Malware Analysis Report

2024-11-13 16:42

Sample ID: 240126-2q874ahdcr
Target: 78978e5afac60e6f6b472c51b7fc6180
SHA256: 36d11f59d8e8c07bc7d44ff589ff73669cd9794257680dab506d9badb7b80a47
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

36d11f59d8e8c07bc7d44ff589ff73669cd9794257680dab506d9badb7b80a47

Threat Level: Known bad

The file 78978e5afac60e6f6b472c51b7fc6180 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-26 22:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-26 22:48
Reported: 2024-01-26 22:50
Platform: win10v2004-20231215-en
Max time kernel: 42s
Max time network: 149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\78978e5afac60e6f6b472c51b7fc6180.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\QNnZ2E | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\QNnZ2E\WINMM.dll | N/A | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\QNnZ2E\PresentationSettings.exe | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\mi\\SystemPropertiesHardware.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\suukkMCsY\SystemPropertiesHardware.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\mRb\sdclt.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (4 identical rows)
N/A | N/A | N/A | N/A (60 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3456 wrote to memory of 1428 | N/A | N/A | C:\Windows\system32\PresentationSettings.exe (2 identical rows)
PID 3456 wrote to memory of 3772 | N/A | N/A | C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe (2 identical rows)
PID 3456 wrote to memory of 4796 | N/A | N/A | C:\Windows\system32\SystemPropertiesHardware.exe (2 identical rows)
PID 3456 wrote to memory of 4972 | N/A | N/A | C:\Users\Admin\AppData\Local\suukkMCsY\SystemPropertiesHardware.exe (2 identical rows)
PID 3456 wrote to memory of 2360 | N/A | N/A | C:\Windows\system32\sdclt.exe (2 identical rows)
PID 3456 wrote to memory of 4480 | N/A | N/A | C:\Users\Admin\AppData\Local\mRb\sdclt.exe (2 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\78978e5afac60e6f6b472c51b7fc6180.dll,#1

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe

C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Windows\system32\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\suukkMCsY\SystemPropertiesHardware.exe

C:\Users\Admin\AppData\Local\suukkMCsY\SystemPropertiesHardware.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\mRb\sdclt.exe

C:\Users\Admin\AppData\Local\mRb\sdclt.exe

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 130.109.69.13.in-addr.arpa | udp

Files

memory/2196-0-0x000001A0560D0000-0x000001A0560D7000-memory.dmp

memory/2196-1-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-5-0x00007FFB4D05A000-0x00007FFB4D05B000-memory.dmp

memory/2196-8-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-7-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-9-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-10-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-4-0x0000000002670000-0x0000000002671000-memory.dmp

memory/3456-11-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-12-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-13-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-15-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-16-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-14-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-17-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-18-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-19-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-20-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-21-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-22-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-23-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-24-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-25-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-28-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-31-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-32-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-33-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-34-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-35-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-37-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-36-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-30-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-38-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-39-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-29-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-27-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-26-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-40-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-43-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-44-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-46-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-47-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-48-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-45-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-49-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-42-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-52-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-51-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-50-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-41-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-54-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-55-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-56-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-59-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-60-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-61-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-62-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-58-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-57-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-64-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-65-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-63-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-53-0x0000000140000000-0x0000000140342000-memory.dmp

memory/3456-74-0x0000000000160000-0x0000000000167000-memory.dmp

memory/3456-85-0x00007FFB4D280000-0x00007FFB4D290000-memory.dmp

C:\Users\Admin\AppData\Local\nYiqOsAm\WINMM.dll

MD5 d1b910a03b8f4bfe95720558a1975938
SHA1 342efe03db27b02d744ae0346718cf14b38a2cf3
SHA256 f831be563e728416089006de7dae879e0bb0a0252a71c29eaa8629e3d9e1b1d5
SHA512 738f5ecb27d5cb8ff768a75fab8c9d306a045ee920eb80678244c8fdae4e742daf06b99ede79923e4ad781947f8ed373584ee4a9b127db7609eebdaf79a1537e

memory/3772-102-0x000001498D500000-0x000001498D507000-memory.dmp

C:\Users\Admin\AppData\Local\nYiqOsAm\WINMM.dll

MD5 854db991d8c6f587fc6f1b75b79ff107
SHA1 74a38fb2a32e606e9a8552927b842b645a1a00af
SHA256 e7a8193697d5696c68a75e04091f5712f7040a9f45c7cde3c1776151dc9559bf
SHA512 e550e53cda4dd1b80088cd4dc909d643795b290c839b42678e06f208460010da9b23bb73b6cfa976daf0e10a8d3d824e44be1ad2a0bc0df6acde7f8088524445

C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe

MD5 790799a168c41689849310f6c15f98fa
SHA1 a5d213fc1c71a56de9441b2e35411d83770c01ec
SHA256 6e59ab1a0b4ac177dc3397a54afcf68fcea3c1ee72c33bd08c89f04a6dac64b8
SHA512 8153b79d4681f21ade7afe995841c386bff8e491ad347f8e7c287df5f9053cae7458e273339146d9a920ceaa2ba0f41cc793d7b2c0fa80efbb41477d39470866

C:\Users\Admin\AppData\Local\nYiqOsAm\PresentationSettings.exe

MD5 6c5002fa89fbd08956cc7ff5eec66e96
SHA1 82c2e8491ea107c5326067b8aeda6c1fa76aa48d
SHA256 df5f177c06449bdf9b192ae8c8201f7e930baf2fbf310826efcb4c7f1b3542be
SHA512 f653e6a3bd9ba3dfed4add719ae9633069db92fd0f8248ad00b8fb0afd762a2924ee976d1baecc2d5a61074b884c93cc4337db411f62ce7eed2cb22a2e17397f

C:\Users\Admin\AppData\Local\suukkMCsY\SYSDM.CPL

MD5 262255f1c91c1e487125efd25ef18162
SHA1 1d94eb0044dcb8085a60e084f725442031076f01
SHA256 3986dc12dcfceb488a6cebf638ef63e47bb2769aa63537018007ca636c4bffe3
SHA512 ecfb062a4634f89fe61c5d7a3bd20fdcb453121f24fbe26e7665f33285a2fda59a6f4a19a7ea6554a6aae13dc2c4815420d35f215bfdfac2e129cbf74cafbea5

C:\Users\Admin\AppData\Local\suukkMCsY\SYSDM.CPL

MD5 58a5a6f26575161a6a88b841b092b4d3
SHA1 f6738ae79e4f654b075ee233b490705596c01058
SHA256 8f68bb5ce74c600901e7f2cf9148abf8f6ac164a38e4ddfc09c37bc5562b6e77
SHA512 15250eeb68234321ace7668bcbed86bcb39dff0ed893c982d95fc16a9caec6b321db409cc09a212bd9213536514218c11b9301cb90c8f97c2170e88f5e87c3ee

memory/4972-121-0x00000138EAF00000-0x00000138EAF07000-memory.dmp

C:\Users\Admin\AppData\Local\suukkMCsY\SystemPropertiesHardware.exe

MD5 bf5bc0d70a936890d38d2510ee07a2cd
SHA1 69d5971fd264d8128f5633db9003afef5fad8f10
SHA256 c8ebd920399ebcf3ab72bd325b71a6b4c6119dfecea03f25059a920c4d32acc7
SHA512 0e129044777cbbf5ea995715159c50773c1818fc5e8faa5c827fd631b44c086b34dfdcbe174b105891ccc3882cc63a8664d189fb6a631d8f589de4e01a862f51

C:\Users\Admin\AppData\Local\mRb\SPP.dll

MD5 1177e35d69f6fe08fdc1dde3c6641636
SHA1 194249cc0af0ec01c131baff4e20740644a7b8e3
SHA256 7bad7e53ef664b11c4e165260a74952d0917c75917de38e3ed0875092acc03ee
SHA512 90d5f41bd01d9bd08a14be588a7fd2dd5333b391aabafc71231773b5abe8149e550c2475b332c608d208c3f36bde0a9cd46e7f935c0426be4bd026f1fd933efa

C:\Users\Admin\AppData\Local\mRb\SPP.dll

MD5 ccac2f4d762388488404b2d32eb97b87
SHA1 bb3be19671957cc4916c4560227ed78befef64a1
SHA256 964780d7b2fb7b912a3e5621be5260108face604f023e1c3e05343a90f693a4e
SHA512 718f1b43af9c51d1d4ed659721f69f904937cdb2c38682038a96baaa880ac1e12bdfaa7da42f283fcaf4826c34d9849aa1125aa716b5132061aa5e23e40809c8

memory/4480-138-0x0000020514550000-0x0000020514557000-memory.dmp

C:\Users\Admin\AppData\Local\mRb\sdclt.exe

MD5 8ddedf58c1953829dacbb26fd760be3a
SHA1 1bc115d12b8eeb49e79b7337614cc73a2930b423
SHA256 a85bee1606f4e07f24cb84dd6ab540e023caca4369fd28925138a00b79d329f5
SHA512 24d523c693f0b75e0b06c495ddbca269e26a6b87ecb4b021ca9c23b69e6d7f36b7c276b7020eee205ae8f92cb6c4183848ad406f38420646c7031add7f5b7679

C:\Users\Admin\AppData\Local\mRb\sdclt.exe

MD5 1b52289172a0a4ce3af4ec968ab2d4a4
SHA1 f214341cb25008afa5cd084213174ca838b27090
SHA256 5ff8d694cbd0cce076e760577ea29f70f5224f50edda1223948bbd5fcb09d324
SHA512 8bdc8c3d41812268c2dc9f5de09bde244ef08f1bcd2e1cafa16e00d7304284b7b94c2539a53daeb9ea8374f108e786561bfb2b70a00635bed9b8d6a5d336ade6

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 c841f81a4a07a848f4cdcdd18ef839af
SHA1 c52d4615e42be2c3dc2754d577e55473e368499a
SHA256 5412350925f8cff2bdc6bcc25a4186eff6ce5f37f3b6c3b681f1d16d18561268
SHA512 8fdf6ef7d05da54081446adcc1d2b3699b686b00e2f3d82ade2f85287b32fbd6a0f40776ea04539d3c94e3cc3884955fc3361a6dc425b5e450ae18a86d9bae80

C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\QNnZ2E\WINMM.dll

MD5 fa3f83acd3efccb75d8966e33172d4ad
SHA1 49f1025a0554bf6cf36fea8c9b8aecf8ae653326
SHA256 63956becdd55ec6cc9914b47c732c008d95fb5c6a3cd6cfdee9b6f3f43fa47b3
SHA512 e3d489d9474bed9cf183073c58558f27f343a001c82ce171e9f75870b41cd648174564cd6c9c55a70f05b1e8db07bd01d305def26777ac072b268c62a4393148

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\mi\SYSDM.CPL

MD5 e32320145b777baa7db3ed35d9532e8d
SHA1 b34db6e329ca94abb4d56602c6410ae8ee0d5941
SHA256 2cf54b07a4f510b1ff944a9368f91c585a9f976d3e9ea4d5144e88d011e4a92c
SHA512 6e69da05e4a3d9756cb4b730fd0aaccdb49e1972bf5c6927a786af0c38fab8910569bacaa3e40d4cdab333596b1b4b96cd8cecc7fe6e721c3aee0c88cb5bd450

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\Dqcm\SPP.dll

MD5 436feabfa766100fa40536199f90c569
SHA1 65730e06636c3ce65727e46c8d761e947e45c1b4
SHA256 5cfaea2b7140c823afd6e2cc924437f1ad39d40a6fe0200c3c19a7e0ad539dd3
SHA512 dc4784bb6f5f9cace0ec87ea0dba7f55a2b284bfeadc8eef6c75b701230a61e153475ddbbaef5f4e02d0843f25111e9e7abb6722a3262ad2917ac0b131465f15

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-26 22:48
Reported: 2024-01-26 22:50
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\78978e5afac60e6f6b472c51b7fc6180.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\OzrwcsQp\wisptis.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\dkDQXTMC\TpmInit.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\srMXQTuB\mfpmp.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Zqonzshwxyr = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\HGH57a\\TpmInit.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\OzrwcsQp\wisptis.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\dkDQXTMC\TpmInit.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\srMXQTuB\mfpmp.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A (3 identical rows)
N/A | N/A | N/A | N/A (61 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1340 wrote to memory of 2948 | N/A | N/A | C:\Windows\system32\wisptis.exe (3 identical rows)
PID 1340 wrote to memory of 2916 | N/A | N/A | C:\Users\Admin\AppData\Local\OzrwcsQp\wisptis.exe (3 identical rows)
PID 1340 wrote to memory of 748 | N/A | N/A | C:\Windows\system32\TpmInit.exe (3 identical rows)
PID 1340 wrote to memory of 1900 | N/A | N/A | C:\Users\Admin\AppData\Local\dkDQXTMC\TpmInit.exe (3 identical rows)
PID 1340 wrote to memory of 1704 | N/A | N/A | C:\Windows\system32\mfpmp.exe (3 identical rows)
PID 1340 wrote to memory of 3052 | N/A | N/A | C:\Users\Admin\AppData\Local\srMXQTuB\mfpmp.exe (3 identical rows)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\78978e5afac60e6f6b472c51b7fc6180.dll,#1

C:\Windows\system32\wisptis.exe

C:\Windows\system32\wisptis.exe

C:\Users\Admin\AppData\Local\OzrwcsQp\wisptis.exe

C:\Users\Admin\AppData\Local\OzrwcsQp\wisptis.exe

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Users\Admin\AppData\Local\dkDQXTMC\TpmInit.exe

C:\Users\Admin\AppData\Local\dkDQXTMC\TpmInit.exe

C:\Windows\system32\mfpmp.exe

C:\Windows\system32\mfpmp.exe

C:\Users\Admin\AppData\Local\srMXQTuB\mfpmp.exe

C:\Users\Admin\AppData\Local\srMXQTuB\mfpmp.exe

Network

N/A

Files

memory/2856-0-0x0000000000110000-0x0000000000117000-memory.dmp

memory/2856-1-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-4-0x00000000772E6000-0x00000000772E7000-memory.dmp

memory/1340-5-0x0000000002580000-0x0000000002581000-memory.dmp

memory/2856-8-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-7-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-9-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-10-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-11-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-12-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-13-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-14-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-15-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-17-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-16-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-18-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-19-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-20-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-21-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-22-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-23-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-25-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-26-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-24-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-27-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-28-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-30-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-29-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-31-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-32-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-33-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-34-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-35-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-36-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-37-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-38-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-40-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-39-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-41-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-42-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-43-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-44-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-46-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-45-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-47-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-49-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-48-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-50-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-51-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-52-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-54-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-53-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-56-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-55-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-57-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-58-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-59-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-60-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-61-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-62-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-63-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-64-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-65-0x0000000140000000-0x0000000140342000-memory.dmp

memory/1340-74-0x0000000002550000-0x0000000002557000-memory.dmp

memory/1340-86-0x0000000077650000-0x0000000077652000-memory.dmp

memory/1340-85-0x00000000772E6000-0x00000000772E7000-memory.dmp

memory/1340-82-0x00000000774F1000-0x00000000774F2000-memory.dmp

C:\Users\Admin\AppData\Local\OzrwcsQp\wisptis.exe

MD5 02e20372d9d6d28e37ba9704edc90b67
SHA1 d7d18ba0df95c3507bf20be8d72e25c5d11ab40c
SHA256 3338129ddf6fb53d6e743c10bc39ec372d9b2c39c607cbe8a71cff929f854144
SHA512 bcad8894614dcfc1429be04829c217e7c8ac3c40ea3927073de3421d96d9815739ee1b84f0200eb18b3b8406b972bd934204b7b31638c9fe7c297fb201ed4200

C:\Users\Admin\AppData\Local\OzrwcsQp\MAGNIFICATION.dll

MD5 ef4f0c33d8d7f7debf3556344f1bf88f
SHA1 d6d9a4ebdd9afd8feaac7a5d81ac423c5e552bab
SHA256 e183dff90c1a2dc5f9d59e3bf69a918e976bb63bb5de3abbc01aabbcc835b9c4
SHA512 41fd0122d67d3a700a69418be3420abd81f84dfcf9fd6c2c44bbd0676d4e3beeb1b2a30214004782922d3aac7d0e3db629c95ec4dd3e4794739f4a5c0774df58

\Users\Admin\AppData\Local\OzrwcsQp\MAGNIFICATION.dll

MD5 a4903cec68d63dbc1d3bc72b87d8b7ff
SHA1 90ee5225180538528f1bec5a3724dfc885a9382c
SHA256 21cb2c94596f185e632d69c0d2b2c2a48b1f70783eaa2dbaeb9a53f2b4a86f6f
SHA512 aaf222678167cb1702d63f156246ca2b4db4aef2e059707227de6b6cba8104dd727c6b3a6b57ee778c70517e0c62af0716877314924243ef081d1b14cc06f195

memory/2916-112-0x0000000000180000-0x0000000000187000-memory.dmp

\Users\Admin\AppData\Local\dkDQXTMC\TpmInit.exe

MD5 8b5eb38e08a678afa129e23129ca1e6d
SHA1 a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
SHA256 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
SHA512 a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

C:\Users\Admin\AppData\Local\dkDQXTMC\ACTIVEDS.dll

MD5 24a91eddb1c9033379546124f7c4e0df
SHA1 e71e115ea1d754897360932bf7e76aedea48861f
SHA256 fc2a2a8d7cc12cf430618fd07ca6dece66b839e730723b14d7f3d674d7d90fae
SHA512 efbad0b125630a7b2ea282864253d2d8b93a4e7a8455ad7113e01ef520a9628990a7355e1ae74dccdf4f6998ecc108b8752275e213ad3cad7d3171d414c20ba9

memory/1900-129-0x0000000000090000-0x0000000000097000-memory.dmp

\Users\Admin\AppData\Local\srMXQTuB\mfpmp.exe

MD5 2d8600b94de72a9d771cbb56b9f9c331
SHA1 a0e2ac409159546183aa45875497844c4adb5aac
SHA256 7d8d8918761b8b6c95758375a6e7cf7fb8e43abfdd3846476219883ef3f8c185
SHA512 3aaa6619f29434c294b9b197c3b86fdc5d88b0254c8f35f010c9b5f254fd47fbc3272412907e2a5a4f490bda2acfbbd7a90f968e25067abf921b934d2616eafc

C:\Users\Admin\AppData\Local\srMXQTuB\MFPlat.DLL

MD5 e24df9c436584ce6f79cfc680e641a28
SHA1 2446c94b9e6570e739da1f1411fee720033a486b
SHA256 5e49093c8635e1f513583bcf319e775f04eaed8df14dc44f9b642ce1aa5a2704
SHA512 9c51e995537485f0e98845818034169f24c9297e4a2f9fbcd7d67198b233e2cdca4e1fbe476ab96e13a0b63d1f849f9dc8d84a1e76dd4c6aab3a08bb56348f86

\Users\Admin\AppData\Local\srMXQTuB\MFPlat.DLL

MD5 39d25c4147a07b834f4d928b189bb5ac
SHA1 2993b204937db9cb3349d72b4f36b164711444c1
SHA256 522ab76d3c2237d153f9010bff29ed1bc737c9af9ac4180d56ad951d11c141ca
SHA512 ae74263ff5c5bcd87265104be624511efe3df3c311eac95ff2bd3158580d6f3ca3470eafc0f7a52a0a6a06cc05400e1f64854ca49eb70c13bcdb8478a494ed05

memory/3052-147-0x00000000000F0000-0x00000000000F7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ercyejwqgvsruoy.lnk

MD5 fdb320f19cabc05ab3961741ef0aa517
SHA1 1dd53e13da9bb830c4ed1401c23759cbfe515a3f
SHA256 f123b485dac882d1664866a2e16f57e80eb8c2fa937fe6bcc318da05ad3a1e29
SHA512 303a63ac63a19a95d14a273e815e0df24a17c5acb52535942879ffb395bf7bc3d7c9ba03c3167f70992223f8623f516898a1a7ec620d757c59fe1dee4587e761

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\7OufGq\MFPlat.DLL

MD5 468dd9d9bff25c57a05f0cb38fbe7a69
SHA1 387164f9121889b0a9bc1d25aeed213b8cf46239
SHA256 0097fcffbada442cad1f0116d2466fce643c62c3cdacef574e0871c0c7bfea4c
SHA512 3ad01a2086723c7548cf377ac9cea17048bb19bff53b2db3d6a73a46b63cacd996eb86f278a42df0376178821ef8f8d14930d3ad7aa4785ae7cb8e39d2abb031