Malware Analysis Report

2024-11-15 08:50

Sample ID: 240124-degrpsghf2
Target: 7142569287a29d07ca328243db7a1f74
SHA256: 6d6b79a6bb6023fd10ffe393db35e78b77bc403f068b5ac7cfece64692b2edc1
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

6d6b79a6bb6023fd10ffe393db35e78b77bc403f068b5ac7cfece64692b2edc1

Threat Level: Known bad

The file 7142569287a29d07ca328243db7a1f74 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 02:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 02:55

Reported

2024-01-24 02:57

Platform

win7-20231215-en

Max time kernel

150s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7142569287a29d07ca328243db7a1f74.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\C6PQ\dialer.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\Pge2m\\msdt.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\C6PQ\dialer.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
(61 further entries, each recorded as N/A | N/A | N/A | N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1192 wrote to memory of 2776 | N/A | N/A | C:\Windows\system32\dialer.exe
PID 1192 wrote to memory of 2776 | N/A | N/A | C:\Windows\system32\dialer.exe
PID 1192 wrote to memory of 2776 | N/A | N/A | C:\Windows\system32\dialer.exe
PID 1192 wrote to memory of 2544 | N/A | N/A | C:\Users\Admin\AppData\Local\C6PQ\dialer.exe
PID 1192 wrote to memory of 2544 | N/A | N/A | C:\Users\Admin\AppData\Local\C6PQ\dialer.exe
PID 1192 wrote to memory of 2544 | N/A | N/A | C:\Users\Admin\AppData\Local\C6PQ\dialer.exe
PID 1192 wrote to memory of 1628 | N/A | N/A | C:\Windows\system32\msdt.exe
PID 1192 wrote to memory of 1628 | N/A | N/A | C:\Windows\system32\msdt.exe
PID 1192 wrote to memory of 1628 | N/A | N/A | C:\Windows\system32\msdt.exe
PID 1192 wrote to memory of 2920 | N/A | N/A | C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe
PID 1192 wrote to memory of 2920 | N/A | N/A | C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe
PID 1192 wrote to memory of 2920 | N/A | N/A | C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe
PID 1192 wrote to memory of 2872 | N/A | N/A | C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1192 wrote to memory of 2872 | N/A | N/A | C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1192 wrote to memory of 2872 | N/A | N/A | C:\Windows\system32\DeviceDisplayObjectProvider.exe
PID 1192 wrote to memory of 2864 | N/A | N/A | C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe
PID 1192 wrote to memory of 2864 | N/A | N/A | C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe
PID 1192 wrote to memory of 2864 | N/A | N/A | C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7142569287a29d07ca328243db7a1f74.dll,#1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Users\Admin\AppData\Local\C6PQ\dialer.exe

C:\Users\Admin\AppData\Local\C6PQ\dialer.exe

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe

C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe

C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe

C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

C:\Windows\system32\DeviceDisplayObjectProvider.exe

Network

N/A

Files

memory/1268-1-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1268-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1192-4-0x0000000076C06000-0x0000000076C07000-memory.dmp

memory/1192-5-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/1192-7-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1268-8-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-9-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-17-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-16-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-15-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-14-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-13-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-12-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-20-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-21-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-19-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-18-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-11-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-10-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-26-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-27-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-25-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-24-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-23-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-22-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-29-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-32-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-35-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-37-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-39-0x00000000024B0000-0x00000000024B7000-memory.dmp

memory/1192-38-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-36-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-47-0x0000000076D11000-0x0000000076D12000-memory.dmp

memory/1192-48-0x0000000076E70000-0x0000000076E72000-memory.dmp

memory/1192-46-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-34-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-33-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-31-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-30-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-28-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-57-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/1192-62-0x0000000140000000-0x00000001401B5000-memory.dmp

C:\Users\Admin\AppData\Local\C6PQ\TAPI32.dll

MD5 87dce7f113ce1244076dc611b1cc1181
SHA1 6e6deddc0ab65e69c684ff66176968cb4df98c7d
SHA256 714ee2009d9869bdf43f843af2d920367cb4e0d4e62f45ffdc40953730600dfd
SHA512 0bb0d229895f68aed4b8cf124f370ebcc14a14e4e3b4726050c65be8b068ad972bef56764657442c3bf99013d3f9a749d4a8b86475c4bdb957e52b8c9a70e5a8

memory/2544-77-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2544-81-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/2544-75-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\C6PQ\dialer.exe

MD5 46523e17ee0f6837746924eda7e9bac9
SHA1 d6b2a9cc6bd3588fa9804ada5197afda6a9e034b
SHA256 23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382
SHA512 c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

\Users\Admin\AppData\Local\C6PQ\TAPI32.dll

MD5 8228889237218d499bfbc8a83044b376
SHA1 957fe603593cbdc6b8be1af573b123a7f9ea1acb
SHA256 57326ffe1a199bd4896af98fb3dfa62f956c4526cd6693db3b439c570da0ec16
SHA512 5d44b84ba3bc504f0574cfb067f52af02c15ebc81906df02e1337416115a571216f1ebbf6ba92ad7ad2d508d8c8e111d2086d35a406921b90e9ffd4ee0d77352

\Users\Admin\AppData\Local\nlcR62a8n\DUI70.dll

MD5 058d610496e851e5b6b32d639e25e315
SHA1 4031ead23c79e423311dbf50fadd62738eb4a315
SHA256 a73fbf9ea33b0299e88ca6452eb6dbf0a931db450e598ab86b305ccf01bc44fe
SHA512 02adeecdfc97c458a59aad7cecf31766316a22325c9f84ef1a3f821f8f947b39ee2f0d49511ff9b4297b0a7ec7afd16204f8262a879fdece1f3e36a9a8282607

memory/2920-93-0x0000000000280000-0x0000000000287000-memory.dmp

memory/2920-94-0x0000000140000000-0x00000001401E9000-memory.dmp

C:\Users\Admin\AppData\Local\nlcR62a8n\DUI70.dll

MD5 1fb46e9d47984cda565618dc11399684
SHA1 895f9076c58df7415e4cbc7f3922c85720ae5d04
SHA256 b1e92baafe232d0f52302404633539cff0fa1c48bcacce99f50f79be8e5f8086
SHA512 be42a38f24a2bacd2d2b3915f964de595bdd9b854cd6aa92de44c8622bc560dbbcff274b844c41f9c83d62d02287399f860023d48541e8c64f2668a2e7e14d9a

memory/2920-98-0x0000000140000000-0x00000001401E9000-memory.dmp

C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe

MD5 1662e5a4cf1c0cd5e63244b35f3bd2a3
SHA1 a303fd86075be7ef4466506e23de608b5940b01a
SHA256 2c254699ab821031465e70005ac496ab6b1da3c2da1d4ac79cb80849a42e3a6b
SHA512 10fe194c07ac0ab2cfcb182ed2625f61ffdb53f1112486df6f7598b6426bd4ccc1016acbe2427b5c9f89516c306e8d97a5636c16d99b366a350fdc67220db7bc

\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe

MD5 530211fdd0e6ed7bbdf74a3af4c2c767
SHA1 0155adfc9d4a8088f82d8ee999cb53300112b822
SHA256 62a34bb8c0252836309da6dd079cb040c447339407c45fae5b80758ebf1947b0
SHA512 306a190d2b29765173a763928acee2dd571ac84cb9aad107c22dd0bb1b23925853d120f75417b02cd55235b7a95b62b00c00675f8ac08b606af9a50bbc325e2f

C:\Users\Admin\AppData\Local\nlcR62a8n\msdt.exe

MD5 0a552f1e62fd5328bb83db3d273c3db3
SHA1 44f9ef4e39b002265ebc190c27b30f38c42dcd2a
SHA256 04b2e2e11d44069379eb61b1a9c0bef8a1a3dc71ea7d81f20110e3368f9285ab
SHA512 fcd2e48539f39fcc0574d7fbf14e3f9c54b12f044af5d19220ec066bec7c086ce1f3c7119a5d2fb72277fe1e2cd7b3cf4002b3e876e91142f8db61775dc8d0a3

memory/2864-118-0x0000000140000000-0x00000001401B6000-memory.dmp

\Users\Admin\AppData\Local\juqf81\XmlLite.dll

MD5 0102165a38c46c3e9ed2a791fb18960c
SHA1 3b5f6cbdc92f355f08247f505869dcbc66b463c8
SHA256 dfefb88736426933cce32efaa10a02967064ebbb5be4985f75e91e0bf5d5db8b
SHA512 737570e00f4a6fe076ded9fe5633f6fd2a39a56aa12ace7eda076782ef4603c3b35ab18d0ce3c5936cedfb0113d2d0c94e2b77cb955754e8f009e08b4ce41e19

C:\Users\Admin\AppData\Local\juqf81\XmlLite.dll

MD5 897af3f9f864ebb548223b96d1c726d3
SHA1 0af783d3bf6faa7368eae6d090d06e13ca6d7815
SHA256 47031299ba92d377e11dc98785b77a36449dc1e5551ac31f6353054149d93b53
SHA512 f9c225ba1018a4b94ca6cc835d44db84588c15404d3ef2ff299f7b1acc198e64f0edbb67962db48c41893b9607e0fb21689c48b0ed42ebb0d65cb5026a5bdd3b

C:\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe

MD5 766bdc76c172eca7198e88bc35002825
SHA1 ef8ec7ed9f08c0b12b52fefc9f6a84548281dd3a
SHA256 d011aa8821ca757fe05f9678cfea839b68f3db7878d99fdefd667fafde2b8c6c
SHA512 edfea7f08a6b76b237e744f106ea2ffa848d34190475f73b911cc30abe00200ccbfa5c652bb3f632a1b450eba22bc6b32cd4d04d27d5d965ab211ea6be6c5251

\Users\Admin\AppData\Local\juqf81\DeviceDisplayObjectProvider.exe

MD5 65948731d59506bffe9157e6c357c8e3
SHA1 0daeb62efc36e43f1b0f526054bfb8acd3eaa40f
SHA256 488cb5d908475911dc8569543cbe5696b214aa5f439b2409d4984f2fe9d3d5ab
SHA512 9591a746ce17a418feb851e46aba242974463727f9bf51c696c22222e325f4325d5454e611ae49fe981e5f7f3a185100ad69e1a53c1f628c13cc8b0235fa89b7

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\5H5HnADA\DeviceDisplayObjectProvider.exe

MD5 7e2eb3a4ae11190ef4c8a9b9a9123234
SHA1 72e98687a8d28614e2131c300403c2822856e865
SHA256 8481a8ec19cb656ce328c877d5817d317203ba34424a2e9d169ddce5bf2cd2b0
SHA512 18b1a0637f48929972a463d441182307725ebf1410dd461a1966bd040ac5dcced138155b7c713bfc924ea2f7b39527a084a08b44fa24c3eb9c654871f99caabf

memory/1192-138-0x0000000076C06000-0x0000000076C07000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 31939b4d300f13c796c322003cf4f287
SHA1 c32efbd993355c8ac324122ea7475fd9962b1cfa
SHA256 89695c4d6d5fbdd602694943837a6ab8b0b2e4700db7b2adcfaac5dc78c30cef
SHA512 dd52c114054ab222ff299ae9ffb0ae343d5e184ef1d10c180961ae2bb989ca52b808bb714b55f5990c2ccbb937332e361374418f7405d749f919c89340d94c72

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GivzTUJV\TAPI32.dll

MD5 d6c41a675080bd6ecbce53aca58aa24f
SHA1 5beb48e5ae1a596b29d622564fb7fe1838f2d79d
SHA256 8c9ad5e4e9e1a21e05e48787a64d533b44a7c40fd213e9695ed96c765955884b
SHA512 39743f90250b5d778a67f49690aa66178cbae108525c3ab586a4b82711ef37ebf5c9a3a781358aa7c52550230653b2538710475d265ee930ffa06af2b66cd145

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\Pge2m\DUI70.dll

MD5 3ca7e7aff10214a70e9ca994261686ba
SHA1 8dbf76d5decd99de5462911b13c1489c7d1f76d3
SHA256 e3f884816a4ca4770059bedd158713fd54d306f1b53873c5e82c1b6c5738d31b
SHA512 2100672b3dc1d84f022f71cb78353ea71e13840d1d26b5806158d206a358d2c220c8d00ca937a9fd97a26de2d453aebfd15d367d03e15beba32db08f66ebfc0e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\5H5HnADA\XmlLite.dll

MD5 5fd2cea554adc4518e494f95c2b16b05
SHA1 096d7c2f71e624d5141847116de3d415271a1f24
SHA256 df376156000d2db0387a1413c8581d4d81215a8f6d90eb223ccbd928b4cb2988
SHA512 cceb42344d0290d81dbda7ec25d0109c5c2c36209b491b34196afe3fa47ff909eafc32b116fb743f1c5252e87689896cdea3ebb05b3492407275add2a3f14f39

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 02:55

Reported

2024-01-24 02:57

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7142569287a29d07ca328243db7a1f74.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qoccyyzfzcu = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\NW7CDrfd\\SYSTEM~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6GS\systemreset.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
(58 further entries, each recorded as N/A | N/A | N/A | N/A)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3304 wrote to memory of 4824 | N/A | N/A | C:\Windows\system32\FileHistory.exe
PID 3304 wrote to memory of 4824 | N/A | N/A | C:\Windows\system32\FileHistory.exe
PID 3304 wrote to memory of 2240 | N/A | N/A | C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe
PID 3304 wrote to memory of 2240 | N/A | N/A | C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe
PID 3304 wrote to memory of 3700 | N/A | N/A | C:\Windows\system32\systemreset.exe
PID 3304 wrote to memory of 3700 | N/A | N/A | C:\Windows\system32\systemreset.exe
PID 3304 wrote to memory of 3844 | N/A | N/A | C:\Users\Admin\AppData\Local\6GS\systemreset.exe
PID 3304 wrote to memory of 3844 | N/A | N/A | C:\Users\Admin\AppData\Local\6GS\systemreset.exe
PID 3304 wrote to memory of 3660 | N/A | N/A | C:\Windows\system32\WFS.exe
PID 3304 wrote to memory of 3660 | N/A | N/A | C:\Windows\system32\WFS.exe
PID 3304 wrote to memory of 2828 | N/A | N/A | C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe
PID 3304 wrote to memory of 2828 | N/A | N/A | C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7142569287a29d07ca328243db7a1f74.dll,#1

C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe

C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe

C:\Windows\system32\FileHistory.exe

C:\Windows\system32\FileHistory.exe

C:\Windows\system32\systemreset.exe

C:\Windows\system32\systemreset.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\6GS\systemreset.exe

C:\Users\Admin\AppData\Local\6GS\systemreset.exe

C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe

C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp

Files

memory/4812-1-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/4812-0-0x000001BD5C0D0000-0x000001BD5C0D7000-memory.dmp

memory/3304-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/3304-9-0x00007FF82CC1A000-0x00007FF82CC1B000-memory.dmp

memory/3304-8-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-10-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-11-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-12-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-13-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-7-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/4812-6-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-14-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-15-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-16-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-17-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-18-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-19-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-20-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-22-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-21-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-23-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-24-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-25-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-27-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-28-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-31-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-36-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-35-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-37-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-34-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-33-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-32-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-30-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-29-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-26-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-39-0x0000000002AA0000-0x0000000002AA7000-memory.dmp

memory/3304-38-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-46-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-47-0x00007FF82DC40000-0x00007FF82DC50000-memory.dmp

memory/3304-56-0x0000000140000000-0x00000001401B5000-memory.dmp

memory/3304-58-0x0000000140000000-0x00000001401B5000-memory.dmp

C:\Users\Admin\AppData\Local\WzbTceo\UxTheme.dll

MD5 fa27cf48d0e5c6b98a06f57b8c1aa4d5
SHA1 fef062c25c82718d3044ec4c74ee68795e3fd1a2
SHA256 35ed88b10eecffe46bcc900ada74b722e899e826218b01343fecde47fd91232d
SHA512 4e1ba7505fd157d1bbd8fe4cbe9f3657e31dea98369d0308ac1c153d1096a5c6f07d6dd0e06cf0ad74d985f6b6482690eb5167f386e08045a87bd063880d6696

C:\Users\Admin\AppData\Local\WzbTceo\UxTheme.dll

MD5 0110bfdbd98d5d71e2151d428fb5b509
SHA1 04934c22cb9fc4fce48d50e48d51730133921bf5
SHA256 668aa0e521c016871b166b9613a36fa623c72ce29700e96e46e33714b4c1b06a
SHA512 05aed0f37627ad4875b677bf708f947c984f82b534f16e5c3ec808515c622cb7679f422e92ac13ca13b7aed2cd6795682503449c7750288b47c386940ea48b63

memory/2240-67-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/2240-69-0x00000155047F0000-0x00000155047F7000-memory.dmp

memory/2240-73-0x0000000140000000-0x00000001401B6000-memory.dmp

C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe

MD5 9c89a8c52e1e7b9af55df36ee6ee9b06
SHA1 a302aee07e67c112cdb83ba24ddf2e454642d39f
SHA256 90f277f3d3082ad84b2269197eaaf933a82c685f9b697e781258d1838957eb5e
SHA512 d7cf08c3a5a5dfeca089d2e8bfb452b419c226125ce408595158f35951f236f1ff6d1493411dcb118d8f0cd6b95363fdc89f3107aa8ae36fcaef09e823a364f3

C:\Users\Admin\AppData\Local\WzbTceo\FileHistory.exe

MD5 eeba3dd643ced2781ec1b7e3cd6fa246
SHA1 2d394173e603625e231633fc270072e854bac17b
SHA256 bee0799a52fe65b8dc291de32f0c8b03b5a067915b1868bc8ba2a1b139c90b87
SHA512 222d4fbc7ee57d75889698a0660996293a0143518fdecc1b222618796d76d40f2d3b00b071f92ab917ac8847f195d7de02df55b5e89dad8a80d110e464cd3271

C:\Users\Admin\AppData\Local\6GS\DUI70.dll

MD5 92f5e99a4a522a8909911485e63143a6
SHA1 6114b6105c17695a3880613e07d1ae15f452acbe
SHA256 982e5cc7a5620d5b0b46c8194de3137d409f02b47ae8b35beaec674f34ca7d5e
SHA512 2660319c8b848e37f3dac0c7c2ad3f90073b59ec43d08ecaabca095910cfd02bb65624babafffda81180595d284943534e31caa1520f2f715d8cc11d20e32fc9

C:\Users\Admin\AppData\Local\6GS\DUI70.dll

MD5 527f3aaad52f2930a2e8da15135e74fd
SHA1 315e1cf40d9728f5ef596f035c350831f54f2206
SHA256 2e46587067b9b8a3a19a4b6bc3364009599cb36df99eedf3733b7ab077bdba78
SHA512 82af0626490fcaabe8ec617b3217c2f6ce9be942b959706c87262c0bc37ee5ea7b9254423aad947cd52557a2860b4fb76ac74d4ce8adc1828c4dde383ca6a9a5

memory/3844-85-0x0000000140000000-0x00000001401FB000-memory.dmp

memory/3844-84-0x00000109D8150000-0x00000109D8157000-memory.dmp

memory/3844-90-0x0000000140000000-0x00000001401FB000-memory.dmp

C:\Users\Admin\AppData\Local\6GS\systemreset.exe

MD5 8f99945e5223e90e81efd8e72eb3f452
SHA1 b85fd92e3363e5dbbe57b415ead3b54ee68fd25e
SHA256 33374307d0c9eebf3901afebf1ca437c8aff9986d9f7595b3ff94b390eec757a
SHA512 83d6ebc08714a8a8500cae571d4aeb2ef660e9fbf1d25d770990108119f41428ac87a3ccddaef40a339bf4c89c08b73cd4842e4268d0849d55b7763f9cc87944

C:\Users\Admin\AppData\Local\6GS\systemreset.exe

MD5 52e879fb51b863a6dbe7eb3036cce68e
SHA1 12d26c7684a5d946fe3bc5273342ef762d1eae2a
SHA256 03da89c6ba52f123fa5683784a5a852ab0a8785ceaa8f12aef372acdd2f61055
SHA512 2cd17b6b16d7585f994f3e0144ed2bcb8649c334c3d65b8524ea4de5cffcdd4b3845060efe857c5e080e3e764995c43a5165735c40cb4bf5b7358b94f8b6a619

C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe

MD5 367f85df1166a09707e78a1b06f339fa
SHA1 f9c4b2e589c5c32b1af2fb12ff604e51606f69dc
SHA256 0cad7785ad5c70810a6efa05ce4330a3474705879985469bb4a0e641a3954656
SHA512 51a5a215bc9fc3d6fcf913794df297bfbaa2b97b76deff1fa2104e19fd3c09ed18da861ab6e27214b6e81c9f62126da3dcdbd2520ed7b6c47251e322d1f199fc

C:\Users\Admin\AppData\Local\l4fQZS\UxTheme.dll

MD5 c54554a391b230327222f6646e08740f
SHA1 c8f21f2eeb9ad4dc725ad02b0e78ff39718b7f60
SHA256 cdd95cfee1c5e10ca66dc7b11519c107b10cc52e7057a734ace44485526fff72
SHA512 3cbae839160804c35f070cd6bd93d416a1414c6a95e70ef61bb9f51fc2a5ce5a75b70c36f25ffc6f8aea38b8f38c9138f50b519f3f0dc8abe01e3b1387a0abcd

memory/2828-101-0x000001B547920000-0x000001B547927000-memory.dmp

memory/2828-107-0x0000000140000000-0x00000001401B6000-memory.dmp

C:\Users\Admin\AppData\Local\l4fQZS\WFS.exe

MD5 08082633606d27676c9a3d3f8c3d82b9
SHA1 2f0854d72a34f6b2f8c2dc8bde7d4080dcf544d2
SHA256 fa10e3bc6dd79970b4ef1f5bed292329eaa1727aa50c53c8b54ee1dae7679a43
SHA512 052935a56d5811bec180a2ad275abe97e97ace2f4fceaf58d930741038f71511f0b66d89949a724a6a682e24d2f49090cf0599ed8b832d411d75afc2487a86e3

C:\Users\Admin\AppData\Local\l4fQZS\UxTheme.dll

MD5 da297fc614602b88d02353ff1bf8e08f
SHA1 d1c24b248e3fea81aaea1c76b04b29896f63b513
SHA256 0285df44856608f6d342fda8847e9f361cac65d3590bf7d1c02a3b541aceef52
SHA512 cf0cb8f4f8a64343b66ab4c8e060f425e4b08001f0075cccb4c2a636bf172fcbd39e276a649e380b9f183ff94de3fe55ecae4ec0147da706e91a5359c793901c

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hxquhu.lnk

MD5 214d5f9c37fe233401959b9cd51258e2
SHA1 c284c61f3a0c810be628ea353fa78bd14f06b38b
SHA256 00317b4cd8b40fd3ce6ca51d4ca53688b5beaa8015add7dfa8e6a75326c1538f
SHA512 53f6172096ad0bca09fef9961a2369568d14fff6e2b61b14230ff3141b7e473cd02ef8d5e2de6447c8a8fbe1722ac67cf0171461e3488804cc1d62a98f835674

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\iCrBTM3tx\UxTheme.dll

MD5 7f02ca767aa8fbd52b0d3d6169e81361
SHA1 1cd2d25d308e8c7223ee22917e10c2fa3a5e1fcb
SHA256 c7969081a4c2119650fe5d49c6bce14a0921c5060a5998a50fd6e07605feb77c
SHA512 174d385e832298a2004efe70ac7c4f9c6df614b34064cbf1704fb9c97581d84ecd1e0e07af5226ae10131890dffe391aef8f3a88f1406259400da107b856b9be

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\NW7CDrfd\DUI70.dll

MD5 92ba508ae41108aff9383af2f2106e20
SHA1 35a4a9cd6c601797f1ad8072c808504b285d6b4d
SHA256 73f2496461fd8e3988a0782eef3ed63e16418f1c87ce91f7d6e63a310df2027e
SHA512 f28c5799c085afe2e888cd932a078dd9f93f4d73629358efd42c42fbad994f77130e9320da4f8ec20bbad5f68320a69a25b2507523d9734eeefa37c896b64224

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\57C5XogC\UxTheme.dll

MD5 fb47cdbfc9ffb6f91f9637ca9d533bc3
SHA1 c423635f166c15224c9dd62418c4cf9345ab485f
SHA256 ad4ce9f173e7c91f00a61bfd48b3def22b93c63afe4096cf07f526f3d2d7c9e6
SHA512 1bcde188fa8b51124560474e05da71bf12255d5da9d55a7336bb6302e3028a00a3f521be52dbf4d4c1d0705d26c0c8f61f42fb0dc332a86a384c8032621819a6