Malware Analysis Report

2024-11-13 16:41

Sample ID 240128-zshf2sbfen
Target 7dfc5de3055bae2c2056b13cdd47a090
SHA256 d95cc0433afb03437c023c244ea84af4d4adb9e3f99de177b77f27dde047399e
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d95cc0433afb03437c023c244ea84af4d4adb9e3f99de177b77f27dde047399e

Threat Level: Known bad

The file 7dfc5de3055bae2c2056b13cdd47a090 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 20:58

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 20:58

Reported

2024-01-28 21:01

Platform

win7-20231215-en

Max time kernel

150s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dfc5de3055bae2c2056b13cdd47a090.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Xkgbzoakajt = "C:\\Users\\Admin\\AppData\\Roaming\\MACROM~1\\FLASHP~1\\MACROM~1.COM\\support\\YK1MFK~1\\isoburn.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2588 N/A N/A C:\Windows\system32\slui.exe
PID 1208 wrote to memory of 2588 N/A N/A C:\Windows\system32\slui.exe
PID 1208 wrote to memory of 2588 N/A N/A C:\Windows\system32\slui.exe
PID 1208 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe
PID 1208 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe
PID 1208 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe
PID 1208 wrote to memory of 2676 N/A N/A C:\Windows\system32\isoburn.exe
PID 1208 wrote to memory of 2676 N/A N/A C:\Windows\system32\isoburn.exe
PID 1208 wrote to memory of 2676 N/A N/A C:\Windows\system32\isoburn.exe
PID 1208 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe
PID 1208 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe
PID 1208 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe
PID 1208 wrote to memory of 3048 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1208 wrote to memory of 3048 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1208 wrote to memory of 3048 N/A N/A C:\Windows\system32\RDVGHelper.exe
PID 1208 wrote to memory of 2168 N/A N/A C:\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe
PID 1208 wrote to memory of 2168 N/A N/A C:\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe
PID 1208 wrote to memory of 2168 N/A N/A C:\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dfc5de3055bae2c2056b13cdd47a090.dll,#1

C:\Windows\system32\slui.exe

C:\Windows\system32\slui.exe

C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe

C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe

C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe

C:\Windows\system32\RDVGHelper.exe

C:\Windows\system32\RDVGHelper.exe

C:\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe

C:\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe

Network

N/A

Files

\Users\Admin\AppData\Local\56dWecyrk\WINBRAND.dll

MD5 774d310e1190f90ffed9ad7534d3eee1
SHA1 a0fc04635e4ac8e3c910f89306bf84d8372a056f
SHA256 802bb19f2963ed50a4b4833c222dd9237a1819ee8023741d480232e08a2358f9
SHA512 b5c6e7c1e76491679e16fc44264dbf3c8d265a2500c6a540b633fbc82ed6f54da21877b74fe67fc7119aae56405be2b5feeafd887387abfa90f9153414acef37

C:\Users\Admin\AppData\Local\56dWecyrk\WINBRAND.dll

MD5 19e451b1d34267f08486e0acc71a4c10
SHA1 9666f6b31937751a71e90bc5a4a31f6c6af3251d
SHA256 8b1c3f677ea1833664fa8fe555e2d3c29d9769af1772d4a3fd0fdb5c5d3f0332
SHA512 dcbe52aa4dbcfa885b93b3e51766ce2b121ffb1baaeff4a49e73d0a801b52928a711cdfc3e22332f4f61aae269df85efdb8a2f8849c3f4a37e9b9d88127de295

C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe

MD5 d94fe069c00712fa80114ee29519685d
SHA1 322ffcbab982fe3a3c423f6359fa8a8c255ddcb0
SHA256 dc697b2960c10325fb55e5246f75c538b4a61a62b1cdc461f1d02260dcef68ae
SHA512 be361fe0845b78c35088c9c29e6fabb3822ca4108db1612e314edb71500559998db8e931f0449c362765a8610b18cf36c5f9b14921b1c2de5f03eb215b5170d1

\Users\Admin\AppData\Local\56dWecyrk\slui.exe

MD5 ec8098883cf0d1c83269fc0447d67c78
SHA1 5f661f61311403ea7c684b0e0658cc8d0e095091
SHA256 c8363a5f3db5724e4652d83440d028b9b7bdce89eeb3297bfd1567f1d680e293
SHA512 052417a887d4e137a6b1b6bdc5649b09013f1694ab776f87f2b59221c651e87318d418faaac8a72fd893dd17963c2c18ccf788c00444a0c4ff31f53409cc151a

C:\Users\Admin\AppData\Local\56dWecyrk\slui.exe

MD5 9c9ea25f8cbc3088927fc2e9700c5acb
SHA1 e11439586de20229774eff0a6c544fa900088396
SHA256 329e4d2edaaf8067096933292a05fea07592b27dc1e14a19685e9dd0b816be00
SHA512 9717570123bc731fc88d328caf93706a6c51122dd026cfc4faa06874eb1acbf9fc4e9c547ca72eca5133934e895855a8af81bf45e9673ee640cdee8391c9c214

C:\Users\Admin\AppData\Local\WO6eRUK4\isoburn.exe

MD5 f8051f06e1c4aa3f2efe4402af5919b1
SHA1 bbcf3711501dfb22b04b1a6f356d95a6d5998790
SHA256 50dcb4be409f50d26c0fc32dd9cdbf96bff4e19bf624221cb566ebeb3e09ce1a
SHA512 5f664d937abe4426ee7e0d8491a395f9ef4ffe7a51dba05b54b7ba27e80c9be37833400911c5878d3dec659f4fa1579ec8ba4cfc485fb2ce24dd37c321006daa

C:\Users\Admin\AppData\Local\WO6eRUK4\UxTheme.dll

MD5 5cc7999742ce93bcba0df5a602a38b02
SHA1 f941e025a50b764b9b7a332918fa021e7a5c92fc
SHA256 1c94e674a78895a0788db82c864ac2865ecd53b7b20e927a81fc91e2dd1a1bd8
SHA512 4625dd58f2b1a902ac700b311b93f7161cf5fb890cce387d0a2a1b3d9df1622884d515934939e0e2772a987a816076579c5531b3512400757ef0cd258be2b174

\Users\Admin\AppData\Local\WO6eRUK4\UxTheme.dll

MD5 24127704d1a9a21c2161b3ae486f77e0
SHA1 f529147e03eed8a4476fa252c3a5b21e6f72dd16
SHA256 8998b8101fbf7c0c5548f6d488538fc90dd9e51d85d4fca1bffa9044918adc02
SHA512 e911fbb2a405c7730029195e31f04779a3bcc6635f292e51b2a467164ef3683565040551acef8576d3c24e3d915487869689791280ea94aee3cc56c121a28282

\Users\Admin\AppData\Local\Qwp\RDVGHelper.exe

MD5 53fda4af81e7c4895357a50e848b7cfe
SHA1 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f
SHA256 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038
SHA512 dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

C:\Users\Admin\AppData\Local\Qwp\dwmapi.dll

MD5 30b5d555dfdb235ecf8c54816bd12b49
SHA1 e42c7226dd95080ce1f02f0dcc93d4f9448bbd9e
SHA256 977252eed40b67675977edf0931d72440bd7924e0d1cc086ce97aa05c5e1c89e
SHA512 1be552415d5d26fd25e7403b4b0d3c77506f8e4d593db4ba5968e8bd7e2613e7995f17a470f990c85f95e6d52dea83c955361357158d25b305a75c0cb5699104

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Hbeids.lnk

MD5 48a3aa339e7ebfee3dd597b34b681ff3
SHA1 775e10c37a6358c67fb6e3fccf8b69a75506b014
SHA256 dda6944e75dbdf8b85b39a6ef4ab9838919cb690807c0e20a9aa4e12053923da
SHA512 bb80d0b6254c3ed712e5cd6324644353ce04759043b6a869512eea3acd3aa33cabb8c7b03474c4c7727e4a48f0be1af1468cc813c1542731c06a26bdb045fda4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\ZTUjzGS\WINBRAND.dll

MD5 082c5c6b143fe28534607c4d5ccd15d0
SHA1 de7715dd2ea48dbe1b39199ad1852dada35b6ccc
SHA256 01fe2292b4baa3454742f3d9a67af50081ad85eae985af1070b1e21c21aad977
SHA512 6ffcaaf18c3954d36707bb84cd4af3e94cbbd5190012a3035808d62807544732e8f53f6bf1bf4c584a4d795671ca2042d2842a98e5907b98b91a79c77f5809c4

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\Yk1mFKxt3i\UxTheme.dll

MD5 ae8de4fc88369a8775e1a53b5b547a96
SHA1 bfc45855ba52cd5c1cc1be5bc67cb7d48cfe495d
SHA256 c76503842e4d472c561761d55b1bf7dc0f54f6151e399219cee7913e85c1988e
SHA512 b1183d936ecf9a1e1d1d70bc112c7bea56210eae3e3283208074b700c1ec53811f3258f02a23bf1a98f30b0d51a0bc0efb45d2de34b1de4e2e0cf4104e0ff56e

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 20:58

Reported

2024-01-28 21:01

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dfc5de3055bae2c2056b13cdd47a090.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\QbXMe\\sdclt.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\i5h54\sdclt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\3tl\AtBroker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Qk9\CustomShellHost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 1332 N/A N/A C:\Windows\system32\CustomShellHost.exe
PID 3532 wrote to memory of 1332 N/A N/A C:\Windows\system32\CustomShellHost.exe
PID 3532 wrote to memory of 3752 N/A N/A C:\Users\Admin\AppData\Local\Qk9\CustomShellHost.exe
PID 3532 wrote to memory of 3752 N/A N/A C:\Users\Admin\AppData\Local\Qk9\CustomShellHost.exe
PID 3532 wrote to memory of 3764 N/A N/A C:\Windows\system32\sdclt.exe
PID 3532 wrote to memory of 3764 N/A N/A C:\Windows\system32\sdclt.exe
PID 3532 wrote to memory of 4656 N/A N/A C:\Users\Admin\AppData\Local\i5h54\sdclt.exe
PID 3532 wrote to memory of 4656 N/A N/A C:\Users\Admin\AppData\Local\i5h54\sdclt.exe
PID 3532 wrote to memory of 2332 N/A N/A C:\Windows\system32\AtBroker.exe
PID 3532 wrote to memory of 2332 N/A N/A C:\Windows\system32\AtBroker.exe
PID 3532 wrote to memory of 4664 N/A N/A C:\Users\Admin\AppData\Local\3tl\AtBroker.exe
PID 3532 wrote to memory of 4664 N/A N/A C:\Users\Admin\AppData\Local\3tl\AtBroker.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\7dfc5de3055bae2c2056b13cdd47a090.dll,#1

C:\Windows\system32\CustomShellHost.exe

C:\Windows\system32\CustomShellHost.exe

C:\Users\Admin\AppData\Local\Qk9\CustomShellHost.exe

C:\Users\Admin\AppData\Local\Qk9\CustomShellHost.exe

C:\Windows\system32\sdclt.exe

C:\Windows\system32\sdclt.exe

C:\Users\Admin\AppData\Local\i5h54\sdclt.exe

C:\Users\Admin\AppData\Local\i5h54\sdclt.exe

C:\Windows\system32\AtBroker.exe

C:\Windows\system32\AtBroker.exe

C:\Users\Admin\AppData\Local\3tl\AtBroker.exe

C:\Users\Admin\AppData\Local\3tl\AtBroker.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 138.91.171.81:80 N/A tcp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Qk9\WTSAPI32.dll

MD5 4fc6488de9e47ed1d300e266f2bb3204
SHA1 3a99d3bf374914b100a5ecbbb5a6fc7b459c3fb0
SHA256 53b9194d4fa5520100d9d662d494095f46d7c7959315b840358267f554dae3ef
SHA512 f0f83cfdada877036deceb9c69994c1ef16663ba32bfa91799714b666b1072dc179a32ce365e9ce2397b29925945ff8520f1df5b00dfe6b5b56c62a2ad8977e5

C:\Users\Admin\AppData\Local\Qk9\CustomShellHost.exe

MD5 70400e78b71bc8efdd063570428ae531
SHA1 cd86ecd008914fdd0389ac2dc00fe92d87746096
SHA256 91333f3282a2420359ae9d3adf537688741d21e964f021e2b152ab293447f289
SHA512 53005dda237fb23af79f54779c74a09835ad4cad3ca7b9dcec80e3793a60dd262f45b910bef96ab9c8e69d0c6990fea6ca5fee85d7f8425db523ae658372959e

C:\Users\Admin\AppData\Local\i5h54\sdclt.exe

MD5 e09d48f225e7abcab14ebd3b8a9668ec
SHA1 1c5b9322b51c09a407d182df481609f7cb8c425d
SHA256 efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3
SHA512 384d606b90c4803e5144b4de24edc537cb22dd59336a18a58d229500ed36aec92c8467cae6d3f326647bd044d8074931da553c7809727fb70227e99c257df0b4

C:\Users\Admin\AppData\Local\i5h54\wer.dll

MD5 55b6042f7ff53d44b98b2c7d0a3f9beb
SHA1 f8ed9656553aa656cf5f17f45776abd26828e2d1
SHA256 62e532a62acef71066ddb5f451a4a537bd650940e5e4a75ea69eb344ef1844b0
SHA512 ed95d0251144e318a719aa666f4d05d3621f49836c52ccf37875549d0ab2b57d7542d75a49da1ed7413f2e3582cae805b7a72e0633ea7e3df7d928109f5ec553

C:\Users\Admin\AppData\Local\3tl\AtBroker.exe

MD5 30076e434a015bdf4c136e09351882cc
SHA1 584c958a35e23083a0861421357405afd26d9a0c
SHA256 ae7b1e298a6e38f0a3428151bfc5565ede50a8d98dafaa147b13cf89c61f2ddd
SHA512 675e310c2455acf9220735f34fa527afe87dac691e89cc0edc3c4659147e9fd223f96b7a3beea532047aa0ebc58880a7010343019a50aa73ce69a038e3592024

C:\Users\Admin\AppData\Local\3tl\UxTheme.dll

MD5 3f62658d9a8e62b732b8b9cb5d2f3272
SHA1 46bb84a50f367ecde2651ebb0da3dabeb65aed96
SHA256 760df1abaed86030f23218417ca36cca22982ce4e7459ba197289ad5933edf33
SHA512 c15cc4bab4999a73b1575dac81253a4b348b62c6b7ac57ec643509ec90db16c615eb7ee2aa8e785cce560630e5c9c5a42005f9dceb40631b967a810ce07afc4f

C:\Users\Admin\AppData\Local\3tl\UxTheme.dll

MD5 7bd3e5a0bad0b0fd6c1633dd3b543ca1
SHA1 78a528c80ced2c9aebc6a7c2605bfab15c33563d
SHA256 b5a23d3fb74326dbaeea4c127aa3cd7e7ae018725842b70a33f81864f9435b3e
SHA512 c2d23948392d958fd54e32318f98706bf5a2fda9db5cd76131dc17cd10e7bd55f16f1bec0909c32f2e3b0fc9fc1b238c7d490bd1f8e35a8b320c59a2473d12a2

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 19cd86f36c13a19cef26997fa7b148e5
SHA1 3a2a8e04c3cc0ae76afe7365a06c0d8afc20ecd3
SHA256 3da33f52e037648f7feb453d30d0f7542341b322f130951c6db49bc39696a1dd
SHA512 951e24497a0c6926cb35a6a544f89ad233d39d720d3f30b286fb767726f71953246eaa46915db73299e73a73e1c94b7a9d7ba4b72940fb35d29f7f14f6173d01