Malware Analysis Report

2024-11-15 08:50

Sample ID 240125-fxp7xahac7
Target 73d3e10fa82e2301bd8fb5cabf77c864
SHA256 bdec67160c740cc4f649a1688c8cdc2467729c086df711606600d9967c967641
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bdec67160c740cc4f649a1688c8cdc2467729c086df711606600d9967c967641

Threat Level: Known bad

The file 73d3e10fa82e2301bd8fb5cabf77c864 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 05:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 05:15

Reported

2024-01-25 05:17

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\73d3e10fa82e2301bd8fb5cabf77c864.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Office\\Recent\\CWCyC\\ouKP\\isoburn.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\gvgm8wZiN\isoburn.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
(60 further rows with every column N/A)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3504 wrote to memory of 2164 | N/A | N/A | C:\Windows\system32\isoburn.exe
PID 3504 wrote to memory of 2164 | N/A | N/A | C:\Windows\system32\isoburn.exe
PID 3504 wrote to memory of 2284 | N/A | N/A | C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe
PID 3504 wrote to memory of 2284 | N/A | N/A | C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe
PID 3504 wrote to memory of 2072 | N/A | N/A | C:\Windows\system32\isoburn.exe
PID 3504 wrote to memory of 2072 | N/A | N/A | C:\Windows\system32\isoburn.exe
PID 3504 wrote to memory of 1412 | N/A | N/A | C:\Users\Admin\AppData\Local\gvgm8wZiN\isoburn.exe
PID 3504 wrote to memory of 1412 | N/A | N/A | C:\Users\Admin\AppData\Local\gvgm8wZiN\isoburn.exe
PID 3504 wrote to memory of 2472 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 3504 wrote to memory of 2472 | N/A | N/A | C:\Windows\system32\mfpmp.exe
PID 3504 wrote to memory of 2404 | N/A | N/A | C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe
PID 3504 wrote to memory of 2404 | N/A | N/A | C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\73d3e10fa82e2301bd8fb5cabf77c864.dll,#1

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe

C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe

C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe

C:\Users\Admin\AppData\Local\gvgm8wZiN\isoburn.exe

C:\Users\Admin\AppData\Local\gvgm8wZiN\isoburn.exe
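The pattern both detonations share is worth turning into a hunt. A Windows binary (isoburn.exe and mfpmp.exe here; PresentationSettings.exe, iexpress.exe and tcmsetup.exe in the Windows 7 run) is started from System32 and written into by the injecting PID, then a copy of it is launched from a random-named folder under AppData beside a DLL that carries the name of a Windows DLL (UxTheme.dll, MFPlat.DLL, WINMM.dll, VERSION.dll, TAPI32.dll), and a Run key plus a Startup-folder .lnk point at yet another copy. The executable loads its DLL by name and finds the dropped one in its own directory first, which is the search-order hijack the "Loads dropped DLL" signature is reporting. The Python below is an added example, not part of this report or of the sandbox's tooling: it runs three checks over a constructed event list whose PIDs, paths, Run key and .lnk name are copied from the behavioral2 run (the dict layout is only loosely modelled on Sysmon events, and the benign rows are invented). The System32 inventory is a stub of the names on this page; on a real host, build it from a listing of C:\Windows\System32.

```python
"""Hunt for the copied-System32-binary + dropped-DLL layout this report shows.

Added example, not part of the report or of any vendor's tooling. EVENTS is
constructed: PIDs, paths, Run key and .lnk name are copied from the behavioral2
run; the dict layout is loosely modelled on Sysmon; the benign rows are invented.
"""
import ntpath
import re

# Stub inventory of System32 binary names (the ones this report shows copied);
# on a real host build it from a listing of C:\Windows\System32 instead.
SYSTEM32_INVENTORY = {"isoburn.exe", "mfpmp.exe", "presentationsettings.exe",
                      "iexpress.exe", "tcmsetup.exe"}
# DLL names the report shows dropped beside those copies; each is the name of a
# DLL that ships with Windows, which is what a search-order hijack relies on.
OS_DLL_NAMES = {"uxtheme.dll", "mfplat.dll", "winmm.dll", "version.dll", "tapi32.dll"}

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
STARTUP_LNK = re.compile(r"\\programs\\startup\\[^\\]+\.lnk$", re.I)

RUN_KEY = (r"HKU\S-1-5-21-1168293393-3419776239-306423207-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs")
EVENTS = [
    {"type": "file_create", "pid": 3504,
     "path": r"C:\Users\Admin\AppData\Local\mslkdfAq\UxTheme.dll"},
    {"type": "file_create", "pid": 3504,
     "path": r"C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe"},
    {"type": "process_create", "pid": 2164, "ppid": 3504,
     "image": r"C:\Windows\system32\isoburn.exe"},
    {"type": "memory_write", "src_pid": 3504, "dst_pid": 2164,
     "dst_image": r"C:\Windows\system32\isoburn.exe"},
    {"type": "process_create", "pid": 2284, "ppid": 3504,
     "image": r"C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe"},
    {"type": "file_create", "pid": 3504,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\CWCyC\ouKP\UxTheme.dll"},
    {"type": "registry_set", "pid": 3504, "key": RUN_KEY,
     "value": r"C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\CWCyC\ouKP\isoburn.exe"},
    {"type": "file_create", "pid": 3504,
     "path": r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk"},
    # Invented benign noise: a per-user app that ships its own plugin DLL.
    {"type": "file_create", "pid": 5000,
     "path": r"C:\Users\Admin\AppData\Local\Programs\Editor\plugin.dll"},
    {"type": "process_create", "pid": 5001, "ppid": 5000,
     "image": r"C:\Users\Admin\AppData\Local\Programs\Editor\editor.exe"},
]


def _os_dlls_by_dir(events):
    """Lower-cased directory -> paths of OS-named DLLs created there."""
    out = {}
    for e in events:
        if e["type"] == "file_create" and ntpath.basename(e["path"]).lower() in OS_DLL_NAMES:
            out.setdefault(ntpath.dirname(e["path"]).lower(), []).append(e["path"])
    return out


def _is_planted_copy(path, dropped):
    """True when path names a System32 binary but sits in a user-writable
    directory that also received an OS-named DLL."""
    return (ntpath.basename(path).lower() in SYSTEM32_INVENTORY
            and USER_WRITABLE.match(path) is not None
            and ntpath.dirname(path).lower() in dropped)


def find_sideload_launches(events):
    """(pid, image, [dll paths]) for each process started from a planted copy."""
    dropped = _os_dlls_by_dir(events)
    return [(e["pid"], e["image"], sorted(dropped[ntpath.dirname(e["image"]).lower()]))
            for e in events
            if e["type"] == "process_create" and _is_planted_copy(e["image"], dropped)]


def find_persistence(events):
    """Run-key values aimed at a planted copy, plus .lnk files dropped into the
    per-user Startup folder (the report shows both mechanisms)."""
    dropped = _os_dlls_by_dir(events)
    hits = []
    for e in events:
        if e["type"] == "registry_set" and "\\currentversion\\run\\" in e["key"].lower():
            target = e["value"].strip('"')
            if _is_planted_copy(target, dropped):
                hits.append(("run_key", e["key"], target))
        elif e["type"] == "file_create" and STARTUP_LNK.search(e["path"]):
            hits.append(("startup_lnk", e["path"], None))
    return hits


def find_inject_then_copy(events):
    """(src_pid, name, copy image) where a PID wrote into a System32 binary and
    then launched a same-named copy from a user-writable directory."""
    injected = {}  # src_pid -> basenames of System32 images it wrote into
    for e in events:
        if e["type"] == "memory_write" and SYSTEM_DIR.match(e["dst_image"]):
            injected.setdefault(e["src_pid"], set()).add(ntpath.basename(e["dst_image"]).lower())
    return [(e["ppid"], ntpath.basename(e["image"]).lower(), e["image"])
            for e in events
            if e["type"] == "process_create" and USER_WRITABLE.match(e["image"])
            and ntpath.basename(e["image"]).lower() in injected.get(e["ppid"], ())]


if __name__ == "__main__":
    for check in (find_sideload_launches, find_persistence, find_inject_then_copy):
        print(check.__name__, check(EVENTS))
```

A hit from find_sideload_launches alone is not proof: legitimate per-user software does ship DLLs with names such as VERSION.dll or WINMM.dll next to its own executable, which is why the check also requires the executable's name to be one that belongs in System32. The inject-then-copy correlation is the stronger signal, since it ties the cross-process write recorded under "Suspicious use of WriteProcessMemory" to the copy launched from AppData by the same parent.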

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 138.91.171.81:80 | | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

The in-addr.arpa rows are reverse (PTR) lookups sent to 8.8.8.8, not forward resolutions of malware domains; reverse the first four labels to recover the address that was looked up (58.55.71.13.in-addr.arpa is 13.71.55.58). The only direct connection recorded in this run is the TCP session to 138.91.171.81:80, for which no domain was recorded.

Files

memory/4948-0-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/4948-2-0x000001F454CB0000-0x000001F454CB7000-memory.dmp

memory/3504-4-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

memory/4948-7-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-9-0x00007FFAD15CA000-0x00007FFAD15CB000-memory.dmp

memory/3504-10-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-11-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-8-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-12-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-6-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-13-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-14-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-15-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-21-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-23-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-24-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-25-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-32-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-37-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-38-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-39-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-40-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-47-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-49-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-48-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-46-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-51-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-53-0x00000000029B0000-0x00000000029B7000-memory.dmp

memory/3504-54-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-52-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-50-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-61-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-45-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-44-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-69-0x00007FFAD1660000-0x00007FFAD1670000-memory.dmp

memory/3504-43-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-42-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-41-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-36-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-35-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-34-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-33-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-31-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-29-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-30-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-28-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-27-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-26-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-71-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-22-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-20-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-73-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-19-0x0000000140000000-0x00000001401C7000-memory.dmp

C:\Users\Admin\AppData\Local\mslkdfAq\UxTheme.dll

MD5 30f3913caebdcd0081d900c4b0192a4e
SHA1 54b29d951346f292ae0e43064c7a9c2eb0aaeb1f
SHA256 a7529b76c5043ac8967f5573a44891033ee711e9165ebacef636c174f06358c0
SHA512 484b2678c993d8cd5a51043f1cb5379c908b32f8df0297c585342a4ac64c9879b2046a64f769b7472bfb70e55481fb6ec5ef2d2715d854b5f77ced17bf9abd21

memory/2284-82-0x000002312E5A0000-0x000002312E5A7000-memory.dmp

C:\Users\Admin\AppData\Local\mslkdfAq\UxTheme.dll (second capture of the same path; the four digests below are those of a zero-length input, so this copy was hashed before the dropper had written its contents and the values identify nothing)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe

MD5 41bfad340d11aff8e50c88de84d28b4c
SHA1 8d5a76bda3a584755d19a4f4a9f8a249637b8d63
SHA256 05eff330eef9b282c3457a6923f76fc837c23fc12145c04e56bc4c768523e534
SHA512 ef095ac1809d219a34d7f3abf2753924edf5c0aa9638a4097a495be6c3341feffc0d09bdd4ef52f38414d18d9a1f95c7865d336074cfd55429adaf5b8fbb6e33

memory/3504-18-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3504-17-0x0000000140000000-0x00000001401C7000-memory.dmp

C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe

MD5 f3cc8445e6753cb30ec83e58ac59d25f
SHA1 3dd6f18971d944475a12fbbd85d4cd829fda3720
SHA256 152a8b970a9676dc3af349dfea66ba83cdef15f4c4931f7de84b8c6b7a948217
SHA512 209058d04a90c98bceb510cff9785c1ef36823d57b415bdefcd34b8278979b461c54f3c5ce56e5000b99b720e1113f479e5b81f7281a51369a39e4182e32a48f

C:\Users\Admin\AppData\Local\gvgm8wZiN\isoburn.exe

MD5 c6c36c4b03b120d1729a7c6d1d133f0e
SHA1 34a936148f7db694b30773ba5d05b8936a97f00b
SHA256 1593c2a41473e78d0132e9c392d0db03de540ecb23e28721680b9d2c23ae964c
SHA512 11921c3aa80a1219394e47291ea5439e34e95b75965574a60ae0920a87e22eba8257493664b5ecf4fdebad8eb4c711070edb77652e90f2cb8832f57f657603b2

C:\Users\Admin\AppData\Local\gvgm8wZiN\UxTheme.dll

MD5 07628c7eea55e8ea1d92e6a5c800a179
SHA1 6a942af764efbdbc75aa119f93533cb19d99e180
SHA256 acb0332c9d8d0ce5035cdddce2e0ca4f4fde9bcb62d1dfacf991d26237cc51af
SHA512 94ed070a7cd339dc7bb2d51f84dfe39a8c50b1bf10acf74d2c37b695ad461df595fe0bfe592fb98e02688685d7d3a0dc96dab6670912f4a7ebb4ac7f3197701e

memory/1412-102-0x00000226349B0000-0x00000226349B7000-memory.dmp

C:\Users\Admin\AppData\Local\gvgm8wZiN\UxTheme.dll

MD5 15e8d2e818b6ad64d7c36234aed2d7be
SHA1 15417d4070fce1aa88b9ccd971dcdce8eb3879b0
SHA256 50ab7c606f24d71081f45dd1b780c36d64c8ca7fdf4d6aaf0f9bae9613706eeb
SHA512 7442becfa2d3aeeec71e1bfe07e58b21ce585b9b4ee176da97b38ae6a62520b7985325aa23a62de306120a7587aaf0734370f7ef65adc29d2f693cd3b42e8a3f

C:\Users\Admin\AppData\Local\n3NOY\MFPlat.DLL

MD5 3413984e77be21626bf83b7b85665cd6
SHA1 6eb4212ce0d8452cda09ebc42b58f1ab9877f3bf
SHA256 c66fc32105b47c46fa6dc5a59b2a00f1f67b049bd209b4b31b54a4bf8835ce89
SHA512 c22b353bd9ee4a8be03da624a4ec9bb7e88741732d6bd538fe3e4d4771ff6ea0b8996a820da5ce1305243d584bd05eb5534b1c48d990b7fac1735b41e6d04216

memory/2404-116-0x0000021484170000-0x0000021484177000-memory.dmp

C:\Users\Admin\AppData\Local\n3NOY\MFPlat.DLL

MD5 ca94b6cb71349a463eac16b0a329bfc6
SHA1 ad56dea15c0a17753d3977ebfffc81b3139b70c3
SHA256 db01b8e242b4cd843c1947b123217bcb68c3d2039f0402868594bd924b45c883
SHA512 fc74dc23e944939b926b064962705462333d8920be833727e595c96afb0dbcb5d3bc1e4d28717f36756b4e5f73fc3f96fcad435cb10cf59c2c0ce07fb80dc9d2

C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe

MD5 8f8fd1988973bac0c5244431473b96a5
SHA1 ce81ea37260d7cafe27612606cf044921ad1304c
SHA256 27287ac874cef86be03aee7b6d34fdc3bd208070ed20e44621a305865fb7579e
SHA512 a91179e1561168b3b58f5ca893bce425d35f4a02aec20ac3d6fb944f5eb3c06b0a1b9d9f3fb9ea87869d65671d2b89b4ae19acf794372bdbd27f5e9756c5a8ab

C:\Users\Admin\AppData\Local\n3NOY\mfpmp.exe

MD5 2ff57e7d66bae3d21677592a3d1ddd2f
SHA1 969c1bf3c8808efa66a4ced4b6a136074fc1db56
SHA256 db390f6f4e344617b9bc3bef92d745cb8f9859bda4773bb07b345db63d0cbc79
SHA512 dd2d8113d6995d1de4c32acc72885833741e66f1af7ee17b4a717fcede141041370b05c329c984855336724c0d9b1522146f3442291c936b896b68ab77d7a2f4

memory/3504-16-0x0000000140000000-0x00000001401C7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 404e6c92c428b627361da81ec542776c
SHA1 a5e33c72261afe54ea0b7912c2d1a65e8e2d3f27
SHA256 45ee3583d979ca2d5caa884ab1f7b458b2d2f4f3197d17860973ab8cde33c059
SHA512 ccc011a710310370ad7b0be723de27dab0a10aef98e3ec8fc6a4bbc8c5aa4ae731b9963c6a8aeb6863b0ea50b13bddeecbb483fcbee6f1ba799d160895f43ff7

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\CWCyC\UxTheme.dll

MD5 9ecf31d7088b51e001aa8cb02e373bf4
SHA1 081920d046bb2d3fe747d1a44328e303a50df101
SHA256 b849fcb1345d334e85c4db081d4e23b8757552456e7b139aefd0281548a17500
SHA512 117eadade9f63c4f2e52e8b82f319f7a4ae09c303ce6dfc915f5d71b231b41adb5b9972fbbc94c20f26d07b1ea8d60fe81eb041beb6d5024d581233e45133d7e

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\CWCyC\ouKP\UxTheme.dll

MD5 2e1583a5837e56cdb9c33cf16afbfff6
SHA1 46b6c6de029c3ddd8cd3b5bf6eb1e4fbe66b1f01
SHA256 2abe0c8a5de2c562a9627e4e214317daf90c42aca9012f16968d0dc94cfe70fa
SHA512 6d4e7e353a0db64be250e01a69959c54ef43e1559dd3427c1930be5701cad0b966ea63e359744a5856198a3a0228aaa6a249745dd95f0fb2c3951c6b710cf3bf

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\JPChet5\MFPlat.DLL

MD5 ca28274475764cd6d8075474c5574e3e
SHA1 a4c57beb819ab936fa1d765b0cd1194dcbcf5d1b
SHA256 21052531521f0f38b2482599c6f82decf2890df1341989ea24fb2f3b7374387f
SHA512 08e70731de840db82ab07da3bb2ca782ce267843673a4f3870a4209402f38c148838e20e28a3a7dd03fdb67de8a84495a5d45bbb04827fa0c1207f1a35cbc586
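The Files and Network sections above are a flat text layout: a path line, a blank line, then four hash lines per dropped file, and one row per network event. The parser below is an added example, not part of this report or of the sandbox's tooling; REPORT_EXCERPT is a constructed slice that copies three file entries and three network rows verbatim from this run, and the regexes assume exactly that layout. It skips memory dumps (which carry no hashes), flags entries whose digests are those of a zero-length input (the second UxTheme.dll entry above carries exactly those, because the file was hashed before it had content), decodes the in-addr.arpa names back to the addresses that were reverse-looked-up, and keeps those apart from direct connections.

```python
"""Extract IOCs from the plain-text Files and Network sections of this report.

Added example, not part of the report or of the sandbox vendor's tooling.
REPORT_EXCERPT is a constructed slice that copies three file entries and
three network rows verbatim from the behavioral2 run; the parser assumes
exactly that layout (path, blank line, four hash lines; one network row per line).
"""
import hashlib
import re

REPORT_EXCERPT = r"""
Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 138.91.171.81:80 tcp

Files

memory/3504-4-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

C:\Users\Admin\AppData\Local\mslkdfAq\UxTheme.dll

MD5 30f3913caebdcd0081d900c4b0192a4e
SHA1 54b29d951346f292ae0e43064c7a9c2eb0aaeb1f
SHA256 a7529b76c5043ac8967f5573a44891033ee711e9165ebacef636c174f06358c0
SHA512 484b2678c993d8cd5a51043f1cb5379c908b32f8df0297c585342a4ac64c9879b2046a64f769b7472bfb70e55481fb6ec5ef2d2715d854b5f77ced17bf9abd21

C:\Users\Admin\AppData\Local\mslkdfAq\UxTheme.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\mslkdfAq\isoburn.exe

MD5 41bfad340d11aff8e50c88de84d28b4c
SHA1 8d5a76bda3a584755d19a4f4a9f8a249637b8d63
SHA256 05eff330eef9b282c3457a6923f76fc837c23fc12145c04e56bc4c768523e534
SHA512 ef095ac1809d219a34d7f3abf2753924edf5c0aa9638a4097a495be6c3341feffc0d09bdd4ef52f38414d18d9a1f95c7865d336074cfd55429adaf5b8fbb6e33
"""

# One file entry: a Windows path line, a blank line, then the four hash lines.
FILE_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:)?\\[^\n]+)\n\n"
    r"MD5 (?P<md5>[0-9a-f]{32})\nSHA1 (?P<sha1>[0-9a-f]{40})\n"
    r"SHA256 (?P<sha256>[0-9a-f]{64})\nSHA512 (?P<sha512>[0-9a-f]{128})$", re.M)
# One network row: country, ip:port, optional queried name, protocol.
NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)"
    r"(?: (?P<name>\S+))? (?P<proto>tcp|udp)$", re.M)
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)

# Digests of a zero-length input. An entry carrying all four was hashed before
# the dropper had written any content, so it identifies nothing.
EMPTY_DIGESTS = {alg: getattr(hashlib, alg)(b"").hexdigest()
                 for alg in ("md5", "sha1", "sha256", "sha512")}


def parse_files(text):
    """File entries in report order; memory dumps carry no hashes and are skipped."""
    entries = []
    for m in FILE_RE.finditer(text):
        e = m.groupdict()
        e["zero_length"] = all(e[alg] == d for alg, d in EMPTY_DIGESTS.items())
        entries.append(e)
    return entries


def decode_ptr(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'; None if not a PTR name."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def parse_network(text):
    """Split rows into addresses that were reverse-looked-up and direct connections."""
    lookups, direct = [], []
    for m in NET_RE.finditer(text):
        ip = decode_ptr(m.group("name"))
        if ip:
            lookups.append(ip)
        else:
            direct.append((m.group("ip"), int(m.group("port")), m.group("proto")))
    return {"reverse_lookups": lookups, "direct_connections": direct}


def iocs(text):
    """Shareable hashes (zero-length entries dropped), paths and network observables."""
    files = parse_files(text)
    return {"sha256": sorted({f["sha256"] for f in files if not f["zero_length"]}),
            "paths": sorted({f["path"] for f in files}), **parse_network(text)}
```

Run iocs(REPORT_EXCERPT) to get the summary. Before sharing the executable hashes, check them against a known-good catalog: the report lists two different digests for the same isoburn.exe path, and the digest of an unmodified copy of a Windows binary is not a useful indicator on its own. The reverse-lookup addresses are likewise weak indicators, since PTR queries of this kind are commonly sandbox or OS background noise rather than command-and-control traffic.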

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 05:15

Reported

2024-01-25 05:17

Platform

win7-20231129-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\73d3e10fa82e2301bd8fb5cabf77c864.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\O60FA2\\iexpress.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
(61 further rows with every column N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1256 wrote to memory of 2624 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 1256 wrote to memory of 2624 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 1256 wrote to memory of 2624 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe
PID 1256 wrote to memory of 2764 | N/A | N/A | C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe
PID 1256 wrote to memory of 2764 | N/A | N/A | C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe
PID 1256 wrote to memory of 2764 | N/A | N/A | C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe
PID 1256 wrote to memory of 1700 | N/A | N/A | C:\Windows\system32\iexpress.exe
PID 1256 wrote to memory of 1700 | N/A | N/A | C:\Windows\system32\iexpress.exe
PID 1256 wrote to memory of 1700 | N/A | N/A | C:\Windows\system32\iexpress.exe
PID 1256 wrote to memory of 948 | N/A | N/A | C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe
PID 1256 wrote to memory of 948 | N/A | N/A | C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe
PID 1256 wrote to memory of 948 | N/A | N/A | C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe
PID 1256 wrote to memory of 1068 | N/A | N/A | C:\Windows\system32\tcmsetup.exe
PID 1256 wrote to memory of 1068 | N/A | N/A | C:\Windows\system32\tcmsetup.exe
PID 1256 wrote to memory of 1068 | N/A | N/A | C:\Windows\system32\tcmsetup.exe
PID 1256 wrote to memory of 1824 | N/A | N/A | C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe
PID 1256 wrote to memory of 1824 | N/A | N/A | C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe
PID 1256 wrote to memory of 1824 | N/A | N/A | C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\73d3e10fa82e2301bd8fb5cabf77c864.dll,#1

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe

C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe

C:\Windows\system32\iexpress.exe

C:\Windows\system32\iexpress.exe

C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe

C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe

C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe

C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

C:\Windows\system32\tcmsetup.exe

Network

N/A

Files

memory/2188-1-0x0000000000390000-0x0000000000397000-memory.dmp

memory/2188-0-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-4-0x00000000772D6000-0x00000000772D7000-memory.dmp

memory/1256-5-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

memory/1256-10-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-19-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-29-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-32-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-37-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-42-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-49-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-53-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-60-0x0000000002DB0000-0x0000000002DB7000-memory.dmp

memory/1256-52-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-61-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-63-0x0000000077640000-0x0000000077642000-memory.dmp

memory/1256-62-0x00000000774E1000-0x00000000774E2000-memory.dmp

memory/1256-72-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-51-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-76-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-50-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-48-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-47-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-46-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-45-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-44-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-43-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-41-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-40-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-39-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-38-0x0000000140000000-0x00000001401C7000-memory.dmp

\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe

MD5 67458fce22e3ac3e6a13662fc914af5b
SHA1 83ba7b4ae0a2e97c95abef3af1d73a619aa5ac80
SHA256 43a31a2842ba1f414bd64bd7baf119fbd301ec9a81fbad5dc92b191a3c6453ff
SHA512 7a9f7322c04a2f121fea7cbb865d6084d43fc8bfeac8a461a4795a3739ca0ebedc69aa6654d33564e33ccd7756e169c6b50959cd974ca408f30fab790831bdd9

memory/1256-36-0x0000000140000000-0x00000001401C7000-memory.dmp

C:\Users\Admin\AppData\Local\oVAOIMn3u\WINMM.dll

MD5 ac055faf85f34a7a4fa9cc285ed443ad
SHA1 222815a74c9af8748ff116455536560f0f71cb14
SHA256 cb30ab88fe515ad47a63b9f4e2b3895b42434bbe7c67c1bd102eb05f065c6513
SHA512 5095963469beaea86993ff59a21e2784b7f7366b8af5110be2b43a1a6826a6ee91d32e25b06792e070afe49ef450ce3831d8b476a580ddab00af4826a06e4ab4

\Users\Admin\AppData\Local\oVAOIMn3u\WINMM.dll

MD5 5c31f8b21a416a2781bf7fefb9aebf5e
SHA1 c789a6a96fc743b7c7ab1c1f06f1f61f424e34f4
SHA256 12eb45a3b5ec71dbb2ff430016eda3124e3383fc3a1af9ed3c204d02011c0be5
SHA512 cda5d113ebc2d259a5106e49a26e484aaeeb5aab5d98b759eb87d85a09d3bddd861993d1b0e8892fda0370f0d605c52d18a8a141e93dc08c3858253510688318

C:\Users\Admin\AppData\Local\oVAOIMn3u\PresentationSettings.exe

MD5 2dc2336d9661bd0c0a3410b30feedc5c
SHA1 56d3f8b24f3c8d8cd626ad1b654a5d48e6dae211
SHA256 b91d1f53d6171beedd044d0e5e8148112efa41274be644d890d959501ee7811e
SHA512 0ae2adfa3937bbe6ac098b4fcc345ce32df2da5437ef384c958e4c3e4b4eb5f83147f07b50f7882d6453df2c1ede5baac3d929c11fb35cc7d4c5ab10cffbe971

memory/1256-35-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/2764-90-0x0000000000100000-0x0000000000107000-memory.dmp

memory/1256-34-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-33-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-31-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-30-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-28-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-27-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-26-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-25-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-24-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-23-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-22-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-21-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-20-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-18-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-17-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-16-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-15-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-14-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-13-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-12-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-11-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-9-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/1256-8-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/2188-7-0x0000000140000000-0x00000001401C7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Macromedia\iCqj\PresentationSettings.exe

MD5 eabe8bd7d7c4cda27cfafdcad83df71a
SHA1 070320c8622024b87d64c2d34b1903e3c8f19535
SHA256 3e7769f937369a90fa467945f097cddd37f89210cb3b2f24aa04c1b168d7f850
SHA512 f83589f10d03b639fdf12220309e7a32c3eabdcf2fbcaa924ce6dabaa4028a04620b580184c34af0b7f8d7a84749bc85dc5028dc34567253d439f6fe1319e01a

\Users\Admin\AppData\Local\nUt4bjZ\VERSION.dll

MD5 7d56de3c545e8a1527f2d62cb19fe762
SHA1 7b51bba11a2f6c64ea3af6e6700183e340c30778
SHA256 c703687dff0fbb84b4580f9d24db35903ccd24b9553f232bfbd9ca6666977cc9
SHA512 6a38541e300d7cf60793025cb6aab47ec2a7da9913fdfcb8cf8359f2d266131f1a085ebb2da4ac34f301dc5b40a2465931c3562a9718876c76e6ba3120f7bdd0

memory/948-107-0x0000000000180000-0x0000000000187000-memory.dmp

C:\Users\Admin\AppData\Local\nUt4bjZ\VERSION.dll

MD5 3f1f0bfab2bd73c1dd3a185a12834754
SHA1 db114d9e8b98dd8697d764f500dbc129dd1e2e89
SHA256 ffd3d764f0e922321d933e311e928374f3ee58e81b3a58ee5302be0a5ad0a620
SHA512 3006bc25d445aed9b058bbd779a3665b790398951f593900499ff13e6bef33329ed44ae6c0b3e34dad9c79faadeac407ebd1670f4c85955105965211bb04db83

C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe

MD5 e9810113a0227ee3c2e866f74230faab
SHA1 7b37f03123dab70357e6a23904d5a0fa32211a13
SHA256 fe460ac2fe97c4fb8a5bc3e61fb6b1c3b05cdb78dbf745e2764cf4dfec3ea9b7
SHA512 4be92515750fa5f592a19b2b83ee6fd5dd3dcd272cf97b9eba5e57e2f2c7139b3b8b3ee4b94976dc8fd3df62e2c9938056ae3ad387a5747c56caf35af210fec2

\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe

MD5 47cf6057d543a387014ea38243c130dd
SHA1 887f31468257a688bee14dae50d333e5ba6e7bac
SHA256 6012cac0c9a5e30012d9d8d8ca027938e63158edda0fee2d76c29e295b49319d
SHA512 52ad14826480d366d52d52ac44d6929b4a719e173e5bc5405aa65fc1c536b05cf1d82db7b16500a83fc7705302ef55b5b6cf25902aceb875fcdafcce5637a95c

C:\Users\Admin\AppData\Local\nUt4bjZ\iexpress.exe

MD5 62758063351e1779b2f43c8a3d4afcce
SHA1 764dd1da15e99aa1e5e73eff440af0a0c8f49fb3
SHA256 03c7a11e071ea7d4f938de4584f8e0a235b64efb4864b3e65ba4816173338a48
SHA512 f875099a3953e8147c219d45da39488cf53ed3a0117c805e15c5cf4922dcdb52e513d751c034fcb5e6ac54cbd151f3d791388f4388864b7d391bf9c60598e9c6

C:\Users\Admin\AppData\Local\bhrUSAnk\TAPI32.dll

MD5 8cdff0acbc15aab78b5c6cd664f60f2f
SHA1 1f28b10bcab530438e49d7db8e929863fdbc0648
SHA256 40ec756adca9f18693267782a5e7f7e7e7dd758ec0138b9c4a84d4cbd0278c57
SHA512 5e12b9649569f4977b9318f25b6ed727e2e30a04ee54ac02f114902c3f753b1b43c996f8843039704fda0c5c63b06f5ecd197cf518d3bc60331d088608879a3b

memory/1824-128-0x0000000000110000-0x0000000000117000-memory.dmp

\Users\Admin\AppData\Local\bhrUSAnk\TAPI32.dll

MD5 0d8ac2a3dee9404410435ddef9782222
SHA1 5fbbe3d5ff1eab1a079ea59f8f8e7ce533a81686
SHA256 de2314ceb3d6dc3a3ec2b825585994f2116aaa0e7fb6c76e0d8e4c3696881a0f
SHA512 14ead813bad4efddc8cbe3c9b8611740475835d288026c8aec2f26ba92211ef177c302cddd9cba56e10f6a1bc87856d1219d69ebfac05124d119705a57ad0904

C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe

MD5 c47df0f0fafc67840e5308ca47fb34eb
SHA1 67e7ba565c6661c863304f329151866843fee13c
SHA256 f820ba259fe1e0f6e8ece35b938a14ca7544c175c15db1f9b128fed2513feb35
SHA512 0f34eb0bca098344d1ed79bab42757c05152158bee84b63a5a51b570fcd36443c3d5b4bb06b6129ca8d9f32e3ab870c3eeafc216ee5d0e8d0d59cdb5917e78a3

C:\Users\Admin\AppData\Local\bhrUSAnk\tcmsetup.exe

MD5 0b08315da0da7f9f472fbab510bfe7b8
SHA1 33ba48fd980216becc532466a5ff8476bec0b31c
SHA256 e19556bb7aa39bbd5f0d568a95aec0b3af18dda438cc5737f945243b24d106e7
SHA512 c30501546efe2b0c003ef87ac381e901c69ddfc6791c6a5102cff3a07f56555d94995a4413b93036821aa214fc31501fa87eb519e1890ef75b2ec497983ffd58

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

MD5 277c50e4065b2485579acc0f2bcbe2d8
SHA1 52fc91536b88dfe89427bfac32584f4d41d5a109
SHA256 94182697fb108b76b17c23ca1aedd2ff60887fc66e9860d1426553720cc06b13
SHA512 52ddafafd4ae96cb477328127b8b8536da2c88e659150e8d429a030ad01f5a6306fd1b62f63710f85f51c974245bb69f0877d56df68eee38f409c2b3f0d9fd96

memory/1256-151-0x00000000772D6000-0x00000000772D7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Macromedia\iCqj\WINMM.dll

MD5 e9a403fa5e80c89ca13994fef2f18fe8
SHA1 e1b1ad7431204a105c4f2d6807fcb6be1a5fad9b
SHA256 2693d7de76f7dbae7c7fb558157036eec23a995a3d6f72dd23e61e9553b4845e
SHA512 f65fef13b38b6ef707c02633b0915b7cd529e5e0f58a35438f6896ec25b8024ea444bcb1cd63192e890ebd9c6fd97e9487841e59f7667c3f3ef9df740bddaefc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\O60FA2\VERSION.dll

MD5 050f35d3e6f7f7b56465e52c9b13d6ed
SHA1 eca1c7f71981a4b78980b9dd03ee6d984ae39a32
SHA256 2aeaab8a6ebb6313aaeb67c77f61fbd25e943e55e13c0dda93d65d6199334b5d
SHA512 5e575cb18b6cd4a764672ef074eab513779dafa72d3b8f069df7f65879ed7168291fef3cc792f8167e3377fe3d094ad927d9a0b860a42a92cdb2d836bde10105

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\Low\joiiHQ43\TAPI32.dll

MD5 fa2df8248f211ddb2edb3ffe0b474dc4
SHA1 61cfe95357423020ca3abcacae00af9c0395f336
SHA256 040bf7a4a6ad1e7a93d881a23d1c932ea4a8acf7ff5d97681046f7c9783e6d9f
SHA512 b3c70abd63849bf3aa70bbe21566329af9bfdfd040cfd4619f8424f259b6c1e3558d4e628d0f95632b258ca9140fa17f758e30dc2ebccee265a1d50ac5e7b7d2