Malware Analysis Report

2024-11-15 08:50

Sample ID 240124-kjc3msecb5
Target 71c41494c927e33c33dadf1925c47cd5
SHA256 6a19ea54058dfc1a9678abc823f1ed3697c8e77fba5279d998dadaef5e7ebf04
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6a19ea54058dfc1a9678abc823f1ed3697c8e77fba5279d998dadaef5e7ebf04

Threat Level: Known bad

The file 71c41494c927e33c33dadf1925c47cd5 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 08:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 08:37

Reported

2024-01-24 08:40

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c41494c927e33c33dadf1925c47cd5.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\dQYhzbi1rd\\WindowsAnytimeUpgradeResults.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1212 wrote to memory of 2344 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1212 wrote to memory of 2344 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1212 wrote to memory of 2344 N/A N/A C:\Windows\system32\tcmsetup.exe
PID 1212 wrote to memory of 2272 N/A N/A C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe
PID 1212 wrote to memory of 2272 N/A N/A C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe
PID 1212 wrote to memory of 2272 N/A N/A C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe
PID 1212 wrote to memory of 2924 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 2924 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 2924 N/A N/A C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 2996 N/A N/A C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 2996 N/A N/A C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 2996 N/A N/A C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe
PID 1212 wrote to memory of 1248 N/A N/A C:\Windows\system32\iexpress.exe
PID 1212 wrote to memory of 1248 N/A N/A C:\Windows\system32\iexpress.exe
PID 1212 wrote to memory of 1248 N/A N/A C:\Windows\system32\iexpress.exe
PID 1212 wrote to memory of 1960 N/A N/A C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe
PID 1212 wrote to memory of 1960 N/A N/A C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe
PID 1212 wrote to memory of 1960 N/A N/A C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c41494c927e33c33dadf1925c47cd5.dll,#1

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe

C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Windows\system32\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe

C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe

C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe

C:\Windows\system32\iexpress.exe

C:\Windows\system32\iexpress.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\8QBgwy\tcmsetup.exe

MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

\Users\Admin\AppData\Local\8QBgwy\TAPI32.dll

MD5 0e8580bb505f37f55a9ccc6410025006
SHA1 c63e91ab81aa134484710977167d7a3b5c243601
SHA256 d0524353ecaec64f35fe6d35a8c97fbc344ebece3c41245c4afb091229580cd5
SHA512 8ee29562c447b9bb90ab992cdfce22c6a30591c9f0464a663861da45d05ad71a6e3f4d15d3141b5340123ec9db00902a2f7381e8384819422deaf26c073f278e

C:\Users\Admin\AppData\Local\LTcJmDDfC\WINBRAND.dll

MD5 62e80ab94e81f2ba8314581ea90247af
SHA1 82ad70c55b862ce01224d523f692fed5c2b65f0d
SHA256 a4d500538c235461fa99eb5ecb2b79ed2dff241bb0ef0a7457572d1fd892d0de
SHA512 5a59138394ab3f243991d963c912d5969f5d97e718c87d7d3b416b5338516ec79c78efe4f463cab3eb950fb259eef44c347739fcef8ba6e4eb44240d8816d141

\Users\Admin\AppData\Local\LTcJmDDfC\WINBRAND.dll

MD5 150675ee71427332e1efa4ef3936b201
SHA1 99b97e3ec7a07b783a67be2a330f67fb8c4d3538
SHA256 9c0cbffcb730fcf4c5e22d6085eda94289735a31d3ec8711aaa8c3ab6731268c
SHA512 d8494a7f9e507b061b1955e2c530dd17b3179e8cc769c95ac0dc4573428e524ce15a1d9dc330ee0d43b7faf9d8c344c3a2c090699880b0693a4816a6b50ae013

C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe

MD5 4ce30803fe1b2f91a4c50a736dd8ea5e
SHA1 f6cfd96b319162da2e3e0173e7ecb0d4cefd70ac
SHA256 04034e248d35c49ff3db4a8f1ea73a4c80ba295f91e4e5060fc97786a040740b
SHA512 00a1392b715ff0ff86c055e0fa010dea6829b92b6e5b163e8c5269277203ea2d2e16c02a461e07f34db8975aaf9694e69580423b4ecc823a7c4d074206c9d2be

\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe

MD5 6e3cd2b208d684c37038107cb1193320
SHA1 cd00bfab8a32c17ccf39b1e097369c894349e3ce
SHA256 b9295b2141b35234a68e60b826af20677295435adc3eee5a36e3963e8a16693d
SHA512 ba0429147fbf71c4a894c188ff097855790e7fc7d929c6b6e46b7a7d139cd060b9b699c8a3615e83266bca378905aa37516fca66b95bc88b67a22a49a249edc7

C:\Users\Admin\AppData\Local\LTcJmDDfC\WindowsAnytimeUpgradeResults.exe

MD5 f5b608370ff97e655c584bc84e92b08b
SHA1 214597b0a6c4eef50ef68b5fd7e247ae234b132c
SHA256 5fdd03790ea41a631a0b9cbb5893a8bd6c793aa5e885bdf1c79b2e6e5bbecfcb
SHA512 930d7dfcdbb772845b0d742f11cbe9be0b2ac6f9a1a4220ad99326a2ba12fed1972a446281041f3697c6b12cbcc3588416d659af856fa06648c4b037333579a7

C:\Users\Admin\AppData\Local\Sh4si\VERSION.dll

MD5 70355dafda1ad274740c6f8aa1a9bdc8
SHA1 4134311e39a83ab92cb7a41d10634c3d019f6766
SHA256 7ad16e800ca65642cfa8f708304c9f4b6069e87818b038818263704ad26ae923
SHA512 4d244aa7c8fc5146df63b1534013747be7a6f65aa93afd4302f27dd7b6842c0c43074e6c184e157dce9219abda34db9ec08918d1dace6021743b9ad6a6534244

C:\Users\Admin\AppData\Local\Sh4si\iexpress.exe

MD5 b477b89e38889a8d36afa6552d7566cd
SHA1 bef192a09e78ae0c5bcf9de3b55edbd7f7c46971
SHA256 9a7dc98c3406fea6429b35f7d6edb8b06de74a7164498f7016756ef2d6672c11
SHA512 87f527eddeae665e5e8532fec04de0e96fa36aecdb2ac668996d69aeff96dd9e968c6e0f31010773e4be56f7aae7b32866425541545838274ac934089579b549

\Users\Admin\AppData\Local\Sh4si\iexpress.exe

MD5 7e4922fba02f84e550aaba4932097b59
SHA1 d84aed8d3faf480f7e41e7e5291854793311492c
SHA256 ce49ac77a5536549ea398f53917457918b02857c207b424c23e4ff7e4035a238
SHA512 f2bbf5dae69ee9a85bdd2258f0b39906e091e0669db6160d8b746eb441237bf32a72c9ffec51b8ad1aa6f337518ff2a6a0dba8f91bf8ef6fb7e1baf33178b254

\Users\Admin\AppData\Local\Sh4si\VERSION.dll

MD5 e424e5b5f27e99dc7d70641d10633010
SHA1 83fc389674aac7d797d1926dbd9510cc66a26413
SHA256 ecd8875e1034788c812e4747f9a64532aad5142e2173056fb69ba76b6f16cc70
SHA512 e031594389b6971fa05111c8369062b036a661cc4313040ef4dd6bf30ce97933e190560fb282e2b19ff64cbf8b47387bb0931a06c34aab78cbd4a4016189856f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\IidO\iexpress.exe

MD5 f58a4a422453cbde4a28416a42b6f8a4
SHA1 a991911500174def40026385282f162c15879f80
SHA256 7267b1f60c0b24d7554c6edb1a600f36afed921ff1d46654aa1bd2f229d1dd49
SHA512 0c0cee49238c5cd47915e234140eef0d63b748ba76aa03692a2e1fc8ffd1607c35ed7f04c179f9cacedc60b4c06bde6167655dd9616f7e99b97421777189ffae

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\IidO\iexpress.exe

MD5 c6ab788e4ffdbf72567f967a696d6de4
SHA1 174075b0bf4d2cb25139ad413af9a0b01fae8f80
SHA256 2abedddaf86b25562675c636c0abc5d6dd65ddde66b4533ba45927748c434947
SHA512 dc2bbadd503d2d174c042404d774f26544450aeda58a90b574c30eadb981fba5a2d0015aed90d9085994e7a20299e0a48f4b5abd3a6c9e8749d740aac9870e72

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 04b2a26562a12c8d17a9e1ccb05a3979
SHA1 03807408d3643b30cc27f0edf73504e4e1f6e3ce
SHA256 608cc1a569ab1174b426bcac88811c3103920b0dea546bde5369dcf942f74eb7
SHA512 0ad9c8866bfbe60639df0c779bf3ba32284b982a887ffbc64b0a211306f56ae4cc9f5e44b9799ac32af59e9c3ccda0201900f2df65faa42c6bfe2b6deec42565

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\kAs\TAPI32.dll

MD5 79b47f8b6428b181596c68b50d5d4190
SHA1 1f63e25da12c47289cc91c0c1f673c55911f800f
SHA256 e277c110a0254cf5a0c367a58c10f06a61bcdd51e0adfbe696d6c2aa25fab8ca
SHA512 ade9146ca5b89def6d38964c29e04d96598cce53a462ad02b0662e072a9b308873cf7a7f11d40b35d5f22b30ef4cf8c0439af1e5ec5d4a2c8fe8ff08b3a1eb6f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\dQYhzbi1rd\WINBRAND.dll

MD5 2980575998a8a21f7a1f3fecb4accbdc
SHA1 b9f9060689ad9dcf4a3969de23818a72ea26dc47
SHA256 29d34e78b031d33b6fed294738a03fd74a15b0466c4c50a3a2b724267e9e94a4
SHA512 7df68c27efb99e2f72eb0ec709f209af41203df55db09aac634944ebf6b16354a1be0f6323e7c1005a0e00fc09a9f0aec331604fc5753d07e22f8fbf5389cf8b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\IidO\VERSION.dll

MD5 6fa2f6f34feeff9da50297744a175815
SHA1 e9f936f7abc7a05ff93c8809e8d4e9f356abcc76
SHA256 3db7789c331823216fcc0b84dc839762877f5ef2f1e7d6302f156bc87655411d
SHA512 0124167f1411250a32aa71c09da05cfa2fcacb7307ccaf2d9b386f5cbbf8e9eab85581f4e544d243bbc432d50dae1bf302581b764106a22ae842a21014b78353

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 08:37

Reported

2024-01-24 08:40

Platform

win10v2004-20231222-en

Max time kernel

145s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c41494c927e33c33dadf1925c47cd5.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\hI5\\SystemPropertiesRemote.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3iD\msconfig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3528 wrote to memory of 3256 N/A N/A C:\Windows\system32\CameraSettingsUIHost.exe
PID 3528 wrote to memory of 3256 N/A N/A C:\Windows\system32\CameraSettingsUIHost.exe
PID 3528 wrote to memory of 4588 N/A N/A C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe
PID 3528 wrote to memory of 4588 N/A N/A C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe
PID 3528 wrote to memory of 4956 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 3528 wrote to memory of 4956 N/A N/A C:\Windows\system32\SystemPropertiesRemote.exe
PID 3528 wrote to memory of 2404 N/A N/A C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe
PID 3528 wrote to memory of 2404 N/A N/A C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe
PID 3528 wrote to memory of 4164 N/A N/A C:\Windows\system32\msconfig.exe
PID 3528 wrote to memory of 4164 N/A N/A C:\Windows\system32\msconfig.exe
PID 3528 wrote to memory of 5076 N/A N/A C:\Users\Admin\AppData\Local\3iD\msconfig.exe
PID 3528 wrote to memory of 5076 N/A N/A C:\Users\Admin\AppData\Local\3iD\msconfig.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\71c41494c927e33c33dadf1925c47cd5.dll,#1

C:\Windows\system32\CameraSettingsUIHost.exe

C:\Windows\system32\CameraSettingsUIHost.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Windows\system32\SystemPropertiesRemote.exe

C:\Windows\system32\msconfig.exe

C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\3iD\msconfig.exe

C:\Users\Admin\AppData\Local\3iD\msconfig.exe

C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe

C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe

C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\ScD4cQi\DUI70.dll

MD5 f92f1050d95019205d5f7f87c2d80d25
SHA1 b86df951973b15cf890a8ba4fbb03d095583529e
SHA256 ba45548f7d48b0cba559cd7137751133dee9c2169a7e055d2861a4f59917e89a
SHA512 3d47ddb87660c4365eaa91b99082003236179ad948188f3adab2bf3b06ac3f5506cf2801ad8a2aa3d80b3407407236e05dcfca91780a967d9f39b847ee1608a1

C:\Users\Admin\AppData\Local\ScD4cQi\CameraSettingsUIHost.exe

MD5 9e98636523a653c7a648f37be229cf69
SHA1 bd4da030e7cf4d55b7c644dfacd26b152e6a14c4
SHA256 3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717
SHA512 41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78

C:\Users\Admin\AppData\Local\BwtEj9usD\SYSDM.CPL

MD5 dfef82c0eace71cca863f867aacb9cda
SHA1 8baa0574d4de5faefd9698d59817e840cb506aca
SHA256 7ab5f1cf80a172b74faafb21723ba85db97ab1caad5dcd22afce4cac1bd3ad90
SHA512 a17a4af5ba253b7b7bcfce27260af245e43feffb1bcfc39126ce73702ddf1eceb034578494c662e5d6dcdf4aeadee2880be409ea22c34c819c94165239d0bfc9

C:\Users\Admin\AppData\Local\BwtEj9usD\SYSDM.CPL

MD5 9722cb2b36f7d441efcf3b72196e210e
SHA1 1ae58447b27384adc631eaecda83900ca8eb60cd
SHA256 79bbe56abdf96a2c37f1253e03b91dafabd5672fdbc0482ddb61ba2035f3e5cc
SHA512 e1c8a743e4668ab74187d22e911ee2ecae4692590df10826b8a94bb3db8821de816ff1155861e99eff37d5c3f61c5dec826b29b4f3f2fc5474ac657748323b08

C:\Users\Admin\AppData\Local\3iD\VERSION.dll

MD5 280a008cc497b3756d267e129590f935
SHA1 f504575191a04be79f51b3bf94d7034559d579f3
SHA256 1543de373d133b7711a1bb32e171edef9e0f1f3cb514171b1c708e188619a8af
SHA512 6efec5e86239e1d82e94f4aadacbd7ebdcdca41b96a0c4e6aaa1402925982103c3f7147c28480670c7db473c087b1259868d00649fc40a9847f446481e519b94

C:\Users\Admin\AppData\Local\3iD\VERSION.dll

MD5 1aee5b4955fd78d91f15bdff3a89cc88
SHA1 b831931db52930b8163bd68b00518a70c5621aa5
SHA256 409eca704520ac2423fe0b0b8aa45de7ada4ee964e07e2013de1fdf4848ffca7
SHA512 f8633404f9b172f9fb0fb8984872998f445dc0b37cfbda0ceebb5185b2edadacb143eaa413f9e8901b993a6789797310f098ddecdc10008656af0d92385d337f

C:\Users\Admin\AppData\Local\3iD\msconfig.exe

MD5 1dc9e45df7a22351dbe5835170a6a03f
SHA1 a4afb671dd9137e0ff7c7c4775dd9c5131fe4dfe
SHA256 a5967098ed910c84a610fb6bc796fb192dfd116a59e1e9530b037cddbad661d6
SHA512 3bbb431a8b671850ad36446e282c679ab0390adff1a7e3eafe6fef720f86531670d760cf5de631f3601d1df31f999c096f7298ec4530c779542751b50e9c627c

C:\Users\Admin\AppData\Local\3iD\msconfig.exe

MD5 f576ed4f0a554be5e398a2d7b311b479
SHA1 6220bc8c54a11245d8fd2ff6840ecbf1d1e39bd8
SHA256 6e979a8f00f11e4d472af88282fce095998f541f00662085e0e417aca32379d7
SHA512 f91e1eedb94b99c185e35e8edb4c7040397b1f31a5bed155fe9018858f3d840da9bb83bcce222ff571a8b15d54b41afee6ce1910f6b6b34b23cb75db663cfb2b

C:\Users\Admin\AppData\Local\BwtEj9usD\SystemPropertiesRemote.exe

MD5 cdce1ee7f316f249a3c20cc7a0197da9
SHA1 dadb23af07827758005ec0235ac1573ffcea0da6
SHA256 7984e2bff295c8dbcbd3cd296d0741e3a6844b8db9f962abdbc8d333e9a83932
SHA512 f1dc529ebfed814adcf3e68041243ee02ba33b56c356a63eba5ef2cb6ede1eda192e03349f6a200d34dfab67263df79cf295be3706f4197b9008ccdc53410c26

C:\Users\Admin\AppData\Local\ScD4cQi\DUI70.dll

MD5 8c092427a27850dc9a24e96f3e2e6194
SHA1 753eaf9238dd26f7076197ffe0833153f5b7b8d6
SHA256 38305049e4dc03c426eec8267e625b21f2df4920b0bb94855c07665449604ca3
SHA512 4fd1801a3845008af8aed403df9c05e68d350fd48cb752f35b973456fca89d4623942aad84a5a0f2df4d4f5c09fa2398834fbb82dcb5a6eef8e6cf44946d901c

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 cd0819c619a82d965f36ee93b53e2e5e
SHA1 b91df3556970c43b15260a150cef7dd621c3c62a
SHA256 4f6cca3a1433386c9be275b6b6ec4b872d84e2ba728cb514dbcb5778cf5eaae9
SHA512 9133b873a0226c939229885fc2919f969befecf99b0c6bf9dd73e6de5cdecaefe463046cd498dafd2b2241a3440f7c0027f4d73bfe9d33c791d55347dc8ffce5

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\7zAIyhcteJ\DUI70.dll

MD5 43dee0324e066addfb97533de3b2c21b
SHA1 9e46139a484b0e93b4d062fa0efd82ccad426ca0
SHA256 f196e624cb7627d4fbda346f215b82c3e4adbbb9df9cc03d9c0a98a2f55ab8a2
SHA512 1932487dc84f289948949fc98542235fb438f91c6c7903ac0d26c7bb6c0a7e6ca1ed777ba5796a8555e6ec883b8e51a7c9d73016bb44fab1afc1ff1c56ab2e29

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\hI5\SYSDM.CPL

MD5 ab75a06fa6df3c7d7592a7bd6fe1fe4a
SHA1 cf766e66bb1d13a3ce4d0e576de41e7c1e817f75
SHA256 4aa91b86986e2be027d32294d0dafab16f9ec1b787b73b0a5aab372cf39fabdd
SHA512 93708e84d562971f8b93b6c3a28e72f3d23b67f4cb42dbb388556934e11193ee518d1b5e9928ddc2a2d288271fe70184e8d4c077f5db9b133032e077a9684e02

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\QFFMG\VERSION.dll

MD5 82dd187e5474fae89c3f5a71157b0075
SHA1 e0034fdd7141826f7bcc27cbd6d05d1e45ae2b6f
SHA256 a267c62bddb6b58f7f363c527df7632f4b8ab83b36a9b9b55b196b20dcb6f26a
SHA512 01343992b1a84e7a0d4ea515d6b49da1195bd9cafa481798ce48181719b113f70615c06b7f8a37475ed8699b9c7d1b0aa758e11c9b9da40992b756199797d0c2