Malware Analysis Report

2024-11-13 16:42

Sample ID 240128-flb6xabgh3
Target 7c364a9cc46fabb61560e9bb9ef588ce
SHA256 ac5e42f699e4e1efc7f7cd1f1b6516c4ff8405ff1e82aba21ed18cc8cf26efd7
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: ac5e42f699e4e1efc7f7cd1f1b6516c4ff8405ff1e82aba21ed18cc8cf26efd7

Threat Level: Known bad

The file 7c364a9cc46fabb61560e9bb9ef588ce was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-28 04:57

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-28 04:57
Reported: 2024-01-28 04:59
Platform: win7-20231215-en
Max time kernel: 133s
Max time network: 118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c364a9cc46fabb61560e9bb9ef588ce.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\QCib\TpmInit.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\4gKF6E8\\RDVGHelper.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\QCib\TpmInit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 2608 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 2608 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 2608 N/A N/A C:\Windows\system32\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 2596 N/A N/A C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe
PID 1196 wrote to memory of 2648 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1196 wrote to memory of 2648 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1196 wrote to memory of 2648 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1196 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
PID 1196 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
PID 1196 wrote to memory of 2340 N/A N/A C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
PID 1196 wrote to memory of 3012 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1196 wrote to memory of 3012 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1196 wrote to memory of 3012 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1196 wrote to memory of 2992 N/A N/A C:\Users\Admin\AppData\Local\QCib\TpmInit.exe
PID 1196 wrote to memory of 2992 N/A N/A C:\Users\Admin\AppData\Local\QCib\TpmInit.exe
PID 1196 wrote to memory of 2992 N/A N/A C:\Users\Admin\AppData\Local\QCib\TpmInit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c364a9cc46fabb61560e9bb9ef588ce.dll,#1
C:\Windows\system32\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe
C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe
C:\Windows\system32\RDVGHelper.exe
C:\Users\Admin\AppData\Local\QCib\TpmInit.exe
C:\Windows\system32\TpmInit.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\e3Fy0nv\AdapterTroubleshooter.exe

\Users\Admin\AppData\Local\e3Fy0nv\d3d9.dll

C:\Users\Admin\AppData\Local\e3Fy0nv\d3d9.dll

C:\Users\Admin\AppData\Local\DI2Rso\dwmapi.dll

\Users\Admin\AppData\Local\DI2Rso\dwmapi.dll

C:\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe

\Users\Admin\AppData\Local\DI2Rso\RDVGHelper.exe

\Users\Admin\AppData\Local\QCib\ACTIVEDS.dll

C:\Users\Admin\AppData\Local\QCib\ACTIVEDS.dll

C:\Users\Admin\AppData\Local\QCib\TpmInit.exe

C:\Users\Admin\AppData\Local\QCib\TpmInit.exe

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4gKF6E8\RDVGHelper.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\ijtFw\d3d9.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4gKF6E8\dwmapi.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\iGKdI8QN\ACTIVEDS.dll

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-28 04:57
Reported: 2024-01-28 04:59
Platform: win10v2004-20231215-en
Max time kernel: 150s
Max time network: 145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c364a9cc46fabb61560e9bb9ef588ce.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\x1CaK4j\\sigverif.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow


Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 2464 N/A N/A C:\Windows\system32\bdechangepin.exe
PID 3532 wrote to memory of 2464 N/A N/A C:\Windows\system32\bdechangepin.exe
PID 3532 wrote to memory of 696 N/A N/A C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe
PID 3532 wrote to memory of 696 N/A N/A C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe
PID 3532 wrote to memory of 1772 N/A N/A C:\Windows\system32\sigverif.exe
PID 3532 wrote to memory of 1772 N/A N/A C:\Windows\system32\sigverif.exe
PID 3532 wrote to memory of 3292 N/A N/A C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe
PID 3532 wrote to memory of 3292 N/A N/A C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe
PID 3532 wrote to memory of 5060 N/A N/A C:\Windows\system32\rdpinput.exe
PID 3532 wrote to memory of 5060 N/A N/A C:\Windows\system32\rdpinput.exe
PID 3532 wrote to memory of 1456 N/A N/A C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe
PID 3532 wrote to memory of 1456 N/A N/A C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7c364a9cc46fabb61560e9bb9ef588ce.dll,#1
C:\Windows\system32\bdechangepin.exe
C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe
C:\Windows\system32\sigverif.exe
C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe
C:\Windows\system32\rdpinput.exe
C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe

Network


Files

C:\Users\Admin\AppData\Local\e4H5E1a9\bdechangepin.exe

C:\Users\Admin\AppData\Local\e4H5E1a9\DUI70.dll

C:\Users\Admin\AppData\Local\3Ka9vS2\sigverif.exe

C:\Users\Admin\AppData\Local\3Ka9vS2\VERSION.dll

C:\Users\Admin\AppData\Local\cooXj\rdpinput.exe

C:\Users\Admin\AppData\Local\cooXj\WINSTA.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
