Analysis Overview
SHA256
6e2ba94de342be1b5ed71468cb2628106a823c38419cbb3fc6f612465523853b
Threat Level: Known bad
The file 7c0b7776d8e7e775fb646f2bf3c91c46 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-28 03:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-28 03:36
Reported
2024-01-28 03:39
Platform
win7-20231215-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\eivoq6h\osk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\eivoq6h\osk.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\ctmlmJox\\unregmp2.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\eivoq6h\osk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c0b7776d8e7e775fb646f2bf3c91c46.dll,#1
C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe
C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\SystemPropertiesAdvanced.exe
C:\Windows\system32\unregmp2.exe
C:\Windows\system32\unregmp2.exe
C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe
C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe
C:\Windows\system32\osk.exe
C:\Windows\system32\osk.exe
C:\Users\Admin\AppData\Local\eivoq6h\osk.exe
C:\Users\Admin\AppData\Local\eivoq6h\osk.exe
Network
Files
memory/2636-0-0x0000000000290000-0x0000000000297000-memory.dmp
memory/2636-1-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-4-0x00000000773A6000-0x00000000773A7000-memory.dmp
memory/1256-5-0x00000000029A0000-0x00000000029A1000-memory.dmp
memory/1256-7-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-12-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-14-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-17-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-16-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-18-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-22-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-23-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-26-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-28-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-31-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-35-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-39-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-41-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-43-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-44-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-47-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-49-0x0000000001CD0000-0x0000000001CD7000-memory.dmp
memory/1256-48-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-46-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-45-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-56-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-42-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-61-0x0000000077710000-0x0000000077712000-memory.dmp
memory/1256-57-0x00000000775B1000-0x00000000775B2000-memory.dmp
memory/1256-67-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-40-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-38-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-37-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-70-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-36-0x0000000140000000-0x00000001401C9000-memory.dmp
\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe
| MD5 | 45f90408b91d3ad51f833969944f4a9c |
| SHA1 | 05f4a31c17ff91aa13385454c7206889eef7c31f |
| SHA256 | 29ce6f9219d5fad505e2f032e4bec4a03968e1d0793ad2b19391e21a4a7e543d |
| SHA512 | 6a8944c1c67b874fcc538c7fd05e90877f629f1f04e3e61810913c0a8aaccd1bac5a8cfcc58ae09bed8b6ec0c41ec36b5d5a9f6826d2616f9ff5ec15de460344 |
C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe
| MD5 | 37fa7da4810c10f5940564ccf5fdfdbc |
| SHA1 | b6ac471b0670f87fd8578058e883a31135913a68 |
| SHA256 | 9e05ddd9044df09a49082ed9fd01cf7429bb692a58a683dfcba63724f06cdd03 |
| SHA512 | 8fb8314bc2854aaaa0a5355b84840a61b4a725ab6aeb603630df25b8cd27e1cf3f7370ef599b845b5e8356182c259c6c7e1769b60a76caf95f4a4c599fe8b640 |
memory/1256-34-0x0000000140000000-0x00000001401C9000-memory.dmp
C:\Users\Admin\AppData\Local\Br0Ir\SYSDM.CPL
| MD5 | 75b461a9f3af80e9e9bb2a813a74c6d6 |
| SHA1 | dbaa791cff9c1c84a54997f3f51a4d7e8d0b0bca |
| SHA256 | 717aded95a6154f66c1e93a592023422c6d72279e555afa328f5362215f51941 |
| SHA512 | 7be3af8cdbe42b42a574c781782bb4dbdfa16ebf3340a823050f7946fee9d7ea4df6047b6fb6453e4a0eee75927539d1db74509bd74033503582609a1e15477f |
memory/1256-33-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-32-0x0000000140000000-0x00000001401C9000-memory.dmp
\Users\Admin\AppData\Local\Br0Ir\SYSDM.CPL
| MD5 | 444a96a1e3459b278e9e68814e9582df |
| SHA1 | 52cca8c4f69b253e3b35d0ed977dcfb06a83fd22 |
| SHA256 | fc64041f6d9f703ff981d77677d3010ed4ed4ba5d2477c0110f050897a07c435 |
| SHA512 | 84b10b41ca2997a549382c5469c1b4a4ac3ebe7bbc0c06089ddfe57e2580bfe7597e01333641dbb970e50309bb3f38ac8700463727860a2024030cd9602aa14d |
memory/1940-85-0x0000000000280000-0x0000000000287000-memory.dmp
memory/1256-30-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-29-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-27-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-25-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-24-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-21-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-20-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-19-0x0000000140000000-0x00000001401C9000-memory.dmp
C:\Users\Admin\AppData\Local\Br0Ir\SystemPropertiesAdvanced.exe
| MD5 | 116309b2d3057eb5f87fc4a85aaa51db |
| SHA1 | 9d4f18a8b693e607e296c30cf9912c81b06ee586 |
| SHA256 | 21b6d6fb58972dc05623ea606bc0533d7db3cdee2617446ae5468e5b944ceacc |
| SHA512 | 530ca913aaeef8f4c7a8dccea966e229bb15c65c8e809e3d4eed75ef4661d80b5c5e7ceef6099f393cc79f0c20050cea50bb80e045ad1038d569cdac157c2687 |
memory/1256-15-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-13-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-11-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-10-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/1256-9-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/2636-8-0x0000000140000000-0x00000001401C9000-memory.dmp
C:\Users\Admin\AppData\Local\mOzU881s\VERSION.dll
| MD5 | a0c3afb4c22a779a54bb07eaad989fc6 |
| SHA1 | 2a373e462226635beb5078acfec8460968e04cc8 |
| SHA256 | 70aa4b43a770d3339ebf444b82daca28c875a7cb432f3bb37a79a834fac86cff |
| SHA512 | 9e2fd9e548dec8499113547cdcdde7b8e25ae7fcf3272918fc9fb1ea8c1cfde9c5798aef8f1ae627f429f6c9fb5e72062697e25d69a8330c7c5071c2b74caa4c |
\Users\Admin\AppData\Local\mOzU881s\VERSION.dll
| MD5 | 59a73b4f1869e38996cf4f67b8986833 |
| SHA1 | aad59f2bd204f2e958b340dd8b8d2c04d9a91f51 |
| SHA256 | ddc528a7bc1065b5f09774be1ffd72320df2821440ef746e96468ef6a5b43185 |
| SHA512 | 92de5db32c9d6006359282ab8193846d1625d1ecce1c583fcad52d6fa6834f610a206e5ee75718078655dd1a475b17e837cc85b0252b8b6e82cd35dae875b55e |
memory/2844-103-0x0000000000170000-0x0000000000177000-memory.dmp
C:\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe
| MD5 | fc25e5af88252293ccefbc61e065ba5f |
| SHA1 | e598ec93f597d2337c53d3d8a712f48cd4d9d291 |
| SHA256 | 1c88b47094b366e8597f5776fb59a9820ee853c596071616b855835b5b47f31c |
| SHA512 | a1c6543ebe3c0bf4c5ab9c1d177a5dab2903372ce5bb191bddde57a099bcd96afbe3aaee47cb522fa38221222a2e642e02f9d922ca441d791ea3f639196469d0 |
\Users\Admin\AppData\Local\mOzU881s\unregmp2.exe
| MD5 | 59b2ae056c8e8b18a1026f60010a13ff |
| SHA1 | bfb1fa267f389316a4449dfca684d7adcd541b5a |
| SHA256 | e78e644b7c05376b3c43ae352aafb24883aefdfc8170eb4acc88d5af08219632 |
| SHA512 | 7c08798720f96fc74e3e14d9253fb0025ad45c01cba7fe8e28af809c35d4b5cb97c262eb055f2d5fe1cd42c62ab527593d938f169205d8477010e9143386c02b |
C:\Users\Admin\AppData\Local\eivoq6h\dwmapi.dll
| MD5 | 1bc43672b3459c229aa2e7912a46a5ae |
| SHA1 | 2bd87532355190d3daed7d11e81eec25ac726e26 |
| SHA256 | 8ac3f9b9f46f58630647fa8a6fd0dea1298b737edbd5dc415f8550581ac765a1 |
| SHA512 | 6cc989428cd12c18e9b898f47d8f7dc1f65dd501ab2462bb2a4b84745965ac7ea3375478b03373e65d75b928b87e1b11ffb322175df7c632767eab90dbc0fdb6 |
\Users\Admin\AppData\Local\eivoq6h\dwmapi.dll
| MD5 | 9a8a38f5e4cc9a1a18b74d5c183cee84 |
| SHA1 | 4fd8fdd3fa7fcc5a891cfb1dac2fc1fa84c6e79a |
| SHA256 | e55a4b6f68759d4d6f2ec2f9e8cb431ebf0f789bdd2b055e3b1374fc6bc09be1 |
| SHA512 | ec92ec336bd4887e8fcaecc01d78e6a52066f671a848797b6f3c2f4ba9245266a16949ddeb2da8b51dee378d769f7897230579c51758ca8c9066a3bec908b7dd |
memory/308-121-0x00000000000F0000-0x00000000000F7000-memory.dmp
C:\Users\Admin\AppData\Local\eivoq6h\osk.exe
| MD5 | 9ebbb090e274558004a628467ac6829e |
| SHA1 | 6912d669a25a9d1c5ad1e45cdb4d5359fcf82cd3 |
| SHA256 | 7973f8f27c13a5b18841cb9a5ee5ec00c09ac47a7f47d2787268126e002c54ad |
| SHA512 | 05b9458f14bc77602586a69164288c2dd40aed6937aea53f895a15c764aec86cff9f545dae618fe2d5fd84adc21cb9157c3bca12fc01f24910770155c81aaeae |
\Users\Admin\AppData\Local\eivoq6h\osk.exe
| MD5 | da39d6556bc0c1e94e793743297ef02d |
| SHA1 | 4927986cae0f07715ee14b76c973969ee1777d9f |
| SHA256 | 2a4a2c39fb527095835427a02b52cce8f433e8479b8b1306c7e3989d2d4c90c0 |
| SHA512 | a1c94acf63ecb432f66ebd69cc88ce1c580c12b4320167f19e017f556c7a680b8df555f5bbecdc3c2a7564bcfab27dcefec87701a0ff887a5a68c5b9aa9e08a2 |
C:\Users\Admin\AppData\Local\eivoq6h\osk.exe
| MD5 | c4441d3cb133ddfb35b1f0be187be9aa |
| SHA1 | 4fc63540806d93be1ca70587a17ec7091877e9db |
| SHA256 | 710c4f7984f78e7af0bea6193193483b3aa1a963174d154b5ca3da69bb243dcb |
| SHA512 | 57da2a5f58f5793d1a0cd0634b40b820a8e1c4fbe0379f75a56f20978343c601cbc7cc2f649ee841a24426f972e4d5c2525c4caca0d4ce8338f2fb260f15ffc2 |
\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\KShaY\osk.exe
| MD5 | 98a9be6237792bda26f6d26de3d8f278 |
| SHA1 | 8fdd1941b3da2a2e4eceda5e42198e9d738ac6ad |
| SHA256 | 8497de5d8fce79d15614872e421fa77839b5d9791c8157c8473180d6bb01fd5f |
| SHA512 | 8228fd0b07ecfc88231cc94de21799c886826091eae0d4cb811b60a2c1d4b4d05fc8d7566f4f73a41655b8efc94442044c3ef28c060d5da3731d27bcc75ca435 |
memory/1256-149-0x00000000773A6000-0x00000000773A7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk
| MD5 | 60dd1aa885393ea7cb7d058951f921f2 |
| SHA1 | 125567b1f3970fa93a55fea6bb027ae9f80f5d6f |
| SHA256 | 625c739a61eac29e48b95eded3ad7614418fda1c00e87e8d1d953ebed16a0867 |
| SHA512 | d61e421869898df6036cb4805087bacb490d78c318a855814517402e11b12468dceda828fa2bd995e599eabfbc7464df62a7d9bca55ba050380639a693e20d8b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\GKk\SYSDM.CPL
| MD5 | 48488d6df62d162c9c6de917807207cc |
| SHA1 | c5b01a5d30c04be29fa047536f8591cfdd5a3a97 |
| SHA256 | b364e12a918f82e2ac8c20bba2ae76cec350f777f0bc1b5ad849dfb3d781536e |
| SHA512 | 6fd9a7fd9585a192de9753c4d334a95e810ccab4e231dbf136c3f44a89678d7c12d1fe2c18ea40d65f1600cd1e21e9fc118b4476221f4ef90ce5358a4f8a45a8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\ctmlmJox\VERSION.dll
| MD5 | 31cbfb419d45a55b51b3bc4341ca1cbb |
| SHA1 | 0bc84059d3637468774bc6765900cb0b1b995c52 |
| SHA256 | 7be7a1fa881efc6c9f24bc800c37ab0018836d986625b5478b613a5eb6e7f559 |
| SHA512 | f72f73043aaa32ef16508abd0c258f86ace5400c2d320ef3ae5e80b26b34a1556da27dbdde093c1695aaedd6ca611f35ded760d2fc405763a5c3082a1c9ef6ab |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\KShaY\dwmapi.dll
| MD5 | 130fde09bb8e2fa3449dc0ea08f93eee |
| SHA1 | 88258ca50d9080b0a223ba437b6d5dca1f38f6db |
| SHA256 | e3d3a199ddc4e17ca0327b8985dce74078d3714892b888fcd6672818edc98a7c |
| SHA512 | 13dbd06feda0f1424bc87a351198c5e48c00c3adcf3d9d944b8c0d5c91fe7b3d3e10d7045296c4d4b788ec15904bb09e8fb6775d2840148b67710cde2d692c50 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-28 03:36
Reported
2024-01-28 03:39
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
152s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\43C\AtBroker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\43C\AtBroker.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\MAINTE~1\\SGVLdslV\\BdeUISrv.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\43C\AtBroker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3408 wrote to memory of 4624 | N/A | N/A | C:\Windows\system32\tabcal.exe |
| PID 3408 wrote to memory of 4624 | N/A | N/A | C:\Windows\system32\tabcal.exe |
| PID 3408 wrote to memory of 4636 | N/A | N/A | C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe |
| PID 3408 wrote to memory of 4636 | N/A | N/A | C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe |
| PID 3408 wrote to memory of 4400 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe |
| PID 3408 wrote to memory of 4400 | N/A | N/A | C:\Windows\system32\BdeUISrv.exe |
| PID 3408 wrote to memory of 4896 | N/A | N/A | C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe |
| PID 3408 wrote to memory of 4896 | N/A | N/A | C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe |
| PID 3408 wrote to memory of 2952 | N/A | N/A | C:\Windows\system32\AtBroker.exe |
| PID 3408 wrote to memory of 2952 | N/A | N/A | C:\Windows\system32\AtBroker.exe |
| PID 3408 wrote to memory of 960 | N/A | N/A | C:\Users\Admin\AppData\Local\43C\AtBroker.exe |
| PID 3408 wrote to memory of 960 | N/A | N/A | C:\Users\Admin\AppData\Local\43C\AtBroker.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c0b7776d8e7e775fb646f2bf3c91c46.dll,#1
C:\Windows\system32\tabcal.exe
C:\Windows\system32\tabcal.exe
C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe
C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe
C:\Windows\system32\BdeUISrv.exe
C:\Windows\system32\BdeUISrv.exe
C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe
C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe
C:\Windows\system32\AtBroker.exe
C:\Windows\system32\AtBroker.exe
C:\Users\Admin\AppData\Local\43C\AtBroker.exe
C:\Users\Admin\AppData\Local\43C\AtBroker.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
memory/5028-1-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/5028-0-0x0000021ED6110000-0x0000021ED6117000-memory.dmp
memory/3408-4-0x0000000001260000-0x0000000001261000-memory.dmp
memory/3408-6-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-8-0x00007FFD96C5A000-0x00007FFD96C5B000-memory.dmp
memory/3408-7-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-9-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-10-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-12-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-13-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-14-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/5028-18-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-19-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-17-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-16-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-21-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-20-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-22-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-23-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-24-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-15-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-11-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-25-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-26-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-27-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-28-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-29-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-30-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-31-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-32-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-33-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-34-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-35-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-36-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-37-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-38-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-39-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-40-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-41-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-42-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-43-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-44-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-45-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-46-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-47-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-49-0x0000000001240000-0x0000000001247000-memory.dmp
memory/3408-48-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-56-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-57-0x00007FFD97820000-0x00007FFD97830000-memory.dmp
memory/3408-66-0x0000000140000000-0x00000001401C9000-memory.dmp
memory/3408-68-0x0000000140000000-0x00000001401C9000-memory.dmp
C:\Users\Admin\AppData\Local\KgDgCLleX\tabcal.exe
| MD5 | 40f4014416ff0cbf92a9509f67a69754 |
| SHA1 | 1798ff7324724a32c810e2075b11c09b41e4fede |
| SHA256 | f31b4c751dbca276446119ba775787c3eb032da72eabcd40ad96a55826a3f33c |
| SHA512 | 646dfe4cfe90d068c3da4c35f7053bb0f57687875a0f3469c0683e707306e6a42b0baca3e944d78f9be5c564bb0600202c32c223a770f89d3e2b07a24673c259 |
C:\Users\Admin\AppData\Local\KgDgCLleX\HID.DLL
| MD5 | d3612bc6eee20a2ff7cda0181c1a58b5 |
| SHA1 | ddac83dabd84c2703264d37bb06e5b12fb16eb02 |
| SHA256 | 9eccf2ac1cac8c0627a5a49f32327646540d11bd9665521b79264985adeea6b9 |
| SHA512 | d4211df62162c1910abd224d161c1c0036542af07fab092c70faa3ed1747062712eafc22dd002af0ce205db9828facee8288c50ec5a5b203d8eb990e0e1f6e76 |
memory/4636-77-0x0000000140000000-0x00000001401CA000-memory.dmp
memory/4636-78-0x0000020F3DEA0000-0x0000020F3DEA7000-memory.dmp
memory/4636-83-0x0000000140000000-0x00000001401CA000-memory.dmp
C:\Users\Admin\AppData\Local\ps3g\BdeUISrv.exe
| MD5 | 8595075667ff2c9a9f9e2eebc62d8f53 |
| SHA1 | c48b54e571f05d4e21d015bb3926c2129f19191a |
| SHA256 | 20b05c77f898be08737082e969b39f54fa39753c8c0a06142eb7ad5e0764a2db |
| SHA512 | 080dbcdd9234c07efe6cea4919ffa305fdc381ccebed9d1020dd6551b54e20e52387e62a344502fa4a85249defd0f9b506528b8dd34675bc9f51f664b8fc4d88 |
C:\Users\Admin\AppData\Local\ps3g\WTSAPI32.dll
| MD5 | b02cdb5b656541cb78958d358d40dc6f |
| SHA1 | 084ecd4932aa300c9d711f15ca3e49adc1fabb1f |
| SHA256 | ae0e4c90b8c07841001790b6caf1ed3eac1cae74bf0bdf244824c027be780099 |
| SHA512 | ed2e305d379ca352027e497a6e2ea9faffcb0fac48f7961de763e5051d6cc70b7112b86c44d9cc4c84cd5a8aea40bf28095493ca5e5a7577e8c45e7d579c1800 |
memory/4896-96-0x0000012A3D710000-0x0000012A3D717000-memory.dmp
C:\Users\Admin\AppData\Local\43C\AtBroker.exe
| MD5 | 30076e434a015bdf4c136e09351882cc |
| SHA1 | 584c958a35e23083a0861421357405afd26d9a0c |
| SHA256 | ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd |
| SHA512 | 675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024 |
C:\Users\Admin\AppData\Local\43C\UxTheme.dll
| MD5 | e1869764e0d2e79ca1973f305fb88cfa |
| SHA1 | 553ca6ac4c5e43d069b7b82cecd45b07cf981063 |
| SHA256 | 6098597b8235df47ef83d204c96f3056310691690796fb2fb187837db67d6f39 |
| SHA512 | a35f1fa6ad9dd9c2466f40adb8f428b7b436c08216f3d0b62a53fd4c465192fc34594e726d6d53a410fa67511bf56600bbc6b1fc51d47d4a9dbd265db6d829dd |
memory/960-113-0x000001AC7CA00000-0x000001AC7CA07000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | f21166e7f65374f6120da87470359c0b |
| SHA1 | 9a669feda974eb2c1c5d685d6aadd7319ede2e49 |
| SHA256 | 63fe54526deaf8292d3d23ebcf47a672f1d5b2305bc317428533e10a58e9a0b4 |
| SHA512 | 988074f9e7b5d44df3c347580bb32434b2a4d13d07454b29528883973ecf6b950a8d47e7eea40c2a752e6d2b925cf118e8c9b82d718ba0208053f275d45a6b8b |