Malware Analysis Report

2024-11-13 16:41

Sample ID 240126-116dhsfch6
Target 78833dc80091e76f426f64b576358fef
SHA256 c004c89e8e9190bf7629831fa4b9f1a6a90510777e4d233e119b0f4902f66222
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c004c89e8e9190bf7629831fa4b9f1a6a90510777e4d233e119b0f4902f66222

Threat Level: Known bad

The file 78833dc80091e76f426f64b576358fef was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 22:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 22:07

Reported

2024-01-26 22:10

Platform

win7-20231215-en

Max time kernel

151s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\78833dc80091e76f426f64b576358fef.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\bIrnq\FXSCOVER.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\LEpoW9c\SoundRecorder.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\UP5b0FH\shrpubw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\zQ7qkwq7nP\\SoundRecorder.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bIrnq\FXSCOVER.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LEpoW9c\SoundRecorder.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\UP5b0FH\shrpubw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 1348 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1224 wrote to memory of 1348 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1224 wrote to memory of 1348 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1224 wrote to memory of 328 N/A N/A C:\Users\Admin\AppData\Local\bIrnq\FXSCOVER.exe
PID 1224 wrote to memory of 328 N/A N/A C:\Users\Admin\AppData\Local\bIrnq\FXSCOVER.exe
PID 1224 wrote to memory of 328 N/A N/A C:\Users\Admin\AppData\Local\bIrnq\FXSCOVER.exe
PID 1224 wrote to memory of 2952 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1224 wrote to memory of 2952 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1224 wrote to memory of 2952 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1224 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\LEpoW9c\SoundRecorder.exe
PID 1224 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\LEpoW9c\SoundRecorder.exe
PID 1224 wrote to memory of 1556 N/A N/A C:\Users\Admin\AppData\Local\LEpoW9c\SoundRecorder.exe
PID 1224 wrote to memory of 1608 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1224 wrote to memory of 1608 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1224 wrote to memory of 1608 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1224 wrote to memory of 2776 N/A N/A C:\Users\Admin\AppData\Local\UP5b0FH\shrpubw.exe
PID 1224 wrote to memory of 2776 N/A N/A C:\Users\Admin\AppData\Local\UP5b0FH\shrpubw.exe
PID 1224 wrote to memory of 2776 N/A N/A C:\Users\Admin\AppData\Local\UP5b0FH\shrpubw.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\78833dc80091e76f426f64b576358fef.dll,#1

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\bIrnq\FXSCOVER.exe

C:\Users\Admin\AppData\Local\bIrnq\FXSCOVER.exe

C:\Windows\system32\SoundRecorder.exe

C:\Windows\system32\SoundRecorder.exe

C:\Users\Admin\AppData\Local\LEpoW9c\SoundRecorder.exe

C:\Users\Admin\AppData\Local\LEpoW9c\SoundRecorder.exe

C:\Windows\system32\shrpubw.exe

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\UP5b0FH\shrpubw.exe

C:\Users\Admin\AppData\Local\UP5b0FH\shrpubw.exe

Network

N/A

Files

\Users\Admin\AppData\Local\bIrnq\MFC42u.dll

MD5 bb61795bd6c8c8c641f4765eb37bcda8
SHA1 985921a06688a40046e5791b0d59af3420eb9691
SHA256 a82d82db6f65d26b1b9a00278e5ee009adb41b5940eacb2f57292442d91a9db5
SHA512 68e743521f9de49798e65fdef046fe24d8602c015464c49caf651736fb801ff4c1a4a0053815fd4a3f2e826ef043ba5ffd1af774d806a27b9b754ccadd3e27f1

C:\Users\Admin\AppData\Local\bIrnq\MFC42u.dll

MD5 95f8e292be0e547be7c164d2862836c0
SHA1 7e587c8e804270cd9b165b74369fe570a5d1a581
SHA256 a632ba150ead8eba38a109f839c1fd6b9bb4192eb2aabab3b096b928ad5efbcb
SHA512 d33dccb872143aad15e7db5e525c99cbfea4565b28f44176c9641be7c56b35e726e232ba2bf2d72123f0fc00371000264e380b1910fdc24ba215bc836918f3a0

C:\Users\Admin\AppData\Local\bIrnq\FXSCOVER.exe

MD5 5e2c61be8e093dbfe7fc37585be42869
SHA1 ed46cda4ece3ef187b0cf29ca843a6c6735af6c0
SHA256 3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121
SHA512 90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

C:\Users\Admin\AppData\Local\LEpoW9c\UxTheme.dll

MD5 a1aa25aaea41d5d9a7e89cb3ae46eb18
SHA1 ed1c6b6b57b3becca6ade3e0e7207136fd74e945
SHA256 e6a6d24d94345ae6ebb1e9f02deee40037a7d317dd4ea97c551b2947bc553aee
SHA512 417ceadc05c2caa1608efafd8a3b36ff24d4b3ac523aa7c7afaa96759be856e09183820aec80c60fc4eb5bace829cf205a70604d7d6e5ced7007db1e4b89f7ba

\Users\Admin\AppData\Local\LEpoW9c\UxTheme.dll

MD5 4028fff5c8546308e37e2d3eada89545
SHA1 d2fff6699841555ba6ba5f7bfbea8b7d4411e92d
SHA256 dca70fe8754e0c90943d8ee3fc75c66618b85252b1a7123ea88e73b8fab15938
SHA512 e7c78131b3d16828ae14786f8eed1e3711b33c518f90bf2b8955596f0a7161e59e4b4594059fcef9364853358e3eb8b3146d991685cd135e9e9739048000ebd7

C:\Users\Admin\AppData\Local\LEpoW9c\SoundRecorder.exe

MD5 47f0f526ad4982806c54b845b3289de1
SHA1 8420ea488a2e187fe1b7fcfb53040d10d5497236
SHA256 e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b
SHA512 4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

\Users\Admin\AppData\Local\UP5b0FH\shrpubw.exe

MD5 29e6d0016611c8f948db5ea71372f76c
SHA1 01d007a01020370709cd6580717f9ace049647e8
SHA256 53c868882ebc9e0d4f703afeccb172043069ccc0b5b6f7cac1d2aad9c4640930
SHA512 300216ab47ee44b8f68d4835bf26641f949039522b680af00fb602f57d31c38812428dc624461bc2cc7d6384cad396bc033718e41e11a65f7dd0eeb36ed924e4

C:\Users\Admin\AppData\Local\UP5b0FH\srvcli.dll

MD5 5a0c00a044d0dff1751584ba329f5c78
SHA1 f30974d22b803ddcf0bb3aa259683521f39578e0
SHA256 0e9d228489beef2847e2c83ab31c8c4f4fa7a3fd1e917042ea8c5abee9bbf915
SHA512 fe895a6b7e03fa0df934d412210c93bf58cff8c070330b0a9ebf8402c01686b5b5097699bf60d88becc61edb8112b8a0d85ed197dd7bec1e99500d71066b1d11

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 dee39ad5768114b7a77ea105be56a120
SHA1 3f3916c8070f8c25db6d4d372a4b3ab41b6eb2ec
SHA256 1a00a7ab2bb39515707d098f90b5c67354be5ad2c9770f17674526e5c23657cc
SHA512 a2545f9936c25d491ce33d2835855314bfc7377f21b4c3119ead4076575fb853ea843865ba7c215825a73807a9c6567c22a85d11932b766866ea9beff9a41b48

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\gx\MFC42u.dll

MD5 758ae7980741f1689e2d4336f0c33096
SHA1 a22a928eab901c53e283f4e2266d58993511f6ae
SHA256 093cb631c21549f9c79e7fff99e8109b7e8951f8e7b709496beb27ccb9b6cea4
SHA512 bbc118159edf3ad6f8c96f09df7d20a8eae9ebc80a5e2b3460d26dbdfd5a2e8a540fbf05815708e8336c08c7d06a4b917c801601118aa2e31583cb381c3270c1

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 22:07

Reported

2024-01-26 22:10

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\78833dc80091e76f426f64b576358fef.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\KgQgoP2It\\GamePanel.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pkV\GamePanel.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3500 wrote to memory of 1808 N/A N/A C:\Windows\system32\raserver.exe
PID 3500 wrote to memory of 1808 N/A N/A C:\Windows\system32\raserver.exe
PID 3500 wrote to memory of 968 N/A N/A C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe
PID 3500 wrote to memory of 968 N/A N/A C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe
PID 3500 wrote to memory of 4124 N/A N/A C:\Windows\system32\GamePanel.exe
PID 3500 wrote to memory of 4124 N/A N/A C:\Windows\system32\GamePanel.exe
PID 3500 wrote to memory of 4832 N/A N/A C:\Users\Admin\AppData\Local\pkV\GamePanel.exe
PID 3500 wrote to memory of 4832 N/A N/A C:\Users\Admin\AppData\Local\pkV\GamePanel.exe
PID 3500 wrote to memory of 4816 N/A N/A C:\Windows\system32\SysResetErr.exe
PID 3500 wrote to memory of 4816 N/A N/A C:\Windows\system32\SysResetErr.exe
PID 3500 wrote to memory of 1612 N/A N/A C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe
PID 3500 wrote to memory of 1612 N/A N/A C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\78833dc80091e76f426f64b576358fef.dll,#1

C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe

C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe

C:\Windows\system32\raserver.exe

C:\Windows\system32\raserver.exe

C:\Windows\system32\GamePanel.exe

C:\Windows\system32\GamePanel.exe

C:\Windows\system32\SysResetErr.exe

C:\Windows\system32\SysResetErr.exe

C:\Users\Admin\AppData\Local\pkV\GamePanel.exe

C:\Users\Admin\AppData\Local\pkV\GamePanel.exe

C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe

C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\EfSUafuH8\WTSAPI32.dll

MD5 59e4ea7cdbbb854d81910c2d7d03441d
SHA1 f880cb5424edb7fce5609177b5736d406d8b404a
SHA256 6ef3893145af64466e50f7e4b3bb798235591c16d6dbc0eeab287d416dfe6f39
SHA512 ed43cfe9fef58687319d4954d6b1aa6e2df4bd7c9f8a40b77eef07844c65d52d0a6c5cc02bf6338b5993c0b351118ac82c84f5d735d8ed14cf6a07fc993be8a5

C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe

MD5 1d3c0ed6df6157ccd8e6262dfa8d2cbf
SHA1 45cccd41b9f86dbf1c87e95fedfae1c7dd192c13
SHA256 eef504fa8d830f50b825744c862a0535f8d8342705b23a50dc21be117d21191e
SHA512 5f35587f3862f782b488acfe67823c9a5a34a89a35acad1a0a5acfaffc5268daf527d9d3743817a8f80afae909bd9ba0ee50f006f738048d0b3a4cb38b81c4ee

C:\Users\Admin\AppData\Local\EfSUafuH8\WTSAPI32.dll

MD5 3030c7a79d30887b4b19dd6c2ee26d30
SHA1 0020569b12db5247ff878909e7aa6b0f769f11cd
SHA256 e5905aecb74d8be2f0e681125d0d36f97e3526acd38ed10b6d904569a7c8b274
SHA512 6a47e06f332b5f40161063692688fe34c05a66af59cdc0ac2d6860d8d5d7c066b064130b3b9d614a36a2f595244570e60501244b591f2bc80f2d01e6ab343d0a

C:\Users\Admin\AppData\Local\EfSUafuH8\raserver.exe

MD5 a84f020d6ae51dc4c481bb34c286eab2
SHA1 4ad094ab6d1b874e709d9a34dca5663bc2198982
SHA256 a110e2f03030fd67752cdfbae6e940ae0d25b2e347ed716ca9017016d794e51c
SHA512 662373c646f20bf9f9f0de397c2f3432b6bb4743d3be58da56284c94b72c7737c9cf14ef8c148a62276fe74ea48c3446df1600f48eaed996b3f360df99d845a5

C:\Users\Admin\AppData\Local\pkV\GamePanel.exe

MD5 6a31226e58e7b5ee99f21a24f3806638
SHA1 009258799d942dbe201a341e2431ef6d79911390
SHA256 a6aba25e59a74efc5154132ceda2b623c5b502ddf9106cf1e1a4b91304521b89
SHA512 1fe278c1baafd6a227e7ac4b8cbddef80109be22dd04d2a87c76e03d14f21c533fe459c397f6b15e53400f9d83c05e7a08ce38815b2b79c51810bef5ecaeff58

C:\Users\Admin\AppData\Local\pkV\dxgi.dll

MD5 7d1f628d1f668220ed87aec090bc681a
SHA1 b812eff8c75c97181f380bce0eabc90776c59761
SHA256 abeb23abe628b376f34cb29b8d3562564ba38024f15b8e12a8a4ff2afd8a6683
SHA512 3935a1840480d61a3413fe7942c28b93b91693b1243a5fb24e1802eea407b3d6902a21133c1834ac5e0285564c858aac5120040908bdea7fd3e95272ac5c01c1

C:\Users\Admin\AppData\Local\pkV\dxgi.dll

MD5 b9ab24e201d12db5f0bf6b5e716d6052
SHA1 28ff7d6e9208d0d2898368f580929a0f00fb5700
SHA256 b3a9f362a0ebbe3c8c85b786623065a02947a754101b2c14bb86512407e65a27
SHA512 cee665127bacf0cfbe568509615e4b63f48ff464085c884b1b86a49449b1163958c17059338b5ffe4b61136199c2bf80daeaa0fd8d82200500d936a52de747dd

C:\Users\Admin\AppData\Local\pkV\GamePanel.exe

MD5 9d7a80f85fcd59e9a4a922bcf704ab34
SHA1 596095995886fbb7510dd3086140518c5e95e537
SHA256 f69e4e96d88817e14d8a39fd46254414e09a3b902517fe04ebd685882a6765a0
SHA512 1d1c084ed775cc2fabdc9bb6372be46c4c416a83e9bef7ffba170c934a1f4c991f6f6fda4a04800079815a848f60583b4050d11bd9bc34e60aa813a5afbfb937

C:\Users\Admin\AppData\Local\pkV\dxgi.dll

MD5 12b9b88ce623fe85f14bdd7ee72d1dbb
SHA1 7e08a05d0995c30fc67ae1107fe9d9b57633cd0f
SHA256 df609eaa3be0bebc9c52aa62f188bcea66eec4c69739f0d627dd3aabb74e1258
SHA512 a815529c7a9c7b2a877b43ed4d8c704d957d10637e190616f1c8eab67e52572f1d50e413c83611bcaf0899976af859d84ade7602a41759ac836bf5700ca2cdfb

C:\Users\Admin\AppData\Local\3eOQ\DUI70.dll

MD5 464d7756b0ba689188afe23bc84f7fe2
SHA1 7a56ebdab7204fa7691a9e162048df067724afe8
SHA256 820292c0646218c37225b12c2786fdcca6e892338cc6dc92f70f66b52a4c1d16
SHA512 a4824d0504165f14d551825117b5c4370617e9bb6dae523dddffbe91a2f01c345355aafdcf24aa424a47772c5cd333d460fb4eb008a7d5c3a3b180c6bdb71bfb

C:\Users\Admin\AppData\Local\3eOQ\DUI70.dll

MD5 6798a21b27de1172afab7aded7a877d6
SHA1 d3447fe4c629ada17528c904bc4d972fc4fcc9f3
SHA256 ec5e433e03a536a8b71da1d75d1c5adf92429f7e90baa9a47a919e72a68cc039
SHA512 30977999f20facec53004cdeab1581f2648fc80a274578271af6a61b90fb2aff93d6bf88258932c531e4d14a912d79abdbe413d7e981119d2dd0909b80236154

C:\Users\Admin\AppData\Local\3eOQ\SysResetErr.exe

MD5 090c6f458d61b7ddbdcfa54e761b8b57
SHA1 c5a93e9d6eca4c3842156cc0262933b334113864
SHA256 a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd
SHA512 c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk

MD5 7d3f334965a186468615510866ab2e5f
SHA1 4cf613b15680ec187605c97620a2a7bee95b1e6b
SHA256 0d2cb745c05cf01188b266eff3db913ebc759d935513b79cc385c33729046164
SHA512 458dbc2fdd0d294d64b5dbdb0a9ceab2efa43b1196943a12ef401b34a562fe92a173d8ecc15ca1f88ee91bb89df54d5cb8f3fd9c5ce4cd4533b6d097d7d30e39

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Qbhmw\WTSAPI32.dll

MD5 5ef51b80863f71f789e43a80be38db7c
SHA1 a571ab4bf059d23f295d884b557a6e796ea34314
SHA256 b52a774125737d484ccac47e99733d1f9ba800b0e0e4681755e03145450d7c9d
SHA512 77e5333e5858d489e33c155df30ff38147275e99fe2d331a0bc19a0fcb4111b725586743bb1b49d0c6debd742032f4aefb36721a47a257e2c7da368d4ad95a1e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\KgQgoP2It\dxgi.dll

MD5 fdc1e4e892c1f5bfd5239fddb5072a35
SHA1 832d0dd6b8af960f4f42f38059aef2431de28e01
SHA256 ff301db9fe1dc94f0c67ec9588919efe15e40a8f9ffa66ad5c7a3f82b91a36fc
SHA512 bf0b760482a601224201d8795cacbb41e2067d051b53f7e7b8b2a61fc4a42749905a23bab050830434d59aa40bc4e343fc162391782e339fe1f3de88f135c631

C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\RKmR\DUI70.dll

MD5 88dfc57ad7075b8598558a61875ff9c5
SHA1 9e00c3955a5f7ec13482f87ee9cba297468afddd
SHA256 ddda48d78fd7deb18a50715908b49c9db2f56156b9ebe7ce3de2c39912b894c5
SHA512 1a81b17656196a9d5faf9a1ecc1c0cd342ae9d5ded303d98c2f10d39238aa89e9945f39671d512ff6314f7ee4fe83ad926f73c32f9380b922980f9e297c9f503