Analysis Overview
SHA256
2841518b5acc66a9fdbea00ba90c5775124fca822a3ae725b7dc86d68bfe4689
Threat Level: Known bad
The file 785ce10521b549ee5b635b6aaebf7f7f was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-26 20:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-26 20:54
Reported
2024-01-26 20:56
Platform
win7-20231215-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Xm2\perfmon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Xm2\perfmon.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\gskfRJB\\Utilman.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Xm2\perfmon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1196 wrote to memory of 2684 | N/A | N/A | C:\Windows\system32\ddodiag.exe |
| PID 1196 wrote to memory of 2684 | N/A | N/A | C:\Windows\system32\ddodiag.exe |
| PID 1196 wrote to memory of 2684 | N/A | N/A | C:\Windows\system32\ddodiag.exe |
| PID 1196 wrote to memory of 3052 | N/A | N/A | C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe |
| PID 1196 wrote to memory of 3052 | N/A | N/A | C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe |
| PID 1196 wrote to memory of 3052 | N/A | N/A | C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe |
| PID 1196 wrote to memory of 2860 | N/A | N/A | C:\Windows\system32\Utilman.exe |
| PID 1196 wrote to memory of 2860 | N/A | N/A | C:\Windows\system32\Utilman.exe |
| PID 1196 wrote to memory of 2860 | N/A | N/A | C:\Windows\system32\Utilman.exe |
| PID 1196 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe |
| PID 1196 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe |
| PID 1196 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe |
| PID 1196 wrote to memory of 1976 | N/A | N/A | C:\Windows\system32\perfmon.exe |
| PID 1196 wrote to memory of 1976 | N/A | N/A | C:\Windows\system32\perfmon.exe |
| PID 1196 wrote to memory of 1976 | N/A | N/A | C:\Windows\system32\perfmon.exe |
| PID 1196 wrote to memory of 1312 | N/A | N/A | C:\Users\Admin\AppData\Local\Xm2\perfmon.exe |
| PID 1196 wrote to memory of 1312 | N/A | N/A | C:\Users\Admin\AppData\Local\Xm2\perfmon.exe |
| PID 1196 wrote to memory of 1312 | N/A | N/A | C:\Users\Admin\AppData\Local\Xm2\perfmon.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\785ce10521b549ee5b635b6aaebf7f7f.dll,#1
C:\Windows\system32\ddodiag.exe
C:\Windows\system32\ddodiag.exe
C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe
C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe
C:\Windows\system32\Utilman.exe
C:\Windows\system32\Utilman.exe
C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe
C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe
C:\Users\Admin\AppData\Local\Xm2\perfmon.exe
C:\Users\Admin\AppData\Local\Xm2\perfmon.exe
C:\Windows\system32\perfmon.exe
C:\Windows\system32\perfmon.exe
Network
Files
\Users\Admin\AppData\Local\mWsxs\XmlLite.dll
| MD5 | 06b87f62e6c1ff6d6d755a77a2c2f824 |
| SHA1 | 11704ea6e9caa84605263a5e269ecbb4178fe001 |
| SHA256 | fb421645d619e52229a4c3b21f22d9423a7ceef1ec6251298269454ffc3102cd |
| SHA512 | 2be6606c853c33d9dc0ebf6cfdcfa9f6c31c8feb99964d4a933ed718a798a0f8bb6f9e16029c77fe8fa6e0785f76d25da96727fd305f4e20f723fc317ac6d88f |
C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe
| MD5 | 509f9513ca16ba2f2047f5227a05d1a8 |
| SHA1 | fe8d63259cb9afa17da7b7b8ede4e75081071b1a |
| SHA256 | ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e |
| SHA512 | ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862 |
C:\Users\Admin\AppData\Local\mWsxs\XmlLite.dll
| MD5 | 320ecf0ac8e58bcc8f389ecef5e043e2 |
| SHA1 | 6dbfe03d6f49d8f5c3833669d52b057e30784f1a |
| SHA256 | 6ad5c43a37dce4f890d4d6b8120e72a860a2fe38fb2125b6000df0a1adebcdac |
| SHA512 | badc2cbcd04b8442ecdc0f720177c9d5cdd7feebcce63186e854c51978a86e536f7f88bfc446393f70e48a2339b0aed7092e857c26644dc674fa813e9c17dd15 |
\Users\Admin\AppData\Local\SDfUtMnc\DUI70.dll
| MD5 | aaa398861c109e9e3ed9a4195399eee3 |
| SHA1 | cf0fb5271d1eebff03cfa245f6f47e814a8d9638 |
| SHA256 | ae48ad183a36960325787431a23495b26026dc6c2be769a125ae231dba28c27b |
| SHA512 | c04a82de025ee221faf704254ce7663a1486d278d58ceefb7d44468181cd78e2b8b4b3cc77dbf4c712326e6131aad3bf616802b76539d245451101a7eb2221b7 |
C:\Users\Admin\AppData\Local\SDfUtMnc\DUI70.dll
| MD5 | bf73e69cca856db8e26730b1bfef25a9 |
| SHA1 | 58d9c96cc039561df5f2c197f9a463c4df09e886 |
| SHA256 | c6e41943b8f28abaa9224235d445b2dff6b6962ff5b48c90cb20480618df2ab6 |
| SHA512 | 9d1627ccfc7293b9046f66e5d041a367753375d9900187d1ec9e20e349cc85dca48eb63ef4e05dfb4418ae34028368c04d86baef0ceec9a78a3819e2687fc3e2 |
C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe
| MD5 | caa87f2ac8968644287e672bcfa13956 |
| SHA1 | ca6033641e2c508b8d7a45739519b66fb6cedf6b |
| SHA256 | 2b736de9a5892882dfa5100498c181a6e117645f8bc59f8ce8308eb430e66943 |
| SHA512 | 97b329c7e169640ada4d6a2a1a8ffe4b3f8f7def44cf21741c331420135c7f66badc4978f514bc74207a0edd6fb18407d4d317a124a476cc7db755e0af5f28ec |
\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe
| MD5 | e0fa3b2b928553be21f6aabda84f3905 |
| SHA1 | 2663d44ddbe3523d5937a4e54a0220152ed027c0 |
| SHA256 | a4a838f8676f446c3ea54b524a6e4d5e597a16eb3b3777a7844626b894179a60 |
| SHA512 | 2b416442a19ac8cad20183e1a9fc8ed30ae05d937d66eef92d2c048a2afdb6fc21312916a8c05b11ce8d6b3bd749df28dedfc7fdddb78f8b28579abd80fb2df7 |
C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe
| MD5 | 98640b5853fee7afb1d33828b6cdd6b0 |
| SHA1 | 8f8d3c4e546a4d4a84bd6b451880965c10127ff7 |
| SHA256 | e664e2e334f7d528b22b7e9640d5f3d97346f831d6717ace093ed272e47b40fa |
| SHA512 | 77bb8483bf1e68567c5d4d2164f5cb03913ad1587a22ab3f062a563e6ca6039a7f82f73508c595f5fe008deb5236260ee562af3ee2c8ca962dc802fa7aa2a040 |
\Users\Admin\AppData\Local\Xm2\perfmon.exe
| MD5 | 3eb98cff1c242167df5fdbc6441ce3c5 |
| SHA1 | 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69 |
| SHA256 | 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081 |
| SHA512 | f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35 |
\Users\Admin\AppData\Local\Xm2\Secur32.dll
| MD5 | 5df98aec37418781e2aa1d1d1ee6ef83 |
| SHA1 | 34f0fd4ec3d0f197952533bef3acf1f910755463 |
| SHA256 | 4fa165665d098b688a54d6742639f5e44a287e2d6387c0f8c86a8a69eeefb311 |
| SHA512 | cb748a6974a255bff269cc49994083e860e1f6361dd4d292ae8a4a676de2f85393bc8fb999d8e789da22c55a9d422df0779d41dee4e2ab569a6a98e02dcf4485 |
C:\Users\Admin\AppData\Local\Xm2\Secur32.dll
| MD5 | 84e5744aae7eae075666ca2ead7b6798 |
| SHA1 | 79bbb86193d507ffbf9aa9d8b9eabafb6d9ce248 |
| SHA256 | c8703c71916de189b07637f9ebbbe414eb33debdc91d81f463592191bb4b9047 |
| SHA512 | bf9bf6a9d232a5150b47bf4f8ce8177ed4f55e8be174443b3f5f7ac31755e8191a7dcccb2af55a44ce50110591a516fc6769cc59c929f3343a0f16cc13dc21b2 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\yCQ41miA8\perfmon.exe
| MD5 | e485de53ce437a45e5d3463ee648e1ac |
| SHA1 | c4404a4160de3bd0bb3781de5bb6ae7e60098d37 |
| SHA256 | cb73e11d6bba6713e047718b64240a8b09d110dfa032fc37796e003e55d4fb3d |
| SHA512 | 993ebb8b190e5d63abf516ab0bd05b8dbe0933deee0c00536f668c8bdf216a97275481824830780deb1993b9f669e217b46621a6a437b494b74d84adcfc41def |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk
| MD5 | be774044cc78cf0abaa85064fc734efd |
| SHA1 | ad6610981fdfad37372c38d50c9fa01a26bc7bf3 |
| SHA256 | b27b5a75f62c2a6a5c678d1947b15b7c2582bd1e398be2462fbdb8663c0a14ac |
| SHA512 | 4be73b9e00f2f2123f2eb7a175311ede91ffc9d0449c10196dc04c1a9c0854fff2376735e49efe391524bb3c38fdc8087b9efb847603bf469f2d32aade9f8c5d |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\wvqGLVRC\XmlLite.dll
| MD5 | c113332801e08061281b6a5f62f7e1bd |
| SHA1 | e75b03d36e3ea670978aff5ee971c9730171a14c |
| SHA256 | 0165a691a9ab37bacfd78ff06d125a4a80403e14ce7f97a2af1601f36575556d |
| SHA512 | 5e77525350fa687df75df0814acaa58906d2aef5527f930f4b42c1ca791ad5d01dd24df6df4e0d3883dd554afb20bb514b05d8e718470be73648fbedc248044b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\gskfRJB\DUI70.dll
| MD5 | a299cbaeecaa1ae87de43799544d222d |
| SHA1 | 23f4962226faf713ed83bbf0545dd50f3a2d014c |
| SHA256 | 5a68b867bf6e8cad76e832b9e55b1f193741da526a2be562abb6265de5631d53 |
| SHA512 | ae54423db57196278902ac61668743a901a919fdcd92b6d7a0e968be6e75ee1ff60ea36697c2bd822fb5b8f6eefc69c7f04fb781a22745d351386079f03a937e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\yCQ41miA8\Secur32.dll
| MD5 | c9f7f43566584afeb0efea06c8e3451e |
| SHA1 | 2cdd7ea1715b0ac9f6e51ae48030119efe05f34e |
| SHA256 | 107d1f936fa6689df6c71a4478ea1e155f183e2b9fea55d2a19a85804cf36f2f |
| SHA512 | 9496dbf0d6d0c9233f7ac3e1e36fcd2204f0f988ff4226c4401408af5ee5b83fac214aefe532b3a7bef931b8d98bd26aedd04c14b0282d7d92ab375d1fb6f426 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-26 20:54
Reported
2024-01-26 20:57
Platform
win10v2004-20231215-en
Max time kernel
152s
Max time network
146s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\sr19H\Magnify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\sr19H\Magnify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\OQAs9mgz\\Magnify.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\sr19H\Magnify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\785ce10521b549ee5b635b6aaebf7f7f.dll,#1
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe
C:\Windows\system32\Magnify.exe
C:\Windows\system32\Magnify.exe
C:\Users\Admin\AppData\Local\sr19H\Magnify.exe
C:\Users\Admin\AppData\Local\sr19H\Magnify.exe
C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe
C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe
| MD5 | 26640d2d4fa912fc9a354ef6cfe500ff |
| SHA1 | a343fd82659ce2d8de3beb587088867cf2ab8857 |
| SHA256 | a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37 |
| SHA512 | 26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc |
C:\Users\Admin\AppData\Local\jvy\SYSDM.CPL
| MD5 | 4687de80f22c03b182cd5eaa50fd7547 |
| SHA1 | 0cd5e596ef4a0a7f7f19878c6ceedb5288e71d06 |
| SHA256 | ff14a9e36a7e4b88cc53ef1150a1a897e41936947f8acd3076a0758380def005 |
| SHA512 | 57771a509fffce35de8b0686528ff2852539c27b14663acb5d7546b9ee14df5d8b0a69126aa142dfc5496d10052a3bb20223d8909a7ba5c0c01002436135e4e1 |
C:\Users\Admin\AppData\Local\sr19H\Magnify.exe
| MD5 | 4029890c147e3b4c6f41dfb5f9834d42 |
| SHA1 | 10d08b3f6dabe8171ca2dd52e5737e3402951c75 |
| SHA256 | 57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d |
| SHA512 | dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d |
C:\Users\Admin\AppData\Local\sr19H\MAGNIFICATION.dll
| MD5 | b8b52c9e3c69c8de33ad11d612750590 |
| SHA1 | c2728c121a80fd03e75c1c4fd75dae89d9817ddf |
| SHA256 | 30f688aff1efced9538ce4f663de74f55c2525d81d93103aefeaa620077f570e |
| SHA512 | 037a736a4ec06b40c1d4a7a0fb11afeaf6134da4c9a53d92e34e1239d617b4bc4f98a1139a4aca2543a067e81ea4195295c583833da40ba225fe8eb5826da609 |
C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe
| MD5 | a6fc8ce566dec7c5873cb9d02d7b874e |
| SHA1 | a30040967f75df85a1e3927bdce159b102011a61 |
| SHA256 | 21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d |
| SHA512 | f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc |
C:\Users\Admin\AppData\Local\VmImW0n4T\VERSION.dll
| MD5 | f5b89e13278cbc8bb4eda6b6a65acd49 |
| SHA1 | 2a31a6d51d8db015713113f6937f2263b801368e |
| SHA256 | b64ed8b5e6cbc720ce824bea0ae48e1ef9851501c99617a651ea39962371dc40 |
| SHA512 | 6fbc016d6f18b1d5c00f58ce7694da194969621285687b227308d96399c0a856fe0d7f8a91e3c030be8e1b87a4da1454e2237196b4d02826cb8f55c8fecc93fb |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | 32faeb7a0ba72a4f700326c6e8f5d3b3 |
| SHA1 | 005395b4585649b331888953560da24517623ad8 |
| SHA256 | de71595fd4a6d05503a7cb0161139db6bf1ff23a4c922eb841b71a7e13c3955b |
| SHA512 | cde5a8e50d0d0967fd9f30f4a021ff3164018ad42d7e2f089a79ff95399aacef5a9eb3be9505a40ca1e6892e91ea3677f168bb3056bf1f324ebd8812a73b7cc9 |