Malware Analysis Report

2024-11-15 08:50

Sample ID 240125-ml8nfaefgl
Target 7477fc39b45ddb88b4ff0de5a954889a
SHA256 1bed54ab01a098e8eefee909a56a0ce2b4ffc50208869d313501680c11e05798
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

1bed54ab01a098e8eefee909a56a0ce2b4ffc50208869d313501680c11e05798

Threat Level: Known bad

The file 7477fc39b45ddb88b4ff0de5a954889a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Drops startup file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 10:34

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 10:34

Reported

2024-01-25 10:36

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7477fc39b45ddb88b4ff0de5a954889a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\RecUTez\eudcedit.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\96P\msinfo32.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\NNIYfTExpn0\\StikyNot.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\RecUTez\eudcedit.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\96P\msinfo32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (61 further rows, all N/A)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1384 wrote to memory of 1680 | N/A | N/A | C:\Windows\system32\eudcedit.exe
PID 1384 wrote to memory of 1680 | N/A | N/A | C:\Windows\system32\eudcedit.exe
PID 1384 wrote to memory of 1680 | N/A | N/A | C:\Windows\system32\eudcedit.exe
PID 1384 wrote to memory of 328 | N/A | N/A | C:\Users\Admin\AppData\Local\RecUTez\eudcedit.exe
PID 1384 wrote to memory of 328 | N/A | N/A | C:\Users\Admin\AppData\Local\RecUTez\eudcedit.exe
PID 1384 wrote to memory of 328 | N/A | N/A | C:\Users\Admin\AppData\Local\RecUTez\eudcedit.exe
PID 1384 wrote to memory of 1180 | N/A | N/A | C:\Windows\system32\StikyNot.exe
PID 1384 wrote to memory of 1180 | N/A | N/A | C:\Windows\system32\StikyNot.exe
PID 1384 wrote to memory of 1180 | N/A | N/A | C:\Windows\system32\StikyNot.exe
PID 1384 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe
PID 1384 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe
PID 1384 wrote to memory of 2644 | N/A | N/A | C:\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe
PID 1384 wrote to memory of 1492 | N/A | N/A | C:\Windows\system32\msinfo32.exe
PID 1384 wrote to memory of 1492 | N/A | N/A | C:\Windows\system32\msinfo32.exe
PID 1384 wrote to memory of 1492 | N/A | N/A | C:\Windows\system32\msinfo32.exe
PID 1384 wrote to memory of 1560 | N/A | N/A | C:\Users\Admin\AppData\Local\96P\msinfo32.exe
PID 1384 wrote to memory of 1560 | N/A | N/A | C:\Users\Admin\AppData\Local\96P\msinfo32.exe
PID 1384 wrote to memory of 1560 | N/A | N/A | C:\Users\Admin\AppData\Local\96P\msinfo32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7477fc39b45ddb88b4ff0de5a954889a.dll,#1

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\RecUTez\eudcedit.exe

C:\Users\Admin\AppData\Local\RecUTez\eudcedit.exe

C:\Windows\system32\StikyNot.exe

C:\Windows\system32\StikyNot.exe

C:\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe

C:\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe

C:\Windows\system32\msinfo32.exe

C:\Windows\system32\msinfo32.exe

C:\Users\Admin\AppData\Local\96P\msinfo32.exe

C:\Users\Admin\AppData\Local\96P\msinfo32.exe

Network

N/A

Files

memory/2436-0-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/2436-2-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/1384-4-0x0000000076FE6000-0x0000000076FE7000-memory.dmp

memory/1384-5-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/1384-11-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-10-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-9-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/2436-8-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-7-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-17-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-18-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-15-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-16-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-14-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-13-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-12-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-19-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-20-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-22-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-21-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-24-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-23-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-26-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-25-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-27-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-29-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-28-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-32-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-31-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-30-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-34-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-33-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-35-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-36-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-40-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-39-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-37-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-38-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-41-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-43-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-42-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-45-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-44-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-46-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-51-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-50-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-52-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-49-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-48-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-47-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-54-0x0000000002AE0000-0x0000000002AE7000-memory.dmp

memory/1384-61-0x00000000771F1000-0x00000000771F2000-memory.dmp

memory/1384-60-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/1384-62-0x0000000077350000-0x0000000077352000-memory.dmp

memory/1384-71-0x0000000140000000-0x00000001401C6000-memory.dmp

\Users\Admin\AppData\Local\RecUTez\eudcedit.exe

MD5 35e397d6ca8407b86d8a7972f0c90711
SHA1 6b39830003906ef82442522d22b80460c03f6082
SHA256 1f64118bdc3515e8e9fce6ad182f6d0c8a6528d638fedb4901a6152cde4c7cde
SHA512 71b0c4ac120e5841308b0c19718bdc28366b0d79c8177091328ef5421392b9ee5e4758816ffb8c0977f178e1b33ed064f64781eaf7d6952878dc8aea402f035e

C:\Users\Admin\AppData\Local\RecUTez\MFC42u.dll

MD5 e879ed7a139445e4ddd2bbc06e196004
SHA1 5b4e528b6079276ba220ce7d7da367b910d4d716
SHA256 812b84acb47eedf17886b47d6a7edd4521d7d9310d583a1def224083d9c7f80b
SHA512 de0507314d4d1e73c29d08fe2ab7b22b35e223ea5c26decd916bdfd52fea777d891afeb83ea168a060bf14970709d3f40fa29c7fdcdeb421d254fbd9fccef5c3

memory/328-91-0x0000000000180000-0x0000000000187000-memory.dmp

\Users\Admin\AppData\Local\ZH6j2qFR\StikyNot.exe

MD5 b22cb67919ebad88b0e8bb9cda446010
SHA1 423a794d26d96d9f812d76d75fa89bffdc07d468
SHA256 2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128
SHA512 f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

C:\Users\Admin\AppData\Local\ZH6j2qFR\slc.dll

MD5 77711413fad9a5293ba0c7c1cf74c219
SHA1 27d9bb757f661239c3e242cd63031170b59e5a50
SHA256 ba1d3b43aa2684d13adc444ef3440e42c5e420093bf5894bf655f21238b0e075
SHA512 f42bccf6ac1082ec3e183b62e82a894d111d3c728ebb09e5e7ddddb9e8f60f31011643c263ffe50072c7e6501900854f48b9ab84ecca904ebf855241a238ab69

memory/2644-107-0x0000000000430000-0x0000000000437000-memory.dmp

\Users\Admin\AppData\Local\96P\msinfo32.exe

MD5 d291620d4c51c5f5ffa62ccdc52c5c13
SHA1 2081c97f15b1c2a2eadce366baf3c510da553cc7
SHA256 76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae
SHA512 75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

C:\Users\Admin\AppData\Local\96P\MFC42u.dll

MD5 8c42d96a06f0c138f7be68b461ba1aca
SHA1 f781f66e2bb2b67077869213ee3303626dfbbf96
SHA256 55d0470e4494590cd6dea28d3f9f8160913ad252620bc0a960f922fe3198dc1f
SHA512 e23dd29de6aceddc9c30332f9678219edd0a25b7d087ae3760673ffa0cde6ff97e6cfdc9d8deb9757f92385db1d38a169a6e843766cca6e53f31bf08283da4da

memory/1560-125-0x0000000000170000-0x0000000000177000-memory.dmp

memory/1384-146-0x0000000076FE6000-0x0000000076FE7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 acf4abd5ce068a487b64473c8565c58b
SHA1 a1e5a670a6c61c4ecea68fc12d272c468595e09c
SHA256 d4abd97813bac609272772b6c495791bb7b758407e1e873d84229461326301c6
SHA512 63bef9fdae91564df23190bd8dcaf08d35ef0b14ad30a45c0429ea6fb717f65ae996c42f21eba6a670b3bd5c739becf94217f9618c274cade2b6447efc2c8aee

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 10:34

Reported

2024-01-25 10:37

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7477fc39b45ddb88b4ff0de5a954889a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZOYqG7sjK | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZOYqG7sjK\appwiz.cpl | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZOYqG7sjK\OptionalFeatures.exe | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\ZOYQG7~1\\OPTION~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eGcMl\PasswordOnWakeSettingFlyout.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\6ndyrWFGr\OptionalFeatures.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8o9\cmstp.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (60 further rows, all N/A)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3464 wrote to memory of 3616 | N/A | N/A | C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
PID 3464 wrote to memory of 3616 | N/A | N/A | C:\Windows\system32\PasswordOnWakeSettingFlyout.exe
PID 3464 wrote to memory of 3884 | N/A | N/A | C:\Users\Admin\AppData\Local\eGcMl\PasswordOnWakeSettingFlyout.exe
PID 3464 wrote to memory of 3884 | N/A | N/A | C:\Users\Admin\AppData\Local\eGcMl\PasswordOnWakeSettingFlyout.exe
PID 3464 wrote to memory of 3880 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 3464 wrote to memory of 3880 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 3464 wrote to memory of 3876 | N/A | N/A | C:\Users\Admin\AppData\Local\6ndyrWFGr\OptionalFeatures.exe
PID 3464 wrote to memory of 3876 | N/A | N/A | C:\Users\Admin\AppData\Local\6ndyrWFGr\OptionalFeatures.exe
PID 3464 wrote to memory of 2384 | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 3464 wrote to memory of 2384 | N/A | N/A | C:\Windows\system32\cmstp.exe
PID 3464 wrote to memory of 3348 | N/A | N/A | C:\Users\Admin\AppData\Local\8o9\cmstp.exe
PID 3464 wrote to memory of 3348 | N/A | N/A | C:\Users\Admin\AppData\Local\8o9\cmstp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7477fc39b45ddb88b4ff0de5a954889a.dll,#1

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\PasswordOnWakeSettingFlyout.exe

C:\Users\Admin\AppData\Local\eGcMl\PasswordOnWakeSettingFlyout.exe

C:\Users\Admin\AppData\Local\eGcMl\PasswordOnWakeSettingFlyout.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\6ndyrWFGr\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\6ndyrWFGr\OptionalFeatures.exe

C:\Windows\system32\cmstp.exe

C:\Windows\system32\cmstp.exe

C:\Users\Admin\AppData\Local\8o9\cmstp.exe

C:\Users\Admin\AppData\Local\8o9\cmstp.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp

Files

memory/4488-1-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/4488-0-0x0000019E7D6C0000-0x0000019E7D6C7000-memory.dmp

memory/3464-4-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

memory/3464-5-0x00007FFCAA4BA000-0x00007FFCAA4BB000-memory.dmp

memory/4488-8-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-9-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-7-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-10-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-12-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-13-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-11-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-14-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-15-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-17-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-16-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-18-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-19-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-21-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-20-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-22-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-23-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-24-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-25-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-27-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-28-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-26-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-29-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-30-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-31-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-32-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-33-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-34-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-35-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-36-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-37-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-38-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-39-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-40-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-41-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-42-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-43-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-44-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-45-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-46-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-47-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-49-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-48-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-50-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-51-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-52-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-53-0x00000000008B0000-0x00000000008B7000-memory.dmp

memory/3464-60-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-61-0x00007FFCAC400000-0x00007FFCAC410000-memory.dmp

memory/3464-70-0x0000000140000000-0x00000001401C6000-memory.dmp

memory/3464-72-0x0000000140000000-0x00000001401C6000-memory.dmp

C:\Users\Admin\AppData\Local\eGcMl\PasswordOnWakeSettingFlyout.exe

MD5 591a98c65f624c52882c2b238d6cd4c4
SHA1 c960d08c19d777069cf265dcc281807fbd8502d7
SHA256 5e6ed524c955fb1ea3e24f132987143da3ec81db5041a0edcfa7bf3ac790eb06
SHA512 1999f23c90d85857461f8ddc5342470296f6939a654ac015780c2977f293c1f799fc992462f3d4d9181c97ab960db3291b85ea7c0537edcb57755706b20b6074

C:\Users\Admin\AppData\Local\eGcMl\UxTheme.dll

MD5 dd3d42654d5f0a2160f50089ada77961
SHA1 60ce289ee7e076688b1e74ef7c459cafba44987f
SHA256 2d051fca8b065f47662cab970fab271145aa8d1086d82f87d0cd7ad75044321e
SHA512 45f04399ebfb5bbc2e5fa13b7181630cc3d98c6e3a1d005305410d924fd137653547f3b505601462b7d7035c20fc7cb798876b65c066aa853a22a929a0e06202

memory/3884-82-0x0000000140000000-0x00000001401C7000-memory.dmp

memory/3884-81-0x00000255148A0000-0x00000255148A7000-memory.dmp

C:\Users\Admin\AppData\Local\6ndyrWFGr\OptionalFeatures.exe

MD5 d6cd8bef71458804dbc33b88ace56372
SHA1 a18b58445be2492c5d37abad69b5aa0d29416a60
SHA256 fa2e741416994f2c1bf9ef7a16b9c4dbf20c84267e3da91ae6f1ad75ee9f49b8
SHA512 1bed8af2cf99a7f3bb36a34f4a71c34787904bd072ecdc731fb7498290dcf4024b956fb8b6912ad050b74aa861f0b0349081b77088f72732bda5075413b1f83d

C:\Users\Admin\AppData\Local\6ndyrWFGr\appwiz.cpl

MD5 1e975a810a1010763c4ef98476955171
SHA1 3ea2206a4dd2139d2b024c7c9f4b0a88c803b370
SHA256 076a0adc4110fe04316bc651cd4126bab6c32492808799a27acb15c4fb7d002d
SHA512 acc180480e2cfd8ac2d22e16d9317e41e8009a0e4721547b119eae26b2a4809fec2ea558a31b5b8e8420a8b304f2429cff2d63a4542345df134cd1bacb22795f

memory/3876-99-0x000001A0E0830000-0x000001A0E0837000-memory.dmp

C:\Users\Admin\AppData\Local\8o9\cmstp.exe

MD5 4cc43fe4d397ff79fa69f397e016df52
SHA1 8fd6cf81ad40c9b123cd75611860a8b95c72869c
SHA256 f2d3905ee38b2b5c0b724d582f14eb1db7621ffb8f3826df686a20784341614c
SHA512 851ef9fa5a03ec8b9fea0094c6e4bfa0b9e71cee3412ee86b2dfc34682aa5fb6455fefe7fc0092b711956d7c880cf8a5761b63ee990aa8e72f3473086ac0f157

C:\Users\Admin\AppData\Local\8o9\VERSION.dll

MD5 9ecc2bc6779cae37cfff6282dbec4a7a
SHA1 e82b199fba7a58953e6cc4b1f9af252a3a516e97
SHA256 367ad3c11f6e4cf326f01efcc53271622af851d4bc16baeb6136dbee5a1ac231
SHA512 99d3c18cf1e9096a1cc458ae5fe36b01a338de7105b280409206ecb0f9a681ce3e9d330e712111e29230eee5090df33f55aa3f6cd6f29fe7b41deea3d532fe86

memory/3348-117-0x000001A309BF0000-0x000001A309BF7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 6dc4ebc4985c890b24ca556dcac9798f
SHA1 cf3d795cd026bf5316a7c24630bae5f08a4df1bd
SHA256 b9e35a0df8428f3c3f8cbb05f26f45fad317c57b9e4606a3317fc13c116fdc86
SHA512 88c104335e70e72a17d776ae97844b10ffc6ef06312db20afccae75c46c2552b571ee086bd3ae28a7d3f6f8bb86b0e250b77003a6527c04941b893429b45e266