Malware Analysis Report

2024-11-13 16:41

Sample ID 240127-pg4vssdfgn
Target 7a3a76153e2caa54fc663d0fdc121d17
SHA256 4566f8ee1f24d26293566ff8f5bd093244cd716536def070a0cc36ef83be64dd
Tags
dridex botnet evasion payload persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

4566f8ee1f24d26293566ff8f5bd093244cd716536def070a0cc36ef83be64dd

Threat Level: Known bad

The file 7a3a76153e2caa54fc663d0fdc121d17 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-27 12:18

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 12:18

Reported

2024-01-27 12:21

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a3a76153e2caa54fc663d0fdc121d17.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\ZXcjph763\javaws.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\F27T8lB6\sethc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\scHWaI\DevicePairingWizard.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\BBvDswG\\sethc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ZXcjph763\javaws.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\F27T8lB6\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\scHWaI\DevicePairingWizard.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 1876 N/A N/A C:\Windows\system32\javaws.exe
PID 1276 wrote to memory of 108 N/A N/A C:\Users\Admin\AppData\Local\ZXcjph763\javaws.exe
PID 1276 wrote to memory of 1668 N/A N/A C:\Windows\system32\sethc.exe
PID 1276 wrote to memory of 2416 N/A N/A C:\Users\Admin\AppData\Local\F27T8lB6\sethc.exe
PID 1276 wrote to memory of 1008 N/A N/A C:\Windows\system32\DevicePairingWizard.exe
PID 1276 wrote to memory of 1868 N/A N/A C:\Users\Admin\AppData\Local\scHWaI\DevicePairingWizard.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a3a76153e2caa54fc663d0fdc121d17.dll,#1

C:\Windows\system32\javaws.exe

C:\Users\Admin\AppData\Local\ZXcjph763\javaws.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\F27T8lB6\sethc.exe

C:\Windows\system32\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\scHWaI\DevicePairingWizard.exe

Network

N/A

Files

\Users\Admin\AppData\Local\ZXcjph763\javaws.exe

C:\Users\Admin\AppData\Local\ZXcjph763\VERSION.dll

C:\Users\Admin\AppData\Local\F27T8lB6\sethc.exe

C:\Users\Admin\AppData\Local\F27T8lB6\UxTheme.dll

\Users\Admin\AppData\Local\scHWaI\DevicePairingWizard.exe

C:\Users\Admin\AppData\Local\scHWaI\MFC42u.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 12:18

Reported

2024-01-27 12:21

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a3a76153e2caa54fc663d0fdc121d17.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\TaskBar\\8wJ0BYT\\BITLOC~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\rI0CG6efH\SystemPropertiesAdvanced.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6XTLQ\BitLockerWizardElev.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LY8KCin\msra.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3296 wrote to memory of 3508 N/A N/A C:\Windows\system32\SystemPropertiesAdvanced.exe
PID 3296 wrote to memory of 2556 N/A N/A C:\Users\Admin\AppData\Local\rI0CG6efH\SystemPropertiesAdvanced.exe
PID 3296 wrote to memory of 2896 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 3296 wrote to memory of 4856 N/A N/A C:\Users\Admin\AppData\Local\6XTLQ\BitLockerWizardElev.exe
PID 3296 wrote to memory of 2880 N/A N/A C:\Windows\system32\msra.exe
PID 3296 wrote to memory of 3992 N/A N/A C:\Users\Admin\AppData\Local\LY8KCin\msra.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7a3a76153e2caa54fc663d0fdc121d17.dll,#1

C:\Windows\system32\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\rI0CG6efH\SystemPropertiesAdvanced.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\6XTLQ\BitLockerWizardElev.exe

C:\Windows\system32\msra.exe

C:\Users\Admin\AppData\Local\LY8KCin\msra.exe

Network


Files

C:\Users\Admin\AppData\Local\rI0CG6efH\SYSDM.CPL

C:\Users\Admin\AppData\Local\rI0CG6efH\SystemPropertiesAdvanced.exe

C:\Users\Admin\AppData\Local\6XTLQ\FVEWIZ.dll

C:\Users\Admin\AppData\Local\6XTLQ\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\LY8KCin\msra.exe

C:\Users\Admin\AppData\Local\LY8KCin\NDFAPI.DLL

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\nsS3StjpZWj\SYSDM.CPL

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\8wJ0BYT\FVEWIZ.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\CloudStore\jaTILllj\NDFAPI.DLL
