Malware Analysis Report

2024-11-13 16:41

Sample ID 240126-nzpyxsedak
Target 7747f0093a61bd648a9356cf2797bc88
SHA256 2a93a9d8dcfa728e06e4cde541d13154ee6a07f1439f177e54d31dea176dc681
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 2a93a9d8dcfa728e06e4cde541d13154ee6a07f1439f177e54d31dea176dc681

Threat Level: Known bad

The file 7747f0093a61bd648a9356cf2797bc88 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 11:50

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 11:50

Reported

2024-01-26 11:52

Platform

win7-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7747f0093a61bd648a9356cf2797bc88.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\0bPa\wisptis.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\VkxLniYdti\\OptionalFeatures.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\0bPa\wisptis.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (61 further events with no recorded fields)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1200 wrote to memory of 2708 | N/A | N/A | C:\Windows\system32\fvenotify.exe
PID 1200 wrote to memory of 2708 | N/A | N/A | C:\Windows\system32\fvenotify.exe
PID 1200 wrote to memory of 2708 | N/A | N/A | C:\Windows\system32\fvenotify.exe
PID 1200 wrote to memory of 1272 | N/A | N/A | C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe
PID 1200 wrote to memory of 1272 | N/A | N/A | C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe
PID 1200 wrote to memory of 1272 | N/A | N/A | C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe
PID 1200 wrote to memory of 2200 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 1200 wrote to memory of 2200 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 1200 wrote to memory of 2200 | N/A | N/A | C:\Windows\system32\OptionalFeatures.exe
PID 1200 wrote to memory of 1676 | N/A | N/A | C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe
PID 1200 wrote to memory of 1676 | N/A | N/A | C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe
PID 1200 wrote to memory of 1676 | N/A | N/A | C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe
PID 1200 wrote to memory of 1812 | N/A | N/A | C:\Windows\system32\wisptis.exe
PID 1200 wrote to memory of 1812 | N/A | N/A | C:\Windows\system32\wisptis.exe
PID 1200 wrote to memory of 1812 | N/A | N/A | C:\Windows\system32\wisptis.exe
PID 1200 wrote to memory of 1052 | N/A | N/A | C:\Users\Admin\AppData\Local\0bPa\wisptis.exe
PID 1200 wrote to memory of 1052 | N/A | N/A | C:\Users\Admin\AppData\Local\0bPa\wisptis.exe
PID 1200 wrote to memory of 1052 | N/A | N/A | C:\Users\Admin\AppData\Local\0bPa\wisptis.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7747f0093a61bd648a9356cf2797bc88.dll,#1

C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe

C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe

C:\Windows\system32\fvenotify.exe

C:\Windows\system32\fvenotify.exe

C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Windows\system32\OptionalFeatures.exe

C:\Users\Admin\AppData\Local\0bPa\wisptis.exe

C:\Users\Admin\AppData\Local\0bPa\wisptis.exe

C:\Windows\system32\wisptis.exe

C:\Windows\system32\wisptis.exe

Network

N/A

Files

memory/2076-1-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2076-0-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-4-0x0000000077936000-0x0000000077937000-memory.dmp

memory/1200-5-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/1200-14-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-13-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-12-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-11-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-10-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-18-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-17-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-16-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-15-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-23-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-22-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-25-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-26-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-24-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-21-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-20-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-19-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-30-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-35-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-39-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-41-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-45-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-46-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-47-0x00000000029F0000-0x00000000029F7000-memory.dmp

memory/1200-44-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-54-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-56-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

memory/1200-55-0x0000000077A41000-0x0000000077A42000-memory.dmp

memory/1200-42-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-43-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-40-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-38-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-65-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-70-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-37-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-71-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-36-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-34-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-33-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-74-0x0000000140000000-0x00000001401BA000-memory.dmp

\Users\Admin\AppData\Local\HxQ5f\slc.dll

MD5 af9a68a3e01f7f211c7d4b121e62e811
SHA1 c9b7ff3368e04fde8d9992f041264a78c4858d17
SHA256 aa15d52b77ac696d9ff202948bb41a77934ddd67a1b9c32e8d7d6d0c4555c166
SHA512 fac6bdf782dde40cac15fab983860e6d822fa58fb2c5fb912df2eefbb7db4260dc61ea9c5ff7f9435e76fdc656f22235dd717a75c5af2c5949376534aa5c7d36

C:\Users\Admin\AppData\Local\HxQ5f\slc.dll

MD5 f9c76c892da470d035f4cf35a273bb11
SHA1 56696489f9cef68e27661053a9848ece877ef25a
SHA256 f8555ef53c96e8e0c5dce8f219e9c3e6d7f38cb10594e60687ddb9df276101fa
SHA512 0d61cbbf9d716c7e517eab49544baf44499841ce6bf467f392f3520882e632530101875c141098a6c0c562ef803500985a7fdb43e0e3e3d226678c4baebfe40c

memory/1272-84-0x0000000140000000-0x00000001401BB000-memory.dmp

memory/1272-83-0x0000000000280000-0x0000000000287000-memory.dmp

C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe

MD5 e61d644998e07c02f0999388808ac109
SHA1 183130ad81ff4c7997582a484e759bf7769592d6
SHA256 15a85cd6fbcb1ec57d78f986d6dd8908bd56231ce0cf65775075512303f7e5fa
SHA512 310141b73394ae12a35f8d4f0c097868ee8a8045a62dd402a5dfbe2151980dd4fe18409ae3ca9422e3b88b2fa9afb04c1acbf8ec23a937a0a242b32a9a1e9272

\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe

MD5 7131ad4a12df34d0e567a9413a77283b
SHA1 2524a23e913a54c0523058bb419885b8bf32ad27
SHA256 49ed5b1c177f4917bf3e848ca94b93bd11ffdfc64c613b5cb3aa8ca5b2694c08
SHA512 956d38f8faebbae0c9cf15d243f59a2e27893e210b0ba4a2ff28a6b57a13c7fc9ccacb8a538495f65237046254e05f3c691b1e67b520d34867586788a6a239e6

memory/1200-32-0x0000000140000000-0x00000001401BA000-memory.dmp

C:\Users\Admin\AppData\Local\HxQ5f\fvenotify.exe

MD5 b266d79ad87fd2edcdc6a64f7caaa18a
SHA1 7a67208f878217d2f164fa4e3dee4aa10efeb51b
SHA256 5ae190208ad66ae21fc7696843e6d92fe78e1d03d77488e989cb17e8c13d8bce
SHA512 6be3fd27966769c04157c907f04c0aaaaa472976f2126755a168008cbe258bb986ee67fc04892ba806d5bb798d12599cb78c2f803e3c6e4e43191d3c49289a10

memory/1200-31-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-29-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-27-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-28-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-9-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/2076-8-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1200-7-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1676-104-0x0000000000220000-0x0000000000227000-memory.dmp

\Users\Admin\AppData\Local\E7vDW6Ff\appwiz.cpl

MD5 4452b41ddc6186378ecba67550600199
SHA1 6a5f5c58682339d7c9f4d2a13f77e68082284230
SHA256 b3ff19a18d332b851ed6c1eebc74d08ad0790e30b75e4d658be9ba63e940e75c
SHA512 d3edf04a56bfd5b2b324c41b784b5b7c59d788cda9c7f1170b397ed054faa9178d006cd757c09cc7e1620b8e9485bdb118e346908334451d53af4da363ea9a94

C:\Users\Admin\AppData\Local\E7vDW6Ff\appwiz.cpl

MD5 84916e2ab92b5fd4a21e9da202a4f5e7
SHA1 aac4f64a36c7acb26662f878bdbeea128a84779e
SHA256 6bcbe0bbeeda09f9095c78edb1e279d61ee0ce53431908712a542ee57f80e56c
SHA512 688216a6ee2a48c3c572c1a79a0b8d729b587a5562c39d7aac74b405c09f106b05f6c730d05ff500936e93013145131ed4b3168948bf4b0a6069b5cff5a076f6

C:\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe

MD5 2098f9e5f964089dfdb02f2a86eae1b0
SHA1 fbbaac160ac1a8ea4bd681d3b96cb9a4f163e95b
SHA256 f319f4fb7f351f87b8a43d878b390bf148db2632bfaba0a589c0830b34d948be
SHA512 e294eb7412f8b661657480688c3634ea163471932d3b8d3a8f831a1b997a7b19e862c9a2fddc0d16f22a10f0141598aaaf5496f662de7b7e1cf612ae302e5547

\Users\Admin\AppData\Local\E7vDW6Ff\OptionalFeatures.exe

MD5 d26e5d3013049fa2df28f560ce87e84d
SHA1 fa92eea122ac6d47360c47eb4ef09e06bd2899ae
SHA256 5a0d92c397f413647f6c2b007789c8aa90dd87d25bc6e27bb9ca60af3617c37e
SHA512 e01a0e27799b493001d71b83f196c1c4bc8d327bb0a6eb835c942111779bb2a2728d88ec145bb8e8a69fe0c54c917244b940c8b9ce26ec6801422bceee4342b3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\VkxLniYdti\OptionalFeatures.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\0bPa\MAGNIFICATION.dll

MD5 a5253ceb3ef871026150fc39d8210c00
SHA1 6dda88557951075dba52502d7ca435b4c9ea0565
SHA256 b8f96dbec068a942ba478773e31b27b9e4fd824aaa3d095d46d6d4e3fef08b66
SHA512 eaf7f5502a0324310448fc2ebba2947c1722e6370cf0ae719570dfd2142408ec18a642172e769496ea4416a8a11842a22589fd1a2b24b1f0652b250f0d89f8ce

C:\Users\Admin\AppData\Local\0bPa\wisptis.exe

MD5 c157117e072112b1ba8b13a1e008305b
SHA1 93ec97d1fb8223003146fb53c6a504d07cd5f8a5
SHA256 214eba3e76e0db9e946bb2c33207e7be999d15888f75f528bbbe33ea0258b1a1
SHA512 e46006b6c745f0f3a88ed7f937d07b2f2a999283416c191ef7a9f0f6105311574218e12b51316301d454352b7ba6a99f563d0823b889546692e59c6c465dbd23

memory/1052-120-0x0000000000420000-0x0000000000427000-memory.dmp

\Users\Admin\AppData\Local\0bPa\wisptis.exe

MD5 3a35e48f365545a5152c07a2d1d5fc21
SHA1 138ab5b33ddd0f0159e8ab36ec515f94f5da1984
SHA256 5b2dfb639daf8455c18f87549901a52e6c62cfa9c3d2042885a3f58d5a5ef907
SHA512 bb8d6cc40e5f1a1cdc105af667d3fb3b8ddb93763c8c74df7078adc075a7c8682b30b5e9a6a34d37aff1202c9be7a7cd4bb75b275646eb2b447cd9e3f8ddb361

C:\Users\Admin\AppData\Local\0bPa\wisptis.exe

MD5 84e36bafa0f5b763e8d6417e16964b5f
SHA1 82d0a025f86743704809a4f814f9336977a6c903
SHA256 d9589c39eac05be04fbf0fc85e04f06f5f9e30025a3b09217571125c9a887355
SHA512 e8b7e54a6591f57d81a4409682445d87f0c02af54d48e4a4fc6b64ca0badfb74eed94dd5e4c96bb159207151c3182e3d61688a1c9d357ac372d5dfd9840645d0

memory/1200-149-0x0000000077936000-0x0000000077937000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\YUSPOJVh\slc.dll

MD5 07da27c96e63838cd7f2b243d92063fe
SHA1 3b00792d7eeb81663781b92a35b8960cb2dedc1f
SHA256 e4886cdad647b16151cc0255e4cf229108f135252c43ff74bc1ec8771b2f965e
SHA512 c29e4c4678cb27ced665353dde3c47fa9bc9001f1c1fdbe8c0fe623c330b7284983d7baa312e77863441c6bd6836273bdb9c7ef64bd670cb40f69a28fa1d2b19

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\VkxLniYdti\appwiz.cpl

MD5 e572e7a377695e6d436a4e6aa11e6193
SHA1 e2c1b105ad3a3eb0d24ef3f26f217374981cbc1a
SHA256 64e33d8a4d50812933de39a6992da64d92074f953a1c511d54ee449e1191221f
SHA512 0d6c9a281cd3997bcb526e2535877915b16b8114fe97582f1c4c2ad40af13a20de9727049b145877ac071ae66c0c900e5eb12b5d2a8ad550d7c65434501db94f

C:\Users\Admin\AppData\Roaming\Microsoft\Credentials\DBzm\MAGNIFICATION.dll

MD5 72bc675d77a744b1f951e553c2816ea2
SHA1 36d00a3d4ed648925fce64816bca4b7f69bc2d79
SHA256 3415c0f9b27c7113e8d7a5f21385677ba1a7f9a845fab0687d0947c3759695bf
SHA512 c14947625d3a8b2080c65e1257d1985d77b884ac4829d590c825dc44d0d77fb26a153c6386c934fa111cbd98331299d3844de547766d373749a4d3326945c273

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 11:50

Reported

2024-01-26 11:52

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7747f0093a61bd648a9356cf2797bc88.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fidpgamyc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\lp5CtG\\eudcedit.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\KHa\quickassist.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | N/A | N/A (60 further events with no recorded fields)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3380 wrote to memory of 4888 | N/A | N/A | C:\Windows\system32\isoburn.exe
PID 3380 wrote to memory of 4888 | N/A | N/A | C:\Windows\system32\isoburn.exe
PID 3380 wrote to memory of 2788 | N/A | N/A | C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe
PID 3380 wrote to memory of 2788 | N/A | N/A | C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe
PID 3380 wrote to memory of 1276 | N/A | N/A | C:\Windows\system32\eudcedit.exe
PID 3380 wrote to memory of 1276 | N/A | N/A | C:\Windows\system32\eudcedit.exe
PID 3380 wrote to memory of 2800 | N/A | N/A | C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe
PID 3380 wrote to memory of 2800 | N/A | N/A | C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe
PID 3380 wrote to memory of 4488 | N/A | N/A | C:\Windows\system32\quickassist.exe
PID 3380 wrote to memory of 4488 | N/A | N/A | C:\Windows\system32\quickassist.exe
PID 3380 wrote to memory of 4088 | N/A | N/A | C:\Users\Admin\AppData\Local\KHa\quickassist.exe
PID 3380 wrote to memory of 4088 | N/A | N/A | C:\Users\Admin\AppData\Local\KHa\quickassist.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7747f0093a61bd648a9356cf2797bc88.dll,#1

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe

C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe

C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe

C:\Windows\system32\quickassist.exe

C:\Windows\system32\quickassist.exe

C:\Users\Admin\AppData\Local\KHa\quickassist.exe

C:\Users\Admin\AppData\Local\KHa\quickassist.exe

Network

Country | Destination | Domain | Proto
US | 20.231.121.79:80 | | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp

Files

memory/4868-1-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/4868-0-0x0000014258850000-0x0000014258857000-memory.dmp

memory/3380-5-0x00007FFB5BB6A000-0x00007FFB5BB6B000-memory.dmp

memory/3380-4-0x0000000003600000-0x0000000003601000-memory.dmp

memory/3380-7-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/4868-8-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-9-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-10-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-11-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-12-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-13-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-14-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-15-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-16-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-17-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-18-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-19-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-21-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-22-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-23-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-20-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-25-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-24-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-26-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-28-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-29-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-27-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-30-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-32-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-33-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-34-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-36-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-35-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-31-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-37-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-38-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-40-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-43-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-44-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-45-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-42-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-41-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-39-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-47-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-46-0x00000000030D0000-0x00000000030D7000-memory.dmp

memory/3380-54-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-55-0x00007FFB5D7A0000-0x00007FFB5D7B0000-memory.dmp

memory/3380-64-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/3380-66-0x0000000140000000-0x00000001401BA000-memory.dmp

C:\Users\Admin\AppData\Local\fzQ1UvIMV\UxTheme.dll

MD5 7dd72ec1fe877bf9667e63860e11b8b1
SHA1 b13e8a928de3af87208949c024d20d000880df1f
SHA256 7d8dda363470163994ccdc381f6231bd7dc3ba9655bb619a15f135d3b8c9860f
SHA512 238899be24cbde891ce48fcdd9fef7b92773b50c1ccdaae6deef27018b549524deae18b9d476501be2a455865a73753083f3a0c77e987aa836decc9a016478d2

C:\Users\Admin\AppData\Local\fzQ1UvIMV\UxTheme.dll

MD5 c4ae0c89306390bd0c132b1a366ed683
SHA1 67743a161fa42f19d86bca2f306fb56a49af1710
SHA256 fe27d49f45c771c8e3a9c4a4655643352dd27545031ae0a5854d21b99a96c239
SHA512 347410dfd97107e9672931e90d8f203146cf9e9909e2aea30428fe685b8b07d0a7cd8d1b8eb8eeade995fd217c2a7e48ade8cec33136791b17b37c67ded62c93

memory/2788-75-0x0000000140000000-0x00000001401BB000-memory.dmp

memory/2788-81-0x0000000140000000-0x00000001401BB000-memory.dmp

memory/2788-77-0x000001721DC40000-0x000001721DC47000-memory.dmp

C:\Users\Admin\AppData\Local\fzQ1UvIMV\isoburn.exe

MD5 68078583d028a4873399ae7f25f64bad
SHA1 a3c928fe57856a10aed7fee17670627fe663e6fe
SHA256 9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567
SHA512 25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

C:\Users\Admin\AppData\Local\p7Fxwh3\eudcedit.exe

MD5 a9de6557179d371938fbe52511b551ce
SHA1 def460b4028788ded82dc55c36cb0df28599fd5f
SHA256 83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe
SHA512 5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

memory/2800-92-0x0000021108470000-0x0000021108477000-memory.dmp

memory/2800-93-0x0000000140000000-0x00000001401C1000-memory.dmp

C:\Users\Admin\AppData\Local\p7Fxwh3\MFC42u.dll

MD5 b033b5ea88f9c68e78d36a86f9e5a857
SHA1 9ee0a8ffaf696d744fb2c939536ab40ab0741fb5
SHA256 be0da881793ca1975ca3996417951a65a578f758e04c7bfbed85bb9601b28552
SHA512 30faf690cc124b04aa1e0a160fa71790f478b8ee5a54362e97da48dd1fc0393e2b0eb7808b6411d8d973a67fe69cc83b1823d7aaebe69df843fb771e8e1b99a5

C:\Users\Admin\AppData\Local\p7Fxwh3\MFC42u.dll

MD5 6027b47258cbd04e04381400faa9ed80
SHA1 7545f2da4a6f70c07ea378593a6cf8c904b0cda8
SHA256 b2824f2a80c7c79cbfd20731a097cec51b349e8b9e8d68aa8e7020d2c834c715
SHA512 31a4109271f3228faf43cb573d9a6fb5a3003260a51858d604d26925cf640e6605ffacd9b2a2d7da2096f08481adcf7c15313fb727a4d15b53bcad9d90a42dbb

C:\Users\Admin\AppData\Local\KHa\UxTheme.dll

MD5 aecfb8a223946b5d005cc07fb5e85e0c
SHA1 43f4e23bb4b62b4c994a00d32f5cf595b86926f7
SHA256 dc4970b703b65c3c31c7392e63470a0bdca54794a55112b14dcaf811a7fb43b1
SHA512 25d9e1266123c056a4c7f5d062d656c832371fb95bed8b947562aa0928f6e55cfdc16f2c68659c7fac7490d8fbbbd2995f5060939b805b1b6a0ce05ad8867bc7

C:\Users\Admin\AppData\Local\KHa\UxTheme.dll

MD5 213c40d094b5fbe42b2e571842d509da
SHA1 e9976d39656009e618af27c46629ec1c3caf4f3f
SHA256 b4e4a1082b770be47ef79b6dc3db3677adc14daae328dda0dad4af4c39df117a
SHA512 c16190a7dade514051ab3ad5b5979520bcfd939c68ee34b3a0f47533b55a692d7bc9692ca1df891d5cb1c0584109fad5d3d57ff0d7db9e9f864c899838b60db1

memory/4088-111-0x00000261FE6A0000-0x00000261FE6A7000-memory.dmp

C:\Users\Admin\AppData\Local\KHa\quickassist.exe

MD5 d1216f9b9a64fd943539cc2b0ddfa439
SHA1 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
SHA256 c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
SHA512 c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Enpllr.lnk

MD5 57e6455139b7dad256543f59de4e6369
SHA1 b420fe8580101b3bce9429a8c558008de4fc859e
SHA256 a42d731a250b877906113fa8cc6fa8d288185e6c9d58764c6886df05e1f40c71
SHA512 97a59e269f5137b785332a8c7b18a03e44161c9523149edd22a2bc8baa8fa4ba7b5e1b6069e6df085d008b95aa2397ecec5de206f0bcf549139ec470aa3d4c01

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\T6iRqx2\UxTheme.dll

MD5 de1dadcaa1ba24b0e19457b39e750416
SHA1 9b249407252d92e6cf30390687745901d3a3ca77
SHA256 18cb5f964acba5dff393b3b10933993612918e8041f735fbe874e2fd06bc879a
SHA512 f24fb23856249b8f970cc44d94e2b4943c12748fc05f7f6097fbf421b78c3a1f85b75b17d2c423e3077dfa7fca7ec3b00e3be8e40f5080d52a80ef18afbb7247

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\lp5CtG\MFC42u.dll

MD5 86563819e97e99f877cca706b07c8edc
SHA1 38c9e6c27bc1129966ac722a5f89abe3cbd03cd9
SHA256 56e9f74e3345f1a608724b2f475a80033f70160e2085dee7b4e877b6dfb1df1d
SHA512 a6e140018488d41e0a66636403485f99f9b360cc16561a59b2926b918a1f6e551be72c04aa9806d2ceb46c1da6c67bdd8e6ae253bbfb6d3c5419962edc18e77b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Lvq\UxTheme.dll

MD5 0e821ba42f3184fc0abae1193d5cb101
SHA1 f86cbec6000dab84b0e8ef97e941c01f14a7d692
SHA256 24dd8879f44db9214d0de70b0760849665ff37accfa6084178fa0294f0fa5f33
SHA512 cb976c84413714040b919115ac423bf3a54808688d333402eefbf355b538512b3a536f0263bd2d8d47b7494302c12fa5201318cf59af35923980c3fc0bf5bf0f