Malware Analysis Report

2024-11-15 08:50

Sample ID 240125-b8jgaadfc5
Target 736aa5c70532729a4ab7c493762c3d38
SHA256 fa34c06663e6fca8921608ebcdb3bd6056258c39f2270a46397eb552e3396575
Tags
dridex botnet evasion payload persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

fa34c06663e6fca8921608ebcdb3bd6056258c39f2270a46397eb552e3396575

Threat Level: Known bad

The file 736aa5c70532729a4ab7c493762c3d38 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 01:48

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 01:48

Reported

2024-01-25 01:51

Platform

win7-20231215-en

Max time kernel

149s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\736aa5c70532729a4ab7c493762c3d38.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\00RNC\SystemPropertiesDataExecutionPrevention.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\6tM5LZ\dpapimig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\AvqdswrJa\SystemPropertiesProtection.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\9N8Um\\dpapimig.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6tM5LZ\dpapimig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\AvqdswrJa\SystemPropertiesProtection.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\00RNC\SystemPropertiesDataExecutionPrevention.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 3020 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1220 wrote to memory of 3020 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1220 wrote to memory of 3020 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 1220 wrote to memory of 2360 N/A N/A C:\Users\Admin\AppData\Local\00RNC\SystemPropertiesDataExecutionPrevention.exe
PID 1220 wrote to memory of 2360 N/A N/A C:\Users\Admin\AppData\Local\00RNC\SystemPropertiesDataExecutionPrevention.exe
PID 1220 wrote to memory of 2360 N/A N/A C:\Users\Admin\AppData\Local\00RNC\SystemPropertiesDataExecutionPrevention.exe
PID 1220 wrote to memory of 2572 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1220 wrote to memory of 2572 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1220 wrote to memory of 2572 N/A N/A C:\Windows\system32\dpapimig.exe
PID 1220 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\6tM5LZ\dpapimig.exe
PID 1220 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\6tM5LZ\dpapimig.exe
PID 1220 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\6tM5LZ\dpapimig.exe
PID 1220 wrote to memory of 1800 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 1220 wrote to memory of 1800 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 1220 wrote to memory of 1800 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 1220 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\AvqdswrJa\SystemPropertiesProtection.exe
PID 1220 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\AvqdswrJa\SystemPropertiesProtection.exe
PID 1220 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\AvqdswrJa\SystemPropertiesProtection.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\736aa5c70532729a4ab7c493762c3d38.dll,#1

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\00RNC\SystemPropertiesDataExecutionPrevention.exe

C:\Users\Admin\AppData\Local\00RNC\SystemPropertiesDataExecutionPrevention.exe

C:\Windows\system32\dpapimig.exe

C:\Windows\system32\dpapimig.exe

C:\Users\Admin\AppData\Local\6tM5LZ\dpapimig.exe

C:\Users\Admin\AppData\Local\6tM5LZ\dpapimig.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\AvqdswrJa\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\AvqdswrJa\SystemPropertiesProtection.exe

Network

N/A

Files

\Users\Admin\AppData\Local\00RNC\SYSDM.CPL

MD5 a32ae6808847c5d7074533b3b7644eae
SHA1 26399c2ebdabf1fd09e70eb09f6d84fa726c5c64
SHA256 dbf129520fac05ca38965a7784a8507012757a6789e1f971935b6017eacfb178
SHA512 7e1c298ffbdd4da830e4ce1a12b9b65aafbd45aea9e078a8d7f2adff8d1913d3d86618e6c7c24f00e71e360429013109fdf1ffef56d34a51c575c58b131b7b5a

C:\Users\Admin\AppData\Local\00RNC\SYSDM.CPL

MD5 0bb0823b481b0b97b74b35b71b19156e
SHA1 52879d5b981f845a251de624ccabd8688c75fbb9
SHA256 7c33191d9f5ccf08704a1cb9d057a13862c526a6ca13cccd05674033582943cd
SHA512 d37ce0c5162b6db04bd8c695f165de40af3b738208dd971160a7a9330b0a412a238d40baaf556dbf6e8a0a72decf690b4e1be623c603d767032a80b5076f7f8e

C:\Users\Admin\AppData\Local\00RNC\SystemPropertiesDataExecutionPrevention.exe

MD5 e43ff7785fac643093b3b16a9300e133
SHA1 a30688e84c0b0a22669148fe87680b34fcca2fba
SHA256 c8e1b3ecce673035a934d65b25c43ec23416f5bbf52d772e24e48e6fd3e77e9b
SHA512 61260999bb57817dea2d404bcf093820679e597298c752d38db181fe9963b5fa47e070d6a3c7c970905035b396389bb02946b44869dc8b9560acc419b065999a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Vq0xh9bSyx\SystemPropertiesDataExecutionPrevention.exe

MD5 2ddfefe103ac36e66dbbb090c65aca36
SHA1 a4a0edd6c62d0ae89cf3002d01e4b8c1bed357c4
SHA256 c0edc59b6d8f5c2e45f206f6fba063765046554d660cefb3913431f5957b5ba3
SHA512 dac3ed3b7a18ec3e5b89db5b4609c453d5249179b3b72bf151e498884c5f4a7e70b88cbce2fb1ad6fbb6861f8c98bfd8ed9f7052a567097b47658b9c17b3567f

\Users\Admin\AppData\Local\6tM5LZ\DUI70.dll

MD5 371033d8e2678acf0a4e9bfb02a82613
SHA1 67c581ff407df093fb5286c91ca641dc48ec2aeb
SHA256 6bfd6d69dbf34c6200a63741c848991bc6cb9ea15c33e96e22050c1bb1c73b86
SHA512 7b18d19da234babecd14f5717d3e5e590e9418c91113ece6ebaa81435a90bcddeeec58a8d3acecc3e017774a271dcaa9bf9410a176e95ff9343af17d7cd7256d

C:\Users\Admin\AppData\Local\6tM5LZ\DUI70.dll

MD5 39face98b70bc6d3a868038ae31d650f
SHA1 4d4ab5d441d8b1372b9a606913573a57176bed47
SHA256 2dd26da89b864a38e7c02fefa84f5b56737e757f58e8a2f791e902eb5b0459a5
SHA512 66ea181b92116aee8ae5831afc66a11d8ecfa9b4537ad89c52a9e29824283177e205625e5822ddb7048da303c25f8cfc3e44d5eb98253c3b4902b001513401bd

C:\Users\Admin\AppData\Local\6tM5LZ\dpapimig.exe

MD5 0e8b8abea4e23ddc9a70614f3f651303
SHA1 6d332ba4e7a78039f75b211845514ab35ab467b2
SHA256 66fc6b68e54b8840a38b4de980cc22aed21009afc1494a9cc68e892329f076a1
SHA512 4feded78f9b953472266693e0943030d00f82a5cc8559df60ae0479de281164155e19687afc67cba74d04bb9ad092f5c7732f2d2f9b06274ca2ae87dc2d4a6dc

C:\Users\Admin\AppData\Local\AvqdswrJa\SYSDM.CPL

MD5 c4a16d510b419b1fecdb254fc5420343
SHA1 7948508a401329cbe1951fff7b1e1ab82e4ac247
SHA256 c4db01fb8117104abda79d4ccf1e650dc77ac697c4b353639d09b5783b9e2bb9
SHA512 035ff28c0e0708050c0e4ecd1c04dac8517c8cc3957830812f7d0c8543122dea17e922f3b76e7cdffca3d5ece2a33c9f7d9c7b3f799d8659276a2ebc73c05eee

\Users\Admin\AppData\Local\AvqdswrJa\SYSDM.CPL

MD5 1528bdc7e86baadbe372807e265bc996
SHA1 028cad64b057e284541812fc66bc4bc4fa03661f
SHA256 53cb4d6413238defe88c31e93494389fad6f1210027cb46aa478745a8f3f5cbf
SHA512 9bc8201ed6f757dfdcf03a8ec46d6d6a3724eaf8a8cd8ae0f675be081af341d7f9c8713002eb04ebe1bf05166b1f1f2638ed1d15778e2253b53433e953e49da7

C:\Users\Admin\AppData\Local\AvqdswrJa\SystemPropertiesProtection.exe

MD5 05138d8f952d3fff1362f7c50158bc38
SHA1 780bc59fcddf06a7494d09771b8340acffdcc720
SHA256 753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd
SHA512 27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 a94806f29d68c5699a978d39592e4482
SHA1 b1d6118c1c357b7c5d18ec2ba52ef6c52d861827
SHA256 a9cb9352103d8567d3971fcaca51ac88d4a11ce6bd1b61367b5208b949c01c19
SHA512 5eeaea2466a52b2cbe4a4f195acc51a2143909022d6677592fa7d19c4f712fd80bd8e9ee1428f2c528f59f1a32b4b9dc41182b43a296a58799ad1f399fe56144

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Vq0xh9bSyx\SYSDM.CPL

MD5 2f32bc3d2662852a9e9869b770c3299b
SHA1 efa523cfb7ba2b6c139152792ae21aa3885d2eec
SHA256 59b9a449539feb7d79cbe7f9f16b87ada31faf592843be52ccb2c99bfa979d26
SHA512 11f5eb782f5aa26120c445871bac2a95c352e3c167c85850797dd20bbadc91d951378b5b8668cb3f6ddcd3dfe9e497429c242ed3364a38e90aa7f486d05c6c9b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\9N8Um\DUI70.dll

MD5 595c0ce0524000309d584db4a4301127
SHA1 bff374f90fb4b7ed464deda9f1928971101a7d6c
SHA256 7a5a71f69dee905d9e7dff76d0f456b7829570beffabb356dbfa7d1edb258c68
SHA512 740c6be3a62785d30e4af2243d6bcf42cf53518565d44206df53322f88c5c028fb3b7b1b6bdd0aadf7615cc1aeb00ab57731d6f0eeab2080600af07561863ca8

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\6MCRrQx\SYSDM.CPL

MD5 9256781cb2a6f40dfaa9c1377436858d
SHA1 8d8340293b65f10210891c66ee3bf2a68b4ab0d6
SHA256 faa14d29c4554755188f027d40ebb41700829f1e86f39d15172850f9fff29cb2
SHA512 71e3817ec7aae10f34358665a05121aeed0ec4a942e26041ff56c49087d9fd536bf5e17a6b730b08b0e6e3f4ceb82d65b7b71ca31a5ea4951924b286135d0b0f

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 01:48

Reported

2024-01-25 01:51

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\736aa5c70532729a4ab7c493762c3d38.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\IWLFXJn1gD\\tabcal.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6IK\tabcal.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 4212 N/A N/A C:\Windows\system32\consent.exe
PID 3368 wrote to memory of 4212 N/A N/A C:\Windows\system32\consent.exe
PID 3368 wrote to memory of 5016 N/A N/A C:\Users\Admin\AppData\Local\R6V8l\consent.exe
PID 3368 wrote to memory of 5016 N/A N/A C:\Users\Admin\AppData\Local\R6V8l\consent.exe
PID 3368 wrote to memory of 3360 N/A N/A C:\Windows\system32\perfmon.exe
PID 3368 wrote to memory of 3360 N/A N/A C:\Windows\system32\perfmon.exe
PID 3368 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe
PID 3368 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe
PID 3368 wrote to memory of 2572 N/A N/A C:\Windows\system32\tabcal.exe
PID 3368 wrote to memory of 2572 N/A N/A C:\Windows\system32\tabcal.exe
PID 3368 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\6IK\tabcal.exe
PID 3368 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\6IK\tabcal.exe
PID 3368 wrote to memory of 2176 N/A N/A C:\Windows\system32\mspaint.exe
PID 3368 wrote to memory of 2176 N/A N/A C:\Windows\system32\mspaint.exe
PID 3368 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe
PID 3368 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\736aa5c70532729a4ab7c493762c3d38.dll,#1

C:\Windows\system32\consent.exe

C:\Windows\system32\consent.exe

C:\Users\Admin\AppData\Local\R6V8l\consent.exe

C:\Users\Admin\AppData\Local\R6V8l\consent.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe

C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\mspaint.exe

C:\Windows\system32\mspaint.exe

C:\Users\Admin\AppData\Local\6IK\tabcal.exe

C:\Users\Admin\AppData\Local\6IK\tabcal.exe

C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe

C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\R6V8l\consent.exe

MD5 6646631ce4ad7128762352da81f3b030
SHA1 1095bd4b63360fc2968d75622aa745e5523428ab
SHA256 56b2d516376328129132b815e22379ae8e7176825f059c9374a33cc844482e64
SHA512 1c00ed5d8568f6ebd119524b61573cfe71ca828bd8fbdd150158ec8b5db65fa066908d120d201fce6222707bcb78e0c1151b82fdc1dccf3ada867cb810feb6da

C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe

MD5 d38aa59c3bea5456bd6f95c73ad3c964
SHA1 40170eab389a6ba35e949f9c92962646a302d9ef
SHA256 5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c
SHA512 59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

C:\Users\Admin\AppData\Local\t8Irx\credui.dll

MD5 357276d19be2fcce36116c0fcb693b46
SHA1 9e8c6bf3b9f9d935268b92d7c9cd7cde2e4d8572
SHA256 37afbc207ad20c5904c01765a79d38dd3941814f24cda62388d5951d5e6493e9
SHA512 e3ada519d8edff655860f9ab523557811d0d552842521712ed00715222b103f4e6710db73c0659d6ec6baff5b75cfc1da7442f010d9c2f1724bb9b48a24b5509

C:\Users\Admin\AppData\Local\t8Irx\credui.dll

MD5 2e6eac83b1c28747493f3c82d6459dc6
SHA1 54aff036806a238258ab7315586b1d85767b3c34
SHA256 b178ccea4e052d5b6bf0e9466601ccbd791db5a593789fa5af48f090d99c8961
SHA512 803ad88e765905da6aac8bca8cbb1163d05b6f755f42b7b89d9e496e4776054b10da10a7bac777b85fe45780e38c940dc99ba6b61e32139741f237caf7b68367

C:\Users\Admin\AppData\Local\t8Irx\perfmon.exe

MD5 f4f9a2c0fd8cdd76bdd0d08f7695cd07
SHA1 f74397795f6a54b20198d7b1ff54e64730800d47
SHA256 6201fd292638b5b00182d98f0bd48247fa654bcc78803669a8d944bcaebc653c
SHA512 62431302cdebbab357e25173320824b5ed5b8359edeb00f5c11715837386ac247f5d0f492f32958e2549c59986c8c7ebfa8118d2c811e188484f582b7646046b

C:\Users\Admin\AppData\Local\6IK\HID.DLL

MD5 f2f4fbef7c9d65ffa977c9b9cb4f898c
SHA1 f67c424289864f6324fedcf50c3d8b455e9d9e69
SHA256 54feaa2a3b5fecf31b7965e6c8ed6dee41401da3087ce98042b0c18925904559
SHA512 b447277861dd4d0943bff73ca82f9da27d5a392ca2b9c94695c3cf30256b898b3e1ae9e27fb46f28de65175d99abefc36adacecdb7ff989aba823d1fbdf5ce25

C:\Users\Admin\AppData\Local\6IK\HID.DLL

MD5 7ed1431b8b5ee5500db3ff397e36d893
SHA1 0110a6efc457986e33b2df409e3159de901a2b1c
SHA256 48d24aa440b086ee74523ec19b8ee1015562dec7b7a90b0b8e2e4a48ff4574a5
SHA512 9a39ddc98f61449077b198649ba540a0056161d60ab872391b23ef24a6b416e99194799895a91ad88bbc3551a84e82ccedf981df411cde97590ecf067266deb5

C:\Users\Admin\AppData\Local\6IK\tabcal.exe

MD5 40f4014416ff0cbf92a9509f67a69754
SHA1 1798ff7324724a32c810e2075b11c09b41e4fede
SHA256 f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c
SHA512 646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259

C:\Users\Admin\AppData\Local\TGkLKW\MFC42u.dll

MD5 a67f6c0c5b7664f5a2aaf056c494e6c2
SHA1 52ae78be4e41376b83f7be835334974c84a2db6c
SHA256 bb1094665225e5c8eb42bb16a68c4f6f2bce5b16c6a8cac781c2278ffe7bbcc1
SHA512 9621669a34135205d6328c1dcbe176a57a966d1c1872665a128cce17b71c24c6dcfb7c0e1d285456e9b7d6de80a5bc40e2ccfb8352b4150cad776489d5806144

C:\Users\Admin\AppData\Local\TGkLKW\MFC42u.dll

MD5 326bdb872bf4c18bdbf05f85d73abaae
SHA1 ce763ea71276eb13396783fa1641827759980de3
SHA256 894d9eefcfcd5c33d8d4cd64ac28aa566e4f26b63e9a29d73ccb91ba6b6d961c
SHA512 b88af2871af13abe8fa029cb3e6e10cbb9d5246ceb19ae750209b0cd07fa74a05886143159605925385442029f032610b4447b8043cfd92cb5c554ee6b1a8a5e

C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe

MD5 e166e34dedd8688d836afd921314d6d1
SHA1 81b13421919d41eea362e582fc123bbdaa79d2c7
SHA256 55efdea9bcc3b41c4d4ff3739df58786fb7d8b4922a12af6936a5417f5427445
SHA512 f66d8ef1bba62b38ba45d8c7bc14df57b2d57dc89185962c6d29f00e71a8f4a05ce60c985b652bd029d933d58934961ebaf1d2c53e31f03ff726ebe0b098b041

C:\Users\Admin\AppData\Local\TGkLKW\mspaint.exe

MD5 42684e8605a33d33e4707ca9e5ab3da9
SHA1 3847f868319bed6db65c0a113eb0fd0ee1977682
SHA256 9af583e4e016595fac497f5c536f67d198e27b847af1ab90c0ec39d9cd081524
SHA512 7a85eeb0cbbbaa275a86797b6829f15b163f5735465d427c5cf90f7b8172cbaeca47217a6b8aa75a06ca8837d35daa561d238070eb4dc32838fcb65728864b90

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\ckpDAQ3F\mspaint.exe

MD5 b33df8683fc4cbff364a8a1b91adb5c9
SHA1 fde72cf5f9c7300402375e71563e1908db5d3a05
SHA256 d2ce468f6f374d60f488da2c28cb625f9b70323424e3ce638235a7f88b176f1b
SHA512 4322f7f87f8e04725e184facdf78d95bb03093a232ab134696f368b57bf097fe44d9cd44b2cfe8e898f6ed6ff917034d31f364e8da6f81ba03cdcb58e4ecb801

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

MD5 9f53967e1c293653faa833eed3b78aa5
SHA1 356a08b6ff5254967f756d825ab3023960c5d452
SHA256 bd63a8aa3b580cec7e5a6e2a19e924e10da6c290b5428c9a3b4ae9b778eac749
SHA512 862332b7cc78db6abd6da30d312a242ee459b9286e9f580c54f4ca3fca68ec51aaa9c5a2d9a12b407e180a076cbd36a7cb84a8349965390d9e502b02dab9693a

C:\Users\Admin\AppData\Roaming\Adobe\uuQQDoCZ\credui.dll

MD5 5648979db1f3fee886cc2ad3b3373548
SHA1 540ee4fbeed1f4508a368edf8d106ce7f260f804
SHA256 e86d31d808570bb6100b4ff6495fce74e310e7d5846fbc63a29bd67331fa7be0
SHA512 032ce43d4435cd963c375e6a0c8f908beba8833e2cf28a4eee81181a59fdac481879329cd36daaa8ab4831ba6ed4258c0de12825049d0b7e6234b112d1d56bb2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\IWLFXJn1gD\HID.DLL

MD5 319c412643df6904316145a6c05ea9a7
SHA1 c044196d9cc517dfd0b015f176b4b34e95b9a6aa
SHA256 3d95bbfcd29ae12a732f426f13235608a52843e7f61b1c15eceae31bb0c676f0
SHA512 7e0e372fc31b449367bb8d3f3374791aa144a153e2c27b87c5c915a5698181f8f1b362f26483200a9c6866f60e4d10c286468af034109ded21402041fd34a69d

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\ckpDAQ3F\MFC42u.dll

MD5 03e31b0416674efa7d9f74c0ba890289
SHA1 c5ff2ca131b7fbba3bb01f04fb97396409d93d46
SHA256 c1a2dfc8222074db49dc1a074fecada3e74ef50892a5c23850dab950b6e6cf8c
SHA512 3e9deb984d1f0425b868ef2e80f4bad48ddf03b2902d201a424b9d2dcb72ea52a3e21f8c1f71e4b2561011c171f62fe694e03d5d8f5e22126ee776133e5eb32b