Malware Analysis Report

2024-11-13 16:42

Sample ID: 240126-z5hycagabj
Target: 786915fd97a5568543a2c219b4116abf (submitted as a DLL; see the command lines below)
SHA256: a4c35298a6852c3e1ebec89e8d2c739c9dafe977cd2931af02f46f8d640dabe0
Tags: dridex, botnet, evasion, payload, persistence, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: a4c35298a6852c3e1ebec89e8d2c739c9dafe977cd2931af02f46f8d640dabe0
Threat Level: Known bad

The file 786915fd97a5568543a2c219b4116abf was found to be: Known bad.

Malicious Activity Summary

Tags: dridex, botnet, evasion, payload, persistence, trojan

Signatures triggered across the three analyses (per-analysis detail follows):

Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory

Reading the signatures together with the process, file and registry detail below (this is the editor's reading of the raw indicators; the report itself only lists them): regsvr32 loads the submitted DLL silently; the loader then copies Windows binaries out of System32 (mstsc.exe, OptionalFeatures.exe and msinfo32.exe on Windows 7; SystemPropertiesDataExecutionPrevention.exe, SystemPropertiesPerformance.exe and SystemPropertiesComputerName.exe on Windows 10) into short random directories under AppData\Local, drops a DLL or CPL beside each copy carrying the name of a library that binary is expected to load (credui.dll, appwiz.cpl, MFC42u.dll, SYSDM.CPL), launches both the original and the copy, and writes into both processes. That is the DLL search-order hijacking (side-loading) staging pattern behind the "Loads dropped DLL" and "Executes dropped EXE" signatures. Persistence is a user-level Run value pointing at a further copy under AppData\Roaming plus a .lnk dropped in the Startup folder, and the Task Scheduler COM API is also touched.

MITRE ATT&CK

Enterprise Matrix V15: the technique table is not present in this copy of the report.

Analysis: static1

Detonation Overview

Reported: 2024-01-26 21:17

Signatures

Unsigned PE: the sample carries no Authenticode signature (no further indicator detail recorded).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-26 21:17
Reported: 2024-01-26 21:20
Platform: win7-20231215-en
Max time kernel: 150s
Max time network: 125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll

regsvr32 calls the DLL's exported DllRegisterServer, which is where the loader runs; /s suppresses the success or failure dialog, so the load shows nothing to the user.

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload): no indicator detail recorded.

Loads dropped DLL: attributed to the re-launched copies of Windows binaries, each of which has a dropped DLL or CPL beside it (see Files); four further rows carry no process detail.

C:\Users\Admin\AppData\Local\DV2\mstsc.exe
C:\Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\5DT4\msinfo32.exe

Adds Run key to start application (persistence)

Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\RBpPDAEJq\\OptionalFeatures.exe"

This is the sandbox user's own Run key (HKCU, SID ending in -1000), so it persists at user level without elevation. Note that the Files list below records appwiz.cpl in RBpPDAEJq but not the OptionalFeatures.exe copy the value points at; confirm the full binary/CPL pair on a live host rather than assuming it from this capture.

Checks whether UAC is enabled (evasion, trojan)

Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, read by each re-launched copy:

C:\Users\Admin\AppData\Local\5DT4\msinfo32.exe
C:\Users\Admin\AppData\Local\DV2\mstsc.exe
C:\Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe
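The staging, Run-key and EnableLUA indicators above, turned into checks that run over endpoint telemetry. This is an added example written for this page, not code from the sandbox or from the report: the record shapes (a list of created-file paths, (key, value) registry writes, (key, process) registry reads), the function names and the "short random directory" heuristic are the editor's assumptions, and the sample records are constructed from the paths in this analysis.

```python
import ntpath
import re

# Windows binaries this report shows being copied out of System32 and
# re-launched from user-writable directories (both detonations).
HOST_BINARIES = {
    "mstsc.exe", "optionalfeatures.exe", "msinfo32.exe",
    "systempropertiesdataexecutionprevention.exe",
    "systempropertiesperformance.exe", "systempropertiescomputername.exe",
}
# Assumed heuristic: a 2-10 character alphanumeric directory directly under AppData\Local.
STAGING_DIR = re.compile(r"\\appdata\\local\\[a-z0-9]{2,10}$", re.I)
ROAMING = "\\appdata\\roaming\\"
STARTUP = "\\programs\\startup\\"
LIB_EXT = (".dll", ".cpl")

def _norm(path):
    """Lower-case and drop a drive letter so paths with and without 'C:' compare equal."""
    p = path.lower()
    return p[2:] if re.match(r"^[a-z]:", p) else p

def find_sideload_staging(created_files):
    """Staging directories that hold a copied host binary beside a DLL/CPL:
    returns (directory, host binary, library) per hit."""
    by_dir = {}
    for path in created_files:
        d, name = ntpath.split(_norm(path))
        by_dir.setdefault(d, set()).add(name)
    hits = []
    for d, names in sorted(by_dir.items()):
        hosts = sorted(n for n in names if n in HOST_BINARIES)
        libs = sorted(n for n in names if n.endswith(LIB_EXT))
        if hosts and libs and STAGING_DIR.search(d):
            hits.append((d, hosts[0], libs[0]))
    return hits

def find_persistence(registry_sets, created_files):
    """Run values naming a host binary under AppData\\Roaming, and .lnk files
    written to the Startup folder: returns (kind, name, target) per hit."""
    hits = []
    for key, value in registry_sets:
        if "\\currentversion\\run\\" in key.lower():
            # The report renders the REG_SZ with doubled backslashes and quotes.
            target = _norm(value.replace("\\\\", "\\").strip('"'))
            if ROAMING in target and ntpath.basename(target) in HOST_BINARIES:
                hits.append(("run-key", key.rsplit("\\", 1)[1], target))
    for path in created_files:
        p = _norm(path)
        if STARTUP in p and p.endswith(".lnk"):
            hits.append(("startup-lnk", ntpath.basename(p), p))
    return hits

def find_uac_probe(registry_queries):
    """EnableLUA reads issued by a process running from AppData; the same read
    from a binary in System32 is normal and is left alone."""
    return sorted({
        _norm(proc) for key, proc in registry_queries
        if key.lower().endswith("\\policies\\system\\enablelua")
        and "\\appdata\\" in _norm(proc)
    })

def triage(files, reg_sets, reg_queries):
    """Run all three checks and return the findings keyed by rule name."""
    return {
        "sideload_staging": find_sideload_staging(files),
        "persistence": find_persistence(reg_sets, files),
        "uac_probe_from_appdata": find_uac_probe(reg_queries),
    }

# Constructed from the behavioral1 paths in this report; not live telemetry. The
# Temp DLL and the System32 EnableLUA read are included to show what is not flagged.
SAMPLE_FILES = [
    r"\Users\Admin\AppData\Local\DV2\mstsc.exe",
    r"C:\Users\Admin\AppData\Local\DV2\credui.dll",
    r"\Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe",
    r"\Users\Admin\AppData\Local\92WiHl\appwiz.cpl",
    r"\Users\Admin\AppData\Local\5DT4\msinfo32.exe",
    r"C:\Users\Admin\AppData\Local\5DT4\MFC42u.dll",
    r"C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk",
    r"C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll",
]
SAMPLE_REG_SETS = [
    (r"\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso",
     r'"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\RBpPDAEJq\\OptionalFeatures.exe"'),
]
SAMPLE_REG_QUERIES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     r"C:\Users\Admin\AppData\Local\5DT4\msinfo32.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     r"C:\Windows\system32\msinfo32.exe"),
]

if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_FILES, SAMPLE_REG_SETS, SAMPLE_REG_QUERIES).items():
        print(rule)
        for hit in hits:
            print("   ", hit)
```

The staging check keys on the pair (copied host binary plus a DLL/CPL in the same short random directory) rather than on either file's hash, because, as the Files list shows, the same dropped path turns up with several hashes in one run. The Run-key check deliberately requires the target to be a known host binary under Roaming; loosen HOST_BINARIES to "any name that also exists in System32" when hunting beyond this family.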

Suspicious behavior: EnumeratesProcesses

64 events: three attributed to C:\Windows\system32\regsvr32.exe, the remaining 61 recorded without process detail.

Suspicious use of WriteProcessMemory

All writes come from PID 1284; each target appears three times in the raw table, i.e. three write events per target. PID 1284 is not in the process list below and the report does not name it. The memory dumps show the region at 0x140000000 first in PID 3016 (memory/3016-1) and only afterwards in PID 1284 (memory/1284-7), consistent with the loader having moved into an already-running process before making these writes; treat the identity of 1284 as unconfirmed by this export.

Target PID   Target image
2584         C:\Windows\system32\mstsc.exe
2640         C:\Users\Admin\AppData\Local\DV2\mstsc.exe
2880         C:\Windows\system32\OptionalFeatures.exe
2848         C:\Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe
3020         C:\Windows\system32\msinfo32.exe
544          C:\Users\Admin\AppData\Local\5DT4\msinfo32.exe

Uses Task Scheduler COM API

persistence

Processes

The raw list shows each path twice (image path and command line); duplicates are collapsed here. For every process except regsvr32 the command line is the bare path.

C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll
C:\Windows\system32\mstsc.exe
C:\Users\Admin\AppData\Local\DV2\mstsc.exe
C:\Windows\system32\OptionalFeatures.exe
C:\Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe
C:\Windows\system32\msinfo32.exe
C:\Users\Admin\AppData\Local\5DT4\msinfo32.exe

Each Windows binary runs twice, once from System32 and once from the staged copy under AppData\Local; the parent that launched them is not recorded in this export.

Network

No network activity was recorded in this Windows 7 detonation; compare the Windows 10 run below.

Files

Memory regions are listed as memory/<PID>-<index>-<start>-<end>-memory.dmp. A region of roughly 1.4 MB starting at 0x140000000 (the default base of a 64-bit PE image) is dumped from PID 3016, then from PID 1284, then at a slightly larger size from each re-launched copy (2640, 2848, 544); the same region recurring across processes is what the injection-related signatures refer to. Several dropped paths appear more than once with different hashes, meaning the sandbox recorded more than one distinct version of the file during the run; hash-based indicators for the staged host binaries and side-loaded DLLs are therefore unreliable, and the directory and name pattern is the thing to match on. credui.dll under Adobe\Flash Player\NativeCache\MZ6UDikstQN and appwiz.cpl under Microsoft\SystemCertificates\My\CRLs\RBpPDAEJq are dropped in Roaming without a host binary beside them in this list.

memory/3016-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

memory/3016-1-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-4-0x00000000777A6000-0x00000000777A7000-memory.dmp

memory/1284-5-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1284-7-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-12-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-13-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-16-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-19-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-17-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-23-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-27-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-26-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-25-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-28-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-30-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-31-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-34-0x0000000002970000-0x0000000002977000-memory.dmp

memory/1284-33-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-32-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-29-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-24-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-41-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-42-0x00000000778B1000-0x00000000778B2000-memory.dmp

memory/1284-43-0x0000000077A10000-0x0000000077A12000-memory.dmp

memory/1284-22-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-20-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-21-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-18-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-15-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-14-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-11-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-9-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-10-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-52-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3016-8-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-56-0x0000000140000000-0x0000000140167000-memory.dmp

memory/1284-61-0x0000000140000000-0x0000000140167000-memory.dmp

\Users\Admin\AppData\Local\DV2\mstsc.exe

MD5 fbbbb1d192fdadb3c4016f55ecba6a7c
SHA1 0bf9174fec44c3887543edb46f0213aea56709cc
SHA256 f83e8a61cbc1be22a281e8b8e2222b3fd1f48969f4918f1533ef780b42d2accf
SHA512 1ae072fbd7d291e78658ffead31839ce9bb95709925208403058a00994ebb598f36447642e7c2f768657b0d6410810c1d78df582ceb1af0291a6c70e4bff596a

C:\Users\Admin\AppData\Local\DV2\credui.dll

MD5 ea5698226420f430a006eb5b952c8c20
SHA1 1154f1a1db16d0c747d628b1fd9de82176fdb76b
SHA256 62654eb11d50b303da9977bb7cf78328a9266f37e282aaefc523d7be94b0642d
SHA512 97c00d276bd1dc6d6b9b541d18510d55c02ddb21d122c159feee061bd0da3b779d76264f23de9a7f7e59e2d51f2ce560c3ad3f161d9091e98cc38b6485302361

\Users\Admin\AppData\Local\DV2\credui.dll

MD5 23a1d2165ccab4e449a37ccae26261df
SHA1 866ef28cc5d19d832a771944b89cbf515d0f4dc5
SHA256 7c5b4878ede5a2f895e8d1fe240f8eaba79d7126c3b5ef15ff8423512ad7aafd
SHA512 f93743bf84e13be09589283fd18de9761735322261234b3b87ad1919c2b1e1ade65adcde034637c3a04c6189b14496f033949e26e3fb4a8bc78f7a92397dc177

memory/2640-70-0x0000000140000000-0x0000000140168000-memory.dmp

C:\Users\Admin\AppData\Local\DV2\mstsc.exe

MD5 be4f3322feaed27ae5a582697e4d33e5
SHA1 5ef95ffba3e9803327cf49366cd5cb5d850ba7c7
SHA256 e454baa0a9682dec8a8ac84ca86b2c0c4aa65efbb0b5bd6dd27e0aa694743fca
SHA512 ef079c4fe6f0061ee00f4a69ea25e304edfbfae0a74b6761e9690abcd2bbfb2df66e12fe74cc16f972841d077c1932260986be26c7cf73c6ff9c3bffddefc35a

memory/2640-72-0x00000000001B0000-0x00000000001B7000-memory.dmp

memory/2640-75-0x0000000140000000-0x0000000140168000-memory.dmp

C:\Users\Admin\AppData\Local\DV2\mstsc.exe

MD5 e66090e446fd6b7bc5bee16ccc7f367a
SHA1 9c2a10f5e6b1ca9575aa0574a76bc8b1c18c49dd
SHA256 15c893034cb79fff6e920bfd15b4ace43cb05b031d326355dbaffec17c271da2
SHA512 0b84b727b7219bf2d5bd58bcce56a7867043181174a7de03e66367f1a6aa8f94cf3582a537d5ad195f9b59b23f14305d56134eff35849989e5c26bcc7418cc9a

\Users\Admin\AppData\Local\92WiHl\OptionalFeatures.exe

MD5 eae7af6084667c8f05412ddf096167fc
SHA1 0dbe8aba001447030e48e8ad5466fd23481e6140
SHA256 01feebd3aca961f31ba4eac45347b105d1c5772627b08f5538047721b61ff9bc
SHA512 172a8accaa35a6c9f86713a330c5899dfeeffe3b43413a3d276fc16d45cd62ed9237aa6bff29cc60a2022fba8dcc156959723c041df4b7463436a3bdabef2a9d

\Users\Admin\AppData\Local\92WiHl\appwiz.cpl

MD5 839b013c01c825d2666a31a40b399798
SHA1 30961b25377ba427b511e3bac5ee60f0d23fb35c
SHA256 1fe3840d6d15a2655f5f7d85e0d265b0933c22553fbe813794feb0633b9580ee
SHA512 15c67bd569aa1c596c897f0b6fa951ab4e659317cbd07ce986f138c5d298f3929ccdda7bd2069bbf5766f6ae02e37a3c2677f1da42f54e0d7e3d5d543ca112c2

memory/2848-88-0x00000000000F0000-0x00000000000F7000-memory.dmp

memory/2848-93-0x0000000140000000-0x0000000140168000-memory.dmp

C:\Users\Admin\AppData\Local\92WiHl\appwiz.cpl

MD5 b2ae57d46c51e5ec79907bd2ad1b6536
SHA1 54f93a5aa0fe922d3f52280c49ca4edd5a443895
SHA256 571108b440b6b1da394fcdad94ea78759e932240c754d7dd8ffb0168b0ee3209
SHA512 c4c45b1cc91704dad8cefa9ce22a0a4343d8e911b3e1de1cc6841365767f2ef9f51601ea9913036ad62ce790e133561a92e1b269282250e176d1a2bda16bac6c

\Users\Admin\AppData\Local\5DT4\msinfo32.exe

MD5 d291620d4c51c5f5ffa62ccdc52c5c13
SHA1 2081c97f15b1c2a2eadce366baf3c510da553cc7
SHA256 76e959dd7db31726c040d46cfa86b681479967aea36db5f625e80bd36422e8ae
SHA512 75f9bcce4c596dae1f4d78e13d9d53b0c31988d2170c3d9f5db352b8c8a1c8ca58f4a002b30a4b328b8f4769008b750b8a1c9fda44a582e11c3adc38345c334b

C:\Users\Admin\AppData\Local\5DT4\MFC42u.dll

MD5 355362be283e498f71083411070a1fb0
SHA1 296ee323103fc25e2d15e5f250bd63837f081be9
SHA256 18c12b151413fad471e730cf0078d1d8750105461c4504e7f19e73ad39a7390f
SHA512 271120bbb2e2f517e41af676c01551779740c39a013c70e5723bf2fd0f9785a83c29946b51dfc29e9e9391dec9b8cc1d38d32be75eb11f605adc5194a9d6f78a

memory/544-105-0x0000000001B40000-0x0000000001B47000-memory.dmp

memory/544-111-0x0000000140000000-0x000000014016E000-memory.dmp

memory/544-106-0x0000000140000000-0x000000014016E000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 5340f66ebb69ebd062f232123ad92055
SHA1 61ff1612bd7f01b64f7c775a64b02002039ff139
SHA256 e80537ac58e440c7658d23661dc55076baf42ab8adf17712621439ded9257194
SHA512 4d41564bb7a5c2df2946911fb30fe48d74613d24980f12a0a0bf0c94d8f765b7d732805e5e2832da321e550f410bf20658942c24556ecd8aa93eda937678c55c

memory/1284-130-0x00000000777A6000-0x00000000777A7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\MZ6UDikstQN\credui.dll

MD5 8e18160955028aa6e2ffb55e6e463e02
SHA1 5691dedeea2968a153e67e327e2eeae59a003ef3
SHA256 cf9b4080a333825697bdd52895789baddae7ec3ebc170716a10995c6bae52c02
SHA512 74725d9c956a5f69fbc7d1c7076cc085ce5a16163e832fe04e28e6347234c2240743d783749395840a94216bada625ec3007ff9efc023ec35acffd1cd4c23424

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\RBpPDAEJq\appwiz.cpl

MD5 8f8719e64180283621870ffb7334b5b7
SHA1 d21df765cfcfd41c64a2e605bc158669c60caae2
SHA256 1671ef6833cc12c0eea3e45beb7ed411e57886770f8e1a92ed8109f5b9825742
SHA512 10e2f3d309e2824ba4022f11213a602daa4e565af24d5b496d2783fcb26533d884b6751e047da368f08223b19a7b832271fcf93843909ca042d8163cfb8be826

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-26 21:17
Reported: 2024-01-26 21:20
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll

Same launch as the Windows 7 run: regsvr32 calls the DLL's DllRegisterServer export and /s suppresses the result dialog.

Signatures

Dridex (botnet, dridex)

Dridex Shellcode (botnet, payload): no indicator detail recorded.

Adds Run key to start application (persistence)

Set value (str) \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\CloudStore\\xiLRQ9\\SystemPropertiesPerformance.exe"

Same pattern as the Windows 7 run: a user-level HKCU Run value naming a copy of a Windows binary under AppData\Roaming, with a randomised value name. The Files list records SYSDM.CPL in xiLRQ9 but not the SystemPropertiesPerformance.exe copy the value points at.

Checks whether UAC is enabled (evasion, trojan)

Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, read by each re-launched copy:

C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe
C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe

Suspicious behavior: EnumeratesProcesses

64 events: four attributed to C:\Windows\system32\regsvr32.exe, the remaining 60 recorded without process detail.

Suspicious use of AdjustPrivilegeToken

Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, enabled together eight times; the process is not recorded. This pair is also seen from ordinary Windows components and installers, so treat it as supporting evidence alongside the injection and persistence signatures rather than as an indicator on its own.

Suspicious use of FindShellTrayWindow: two events, no detail recorded.

Suspicious use of UnmapMainImage: one event, no detail recorded. Unmapping a process's own main image is the step in process hollowing that frees the original executable's address range before a replacement image is written in; read it together with the WriteProcessMemory events below.

Suspicious use of WriteProcessMemory

All writes come from PID 3468; each target appears twice in the raw table, i.e. two write events per target. As on Windows 7, the writer is not in the process list and the report does not name it: the memory dumps show the 0x140000000 region in PID 2920 first (memory/2920-1) and then in PID 3468 (memory/3468-7), the same hand-off seen between PIDs 3016 and 1284 above.

Target PID   Target image
3896         C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
4468         C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe
3284         C:\Windows\system32\SystemPropertiesPerformance.exe
1780         C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe
776          C:\Windows\system32\SystemPropertiesComputerName.exe
2500         C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe
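Normalising the raw WriteProcessMemory rows into a writer-to-target graph and pairing each System32 original with its staged copy. This is an added example, not code from the report or the sandbox; the parser assumes the exact row layout shown above ("PID <writer> wrote to memory of <target> N/A N/A <image>"), and the embedded rows are copied from the table above for the example to run on.

```python
import re
from collections import Counter, defaultdict

# Rows copied from the behavioral2 "Suspicious use of WriteProcessMemory" table above.
WPM_ROWS = r"""
PID 3468 wrote to memory of 3896 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 3468 wrote to memory of 3896 N/A N/A C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
PID 3468 wrote to memory of 4468 N/A N/A C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe
PID 3468 wrote to memory of 4468 N/A N/A C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe
PID 3468 wrote to memory of 3284 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3468 wrote to memory of 3284 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 3468 wrote to memory of 1780 N/A N/A C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe
PID 3468 wrote to memory of 1780 N/A N/A C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe
PID 3468 wrote to memory of 776 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 3468 wrote to memory of 776 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 3468 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe
PID 3468 wrote to memory of 2500 N/A N/A C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe
"""

# Assumed row layout: writer, target, two N/A columns, then the target image path.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+\S+\s+\S+\s+(.+?)\s*$")
SYSTEM32 = "\\windows\\system32\\"

def parse_wpm(text):
    """(writer PID, target PID, target image) per row; the N/A columns are dropped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2)), m.group(3)))
    return rows

def injection_graph(rows):
    """writer PID -> {target PID: (image, write count)}. The sandbox emits one
    row per WriteProcessMemory call, so the count is the number of writes seen."""
    counts = Counter((w, t) for w, t, _ in rows)
    graph = defaultdict(dict)
    for w, t, image in rows:
        graph[w][t] = (image, counts[(w, t)])
    return dict(graph)

def pair_host_binaries(rows):
    """Group targets by image name: {name: {"system32": pid, "copy": pid}}.
    A name with both entries means the writer wrote into the genuine binary
    and into a re-launched copy of it outside System32."""
    pairs = defaultdict(dict)
    for _, pid, image in rows:
        name = image.rsplit("\\", 1)[-1].lower()
        origin = "system32" if SYSTEM32 in image.lower() else "copy"
        pairs[name][origin] = pid
    return dict(pairs)

def staged_copies(rows):
    """Image names for which both the System32 original and an out-of-place
    copy were written into: the side-loading hosts to hunt for."""
    return sorted(n for n, p in pair_host_binaries(rows).items()
                  if "system32" in p and "copy" in p)

def writers(rows):
    """Distinct writer PIDs (here a single PID that is absent from the process list)."""
    return sorted({w for w, _, _ in rows})

if __name__ == "__main__":
    rows = parse_wpm(WPM_ROWS)
    for writer, targets in injection_graph(rows).items():
        print(f"writer PID {writer}")
        for pid, (image, n) in targets.items():
            print(f"  -> {pid:<5} x{n}  {image}")
    print("staged copies:", staged_copies(rows))
```

The same parser handles the Windows 7 table above unchanged (writer 1284, three writes per target); pair_host_binaries is what turns twelve near-identical rows into the three original/copy pairs a hunter actually wants.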

Uses Task Scheduler COM API

persistence

Processes

The raw list shows each path twice (image path and command line); duplicates are collapsed here. For every process except regsvr32 the command line is the bare path.

C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\786915fd97a5568543a2c219b4116abf.dll
C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesDataExecutionPrevention.exe
C:\Windows\system32\SystemPropertiesPerformance.exe
C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe

Each Windows binary runs twice, once from System32 and once from the staged copy under AppData\Local; the parent that launched them is not recorded in this export.

Network

Country  Destination          Domain                          Proto
NL       52.142.223.178:80                                    tcp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           14.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53           29.179.17.96.in-addr.arpa       udp
US       8.8.8.8:53           209.205.72.20.in-addr.arpa      udp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa      udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53           134.71.91.104.in-addr.arpa      udp
US       8.8.8.8:53           57.110.18.2.in-addr.arpa        udp
US       8.8.8.8:53           79.121.231.20.in-addr.arpa      udp
US       8.8.8.8:53           5.179.17.96.in-addr.arpa        udp
US       8.8.8.8:53           23.236.111.52.in-addr.arpa      udp

The twelve DNS rows are reverse (PTR) lookups sent to Google's resolver, not forward resolutions; decoding the in-addr.arpa names gives 52.167.249.196, 192.229.221.95, 20.190.160.14, 96.17.179.29, 20.72.205.209, 40.68.123.157, 52.165.164.15, 104.91.71.134, 2.18.110.57, 20.231.121.79, 96.17.179.5 and 52.111.236.23. The one direct flow, TCP to 52.142.223.178:80, has no forward DNS query before it in this table, so it was reached by address. Treat it as the candidate contact to pivot on, but check it against a clean-baseline run of the same Windows 10 image before calling it C2: the sandbox OS generates background traffic of its own, and nothing in this export ties the connection to a specific process.
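Decoding this Network table: the rows are parsed, in-addr.arpa names are turned back into the addresses whose PTR records were requested, and direct flows are separated from name lookups so that a connection made without any preceding resolution stands out. This is an added example, not code from the report; the row layout is assumed to be exactly the one shown above, and the embedded rows are copied from the table so the example runs offline.

```python
import ipaddress
import re

# Rows copied from the behavioral2 Network table above; the header line is
# kept to show that non-matching lines are skipped.
NETWORK_ROWS = """\
Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
"""

# Assumed row layout: country code, ip:port, optional queried name, protocol.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)
PTR = re.compile(r"^((?:\d{1,3}\.){4})in-addr\.arpa\.?$", re.I)

def ptr_name_to_ip(name):
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'; None for anything that is not a
    well-formed IPv4 PTR name (an out-of-range octet raises from ipaddress)."""
    m = PTR.match(name)
    if not m:
        return None
    octets = m.group(1).rstrip(".").split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))

def parse_network(text):
    """One dict per table row with the port as an int; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            r = m.groupdict()
            r["port"] = int(r["port"])
            rows.append(r)
    return rows

def summarize(rows):
    """Split the table into direct flows, addresses whose PTR records were
    looked up, and any forward queries: (direct, reverse_lookups, forward)."""
    direct, reverse_lookups, forward = [], [], []
    for r in rows:
        if r["port"] == 53 and r["domain"]:
            ip = ptr_name_to_ip(r["domain"])
            (reverse_lookups if ip else forward).append(ip or r["domain"])
        else:
            direct.append((r["cc"], r["ip"], r["port"], r["proto"]))
    return direct, reverse_lookups, forward

def unresolved_direct_flows(rows):
    """Direct connections whose destination is not among the reverse-looked-up
    addresses. This table carries no forward queries at all, so every flow
    returned here was made by hard-coded address; compare the list against a
    clean-baseline run before calling any of it C2."""
    direct, reverse_lookups, _ = summarize(rows)
    return [d for d in direct if d[1] not in reverse_lookups]

if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    direct, ptr, fwd = summarize(rows)
    print("direct flows:", direct)
    print("forward queries:", fwd)
    print("reverse-looked-up addresses:", ptr)
    print("direct flows with no name resolution:", unresolved_direct_flows(rows))
```

The PTR decoding is the part worth keeping around: sandbox exports and passive-DNS logs both present reverse lookups as in-addr.arpa names, and reading the octets backwards by eye is error-prone. ipaddress.IPv4Address is used so that a malformed name (a 300 in an octet, say) fails loudly instead of producing a plausible-looking address.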

Files

Same layout as the Windows 7 run. The roughly 1.4 MB region at 0x140000000 is dumped from PID 2920, then from PID 3468, then at a slightly larger size from each re-launched copy (4468, 1780, 2500). SYSDM.CPL is dropped three times under AppData\Roaming (Adobe\Acrobat\DC\rxnkz, Microsoft\Windows\CloudStore\xiLRQ9, Sun\Java\RD) with no SystemPropertiesPerformance.exe beside any of them in this list, while the Run value points into xiLRQ9. As above, several paths appear with more than one hash, so match the staged files on directory and name rather than on hash.

memory/2920-1-0x0000000140000000-0x0000000140167000-memory.dmp

memory/2920-0-0x0000000002370000-0x0000000002377000-memory.dmp

memory/3468-5-0x00007FFEE030A000-0x00007FFEE030B000-memory.dmp

memory/2920-8-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-10-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-11-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-7-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-14-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-15-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-16-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-13-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-12-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-17-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-21-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-22-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-23-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-27-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-25-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-32-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-31-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-34-0x00000000027D0000-0x00000000027D7000-memory.dmp

memory/3468-41-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-33-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-51-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-50-0x00007FFEE04A0000-0x00007FFEE04B0000-memory.dmp

memory/3468-30-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-29-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-28-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-26-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-24-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-20-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-18-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-19-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-9-0x0000000140000000-0x0000000140167000-memory.dmp

memory/3468-4-0x00000000080D0000-0x00000000080D1000-memory.dmp

memory/3468-53-0x0000000140000000-0x0000000140167000-memory.dmp

C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe

MD5 c2b47442b11544d310b48ac17b0ce799
SHA1 99cf9f4965e5cb10daeeb9f0f18b5fd44f04ff37
SHA256 44b1d058b093fdaf95994a0efa7d7d6b97d815f3d68adb76c4dbfc211b49882e
SHA512 6d9fb36a91dfa29427c1e3bf0fe2f80f8f2a857242e548eefa586b519031368b9c2f37625a32afd7f96e0873edf0594471ae337e52db181871b351d634380874

memory/4468-62-0x0000000140000000-0x0000000140168000-memory.dmp

memory/4468-63-0x000001EE51730000-0x000001EE51737000-memory.dmp

C:\Users\Admin\AppData\Local\1Jr\SYSDM.CPL

MD5 87d99fd6fe3586e8a5f3f3506dacf026
SHA1 df231005ec1c586a4a2461e9d3dff78b6b8e7226
SHA256 66b4282dbb2ce2ae9858be918f1261e1dca06f6dc0a7dab16c5b4ffdc0ba2975
SHA512 ebc1020c1ff76f725feaa7272a6b02a5bcfd89c96b32ba7e8ab49efa4c3c65cfcc41751243297c9f064c21d6d6a047b9dc03613aea9e3aa69f11e4fd9c7dce74

C:\Users\Admin\AppData\Local\1Jr\SYSDM.CPL

MD5 de2d0344d43f4bc280bf787d706706db
SHA1 ff99dea3d2f7b96d24bfb42e0ace9858a7ce114a
SHA256 45362ba34f0ef22ae2dcb2359bb278bc67a12b68b01518850101c9df5482011e
SHA512 aacae331a73e91deb653650ebcd45c299a9ac149605c4814f9b2436d7580829173f655547efd3023a8008e2a780f9f396ffd0a64f19d3ab06f208eab20988be8

memory/4468-68-0x0000000140000000-0x0000000140168000-memory.dmp

C:\Users\Admin\AppData\Local\7dqD3zTM\SYSDM.CPL

MD5 c14cdd357c64cf8f358ac36b000d216c
SHA1 affb276602034c97b8c6bec379a05d0b5b444426
SHA256 fe9e2b19ba46525c3b2a6d24dfc0aee2ccfa4332d04a7fc4fba321e50064826e
SHA512 0732727f614fea77feead6d3de6b24bb8fec0ca0a958229fc3b924f01face0869133576269182de76962224670e425e741b49946853d5eaea0c35b53f2815f51

memory/1780-81-0x000001E46F100000-0x000001E46F107000-memory.dmp

memory/1780-85-0x0000000140000000-0x0000000140168000-memory.dmp

C:\Users\Admin\AppData\Local\7dqD3zTM\SYSDM.CPL

MD5 40aa53dd1b76a076ef34f4527d945b52
SHA1 590f541c86d329e165cdeda1c42a5b0f307d15d5
SHA256 336760afa14920af1f657dda517ef1d9a994426ab8f7fdfc2c315a20320f221d
SHA512 7f9959e5e4994aa5df7b0eba45608d1a6f213aa8c6a20ebbd55cc5b61c9a46b0cd6c3194cd15a437c63d1476a565efec5d5623bb2a6b0df28e5fc2d242178bba

C:\Users\Admin\AppData\Local\7dqD3zTM\SystemPropertiesPerformance.exe

MD5 e4fbf7cab8669c7c9cef92205d2f2ffc
SHA1 adbfa782b7998720fa85678cc85863b961975e28
SHA256 b266318d45a4245556a2e39b763f2f11eca780969105f6f103e53dd0a492bb30
SHA512 c5c62578d04133352d6cb7b018df96a7b55c18d6111ab8bf2bfe232a3315a63b07047fa5b0b88551d152085776c66169b47566242c8c4c5e0333c55adc64e1b6

C:\Users\Admin\AppData\Local\wkWWol\SYSDM.CPL

MD5 f043c303c7030a1b295cf4991867bad8
SHA1 559236ee36894b67137ecad4fb425be17e8cea34
SHA256 24eb2954d9a9a9cc0500626b120efbf6b4edf75b53dc546820c25e62385ec7ea
SHA512 e347bb113ea8ebd98ffc7372aef8acf5e553d6c12368a9031e077ec9d5a5434d8669b99f970e540e5a34f2d9ef6fe2b5a50a3766bea03761f330080668c90c59

C:\Users\Admin\AppData\Local\wkWWol\SYSDM.CPL

MD5 28c06d75c1575da7300f65d7696becdf
SHA1 d2fc2f6acc2c2f6e91f93e7c5820dd7d0b240ee4
SHA256 beba11f1a54d4431a08a0861a72da23e96a26a790fae3eacda0eae48961a7855
SHA512 4bb5677ff99e1afdf6c2a652a3e7a62116ff28d48bb0f7760728e7dfdb2c3db5051ee19bd426a6bf0c416d4a7088be90517b50774cca610f4e6177033bfe4421

memory/2500-99-0x000001F19D370000-0x000001F19D377000-memory.dmp

memory/2500-102-0x0000000140000000-0x0000000140168000-memory.dmp

C:\Users\Admin\AppData\Local\wkWWol\SystemPropertiesComputerName.exe

MD5 6711765f323289f5008a6a2a04b6f264
SHA1 d8116fdf73608b4b254ad83c74f2232584d24144
SHA256 bd3a97327326e2245938ec6099f20059b446ff0fe1c10b9317d15d1a1dd5331e
SHA512 438abd282d9d1c0e7e5db2ce027ff9522c3980278b32b2eae09c595884a8dcbfd5178bc5926b1d15f03174303382e13f5d5ecab9a5d8e31fc07ef39e66c012e8

C:\Users\Admin\AppData\Local\1Jr\SystemPropertiesDataExecutionPrevention.exe

MD5 de58532954c2704f2b2309ffc320651d
SHA1 0a9fc98f4d47dccb0b231edf9a63309314f68e3b
SHA256 1f810658969560f6e7d7a14f71d1196382e53b984ca190fa9b178ac4a32acfb3
SHA512 d4d57cc30d9079f4e9193ba42631e8e53d86b22e9c655d7a8c25e5be0e5e1d6dfff4714ddc23e3e392809d623b4f8d43c63893f74c325fc77459ac03c7a451ed

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk

MD5 7ce68d5202e98af3abc360048df6aa85
SHA1 4dc94e98c1cafbffe4564f0474e38f3bbf03f670
SHA256 50656b1e5d764d8837d1959563aa76bf113cca5f575ae73601636798efa8997d
SHA512 63e4681f67733b56d3aadbddecb1dfd1b61779d0b2e156aa191c870f10fcded8bd3f26847b101c550e62e8880981010db6d2e20ae2c88753d9e5ba1c37b00c2d

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\rxnkz\SYSDM.CPL

MD5 badabdfa4073bfd02c0bb1cc338fcc56
SHA1 585aad23e994cc1d75b4cacefb219c89151c4da7
SHA256 3743a4dd9e49d305b1f2cdf98e84465c3744838b6c95bed7c4d8356f9e1d90e8
SHA512 572368b01a33d6bf705832eed869ba49c8dc3ef28704dc5b49ba323a2a1b2de172f8bc64762506a28560eb1b566231db3b93bf86caaf36e748bbb9eeb8eaf76d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\xiLRQ9\SYSDM.CPL

MD5 bc07d76c057f9dd38ee477d838b7e8e0
SHA1 57e2abb3956c680ed6bd5f4ed9b92deaae8c725f
SHA256 71c8eea5e2cae90fa696a7554771b2c40149360c9509034da622ccde9d0be60d
SHA512 1e43774ab1036f01cd5940869cddb1f2a61161b1ced32aeeb3dab6929509ce27173dbedf290eb14f2f81660aa7e302c2bed8066b3ecc0eba534787ce9651be2b

C:\Users\Admin\AppData\Roaming\Sun\Java\RD\SYSDM.CPL

MD5 4b3f78c1616282df7a9f4e63a91c6038
SHA1 546454d6b7f43c10f6b16cc1ca235fd207bfb597
SHA256 6d752e313d63c421be77de25c75a89e0564515c477d6e2610aa6d766d4104207
SHA512 915dca94b8f67af7220e2de83db17953e30e76d0eb07a2f67744063889a04a860f60c97d67ae34c558de483d7df985f765ab1dd4de88491cb382645e73119e94