Malware Analysis Report

2024-11-15 08:50

Sample ID 240124-j6md6adgcj
Target 71bb36f4bcc6b93c90c000f353db7173
SHA256 bad6364c6a3a60c2e7982bb223a06f05ec95abf264dc500f75d2454642d84034
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bad6364c6a3a60c2e7982bb223a06f05ec95abf264dc500f75d2454642d84034

Threat Level: Known bad

The file 71bb36f4bcc6b93c90c000f353db7173 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Analysis: static1

Detonation Overview

Reported

2024-01-24 08:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 08:16

Reported

2024-01-24 08:19

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\71bb36f4bcc6b93c90c000f353db7173.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\9os\psr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\FEi\\wextract.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\9os\psr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 2808 N/A N/A C:\Windows\system32\psr.exe
PID 1264 wrote to memory of 2808 N/A N/A C:\Windows\system32\psr.exe
PID 1264 wrote to memory of 2808 N/A N/A C:\Windows\system32\psr.exe
PID 1264 wrote to memory of 2492 N/A N/A C:\Users\Admin\AppData\Local\9os\psr.exe
PID 1264 wrote to memory of 2492 N/A N/A C:\Users\Admin\AppData\Local\9os\psr.exe
PID 1264 wrote to memory of 2492 N/A N/A C:\Users\Admin\AppData\Local\9os\psr.exe
PID 1264 wrote to memory of 2900 N/A N/A C:\Windows\system32\wextract.exe
PID 1264 wrote to memory of 2900 N/A N/A C:\Windows\system32\wextract.exe
PID 1264 wrote to memory of 2900 N/A N/A C:\Windows\system32\wextract.exe
PID 1264 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe
PID 1264 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe
PID 1264 wrote to memory of 2932 N/A N/A C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe
PID 1264 wrote to memory of 2164 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1264 wrote to memory of 2164 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1264 wrote to memory of 2164 N/A N/A C:\Windows\system32\OptionalFeatures.exe
PID 1264 wrote to memory of 1596 N/A N/A C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe
PID 1264 wrote to memory of 1596 N/A N/A C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe
PID 1264 wrote to memory of 1596 N/A N/A C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\71bb36f4bcc6b93c90c000f353db7173.dll,#1

C:\Windows\system32\psr.exe

C:\Users\Admin\AppData\Local\9os\psr.exe

C:\Windows\system32\wextract.exe

C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\9os\psr.exe

C:\Users\Admin\AppData\Local\9os\XmlLite.dll

C:\Users\Admin\AppData\Local\mlkMx4Vdt\wextract.exe

C:\Users\Admin\AppData\Local\mlkMx4Vdt\VERSION.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\FEi\wextract.exe

C:\Users\Admin\AppData\Local\o3T\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\o3T\appwiz.cpl

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\rj\XmlLite.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\FEi\VERSION.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\K0vm\appwiz.cpl

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 08:16

Reported

2024-01-24 08:19

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\71bb36f4bcc6b93c90c000f353db7173.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\bf\\ApplySettingsTemplateCatalog.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\V6ALARLt\DevicePairingWizard.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3568 wrote to memory of 4224 N/A N/A C:\Windows\system32\mblctr.exe
PID 3568 wrote to memory of 4224 N/A N/A C:\Windows\system32\mblctr.exe
PID 3568 wrote to memory of 216 N/A N/A C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe
PID 3568 wrote to memory of 216 N/A N/A C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe
PID 3568 wrote to memory of 3128 N/A N/A C:\Windows\system32\ApplySettingsTemplateCatalog.exe
PID 3568 wrote to memory of 3128 N/A N/A C:\Windows\system32\ApplySettingsTemplateCatalog.exe
PID 3568 wrote to memory of 1376 N/A N/A C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe
PID 3568 wrote to memory of 1376 N/A N/A C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe
PID 3568 wrote to memory of 2416 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 3568 wrote to memory of 2416 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 3568 wrote to memory of 4252 N/A N/A C:\Users\Admin\AppData\Local\V6ALARLt\DevicePairingWizard.exe
PID 3568 wrote to memory of 4252 N/A N/A C:\Users\Admin\AppData\Local\V6ALARLt\DevicePairingWizard.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\71bb36f4bcc6b93c90c000f353db7173.dll,#1

C:\Windows\system32\mblctr.exe

C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe

C:\Windows\system32\ApplySettingsTemplateCatalog.exe

C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\V6ALARLt\DevicePairingWizard.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\fyoiHUH\WTSAPI32.dll

C:\Users\Admin\AppData\Local\fyoiHUH\mblctr.exe

C:\Users\Admin\AppData\Local\wIzru6PhH\ACTIVEDS.dll

C:\Users\Admin\AppData\Local\wIzru6PhH\ApplySettingsTemplateCatalog.exe

C:\Users\Admin\AppData\Local\V6ALARLt\MFC42u.dll

C:\Users\Admin\AppData\Local\V6ALARLt\DevicePairingWizard.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\wSArnh7L\WTSAPI32.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\bf\ACTIVEDS.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\5lcAp0\MFC42u.dll