Malware Analysis Report

2024-11-13 16:41

Sample ID 240126-fyxclsgbaj
Target 767b661339f842a24584de1cfd7ff58a
SHA256 12f891dd73ef13029a6cb2422c35d390835c149c627ec7f52a985633b4ec14d4
Tags dridex botnet evasion payload persistence trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256

12f891dd73ef13029a6cb2422c35d390835c149c627ec7f52a985633b4ec14d4

Threat Level: Known bad

The file 767b661339f842a24584de1cfd7ff58a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-26 05:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-26 05:17
Reported 2024-01-26 05:20
Platform win7-20231215-en
Max time kernel 150s
Max time network 120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\767b661339f842a24584de1cfd7ff58a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\fYk\msconfig.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\UxkMfgDlgWS\\msconfig.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fYk\msconfig.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2612 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1244 wrote to memory of 2612 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1244 wrote to memory of 2612 N/A N/A C:\Windows\system32\SoundRecorder.exe
PID 1244 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe
PID 1244 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe
PID 1244 wrote to memory of 2564 N/A N/A C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe
PID 1244 wrote to memory of 732 N/A N/A C:\Windows\system32\msconfig.exe
PID 1244 wrote to memory of 732 N/A N/A C:\Windows\system32\msconfig.exe
PID 1244 wrote to memory of 732 N/A N/A C:\Windows\system32\msconfig.exe
PID 1244 wrote to memory of 1084 N/A N/A C:\Users\Admin\AppData\Local\fYk\msconfig.exe
PID 1244 wrote to memory of 1084 N/A N/A C:\Users\Admin\AppData\Local\fYk\msconfig.exe
PID 1244 wrote to memory of 1084 N/A N/A C:\Users\Admin\AppData\Local\fYk\msconfig.exe
PID 1244 wrote to memory of 1452 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1244 wrote to memory of 1452 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1244 wrote to memory of 1452 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 1244 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe
PID 1244 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe
PID 1244 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\767b661339f842a24584de1cfd7ff58a.dll,#1

C:\Windows\system32\SoundRecorder.exe

C:\Windows\system32\SoundRecorder.exe

C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe

C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe

C:\Windows\system32\msconfig.exe

C:\Windows\system32\msconfig.exe

C:\Users\Admin\AppData\Local\fYk\msconfig.exe

C:\Users\Admin\AppData\Local\fYk\msconfig.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe

Network

N/A

Files

memory/3048-1-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3048-0-0x00000000002A0000-0x00000000002A7000-memory.dmp

memory/1244-4-0x00000000772D6000-0x00000000772D7000-memory.dmp

memory/1244-5-0x0000000002A90000-0x0000000002A91000-memory.dmp

memory/1244-7-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3048-8-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-11-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-13-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-15-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-14-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-16-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-20-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-19-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-18-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-21-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-22-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-23-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-26-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-25-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-24-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-17-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-27-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-29-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-30-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-31-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-28-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-12-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-32-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-33-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-37-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-38-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-41-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-44-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-46-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-47-0x0000000002A60000-0x0000000002A67000-memory.dmp

memory/1244-45-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-42-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-43-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-54-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-40-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-39-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-58-0x0000000077540000-0x0000000077542000-memory.dmp

memory/1244-55-0x00000000773E1000-0x00000000773E2000-memory.dmp

memory/1244-35-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-65-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-36-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-34-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-69-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-10-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-9-0x0000000140000000-0x0000000140203000-memory.dmp

memory/1244-74-0x0000000140000000-0x0000000140203000-memory.dmp

C:\Users\Admin\AppData\Local\oFMo\SoundRecorder.exe

MD5 47f0f526ad4982806c54b845b3289de1
SHA1 8420ea488a2e187fe1b7fcfb53040d10d5497236
SHA256 e81b11fe30b16fa4e3f08810513c245248adce8566355a8f2a19c63b1143ff5b
SHA512 4c9a1aa5ed55087538c91a77d7420932263b69e59dc57b1db738e59624265b734bf29e2b6ed8d0adb2e0dec5763bfbf86876fd7d1139c21e829001c7868d515d

C:\Users\Admin\AppData\Local\oFMo\UxTheme.dll

MD5 2d1d00ffe9fd6ae701c8568e0c20fc1d
SHA1 b5f81ba738dbcb294db4f888ae2d28c7df1d2bd0
SHA256 f1c98ec49cb9fa17e39923bc56208e02735cfdf225cd813452cd43e4de53afac
SHA512 f61bde3b44c56d08beeb0b7b7cce5f2d25f64fd9908f5487b34da23fc909b86e761e414a6b378325203a56bef50a7d12f93cc4be2390f0db79979ea6ea23bfd2

\Users\Admin\AppData\Local\oFMo\UxTheme.dll

MD5 1958d2b610a44686c13e715c40cbdb85
SHA1 7635419f9bb2f4a4362e3809c3a380fb98a8d330
SHA256 da22a6cbae9508dff317f228b0901312fab925225050b1a16533bb1748716035
SHA512 8690b29f974a9cb9c41ea0b3772bc1e032535cf063f27eed9ab3ce7e820e1b63da5012b31e94d6642fda968adec955cf6f7dca38b98ee138af7af55f24dedf21

memory/2564-83-0x0000000000100000-0x0000000000107000-memory.dmp

memory/2564-84-0x0000000140000000-0x0000000140204000-memory.dmp

C:\Users\Admin\AppData\Local\fYk\msconfig.exe

MD5 5634ebcf7905c20817331419031fa5a4
SHA1 9f9a1f83cc2dc5b511ceee2fb4917fe89601b145
SHA256 5927128afdd8cd9a1d1a23075ed20cbe1ca41ed70e64053622aedceb622e56a5
SHA512 e5fc82f26e7009bdfb0f511870b731f6f3453fd139b8686ce47feed128449ba6f94ca0b6359c82778b5d21528e1a7d95d9c72ec84d820eac32e5f8ce4b46816f

\Users\Admin\AppData\Local\fYk\msconfig.exe

MD5 e19d102baf266f34592f7c742fbfa886
SHA1 c9c9c45b7e97bb7a180064d0a1962429f015686d
SHA256 f3c8bb430f9c33e6caf06aaebde17b7fddcc55e8bb36cec2b9379038f1fca0b1
SHA512 1b9f1880dd3c26ae790b8eead641e73264f90dc7aa2645acc530aad20ad9d247db613e1725282c85bca98c4428ac255752a4f5c9b2a97f90908b7fe4167bb283

\Users\Admin\AppData\Local\fYk\VERSION.dll

MD5 c8a3860e5f9f8c7f08111b604a28bf3c
SHA1 b2954e3ead5007d14d747919c7619fd13067937c
SHA256 ffc046f77a7066f30ba558a6b16c03bd58a211a26d7111e76ca6ac2a22208578
SHA512 ac481f2e4c4cf1115ec92dea334bb2e88e1879a31e881792bde49a300f5a7722a806b364c40eeb9f4493d05a3aae637ec484ff7d8ccc3f86dafb157d58abcb1e

C:\Users\Admin\AppData\Local\fYk\VERSION.dll

MD5 d077a7c8a72a4c38242d9f9006f3ec64
SHA1 75b51aedb3bba8b777193252412204d9ea9bfd57
SHA256 0e10cdef30f77054f779e0f30b8d5211811348dd9dc9c2740ab71897c69e3180
SHA512 dab8f8aca4394394cdeee0914a8d00b849d6fc5b25d665a724d7d7e201fe2940a3f0aabf79de4c65479e454086a1523437b80238fc3d4d78fa7ca509ec4aad32

memory/1084-101-0x0000000000190000-0x0000000000197000-memory.dmp

\Users\Admin\AppData\Local\1EiEYL1K\SYSDM.CPL

MD5 35f6cc30a6071d65903d099e339e313c
SHA1 a6484f372904c0e6781f61086169d91070a40dff
SHA256 87c4a990c1b6bfa1391c38e7a91b3f51322e705c84a7f177ae587f4f23e61ad5
SHA512 150f59c19bcb5fbc5ce062c3ca8a94fda7514ee066948ccb09ebd3821652799fcf1679d69d362ea7398b2ff648cea35c9c603fd82ce33ba3c874318f0a235ed1

C:\Users\Admin\AppData\Local\1EiEYL1K\SYSDM.CPL

MD5 0c8d9b455aa11e7dc816e8d38a4d02a3
SHA1 9bb035f745e8b8b5c2fed292732bbdedf484c791
SHA256 f63046aca45b95b373350d49615056838b1427677595015f30b85946f73e4d48
SHA512 6e722e304f2bc95db22a4351049d7656770754d1b44f03c7d2e42c4090fbcafa678354e75a6f986a1e4681c352308990c9fc2f42fc0a575e4926a8966f9228cc

C:\Users\Admin\AppData\Local\1EiEYL1K\SystemPropertiesComputerName.exe

MD5 bd889683916aa93e84e1a75802918acf
SHA1 5ee66571359178613a4256a7470c2c3e6dd93cfa
SHA256 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf
SHA512 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026

memory/2144-118-0x00000000001F0000-0x00000000001F7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

MD5 387f9ef34fe7e26fb9d4e968c43f78c9
SHA1 3b02dbc7afb972985cc847061bcd242b216e8ef8
SHA256 0bf196619616bf11a8692ffd64836fee6aae505bbc185869e7862d421b2d9027
SHA512 56221d2b89129b908833da5fd7dd3341797cdf85f379496200e6f957d8d98fffe09a440bdd67698659db4b9a20406fb272606aa7bb3d84def09cf843aebfa609

memory/1244-143-0x00000000772D6000-0x00000000772D7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IETldCache\Low\M0\UxTheme.dll

MD5 f7a68cfdd1ae28a7cc4ad3f3a625ad67
SHA1 08ecded9f291b9e23bc8fd7567c41fd008cec7c1
SHA256 def08bf29a1119052d06d367a93f77843b0924bbea639f332741bd2d012a1ca5
SHA512 5f257662b397fa320981292e0e5466e04f11a9c4b36dc1a2b75b2c6874f83e2056c563a62b46b26b6cddc7deb0d38ffaba53a5d3a40bfc46c79acdebbb1fb22b

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\UxkMfgDlgWS\VERSION.dll

MD5 b0f443613e2ed42b8e03a875ea5f3ec4
SHA1 8991ac75af6d4b3a7945cb4eb3bb9a29aa46b10c
SHA256 23874b39912c1f8fce8a4341bf6000120f1775ef0399258804d43123a83a16bf
SHA512 154b8c624bcd9e622fb8b979ecf512b5f0542a4a4f9b5077f0f4306288b33c9d1238c15ef9939eb3532700904c5ba9649b3a9d6488ce2367319498ecda399d29

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\7WZg\SYSDM.CPL

MD5 abb0d2475979dc8ebafdb514b56a2e86
SHA1 827a6e7608e0f968dc4ffc8bb5c0e8dac2345d41
SHA256 e06ea96c87d9c8c0d68fe144e3d3f01cf11f56eeeee8cac86707f9296387492d
SHA512 091b77204b64510658ac205bb61dbb018798c6d01582299027a0749b652e156b86b3e8de51430379f817dcae6aa2aa5dfc921d5f81e93d958c0836db5373dee1

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-26 05:17
Reported 2024-01-26 05:20
Platform win10v2004-20231215-en
Max time kernel 152s
Max time network 157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\767b661339f842a24584de1cfd7ff58a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loeeeopgcaia = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\ICxF9fmWOMp\\RecoveryDrive.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\zczKA\perfmon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 3336 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3464 wrote to memory of 3336 N/A N/A C:\Windows\system32\MoUsoCoreWorker.exe
PID 3464 wrote to memory of 3864 N/A N/A C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe
PID 3464 wrote to memory of 3864 N/A N/A C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe
PID 3464 wrote to memory of 4520 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3464 wrote to memory of 4520 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3464 wrote to memory of 3900 N/A N/A C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe
PID 3464 wrote to memory of 3900 N/A N/A C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe
PID 3464 wrote to memory of 3340 N/A N/A C:\Windows\system32\perfmon.exe
PID 3464 wrote to memory of 3340 N/A N/A C:\Windows\system32\perfmon.exe
PID 3464 wrote to memory of 2320 N/A N/A C:\Users\Admin\AppData\Local\zczKA\perfmon.exe
PID 3464 wrote to memory of 2320 N/A N/A C:\Users\Admin\AppData\Local\zczKA\perfmon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\767b661339f842a24584de1cfd7ff58a.dll,#1

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Windows\system32\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe

C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe

C:\Windows\system32\RecoveryDrive.exe

C:\Windows\system32\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\zczKA\perfmon.exe

C:\Users\Admin\AppData\Local\zczKA\perfmon.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/4740-1-0x0000000140000000-0x0000000140203000-memory.dmp

memory/4740-0-0x00000193959C0000-0x00000193959C7000-memory.dmp

memory/3464-4-0x0000000002D40000-0x0000000002D41000-memory.dmp

memory/4740-8-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-7-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-9-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-10-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-11-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-12-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-6-0x00007FF84726A000-0x00007FF84726B000-memory.dmp

memory/3464-14-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-15-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-16-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-17-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-18-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-19-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-13-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-20-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-21-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-22-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-24-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-23-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-26-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-27-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-28-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-25-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-29-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-31-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-32-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-36-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-38-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-37-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-35-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-40-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-41-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-42-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-43-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-45-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-46-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-47-0x0000000001030000-0x0000000001037000-memory.dmp

memory/3464-44-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-39-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-34-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-33-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-30-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-54-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-55-0x00007FF848260000-0x00007FF848270000-memory.dmp

memory/3464-64-0x0000000140000000-0x0000000140203000-memory.dmp

memory/3464-66-0x0000000140000000-0x0000000140203000-memory.dmp

C:\Users\Admin\AppData\Local\hun60\XmlLite.dll

MD5 2b8149b75caf86521bdd3888ecd6fb7f
SHA1 49b9248e1419bc0ba206b38c0a6e64eba60875ff
SHA256 09eaad9c5c60064016ff94b0b569806693b14d630a5c6115dc15ae84333dd8a5
SHA512 b354110cc4549ec17510a20f152496025433ceaca330c149fa350229cb2a4fa5fc917342084147607d4a1c6a22d9c69f30dfee3e6afa60a51656a9d50d5c8e8e

memory/3864-75-0x0000028964C30000-0x0000028964C37000-memory.dmp

memory/3864-76-0x0000000140000000-0x0000000140204000-memory.dmp

memory/3864-81-0x0000000140000000-0x0000000140204000-memory.dmp

C:\Users\Admin\AppData\Local\hun60\XmlLite.dll

MD5 d9788eb9c606dc0e1026594b54b8586c
SHA1 03c1eb8f5f69a249bac3bdfdfdc50321ccb4a666
SHA256 962a72967037d6a7b6aa02a48a0f61a13528e7d859f0b23cf250d5b0ec0db079
SHA512 54dad99dd5024e091a6c11978b7629e09265db9cc674928b91766983a246c3fabf8163680916d1424d6ea4d7266ff5b1d9840aca9f954c89bebd7b75a7325fde

C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe

MD5 a9f832070aeb475b2c506c2d68ad5225
SHA1 9663de78c286e25430211a79fb2046d6b113c8a4
SHA256 6b6a76f581f6d4749e5ee7c8db4953674645604473dcb9ace3845812ab8342c6
SHA512 a3ed2ec5534e1884a5c6c20faa979b9bcaf43b6c27c426bdb8145238b1cbec9ee83af6293d28e4a5707d1bbea194605978e2c93241db25c4e957ca0bb4c801f8

C:\Users\Admin\AppData\Local\hun60\MoUsoCoreWorker.exe

MD5 ffb0966c6bcdf74f3d829337e69adb22
SHA1 982e88941a43ada22d4cfc289812700b03d05b1d
SHA256 e476fa9a77feb177033a8260fff32a17adc7b3dd5aa1e1b866a1ad3d46084bf6
SHA512 5048f3fbb84eaca777d2f83f11d6e5c983bc06bb6dacc6fe6d58bc01c097543f4ab174f509c6b4a2fcc8c0004a7d411e2f086592178e0a455af1224868275ad2

C:\Users\Admin\AppData\Local\c3hKHAicR\UxTheme.dll

MD5 6b116d5069c93bb6e6951999f7e299e5
SHA1 3efa069904f2b15808619f7782ea5a0cfa70b61f
SHA256 ade3ad486310bd4fee2998e94d102ec2bb6a581bab23efbb40d9badd14871e16
SHA512 34b2e858870993a0e7ccf612556e08db1f56c648a7d9d93b0712737497b11826ba82e610aba6d339d0886f9be1df5dafd849d5957f86642f76c8daa19ff457f4

C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe

MD5 64b8099e4a6b1f7a1c36671d0c10352d
SHA1 9b53b23f8e3502c5615c60b68d5a6a5a318bcb65
SHA256 ef5d2a55f33c89e3beb65fd9cd7511231ecaf19a2cd863f84d9d8c6f838f1d5d
SHA512 8b6057320af434c7d2aeb698511f850c058e1d9d37e0c168e9daedb5e45e6b29b64531db44ddfe1db06a21267381c48f083c0c7d1d12cc779f0ee00fd116cd7d

C:\Users\Admin\AppData\Local\c3hKHAicR\UxTheme.dll

MD5 fd5f4081ee8502d29506ffab9226f0ea
SHA1 4ac3c1e43655c61283c1d8b0fb2a4952f6fc8e34
SHA256 14a0740d8d0d4a2ca2574450c40253ddad48bbd5526535f6ea267892acd6c932
SHA512 c4592fa92549894f9991ded78b2c43f64f86258f869fefba400e5ca546ce6f8d79549c3511eb6fd72e778473676c7de3d6130fae92abd7bb2a53b37918bfe731

memory/3900-92-0x000001C84F5A0000-0x000001C84F5A7000-memory.dmp

C:\Users\Admin\AppData\Local\c3hKHAicR\RecoveryDrive.exe

MD5 8412a15bcbb2617d77b0ca3a054dae32
SHA1 ce1c1abe24fcfa0707de26399f3a390dfd21a1ff
SHA256 ff44ce6e99fc581a53fc00b4e3ddd7a05b99c226f2371b4704aa4e121af95011
SHA512 b2572d5dc34ac549b611f1060f4faa2c9ebe7de85d17199463ad6893c37fa48c114c5f01c20ff7d185d119fc91acd8520b7a2daa0a0f8c9d6610a4a047801159

C:\Users\Admin\AppData\Local\zczKA\credui.dll

MD5 0e92a19a4ca1a01c699c9651217bb13c
SHA1 56bc35b7886ff63bb8307338af3c1a951d3a4fee
SHA256 ffc4b90ace75d99d962c30c7c1139dcf3c0ec34a9372de52c181b0d7eaef0971
SHA512 7254e0333b05cef9904801543f5641efb6f18a7f0193ac7394b45601d0c84b51cfe7313a507385e158c710cfd967a8911c7a637015b6e3742dd2c3f091ac7f65

memory/2320-111-0x000002798B950000-0x000002798B957000-memory.dmp

C:\Users\Admin\AppData\Local\zczKA\credui.dll

MD5 0ea23e2f4c476502961fb7473812b8a4
SHA1 be47fc151f2662af71fe4ac2685135012b96fec7
SHA256 abe3adadb2a3f3b29eb6d441fff1a54f8bb0011128a5e25f33ce8ee56b854c4c
SHA512 45ca94ad5e9ea171fb89dbd0f185f253a0b6c1ecf9a67e20f7615e50a9067339b04650543acc80438b797b130a0402f2f1fe1c3e1a189cc40da76c4a9123e5b2

C:\Users\Admin\AppData\Local\zczKA\perfmon.exe

MD5 ad8d568e60982d26fa53c86c08149f33
SHA1 733d7c010ef44f654dcfb5417f7be17053481b53
SHA256 6439b5ed226205bea9287102b604bad9bf6ccfc636c5cea196a5e1167afc53fc
SHA512 93e05a2a88c0768332ba64d63c7bd5118bee0cd9b93ba809b9d0098f96c92be20102793ae54334f431f7ca0f9fb3e6fa62bccd72daac7c15b6190ea99f215e0e

C:\Users\Admin\AppData\Local\zczKA\perfmon.exe

MD5 d38aa59c3bea5456bd6f95c73ad3c964
SHA1 40170eab389a6ba35e949f9c92962646a302d9ef
SHA256 5f041cff346fb37e5c5c9dab3c1272c76f8b5f579205170e97d2248d04a4ea0c
SHA512 59fa552a46e5d6237c7244b03d09d60e9489217b4319a212e822c73fe1f31a81837cb906ae7da92072bd3d9263fe0b967e073110ba81da3a90126f25115fff68

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dyngdiaoitf.lnk

MD5 1adc4e2e7197b16a8ba64d5ee6f2887b
SHA1 46d03f3ca8c688746d125c699728f9e2c4eb4d7e
SHA256 8da6da494d52b68c9a9f4d90c1fd8e42caae8061c0e28d46a49600ff5a3eb678
SHA512 9ae6aead995b45e956ce6c12521697c03242110487adf622452123941b6d7ad82d6974605462862378af2fb778dee9d079653629780b014e81c27f8bb94145c5

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\rxyG9hn\XmlLite.dll

MD5 ca2f6123acb29c389ed27e7501c41340
SHA1 26b5e1f05284199684982b5203907a4885d50587
SHA256 d07dad79d6ef019fb88d02fba0bd4d1001cf0c80e21b49e8a8bb50282db7d0b1
SHA512 0397f0f9a3cde818e98b9cb0a0a9a1a89bd8d4ee6449a9d558e96a42ecadf325a363a21ea7e3fbc43788ef41117bb75412f8a8738d5643bc5bab2452231eb6f3

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\ICxF9fmWOMp\UxTheme.dll

MD5 9c1833e2a0babc939c6945a3d76ec900
SHA1 2737b5715ea9497656482f45882b5a39332541e1
SHA256 2cb7976e0501232818963f95aca412cd162a06db4e2e0aeaf52eb46f01bb57e4
SHA512 95f7f255d8631f1e94f342b1e9cafeedad2cb64176fad33789afdf5c3df2dd43ebaf380508e1c694176446b7fc375b5773320d4dfeb01d3507c17a6bdb69b4ea

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\CsIZGcz\credui.dll

MD5 7c3d532854c1583d1dafdd19a325d240
SHA1 2579363112f72461e9c7f27be95b80d3c73a4896
SHA256 c77333e92b5cd0ee200e2d45899b101052bab5e19d78baaa6e7b8b1cc8d3fbe9
SHA512 8e1732257fa5b65be8c20d380d529ec62cf9ab480c8f276af56b751183da7f50148c99cc89fc9cc6f3a736c89da0c49d3cdf96a5f0ec4aabfd87001c6b41e7c0