Malware Analysis Report

2024-11-13 16:42

Sample ID 240130-1m3qgaedgr
Target 82a4bc5335713f3201927604dc1c17fa
SHA256 b24b5a97da7b45c297575085b7e6a6812e70391a8460609e4ab225c8b8c421b8
Tags dridex botnet evasion payload persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 b24b5a97da7b45c297575085b7e6a6812e70391a8460609e4ab225c8b8c421b8

Threat Level: Known bad

The file 82a4bc5335713f3201927604dc1c17fa was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-30 21:46

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-30 21:46
Reported 2024-01-30 21:49
Platform win7-20231215-en
Max time kernel 150s
Max time network 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82a4bc5335713f3201927604dc1c17fa.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fskzoiv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IEDownloadHistory\\o6T6Cp0b67\\Utilman.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1260 wrote to memory of 2560 N/A N/A C:\Windows\system32\raserver.exe
PID 1260 wrote to memory of 2560 N/A N/A C:\Windows\system32\raserver.exe
PID 1260 wrote to memory of 2560 N/A N/A C:\Windows\system32\raserver.exe
PID 1260 wrote to memory of 1924 N/A N/A C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe
PID 1260 wrote to memory of 1924 N/A N/A C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe
PID 1260 wrote to memory of 1924 N/A N/A C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe
PID 1260 wrote to memory of 616 N/A N/A C:\Windows\system32\Utilman.exe
PID 1260 wrote to memory of 616 N/A N/A C:\Windows\system32\Utilman.exe
PID 1260 wrote to memory of 616 N/A N/A C:\Windows\system32\Utilman.exe
PID 1260 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe
PID 1260 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe
PID 1260 wrote to memory of 2792 N/A N/A C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe
PID 1260 wrote to memory of 1208 N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 1260 wrote to memory of 1208 N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 1260 wrote to memory of 1208 N/A N/A C:\Windows\system32\BitLockerWizard.exe
PID 1260 wrote to memory of 800 N/A N/A C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe
PID 1260 wrote to memory of 800 N/A N/A C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe
PID 1260 wrote to memory of 800 N/A N/A C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82a4bc5335713f3201927604dc1c17fa.dll,#1

C:\Windows\system32\raserver.exe

C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe

C:\Windows\system32\Utilman.exe

C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe

C:\Windows\system32\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\BwjLVSh\WTSAPI32.dll

C:\Users\Admin\AppData\Local\BwjLVSh\raserver.exe

C:\Users\Admin\AppData\Local\HpCcfb\DUI70.dll

C:\Users\Admin\AppData\Local\HpCcfb\Utilman.exe

C:\Users\Admin\AppData\Local\fUkKHw\BitLockerWizard.exe

C:\Users\Admin\AppData\Local\fUkKHw\FVEWIZ.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Zrkibbhbsqvuoso.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\4xmVg\WTSAPI32.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\o6T6Cp0b67\DUI70.dll

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-30 21:46
Reported 2024-01-30 21:49
Platform win10v2004-20231215-en
Max time kernel 149s
Max time network 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82a4bc5335713f3201927604dc1c17fa.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\FT8X\\mstsc.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\iEagISx\EaseOfAccessDialog.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\TfRbDfp4\mstsc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\i9gJ\upfc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3396 wrote to memory of 3896 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3396 wrote to memory of 3896 N/A N/A C:\Windows\system32\EaseOfAccessDialog.exe
PID 3396 wrote to memory of 396 N/A N/A C:\Users\Admin\AppData\Local\iEagISx\EaseOfAccessDialog.exe
PID 3396 wrote to memory of 396 N/A N/A C:\Users\Admin\AppData\Local\iEagISx\EaseOfAccessDialog.exe
PID 3396 wrote to memory of 2212 N/A N/A C:\Windows\system32\mstsc.exe
PID 3396 wrote to memory of 2212 N/A N/A C:\Windows\system32\mstsc.exe
PID 3396 wrote to memory of 1324 N/A N/A C:\Users\Admin\AppData\Local\TfRbDfp4\mstsc.exe
PID 3396 wrote to memory of 1324 N/A N/A C:\Users\Admin\AppData\Local\TfRbDfp4\mstsc.exe
PID 3396 wrote to memory of 4024 N/A N/A C:\Windows\system32\upfc.exe
PID 3396 wrote to memory of 4024 N/A N/A C:\Windows\system32\upfc.exe
PID 3396 wrote to memory of 4680 N/A N/A C:\Users\Admin\AppData\Local\i9gJ\upfc.exe
PID 3396 wrote to memory of 4680 N/A N/A C:\Users\Admin\AppData\Local\i9gJ\upfc.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\82a4bc5335713f3201927604dc1c17fa.dll,#1

C:\Windows\system32\mstsc.exe

C:\Users\Admin\AppData\Local\TfRbDfp4\mstsc.exe

C:\Windows\system32\upfc.exe

C:\Users\Admin\AppData\Local\i9gJ\upfc.exe

C:\Users\Admin\AppData\Local\iEagISx\EaseOfAccessDialog.exe

C:\Windows\system32\EaseOfAccessDialog.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 197.178.17.96.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\iEagISx\OLEACC.dll

C:\Users\Admin\AppData\Local\iEagISx\EaseOfAccessDialog.exe

C:\Users\Admin\AppData\Local\TfRbDfp4\mstsc.exe

C:\Users\Admin\AppData\Local\TfRbDfp4\WINMM.dll

C:\Users\Admin\AppData\Local\i9gJ\XmlLite.dll

C:\Users\Admin\AppData\Local\i9gJ\upfc.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\VKZHCQTs\OLEACC.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\FT8X\WINMM.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\YdM\XmlLite.dll