Malware Analysis Report

2024-11-13 16:42

Sample ID 240130-k73cfachd3
Target 820d38a0c687ab0b550fe547c7bb1d6a
SHA256 9ddd12552dc5850ed10c847816d6e5f80272a66117d765587662065ede3435c5
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 820d38a0c687ab0b550fe547c7bb1d6a was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-01-30 09:15

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 09:15

Reported

2024-01-30 09:18

Platform

win7-20231215-en

Max time kernel

150s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\820d38a0c687ab0b550fe547c7bb1d6a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{EE07B9B8-79CB-4B35-87AB-D4E1BF99C984}\\N25vjPXg\\xpsrchvw.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1252 wrote to memory of 1412 | N/A | N/A | C:\Windows\system32\msdtc.exe
PID 1252 wrote to memory of 1412 | N/A | N/A | C:\Windows\system32\msdtc.exe
PID 1252 wrote to memory of 1412 | N/A | N/A | C:\Windows\system32\msdtc.exe
PID 1252 wrote to memory of 2076 | N/A | N/A | C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe
PID 1252 wrote to memory of 2076 | N/A | N/A | C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe
PID 1252 wrote to memory of 2076 | N/A | N/A | C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe
PID 1252 wrote to memory of 2960 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe
PID 1252 wrote to memory of 2960 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe
PID 1252 wrote to memory of 2960 | N/A | N/A | C:\Windows\system32\xpsrchvw.exe
PID 1252 wrote to memory of 1632 | N/A | N/A | C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe
PID 1252 wrote to memory of 1632 | N/A | N/A | C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe
PID 1252 wrote to memory of 1632 | N/A | N/A | C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe
PID 1252 wrote to memory of 2188 | N/A | N/A | C:\Windows\system32\dvdupgrd.exe
PID 1252 wrote to memory of 2188 | N/A | N/A | C:\Windows\system32\dvdupgrd.exe
PID 1252 wrote to memory of 2188 | N/A | N/A | C:\Windows\system32\dvdupgrd.exe
PID 1252 wrote to memory of 1732 | N/A | N/A | C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe
PID 1252 wrote to memory of 1732 | N/A | N/A | C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe
PID 1252 wrote to memory of 1732 | N/A | N/A | C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\820d38a0c687ab0b550fe547c7bb1d6a.dll,#1

C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe

C:\Windows\system32\msdtc.exe

C:\Windows\system32\xpsrchvw.exe

C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe

C:\Windows\system32\dvdupgrd.exe

C:\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe

C:\Users\Admin\AppData\Local\rmMTk\VERSION.dll

C:\Users\Admin\AppData\Local\rmMTk\msdtc.exe

\Users\Admin\AppData\Local\rmMTk\VERSION.dll

\Users\Admin\AppData\Local\rmMTk\msdtc.exe

\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe

\Users\Admin\AppData\Local\bDxi\WINMM.dll

C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe

C:\Users\Admin\AppData\Local\bDxi\WINMM.dll

C:\Users\Admin\AppData\Local\bDxi\xpsrchvw.exe

\Users\Admin\AppData\Local\HeBC\dvdupgrd.exe

\Users\Admin\AppData\Local\HeBC\VERSION.dll

C:\Users\Admin\AppData\Local\HeBC\VERSION.dll

\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\vR\dvdupgrd.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\BtuQfAZZER\VERSION.dll

C:\Users\Admin\AppData\Roaming\Identities\{EE07B9B8-79CB-4B35-87AB-D4E1BF99C984}\N25vjPXg\WINMM.dll

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\vR\VERSION.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 09:15

Reported

2024-01-30 09:18

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\820d38a0c687ab0b550fe547c7bb1d6a.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-3073191680-435865314-2862784915-1000\\iyIaUtBpiiz\\dccw.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3444 wrote to memory of 3884 | N/A | N/A | C:\Windows\system32\sessionmsg.exe
PID 3444 wrote to memory of 3884 | N/A | N/A | C:\Windows\system32\sessionmsg.exe
PID 3444 wrote to memory of 4576 | N/A | N/A | C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe
PID 3444 wrote to memory of 4576 | N/A | N/A | C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe
PID 3444 wrote to memory of 1824 | N/A | N/A | C:\Windows\system32\dccw.exe
PID 3444 wrote to memory of 1824 | N/A | N/A | C:\Windows\system32\dccw.exe
PID 3444 wrote to memory of 4332 | N/A | N/A | C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe
PID 3444 wrote to memory of 4332 | N/A | N/A | C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe
PID 3444 wrote to memory of 5048 | N/A | N/A | C:\Windows\system32\MDMAppInstaller.exe
PID 3444 wrote to memory of 5048 | N/A | N/A | C:\Windows\system32\MDMAppInstaller.exe
PID 3444 wrote to memory of 1260 | N/A | N/A | C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe
PID 3444 wrote to memory of 1260 | N/A | N/A | C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\820d38a0c687ab0b550fe547c7bb1d6a.dll,#1

C:\Windows\system32\sessionmsg.exe

C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe

C:\Windows\system32\dccw.exe

C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe

C:\Windows\system32\MDMAppInstaller.exe

C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe

Network

Files

C:\Users\Admin\AppData\Local\wpn\sessionmsg.exe

C:\Users\Admin\AppData\Local\wpn\DUI70.dll

C:\Users\Admin\AppData\Local\R1h0gsZFF\dccw.exe

C:\Users\Admin\AppData\Local\R1h0gsZFF\mscms.dll

C:\Users\Admin\AppData\Local\qVQpmj3\MDMAppInstaller.exe

C:\Users\Admin\AppData\Local\qVQpmj3\WTSAPI32.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
