Analysis Overview
SHA256
ac5e42f699e4e1efc7f7cd1f1b6516c4ff8405ff1e82aba21ed18cc8cf26efd7
Threat Level: Known bad
The file 7c364a9cc46fabb61560e9bb9ef588ce was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-28 04:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-28 04:57
Reported
2024-01-28 04:59
Platform
win7-20231215-en
Max time kernel
133s
Max time network
118s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\QCib\TpmInit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\QCib\TpmInit.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\4gKF6E8\\RDVGHelper.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\QCib\TpmInit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c364a9cc46fabb61560e9bb9ef588ce.dll,#1
C:\Windows\system32\AdapterTroubleshooter.exe
C:\Windows\system32\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
C:\Users\Admin\AppData\Local\QCib\TpmInit.exe
C:\Users\Admin\AppData\Local\QCib\TpmInit.exe
C:\Windows\system32\TpmInit.exe
C:\Windows\system32\TpmInit.exe
Network
Files
memory/2536-0-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/2536-1-0x0000000000290000-0x0000000000297000-memory.dmp
memory/1196-4-0x0000000076EB6000-0x0000000076EB7000-memory.dmp
memory/1196-5-0x0000000002520000-0x0000000002521000-memory.dmp
memory/1196-10-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-19-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-26-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-25-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-24-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-23-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-22-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-21-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-20-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-18-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-17-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-16-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-15-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-14-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-13-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-12-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-11-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-9-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/2536-8-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-28-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-27-0x0000000002500000-0x0000000002507000-memory.dmp
memory/1196-35-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-37-0x0000000077220000-0x0000000077222000-memory.dmp
memory/1196-36-0x00000000770C1000-0x00000000770C2000-memory.dmp
memory/1196-7-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-46-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/1196-52-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/2596-64-0x0000000140000000-0x00000001401A4000-memory.dmp
memory/2596-70-0x0000000140000000-0x00000001401A4000-memory.dmp
memory/2596-67-0x0000000000100000-0x0000000000107000-memory.dmp
C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe
| MD5 | d4170c9ff5b2f85b0ce0246033d26919 |
| SHA1 | a76118e8775e16237cf00f2fb79718be0dc84db1 |
| SHA256 | d05e010a2570cdd5a67f62c99483aeeecb6a8d5ecc523cd49b158a460c9be5da |
| SHA512 | 9c85a9ea4002bd55cf9c51e470dd1bec527ff04b5d0d6f83094a998c541416cd47c9f42c6ca7e35ffa2842877f79e3c2e989489b9bf81644c5c57bb406b89608 |
\Users\Admin\AppData\Local\e3Fy0nv\d3d9.dll
| MD5 | 52744a14a7f693f81eb79cce4469b25a |
| SHA1 | 006fd6813efb32f2650049ffcbb60ecec7ec4a89 |
| SHA256 | fd762fe4352b5bf0c123081bc5a798033f8d927bfad982094c7987df5dba012a |
| SHA512 | 6bed8714dceca8e569155aa18f49c5772db9064bbcfb0ed8faf7894bfa5e9a203e85923bb71e5a7082f6339f926db212367e3b315eb8ae10c664b6b2702c28aa |
C:\Users\Admin\AppData\Local\e3Fy0nv\d3d9.dll
| MD5 | 462f4e1a0c67f968856be2f1e70362ac |
| SHA1 | 4f66d2291c6dd79a824128c92039d70731b1c0c5 |
| SHA256 | 68a6b40c799157f4a51dc8583594537fbe20a0c142498166d309e34da761e5d1 |
| SHA512 | a6aed16b3efff87e8aefb16a224615d509af8c72bf6972d8ddc8030f37c892d1e5b80a94ef5be670a4be5e6a6f2ef5c7d59f14fa60e4e6085cb8903c88e07dc1 |
C:\Users\Admin\AppData\Local\DI2Rso\dwmapi.dll
| MD5 | d851cd63cc9121c8ba1adb5da5ea5ed7 |
| SHA1 | 67aa7cc843a8409da2b7d10ee20d5321392f804b |
| SHA256 | 37b69fbc887e9eb3e25ef5df784b4e6113db3f6685ba7cfcbd20c585da0afffe |
| SHA512 | 464d9a56916d3cf62a3abdc5f1dde39862ef9b949dcfa14ba283adb0f3aa96b425cc0c372d1cb867cf4b56f20c71ed4caf48ebe5d77a08173a530e297539722b |
\Users\Admin\AppData\Local\DI2Rso\dwmapi.dll
| MD5 | a6de505eb6e21ea38fbdfe6ae7a7fed4 |
| SHA1 | 6b6ef40579de2e5e15231f8963443183cff8c96c |
| SHA256 | 5d48102bf245b5dc33408957289f4f0871ebe6d4756ea479000857c75ebc37ed |
| SHA512 | 49dd647993e6b7ac0210f378f4074250d3afd253c27e0b9595f382e25f9746e080240721c81c3475213a084fbd57e38d35ed80a909bd834799e3ad5bacb94be5 |
memory/2340-86-0x0000000140000000-0x00000001401A4000-memory.dmp
C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
| MD5 | ce6704500246ee13cd19ab108dbffce1 |
| SHA1 | 10505da49da1d0453de1d0fe28a793cbf944ee71 |
| SHA256 | 4c4288a0f07b5a796435982b550b2991ac02998b4c85506988e8d49e9ad44750 |
| SHA512 | b2890a01e9cc49a9204736d41e18f58e4df8de60b243fdb51ad5fbca536f898a4d187fcc7ac832efd64ab58af429ec633faf0f7020192c87c5414b9462350d97 |
\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
| MD5 | 45172b5447822eedb94261d316f7cc88 |
| SHA1 | 829a48efd232956df3bf7770da25cde7a5c8e3e8 |
| SHA256 | 00bcec24c6e45f2f1f31560324c17da2b4fa01820687c6f7fe3d5081cd23dc0d |
| SHA512 | 38d455769ba7b58bcb4a8fd569fdf325fc54878c316246126a92470cf94c3e2264628d4a59c0c7eb63e7ad44e432e1e2af3508af1968a4b1ff0f9415bcf24360 |
\Users\Admin\AppData\Local\QCib\ACTIVEDS.dll
| MD5 | 4c82ea2b20e692ac2c3cc8c2822be2bd |
| SHA1 | 12ecd10fd529e18b51530ac852d4ba75e4f9c024 |
| SHA256 | 61b4ae9258ef4f74dc687e8ec4235d56ee216c45dfc438d4a96200710d405d2b |
| SHA512 | c3d6b64fc689ffd5ff2fb7bd825e1f4ce702172accbfe10e3992ff42a525ba9596638ce37ee6fed74933dc6547b452861e113455d1fd615f76c28be484548b08 |
C:\Users\Admin\AppData\Local\QCib\ACTIVEDS.dll
| MD5 | e85a26f26e4d8d6eff6d87dec51c3962 |
| SHA1 | 4ba946aa14482541fbf7f6b547f8d5a2ca5fbaf3 |
| SHA256 | 472514a21cf69c1364fed1de700eb36f55f13d287907edcc53eae1398f0685e2 |
| SHA512 | 715ad8cab54085efcd26a8c1202f70862228dce6c9957ff3e10e003221e780783e058f3f7aec89d43220862908bf05b60be34d818559a19d792c203be55ea053 |
C:\Users\Admin\AppData\Local\QCib\TpmInit.exe
| MD5 | 8b5eb38e08a678afa129e23129ca1e6d |
| SHA1 | a27d30bb04f9fabdb5c92d5150661a75c5c7bc42 |
| SHA256 | 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c |
| SHA512 | a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d |
memory/2992-103-0x0000000140000000-0x00000001401A4000-memory.dmp
memory/2992-101-0x0000000000090000-0x0000000000097000-memory.dmp
C:\Users\Admin\AppData\Local\QCib\TpmInit.exe
| MD5 | edad2981231c1a42b8c7a7d3206cfdc4 |
| SHA1 | 21ca15ca3be5c4caa81c8358174313341accc251 |
| SHA256 | 480e8550b072a767c2ac9d086ed6bce08078fec4f95e784f5fc6772c2a277ccf |
| SHA512 | 04be414cd7e0b4813e7495404a0144942e5743b7d5a259bd819572f768c40333ddc12663589b89a7a8df1d48503201da037915308aec107346ca1ef521760d62 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4gKF6E8\RDVGHelper.exe
| MD5 | 53fda4af81e7c4895357a50e848b7cfe |
| SHA1 | 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f |
| SHA256 | 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038 |
| SHA512 | dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk
| MD5 | cb630a3f56283f7cdea0bca1f7315518 |
| SHA1 | e7d51fdcea9103bf9d7f6941122d036d394ae252 |
| SHA256 | 5235c4581459a3ca3997d44fcac983a4a34bdbd88eaee202ae5dfe9203da379b |
| SHA512 | e9d1c4b646230a61a9f2d0b7f8a67558c293953c6497c0bef15d99931f235ea9295bde0a58b76f3702757d18547679beb42e8ae46a5f6bf5602a64289ec3e6fe |
memory/1196-123-0x0000000076EB6000-0x0000000076EB7000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\ijtFw\d3d9.dll
| MD5 | 04c597e5b87e69ded7a9cbc710371b55 |
| SHA1 | 1fbf85f255835d0351cd46c40e138055f990c443 |
| SHA256 | 820dbad229c9359844c097f215e59d86c4fd862311b2e0c64ba894ae353cc597 |
| SHA512 | fc8d2e30ccb8bf154826ffd1a3f28e8a304b66410716ba68774ffad56e1160fb73ed23f1b562dcb69c355301297ccb0fe30573dc6b0cbe7ce5b1abf7d2e89180 |
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4gKF6E8\dwmapi.dll
| MD5 | f4620ad1d3d15b04300fec0455048a45 |
| SHA1 | f64e57e0deb46d02d54972e13da92fc90b23b1a2 |
| SHA256 | a37bfdb4a09dd1032ba9ac6adcda671bd98076b4c19e4222492c09491532fc33 |
| SHA512 | c5124b385261cc26bcb2aff9f1e8282e3f77c3c5af905b11a6331d229983b52f7efbf86be1d887002c547855d209e8890d61a353aa53070a895c829dc84d8595 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\iGKdI8QN\ACTIVEDS.dll
| MD5 | b1546da3664afbad197d1a238fb227f3 |
| SHA1 | ab9abd07069539aa63e99b87644e93b6ce099e41 |
| SHA256 | edfe97461c577176d3f616fc93614809cbbd59f0f536010967841bcb379a2e7f |
| SHA512 | ba1608544f0b6934af377cfa9f7c6d77cd3e056c8c29ecf318ff9b3f408a1453b757f89f8138b222acd81014960e83980f25365f8dc3dbb8ead17fd69f0c2dc9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-28 04:57
Reported
2024-01-28 04:59
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\x1CaK4j\\sigverif.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3532 wrote to memory of 2464 | N/A | N/A | C:\Windows\system32\bdechangepin.exe |
| PID 3532 wrote to memory of 2464 | N/A | N/A | C:\Windows\system32\bdechangepin.exe |
| PID 3532 wrote to memory of 696 | N/A | N/A | C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe |
| PID 3532 wrote to memory of 696 | N/A | N/A | C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe |
| PID 3532 wrote to memory of 1772 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 3532 wrote to memory of 1772 | N/A | N/A | C:\Windows\system32\sigverif.exe |
| PID 3532 wrote to memory of 3292 | N/A | N/A | C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe |
| PID 3532 wrote to memory of 3292 | N/A | N/A | C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe |
| PID 3532 wrote to memory of 5060 | N/A | N/A | C:\Windows\system32\rdpinput.exe |
| PID 3532 wrote to memory of 5060 | N/A | N/A | C:\Windows\system32\rdpinput.exe |
| PID 3532 wrote to memory of 1456 | N/A | N/A | C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe |
| PID 3532 wrote to memory of 1456 | N/A | N/A | C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c364a9cc46fabb61560e9bb9ef588ce.dll,#1
C:\Windows\system32\bdechangepin.exe
C:\Windows\system32\bdechangepin.exe
C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe
C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe
C:\Windows\system32\sigverif.exe
C:\Windows\system32\sigverif.exe
C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe
C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe
C:\Windows\system32\rdpinput.exe
C:\Windows\system32\rdpinput.exe
C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe
C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
memory/4264-1-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/4264-0-0x0000020B25C20000-0x0000020B25C27000-memory.dmp
memory/3532-4-0x0000000003600000-0x0000000003601000-memory.dmp
memory/3532-6-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-8-0x00007FFEDADDA000-0x00007FFEDADDB000-memory.dmp
memory/3532-9-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-10-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-11-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-12-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-7-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-14-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-15-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-16-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/4264-13-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-17-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-18-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-19-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-20-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-21-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-22-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-23-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-24-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-25-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-27-0x0000000003370000-0x0000000003377000-memory.dmp
memory/3532-26-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-28-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-35-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-38-0x00007FFEDB8E0000-0x00007FFEDB8F0000-memory.dmp
memory/3532-45-0x0000000140000000-0x00000001401A3000-memory.dmp
memory/3532-47-0x0000000140000000-0x00000001401A3000-memory.dmp
C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe
| MD5 | 601a28eb2d845d729ddd7330cbae6fd6 |
| SHA1 | 5cf9f6f9135c903d42a7756c638333db8621e642 |
| SHA256 | 4d43f37576a0ebbaf97024cd5597d968ffe59c871b483554aea302dccb7253f6 |
| SHA512 | 1687044612ceb705f79c806b176f885fd01449251b0097c2df70280b7d10a2b830ee30ac0f645a7e8d8067892f6562d933624de694295e22318863260222859d |
C:\Users\Admin\AppData\Local\e4H5E1a9\DUI70.dll
| MD5 | 101d8ae3751729fb93e7efde486c5ad3 |
| SHA1 | ac033f5c12b59972a2244e12c09080037c2006c3 |
| SHA256 | 0806086d7f0d2ff2283e1050e2cece86ac849fb13e682f8a0c3139f88969f3eb |
| SHA512 | d790e85c57644ae901fb8c8bc4ff64105fe4b51e2f3033f04cc2c1bb3d9db4da11593f56b11b1605208241f1593b28806c7a3a814661c7269411a36a2bb20600 |
memory/696-56-0x0000013344FE0000-0x0000013344FE7000-memory.dmp
memory/696-57-0x0000000140000000-0x00000001401E9000-memory.dmp
memory/696-62-0x0000000140000000-0x00000001401E9000-memory.dmp
C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe
| MD5 | 2151a535274b53ba8a728e542cbc07a8 |
| SHA1 | a2304c0f2616a7d12298540dce459dd9ccf07443 |
| SHA256 | 064de47877b00dc35886e829a697e4adb3d3cfdf294ddba13b6009a0f415b1bd |
| SHA512 | e6fd520ee1bd80a5fe8a7c2ae6446dcaabd4e335a602c36356f85305abef751b7dffa7eaac1ec13c105ccd8c3e9070bd32ed4b14bc8a9e52dc5f47b936d69a9f |
C:\Users\Admin\AppData\Local\3Ka9vS2\VERSION.dll
| MD5 | 7b44685af911f7c2f6a3c32620b6f507 |
| SHA1 | d62866d5ad8108491800483c3bfc55a0402d139c |
| SHA256 | ec4348bbed2c277f83ec6cfec96ab69189566b96a6142255138baa22186cf7c9 |
| SHA512 | cff566111c4cac5c30051eb8c2f1e98f5f557e65f721d261285b192316a1e2220d65d5dd0b7a51c6a70673d5cdd55ee66d24eab27ee02f4e8fee7c02cbda49be |
memory/3292-74-0x00000285BDF30000-0x00000285BDF37000-memory.dmp
memory/3292-73-0x0000000140000000-0x00000001401A4000-memory.dmp
memory/3292-79-0x0000000140000000-0x00000001401A4000-memory.dmp
C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe
| MD5 | bd99eeca92869f9a3084d689f335c734 |
| SHA1 | a2839f6038ea50a4456cd5c2a3ea003e7b77688c |
| SHA256 | 39bfb2214efeed47f4f5e50e6dff05541e29caeb27966520bdadd52c3d5e7143 |
| SHA512 | 355433c3bbbaa3bcb849633d45713d8a7ac6f87a025732fbe83e259ec3a0cb4eabb18239df26609453f9fc6764c7276c5d0472f11cf12d15ef806aa7594d090e |
C:\Users\Admin\AppData\Local\cooXj\WINSTA.dll
| MD5 | 055c59f871d022ecd63bc526ffb986dd |
| SHA1 | 8e6bb2984aacad5879a7d283cf313f3d1e3e4d2d |
| SHA256 | 66ad6848a419087de8c869fd36f2c5c3b07a79ff222dbc28ae4f596db86f19ad |
| SHA512 | 89609c71eb723f208e11129cbb227da5b0fd54892d3ff05515642f1a8ae11094940f60678ecbd3a3847d3b3d83b1b9fa903473918d4c0b8ef6089d6a0f4c0e86 |
memory/1456-90-0x0000000140000000-0x00000001401A5000-memory.dmp
memory/1456-91-0x000002394A5F0000-0x000002394A5F7000-memory.dmp
memory/1456-96-0x0000000140000000-0x00000001401A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
| MD5 | d1a450e0c55cf7406a7479a23ef16012 |
| SHA1 | ee91d83e92febeb5833075057746f4616969f9b1 |
| SHA256 | 63ae22c6f78759aafab1e04c2869e67fed48b6ce66e25f77001eb86a79c03407 |
| SHA512 | 1ccabed7881057b8757522f8530f2c9677b0bb9a77c34aadfcd69fc3209e878e76ccd750f22dd1c3f96ebde1dc1c5f0401df139ba327ad568434c0617ce55bf6 |