Malware Analysis Report

2024-11-13 16:42

Sample ID 240126-zp14zsecc5
Target 785ce10521b549ee5b635b6aaebf7f7f
SHA256 2841518b5acc66a9fdbea00ba90c5775124fca822a3ae725b7dc86d68bfe4689
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2841518b5acc66a9fdbea00ba90c5775124fca822a3ae725b7dc86d68bfe4689

Threat Level: Known bad

The file 785ce10521b549ee5b635b6aaebf7f7f was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Read together, the process, memory and file records of the two runs show the loader chain behind these signatures. rundll32.exe (PID 1196 on the Windows 7 run, PID 3520 on the Windows 10 run) starts a genuine System32 binary and writes into its memory, then drops a copy of that same binary into a randomly named directory under the user profile beside a DLL that carries the name of a library the binary imports, and runs the copy, which loads the dropped DLL (the "Loads dropped DLL" hits). The pairs are ddodiag.exe with XmlLite.dll, Utilman.exe with DUI70.dll and perfmon.exe with Secur32.dll on Windows 7, and SystemPropertiesProtection.exe with SYSDM.CPL, Magnify.exe with MAGNIFICATION.dll and unregmp2.exe with VERSION.dll on Windows 10. Persistence uses the same construction: the Run value points at a further copy under AppData\Roaming (Utilman.exe with DUI70.dll in Cookies\Low\gskfRJB on Windows 7, Magnify.exe in Protect\OQAs9mgz on Windows 10), and a .lnk is dropped into the Startup folder (Tiizeasb.lnk, Btpzaqnqvnv.lnk). The executables in these directories carry the names of Windows' own binaries, so hunting should key on a System32 file name running from a user-writable path and on the DLL loaded beside it, not on the executables' hashes or on the submitted sample's hash alone.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 20:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 20:54

Reported

2024-01-26 20:56

Platform

win7-20231215-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\785ce10521b549ee5b635b6aaebf7f7f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Xm2\perfmon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\gskfRJB\\Utilman.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Xm2\perfmon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2684 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1196 wrote to memory of 2684 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1196 wrote to memory of 2684 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1196 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe
PID 1196 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe
PID 1196 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe
PID 1196 wrote to memory of 2860 N/A N/A C:\Windows\system32\Utilman.exe
PID 1196 wrote to memory of 2860 N/A N/A C:\Windows\system32\Utilman.exe
PID 1196 wrote to memory of 2860 N/A N/A C:\Windows\system32\Utilman.exe
PID 1196 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe
PID 1196 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe
PID 1196 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe
PID 1196 wrote to memory of 1976 N/A N/A C:\Windows\system32\perfmon.exe
PID 1196 wrote to memory of 1976 N/A N/A C:\Windows\system32\perfmon.exe
PID 1196 wrote to memory of 1976 N/A N/A C:\Windows\system32\perfmon.exe
PID 1196 wrote to memory of 1312 N/A N/A C:\Users\Admin\AppData\Local\Xm2\perfmon.exe
PID 1196 wrote to memory of 1312 N/A N/A C:\Users\Admin\AppData\Local\Xm2\perfmon.exe
PID 1196 wrote to memory of 1312 N/A N/A C:\Users\Admin\AppData\Local\Xm2\perfmon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\785ce10521b549ee5b635b6aaebf7f7f.dll,#1

C:\Windows\system32\ddodiag.exe

C:\Windows\system32\ddodiag.exe

C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe

C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe

C:\Windows\system32\Utilman.exe

C:\Windows\system32\Utilman.exe

C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe

C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe

C:\Users\Admin\AppData\Local\Xm2\perfmon.exe

C:\Users\Admin\AppData\Local\Xm2\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

Network

N/A

Files

memory/2184-0-0x0000000140000000-0x000000014019D000-memory.dmp

memory/2184-1-0x0000000000110000-0x0000000000117000-memory.dmp

memory/1196-4-0x0000000077836000-0x0000000077837000-memory.dmp

memory/1196-5-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1196-10-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-17-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-24-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-30-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-35-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-37-0x0000000002D70000-0x0000000002D77000-memory.dmp

memory/1196-36-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-44-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-46-0x0000000077BA0000-0x0000000077BA2000-memory.dmp

memory/1196-45-0x0000000077A41000-0x0000000077A42000-memory.dmp

memory/1196-34-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-33-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-32-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-31-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-29-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-28-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-27-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-55-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-26-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-61-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-25-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-23-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-22-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-21-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-20-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-19-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-18-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-16-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-15-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-14-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-13-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-12-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-11-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-9-0x0000000140000000-0x000000014019D000-memory.dmp

memory/2184-8-0x0000000140000000-0x000000014019D000-memory.dmp

memory/1196-7-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3052-73-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3052-79-0x0000000140000000-0x000000014019E000-memory.dmp

memory/3052-76-0x0000000000100000-0x0000000000107000-memory.dmp

\Users\Admin\AppData\Local\mWsxs\XmlLite.dll

MD5 06b87f62e6c1ff6d6d755a77a2c2f824
SHA1 11704ea6e9caa84605263a5e269ecbb4178fe001
SHA256 fb421645d619e52229a4c3b21f22d9423a7ceef1ec6251298269454ffc3102cd
SHA512 2be6606c853c33d9dc0ebf6cfdcfa9f6c31c8feb99964d4a933ed718a798a0f8bb6f9e16029c77fe8fa6e0785f76d25da96727fd305f4e20f723fc317ac6d88f

C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe

MD5 509f9513ca16ba2f2047f5227a05d1a8
SHA1 fe8d63259cb9afa17da7b7b8ede4e75081071b1a
SHA256 ddf48c333e45c56c9e3f16e492c023bf138629f4c093b8aaab8ea60310c8c96e
SHA512 ad3168767e5eba575ae766e1e2923b1db4571bbeb302d7c58e8023612e33913dcd9e5f4a4c1bc7b1556442a0807117066f17c62b38fe2ae0dfaa3817b7318862

C:\Users\Admin\AppData\Local\mWsxs\XmlLite.dll

MD5 320ecf0ac8e58bcc8f389ecef5e043e2
SHA1 6dbfe03d6f49d8f5c3833669d52b057e30784f1a
SHA256 6ad5c43a37dce4f890d4d6b8120e72a860a2fe38fb2125b6000df0a1adebcdac
SHA512 badc2cbcd04b8442ecdc0f720177c9d5cdd7feebcce63186e854c51978a86e536f7f88bfc446393f70e48a2339b0aed7092e857c26644dc674fa813e9c17dd15

\Users\Admin\AppData\Local\SDfUtMnc\DUI70.dll

MD5 aaa398861c109e9e3ed9a4195399eee3
SHA1 cf0fb5271d1eebff03cfa245f6f47e814a8d9638
SHA256 ae48ad183a36960325787431a23495b26026dc6c2be769a125ae231dba28c27b
SHA512 c04a82de025ee221faf704254ce7663a1486d278d58ceefb7d44468181cd78e2b8b4b3cc77dbf4c712326e6131aad3bf616802b76539d245451101a7eb2221b7

memory/2872-91-0x0000000140000000-0x00000001401D1000-memory.dmp

C:\Users\Admin\AppData\Local\SDfUtMnc\DUI70.dll

MD5 bf73e69cca856db8e26730b1bfef25a9
SHA1 58d9c96cc039561df5f2c197f9a463c4df09e886
SHA256 c6e41943b8f28abaa9224235d445b2dff6b6962ff5b48c90cb20480618df2ab6
SHA512 9d1627ccfc7293b9046f66e5d041a367753375d9900187d1ec9e20e349cc85dca48eb63ef4e05dfb4418ae34028368c04d86baef0ceec9a78a3819e2687fc3e2

memory/2872-95-0x0000000140000000-0x00000001401D1000-memory.dmp

C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe

MD5 caa87f2ac8968644287e672bcfa13956
SHA1 ca6033641e2c508b8d7a45739519b66fb6cedf6b
SHA256 2b736de9a5892882dfa5100498c181a6e117645f8bc59f8ce8308eb430e66943
SHA512 97b329c7e169640ada4d6a2a1a8ffe4b3f8f7def44cf21741c331420135c7f66badc4978f514bc74207a0edd6fb18407d4d317a124a476cc7db755e0af5f28ec

\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe

MD5 e0fa3b2b928553be21f6aabda84f3905
SHA1 2663d44ddbe3523d5937a4e54a0220152ed027c0
SHA256 a4a838f8676f446c3ea54b524a6e4d5e597a16eb3b3777a7844626b894179a60
SHA512 2b416442a19ac8cad20183e1a9fc8ed30ae05d937d66eef92d2c048a2afdb6fc21312916a8c05b11ce8d6b3bd749df28dedfc7fdddb78f8b28579abd80fb2df7

C:\Users\Admin\AppData\Local\SDfUtMnc\Utilman.exe

MD5 98640b5853fee7afb1d33828b6cdd6b0
SHA1 8f8d3c4e546a4d4a84bd6b451880965c10127ff7
SHA256 e664e2e334f7d528b22b7e9640d5f3d97346f831d6717ace093ed272e47b40fa
SHA512 77bb8483bf1e68567c5d4d2164f5cb03913ad1587a22ab3f062a563e6ca6039a7f82f73508c595f5fe008deb5236260ee562af3ee2c8ca962dc802fa7aa2a040

\Users\Admin\AppData\Local\Xm2\perfmon.exe

MD5 3eb98cff1c242167df5fdbc6441ce3c5
SHA1 730b27a1c92e8df1e60db5a6fc69ea1b24f68a69
SHA256 6d8d5a244bb5a23c95653853fec3d04d2bdd2df5cff8cffb9848bddeb6adb081
SHA512 f42be2a52d97fd1db2ed5a1a1a81a186a0aab41204980a103df33a4190632ba03f3cbb88fcea8da7ed9a5e15f60732d49a924b025fe6d3e623195ec1d37dfb35

\Users\Admin\AppData\Local\Xm2\Secur32.dll

MD5 5df98aec37418781e2aa1d1d1ee6ef83
SHA1 34f0fd4ec3d0f197952533bef3acf1f910755463
SHA256 4fa165665d098b688a54d6742639f5e44a287e2d6387c0f8c86a8a69eeefb311
SHA512 cb748a6974a255bff269cc49994083e860e1f6361dd4d292ae8a4a676de2f85393bc8fb999d8e789da22c55a9d422df0779d41dee4e2ab569a6a98e02dcf4485

C:\Users\Admin\AppData\Local\Xm2\Secur32.dll

MD5 84e5744aae7eae075666ca2ead7b6798
SHA1 79bbb86193d507ffbf9aa9d8b9eabafb6d9ce248
SHA256 c8703c71916de189b07637f9ebbbe414eb33debdc91d81f463592191bb4b9047
SHA512 bf9bf6a9d232a5150b47bf4f8ce8177ed4f55e8be174443b3f5f7ac31755e8191a7dcccb2af55a44ce50110591a516fc6769cc59c929f3343a0f16cc13dc21b2

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\yCQ41miA8\perfmon.exe

MD5 e485de53ce437a45e5d3463ee648e1ac
SHA1 c4404a4160de3bd0bb3781de5bb6ae7e60098d37
SHA256 cb73e11d6bba6713e047718b64240a8b09d110dfa032fc37796e003e55d4fb3d
SHA512 993ebb8b190e5d63abf516ab0bd05b8dbe0933deee0c00536f668c8bdf216a97275481824830780deb1993b9f669e217b46621a6a437b494b74d84adcfc41def

memory/1196-133-0x0000000077836000-0x0000000077837000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 be774044cc78cf0abaa85064fc734efd
SHA1 ad6610981fdfad37372c38d50c9fa01a26bc7bf3
SHA256 b27b5a75f62c2a6a5c678d1947b15b7c2582bd1e398be2462fbdb8663c0a14ac
SHA512 4be73b9e00f2f2123f2eb7a175311ede91ffc9d0449c10196dc04c1a9c0854fff2376735e49efe391524bb3c38fdc8087b9efb847603bf469f2d32aade9f8c5d

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\wvqGLVRC\XmlLite.dll

MD5 c113332801e08061281b6a5f62f7e1bd
SHA1 e75b03d36e3ea670978aff5ee971c9730171a14c
SHA256 0165a691a9ab37bacfd78ff06d125a4a80403e14ce7f97a2af1601f36575556d
SHA512 5e77525350fa687df75df0814acaa58906d2aef5527f930f4b42c1ca791ad5d01dd24df6df4e0d3883dd554afb20bb514b05d8e718470be73648fbedc248044b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\gskfRJB\DUI70.dll

MD5 a299cbaeecaa1ae87de43799544d222d
SHA1 23f4962226faf713ed83bbf0545dd50f3a2d014c
SHA256 5a68b867bf6e8cad76e832b9e55b1f193741da526a2be562abb6265de5631d53
SHA512 ae54423db57196278902ac61668743a901a919fdcd92b6d7a0e968be6e75ee1ff60ea36697c2bd822fb5b8f6eefc69c7f04fb781a22745d351386079f03a937e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\yCQ41miA8\Secur32.dll

MD5 c9f7f43566584afeb0efea06c8e3451e
SHA1 2cdd7ea1715b0ac9f6e51ae48030119efe05f34e
SHA256 107d1f936fa6689df6c71a4478ea1e155f183e2b9fea55d2a19a85804cf36f2f
SHA512 9496dbf0d6d0c9233f7ac3e1e36fcd2204f0f988ff4226c4401408af5ee5b83fac214aefe532b3a7bef931b8d98bd26aedd04c14b0282d7d92ab375d1fb6f426

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 20:54

Reported

2024-01-26 20:57

Platform

win10v2004-20231215-en

Max time kernel

152s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\785ce10521b549ee5b635b6aaebf7f7f.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\OQAs9mgz\\Magnify.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\sr19H\Magnify.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3520 wrote to memory of 864 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 3520 wrote to memory of 864 N/A N/A C:\Windows\system32\SystemPropertiesProtection.exe
PID 3520 wrote to memory of 4532 N/A N/A C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe
PID 3520 wrote to memory of 4532 N/A N/A C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe
PID 3520 wrote to memory of 636 N/A N/A C:\Windows\system32\Magnify.exe
PID 3520 wrote to memory of 636 N/A N/A C:\Windows\system32\Magnify.exe
PID 3520 wrote to memory of 4936 N/A N/A C:\Users\Admin\AppData\Local\sr19H\Magnify.exe
PID 3520 wrote to memory of 4936 N/A N/A C:\Users\Admin\AppData\Local\sr19H\Magnify.exe
PID 3520 wrote to memory of 2064 N/A N/A C:\Windows\system32\unregmp2.exe
PID 3520 wrote to memory of 2064 N/A N/A C:\Windows\system32\unregmp2.exe
PID 3520 wrote to memory of 1380 N/A N/A C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe
PID 3520 wrote to memory of 1380 N/A N/A C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\785ce10521b549ee5b635b6aaebf7f7f.dll,#1

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Windows\system32\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe

C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe

C:\Windows\system32\Magnify.exe

C:\Windows\system32\Magnify.exe

C:\Users\Admin\AppData\Local\sr19H\Magnify.exe

C:\Users\Admin\AppData\Local\sr19H\Magnify.exe

C:\Windows\system32\unregmp2.exe

C:\Windows\system32\unregmp2.exe

C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe

C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 152.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.178.17.96.in-addr.arpa udp

The only traffic in the 146 s network window is reverse (PTR) lookups through 8.8.8.8 for addresses in Microsoft and CDN ranges, consistent with Windows 10 background activity rather than the sample; no Dridex command-and-control traffic was captured in either run (the Windows 7 run recorded no network activity at all), so these addresses are not indicators of compromise and the loader's C2 list cannot be recovered from this report.

Files

memory/2428-0-0x0000000140000000-0x000000014019D000-memory.dmp

memory/2428-1-0x0000000140000000-0x000000014019D000-memory.dmp

memory/2428-2-0x00000177991B0000-0x00000177991B7000-memory.dmp

memory/3520-5-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/3520-6-0x00007FFE77E5A000-0x00007FFE77E5B000-memory.dmp

memory/3520-8-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-11-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-12-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-10-0x0000000140000000-0x000000014019D000-memory.dmp

memory/2428-9-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-13-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-14-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-17-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-16-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-15-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-18-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-19-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-20-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-21-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-22-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-23-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-24-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-25-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-27-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-26-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-28-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-29-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-30-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-31-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-32-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-34-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-35-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-36-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-37-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-38-0x0000000001350000-0x0000000001357000-memory.dmp

memory/3520-33-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-45-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-48-0x00007FFE789A0000-0x00007FFE789B0000-memory.dmp

memory/3520-55-0x0000000140000000-0x000000014019D000-memory.dmp

memory/3520-57-0x0000000140000000-0x000000014019D000-memory.dmp

C:\Users\Admin\AppData\Local\jvy\SystemPropertiesProtection.exe

MD5 26640d2d4fa912fc9a354ef6cfe500ff
SHA1 a343fd82659ce2d8de3beb587088867cf2ab8857
SHA256 a8ddf1b17b0cbc96a7eaedb0003aa7b1631da09ebfe85b387f8f630222511b37
SHA512 26162a3d9d4a8e3290dbcf6fe387b5c48ab1d9552aa02a38954649d877f408cb282e57580f81e15128e3a41da0eb58328d1d6253e1b57232f9a8cecdd99991dc

C:\Users\Admin\AppData\Local\jvy\SYSDM.CPL

MD5 4687de80f22c03b182cd5eaa50fd7547
SHA1 0cd5e596ef4a0a7f7f19878c6ceedb5288e71d06
SHA256 ff14a9e36a7e4b88cc53ef1150a1a897e41936947f8acd3076a0758380def005
SHA512 57771a509fffce35de8b0686528ff2852539c27b14663acb5d7546b9ee14df5d8b0a69126aa142dfc5496d10052a3bb20223d8909a7ba5c0c01002436135e4e1

memory/4532-66-0x0000000140000000-0x000000014019E000-memory.dmp

memory/4532-69-0x0000022F358A0000-0x0000022F358A7000-memory.dmp

memory/4532-73-0x0000000140000000-0x000000014019E000-memory.dmp

C:\Users\Admin\AppData\Local\sr19H\Magnify.exe

MD5 4029890c147e3b4c6f41dfb5f9834d42
SHA1 10d08b3f6dabe8171ca2dd52e5737e3402951c75
SHA256 57137f784594793dc0669042ccd3a71ddbfedeb77da6d97173d82613e08add4d
SHA512 dbdc60f8692f13c23dbed0b76e9c6758a5b413bd6aaf4e4d0ba74e69c0871eb759da95c3f85a31d972388b545dcf3bb8abbcbedd29a1e7e48c065130b98b893d

C:\Users\Admin\AppData\Local\sr19H\MAGNIFICATION.dll

MD5 b8b52c9e3c69c8de33ad11d612750590
SHA1 c2728c121a80fd03e75c1c4fd75dae89d9817ddf
SHA256 30f688aff1efced9538ce4f663de74f55c2525d81d93103aefeaa620077f570e
SHA512 037a736a4ec06b40c1d4a7a0fb11afeaf6134da4c9a53d92e34e1239d617b4bc4f98a1139a4aca2543a067e81ea4195295c583833da40ba225fe8eb5826da609

memory/4936-85-0x000002A6CE920000-0x000002A6CE927000-memory.dmp

memory/4936-90-0x0000000140000000-0x000000014019E000-memory.dmp

C:\Users\Admin\AppData\Local\VmImW0n4T\unregmp2.exe

MD5 a6fc8ce566dec7c5873cb9d02d7b874e
SHA1 a30040967f75df85a1e3927bdce159b102011a61
SHA256 21f41fea24dddc8a32f902af7b0387a53a745013429d8fd3f5fa6916eadc839d
SHA512 f83e17dd305eb1bc24cca1f197e2440f9b501eafb9c9d44ede7c88b1520030a87d059bdcb8eadeac1eaedabcbc4fe50206821965d73f0f6671e27edd55c01cbc

C:\Users\Admin\AppData\Local\VmImW0n4T\VERSION.dll

MD5 f5b89e13278cbc8bb4eda6b6a65acd49
SHA1 2a31a6d51d8db015713113f6937f2263b801368e
SHA256 b64ed8b5e6cbc720ce824bea0ae48e1ef9851501c99617a651ea39962371dc40
SHA512 6fbc016d6f18b1d5c00f58ce7694da194969621285687b227308d96399c0a856fe0d7f8a91e3c030be8e1b87a4da1454e2237196b4d02826cb8f55c8fecc93fb

memory/1380-106-0x000002754C280000-0x000002754C287000-memory.dmp

memory/1380-111-0x0000000140000000-0x000000014019E000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 32faeb7a0ba72a4f700326c6e8f5d3b3
SHA1 005395b4585649b331888953560da24517623ad8
SHA256 de71595fd4a6d05503a7cb0161139db6bf1ff23a4c922eb841b71a7e13c3955b
SHA512 cde5a8e50d0d0967fd9f30f4a021ff3164018ad42d7e2f089a79ff95399aacef5a9eb3be9505a40ca1e6892e91ea3677f168bb3056bf1f324ebd8812a73b7cc9
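The loader behaviour recorded in both runs (a System32 binary relaunched from a copy under AppData, a dropped DLL loaded from that copy's directory, a Run value and a Startup-folder .lnk pointing under the user profile, rundll32 writing into a System32 process) can be hunted in endpoint telemetry without the sample hash. The Python below is an added example written for this page, not part of the sandbox output or of any detection product. It runs five rules over a handful of constructed, Sysmon-shaped events: simplified dicts with invented field names (type, pid, image, image_loaded, target, data, target_image, granted) built from the paths and PIDs in this report, plus two benign controls. The baseline of "system binary names" is derived from the log itself rather than from a curated list; that is an assumption that holds here because the loader launches the genuine binary first.

```python
"""Hunting rules for the loader chain in this report, run over constructed,
Sysmon-shaped events.  Editor's added example; not sandbox output.  Event
dicts use invented field names that stand in for the Sysmon fields of the
same meaning."""
from __future__ import annotations
import ntpath
from dataclasses import dataclass

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# PROCESS_VM_OPERATION | PROCESS_VM_WRITE: the rights WriteProcessMemory needs.
VM_WRITE = 0x0008 | 0x0020


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def _in_windows(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIRS)


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _base(path: str) -> str:
    return ntpath.basename(path.lower())


def hunt(events: list[dict]) -> list[Finding]:
    """Return one Finding per matching event, in event order."""
    findings: list[Finding] = []
    # Assumption: the genuine binary runs from System32 earlier in the same
    # log (it does in this report), so its name can seed the baseline.
    system_names = {_base(e["image"]) for e in events
                    if e["type"] == "ProcessCreate" and _in_windows(e["image"])}
    relocated: dict[int, str] = {}  # pid -> directory of a relocated copy

    for e in events:
        kind, pid = e["type"], e["pid"]
        if kind == "ProcessCreate":
            img = e["image"]
            if _base(img) in system_names and not _in_windows(img) and _user_writable(img):
                relocated[pid] = ntpath.dirname(img.lower())
                findings.append(Finding("system_binary_copy_outside_windows", pid, img))
        elif kind == "ImageLoad":
            # A DLL loaded from the same directory as a relocated copy is the
            # side-loaded payload; System32 DLLs loaded by the copy are normal.
            if pid in relocated and ntpath.dirname(e["image_loaded"].lower()) == relocated[pid]:
                findings.append(Finding("dll_sideload_from_copy_dir", pid, e["image_loaded"]))
        elif kind == "RegistrySet":
            if RUN_KEY in e["target"].lower() and _user_writable(e["data"]):
                findings.append(Finding("run_key_to_user_writable_path", pid, e["data"]))
        elif kind == "ProcessAccess":
            if (e["granted"] & VM_WRITE) == VM_WRITE and _base(e["image"]) == "rundll32.exe" \
                    and _in_windows(e["target_image"]):
                findings.append(Finding("rundll32_writes_system_process", pid, e["target_image"]))
        elif kind == "FileCreate":
            tgt = e["target"].lower()
            if "\\programs\\startup\\" in tgt and tgt.endswith(".lnk") and _base(e["image"]) != "explorer.exe":
                findings.append(Finding("startup_lnk_dropped", pid, e["target"]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, for triage dashboards and for the checks below."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed events rebuilt from this report's paths and PIDs (Windows 7 run,
# then Windows 10 run), plus two benign controls.  Not a real Sysmon export.
RD32 = r"C:\Windows\system32\rundll32.exe"
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1196, "image": RD32},
    {"type": "ProcessCreate", "pid": 2684, "image": r"C:\Windows\system32\ddodiag.exe"},
    {"type": "ProcessAccess", "pid": 1196, "image": RD32,
     "target_image": r"C:\Windows\system32\ddodiag.exe", "granted": 0x1FFFFF},
    {"type": "ProcessCreate", "pid": 3052, "image": r"C:\Users\Admin\AppData\Local\mWsxs\ddodiag.exe"},
    {"type": "ImageLoad", "pid": 3052, "image_loaded": r"C:\Users\Admin\AppData\Local\mWsxs\XmlLite.dll"},
    {"type": "ImageLoad", "pid": 3052, "image_loaded": r"C:\Windows\system32\kernel32.dll"},
    {"type": "RegistrySet", "pid": 1196,
     "target": r"HKU\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm",
     "data": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\gskfRJB\Utilman.exe"},
    {"type": "FileCreate", "pid": 1196, "image": RD32,
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tiizeasb.lnk"},
    {"type": "ProcessCreate", "pid": 636, "image": r"C:\Windows\system32\Magnify.exe"},
    {"type": "ProcessCreate", "pid": 4936, "image": r"C:\Users\Admin\AppData\Local\sr19H\Magnify.exe"},
    {"type": "ImageLoad", "pid": 4936, "image_loaded": r"C:\Users\Admin\AppData\Local\sr19H\MAGNIFICATION.dll"},
    {"type": "ProcessCreate", "pid": 900, "image": r"C:\Windows\system32\notepad.exe"},
    {"type": "ImageLoad", "pid": 900, "image_loaded": r"C:\Windows\system32\ntdll.dll"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:36} pid={f.pid:<5} {f.detail}")
```

On the sample events this yields seven findings: the rundll32 write into the genuine ddodiag.exe, the two relocated copies (ddodiag.exe, Magnify.exe), the two DLLs loaded beside them (XmlLite.dll, MAGNIFICATION.dll), the Run value under AppData\Roaming and the Startup .lnk; the notepad.exe control and the copy's load of kernel32.dll from System32 produce nothing. In production replace the in-log baseline with an allow-list of System32 image names and hashes, and add any other user-writable roots your estate uses. The access-mask test mirrors the GrantedAccess field of Sysmon event 10: PROCESS_VM_OPERATION (0x8) and PROCESS_VM_WRITE (0x20) are the rights WriteProcessMemory requires, and the sandbox's "wrote to memory of" rows correspond to exactly that pair.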