Malware Analysis Report

2024-11-13 16:42

Sample ID 240130-kf5y9adehj
Target 81f8648768d984dad73854085026281b
SHA256 f5a2a17ec58c0e535e888c046a88eb1703fd65111fff76073fa8b540702f5efa
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f5a2a17ec58c0e535e888c046a88eb1703fd65111fff76073fa8b540702f5efa

Threat Level: Known bad

The file 81f8648768d984dad73854085026281b was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 08:33

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 08:33

Reported

2024-01-30 08:36

Platform

win7-20231215-en

Max time kernel

149s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f8648768d984dad73854085026281b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\649t\unregmp2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\pfpb\notepad.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\ST5EPZ~1\\Netplwiz.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\649t\unregmp2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\pfpb\notepad.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 2632 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1144 wrote to memory of 2632 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1144 wrote to memory of 2632 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1144 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\649t\unregmp2.exe
PID 1144 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\649t\unregmp2.exe
PID 1144 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\649t\unregmp2.exe
PID 1144 wrote to memory of 1692 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1144 wrote to memory of 1692 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1144 wrote to memory of 1692 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1144 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe
PID 1144 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe
PID 1144 wrote to memory of 2136 N/A N/A C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe
PID 1144 wrote to memory of 2128 N/A N/A C:\Windows\system32\notepad.exe
PID 1144 wrote to memory of 2128 N/A N/A C:\Windows\system32\notepad.exe
PID 1144 wrote to memory of 2128 N/A N/A C:\Windows\system32\notepad.exe
PID 1144 wrote to memory of 768 N/A N/A C:\Users\Admin\AppData\Local\pfpb\notepad.exe
PID 1144 wrote to memory of 768 N/A N/A C:\Users\Admin\AppData\Local\pfpb\notepad.exe
PID 1144 wrote to memory of 768 N/A N/A C:\Users\Admin\AppData\Local\pfpb\notepad.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f8648768d984dad73854085026281b.dll,#1

C:\Users\Admin\AppData\Local\649t\unregmp2.exe

C:\Users\Admin\AppData\Local\649t\unregmp2.exe

C:\Windows\system32\unregmp2.exe

C:\Windows\system32\unregmp2.exe

C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe

C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\notepad.exe

C:\Windows\system32\notepad.exe

C:\Users\Admin\AppData\Local\pfpb\notepad.exe

C:\Users\Admin\AppData\Local\pfpb\notepad.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\649t\VERSION.dll

C:\Users\Admin\AppData\Local\649t\unregmp2.exe

\Users\Admin\AppData\Local\649t\VERSION.dll

\Users\Admin\AppData\Local\649t\unregmp2.exe

C:\Users\Admin\AppData\Local\649t\unregmp2.exe

C:\Users\Admin\AppData\Local\qdv2Wme\NETPLWIZ.dll

\Users\Admin\AppData\Local\qdv2Wme\NETPLWIZ.dll

C:\Users\Admin\AppData\Local\qdv2Wme\Netplwiz.exe

\Users\Admin\AppData\Local\pfpb\VERSION.dll

C:\Users\Admin\AppData\Local\pfpb\VERSION.dll

C:\Users\Admin\AppData\Local\pfpb\notepad.exe

\Users\Admin\AppData\Local\pfpb\notepad.exe

C:\Users\Admin\AppData\Local\pfpb\notepad.exe

\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\OW\notepad.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\U0GqYeN0d\VERSION.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\sT5EpZxBV\NETPLWIZ.dll

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\OW\VERSION.dll


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 08:33

Reported

2024-01-30 08:36

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f8648768d984dad73854085026281b.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\LmJLI\\rstrui.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\mSo\EhStorAuthn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\x1y7nj\usocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\6d0thiHU9\rstrui.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 1136 N/A N/A C:\Windows\system32\usocoreworker.exe
PID 3480 wrote to memory of 1136 N/A N/A C:\Windows\system32\usocoreworker.exe
PID 3480 wrote to memory of 920 N/A N/A C:\Users\Admin\AppData\Local\x1y7nj\usocoreworker.exe
PID 3480 wrote to memory of 920 N/A N/A C:\Users\Admin\AppData\Local\x1y7nj\usocoreworker.exe
PID 3480 wrote to memory of 4580 N/A N/A C:\Windows\system32\rstrui.exe
PID 3480 wrote to memory of 4580 N/A N/A C:\Windows\system32\rstrui.exe
PID 3480 wrote to memory of 228 N/A N/A C:\Users\Admin\AppData\Local\6d0thiHU9\rstrui.exe
PID 3480 wrote to memory of 228 N/A N/A C:\Users\Admin\AppData\Local\6d0thiHU9\rstrui.exe
PID 3480 wrote to memory of 1768 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 3480 wrote to memory of 1768 N/A N/A C:\Windows\system32\EhStorAuthn.exe
PID 3480 wrote to memory of 2432 N/A N/A C:\Users\Admin\AppData\Local\mSo\EhStorAuthn.exe
PID 3480 wrote to memory of 2432 N/A N/A C:\Users\Admin\AppData\Local\mSo\EhStorAuthn.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f8648768d984dad73854085026281b.dll,#1

C:\Windows\system32\usocoreworker.exe

C:\Windows\system32\usocoreworker.exe

C:\Windows\system32\rstrui.exe

C:\Windows\system32\rstrui.exe

C:\Users\Admin\AppData\Local\mSo\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\mSo\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Windows\system32\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\6d0thiHU9\rstrui.exe

C:\Users\Admin\AppData\Local\6d0thiHU9\rstrui.exe

C:\Users\Admin\AppData\Local\x1y7nj\usocoreworker.exe

C:\Users\Admin\AppData\Local\x1y7nj\usocoreworker.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\x1y7nj\XmlLite.dll

C:\Users\Admin\AppData\Local\x1y7nj\usocoreworker.exe

C:\Users\Admin\AppData\Local\x1y7nj\XmlLite.dll

C:\Users\Admin\AppData\Local\6d0thiHU9\SRCORE.dll

C:\Users\Admin\AppData\Local\mSo\UxTheme.dll

C:\Users\Admin\AppData\Local\mSo\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\mSo\UxTheme.dll

C:\Users\Admin\AppData\Local\mSo\EhStorAuthn.exe

C:\Users\Admin\AppData\Local\6d0thiHU9\rstrui.exe

C:\Users\Admin\AppData\Local\6d0thiHU9\SRCORE.dll

C:\Users\Admin\AppData\Local\6d0thiHU9\rstrui.exe

C:\Users\Admin\AppData\Local\x1y7nj\usocoreworker.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

C:\Users\Admin\AppData\Roaming\Mozilla\Z400\XmlLite.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\LmJLI\SRCORE.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Proof\C6wOn8bTok\UxTheme.dll
