5888945ca0f107cf8a1c01f4528ce407de3
SHA512 69386134667626c60c99d941c8ab52f8e5235e3897b5af76965572287afd5dcd42b8207a520587844a57a268e4decb3f3c550e5b7a06230ee677dc5e40c50bb3

C:\Users\Admin\AppData\Local\Hjs7J\VERSION.dll

MD5 6cb5da01b3c308053acc932a666da9b4
SHA1 24ae405cd4f9e64ef4ee71cc0060ca1376c0bf3f
SHA256 513e685cb234c597bfc0b1fd5943a134ad43347a7cd052fb61651df1e3d2b7c6
SHA512 c684358c469b2b9c3379fb3cfe500f02ccd4e191e4c7ed87600fae8f6f130b3d4893eff876c7045e6f84221e31d13cb58f00fcf79ec4f86a7322935903aa8a80

\Users\Admin\AppData\Local\Hjs7J\VERSION.dll

MD5 647d63dd709fea183e7ff4abd4beeddd
SHA1 781aba8a06fe07f331a8142d7b9057292d571d20
SHA256 175503d866f535352d45f9b657f7e503cb71fa605683963876c08a975a52282e
SHA512 12f90397896c7877c74e1a641042b2d2c5a4547d520638368eb312a9cfa67032c968a78f476b9c5fbe30cfe1b253a6d964429aac3135485decdc6d5324328e12


\Users\Admin\AppData\Local\AUG\icardagt.exe

MD5 2fe97a3052e847190a9775431292a3a3
SHA1 43edc451ac97365600391fa4af15476a30423ff6
SHA256 473d17e571d6947ce93103454f1e9fe27136403125152b97acb6cad5cc2a9ac7
SHA512 93ed1f9ef6fb256b53df9c6f2ce03301c0d3a0ef49c3f0604872653e4ba3fce369256f50604dd8386f543e1ea9231f5700213e683d3ea9af9e4d6c427a19117a

C:\Users\Admin\AppData\Local\AUG\VERSION.dll

MD5 1feced945acdba9cffa5857aaf4cf3b1
SHA1 f2e6379208a8805cffdc5697d81039fe7c1acd5e
SHA256 0a57215cfc9614a7a1e91fd0c2c783558e2c90f8074d2508a683346905715e70
SHA512 7f875feef529cba7895a82507fc97645da754d61531d8efbaf3609efa412ff2a0c40d6d735cecce2493ac51528ad7e845c8650b9182509a893b4b9d7ef179e86


C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 d7560a198e835b762d7f29ad7948b4f0
SHA1 de190517f4235553696fe11da3c35df232cb31a6
SHA256 e8b1f13dad3831f33dd01fff3956d8f3bffc67fa705bd93090464d625234210c
SHA512 acfc3b4c9d70618a54444883c04c31e200048e2c364f0ce9257bedb13f8ad1c3f5848ce9a270670bf12280c8c9bc9fd62359f71f5b2250fe006820c8049f341f

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\S0\VERSION.dll

MD5 91f2f20b0cec218466f6022cb7092aec
SHA1 f115a3a5367492dcd7f75c45a9cc9860f6ae0ba5
SHA256 50cca8d5eb9493a36055935c91f0dfd73bde6f61d1eb1fc6458eedbc1a6130ef
SHA512 094a50e80ca34fd62303fa912e501d05fb8d743897c542d53872ed41d53dd3f93c796abe5b978377ff5201d1ef4f10d817fc64d5a9b00441861b609574aa72aa

C:\Users\Admin\AppData\Roaming\Identities\ZJw\VERSION.dll

MD5 86730aa899ad6b76e3af31a5aeb6ea0e
SHA1 e76113e2615dfb8eceac823c439d2f2be3dd5763
SHA256 9541a2e6b0ea8e86a5c25687e67a2b00d494cfad903f717cce643822ac961c1c
SHA512 8461a7b9dc262db561143c34b704ac599e147d7e5358d4aebfc0c0f8b3bfa7b288d4a36dec1c8cd496ffd2dfa41c1a2bb220e7141eee70fdc1b583bba1f0ba77

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 23:02

Reported

2024-01-24 23:05

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7315a7e24b903536485987c77dc91956.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description     | Indicator                                                                                                                                                                                                                                   | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\hWbJ7o9\\SYSTEM~1.EXE" | N/A     | N/A

Checks whether UAC is enabled

evasion trojan
Description       | Indicator                                                                            | Process                                                                 | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe                                        | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe                           | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe   | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe          | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process                          | Target
N/A         | N/A       | C:\Windows\system32\rundll32.exe | N/A
N/A         | N/A       | C:\Windows\system32\rundll32.exe | N/A
N/A         | N/A       | C:\Windows\system32\rundll32.exe | N/A
N/A         | N/A       | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description                      | Indicator | Process | Target
Token: SeShutdownPrivilege       | N/A       | N/A     | N/A
Token: SeCreatePagefilePrivilege | N/A       | N/A     | N/A
Token: SeShutdownPrivilege       | N/A       | N/A     | N/A
Token: SeCreatePagefilePrivilege | N/A       | N/A     | N/A
Token: SeShutdownPrivilege       | N/A       | N/A     | N/A
Token: SeCreatePagefilePrivilege | N/A       | N/A     | N/A
Token: SeShutdownPrivilege       | N/A       | N/A     | N/A
Token: SeCreatePagefilePrivilege | N/A       | N/A     | N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description                      | Indicator | Process | Target
PID 3560 wrote to memory of 2196 | N/A       | N/A     | C:\Windows\system32\wermgr.exe
PID 3560 wrote to memory of 2196 | N/A       | N/A     | C:\Windows\system32\wermgr.exe
PID 3560 wrote to memory of 1140 | N/A       | N/A     | C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe
PID 3560 wrote to memory of 1140 | N/A       | N/A     | C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe
PID 3560 wrote to memory of 832  | N/A       | N/A     | C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3560 wrote to memory of 832  | N/A       | N/A     | C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3560 wrote to memory of 3664 | N/A       | N/A     | C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe
PID 3560 wrote to memory of 3664 | N/A       | N/A     | C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe
PID 3560 wrote to memory of 8    | N/A       | N/A     | C:\Windows\system32\WindowsActionDialog.exe
PID 3560 wrote to memory of 8    | N/A       | N/A     | C:\Windows\system32\WindowsActionDialog.exe
PID 3560 wrote to memory of 944  | N/A       | N/A     | C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe
PID 3560 wrote to memory of 944  | N/A       | N/A     | C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7315a7e24b903536485987c77dc91956.dll,#1

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe

C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe

C:\Windows\system32\WindowsActionDialog.exe

C:\Windows\system32\WindowsActionDialog.exe

C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe

C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe

Network

Country | Destination      | Domain                       | Proto
US      | 8.8.8.8:53       | 0.205.248.87.in-addr.arpa    | udp
US      | 8.8.8.8:53       | 209.205.72.20.in-addr.arpa   | udp
US      | 8.8.8.8:53       | 69.31.126.40.in-addr.arpa    | udp
US      | 138.91.171.81:80 |                              | tcp
US      | 8.8.8.8:53       | 95.221.229.192.in-addr.arpa  | udp
US      | 8.8.8.8:53       | 149.220.183.52.in-addr.arpa  | udp
US      | 8.8.8.8:53       | 157.123.68.40.in-addr.arpa   | udp
US      | 8.8.8.8:53       | 15.164.165.52.in-addr.arpa   | udp
US      | 8.8.8.8:53       | 134.71.91.104.in-addr.arpa   | udp
US      | 8.8.8.8:53       | 178.223.142.52.in-addr.arpa  | udp
US      | 8.8.8.8:53       | 14.227.111.52.in-addr.arpa   | udp
US      | 8.8.8.8:53       | 177.178.17.96.in-addr.arpa   | udp

Files


C:\Users\Admin\AppData\Local\hfh2T\wer.dll

MD5 89699660c36e2f026cf5419b90c685f4
SHA1 297ac8a9c23a48fa41fe18189a3b87abc35e5a11
SHA256 9f43af45382abe74baebd1a49bb979ff9ecd861a730ee31e3eee1fd4bc909153
SHA512 c54ceee340137e61925875b5ad28d808ff9eb20121998289964139542726bb811677ff195f3f37d803210d1123b3b97ffb122da0520fb66d59ec0498b2da5dd9


C:\Users\Admin\AppData\Local\hfh2T\wer.dll

MD5 30036a22f610fba4cba7a6e73f29b0cc
SHA1 d81de8a459b18939f127176bf6079864024b7717
SHA256 45ac2a17e2cb0eeac42a91cef1ef65e83405a8f90bdf7935d74b3385684de27a
SHA512 1ca05fb5bb7ab6392d0b37c812ba895aa606c5a381ad657916d83269b0a58226e928eee241a568451a72abd4336f464639e053c93dd8cd0fda773508595dea49

C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe

MD5 230ef8b1058b75e97f084989c74dc96b
SHA1 f6e1a353feae755573ecb1d31f255c42dd2665b6
SHA256 d6ae5bfd214bd94d4b9984a689c188e814d0513a8eb3c5211c33526f9388772a
SHA512 9a1a0b3f6cd7b6ab58f44dfa20f736475795888ccc13ad894a07439a158956fc8d4e84c19a3af522d4124ee3ed89631b0869e04dfb1e5b8c9787c3a9536b0f91


C:\Users\Admin\AppData\Local\hfh2T\wermgr.exe

MD5 81eb3cae0925383c3f6ea5ce082adc6a
SHA1 fea6e79f859ceeccdce73ed1a6bebe14564251b8
SHA256 7b091829e990568a6b42f482b3163895e36bd5654f4fd0eca370e3033429ea22
SHA512 33bda227dac25b17d6f7bd7a3ce74f6d6bd9647af8c7bbca03921e4fb92d80808f3295265d5cb1ae30e3a52728540313904d563f3b7dcdabd61e17aaf09d2d33


C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe

MD5 dd4ca15d85b439dfd9a0defb21597de1
SHA1 f85f568a6150bea37cb3b408f5d1fa0515d676f4
SHA256 79d3f31067d0d1583769f4ad37f52e641c5e2c2519763ec05507ea13c692b85a
SHA512 aa2b96297d8311b35bb7b4882646a229ba60a4e53db724a5cc8de04c923dd36dc3ecfd782b7e1971a1a2de1411342fd753e07a6548a7e829f4faf3bb7197e29e

C:\Users\Admin\AppData\Local\XMFFPoOS\SYSDM.CPL

MD5 7eecc70a2af6c67cbf073a1a9877a8d2
SHA1 298ea5133202bba47d16a7bffe92c0d079913b7d
SHA256 9545225d34644d38838307a53c4bad67c8e0b875a3492976d794e37e847a2b08
SHA512 06e79c88db8cdd8ca64c415c0635ebccf786a60c0afb0d52540e4d30576bfb2d2d9a63f15e04c0ecd1510ed154683967ebb4b71404a78d8be417cc61ab14b9e2


C:\Users\Admin\AppData\Local\XMFFPoOS\SYSDM.CPL

MD5 ce33dad82399d6ac36fc44c84068a255
SHA1 9d8ae4c44ed4ab3dc7437fcebd2214cf90ab9bd8
SHA256 cc77a05cb6bbe2f6485fb0705444525f316ceb94aad066b929fb0f6e306d64d3
SHA512 beb46d76e4a60d13ef872ca9fa60ca289fef6692a946c6a221411c31efdfd0150dce4d8a4e21b616183b74228f1c65bf2fcc402a5bf7a89293a35ef932185a78

C:\Users\Admin\AppData\Local\XMFFPoOS\SystemPropertiesPerformance.exe

MD5 e4fbf7cab8669c7c9cef92205d2f2ffc
SHA1 adbfa782b7998720fa85678cc85863b961975e28
SHA256 b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
SHA512 c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6


C:\Users\Admin\AppData\Local\q9oRT1OQu\DUI70.dll

MD5 2cd7579f6042e8f71f4109c109c6bab0
SHA1 d239821a4201902114faf58ae60a47063de836af
SHA256 d2ab351d90dfc440a0229930d0e03141226f77b702ed189fa4e094da1055403c
SHA512 be6c467baef91e196efb3b215904c0756f8b1e2b3b933dc387afdbfef07a29ab686cee37f52415a0d4030e0a62a371e222ff6abc29c208b606ba3bddfaa04591


C:\Users\Admin\AppData\Local\q9oRT1OQu\DUI70.dll

MD5 7af5e968c0ca0ad5cc33dc0538bb782f
SHA1 7ea7d55ccf187e8baea28031481f75f4180e4280
SHA256 9eae608108dbfc93a752d04e8fe30cda745e717c9c139586a5e9a039833375dd
SHA512 4fdaa2886cb869104c29dc525bf61bb45662bf03e054961c3a55bbe3bbbdcfa6f61207bf230c05fd7a67425730a1d95b11659fab03dc60a5ff434e8a8b38a75a

C:\Users\Admin\AppData\Local\q9oRT1OQu\WindowsActionDialog.exe

MD5 73c523b6556f2dc7eefc662338d66f8d
SHA1 1e6f9a1d885efa4d76f1e7a8be2e974f2b65cea5
SHA256 0c6397bfbcd7b1fcefb6de01a506578e36651725a61078c69708f1f92c41ea31
SHA512 69d0f23d1abaad657dd4672532936ef35f0e9d443caf9e19898017656a66ed46e75e7e05261c7e7636799c58feccd01dc93975d6a598cbb73242ddb48c6ec912

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

MD5 8bfa0d03b77f9343a47c9aa3e42bac58
SHA1 4f9564bf241bfca52ea4d3023617fef8d3a7b047
SHA256 f2d4425ac4a58a52c8485c64b900471bf0ccca1781a1c778d5a2a24f283abb56
SHA512 26ed47dbc5d73465c44e017b5f947ef62b3c69750dd9826f33a87127f34db6b49ad8719e48b253d185ae946e7e974bf6d9c1db1e368b57aadd811f61ecfb1cad

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\9w16\wer.dll

MD5 4779f3f8fe070c35bfe0c2a4d69515e9
SHA1 8121a4bcbdb0685bd81e4599026615cbe30e870d
SHA256 67e14e9ac4cd27fa45496d73b9bff74a09e0548783538b98888fa38bb6fdae6b
SHA512 9668f4933008f9ac95ceac1a3c833ebd9dcd2bd5a68ce59e0331020e4632e7426f6e037a678188b12af8a0b87c9697f3ee8a01e48a005b3ff6d786c570e81961

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\hWbJ7o9\SYSDM.CPL

MD5 c1691a80aed6ac9ee6bd27b02f829b6f
SHA1 36e73f92b63faca833c2226b70913c27d7cae48a
SHA256 636978bff1f2258f21a5d8660e095b20c8341fcdc891692f82bd5a2d63fba15d
SHA512 d8b03f7950a98449b9bd169e84ff0406f048af0615d0a7f0effb9b84789d1f29570666117631f36f175fd77050e32c88a62f9d3cc0b308ab89b867eac8ede4a9

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Collab\g8NH\DUI70.dll

MD5 7a9b84a8a91d94fa1b9200421dec2df4
SHA1 86de5b54956dae1c805c4f12a8eb62e7a9399b1b
SHA256 12ba51f62ae8f3d2554f88dedacabc193e8ab5eed3a70b7f9324cb67128ba6a2
SHA512 0af9754e0a657b05bde0f76586d58b7b534248c9180f426264872b429f9cc3ff3a40d1948676039521192130751bc52760d5cef5badd9cdd5b08c5815ced9329