Malware Analysis Report

2024-11-13 16:42

Sample ID 240127-srfshaefe8
Target 7a96d67a18be2760a733a25afcbe0987
SHA256 322fdc6d77dfe2aaf96c4075f9798da0709dc4418400f9c15171be24360fed1c
Tags
dridex botnet evasion payload persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

322fdc6d77dfe2aaf96c4075f9798da0709dc4418400f9c15171be24360fed1c

Threat Level: Known bad

The file 7a96d67a18be2760a733a25afcbe0987 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-27 15:21

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 15:21

Reported

2024-01-27 15:23

Platform

win7-20231215-en

Max time kernel

150s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7a96d67a18be2760a733a25afcbe0987.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\6y7qG\spreview.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\M9RwH\\FXSCOVER.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6y7qG\spreview.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1264 wrote to memory of 2696 N/A N/A C:\Windows\system32\spreview.exe
PID 1264 wrote to memory of 2696 N/A N/A C:\Windows\system32\spreview.exe
PID 1264 wrote to memory of 2696 N/A N/A C:\Windows\system32\spreview.exe
PID 1264 wrote to memory of 2072 N/A N/A C:\Users\Admin\AppData\Local\6y7qG\spreview.exe
PID 1264 wrote to memory of 2072 N/A N/A C:\Users\Admin\AppData\Local\6y7qG\spreview.exe
PID 1264 wrote to memory of 2072 N/A N/A C:\Users\Admin\AppData\Local\6y7qG\spreview.exe
PID 1264 wrote to memory of 2872 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1264 wrote to memory of 2872 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1264 wrote to memory of 2872 N/A N/A C:\Windows\system32\FXSCOVER.exe
PID 1264 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe
PID 1264 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe
PID 1264 wrote to memory of 2884 N/A N/A C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe
PID 1264 wrote to memory of 268 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1264 wrote to memory of 268 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1264 wrote to memory of 268 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1264 wrote to memory of 1548 N/A N/A C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe
PID 1264 wrote to memory of 1548 N/A N/A C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe
PID 1264 wrote to memory of 1548 N/A N/A C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7a96d67a18be2760a733a25afcbe0987.dll

C:\Windows\system32\spreview.exe

C:\Windows\system32\spreview.exe

C:\Users\Admin\AppData\Local\6y7qG\spreview.exe

C:\Users\Admin\AppData\Local\6y7qG\spreview.exe

C:\Windows\system32\FXSCOVER.exe

C:\Windows\system32\FXSCOVER.exe

C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe

C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe

C:\Windows\system32\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe

C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\6y7qG\spreview.exe

\Users\Admin\AppData\Local\6y7qG\sqmapi.dll

C:\Users\Admin\AppData\Local\6y7qG\sqmapi.dll

\Users\Admin\AppData\Local\6y7qG\spreview.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\EJUTOJ\spreview.exe

\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe

C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe

\Users\Admin\AppData\Local\wM37uuni\MFC42u.dll

C:\Users\Admin\AppData\Local\wM37uuni\MFC42u.dll

C:\Users\Admin\AppData\Local\wM37uuni\FXSCOVER.exe

C:\Users\Admin\AppData\Local\JHrxz\WINMM.dll

C:\Users\Admin\AppData\Local\JHrxz\dpnsvr.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatCache\EJUTOJ\sqmapi.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\M9RwH\MFC42u.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 15:21

Reported

2024-01-27 15:23

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

151s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7a96d67a18be2760a733a25afcbe0987.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\5mpUklxar\\tabcal.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7NrsZvKmB\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ATBugJZ\tabcal.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\86Q5p7Uu\SystemPropertiesComputerName.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3524 wrote to memory of 4944 N/A N/A C:\Windows\system32\sethc.exe
PID 3524 wrote to memory of 4944 N/A N/A C:\Windows\system32\sethc.exe
PID 3524 wrote to memory of 3380 N/A N/A C:\Users\Admin\AppData\Local\7NrsZvKmB\sethc.exe
PID 3524 wrote to memory of 3380 N/A N/A C:\Users\Admin\AppData\Local\7NrsZvKmB\sethc.exe
PID 3524 wrote to memory of 4528 N/A N/A C:\Windows\system32\tabcal.exe
PID 3524 wrote to memory of 4528 N/A N/A C:\Windows\system32\tabcal.exe
PID 3524 wrote to memory of 892 N/A N/A C:\Users\Admin\AppData\Local\ATBugJZ\tabcal.exe
PID 3524 wrote to memory of 892 N/A N/A C:\Users\Admin\AppData\Local\ATBugJZ\tabcal.exe
PID 3524 wrote to memory of 680 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 3524 wrote to memory of 680 N/A N/A C:\Windows\system32\SystemPropertiesComputerName.exe
PID 3524 wrote to memory of 3756 N/A N/A C:\Users\Admin\AppData\Local\86Q5p7Uu\SystemPropertiesComputerName.exe
PID 3524 wrote to memory of 3756 N/A N/A C:\Users\Admin\AppData\Local\86Q5p7Uu\SystemPropertiesComputerName.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7a96d67a18be2760a733a25afcbe0987.dll

C:\Windows\system32\sethc.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\7NrsZvKmB\sethc.exe

C:\Users\Admin\AppData\Local\7NrsZvKmB\sethc.exe

C:\Windows\system32\tabcal.exe

C:\Windows\system32\tabcal.exe

C:\Users\Admin\AppData\Local\ATBugJZ\tabcal.exe

C:\Users\Admin\AppData\Local\ATBugJZ\tabcal.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Windows\system32\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\86Q5p7Uu\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Local\86Q5p7Uu\SystemPropertiesComputerName.exe

Network


Files

C:\Users\Admin\AppData\Local\7NrsZvKmB\sethc.exe

C:\Users\Admin\AppData\Local\7NrsZvKmB\OLEACC.dll

C:\Users\Admin\AppData\Local\ATBugJZ\tabcal.exe

C:\Users\Admin\AppData\Local\ATBugJZ\HID.DLL

C:\Users\Admin\AppData\Local\ATBugJZ\tabcal.exe

C:\Users\Admin\AppData\Local\86Q5p7Uu\SYSDM.CPL

C:\Users\Admin\AppData\Local\86Q5p7Uu\SystemPropertiesComputerName.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk