Malware Analysis Report

2024-11-13 16:41

Sample ID 240128-hgqvlsddg5
Target 7c6984424b8af070581e59a97ed874d6
SHA256 abe02436407d423ba7d2ee6fb54b60261b85fb70c076afc60d906b1b4a5f569a
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

abe02436407d423ba7d2ee6fb54b60261b85fb70c076afc60d906b1b4a5f569a

Threat Level: Known bad

The file 7c6984424b8af070581e59a97ed874d6 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 06:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 06:42

Reported

2024-01-28 06:45

Platform

win7-20231215-en

Max time kernel

150s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c6984424b8af070581e59a97ed874d6.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\xi3\WFS.exe N/A
(4 further hits with no process or indicator details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\YSQ67Sam\\rekeywiz.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xi3\WFS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
(61 further hits with no process or indicator details recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2284 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1260 wrote to memory of 2284 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1260 wrote to memory of 2284 N/A N/A C:\Windows\system32\SystemPropertiesPerformance.exe
PID 1260 wrote to memory of 2172 N/A N/A C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe
PID 1260 wrote to memory of 2172 N/A N/A C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe
PID 1260 wrote to memory of 2172 N/A N/A C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe
PID 1260 wrote to memory of 2844 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1260 wrote to memory of 2844 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1260 wrote to memory of 2844 N/A N/A C:\Windows\system32\rekeywiz.exe
PID 1260 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe
PID 1260 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe
PID 1260 wrote to memory of 2960 N/A N/A C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe
PID 1260 wrote to memory of 2160 N/A N/A C:\Windows\system32\WFS.exe
PID 1260 wrote to memory of 2160 N/A N/A C:\Windows\system32\WFS.exe
PID 1260 wrote to memory of 2160 N/A N/A C:\Windows\system32\WFS.exe
PID 1260 wrote to memory of 1964 N/A N/A C:\Users\Admin\AppData\Local\xi3\WFS.exe
PID 1260 wrote to memory of 1964 N/A N/A C:\Users\Admin\AppData\Local\xi3\WFS.exe
PID 1260 wrote to memory of 1964 N/A N/A C:\Users\Admin\AppData\Local\xi3\WFS.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c6984424b8af070581e59a97ed874d6.dll

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Windows\system32\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe

C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe

C:\Windows\system32\rekeywiz.exe

C:\Windows\system32\rekeywiz.exe

C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe

C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe

C:\Windows\system32\WFS.exe

C:\Windows\system32\WFS.exe

C:\Users\Admin\AppData\Local\xi3\WFS.exe

C:\Users\Admin\AppData\Local\xi3\WFS.exe
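The process list above shows the loader's DLL side-loading pattern: each of SystemPropertiesPerformance.exe, rekeywiz.exe and WFS.exe runs once from C:\Windows\system32 and once from a freshly created directory under AppData\Local, and the Files section shows a file named like a library those programs load (SYSDM.CPL, slc.dll, credui.dll) written next to each relocated copy; the "Loads dropped DLL" signature above is those copies loading them. Windows resolves a library name against the application's own directory before System32 unless the library is in the KnownDLLs list, which is why a renamed directory plus a planted DLL is enough. Matching on the file name alone is useless because the names belong to legitimate Windows programs; the durable signal is positional: a System32 file name executing from a user-writable path. The Python below is an added example written for this page, not sandbox output or Dridex tooling. PROCESSES and DROPPED are copied from this detonation's Processes and Files sections with the repeated entries removed; what counts as a finding is this example's rule, and the same function runs unchanged over the behavioral2 list (wbengine.exe, osk.exe, wermgr.exe).

```python
"""Flag Windows system binaries executed from user-writable directories, the
DLL side-loading pattern in the behavioral1 process list of this report.

Added example for this report, not sandbox tooling. PROCESSES and DROPPED are
copied from the report's Processes and Files sections (duplicates removed);
what counts as a finding is this example's rule, not the sandbox's."""
from __future__ import annotations

import ntpath
from collections import defaultdict
from dataclasses import dataclass

PROCESSES = [
    r"C:\Windows\system32\regsvr32.exe",
    r"C:\Windows\system32\SystemPropertiesPerformance.exe",
    r"C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe",
    r"C:\Windows\system32\rekeywiz.exe",
    r"C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe",
    r"C:\Windows\system32\WFS.exe",
    r"C:\Users\Admin\AppData\Local\xi3\WFS.exe",
]

DROPPED = [
    r"C:\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe",
    r"C:\Users\Admin\AppData\Local\P2F0hAd1\SYSDM.CPL",
    r"C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe",
    r"C:\Users\Admin\AppData\Local\LsMZ\slc.dll",
    r"C:\Users\Admin\AppData\Local\xi3\WFS.exe",
    r"C:\Users\Admin\AppData\Local\xi3\credui.dll",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Sf1tAtG\WFS.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Sf1tAtG\credui.dll",
]

WINDOWS_DIR = "c:\\windows\\"
# Extensions LoadLibrary maps as code; .cpl covers the SYSDM.CPL drop.
LOADABLE = {".dll", ".cpl", ".ocx", ".drv"}


@dataclass(frozen=True)
class Finding:
    image: str                            # the relocated copy that ran
    original: str                         # same file name seen under the Windows directory
    sideload_candidates: tuple[str, ...]  # loadable files dropped beside it


def _norm(path: str) -> str:
    """Lower-case and canonicalise a Windows path; ntpath works on any host OS."""
    return ntpath.normcase(ntpath.normpath(path))


def is_windows_path(path: str) -> bool:
    return _norm(path).startswith(WINDOWS_DIR)


def find_relocated_binaries(processes, dropped) -> list[Finding]:
    """One Finding per process whose file name also ran from the Windows
    directory in the same trace but which itself runs from somewhere else."""
    by_name: dict[str, list[str]] = defaultdict(list)
    for p in processes:
        by_name[ntpath.basename(_norm(p))].append(p)

    dropped_by_dir: dict[str, list[str]] = defaultdict(list)
    for f in dropped:
        dropped_by_dir[ntpath.dirname(_norm(f))].append(f)

    findings = []
    for paths in by_name.values():
        originals = [p for p in paths if is_windows_path(p)]
        if not originals:
            continue  # nothing legitimate to impersonate
        for p in paths:
            if is_windows_path(p):
                continue
            neighbours = dropped_by_dir[ntpath.dirname(_norm(p))]
            candidates = tuple(sorted(
                f for f in neighbours if ntpath.splitext(f)[1].lower() in LOADABLE))
            findings.append(Finding(p, originals[0], candidates))
    return findings


def unexecuted_copies(processes, dropped) -> list[str]:
    """Dropped files sharing a name with a relocated binary that never ran in
    the trace (here the Start Menu copy of WFS.exe staged for persistence)."""
    ran = {_norm(p) for p in processes}
    names = {ntpath.basename(_norm(f.image))
             for f in find_relocated_binaries(processes, dropped)}
    return [f for f in dropped
            if ntpath.basename(_norm(f)) in names and _norm(f) not in ran]


if __name__ == "__main__":
    for f in find_relocated_binaries(PROCESSES, DROPPED):
        print(f"{f.image}\n  impersonates {f.original}\n  side-load candidates: {f.sideload_candidates}")
    print("staged but not executed:", unexecuted_copies(PROCESSES, DROPPED))
```

Because the rule keys on the file name reappearing outside the Windows directory rather than on a hash, it also catches the next campaign's choice of host binary; on real telemetry feed it process-creation image paths and file-write paths from the same host over the same window.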

Network

N/A

Files

memory/1980-0-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1980-1-0x00000000001E0000-0x00000000001E7000-memory.dmp

memory/1260-4-0x0000000077AC6000-0x0000000077AC7000-memory.dmp

memory/1260-5-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/1260-7-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-10-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-13-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-18-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-21-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-25-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-24-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-22-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-26-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-31-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-29-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-32-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-36-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-38-0x0000000002980000-0x0000000002987000-memory.dmp

memory/1260-37-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-35-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-34-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-45-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-33-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-30-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-28-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-27-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-23-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-20-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-19-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-17-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-16-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-14-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-15-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-11-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-12-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-9-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1980-8-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-46-0x0000000077CD1000-0x0000000077CD2000-memory.dmp

memory/1260-47-0x0000000077E30000-0x0000000077E32000-memory.dmp

memory/1260-56-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/1260-62-0x0000000140000000-0x00000001401B6000-memory.dmp

\Users\Admin\AppData\Local\P2F0hAd1\SystemPropertiesPerformance.exe

MD5 870726cdcc241a92785572628b89cc07
SHA1 63d47cc4fe9beb75862add1abca1d8ae8235710a
SHA256 1ab77fa1ee0cbe59ca185c228c3c11abeba2b2008a162c91a06d3c40542e7fc6
SHA512 89b961c2a2716fe0800e54e0206c8b349a26f1bc2a463ec9bd12f3ab22bfcb13e6402b4c20ddcf284d838a3c66e73335af8f6dc4554d76646382e387242c6f72

\Users\Admin\AppData\Local\P2F0hAd1\SYSDM.CPL

MD5 86de1c98430c88f8b7e38a72d0a2818f
SHA1 486daefa7f5c76e89081ae9e5b18f789c7672bf1
SHA256 d3fd0394725fba04f44d2e617669ff3e2dda112a7f8260cb73abcc676a30952d
SHA512 eaca93a8df66599f030a5fac4ee781030c3ef65c2400d5ba3e6c1c2ab13016cb8d2d42a7375cb7839c3c4d9d5db534921935b23d292614acab9166d0df344401

memory/2172-75-0x0000000140000000-0x00000001401B7000-memory.dmp

memory/2172-74-0x0000000000170000-0x0000000000177000-memory.dmp

memory/2172-80-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\P2F0hAd1\SYSDM.CPL

MD5 6d92e7f1e7422bd578e15b4f34758a22
SHA1 560317cfd786d0f8b85892ce015c0dfb630fd534
SHA256 807f89bac60869749033a836fa1daab765fd2856402f49ad2f8843ff5a946b9d
SHA512 de490d24d05c6969bf526fd77d8d203d4384db417146c18a8efc8f9e3a51f6a279a8994264bca58e48a58905311e64d250870549951a7a8a08783f4f572ed324

C:\Users\Admin\AppData\Local\LsMZ\rekeywiz.exe

MD5 767c75767b00ccfd41a547bb7b2adfff
SHA1 91890853a5476def402910e6507417d400c0d3cb
SHA256 bd70e504871a2ac1c883d19b87970c8d1b8b251c784bf777ba77ed764f5f2395
SHA512 f096043452a1aa213a5e4d62638de3ee4b0b3ad3d12b7ee0372d8c79e00e2e13b4fd0ebc4206bbdb5124bed292dd5b30ef1641288046ef835f89c332985154f9

C:\Users\Admin\AppData\Local\LsMZ\slc.dll

MD5 41c52b5ca619c4ced49806ce7ad5ef2d
SHA1 233f7af949c44c60fad542e8c53c7a784d6599d6
SHA256 69123a4c864aaf0c34223b31da3d88d3f5585b825b3c5062e4c213cfc637cc26
SHA512 e96dacc3ba76e22a1725209acc6f79cc4cc899aa5683910beed907f0b7d27a58905169afc0e7b67614c62a579c679c021081f40d0cd772014a4df6ecf84eb0af

\Users\Admin\AppData\Local\LsMZ\slc.dll

MD5 eb4e139975897eb7d432f96a4c087168
SHA1 2f54b8ae4ee0ddf3baec3abcc0e608a82b13ac06
SHA256 b1198346dc21a6950316b810d0926be1f46f5fcc11ef4bac1cd8a960cf4a8d72
SHA512 95a5e336509a5cbeb235dc3a56200ff6e5ceb2527813534ba88a3fdca44320cb86910e8279d92283f2f77ac8d5e13e1da0ec02d0096d0c3450e41a81c15eebf5

memory/2960-92-0x0000000001D30000-0x0000000001D37000-memory.dmp

memory/2960-98-0x0000000140000000-0x00000001401B7000-memory.dmp

\Users\Admin\AppData\Local\xi3\WFS.exe

MD5 a943d670747778c7597987a4b5b9a679
SHA1 c48b760ff9762205386563b93e8884352645ef40
SHA256 1a582ebe780abc1143baccaf4910714d3e9f4195edd86939499d03ed6e756610
SHA512 3d926ddead8afcb32b52b3eb3c416d197c15e5fff6ba9fa03a31a07522bdb9088b32500fc8b98d82af657071571d09cd336a65cf45c485ebcc145dea70b3a934

\Users\Admin\AppData\Local\xi3\credui.dll

MD5 3e1990217003de6f69c40882381d3f3a
SHA1 e9920dd1f570b27e683431a24482ee6fd795d274
SHA256 0da6de24e30a457974a2438d702285b54aa61a920141435329d9f944dd6617af
SHA512 0f5b4afb1c9525513791c951b19d4b81c641f80b5a47882fe2b1a62255be71f8b77d469cfd78f7c1dba37d81f43ffebf0736e93bd0c1d06b3570ded451d9565b

C:\Users\Admin\AppData\Local\xi3\credui.dll

MD5 2b965e5f24e2fc2be8d4227f265f4fec
SHA1 1a5ee0bdf52c7c4c224985d1b6835fb66711d455
SHA256 1ffffed27e437acfc7a6bfd4e9330fff94ad1c00d3ce0efcce57eb2c1b05a911
SHA512 962819ae2594431256d62690a7fb01272b1bb1e7d85b8e7004df820ae591762be584b1964ed600e361da662d6836f45e485e04b0e47476ea19a9e93bdd527056

C:\Users\Admin\AppData\Local\xi3\WFS.exe

MD5 8cfd4d317a8af7b13bd9c3897a67869e
SHA1 7ea9223a7a97f102846a92c639387595e90fea16
SHA256 0e076e054e76859f009bedaf865be526dc537dbccedd8661d514b949ff0d5a25
SHA512 99fcacbc843b4b674d3b762f5a30872ecffe759971aacdb9a734b0dd28aae886e5d3933cbb5eec9b715a433fb7f97307430fdc7de443d3bc135c26a668617617

memory/1964-112-0x00000000003A0000-0x00000000003A7000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Sf1tAtG\WFS.exe

MD5 2da433572d3974158a530ef148e5edb1
SHA1 c94e62b0e62d3c5a9a142dd4244b1283bf2d5936
SHA256 aaaa3fb247b21d8fabeadea5a6bb9f734c25893f60b5be45375985d7a31b6ed0
SHA512 9cb493012b12a9892c225d07b24a81efa8acad5252f574d39af6095f8b5e409033ef086891c806c9e90b0640cea6afd4daee08747e48a306ee949d678f2c5b12

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Sf1tAtG\WFS.exe

MD5 b26702799e644a19d52204db014aa11b
SHA1 dd3159037ef59fc6a2f67e900d60f934f654e7dd
SHA256 b345d4ffe79d4cd8d87ee0a579a9a58174ee570ca6ff5dd32f0a65ff032ed3c7
SHA512 02d9e98b21985b81772aafcf38eb0b355ceab42c27faa2712498c22911ca21c9b3f5cc558163426dd333bd7cc026b9e1e57985d9b029dc957007a02280f7c699

memory/1260-131-0x0000000077AC6000-0x0000000077AC7000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 98307f2c6dff9dcad14d67e824a0556f
SHA1 0adce53fa06183257146836c836c5a04a7272fe1
SHA256 9464e15d9a256e7ca23034a0d4b3739c13c0fec42ae3c29aef90d61778668d5c
SHA512 7d13d56659608c7979857a4342754a184a73e7f2a22120c4108268a34be0167de41ff4208086f986dd3839e273a7983327f35549e7853aac2d669c6b9190eb6d

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\x9N\SYSDM.CPL

MD5 0ff469de21a414915f480faad5f9060f
SHA1 228abc590d764546dc152f593f8639328a92d3ae
SHA256 00f71c1d3c4fe28384ba0e8ba140259503a939e3b79dac4bea91212c3a167f96
SHA512 62570014a2381196f42bc289edb6b886d53b1e50b1a812718144b573f375e947f72843a3fb3b2ff033dd2de2773f6b98573d7d41cfd1304244be8b86e366778a

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\YSQ67Sam\slc.dll

MD5 9701b5ab9601ef44a14345cf05b17a49
SHA1 c094542aa6f3b35b2c40edf0eef77881232766e0
SHA256 ee8a7d755de7e99110ab3c9d4e9ffb97eaed658f5bfbdb677411d54927742ad9
SHA512 361b9859408a6ac7ea02e92fbef3e6322e3fe799d2b3f781649ef746443a34dd691aafce7a3e7eabd7d95e071f64bd305b95a0d54b05e869c77b61d0a55852c9

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Sf1tAtG\credui.dll

MD5 d8674c78f2e0cf7d9e79cd3770950f6b
SHA1 d68cfc620c78ae98f3095b4f6d1cd744e618a0f6
SHA256 9c3b85aaf0196c7b8aead0cf7a5973286e1f11be91c0209cd0c4d860d3041203
SHA512 da0f94081ac0e2672d41da65a7316efb9b14480dbc85edbbab1d4f60edb6f151f2925e1aa0e9b9a45bf83878b45b094f8e146c211276f90b26035cc04bfe3ed0

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 06:42

Reported

2024-01-28 06:45

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c6984424b8af070581e59a97ed874d6.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\R6Od\\osk.exe" N/A N/A
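Both detonations persist through a Run value under the user hive (Srfjajs in behavioral1 above, Mbfbagbrjs here) whose data is a relocated Windows binary under the Roaming profile: rekeywiz.exe beside a slc.dll copy under Quick Launch\User Pinned\ImplicitAppShortcuts, and osk.exe beside a WINMM.dll copy under Microsoft\OneNote (see the Files sections). The Windows 7 value is written with 8.3 short names (MICROS~1\INTERN~1\QUICKL~1...), so a rule that matches the long form of that folder never sees it. Each Files section also lists a .lnk dropped into the Startup folder (Ekhyqsv.lnk, Wdush.lnk) that the signature list does not call out. The Python below is an added example for this page, not sandbox code: it parses the two indicator lines exactly as printed and records why each value deserves attention. SYSTEM_BINARY_NAMES holds only the names seen in this report's process trees as a stand-in for a real System32 inventory; that list and the three checks are this example's assumptions.

```python
"""Triage the "Adds Run key to start application" indicators of this report.

Added example for this report, not sandbox output. RUN_KEY_EVENTS are the two
indicator lines exactly as printed; SYSTEM_BINARY_NAMES lists the binaries seen
in this report's process trees and stands in for a real System32 inventory.
The three checks in assess() are this example's assumptions."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

RUN_KEY_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Srfjajs = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\USERPI~1\\IMPLIC~1\\YSQ67Sam\\rekeywiz.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mbfbagbrjs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\OneNote\\R6Od\\osk.exe"',
]

# Names taken from this report's process lists, not a complete inventory.
SYSTEM_BINARY_NAMES = {
    "systempropertiesperformance.exe", "rekeywiz.exe", "wfs.exe",
    "wbengine.exe", "osk.exe", "wermgr.exe",
}

_EVENT = re.compile(
    r'^Set value \((?P<kind>\w+)\) '
    r'\\REGISTRY\\(?P<hive>USER|MACHINE)\\(?P<subkey>.+?)\\Run\\(?P<name>[^\\\s]+)'
    r' = "(?P<data>.*)"$'
)
_SID = re.compile(r'^S-1-5-[\d-]+')
_SHORT_COMPONENT = re.compile(r'[^\\]*~\d+[^\\]*')  # 8.3 names such as MICROS~1


@dataclass
class RunValue:
    hive: str
    sid: str | None
    value_name: str
    image: str
    reasons: list[str] = field(default_factory=list)


def parse_run_key_event(line: str) -> RunValue:
    """Split one 'Set value' indicator line into hive, SID, value name and data."""
    m = _EVENT.match(line)
    if m is None:
        raise ValueError(f"not a Run-key indicator: {line!r}")
    sid_match = _SID.match(m["subkey"])
    # The report doubles every backslash inside the quoted data; undo that.
    image = m["data"].replace("\\\\", "\\")
    return RunValue(m["hive"], sid_match.group(0) if sid_match else None,
                    m["name"], image)


def assess(line: str) -> RunValue:
    """Parse the line and attach the reasons this autostart deserves attention."""
    rv = parse_run_key_event(line)
    low = ntpath.normcase(rv.image)
    if low.startswith("c:\\users\\"):
        rv.reasons.append("autostart image lives under a user profile "
                          "(writable without admin rights)")
    shorts = _SHORT_COMPONENT.findall(rv.image)
    if shorts:
        rv.reasons.append("path uses 8.3 short names (" + ", ".join(shorts)
                          + "); expand before matching against long-form lists")
    if ntpath.basename(low) in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
        rv.reasons.append("file name matches a Windows system binary but the "
                          "path is outside the Windows directory")
    return rv


def assess_all(lines) -> list[RunValue]:
    return [assess(line) for line in lines]


if __name__ == "__main__":
    for rv in assess_all(RUN_KEY_EVENTS):
        print(f"{rv.hive}\\{rv.sid}  Run\\{rv.value_name} -> {rv.image}")
        for reason in rv.reasons:
            print("   -", reason)
```

The example only flags 8.3 components because it has no filesystem to ask; on a live host expand them first (GetLongPathNameW, or in PowerShell `(Get-Item -LiteralPath $path).FullName`) and compare the long form, otherwise the Windows 7 value above slips past any path-based allow or deny list.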

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
N/A N/A C:\Windows\system32\regsvr32.exe N/A
(60 further hits with no process or indicator details recorded)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3504 wrote to memory of 1440 N/A N/A C:\Windows\system32\wbengine.exe
PID 3504 wrote to memory of 1440 N/A N/A C:\Windows\system32\wbengine.exe
PID 3504 wrote to memory of 484 N/A N/A C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe
PID 3504 wrote to memory of 484 N/A N/A C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe
PID 3504 wrote to memory of 4380 N/A N/A C:\Windows\system32\osk.exe
PID 3504 wrote to memory of 4380 N/A N/A C:\Windows\system32\osk.exe
PID 3504 wrote to memory of 2072 N/A N/A C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe
PID 3504 wrote to memory of 2072 N/A N/A C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe
PID 3504 wrote to memory of 1968 N/A N/A C:\Windows\system32\wermgr.exe
PID 3504 wrote to memory of 1968 N/A N/A C:\Windows\system32\wermgr.exe
PID 3504 wrote to memory of 4796 N/A N/A C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe
PID 3504 wrote to memory of 4796 N/A N/A C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7c6984424b8af070581e59a97ed874d6.dll

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Windows\system32\osk.exe

C:\Windows\system32\osk.exe

C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe

C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe

C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe

C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe

C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp

Files

memory/368-0-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/368-2-0x0000000000B20000-0x0000000000B27000-memory.dmp

memory/3504-7-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-9-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-15-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-14-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-16-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-17-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-18-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-13-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-12-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-20-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-22-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-23-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-25-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-24-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-21-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-19-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-11-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-10-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-26-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-28-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-35-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-36-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-38-0x0000000002D90000-0x0000000002D97000-memory.dmp

memory/3504-37-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-34-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-45-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-33-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-46-0x00007FFAD1660000-0x00007FFAD1670000-memory.dmp

memory/3504-57-0x0000000140000000-0x00000001401B6000-memory.dmp

C:\Users\Admin\AppData\Local\RAlrZ3Bl\SPP.dll

MD5 a729fef85b60ffdef20fd592a09096f3
SHA1 535ebc8438bff63f4fe22cdb29605934ee1bf6df
SHA256 836d40ccc39949118d58c9c7eacac249c047ef484cd510a6e01f731cd2b57e65
SHA512 cf45b9a29c84028f66ba69f6cdc7702888e5b7b74281edd4b0c3e30a4f7e1e42aeb8411b89623f56810b24c430c6e8e5fbf16e4487d12973dac82423bc6962c4

memory/484-67-0x0000022A79140000-0x0000022A79147000-memory.dmp

memory/484-72-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe

MD5 395af89ad7ef78c034a3c32f1db8e609
SHA1 2b9577cecbbd6ccc34822fff8dd5924e74793c5b
SHA256 bf4d0d80ca13fd03ba1fed089a688f391399c8452d1ea9aa9e91dbb3eb986d56
SHA512 b39fa47021e50d0467fa6f4544609bac0108cbc86ab71ed9cf580b21554c50955e5f03bbb24c16e5c7293ced5a31df38ab9b4cf1638f1190ea229964d9b80382

C:\Users\Admin\AppData\Local\OfkVjzV3u\WINMM.dll

MD5 21c28197eed28d2f1eb788109c306112
SHA1 78d8d650adb474c5527a181d000aaffa553fddba
SHA256 b20e33b2c70b4947769f28ddcbbf8208c76e8857bb8a5bf0c994aebb2f64c80f
SHA512 0514dde9136d9d6b8b00db1d369c5a1b2e3193f5a0bf44c7d3a0a09289e9c834c57419f622900d5e7ce4be9799d5f25d574d912e0945ba4c941c78eeab0c1583

C:\Users\Admin\AppData\Local\OfkVjzV3u\WINMM.dll

MD5 6c321a34180bced0b4beda5c742602e4
SHA1 7cd1145a69fc18f1ac2b2230b099d087c80adf45
SHA256 49f82fd23e80d31719ead0389cc51a3ce31c5ce6299436684bf7dc22921c3d0c
SHA512 4ae976085f0ff2fcc8997b653678bef1b73f84fb1428c98128a63c0e3e4ba585fd0d85d8d94ec939117671aaddcf4e3f2cd2b0544241764a24e7f8561cac5f3c

memory/2072-89-0x0000000140000000-0x00000001401B8000-memory.dmp

memory/2072-84-0x000001F199340000-0x000001F199347000-memory.dmp

C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe

MD5 900c1367db60154c3bbbb07342118ab5
SHA1 83e3113daff8086098b5e042788621879a555687
SHA256 2c1965f48c3f0b662a96866fe660ae48f83df8c360f4c070bc527fe5e6513ad6
SHA512 ecc1c3323ce42428a355628441a7f0d8ee652d4395e8005980574b22aba41d1fa1a0a010955af199c54c37a110275a24040ec10ad756c6c308f9a34bfad51979

C:\Users\Admin\AppData\Local\RRz9CFGsq\wer.dll

MD5 e64fb2ee507ba8ee8990022464e2f0c4
SHA1 09b009ede447aea0ada55ff24acbabe6afd26143
SHA256 136b0279adb053f8418e25a1eaf63023d85645e1edcdf9b50a016d00a8c15845
SHA512 591b9a9a0466bf5163007a75b79683de15a71c0fcbcad308a64f28029b0c71fa8491b844d34461dd499bfe757cfdd07334c8c0d125c97452c64609450c3704a5

C:\Users\Admin\AppData\Local\RRz9CFGsq\wer.dll

MD5 81f89616aebce00d18d4c1f47356b888
SHA1 4d39f1e251aabd805d0e8945d908517390eab859
SHA256 21ba026219c7142f909184f2d73e777f597e85424c4599f91e118cdb828da8fa
SHA512 542ebe34e345c44c76471f1eda330d507d9a735a3f143950b652cb62015b96376833366baba2c8fa3136a0ce92d2f18d6fb16fc6e852f8c0f5265e774eb79f51

memory/4796-106-0x0000000140000000-0x00000001401B8000-memory.dmp

C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe

MD5 ca02e312be7aaedfc0fa0b818098f7c7
SHA1 a5b2554b7d7fa017af7a3df88d4f351f2ce9589b
SHA256 f7f78ab6499e6c873bc1328defb8d9e4aa5bc79c893bfff4d78fccbbad813b2d
SHA512 fb0bc469014c20c3bef8191a5938483d335e7036e22c29627243cd70f3275d407046bba0d33b5f3e0dd103b525e6b8a44d77d28d354bc6de7c5b26bd714d85e1

memory/4796-103-0x0000025E2F920000-0x0000025E2F927000-memory.dmp

C:\Users\Admin\AppData\Local\RRz9CFGsq\wermgr.exe

MD5 f7991343cf02ed92cb59f394e8b89f1f
SHA1 573ad9af63a6a0ab9b209ece518fd582b54cfef5
SHA256 1c09759dcd31fdc81bcd6685438d7efb34e0229f1096bfd57d41ecfe614d07dc
SHA512 fa3cf314100f5340c7d0f6a70632a308fcadb4b48785753310a053a510169979a89637b8b4fedf4d3690db6b8b55146e323cad70d704c4e2ede4edff5284237d

memory/2072-83-0x0000000140000000-0x00000001401B8000-memory.dmp

C:\Users\Admin\AppData\Local\OfkVjzV3u\osk.exe

MD5 c7b4b9944cebdbf3ebcd11cbe31988cb
SHA1 09c510dea634ee68f6d946b8b6b8089cf589bcaa
SHA256 ba2244077761c0d6aa1c32c6b1ccf773e95d600f167a51d73ada55c07460a52e
SHA512 50a1b3a399386680202faa95ae409cb5e6fadb504112a79753ee635c14d6c8e82300328a97ea785b17d436e93490efdc9d4629aa6ae229c6e4b06ae71c704e0d

memory/484-66-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\RAlrZ3Bl\SPP.dll

MD5 cf73c4d270dfe003038a1780e482725d
SHA1 811d03ec6ae8cfa3b46368ca3e09e683ec65ec78
SHA256 44e8ec7a2f39873d0a37c390a6be17805f9e5ad05f961c2ab10f530404b6f167
SHA512 7340adff2409d12fc94b0d7c7073141d76886f6dc10759d49968a0657c2f5436df4bcf9f9bc17650822f3427c69cf690ad3f8bd59295dca86fc736ff8ef93a2d

C:\Users\Admin\AppData\Local\RAlrZ3Bl\wbengine.exe

MD5 8b2479c9554a6abb7193fc2c105f01a2
SHA1 b3cb8c6809e6489a4cb4078c0167b21142d47b7f
SHA256 3c4276408edc02892b009ecd9471802bb83641d20193db1a4858ce818914bffb
SHA512 9537626a01e3058331deb1008b218c32da1e9c8aa6da7cef0cbf5e3b9d92922572b74052c783f60d33088ab72a205d9679e469c48269f9d49d82ae737d7a0a57

memory/3504-55-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-32-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-31-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-30-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-29-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-27-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/368-8-0x0000000140000000-0x00000001401B6000-memory.dmp

memory/3504-5-0x00007FFAD15CA000-0x00007FFAD15CB000-memory.dmp

memory/3504-4-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Wdush.lnk

MD5 0c5ff9fb2c7b0191974f47218bd4265e
SHA1 89d46132f7264bf509fbe6f089764ef8ddd6703b
SHA256 1086f843ce9b1b3b3c08d4bace531d1b3694153d44dc3e2191c5aa582e37e095
SHA512 7378bea77ab32d63408ea62730f1608fa765c60039df4d56cf642110083dde885e34ffeffaa1043b9dc0934648cc6022bd64d4c14e9bcee6faea2a0499084022

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\acSe\SPP.dll

MD5 da5939c641d372eb07d0322b038782e5
SHA1 2c4d063ec73c1f85ce1e3e2409227478e66251d1
SHA256 711ea12c6200dd07c33646ffe13dc7f4d79a6a9e2f65d7cd43752b5a3f518674
SHA512 d854c934b426c85710823489a845256e296f84b626d6a2c6cef4d5c370af65f46d281d6e93ea4f4267319d903487450f09613b89b1eddd50d806ecfc7c742bf9

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\R6Od\WINMM.dll

MD5 620b881007161068583a2699acf62320
SHA1 44eb1fbd44bcedad9fb8c2e54f26d54b7af8d1ec
SHA256 13c3a514f14d138548009784696a1f64761550e5282bfa90df42c17e075a2153
SHA512 33617be43680fe15a594fca7e40d81bc5ac7d2ad99a7c334db96dec583f04ce5eb48ad4d13e803ff330f76eaace9ed16872286a50a1bed4d8aedb549bc3854f6

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\Ilw7N0jCkF\wer.dll

MD5 109c9392cc6c3aaa2aaa0b13ff32f4f3
SHA1 732696b9d12d0b491c1f6d4f9bf8e5738212c7c9
SHA256 6f7b8abea170e0180a80fa3bea1f42f91b22b9a820fc66558bf64d27d35e358e
SHA512 173ca3346f77c775e66d93fb4b78923d9547b8fc82c0e0ac854b18b53b85472199e67e4102838dde15f8eba879b702baebc44aecce8a7b867a20d0d6425c5c21
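Several dropped paths appear in the Files sections more than once with different digests: P2F0hAd1\SYSDM.CPL in behavioral1 (once drive-less, once as C:\...), and in behavioral2 RRz9CFGsq\wer.dll, OfkVjzV3u\WINMM.dll, RAlrZ3Bl\SPP.dll and each relocated executable. Anyone lifting hashes from this report for a blocklist needs every digest, not the first one seen, and should notice when one path carries two. The Python below is an added example for this page, not the sandbox's own parser: it reads an excerpt of the behavioral1 listing exactly as printed, checks digest lengths, reports paths with conflicting SHA256 values and emits the distinct digest set. Treating a drive-less path as the C: path is this example's assumption.

```python
"""Lift IOC records out of the report's "Files" listing.

Added example for this report, not sandbox tooling. FILES_TEXT is a verbatim
excerpt of the behavioral1 Files section; treating a drive-less entry (no "C:"
prefix) as the same file as the C:-prefixed one is this example's assumption."""
from __future__ import annotations

import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field

FILES_TEXT = r"""
memory/1260-62-0x0000000140000000-0x00000001401B6000-memory.dmp

\Users\Admin\AppData\Local\P2F0hAd1\SYSDM.CPL

MD5 86de1c98430c88f8b7e38a72d0a2818f
SHA1 486daefa7f5c76e89081ae9e5b18f789c7672bf1
SHA256 d3fd0394725fba04f44d2e617669ff3e2dda112a7f8260cb73abcc676a30952d
SHA512 eaca93a8df66599f030a5fac4ee781030c3ef65c2400d5ba3e6c1c2ab13016cb8d2d42a7375cb7839c3c4d9d5db534921935b23d292614acab9166d0df344401

memory/2172-75-0x0000000140000000-0x00000001401B7000-memory.dmp

C:\Users\Admin\AppData\Local\P2F0hAd1\SYSDM.CPL

MD5 6d92e7f1e7422bd578e15b4f34758a22
SHA1 560317cfd786d0f8b85892ce015c0dfb630fd534
SHA256 807f89bac60869749033a836fa1daab765fd2856402f49ad2f8843ff5a946b9d
SHA512 de490d24d05c6969bf526fd77d8d203d4384db417146c18a8efc8f9e3a51f6a279a8994264bca58e48a58905311e64d250870549951a7a8a08783f4f572ed324

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ekhyqsv.lnk

MD5 98307f2c6dff9dcad14d67e824a0556f
SHA1 0adce53fa06183257146836c836c5a04a7272fe1
SHA256 9464e15d9a256e7ca23034a0d4b3739c13c0fec42ae3c29aef90d61778668d5c
SHA512 7d13d56659608c7979857a4342754a184a73e7f2a22120c4108268a34be0167de41ff4208086f986dd3839e273a7983327f35549e7853aac2d669c6b9190eb6d
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_DIGEST_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")


@dataclass
class FileRecord:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)


def canonical_path(path: str) -> str:
    # Assumption: a path printed without a drive letter is the C: path.
    if path.startswith("\\") and not path.startswith("\\\\"):
        path = "C:" + path
    return ntpath.normcase(path)


def parse_files_section(text: str) -> list[FileRecord]:
    """One FileRecord per dropped-file entry; memory dumps carry no digests and are skipped."""
    records: list[FileRecord] = []
    current: FileRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = _DIGEST_LINE.match(line)
        if m is None:  # any other non-empty line opens a new path entry
            current = FileRecord(path=line)
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"digest line without a preceding path: {line}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != DIGEST_LEN[algo]:
            current.problems.append(
                f"{algo} has {len(digest)} hex digits, expected {DIGEST_LEN[algo]}")
        if algo in current.hashes:
            current.problems.append(f"duplicate {algo} line")
        current.hashes[algo] = digest
    return records


def hash_conflicts(records) -> dict[str, list[str]]:
    """Paths listed with more than one distinct SHA256, i.e. the sandbox saw
    different content at the same location during the run."""
    seen: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if "SHA256" in r.hashes:
            seen[canonical_path(r.path)].add(r.hashes["SHA256"])
    return {p: sorted(d) for p, d in seen.items() if len(d) > 1}


def ioc_digests(records, algo: str = "SHA256") -> list[str]:
    """Every distinct digest of the chosen algorithm, ready for a blocklist."""
    return sorted({r.hashes[algo] for r in records if algo in r.hashes})


if __name__ == "__main__":
    recs = parse_files_section(FILES_TEXT)
    for path, digests in hash_conflicts(recs).items():
        print(f"{path}: {len(digests)} distinct SHA256 values")
    print("\n".join(ioc_digests(recs)))
```

Feed the whole Files section of either detonation to parse_files_section to get the complete digest set; the conflict report is the list of paths whose content changed during the run and therefore need both digests blocked.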