Malware Analysis Report

2024-11-15 08:50

Sample ID 240125-mngmqseaa4
Target 74792d6438fe27a6b4efb9c1142f875c
SHA256 91f4e0d55b25c852d48512dcc4852c2aa7d950cfb08fbcc53c1f373202032dae
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

91f4e0d55b25c852d48512dcc4852c2aa7d950cfb08fbcc53c1f373202032dae

Threat Level: Known bad

The file 74792d6438fe27a6b4efb9c1142f875c was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 10:36

Signatures

Unsigned PE

(no indicator, process or target recorded for this signature)

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 10:36

Reported

2024-01-25 10:39

Platform

win7-20231215-en

Max time kernel

149s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\74792d6438fe27a6b4efb9c1142f875c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
(no indicator, process or target recorded for this signature)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe N/A
(plus 4 detections with no process recorded)

Each loading process is an executable carrying the name of a System32 binary, started from a freshly created directory under AppData\Local. The Files section of this run records a dropped library in the same directory in every case (pU9jsk\WINSTA.dll, H0An\SYSDM.CPL, kyp\FVEWIZ.dll), so the "dropped DLL" each host loads is the one placed beside it; this is consistent with DLL search-order hijacking (side-loading), where the relocated host resolves a dependency by name from its own directory before System32.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\zmknj\\SystemPropertiesAdvanced.exe" N/A N/A

The value sits in the user's own hive (HKU\<SID>), so writing it needs no elevation. Its target is not the H0An copy used during this run but a further copy staged under AppData\Roaming\Macromedia\zmknj, where the Files section also records a SYSDM.CPL, i.e. a second side-loading pair that the Run value will start at the next logon. A Startup-folder shortcut (Tiizeasb.lnk, see Files) and the Task Scheduler COM API signature below give the sample two more autostart routes.

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(plus 61 detections with no process, indicator or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2676 (3 writes) N/A N/A C:\Windows\system32\winlogon.exe
PID 1208 wrote to memory of 2820 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe
PID 1208 wrote to memory of 2232 (3 writes) N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 2188 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe
PID 1208 wrote to memory of 2200 (3 writes) N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 1208 wrote to memory of 2368 (3 writes) N/A N/A C:\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe

Every write comes from PID 1208, which is not named in the Processes list. The memory dumps under Files show the same 0x140000000-0x1401AC000 image first in PID 2536 (the first process dumped, presumably the rundll32.exe host) and then in PID 1208, consistent with the loader moving into a second process before starting the side-loading chain. For each host the genuine System32 binary appears first in this table and the same-named AppData copy second.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\74792d6438fe27a6b4efb9c1142f875c.dll,#1

C:\Windows\system32\winlogon.exe

C:\Windows\system32\winlogon.exe

C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe

C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe

C:\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe

C:\Windows\system32\BitLockerWizard.exe

C:\Windows\system32\BitLockerWizard.exe

Network

N/A

Files

Several dropped paths are listed more than once with different hashes (for example pU9jsk\WINSTA.dll and pU9jsk\winlogon.exe): the file at that path was captured more than once and its content had changed in between, so every listed hash set is a distinct indicator for the same artifact. Entries written as \Users\... and C:\Users\... refer to the same file. The same applies to the Files list of behavioral2.

memory/2536-2-0x0000000000310000-0x0000000000317000-memory.dmp

memory/2536-0-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-4-0x0000000077276000-0x0000000077277000-memory.dmp

memory/1208-5-0x0000000002570000-0x0000000002571000-memory.dmp

memory/1208-14-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-13-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-12-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-11-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-10-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-9-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-18-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-17-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-16-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-15-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/2536-8-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-7-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-23-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-29-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-32-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-31-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-30-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-28-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-27-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-26-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-25-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-24-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-34-0x0000000002550000-0x0000000002557000-memory.dmp

memory/1208-33-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-22-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-21-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-41-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-20-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-19-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-43-0x00000000774E0000-0x00000000774E2000-memory.dmp

memory/1208-42-0x0000000077381000-0x0000000077382000-memory.dmp

memory/1208-52-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-59-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/1208-58-0x0000000140000000-0x00000001401AC000-memory.dmp

\Users\Admin\AppData\Local\pU9jsk\WINSTA.dll

MD5 ad1508fca0cb4f714f13b4bb53e020da
SHA1 4fcac2b7801a1a38b88f645ade7921878f6290e0
SHA256 bd8d0fb70fd03c0e02a0f7fb47732ed91009ef211fea86cf103eb34839d7dfff
SHA512 69f5dc4940539480ea864a2197f5b4b08ce08f6b60ebd5eb2c86d86cc0dcf8651517c1ec9266d2d84a309e69e8af8399844d4937fa23fa80812fcf99d42c9162

C:\Users\Admin\AppData\Local\pU9jsk\WINSTA.dll

MD5 3fb8b7f309a8f39ec3ee69b3766da8e9
SHA1 2005a7575f1a26fa410af1c931e19ccdf4f100e2
SHA256 1f434ff41e051bc7f17abceb8426a040aa36a98fca5a05bdbb829c89cd0d4984
SHA512 d83343ae730bda46024fdb430ef9b9437d383c7641220eb7938a08a2c9740540b187308bbc4c603feaca0a5ff14f57e3124f704c98cf36642596993169c96e70

memory/2820-75-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/2820-70-0x00000000001B0000-0x00000000001B7000-memory.dmp

memory/2820-71-0x0000000140000000-0x00000001401AE000-memory.dmp

C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe

MD5 584838eb0a99ef98b7671deab8059862
SHA1 f4591ce1e60e4a5cfdedf5ec08369aafe270d81d
SHA256 b4f62c8203213e5b000ee55f07283c667409d8c32bea39a454e70c52140f38ca
SHA512 d6c6dcf7240e7c743404d44d9fce23c794f6faf51106e0fef0a8ec12420d3f9c76903bf8c30f60e88c4057031092cd590b00177a65585ca2ca1ce3f5c8b37aa5

C:\Users\Admin\AppData\Local\pU9jsk\winlogon.exe

MD5 6dac19a27825c8d786c7f665ceab18a4
SHA1 df0f6c4ccdea6de5ce93346b34e9de3b5dae2ce4
SHA256 7e264b7ab05c3595d7bda1764bf3339ddf16ec4332b1452805de4a37028401ed
SHA512 e37d98481259fee73c2792764e3a3b77454433a1462aeaf80e1f0e8afffe468ea65533c9103c14314b1fbf8223ef8213b2e0cebb2427e8dd8979aeae48379e7a

\Users\Admin\AppData\Local\pU9jsk\winlogon.exe

MD5 5209369b4aa1fe15361e93db06db32c9
SHA1 8f035cac4d29c6f8881ef356547ae695df915218
SHA256 2cd8b43074281119d01200819255c3a817c80d311d99ac97ce64d902657509eb
SHA512 55d8eb5b638027f38c372f3bc59c0d299e1577dbbd9cfb55273dda66fe3ba1d66153cf3d39e6d2d20f6ca06ff29ae8ab3aa1f8605f41f5cf453cb1e5ffa5c20a

\Users\Admin\AppData\Local\H0An\SYSDM.CPL

MD5 d74bb68fdbb4402016ef8e9e713c6117
SHA1 399999eba7547122617eba5aac1062d9a009a18b
SHA256 03d0f89ff64affe19fe50ce92d84828b377e9d858622039167f32e4b2dbae82a
SHA512 dc3207968cd89f49c996dd8eb826d42e06c3e0bc9eb45ec9b692f59a1ebdd1df2c96dde55816559e58aa5461f3de1e152c14bb4f1bf3ac318e37a612203c37ab

memory/2188-95-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/2188-91-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/2188-90-0x0000000000180000-0x0000000000187000-memory.dmp

C:\Users\Admin\AppData\Local\H0An\SYSDM.CPL

MD5 e6e3cb87f89a9ce2b6c94ce28143c2d7
SHA1 d4d94490d51cc91e44b730169619258448fba289
SHA256 a8969f110c5d9b347f869f979b20260a9f07f16fd083e8df3c6529dcb8c2518b
SHA512 6b0867a4605e154b5537ca147c5ab8d6b072e1c46da8f0d7e2f5efcbe71ecd1a8c813aeff10e6ca5c1e5f9e854c75b68ca718af0489c4aceee43e9ef5fc437ae

C:\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe

MD5 3ecef6876be90cbec79fa0261ae52bee
SHA1 e90593c99da3dcbc59f7990772c44b69e0c98595
SHA256 cc68b431e946bce41da378f5a2bfbe5cc749a1df4930434f7c68b1b4c1c271fe
SHA512 9d43bed82d032beb9fc30f4e263ecfbaf0275e1abca7ab0fa7e8dc9a7016b645932e5b347505a49740a68e62795bd1424920e0e19c908191c4359f0bfdd6430d

\Users\Admin\AppData\Local\H0An\SystemPropertiesAdvanced.exe

MD5 5df46b0258fd63b9f1f0b049341aaa93
SHA1 96685dc71fa5f64450d715d0d2a5fdc1dc960f5a
SHA256 581f806288cb2cb2ac07f24c6836f9fdb6192641b25bc4b33bbf57c7d064a269
SHA512 5d92fc7f9f07e801db35802bb359eeea95d98012a260dcdc19078a239cc2cf2f95a251e42840ad0bee68a5f99f592ff77ea39855d0a89686b4276cc8c6feec9d

C:\Users\Admin\AppData\Local\kyp\FVEWIZ.dll

MD5 261121504d8c23c8cdc10da9b92db42c
SHA1 ecce1f62ebc07de4d15009b1ece9558630a421f6
SHA256 6b3610e492f4bd44692470dbd4ed6b5d971592f532993e2cd7e6526f96cf4b83
SHA512 93d1dd06d4ba583174f09e184d43f69720f23f08e570a358a80a40e4deb26ebb69f6564a45d1e00a531d5d49cba264cafc8d823a7b3ea2dbed97ee124aaaadeb

memory/2368-111-0x0000000140000000-0x00000001401AD000-memory.dmp

\Users\Admin\AppData\Local\kyp\FVEWIZ.dll

MD5 2a4f2b687e242e5c57824a3c0150121b
SHA1 d6c7dd46b77078d29f1d15937ac8505559b0c37a
SHA256 60ca1d09b5df029f13e0585e92b2ac3ebac599d0cbdbd89642a4e43c8a857a3d
SHA512 28512861fdd8d135018d185653b9a3c5712109cc7c8f7ffc834c27210fbc8d09ed9fb1c62eb9ac0be01139b398dc94d24b8051a438a4ba39820ab062aa2bd216

C:\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe

MD5 08a761595ad21d152db2417d6fdb239a
SHA1 d84c1bc2e8c9afce9fb79916df9bca169f93a936
SHA256 ec0b9e5f29a43f9db44fa76b85701058f26776ab974044c1d4741591b74d0620
SHA512 8b07828e9c0edf09277f89294b8e1a54816f6f3d1fe132b3eb70370b81feb82d056ec31566793bd6f451725f79c3b4aeedb15a83216115e00943e0c19cab37c9

\Users\Admin\AppData\Local\kyp\BitLockerWizard.exe

MD5 757b9fdacb0c6ab6bc3668eae7a46a96
SHA1 870ec8800facbcdd26d16d592fba4aab8e7d2951
SHA256 9990a26084131ef374b9190adaa2465cdfe691c879d743ceeba15ebff7085b8a
SHA512 adf703f058177c124d370e53b31dd8281ff700b6a24cc1e91afc835e8e6225ecef3d00b2396310ae65311424c6924b2dadde2cbb62175b2c36ad947553be0a1e

C:\Users\Admin\AppData\Roaming\Macromedia\zmknj\SystemPropertiesAdvanced.exe

MD5 25dc1e599591871c074a68708206e734
SHA1 27a9dffa92d979d39c07d889fada536c062dac77
SHA256 a13b2ba5892c11c731869410b1e3dd2f250d70ff9efd513a9f260ab506dd42ef
SHA512 f7da9ce4c3e8aea9095fcc977084c042f85df48fca0b58fb136dfd835ce69b5b1e68f3c11eeb14c617ffcec7011ffc7e5d5a948f49dde653a2348b28e10adb72

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\3S5PXE1\BitLockerWizard.exe

MD5 1cbbfd698f3a17006cca66179a5a2cea
SHA1 c21e677de216b0b99f974ec4618d8ed9347e4c8d
SHA256 fe249d4ae54975fae42a79ba57cb4af2e0bafb9f2a5f7ed7e77f35177ba1f749
SHA512 8b6b23598ef4ec2b47ee74ee564c71c29e6cdf95cec599b4771612c50f41a7770523cdfec13b9c0355197c63f06f99717ba34e0bff1c07b7a47a5b72f4d30205

memory/1208-127-0x0000000077276000-0x0000000077277000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 9ee86ca8c1dc92d82444f206c40169d3
SHA1 084f60ea22f35d08f7df1c306fcb23cd07e458a5
SHA256 e9598f41eec8af63fcdf039457399fa653e98defd0c7a3694048fd298fe30e5f
SHA512 1d8896757799a322988fbc0abcaf5f64948003f5382ef0e82a9ba36e18c85d4f2e17aed99a6e5a865c793a604497432275b83e6f2a0e94bd2c98961ed666fc32

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\Ik\WINSTA.dll

MD5 d2922ad17fa034c3d0f5a417ab07d03b
SHA1 c5584e37e05db791b370d6df13ea06a388479782
SHA256 cf3ebc731508687fcc257907b605b431e1381e731cc3723ece74fa70125d7382
SHA512 4f71b6490298d429d64dfd5429acbc2205450edc4e75dade67cbad19d7e02bc5a78ce6ad717eff9121f3869cdebe857776dd5daaf4a34ba8ed277baf95f0e9a5

C:\Users\Admin\AppData\Roaming\Macromedia\zmknj\SYSDM.CPL

MD5 2d93fdf5bc81c96bd3233db367cf6095
SHA1 acee813c6d17bcab555d809f57b3749ed9660919
SHA256 e4ab35215c45f0946dd2a47c06b9a2870708cf234eae4719c32b6e77915c5aa5
SHA512 c451b3bf40d01fa635e5d42d4a7abd252511e52be43e23769ab72391dec1f710b646ece91c04d99582e7f1f5699e4657a2647364f7cee791ea015869fa40444e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\3S5PXE1\FVEWIZ.dll

MD5 9670179df2e800d87ae511da048e0d44
SHA1 71bf33f0e84bf78d7cb5b63d6dddbb9c62145b6c
SHA256 112cbd58fa53073423f387df4b9a94c2faf15df8240a30957c7e79a27a9962c0
SHA512 ca3ff38a942fa7ff4b354fa5bb59fe558def915b7376a9483a8d659ed0cf2390c7ec1787f0c72e9e7778f8cca037114daae2232798c11f28c703d7211f4cd4a2

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 10:36

Reported

2024-01-25 10:39

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\74792d6438fe27a6b4efb9c1142f875c.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
(no indicator, process or target recorded for this signature)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\SOP45Z~1\\IRBIIF~1\\rdpinit.exe" N/A N/A

Again a per-user Run value that needs no elevation, this time written in 8.3 short-name form. The Files section lists the long-name directory it evidently corresponds to, ...\Start Menu\Programs\System Tools\sOP45Z1AI\IRBiIF9rz\, holding dwmapi.dll (with a wer.dll one level up): the same library that this run pairs with rdpinit.exe under AppData\Local\OTzaI. The rdpinit.exe copy at the Run-value path itself is not among the captured files. Short-name paths should be expanded, or matched in their 8.3 form as well, before autorun entries are compared against path indicators; a Startup-folder shortcut (Wdush.lnk, see Files) is also written.
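The two Run values in this report (behavioral1's Rtxtioiynm and behavioral2's Mbfbagbrjs) share the traits a hunting rule should key on: a per-user hive, a target under the user profile, an 8.3 short-name spelling in one case, and an image named after a System32 binary but located outside System32. The following Python is added here as an illustration; it is not part of the sandbox output or of any Dridex tooling. It parses the rows exactly as this report prints them (backslashes in the value data doubled) and explains each match. The allow-list of host binary names is an assumption taken from the six System32 binaries this report launches.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the two "Set value (str)" rows recorded in this report
# (behavioral1 and behavioral2), copied as the sandbox printed them, with
# backslashes inside the value data doubled.
RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Macromedia\\zmknj\\SystemPropertiesAdvanced.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\SYSTEM~1\\SOP45Z~1\\IRBIIF~1\\rdpinit.exe"',
]

# Assumed allow-list for this example: the six System32 binaries this report
# shows being started both from System32 and from an AppData copy.
SYSTEM32_HOST_NAMES = {
    "winlogon.exe", "systempropertiesadvanced.exe", "bitlockerwizard.exe",
    "msdt.exe", "rdpinit.exe", "rdpsauachelper.exe",
}

# Directory fragments an unprivileged user can write to. The 8.3 spellings are
# included because behavioral2 stores its path that way.
USER_WRITABLE = (
    "\\appdata\\local\\", "\\appdata\\roaming\\", "\\appdata\\locallow\\",
    "\\start menu\\programs\\", "\\startm~1\\programs\\",
)

ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$'
)


@dataclass
class RunKeyFinding:
    hive: str               # HKU (per-user) or HKLM (machine-wide)
    key: str
    value_name: str
    image_path: str         # value data with the doubled backslashes collapsed
    image_name: str         # final path component, lower-cased
    uses_short_names: bool  # any 8.3 "NAME~1" component in the path
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def analyse_run_value(row: str) -> RunKeyFinding:
    """Parse one sandbox registry row and list why the autorun entry is suspicious."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"not a 'Set value' row: {row[:60]!r}")
    key = m.group("key")
    upper = key.upper()
    if upper.startswith("\\REGISTRY\\USER\\"):
        hive = "HKU"
    elif upper.startswith("\\REGISTRY\\MACHINE\\"):
        hive = "HKLM"
    else:
        hive = "UNKNOWN"

    image_path = m.group("data").replace("\\\\", "\\")
    low = image_path.lower()
    image_name = low.rsplit("\\", 1)[-1]
    short = re.search(r"~\d", image_path) is not None

    reasons = []
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("autorun target lives in the user profile, so no elevation was needed to plant it")
    if short:
        reasons.append("path is written with 8.3 short names, which defeats naive full-path string matching")
    if image_name in SYSTEM32_HOST_NAMES and "\\windows\\system32\\" not in low:
        reasons.append(f"{image_name} is a System32 binary name executing from outside System32 (side-loading host)")
    return RunKeyFinding(hive, key, m.group("name"), image_path, image_name, short, reasons)


def suspicious_autoruns(rows):
    """Return a finding for every row that trips at least one rule."""
    return [f for f in map(analyse_run_value, rows) if f.suspicious]


if __name__ == "__main__":
    for f in suspicious_autoruns(RUN_KEY_ROWS):
        print(f"{f.hive}\\...\\Run\\{f.value_name} -> {f.image_path}")
        for r in f.reasons:
            print("   -", r)
```

The rule deliberately does not try to expand the short names: that needs the live file system of the infected host. On a host, the same three checks apply unchanged to HKCU and HKLM Run/RunOnce values and to Startup-folder shortcuts; the per-user hive is the first place to look for this family, because nothing in either run required administrator rights.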

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FfnzqlJK\RdpSaUacHelper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wFCjt\msdt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(plus 59 detections with no process, indicator or target recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

(2 detections, no indicator, process or target recorded)

Suspicious use of UnmapMainImage

(1 detection, no indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 1140 (2 writes) N/A N/A C:\Windows\system32\msdt.exe
PID 3512 wrote to memory of 3400 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\wFCjt\msdt.exe
PID 3512 wrote to memory of 3412 (2 writes) N/A N/A C:\Windows\system32\rdpinit.exe
PID 3512 wrote to memory of 4524 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe
PID 3512 wrote to memory of 716 (2 writes) N/A N/A C:\Windows\system32\RdpSaUacHelper.exe
PID 3512 wrote to memory of 3476 (2 writes) N/A N/A C:\Users\Admin\AppData\Local\FfnzqlJK\RdpSaUacHelper.exe

As in behavioral1, every write comes from one process (PID 3512) that the Processes list does not name, and the memory dumps show the 0x140000000-0x1401AC000 image first in PID 4692 and then in PID 3512. The host binaries differ from run 1 (msdt.exe, rdpinit.exe, RdpSaUacHelper.exe instead of winlogon.exe, SystemPropertiesAdvanced.exe, BitLockerWizard.exe), so the choice of side-loading host is not fixed per sample and detection should not depend on any one of them.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\74792d6438fe27a6b4efb9c1142f875c.dll,#1

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Users\Admin\AppData\Local\wFCjt\msdt.exe

C:\Users\Admin\AppData\Local\wFCjt\msdt.exe

C:\Users\Admin\AppData\Local\FfnzqlJK\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\FfnzqlJK\RdpSaUacHelper.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Windows\system32\RdpSaUacHelper.exe

C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe

C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe

C:\Windows\system32\rdpinit.exe

C:\Windows\system32\rdpinit.exe

Network

Country Destination Domain Proto Decoded IP
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp 52.167.17.97
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp 20.190.177.149
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp 192.229.221.95
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp 13.85.23.86
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp 52.165.164.15
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp 88.221.134.18
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp 52.111.229.43
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp 93.184.221.240
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp 52.168.112.66

The Decoded IP column is derived from the in-addr.arpa name by reversing its octets. All nine rows are reverse (PTR) lookups sent to 8.8.8.8; no forward DNS query, TCP connection or HTTP request appears in either run, and behavioral1 recorded no network activity at all. No command-and-control address can therefore be taken from this report, and the looked-up addresses should not be treated as indicators on their own.

Files

memory/4692-0-0x000001942D9B0000-0x000001942D9B7000-memory.dmp

memory/4692-1-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-5-0x00007FFFFBC9A000-0x00007FFFFBC9B000-memory.dmp

memory/3512-4-0x0000000003390000-0x0000000003391000-memory.dmp

memory/3512-7-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/4692-8-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-9-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-10-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-11-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-12-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-13-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-16-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-17-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-18-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-23-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-29-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-30-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-31-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-28-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-32-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-33-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-27-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-35-0x0000000003370000-0x0000000003377000-memory.dmp

memory/3512-26-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-25-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-44-0x00007FFFFD200000-0x00007FFFFD210000-memory.dmp

memory/3512-41-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-24-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-22-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-21-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-20-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-19-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-51-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-53-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-15-0x0000000140000000-0x00000001401AC000-memory.dmp

memory/3512-14-0x0000000140000000-0x00000001401AC000-memory.dmp

C:\Users\Admin\AppData\Local\wFCjt\wer.dll

MD5 855d1850dbadfdc6641f2c011d69269a
SHA1 9dcd844a81972566621b4736e869dcbfa3a7cc29
SHA256 4690875a323e8ca0081c1f6ae1b49a90e96be025922ed9712e571bf9d99428fb
SHA512 a715e246869988d6cb057b042bc3441d96829fd130f9a5f17a93ccdf46e1f994535feaa76b2f87e58f68c5788a53184ed5fc6465b31f5c28044c1fee99e1deb4

memory/3400-62-0x00000163F8A50000-0x00000163F8A57000-memory.dmp

memory/3400-68-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3400-63-0x0000000140000000-0x00000001401AE000-memory.dmp

C:\Users\Admin\AppData\Local\OTzaI\dwmapi.dll

MD5 389d09e01fb9184888d04112f16bc466
SHA1 6a13f97f998cbace5050baa06bcd21d496e8a435
SHA256 e55df530bdb56471f87431b481e9042a739ce68eda871148099d389388102698
SHA512 a0c64576a32cc654cbd902244b12c26f4f80c1eed0a9e90e0d07851e19be70fd3c7b356c91720552a9c02835664fb915b632dd7b1b26340e1c2dab639fdfd333

C:\Users\Admin\AppData\Local\OTzaI\dwmapi.dll

MD5 5aac2c1f8045fe332460af9584dfa868
SHA1 5022435fe9f0f40d6749a72f8482215336c2219a
SHA256 7481672e5828384dcc3a01b5410a97bbcfded7cfd656014af01aea09d08b0cac
SHA512 5e70e64f91738ec79f61414416e9bf2f4961a562ceca566321adc340ea8a6c9ef440133b46642fdf27e32d57ff2a5d0747bee91b01c6be69d638333f46494f4d

memory/4524-85-0x0000000140000000-0x00000001401AD000-memory.dmp

memory/4524-80-0x0000000140000000-0x00000001401AD000-memory.dmp

C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe

MD5 38aa845daa16cddd9556f16ddbb4fabf
SHA1 37231f69e432cd55fcf654c16557762b96b9a70c
SHA256 21218dacba7caf5c9fa53c1fff4996d25ea018e2391c9d625616467f67886b0d
SHA512 264ab0d3bf1060f8ff2090c80f3799e45ac60a100e1edb2c0cca28ce74a02c64b9d49d77bdf44e9784f863d220d4bd067f43838528d5d19bc71d074fa193cba5

C:\Users\Admin\AppData\Local\FfnzqlJK\WINSTA.dll

MD5 9d0681089dfd83a892eeb6cc29b021a7
SHA1 f115ec028ec7824df238bbc3d5ff901d76a36000
SHA256 af2f19e1756e9df9f182ddc6deebd5129ded534d0ca032d3c64acb483f1ffdc9
SHA512 f5952d9ad122f44636861f5d83275f407654a84a8c179f0f4b407072064a9adec785cd431f2a41fc5a74504e39be97fe7265207573cf474208a397a0ce7a2f41

C:\Users\Admin\AppData\Local\FfnzqlJK\WINSTA.dll

MD5 6d0581515307fc6b7e26202d77b4e063
SHA1 62090e1859ee09d8994b0c42d9195f385d9d934a
SHA256 7a06114c305de2940833e12b62940cac8a3c2256979b49f1b88b0e61a91797a3
SHA512 247974de8d24e2767693b36f3adc270c2b6844fa3549cd38c0df70dd8eca1a06f7559727bb23190ecdfa136f87f26ed31949e66c88c851a639b3a8e0fd901a8e

memory/3476-102-0x0000000140000000-0x00000001401AE000-memory.dmp

C:\Users\Admin\AppData\Local\FfnzqlJK\RdpSaUacHelper.exe

MD5 0d5b016ac7e7b6257c069e8bb40845de
SHA1 5282f30e90cbd1be8da95b73bc1b6a7d041e43c2
SHA256 6a6fdd834af9c79c5ffc5e6b51700030259aeae535f8626df84b07b7d2cee067
SHA512 cd44d8b70fc67c692e6966b4ad86a7de9c96df0bade1b3a80cb4767be159d64f3cc04dc5934f7d843b15101865089e43b8aecabddc370b22caf0c48b56b3430e

memory/3476-98-0x0000024CE8C20000-0x0000024CE8C27000-memory.dmp

memory/4524-79-0x000001E277C80000-0x000001E277C87000-memory.dmp

C:\Users\Admin\AppData\Local\OTzaI\rdpinit.exe

MD5 416ba0e9f3f62db4bde9b94d580d5223
SHA1 1ea83ba6ed5e7a2efd31ee84b3586b873160ae50
SHA256 173a296ee7a3908135016746a171ab7c4ddd77fb6831270d9162891f5325be66
SHA512 338ab600b46ea44ed7d6b7873b59a7cd12cce5a2781ca86d55d289daf83cdd30214c98ce623b0e80f724cfc719fd4bc58b0009d14d719bf908847fadcc207b41

C:\Users\Admin\AppData\Local\wFCjt\msdt.exe

MD5 dccd8dd3a5c247d80602e949aa2772d9
SHA1 1b635cc5629f2c7ede0f06970170d36e42ecf831
SHA256 90b80b978416f2276ae418e03ccc29c55b14fb2cd8161398761305a88a8785d6
SHA512 7011d8674b80951417a7d83900da38f283abe37087e1c6fac792afae6cff086156be4a2151642fab692f9c6989c06b7173386f011cecbb6e7411984375aec2dc

C:\Users\Admin\AppData\Local\wFCjt\wer.dll

MD5 3196a3d3df9e20023f534b81348e2e9c
SHA1 cc9a4912655657ba6b779e88936287b83cce9303
SHA256 e237ad3108e8f9b5027247381e8ffc96e922621a643afa5b1d61a2c023083ff2
SHA512 8a7b7481024a507eabc4df318e65f85bfc904eab20a00e530d414f3a7636b2895ae8b51dd9fad31ed1ed5d7b538f555b5a880dfc1778e640af20d0bd16267fe5

C:\Users\Admin\AppData\Local\wFCjt\msdt.exe

MD5 1dc6a652c33b05a63a9b85d14b292623
SHA1 e5df0ff8400a0dfaf19894614abe5bd34d8624af
SHA256 4eee00466b15e374522456e2cafec9449c6582b6d1eb0687f5e3b1d969b20f28
SHA512 52da262c5e34ec56fbd5f6c61482db639ddcb9c865062f902b768eaa12a98643395bc361c84ef057b82e941f8ce5626d6c58c1a453f793a1e88874caea43d51d

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 d5850ddea424a6a861fe5e4af86f0537
SHA1 662909397e3d155c790168b1a089b94dca7c145f
SHA256 f363a2ec38f3a8d4df28df2216c75057cf4dae836c5dd8bca6b46d2f16aecdb7
SHA512 762506c97ca35198f14c11de67b503cbeaf0803bf0ff331ae923655d15218a21e2c53a330e08021b0cf8043bb995734ac00ad139fcb235c995c8808cad63c618

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\sOP45Z1AI\wer.dll

MD5 0def2204fca1bc7279d41059036d6d4e
SHA1 40a0df8a2af05667101da2a41b29d1140da4ffb3
SHA256 cb6c4db8e86f4bf044c9e5f1b122cbf5d678cf4513e63471f1e1013afa1c2ece
SHA512 7a90b68caaba96c6f4f27c9606875528e470e9ac1f60782c961b02353ee07c7264705f558e3a9cb20406d3ffb77b52688e3b64776b6cc1fdba203da3d169f582

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\sOP45Z1AI\IRBiIF9rz\dwmapi.dll

MD5 0b562cc32bc649840aa297a0edf3b589
SHA1 76d4d5be8737b37548db0be0ae7830ac7e3179cc
SHA256 f2990ec7cf3d3499cd0dd1e421f9e45f491830a1241c8fa4b42cc12a8bb2f7db
SHA512 f0e7ef0e95207f190ecfc0060109829681a2f30561b0f6aae596a73f23c4aa4ab999c8f773dad8c6a0b946de284b88cac083f35a4a2cc7700dc97f39b0eff25f

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\6w\WINSTA.dll

MD5 15245ed1a2eab75e90beab958e2efc76
SHA1 54242bb7bf665e07d3c7f82ec89d353531ec5096
SHA256 4fb6083df9dd0c0a6d61f9bc5c04781fcc82209955d194987af5e76329765002
SHA512 06cdbbe63aede531e02ebd4849e15033938f7680e4510a35026c185d9aa58219e468187204ab87d493d577a2cb6dd219b0a026b555c3f074edfc242eb4b1bcf6