Malware Analysis Report

2024-11-13 16:41

Sample ID: 240125-pcbcpagbbk
Target: 74aa7a7b1a55a686da6fb64c99496b53
SHA256: e12d72cce77128cc87490c508bb9e32003d1141cf5ccc962117961d65c2d71ab
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: e12d72cce77128cc87490c508bb9e32003d1141cf5ccc962117961d65c2d71ab

Threat Level: Known bad

The file 74aa7a7b1a55a686da6fb64c99496b53 was found to be: Known bad.

Malicious Activity Summary

Tags: dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-01-25 12:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-25 12:10
Reported: 2024-01-25 12:13
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\74aa7a7b1a55a686da6fb64c99496b53.dll,#1

Signatures

Dridex (tags: botnet, dridex)

Dridex Shellcode (tags: botnet, payload)
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe N/A
N/A N/A N/A N/A

Adds Run key to start application (tag: persistence)
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\rZIGC5s8\\icardagt.exe" N/A N/A

Checks whether UAC is enabled (tags: evasion, trojan)
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(61 further rows with no description, indicator, process or target recorded: N/A N/A N/A N/A)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1280 wrote to memory of 2408 N/A N/A C:\Windows\system32\dialer.exe
PID 1280 wrote to memory of 2408 N/A N/A C:\Windows\system32\dialer.exe
PID 1280 wrote to memory of 2408 N/A N/A C:\Windows\system32\dialer.exe
PID 1280 wrote to memory of 1748 N/A N/A C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe
PID 1280 wrote to memory of 1748 N/A N/A C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe
PID 1280 wrote to memory of 1748 N/A N/A C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe
PID 1280 wrote to memory of 2860 N/A N/A C:\Windows\system32\icardagt.exe
PID 1280 wrote to memory of 2860 N/A N/A C:\Windows\system32\icardagt.exe
PID 1280 wrote to memory of 2860 N/A N/A C:\Windows\system32\icardagt.exe
PID 1280 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe
PID 1280 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe
PID 1280 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe
PID 1280 wrote to memory of 572 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1280 wrote to memory of 572 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1280 wrote to memory of 572 N/A N/A C:\Windows\system32\BdeUISrv.exe
PID 1280 wrote to memory of 2896 N/A N/A C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe
PID 1280 wrote to memory of 2896 N/A N/A C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe
PID 1280 wrote to memory of 2896 N/A N/A C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe

Uses Task Scheduler COM API (tag: persistence)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\74aa7a7b1a55a686da6fb64c99496b53.dll,#1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe

C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe

C:\Windows\system32\icardagt.exe

C:\Windows\system32\icardagt.exe

C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe

C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe

C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe

Network

N/A

Files

memory/1968-1-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1968-0-0x00000000001B0000-0x00000000001B7000-memory.dmp

memory/1280-4-0x00000000772B6000-0x00000000772B7000-memory.dmp

memory/1280-7-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-11-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-13-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-15-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-14-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-16-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-17-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-18-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-19-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-20-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-12-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-21-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-22-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-9-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-10-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-26-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-27-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-25-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-28-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-29-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-33-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-35-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-36-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-37-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-38-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-40-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-39-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-41-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-43-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-44-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-46-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-47-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-50-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-51-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-52-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-53-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-55-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-56-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-58-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-57-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-59-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-60-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-61-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-62-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-65-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-63-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-64-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-71-0x0000000002910000-0x0000000002917000-memory.dmp

memory/1280-54-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-48-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-49-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-45-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-42-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-34-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-79-0x00000000773C1000-0x00000000773C2000-memory.dmp

memory/1280-32-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-80-0x0000000077520000-0x0000000077522000-memory.dmp

memory/1280-31-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-30-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-23-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-24-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1968-8-0x0000000140000000-0x000000014033E000-memory.dmp

memory/1280-5-0x0000000002940000-0x0000000002941000-memory.dmp

C:\Users\Admin\AppData\Local\FzFtepNFE\TAPI32.dll

MD5 5622f39e4960cfd322f1db1fc8e3ff32
SHA1 2293249f3049e67e7524cb48ef5ee700f91d73e5
SHA256 722e128961be7028de08500b837c166a6dfdd2b76c11e4b7ce80ea3bb706c37c
SHA512 c9088091c00b762c688e796eddbb19e0c806b1f1624d1d561bae7289731054c59d407ea6793c541fb578a8373d6b39703c6490b619e3962c725d7757452b7e73

\Users\Admin\AppData\Local\FzFtepNFE\TAPI32.dll

MD5 55ffeb9abdfa40569c9e0741e2d31e36
SHA1 2e82c7f16c6a5d031854f153c0eeaad64371322d
SHA256 63adc73067fc01298e7d07bb2b6d426ba257737dcb17dbfe6afd015182ee0a36
SHA512 648a69b4dbcbec93ce4cac5890efe9e1dabf139c14886ebb32b8a687737cb678844e7fe6f81c84b26bbb7555bfc5bbca2ac05ea296c4392b6d1877f17ff90e17

C:\Users\Admin\AppData\Local\FzFtepNFE\dialer.exe

MD5 46523e17ee0f6837746924eda7e9bac9
SHA1 d6b2a9cc6bd3588fa9804ada5197afda6a9e034b
SHA256 23d8a6a1d847a324c556c30e10c8f63c2004aeb42ac3f5a5ca362077f1517382
SHA512 c7117c3778650864e685bd89df599d7cdd9319d757344ddc7cfd9403d6673964127f6ff0c5ac48455fd3097af31a6ff09173f85dfa7be2d25f395cdf3692bb9a

memory/1748-107-0x0000000000310000-0x0000000000317000-memory.dmp

C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe

MD5 ebd853ae26e9d29184b5de8ed4236d64
SHA1 0852cf6e980991a04ba1f69dfc84c44777a32d32
SHA256 7f89f1e4b24dbc16fe8a87125d9ec2beea3eda8d12d759589163e29323bbf1a2
SHA512 79cdfac83a3a5bc150f9e4c4afd6dad55e859c0f69b355b16891b29727c8b52e5e458cea80df4b7d1aeab3e336cd6b21d8e862ee9e1f3df02ebccdc19b3d5249

C:\Users\Admin\AppData\Local\HF74NVWB\VERSION.dll

MD5 61fa9b176faa456ae210521ce2e50fae
SHA1 526d59e9e5f1c95c4af603fbff74fc1f9fd1c52e
SHA256 d5b52ceef582983341fd72e66d8d83cfd9d9f6bf1c17780916cb60ee94db6441
SHA512 3d200c68f16ee6b7fea615e6b952ac819fdfaac98f1bd8c90e62b772a6c7868805d36a0bdcd7e1f007522176c63945b3d05673ff8465e9e55bce58d4dd51b51f

\Users\Admin\AppData\Local\HF74NVWB\VERSION.dll

MD5 33e283f4d56a71618ace2c17b99d03cc
SHA1 287306d4177968d996a9ef92c82e5432771e4a48
SHA256 24bc320b3c4e75d919af24c6c19d86526ab3a68d42a263181eb273fc553cce7d
SHA512 e9219c271d7297e550214aed2556d4a00dcf1dff086b678757c557cf9d146b72f108d830f92f1499737d8119b5fe09151060140be47d29d13e67c9b2742a0ba2

memory/1696-125-0x0000000000210000-0x0000000000217000-memory.dmp

\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe

MD5 a4d190d2541640ed09ece5930ceb8b5d
SHA1 a7856071120df5752b8de9709e180db0f7c653a9
SHA256 dea2d025bb9ba57903467c7d91210f911463379ce971d0d8ca867c4ab494c6b4
SHA512 94fed021fc7eb348c7ce516be76ce37a639c40d63387b6f7ecad24064c74b1f1a8763358cb18f63073a1595e3b663f9fb8c592b4e8fe5b7d09bf0f525f7668b1

C:\Users\Admin\AppData\Local\HF74NVWB\icardagt.exe

MD5 03157c9dba02bfce4f263d88b2d9bb3a
SHA1 f7576353b6bfe36f7d92b5501a7eeb950a722bd7
SHA256 36560d970185c3e20e201e834ef2eef950b32b40b377366970e2fe6949ee9ecd
SHA512 c6a763c6d124cf119be643335d05b3b3351a9d5543508afccd2ab6497d51e151778587f9eb3bc852b13ac753bb32d85b06d7367051e66175603366b2b552b344

C:\Users\Admin\AppData\Local\I12\WTSAPI32.dll

MD5 4962828dbcbba0781e87932d853f1ac3
SHA1 9684b11ce11d99aaff0f39988195044fef3fb1de
SHA256 22d6d7a934a87017208afab0fce5e41ca97303281d8f9f9e2a3e7fcef8addc7d
SHA512 9981f996268f122ce7ae8af96df94ffd42ef0c6d3ff9f844e7a2493ab53ba8c0cb4568b8238d547231bf4ac480453972b8e5362d3556b49df70619efe9ee8885

\Users\Admin\AppData\Local\I12\WTSAPI32.dll

MD5 02dd54cf2bc29a3bf40648c9bc01a6cc
SHA1 06ef037fe3f982c2d34708b2bddcd9ae665d4287
SHA256 f60905a55996f5c5140766f18ab7fae2daaa6ba339651ef02f0d30d73413be05
SHA512 30b6a90798d21434145e7c86121d228d323b27371c5487ba572394eca2dd552f1025bc888bc8fcae1ff8a890afaa15989e468c33d1a4cafc798e6c89b0d66a87

C:\Users\Admin\AppData\Local\I12\BdeUISrv.exe

MD5 1da6b19be5d4949c868a264bc5e74206
SHA1 d5ee86ba03a03ef8c93d93accafe40461084c839
SHA256 00330a0e0eb1dbb6ee84997963f8e15c7c15c1df787f1c7f109609d7b31bd35c
SHA512 9cee858c55eb0852e5bad53a675a094ae591b46b07afe9fb4224cac32e0be577fe36c1ed3e9f6bda4d4eb0c924a773d00e3181cd97f07e24c6c68c70f2b002c6

memory/2896-149-0x00000000000F0000-0x00000000000F7000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Protect\smpwSrZPA\BdeUISrv.exe

MD5 22128497245eebd711a8902ca1391814
SHA1 6a1212e03206e6f7f48078c982311be4e59cb427
SHA256 e185b210eef21c8a0cca2c1a66515c44f892a1b1d0c59900236391fd6e986b56
SHA512 b935fa6c4bce155c4ecd3ef5fc107248046116f7d276132a964317b51b5a28d382bb59612e2783fd0ec0995dbe9493df3c52dbe89b886953d7748bf412f31184

memory/1280-171-0x00000000772B6000-0x00000000772B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 00fc1eec0ab09f1f230689ac12b8de8d
SHA1 aa2eb969bc3afd198986097a5e1a282602e016ad
SHA256 18cef11707b90141b11c73614ace3d687a34e3d36c7b6b3a85d977877ae71183
SHA512 74e790d763905de75fa9893495b111e83d5eb74db85e7d607b19680eef1897c399cf2aab8dbac9fc794c53d21f09329135125d496e85d042c48190396b362626

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\TMYkDBNP8J2\TAPI32.dll

MD5 4e71519e160975cb6363f49148ae252e
SHA1 374174971c12e1e7209ef4242ab17e9eabc6df6a
SHA256 ea50cedc1cf31105534104a68029eb20e24789233be6ab19098bca73423a12a7
SHA512 52960643fe3f11ee0c52e137e3765ca9952b0deeb00499c6ca1407579a3b96172888bd4c51e300413eb627f536b482a10fd65690a01e0318d79b54f65d19ef20

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\rZIGC5s8\VERSION.dll

MD5 b406385583f9347ac7b402df5e35c28d
SHA1 d4d51a0b4c2dad4fc1e8fcf642eab0ee6fe1929d
SHA256 fd2cf877b7a2b9a321d183c254398542b5f66e916969aeeaba7e1b703e86c2e3
SHA512 ca1622585be55766b86de7d58b6f269262ee8de82c4e67e57066b9e156c359f14065b7a18db59108d99bc01d31f46b2c58656bfaa309d00ef53224b8d60b0a30

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\smpwSrZPA\WTSAPI32.dll

MD5 63224b144cb1bfc690c666cf5dc72309
SHA1 09ce6affe35f4e8938bc9c8bc51981b5786698fb
SHA256 87fb6382d9d4746783a4a10bcd3b29b895e7bd8743194364a96406727832d912
SHA512 cb36d4d36d280ff3fb058effeaf8545ab2cb779de56d3de7210e0c2baa6f9a5ce2043a30a39519d2dedf9e70395c8d3647b3371d85326f58977616adda455ea7

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-25 12:10
Reported: 2024-01-25 12:13
Platform: win10v2004-20231222-en
Max time kernel: 149s
Max time network: 146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\74aa7a7b1a55a686da6fb64c99496b53.dll,#1

Signatures

Dridex (tags: botnet, dridex)

Dridex Shellcode (tags: botnet, payload)
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\OVcMs N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\OVcMs\OLEACC.dll N/A N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\OVcMs\Magnify.exe N/A N/A

Adds Run key to start application (tag: persistence)
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tgnmvdx = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\OVcMs\\Magnify.exe" N/A N/A

Checks whether UAC is enabled (tags: evasion, trojan)
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
(60 further rows with no description, indicator, process or target recorded: N/A N/A N/A N/A)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3488 wrote to memory of 1740 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 3488 wrote to memory of 1740 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 3488 wrote to memory of 2656 N/A N/A C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe
PID 3488 wrote to memory of 2656 N/A N/A C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe
PID 3488 wrote to memory of 5112 N/A N/A C:\Windows\system32\Magnify.exe
PID 3488 wrote to memory of 5112 N/A N/A C:\Windows\system32\Magnify.exe
PID 3488 wrote to memory of 4080 N/A N/A C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe
PID 3488 wrote to memory of 4080 N/A N/A C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe
PID 3488 wrote to memory of 2532 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3488 wrote to memory of 2532 N/A N/A C:\Windows\system32\DisplaySwitch.exe
PID 3488 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe
PID 3488 wrote to memory of 2804 N/A N/A C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe

Uses Task Scheduler COM API (tag: persistence)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\74aa7a7b1a55a686da6fb64c99496b53.dll,#1

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe

C:\Windows\system32\Magnify.exe

C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe

C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Windows\system32\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe

C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/3424-1-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3424-0-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3424-3-0x000002A917BC0000-0x000002A917BC7000-memory.dmp

memory/3488-6-0x00007FFBB098A000-0x00007FFBB098B000-memory.dmp

memory/3488-5-0x0000000008B20000-0x0000000008B21000-memory.dmp

memory/3488-8-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3424-9-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-11-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-12-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-14-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-13-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-15-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-10-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-16-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-17-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-19-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-21-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-22-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-23-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-24-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-20-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-18-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-26-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-30-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-31-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-32-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-34-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-33-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-36-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-38-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-39-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-42-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-41-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-40-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-44-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-43-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-37-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-35-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-29-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-28-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-27-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-25-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-45-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-47-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-48-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-50-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-51-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-52-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-55-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-56-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-59-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-60-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-57-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-61-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-64-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-66-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-65-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-63-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-62-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-58-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-54-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-53-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-49-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-72-0x0000000002F50000-0x0000000002F57000-memory.dmp

memory/3488-46-0x0000000140000000-0x000000014033E000-memory.dmp

memory/3488-80-0x00007FFBB0A20000-0x00007FFBB0A30000-memory.dmp

C:\Users\Admin\AppData\Local\yXJ\UxTheme.dll

MD5 18de228734bda5f4204c6017d039eefb
SHA1 0bce34d79a07fbf533e59440e985088d37dbdf36
SHA256 e63fe511780c3adb2cbddb95ea3c728d0ac37d85d3fd91a44a88d12f930cfb83
SHA512 1ffb4affdbe439994868b4c007f96c75f9cc5033d4cf3d255a7f971cb563d9289f43cf3a45ef6e56b95db7d022bf0d4a33ebb60eaf41008d7bb81d8d28dfea65

memory/2656-101-0x0000000140000000-0x000000014033F000-memory.dmp

memory/2656-103-0x000001D0917F0000-0x000001D0917F7000-memory.dmp

memory/2656-108-0x0000000140000000-0x000000014033F000-memory.dmp

C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe

MD5 714add8cad098e4cc8b5b6ea6243b468
SHA1 6dc8eea3cfdb9b3d1b0bc9127760eb5573c55462
SHA256 0e05f2799dc5044c228f6a5ac3d9cd84b6139005da26c5be1b95f883b716204a
SHA512 c9baef1d4417e88eb36e6555632ac53ad6f8ccf9c84e06e369335507c7539c320b994eb12e7d497266fa3c29ad22a49b6bddfccb529b8883af1871ba077394f2

C:\Users\Admin\AppData\Local\yXJ\UxTheme.dll

MD5 91f7a3214f77b36e2d11f29a64912313
SHA1 90fa67b99df3606dbd33bcf84ec6f6d3155539ad
SHA256 7c0fa92783d3d91f3251484ad04f08cab55c6c4a857e5f21c72658b4e13ce282
SHA512 7726c9fd2ee4bb7683fdaed48d121d6a47e0112e1eefc2d96f787cf1c1dfcba5b4d4d37fe186271ffee081f325d85e6a3c83f1a410ed7376575c94962b6bc786

C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe

MD5 5da5e2cbe72d985f0f1292ed1bafacf0
SHA1 41d36867961c0693e187e018e077e7b49aaab87f
SHA256 9774bc5d8dc26260232a7b7d692c6b2d4b6ebaab95e31e0eaf0d198b98039676
SHA512 d55a522cf064ba879f32d29240d22fe99ad209f56ff026197a4202838d74f662ba431f3259cc756aaeceb31fb755f56134c6ddf651332d7f5ed862aa38fe52b4

C:\Users\Admin\AppData\Local\DWMDW\OLEACC.dll

MD5 9ab6a16141a441aedfb775e91d706e70
SHA1 8510537bac495fac273a287efde91f833cccc1f4
SHA256 ddacfa9e484fe133c55055210cf24f48625cfbaa07a3cf26801df41fe78a1adb
SHA512 5a1e3607a9f5966fb4157f7fabadf02e65cd74e6be39c03f8484ce90448200030acc0874b3d00d0b891b9f9682fe91726448b8db539744f0b2735c3142b7b2e6

C:\Users\Admin\AppData\Local\DWMDW\OLEACC.dll

MD5 3daf82f38febfb846ff31d2fde3d0261
SHA1 752df68973e944cce9bc108aaffdf169e9e0c344
SHA256 75df4874486770d9e9e8009b2b6c884c3d549763361a707b9f4f710cfd4f8b3a
SHA512 15e4b87da1091985b015eac0502fe7d07463fdc5a8e02aa6d93a939707f6909025a51dce32d8903292c9eab61d385c4083151fef720143391929c9fa329be58c

memory/4080-120-0x000002B1A4F30000-0x000002B1A4F37000-memory.dmp

C:\Users\Admin\AppData\Local\yXJ\EhStorAuthn.exe

MD5 d45618e58303edb4268a6cca5ec99ecc
SHA1 1f8049fc5ea8b57bb68e19fb55cb9dc1e18e9513
SHA256 d527323643be9df4d174c3169c6f2c7854a59b781654bcaebd154cb51fb4219c
SHA512 5d7ae663dcfedfaf00836dc018131851e5a40778bd582b417b9f0bbd4bb6d1b2eb8f37f7f5a01cd2beed78b6037ef6eb2a3290248d5e901173b1407990a202bd

memory/4080-126-0x0000000140000000-0x000000014033F000-memory.dmp

C:\Users\Admin\AppData\Local\DWMDW\Magnify.exe

MD5 899e3acc33ebad157869cca44f246c17
SHA1 fb7bc664dcb05c8b374a6a6975fe98d1ff759c3a
SHA256 5e82e2db83b30234e55f53d6f9e515732035dbd6fa8429c5523d73b8bdc5f753
SHA512 c7c1ff5cb58509042553b186c7fbd2f9a52804a3b87c75a45a977efa6b3d1b7ec5edf97cd7fe5d104e8d1b33087b76cba601efaba1f67c70e06c61817ea29b2a

C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe

MD5 c456f9456ab2c10e6a450774a0c5f12d
SHA1 ef1a4693f0422b5e33fe05607a40efdac223291e
SHA256 304e4bee3e97ee224f61ee69586117de32c4aee6a1d4670d7bc5ac4fdf877407
SHA512 8d690cf8b403111dcedbadbe72768c2d22f3d83dc2ed7e6d734c6d142d6ee008baa5062dff8450d5ce9ba4ea4547a1d3c966975528c184d84c8f9e8cdd22c2f0

C:\Users\Admin\AppData\Local\33RqMbJFy\dwmapi.dll

MD5 f1db6aa239bc086024781eec7677854b
SHA1 b77e055837df699913e3fb0d1b865897e3716677
SHA256 201315ec402af52015717be57b18d8849d30b0faed1c2d97519e8ebee42323ad
SHA512 47556054bce21112365e59341e857c8138dabcdc9098c4c2da9ceb6fed2ae4573010a38fcc46a82b6e22f5cc8953b60ed8149ceb5f3d9feb001d26e77571afa1

C:\Users\Admin\AppData\Local\33RqMbJFy\dwmapi.dll

MD5 299a69a9d497dd1412d3ab0b9dd19842
SHA1 3f6f3d975d3f80b940fa5e20357973980a8b59c1
SHA256 71a6f6a1270be185841f216578a12d4bcf4da3124c856c299c99d421cef058cf
SHA512 187904f53fb9d29fe18bfee786e9dcd640da801fbb16f1377af5001579d7240d13b17a0d6a044ef4251a5866aa230077c01fe0fce00faefdd98fc7af782df70e

memory/2804-138-0x0000000140000000-0x000000014033F000-memory.dmp

memory/2804-140-0x000001D55EE10000-0x000001D55EE17000-memory.dmp

memory/2804-145-0x0000000140000000-0x000000014033F000-memory.dmp

C:\Users\Admin\AppData\Local\33RqMbJFy\DisplaySwitch.exe

MD5 927469bd68cffc984c7d8a4f70d3e27a
SHA1 1816a60271cf6ed0e33b0698375ba6e8481135bb
SHA256 70cb5ab064921c435646b71c3e4f8fb2a58abf6b9d91f63a7e105250d77d76a8
SHA512 4e8c34a3b915f79fcd4b8124f1f1b778aa067f617ff08f1a44ec965ccb91a4beee225ce4d5b05b03cb14bc692c20ab7e364de7849ef9770eb00f10454c746fd5

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqwbkkvq.lnk

MD5 a544a2705e4b77593278b9533df83d7b
SHA1 df08981052acc2dca538d693e708470d0664d315
SHA256 a265f133e04ee2c60277e2098f22365cdb43073df8af45f36d0af24808dab6a4
SHA512 8f1abe3b1226688c65728a01ec8d3fcdda7970907f7bcea9d3f30e02471d7d367952b135d512d64b557aae766227606e58a274c4c47564ac478b77b6e7af64e0

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\OdSJwHJVq\UxTheme.dll

MD5 1ec502e4532cf2074eac46988cd8e261
SHA1 bc9246ba7381da74c2d39db7f44da27550c79c0e
SHA256 0a0b4f0d748b8867dcab18d84195dccab762394134ebc504a72ea33f42a243b9
SHA512 1396b4369bb562f9f955ec86b6bab2c65d870ed4ac84a0b45a0b0471b73483db26f16657dee0c7a8425de0eb2ca7f7bc744400812b58632385d77f37682a055f

C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\OVcMs\OLEACC.dll

MD5 3c6e5614b2e26c85b365d150c874b67c
SHA1 76b2dab45ec1a217a9189fd2296a9781b9312781
SHA256 8023573b7c19dc8120d712a9f1f4cb3526532f6a89d76b39048b45c1bff98496
SHA512 2394f07628f7dc0c8e7aa9016937de5bdbfb3d4194ae02f3f16da1f1d23753e85e465a32152b8a3b95a198676b4f947b215d68ef0d2859e51e869b034c340919

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\OdSJwHJVq\3i\dwmapi.dll

MD5 50490958d2000be16f9095e1680e966a
SHA1 67490d6b8a704912b75ae843e5a63218cfef5a74
SHA256 84acc5efc3f82c8864f391b7aaa617cac870e08aadf555d1cee9add153f1c693
SHA512 e0a4e9b6a58184b743594e9b75034d6042f37d0b0aa1cf17b6c3f1dad2f09b433c21eb562be3d0f631fd2b0a78a1ab8a7eac82728c29a5349096f64ad699f36b