Malware Analysis Report

2024-11-13 16:42

Sample ID 240126-qwrz8agbfq
Target 77810543496dc906d195460796a0219f
SHA256 3df740c27f3febda3ee2de2dfb8825fec9efdf4017ef648ff61b91d77f76f8ba
Tags
dridex botnet evasion payload persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

3df740c27f3febda3ee2de2dfb8825fec9efdf4017ef648ff61b91d77f76f8ba

Threat Level: Known bad

The file 77810543496dc906d195460796a0219f (a DLL, run through rundll32.exe by export ordinal #1) was classified as Known bad. Both detonations show the same loader chain. The sample's image is mapped at 0x140000000 in a second process (PID 1200 on Windows 7, PID 3428 on Windows 10), and that process writes into instances of legitimate Windows executables and into dropped copies of them (sdclt.exe, rekeywiz.exe and rstrui.exe on Windows 7; AtBroker.exe, systemreset.exe and EhStorAuthn.exe on Windows 10). The copies sit in randomly named directories under %LOCALAPPDATA% and %APPDATA%, each beside a DLL carrying a Windows system DLL name (Secur32.dll, slc.dll, SPP.dll on Windows 7; UxTheme.dll, DUI70.dll on Windows 10). That layout is DLL search-order hijacking: the copied executable resolves the import from its own directory first and loads the attacker's DLL, which is why the "Loads dropped DLL" hits are attributed to the copies rather than to rundll32.exe. Persistence is a per-user Run key pointing at one such copy, a .lnk dropped in the Startup folder, and use of the Task Scheduler COM API.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-01-26 13:37

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 13:37

Reported

2024-01-26 13:39

Platform

win7-20231215-en

Max time kernel

150s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\77810543496dc906d195460796a0219f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Process
C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe
C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe
C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe
(4 further hits with no process, indicator or target recorded)

Adds Run key to start application

persistence
Set value (str): \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd
  = "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\ebxK\rekeywiz.exe"
(\REGISTRY\USER\<SID> is the HKCU hive of the logged-on user; the target is a dropped copy of rekeywiz.exe in a random directory under %APPDATA%; writing process not recorded)

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Querying processes (same query from rundll32.exe and from each dropped copy):
  C:\Windows\system32\rundll32.exe
  C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe
  C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe
  C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe

Suspicious behavior: EnumeratesProcesses

64 hits: 3 attributed to C:\Windows\system32\rundll32.exe, 61 with no process recorded.

Suspicious use of WriteProcessMemory

Writer PID  Target PID  Target image                                       Writes
1200        2588        C:\Windows\system32\sdclt.exe                      3
1200        1792        C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe       3
1200        2628        C:\Windows\system32\rekeywiz.exe                   3
1200        2660        C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe   3
1200        2912        C:\Windows\system32\rstrui.exe                     3
1200        2492        C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe       3

The report does not name the image of PID 1200. It is not the first process dumped (that is PID 2140, consistent with the rundll32.exe launcher), but the memory dumps show the sample's 0x140000000-0x1401B7000 image mapped in PID 1200, so the writes into the six children come from a process the sample had already moved into. Each legitimate System32 binary and its dropped copy are both targeted.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\77810543496dc906d195460796a0219f.dll,#1
C:\Windows\system32\sdclt.exe
  command line: bare image path, no arguments
C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe
  command line: bare image path, no arguments
C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe
  command line: bare image path, no arguments
C:\Windows\system32\rekeywiz.exe
  command line: bare image path, no arguments
C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe
  command line: bare image path, no arguments
C:\Windows\system32\rstrui.exe
  command line: bare image path, no arguments

Each legitimate System32 binary is started alongside its dropped copy; none receives arguments, so the malicious logic must come from what is loaded or written into the process, not from the command line.

Network

No network activity recorded in this run.

Files

Memory dumps are named memory/<PID>-<sequence>-<start>-<end>-memory.dmp. The 0x140000000-0x1401B7000 region is first dumped from PID 2140 and then repeatedly from PID 1200; the dropped copy running as PID 1792 carries a slightly larger image (0x1B8000 bytes) at the same base. Several dropped paths are listed more than once with different hashes, so the hashes below are snapshots of a file as it was being written rather than one final artifact: match on path and directory layout, not on any single hash.

memory/2140-1-0x0000000000190000-0x0000000000197000-memory.dmp

memory/2140-0-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-4-0x0000000077706000-0x0000000077707000-memory.dmp

memory/1200-5-0x0000000002210000-0x0000000002211000-memory.dmp

memory/1200-10-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-16-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-23-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-31-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-34-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-36-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-40-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-44-0x00000000021F0000-0x00000000021F7000-memory.dmp

memory/1200-39-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-49-0x0000000077911000-0x0000000077912000-memory.dmp

memory/1200-50-0x0000000077A70000-0x0000000077A72000-memory.dmp

memory/1200-48-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-38-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-37-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-35-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-33-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-32-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-30-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-59-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-66-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-64-0x0000000140000000-0x00000001401B7000-memory.dmp

\Users\Admin\AppData\Local\rPIrD\sdclt.exe

MD5 2c2c1b7ab248604574360de489e8d06b
SHA1 819535e0636457fb5f5f2b3716d55c9ece064243
SHA256 dcd432ecefcf65a64e78582b28d9e1d8b85e8c86b3177f8f22722ceaaef06e81
SHA512 d0b021028c445c14d567bcd4902837a7ac7c2b0e32343f6281d7d6daaa3d061d966072ee0ae7e2b062e5976e67c7f39c4d7cc104c060cf79b164291b285625ea

\Users\Admin\AppData\Local\rPIrD\Secur32.dll

MD5 c3b6459c89b91aa9ff4fdc20045d0a6e
SHA1 8be63136ffb4d30742a4584e7eadab4a70ffd80c
SHA256 d682ec0f0f8d50adce18c6a87e38c1093fceaa1e157cb3e4d66e9692880d1158
SHA512 6a237dc057c2a8f366f2ca0449f6a355869ba172c90c821fddd3fc50962216c85ae406ba9902c738f59206cee0ddec54d955a35952c0be199402998e5844dea0

memory/1792-77-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1792-82-0x0000000140000000-0x00000001401B8000-memory.dmp

memory/1792-78-0x0000000140000000-0x00000001401B8000-memory.dmp

C:\Users\Admin\AppData\Local\rPIrD\Secur32.dll

MD5 759a1552bb11b444aac50ee3337fea97
SHA1 b3b97e1da25d3f0803e4add64de210ed187e0ba5
SHA256 3cab7025db18a6c2a86a097fd77b58bedd5dacded30afbfe2877d3f68dfe5299
SHA512 8f5d69838e02fe3e52a2d8e9898b6e46b4b4dccd65e5be399ae085e6f4aa1f935db5b98301f433d414b1c250de2cc92f65da76838d353773b5d02fd43dd1701e

C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe

MD5 1163292404c87d6eded602fb8ed3befb
SHA1 2523b6862ec4d2b2bfe662a4f84ac2ef105f5d88
SHA256 8b4354eb21b2f47a4a4004ef2dd74d91a23520d9bce362c5a400d9895b8703a0
SHA512 7988623abe98261e2e739e6821068edff25b61eb35aa4c8c85e70c53463e72e1b529df4e2e355ead0089cd4d1d9cd2451d64258a66438eae1d99a6bed2956c17

C:\Users\Admin\AppData\Local\rPIrD\sdclt.exe

MD5 7c61a9afc3eb453bac76d740b04c557a
SHA1 db8e5696cc5f13fdf71fa9a8e8cebeee4d7e6abd
SHA256 f5cbcc8e781ebe299c11082017933ca60eb77cc25493f95cce9b8f5faf5b2cb7
SHA512 1d68b2c8dfbd144285b2898ed33f386233b9991b35b469cefb221485ab5d2778fb4fc9edd389de063d0eaf7b621fcee62ae00849034afc8ec4b56b2ccde6087b

memory/1200-29-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-28-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-27-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-26-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-25-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-24-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-22-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-21-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-20-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-19-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-18-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-17-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-15-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-14-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-13-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-12-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-11-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-9-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/2140-8-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/1200-7-0x0000000140000000-0x00000001401B7000-memory.dmp

\Users\Admin\AppData\Local\2ipIWk\slc.dll

MD5 5fecaff146cb69f5892cce74c6f86636
SHA1 fd5fea48bbf1c2f721c105af6445ec119b4f73d0
SHA256 0f2ebd5097c11f190c6e4133c374d308950674f22a6c8e21732181e865bf9fa7
SHA512 4cbccc36ddd3694485a49e654b54e96b4a6c37d30bd09044cd783a39f86dd6816204e597cce70a850b90b19a343142b5aff6d385c03052b5500ae995a061113a

memory/2660-104-0x00000000001F0000-0x00000000001F7000-memory.dmp

C:\Users\Admin\AppData\Local\2ipIWk\slc.dll

MD5 58cfa68b97770a7f969a96920676a45c
SHA1 cbfd60488271d82d90dfe3b1935da8c454bf2301
SHA256 3f35599fc2b9aa9f9aeb1309f633627ceca29665f0259028e93529fa7056d740
SHA512 d3a440af4d12840e553b515392010ac5ce6a794b3fa9d7267f4dd5ed16947b4781777db2f7336f45aea6c48bad72548637ba4f29f017ec6435600172957079de

C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe

MD5 767c75767b00ccfd41a547bb7b2adfff
SHA1 91890853a5476def402910e6507417d400c0d3cb
SHA256 bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
SHA512 f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe

MD5 f1684e6c16e233879f90830ac7965abb
SHA1 c8ec3f7838497b54793bc515d5d5798c90018bfb
SHA256 d16e9d1bbf007fce0b1f5b7d0fe9dd05546a39dddc35b3c7b0f93e441464e3ab
SHA512 d406ed5db6c265e2e846d9550abaa7bc5c687f98ae42306192a38f29eebe5b1094e78ddbfd2f3930bd5b774851631107f3770b58a3e163fdc15db59ef18402ce

\Users\Admin\AppData\Local\Ovzd\SPP.dll

MD5 8bd0c05a23dd20469a17ff1818ff689e
SHA1 a726a1ee88399c62da3c4b28c6920d00b16b1b88
SHA256 545c8ecd3f238f3a44545dca4f51e01351b253269077036aa83899f1d8e8b94f
SHA512 092a74ce31b44ebaa703b4d6711c204c276f33523b1f5dbf48f4de6248ef17e2c0e81511fab578af367fae1c7d141013f4af20120287a11658ada3ab160a3001

memory/2492-118-0x0000000000380000-0x0000000000387000-memory.dmp

C:\Users\Admin\AppData\Local\Ovzd\SPP.dll

MD5 1d237d48070457444927a19193eae76a
SHA1 466e61a51f2dabff2ffec7742efa5c5f71b29b01
SHA256 7828b6b5a7990736572563aab8f04d0113da5cad2a3ddfaa460ce283997a517f
SHA512 ad312519d3d917ae2c5b11b09444f8483b55dfab755feea48a652e4244b179e6658bc0d891782546a8f06ab51d79fcb521d5666c16ba61b88120cdea0b16c5b0

\Users\Admin\AppData\Local\Ovzd\rstrui.exe

MD5 88dd12cc6797b17c61e2abbacf17dd4c
SHA1 cd87e6f720f1a8e0df61366aa2a70dc5c640cbb6
SHA256 e139a84bf991bd3ccf1dd849365259547f2fdac80f6abc9f98309bb0eff955e5
SHA512 1645ea75875793031215d1fe0186d1b346eb11398e2107a6ac2125aaa3947d9afeaa74f7ccda3ed6eba067c07998e2660c0652c4ef0282fd51dd6ecf292caa28

C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe

MD5 4dc3ec61408834916a3dcdf6b91b134b
SHA1 08b84f218e16036584931acd9cd010ac687c3a0a
SHA256 cc067ccea02f18d87d9337d3c5fdc1a839a6bceb35b2404f6828ab4f21dfb911
SHA512 c8a87a3acc4f8170ad18539523c2d9581fd25a1feceaf6e5e3c190fb3d9ed8152b242bdb9425cd11821137123c3bcdd8506f9913ac357c53b986ab3c8a40dd1e

\Users\Admin\AppData\Roaming\Microsoft\Protect\PWJ2lwcTmcq\rstrui.exe

MD5 b69136323ea51425c31bf6fcfd64b637
SHA1 1c0272f77499ebeb684a96e30c3f3148cb4b4aab
SHA256 06168bac05ad12c59d824d67f41ef647712cf7bcf71ca6e788d7f6e9b2a2d8b2
SHA512 d01adc1ee80428ca57b24cc9b6cdb5bec74d9fc5aebbf2f18ea6106b5b3b0f6fb0a831920b7c8cc3b15be89108061576a907c36ab88b289d86eedbb3f4e5adc3

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

MD5 358b160f1242223920b2e5ea27048228
SHA1 a6b9f46aab3c4ac4318d27d3fdf944feb88be05a
SHA256 fb79ba6be2306c2b04cb214111a4000284517e4f4a6bb50832b8c6c609156edd
SHA512 4aa8f4d75783361646f206ec2ac31cad745d9efd3fe880fbd6d8fe5d0cc562675269a094711df85317342c58a308a1d5003203f743f1f16dbc605127f2c1c7e7

memory/1200-146-0x0000000077706000-0x0000000077707000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\AQu\Secur32.dll

MD5 228fcd0e9b8225bab7d1ef1733561cd2
SHA1 3c38cf65a9e6a05f391ba75a0d715787cbdb9d2b
SHA256 d07ef0d722ed82aeca0f8d9584a322e5978cc82c0f8a5c90f4a72f0cce495f3e
SHA512 08f4ce8059bae12eb52eb7b2c7396448a436fd82cd61489aa645b7d3ad23d2468dbd86ec94fdc2edd09ec7f694c325bd8b711ebb3223660f6b3f03faf7153936

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\ebxK\slc.dll

MD5 4094b514a056fa26b348cd2300aafcc6
SHA1 b8e1529fb4282d72d9a00f27bc3c8e76ed228a7d
SHA256 95f926cb5d8f3ac7bf5e472461778d6524b2c9b6701ede37c8f353a8464f59e7
SHA512 77929d203929e4191980731f2b0a3f4ba56854fe765438090dd219dc1edfe256ff38c517a8ec1bade42e612b2cce70e01b7a8b9831aa40d81a93c21f7baff526

C:\Users\Admin\AppData\Roaming\Microsoft\Protect\PWJ2lwcTmcq\SPP.dll

MD5 8cd243505f4ad2a151e49a47065ef8db
SHA1 338055b18dc059b4082f79226f8761b5404e84cf
SHA256 12fe0d872ed7b61a07700c7bf2d6b09b43465a971e38d1404b5462532b8b6a41
SHA512 cb49b8d614a82f4b972bfc1cb5e1b37ad6af0584b66f1731fb95bb563214fd3aa9911e5a3cf5d3d539826f748ec0821b980e182bb99f563dcb6e8875d97137e8

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 13:37

Reported

2024-01-26 13:39

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\77810543496dc906d195460796a0219f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp
  = "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ODA5IqI97Q\systemreset.exe"
(\REGISTRY\USER\<SID> is the HKCU hive of the logged-on user; the target is a dropped copy of systemreset.exe in a random directory under %APPDATA%; writing process not recorded)

Checks whether UAC is enabled

evasion trojan
Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Querying processes (same query from rundll32.exe and from each dropped copy):
  C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe
  C:\Windows\system32\rundll32.exe
  C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe
  C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe

Suspicious behavior: EnumeratesProcesses

64 hits: 4 attributed to C:\Windows\system32\rundll32.exe, 60 with no process recorded.

Suspicious use of AdjustPrivilegeToken

Token: SeShutdownPrivilege       8 hits
Token: SeCreatePagefilePrivilege 8 hits
(requested in alternating pairs; no process recorded, so the adjustments cannot be attributed to a specific child)

Suspicious use of FindShellTrayWindow

2 hits; no process, indicator or target recorded.

Suspicious use of UnmapMainImage

1 hit; no process, indicator or target recorded.

Suspicious use of WriteProcessMemory

Writer PID  Target PID  Target image                                          Writes
3428        4932        C:\Windows\system32\AtBroker.exe                      2
3428        988         C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe     2
3428        4132        C:\Windows\system32\systemreset.exe                   2
3428        412         C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe    2
3428        3484        C:\Windows\system32\EhStorAuthn.exe                   2
3428        4548        C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe  2

The report does not name the image of PID 3428. It is not the first process dumped (that is PID 4020, consistent with the rundll32.exe launcher), but the memory dumps show the sample's 0x140000000-0x1401B7000 image mapped in PID 3428, so the writes into the six children come from a process the sample had already moved into. As on Windows 7, each legitimate System32 binary and its dropped copy are both targeted.

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\77810543496dc906d195460796a0219f.dll,#1
C:\Windows\system32\AtBroker.exe
  command line: bare image path, no arguments
C:\Windows\system32\systemreset.exe
  command line: bare image path, no arguments
C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe
  command line: bare image path, no arguments
C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe
  command line: bare image path, no arguments
C:\Windows\system32\EhStorAuthn.exe
  command line: bare image path, no arguments
C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe
  command line: bare image path, no arguments

Each legitimate System32 binary is started alongside its dropped copy; none receives arguments.

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          217.106.137.52.in-addr.arpa   udp
US       8.8.8.8:53          0.205.248.87.in-addr.arpa     udp
NL       52.142.223.178:80   (none)                        tcp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53          28.118.140.52.in-addr.arpa    udp
US       8.8.8.8:53          196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53          26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53          56.126.166.20.in-addr.arpa    udp
US       8.8.8.8:53          217.135.221.88.in-addr.arpa   udp
US       8.8.8.8:53          180.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53          14.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53          194.178.17.96.in-addr.arpa    udp

All rows but one are PTR (reverse-DNS) lookups sent to 8.8.8.8; the only direct connection is 52.142.223.178:80 over TCP, with no hostname and no originating process recorded. The report attributes none of this traffic to the sample's processes, and the addresses being reversed fall largely in cloud and CDN ranges that Windows 10 contacts on its own, so none of these should be promoted to C2 indicators without corroboration from process-attributed telemetry.
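The Network table above mixes PTR (reverse-DNS) queries with one direct connection, and the in-addr.arpa labels store the address octets in reverse order, which is easy to misread. As an added example, not part of the sandbox report, the Python below parses those rows (copied verbatim into the constructed input string), turns each in-addr.arpa name back into the address that was looked up, and separates lookups from direct connections so the analyst sees the real IPs the guest asked about.

```python
"""Triage a sandbox Network table: split reverse-DNS (PTR) lookups from
direct connections and recover the IP behind each in-addr.arpa name.
Added example, not part of the sandbox report; the rows below are copied
from the behavioral2 Network table (Country Destination Domain Proto)."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed input: the report's rows, verbatim.  The direct TCP connection
# has an empty Domain column, which the row regex treats as optional.
NETWORK_ROWS = """\
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
"""

_ROW = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<dst>\S+) (?:(?P<domain>\S+) )?(?P<proto>tcp|udp)$"
)


def ptr_name_to_ip(name: str) -> Optional[str]:
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217'.

    PTR names list the octets least-significant first, so they must be
    reversed.  Returns None for anything that is not an IPv4 PTR name or
    whose octets do not form a valid address."""
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", name, re.IGNORECASE)
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)  # rejects octets above 255
    except ValueError:
        return None
    return ip


def parse_rows(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse 'CC dst[:port] [domain] proto' rows into dicts."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _ROW.match(line)
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        rows.append(m.groupdict())
    return rows


def triage(text: str) -> Dict[str, List[str]]:
    """Return {'ptr_lookups': [addresses asked about], 'direct': ['ip:port/proto']}.

    A row counts as a PTR lookup only if it went to port 53 and its domain is
    an in-addr.arpa name; everything else is a direct connection worth a
    closer look."""
    ptr_ips, direct = [], []
    for r in parse_rows(text):
        ip = ptr_name_to_ip(r["domain"]) if r["domain"] else None
        if ip is not None and r["dst"].endswith(":53"):
            ptr_ips.append(ip)
        else:
            direct.append(f'{r["dst"]}/{r["proto"]}')
    return {"ptr_lookups": ptr_ips, "direct": direct}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print("direct connections:", result["direct"])
    print("addresses reverse-resolved:", result["ptr_lookups"])
```

The reversed addresses are what you would pivot on (ownership, passive DNS), not the in-addr.arpa labels; the single direct connection is the only row that could be sample-originated, and even that needs process attribution before it is treated as an indicator.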

Files

memory/4020-0-0x000002481AB70000-0x000002481AB77000-memory.dmp

memory/4020-1-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-4-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

memory/4020-7-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-6-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-10-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-9-0x00007FFF882FA000-0x00007FFF882FB000-memory.dmp

memory/3428-11-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-12-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-16-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-17-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-18-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-19-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-20-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-21-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-24-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-30-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-31-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-29-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-28-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-27-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-26-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-25-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-23-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-22-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-15-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-14-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-13-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-8-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-35-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-38-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-37-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-39-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-40-0x0000000002180000-0x0000000002187000-memory.dmp

memory/3428-41-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-48-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-49-0x00007FFF89F00000-0x00007FFF89F10000-memory.dmp

memory/3428-36-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-34-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-33-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-60-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-58-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/3428-32-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/988-69-0x0000000140000000-0x00000001401B8000-memory.dmp

memory/988-71-0x000002578E8C0000-0x000002578E8C7000-memory.dmp

memory/988-75-0x0000000140000000-0x00000001401B8000-memory.dmp

C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe

MD5 bbe0e6ab91825aaec6024603775d974a
SHA1 005ad3b471504b42070707a8a848872e63abf912
SHA256 31b14add5d9c1cbb77ac1cdaa41c27a7c01a89d628331f077f5b815a191a8212
SHA512 908190231c68f2a4f4cf3886b8927ab0010f78cd4d7ac5883ae5430865c9661d7a4745af98abe192fd38da791cfb7dc2c64ad60aebe8bab202807eb3fca4d08c

C:\Users\Admin\AppData\Local\QdZ5Bwt\UxTheme.dll

MD5 f92e228a04e07c36d532ce876346eef2
SHA1 99b5060a3bb68c0b305eace35d6a9d033fd9fdd9
SHA256 152ea844ebe7e5705a7fa080ef95ddd1604d019da02f584227606c3b00559362
SHA512 4390f93fbee75a956681051879d3019587c3da1b6937c1db11ab0c27a9b9c60f0636cc1782cb229bf72e9fbdf4601bb2b248d23461523b276fe50a9b5dc57c69

C:\Users\Admin\AppData\Local\QdZ5Bwt\UxTheme.dll

MD5 126c0a0246f19fdd40515507e41e7150
SHA1 4ec21a3e2b6c14b57d577fcbfd734826604a31c2
SHA256 5271c6d1548a1f0d58313f180c7d67e7a05d95cd107acd30c7362022c3756ea1
SHA512 833b308332496e8bf44e84f276b0ce7aca4f9f08b1d2d097f8d36671883f1824b987dd00b633cff170b7e5030e616bad5a037b90e9fbf1a4499a6f333ff01e36

C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe

MD5 d7316d8d8c2f6b190d064dc78ea35097
SHA1 977e46dccdc9370063e3d79b72e7e3bbadc1bad4
SHA256 e6c7adbeb656493e80678c39a9aeeb7f661115e9f2ef68a72c94c4ca8fe23a5a
SHA512 6f225ee0c45cfc1b7497e199b2bcca1ca1302d4b36727381fce9b60f81ac6979e3a9007bf3d739baf485234396b458ca4298aaf85e5d951a52fd1a06aa4a5042

memory/412-86-0x0000000140000000-0x00000001401FD000-memory.dmp

memory/412-92-0x0000000140000000-0x00000001401FD000-memory.dmp

C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe

MD5 3a23d0827667afbdcca619b4941db045
SHA1 eebb3430d31493e0ed821b34ca3add851fa66124
SHA256 002413f7f9faac9b4a85fa7c937bf4808fbd665f030d7c99408ca8a9c3c92e0a
SHA512 288a07c4173a714a6f49c035f7a3c80f29f2d50568e01f41a34f5f9d73fac2149af0ba60bcf0aa5b4d45b593915d946778c995cc1fe869114720b865115a85a7

C:\Users\Admin\AppData\Local\dJgTvRi\UxTheme.dll

MD5 9883de854a2311f419bc5137c2d6e50f
SHA1 eeadc55ba781bd7e0aec977b68db76c41d30387d
SHA256 94acc7abc7bacfd5309ebaee5f45cb8bb80eaf61a66b4a26a99693a3fcaaaaca
SHA512 b1c6a03b49fbbd76fb1a93549fad3351e6662739175d20e8c8bf66e00906d9da8704c94275475151bb031dee1f23120057f9d50f313f2e333ddee58614a7be19

memory/4548-103-0x000001CDC0910000-0x000001CDC0917000-memory.dmp

memory/4548-109-0x0000000140000000-0x00000001401B8000-memory.dmp

C:\Users\Admin\AppData\Local\dJgTvRi\UxTheme.dll

MD5 f4a9b2db3eeeb4bda7e66eadd878931a
SHA1 cfbe561b55f2ad19edf136fed14d57ac5de47b4b
SHA256 d085a13dfa2a0152f0bff75dfa48cba606f1fe287f0ac67c3a2b2e9e8d17b97f
SHA512 dbf9fceb00dfe264ab92d7cbb069b6b584def2f9f36557ca69d7ee271a9d0d03c765eb9a4eaf305d8f3b0f86a521f8457d3c04af724533f6522bb0732089eb80

C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe

MD5 44d518b25536fc18a1d557e740c5f8a5
SHA1 6a13afbc4246355f67d7645db3e2d22ca9c374ed
SHA256 78f4d467ff54df8a57dc75297a8df123dd37796be33b6381bcf49d7e07e00954
SHA512 b8929a99228a28cdb17b1f3ecc1cdabd5867a1b29b74f6d9acda254da08569d6e6e14aef63be51a867af152813104d56e9df46987d4c433c329e3a30251cc14f

C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe

MD5 7eb67f31850799483f270fc5e8aff05c
SHA1 ccabf97839e6258a354baf023fbf4c84117b96e3
SHA256 edd7c265d7e5d049ddb73b49bb646574b9bdab7778335c8f101685b9136b078a
SHA512 b3a0d83aa03cef6431b0de4b9f06f47c6acc5e71be6d2a9f75cb5c016ce8516019a5934581a465c615ab31026a9dd180271fb8fd155888c511f9efa2911c2fa8

memory/412-89-0x00000167F30E0000-0x00000167F30E7000-memory.dmp

C:\Users\Admin\AppData\Local\5G7xm\DUI70.dll

MD5 c1fdef9cb5a486cec13ab0a0b9c1ec47
SHA1 73050dfd82610eaf4aab94132ea987cca0c3b448
SHA256 346e505adba442e4ed24ed0a5411c8cba5c1f6116d4f5d39f781577e9b4f57fa
SHA512 c985ea62ab99b95de8ed2334a59e60a51f245a3d91adaa4b402fd3a646fa60d067a43d02978d339c549ace264ce17fe3c144e701c362e6362bb86535396e73ea

C:\Users\Admin\AppData\Local\5G7xm\DUI70.dll

MD5 762310ea2eca4622b44e466283371c07
SHA1 7dfbac795fd290b31ac89780a922bb5b3d8c74e4
SHA256 f1fd6074901f0087e75c75868f8624a4d44a4340a9d2bb3c2beade7015fe303d
SHA512 74501fd37804cb8ccde169449cc5bd35fce5b8f1a6996677dbe9bece901045f7b5d0feec289be5a563af4f08a7b3d5a099824a735d78d7f8d2c512877351a1d4

C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe

MD5 7a3610f4791f1f830fd63ae3639f125d
SHA1 8fe74c2d138e9ee5994ccb77d51fb53815eaa24b
SHA256 799e6366b1e99ea1375f36ba30a0f33f28c6ad51b0fa39c86d06d105455029dd
SHA512 30724274283679377ba394adbf239fe0a3d2e4afb0bf97a081af8a33119b058b33288fc447632bdb634c7b596c94b3ff3476ab378621d67fcedd32a5d90e8982

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 b25f89916aae7d6a8b62a8ba7dcabdb6
SHA1 e86f5cc16de4e72df2d21a1f11a0ecfd0910f1aa
SHA256 4fd8c91cbf481a21a8d40bd2391c620b293e857a1b223e91c4a0673684797d6d
SHA512 fe00fb02de8a5754e1a1d46ad8281efcc33909d2e2f02081083e94fdbb547d7e5129de75928784bf10d88793a78e4068d1871d211a5364d3f8c869ce861ed95e

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\dU1spxDPWv3\UxTheme.dll

MD5 c71cdf92725e5b349a59687bf85d8eab
SHA1 feffb41918733c6a00cf932335da645b9bb41017
SHA256 4ac0bdf4659028729ea81a27de3a4f50704fb509980ffe996028520cb1fbef6f
SHA512 39855c39066e66fd11bdda2bc7db4ae9f80579bd0a4527a688279b3a21eadccaf12f3fab879305bd759cf7a3ee7129a66b2d80f11fbdc10daeff73be9cf49ba0

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ODA5IqI97Q\DUI70.dll

MD5 9e1407d0219abcbd5a5b156110b31284
SHA1 e1942a4783f8153ab6169e5e5b5f6f85db37d3d3
SHA256 fa67e693965b7cdede23075c6274a5dd2a41d78e60c677ef6f1c787c2c1bec4e
SHA512 7c530986db1ac2253f6658d144ebcdd821963781f210d75ef4cc736cb6d09727b7d613838c5d9f4918749ba0e8fd42426977254df5855269cc2f74f7f03dd1f1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\zByGk0uRM5B\UxTheme.dll

MD5 670dbf9a7310cb70fc963709ce8bf323
SHA1 46dafadd88d37da81380797f134645c9f95a5835
SHA256 a5813a8bef1057eca38239a46df47526c19eff8e6185b24098a3d225501b7524
SHA512 1ef536618d12cd92cb13c5ead31516d16d02134fa598ecee31e99fd7d307be67c5662df6765d658ab7f79833a9c45e51c10a0813b7596d0c6c75fa6e34e179af
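The dropped files in both runs (behavioral1 above and behavioral2 here) share one layout: a copy of a Windows executable in a randomly named directory beside a DLL named after a system DLL. As an added example, not part of the sandbox report, the Python below turns that observation into a check over a file list: it groups paths by directory, keeps only files whose names appear in a System32 reference set, and reports directories outside C:\Windows that hold both an executable and a DLL from that set, with system-named DLLs that have no recorded companion executable listed separately at lower confidence. The paths are copied from the report's Files sections and Run-key values; SYSTEM32_NAMES is a constructed subset standing in for the live System32 listing, and paths the report lists without a drive letter are assumed to be on C:.

```python
"""Hunt for the DLL search-order hijacking layout seen in this report:
a copy of a Windows system executable dropped outside the Windows directory
next to a DLL that carries the name of a system DLL the executable imports.
Added example, not part of the sandbox report."""
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# Constructed reference set.  On a live host build it from the System32
# directory listing (and SysWOW64 for 32-bit targets).  Names are matched
# case-insensitively; entries not seen in the report (explorer.exe,
# kernel32.dll) are included to show the filter is a lookup, not a literal.
SYSTEM32_NAMES = {
    "sdclt.exe", "rekeywiz.exe", "rstrui.exe", "atbroker.exe",
    "systemreset.exe", "ehstorauthn.exe", "explorer.exe",
    "secur32.dll", "slc.dll", "spp.dll", "uxtheme.dll", "dui70.dll",
    "kernel32.dll",
}

# Paths copied from the report (both detonations): dropped files plus the
# two Run-key targets.  The final entry is a control that must not fire.
REPORT_PATHS = [
    r"\Users\Admin\AppData\Local\rPIrD\sdclt.exe",
    r"\Users\Admin\AppData\Local\rPIrD\Secur32.dll",
    r"C:\Users\Admin\AppData\Local\2ipIWk\slc.dll",
    r"C:\Users\Admin\AppData\Local\2ipIWk\rekeywiz.exe",
    r"C:\Users\Admin\AppData\Local\Ovzd\rstrui.exe",
    r"\Users\Admin\AppData\Local\Ovzd\SPP.dll",
    r"\Users\Admin\AppData\Roaming\Microsoft\Protect\PWJ2lwcTmcq\rstrui.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Protect\PWJ2lwcTmcq\SPP.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\AQu\Secur32.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\ebxK\slc.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\ebxK\rekeywiz.exe",  # Run key Bsfvntd
    r"C:\Users\Admin\AppData\Local\QdZ5Bwt\AtBroker.exe",
    r"C:\Users\Admin\AppData\Local\QdZ5Bwt\UxTheme.dll",
    r"C:\Users\Admin\AppData\Local\5G7xm\systemreset.exe",
    r"C:\Users\Admin\AppData\Local\5G7xm\DUI70.dll",
    r"C:\Users\Admin\AppData\Local\dJgTvRi\EhStorAuthn.exe",
    r"C:\Users\Admin\AppData\Local\dJgTvRi\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ODA5IqI97Q\systemreset.exe",  # Run key Kqgfxymewp
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\ODA5IqI97Q\DUI70.dll",
    r"C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\dU1spxDPWv3\UxTheme.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\zByGk0uRM5B\UxTheme.dll",
    r"C:\Windows\system32\sdclt.exe",  # legitimate location: must not be flagged
]


def _normalize(path: str) -> PureWindowsPath:
    """Some report paths lack a drive letter; assume C: (labelled assumption)."""
    p = PureWindowsPath(path)
    if not p.drive:
        p = PureWindowsPath("C:" + str(p))
    return p


def _under_system_root(directory: PureWindowsPath) -> bool:
    """True for anything below C:\\Windows, where system binaries belong."""
    return str(directory).lower().startswith("c:\\windows\\")


def find_sideload_dirs(
    paths: Iterable[str], system_names: Iterable[str] = SYSTEM32_NAMES
) -> Tuple[Dict[str, Dict[str, List[str]]], Dict[str, List[str]]]:
    """Return (pairs, orphans).

    pairs:   directory -> {'exe': [...], 'dll': [...]} for directories outside
             C:\\Windows holding both a system-named .exe and a system-named
             .dll (the side-load staging layout).
    orphans: directory -> [dlls] for system-named DLLs outside C:\\Windows with
             no recorded companion .exe (lower confidence; the executable may
             simply not have been captured)."""
    known = {n.lower() for n in system_names}
    by_dir: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: {"exe": [], "dll": []})
    for raw in paths:
        p = _normalize(raw)
        if p.name.lower() not in known or _under_system_root(p.parent):
            continue
        kind = p.suffix.lower().lstrip(".")
        if kind not in ("exe", "dll"):
            continue
        bucket = by_dir[str(p.parent).lower()][kind]
        if p.name not in bucket:  # the report lists some files more than once
            bucket.append(p.name)
    pairs = {d: f for d, f in by_dir.items() if f["exe"] and f["dll"]}
    orphans = {d: f["dll"] for d, f in by_dir.items() if f["dll"] and not f["exe"]}
    return pairs, orphans


if __name__ == "__main__":
    pairs, orphans = find_sideload_dirs(REPORT_PATHS)
    for d, files in sorted(pairs.items()):
        print(f"[side-load staging] {d}: {files['exe']} + {files['dll']}")
    for d, dlls in sorted(orphans.items()):
        print(f"[system-named DLL, no exe recorded] {d}: {dlls}")
```

Run against the report's paths this yields nine staging directories (five from the Windows 7 run, including the two Run-key targets' directories, and four from the Windows 10 run) and three orphan DLLs (AQu, dU1spxDPWv3, zByGk0uRM5B) whose executables were not captured. On a live host the same function can be fed a file-creation log or a directory walk of the user profile; the reference set should come from the actual System32 listing rather than a hand-written list.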