Malware Analysis Report

2024-11-13 16:41

Sample ID 240130-kfdj1acbf9
Target 81f7894d5f57875aac520d9601f29693
SHA256 a6f1f005d6597eeaad112e697cdc23a870332a42fd7f897df28d80450d8f1801
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a6f1f005d6597eeaad112e697cdc23a870332a42fd7f897df28d80450d8f1801

Threat Level: Known bad

The file 81f7894d5f57875aac520d9601f29693 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 08:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 08:32

Reported

2024-01-30 08:34

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f7894d5f57875aac520d9601f29693.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\K5Rk\TpmInit.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\0H66b\BitLockerWizardElev.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\Niubkzso = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\UserData\\Low\\JtlScQzd\\BITLOC~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\K5Rk\TpmInit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\0H66b\BitLockerWizardElev.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2440 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1244 wrote to memory of 2440 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1244 wrote to memory of 2440 N/A N/A C:\Windows\system32\TpmInit.exe
PID 1244 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\K5Rk\TpmInit.exe
PID 1244 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\K5Rk\TpmInit.exe
PID 1244 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\K5Rk\TpmInit.exe
PID 1244 wrote to memory of 2144 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1244 wrote to memory of 2144 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1244 wrote to memory of 2144 N/A N/A C:\Windows\system32\BitLockerWizardElev.exe
PID 1244 wrote to memory of 2148 N/A N/A C:\Users\Admin\AppData\Local\0H66b\BitLockerWizardElev.exe
PID 1244 wrote to memory of 2148 N/A N/A C:\Users\Admin\AppData\Local\0H66b\BitLockerWizardElev.exe
PID 1244 wrote to memory of 2148 N/A N/A C:\Users\Admin\AppData\Local\0H66b\BitLockerWizardElev.exe
PID 1244 wrote to memory of 2152 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1244 wrote to memory of 2152 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1244 wrote to memory of 2152 N/A N/A C:\Windows\system32\fveprompt.exe
PID 1244 wrote to memory of 2784 N/A N/A C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe
PID 1244 wrote to memory of 2784 N/A N/A C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe
PID 1244 wrote to memory of 2784 N/A N/A C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f7894d5f57875aac520d9601f29693.dll,#1

C:\Windows\system32\TpmInit.exe

C:\Windows\system32\TpmInit.exe

C:\Users\Admin\AppData\Local\K5Rk\TpmInit.exe

C:\Users\Admin\AppData\Local\K5Rk\TpmInit.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Windows\system32\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\0H66b\BitLockerWizardElev.exe

C:\Users\Admin\AppData\Local\0H66b\BitLockerWizardElev.exe

C:\Windows\system32\fveprompt.exe

C:\Windows\system32\fveprompt.exe

C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe

C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe

Network

N/A

Files

memory/1700-0-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1700-1-0x0000000000330000-0x0000000000337000-memory.dmp

memory/1244-4-0x0000000077606000-0x0000000077607000-memory.dmp

memory/1244-5-0x0000000002C20000-0x0000000002C21000-memory.dmp

memory/1700-8-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-9-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-13-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-14-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-15-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-12-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-17-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-18-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-19-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-21-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-22-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-23-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-25-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-26-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-31-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-32-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-29-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-34-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-35-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-40-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-38-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-42-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-44-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-45-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-43-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-46-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-47-0x0000000002BF0000-0x0000000002BF7000-memory.dmp

memory/1244-41-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-39-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-36-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-37-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-33-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-30-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-54-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-56-0x0000000077970000-0x0000000077972000-memory.dmp

memory/1244-55-0x0000000077811000-0x0000000077812000-memory.dmp

memory/1244-28-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-65-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-27-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-24-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-69-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-20-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-16-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-75-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-11-0x0000000140000000-0x00000001401B9000-memory.dmp

\Users\Admin\AppData\Local\K5Rk\TpmInit.exe

MD5 8b5eb38e08a678afa129e23129ca1e6d
SHA1 a27d30bb04f9fabdb5c92d5150661a75c5c7bc42
SHA256 4befa614e1b434b2f58c9e7ce947a946b1cf1834b219caeff42b3e36f22fd97c
SHA512 a7245cde299c68db85370ae1bdf32a26208e2cda1311afd06b0efd410664f36cafb62bf4b7ce058e203dcc515c45ebdef01543779ead864f3154175b7b36647d

C:\Users\Admin\AppData\Local\K5Rk\Secur32.dll

MD5 6cbedd406eee67125836ca80fb49cd9a
SHA1 56a40c238d2cbca6daeacfd5a041a3b33477bf7b
SHA256 9b136493759655a014b53128a0ee0e275bdf45f00c0b2ac97ab1ab8c5022060d
SHA512 a6807b4c7985fef7ee8173792b27eaefdefd230ce74caa63c5a5e55ed21c9dcea227ae0bb829db6aa925106909b7eb7deda37770366227046e811c8952b8e604

\Users\Admin\AppData\Local\K5Rk\Secur32.dll

MD5 8ac961b25b6340b16bdfb2bd8f363970
SHA1 8f62305c73e4ffada75f30bd10fe356d73fb0fba
SHA256 f9f37dbcf81dc9c099949eae343550a353552269e6f842022a6412883b56f9db
SHA512 435bb4d1751fb9e6d001aee269143005896dee30ad80a35c26be0d176210ab89431f18149e9050dff4fa868516ea5af11aab9be2863026b361312b6aac2492f2

memory/2572-83-0x0000000000090000-0x0000000000097000-memory.dmp

memory/2572-84-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/1244-10-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1244-7-0x0000000140000000-0x00000001401B9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Macromedia\v4cMZ\TpmInit.exe

MD5 f85aa5ae4e3c1e52f610fd0a61e90743
SHA1 1fcb61d04c986ac9a6ac43f9dad2c87ff67e2dce
SHA256 ec2462ab80ac9f2e1d5b32bd9a38da4d7c49dbf4dcfb2de5ebc8cfc5234687d1
SHA512 035800fa1e4218dd77903890735b9a4f104d5f728602b5198eb3f388586703522922cded89003f312bf5429afed02222630e1068d5dec5f7ff875bce1e01a146

C:\Users\Admin\AppData\Local\0H66b\FVEWIZ.dll

MD5 02d9f5bf31dd8faa6f4bd5589cbdffdc
SHA1 2690442db09a6358a7fb4b89473f5859c8bf0d9a
SHA256 3a6a103e04853cc77532a1d7b49e009b62044a5dc2e074127539e5c95f92805f
SHA512 21ab4afd95de5d061f77a2d6a013dcd5758a079c3bf75e9f2d489d209f95e70181d497d95c06b78fd8275af0e87b00ecb10c7cd166639cfc7833f27cb5d3581c

\Users\Admin\AppData\Local\0H66b\FVEWIZ.dll

MD5 783fdcd25012ad1d0dfc4c4092ea1cf9
SHA1 4e6ab35bbc7e1787e6afda2905025b4c7471db42
SHA256 2a9e54781231c4c29e8959aaea75fcb32bde66ba99df5d69043b8f7067bd5254
SHA512 61efba1869bd0d461b397807b8a67423ab2b896dfe31984e955fc80dc2ff1f230b3e45d6e8b3ce3d28a156d09d07dc9875d543b95b495863eb932230be5e4bd9

memory/2148-100-0x0000000000190000-0x0000000000197000-memory.dmp

C:\Users\Admin\AppData\Local\0H66b\BitLockerWizardElev.exe

MD5 73f13d791e36d3486743244f16875239
SHA1 ed5ec55dbc6b3bda505f0a4c699c257c90c02020
SHA256 2483d2f0ad481005cca081a86a07be9060bc6d4769c4570f92ad96fa325be9b8
SHA512 911a7b532312d50cc5e7f6a046d46ab5b322aa17ce59a40477173ea50f000a95db45f169f4ea3574e3e00ae4234b9f8363ac79329d683c14ebee1d423e6e43af

C:\Users\Admin\AppData\Local\uXAK5Vf6\slc.dll

MD5 d3e6be2623673bf93522feda1f6c00c7
SHA1 b446c9218103cc1ba4bd0e7d2169fb7d64f80726
SHA256 3ca85aa36be384f0641ba879f5ae850709a3d9d46ee50401f65bb39f42706ee5
SHA512 d7bae1230116cc012010db451955289ef2716e2dc3e30edf3370acaca6362d393ff13bee0ab46854b6d438ad6d7c98452d54d0ebda1029129c7f19f10bd814c4

\Users\Admin\AppData\Local\uXAK5Vf6\slc.dll

MD5 b8efc9757f89bbba43ed0a59e5fa5507
SHA1 180d880f7242084f1c68fb55a5841c4db7aabad7
SHA256 e5e22597c6c41d172f14a4edf1cce1cc795bcb2f8639148e7d5bde44fde3f9cb
SHA512 1c66d56703d4bae41e5d3762a0f4eda6afb633627104451b6343e7b8df04924262c87e4dc4def26ecd7adf4e02d0d0e68f8adedf0eaf1c22a87bd821503801f6

memory/2784-118-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe

MD5 dc2c44a23b2cd52bd53accf389ae14b2
SHA1 e36c7b6f328aa2ab2f52478169c52c1916f04b5f
SHA256 7f5b19f2c6a94833196ee1929d48094889b33b504d73d3af88dd857ceaf67921
SHA512 ff083f74777a9cfc940d4e0cb55886397e27c85f867de9a5dd9ea2c2751d2a77bf75fe0734e424d9678c83e927788d07d0b3072024f7e5a9848c7ff1aa4090dc

C:\Users\Admin\AppData\Local\uXAK5Vf6\fveprompt.exe

MD5 1dbe430b61992fddcfb619c0c985c2b0
SHA1 f25679aadc70d9a163e83f3c88920aa139fb0c42
SHA256 548ffedb55cfd4b365fd850c5f8ca68fd866ceb0faed145ad78b6f9a3e80a61b
SHA512 314ade0f6852b9c52b444e33edfa3cd44fbcb3f7d868d419c2e437b013d043eecfb13b8bf6ed50a8beb7338c3b526ef5241f347fdcbcc6814089a7fa8958a5d2

memory/1244-140-0x0000000077606000-0x0000000077607000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Efrsxj.lnk

MD5 3a8c634976c2aaa259f461c88cf77ff6
SHA1 447f4213a158c156e37ad1a85fa9e5b48a083a47
SHA256 cdf80913f8fb3c7d5d0159b1e7e768e5c73477c3a8251568b9787e9071477371
SHA512 6e852af45b5f53e147f57848c880cec276eca52df28a84993bde7a04a5bec1b3cd8be15d971d8182b5839e16c3cf25ff5f7742ae61c4ce2cac1906d97c1b34fc

C:\Users\Admin\AppData\Roaming\Macromedia\v4cMZ\Secur32.dll

MD5 8cee3c93272c8fd10483694b6a10e1fc
SHA1 b14d192cf0412d45e74c5e457bf723b7dc19f9a0
SHA256 7d95db42a54cf28c66877e2c8dec570991d29c724aa21ddea45990502e07a6d5
SHA512 e340a31f71d1d12020c518ffe0f6e2127f0b6665f573687ddc2721128ac096436a95883422cde9397a5b1068775777757dfb10de299a6648de946d3b49aec5bb

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\JtlScQzd\FVEWIZ.dll

MD5 a41f70f3a346045d67e98197c6a02a12
SHA1 d8abd87faf0c1232b023984040bc6cafb2cc9667
SHA256 e8e4110636570a4a731443f66a9a03ce295cf79f998194d501bd35c78eaa29fc
SHA512 655a78b80c9cef4eaf40cd2cf3bf75baf8d834507924982320872d010806e8e6781383304fd31fbc992a8ef7c0116b15db762b9cd43cb0f45de896eec451ec42

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\03lFWmCx\slc.dll

MD5 00a80b3c6332cd0d84e8be834df1881c
SHA1 69560c24876b1907762dcd2e96c6aa94d82b8329
SHA256 f5fd420b26110c888877748b6bb13339fc7c320dde830f3ede6d457ef8f48d8e
SHA512 b9e1faeac16095f85888ccf0af6560cf9e0135bc40ddd6efc37020c45a5870b9f1d06098663ed4145528c53567e1c53baeecf652e96d4226638b8abb042b6ee0

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 08:32

Reported

2024-01-30 08:34

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f7894d5f57875aac520d9601f29693.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qzenv = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\iDoJf\\SystemSettingsRemoveDevice.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\WvpJnY8zA\SystemSettingsRemoveDevice.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3328 wrote to memory of 1104 N/A N/A C:\Windows\system32\unregmp2.exe
PID 3328 wrote to memory of 1104 N/A N/A C:\Windows\system32\unregmp2.exe
PID 3328 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe
PID 3328 wrote to memory of 5108 N/A N/A C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe
PID 3328 wrote to memory of 5016 N/A N/A C:\Windows\system32\SystemSettingsRemoveDevice.exe
PID 3328 wrote to memory of 5016 N/A N/A C:\Windows\system32\SystemSettingsRemoveDevice.exe
PID 3328 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\WvpJnY8zA\SystemSettingsRemoveDevice.exe
PID 3328 wrote to memory of 2608 N/A N/A C:\Users\Admin\AppData\Local\WvpJnY8zA\SystemSettingsRemoveDevice.exe
PID 3328 wrote to memory of 4896 N/A N/A C:\Windows\system32\omadmclient.exe
PID 3328 wrote to memory of 4896 N/A N/A C:\Windows\system32\omadmclient.exe
PID 3328 wrote to memory of 3364 N/A N/A C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe
PID 3328 wrote to memory of 3364 N/A N/A C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\81f7894d5f57875aac520d9601f29693.dll,#1

C:\Windows\system32\SystemSettingsRemoveDevice.exe

C:\Windows\system32\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe

C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe

C:\Windows\system32\unregmp2.exe

C:\Windows\system32\unregmp2.exe

C:\Users\Admin\AppData\Local\WvpJnY8zA\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\WvpJnY8zA\SystemSettingsRemoveDevice.exe

C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe

C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe

C:\Windows\system32\omadmclient.exe

C:\Windows\system32\omadmclient.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

memory/1136-1-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/1136-0-0x0000021A9AB20000-0x0000021A9AB27000-memory.dmp

memory/3328-5-0x00007FFF7792A000-0x00007FFF7792B000-memory.dmp

memory/3328-4-0x00000000015B0000-0x00000000015B1000-memory.dmp

memory/1136-8-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-7-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-10-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-11-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-15-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-16-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-17-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-14-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-21-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-20-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-25-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-27-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-26-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-24-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-28-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-29-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-30-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-33-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-34-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-35-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-36-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-32-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-31-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-38-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-37-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-39-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-41-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-40-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-23-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-42-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-22-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-43-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-19-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-44-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-46-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-47-0x00000000012F0000-0x00000000012F7000-memory.dmp

memory/3328-54-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-45-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-18-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-13-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-12-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-9-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-66-0x0000000140000000-0x00000001401B9000-memory.dmp

C:\Users\Admin\AppData\Local\VdD28pZRG\VERSION.dll

MD5 08d08b3234f0495bcc9e0a437dcb570f
SHA1 c590778300e7212b4ffc50f15695129d5ef3fce8
SHA256 6332745a8bffe8defb44b9984a304ebc01759ed53de857fa00c31bd651e91c41
SHA512 989ea470fa75f0ba0d8478d66f2235a51d7c2a39d65a87acebd12485722ad16d7d95aede765d4d15fa5cda08e69160c3a03bbd934ec3753f9180f16d0121b52f

memory/5108-76-0x0000015CA9890000-0x0000015CA9897000-memory.dmp

memory/5108-81-0x0000000140000000-0x00000001401BA000-memory.dmp

memory/5108-75-0x0000000140000000-0x00000001401BA000-memory.dmp

C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe

MD5 d10c86d5ab418e44caf08959c5be8a65
SHA1 7465d53bcc1133ffc56863e328da4b6a0bf7af8f
SHA256 a3278c54361b3657a6f936cbd1a0f55380c8ac74a2965d1b742b89dcbd88a704
SHA512 9df5764f0b00f05c786c340cd060d899b2381ee0a67ff4185473ffad303b417d870c9fe405c343f85fed23a51846790436ff4242a434e6d80b9880d2b262ebc4

C:\Users\Admin\AppData\Local\VdD28pZRG\VERSION.dll

MD5 797bef31f72031a86ab349a594b18098
SHA1 8858975c3d4e52b219fdedb46e53d440b0cecbcc
SHA256 efbeee090286a8f3ad7bc706078de7e096c59df5d19a95b6f25395dd3329c377
SHA512 5c26d10e8a4f45c60323ecb7f20c6f8d903e82bc6367de548967b5e3181f56541bc11a5fc3b0998d78364896dc6820ffee7b73b0650cc696530e114f41f357e4

C:\Users\Admin\AppData\Local\VdD28pZRG\unregmp2.exe

MD5 d0a1b8450f44d0cb58d5bf46c7cc92ee
SHA1 3da138ca0431109eaade623728b4b9549124f11a
SHA256 cf6408b3cf8df4f85cc22d81cc479908f2836100155a52eb42b52eb5cc3ab731
SHA512 3f1321e711a87c0e97ea7855567312cd2c0f85696b7d8f4fd1e5d6417a43961f817f991026ff47e667dfee3888fb9f60f382a9e1968294251e38a17e96467160

memory/3328-64-0x0000000140000000-0x00000001401B9000-memory.dmp

memory/3328-55-0x00007FFF78A80000-0x00007FFF78A90000-memory.dmp

C:\Users\Admin\AppData\Local\WvpJnY8zA\DUI70.dll

MD5 f010b10b1bd8748909c7961f43389ca7
SHA1 8276ab24607f93368f014564894ae2a4bd70f22d
SHA256 776b92945b6b1c241dc8e397d7a88089aa8db6732c93f18433f7620831b3fcbc
SHA512 70f2e9101a48b6fc7d25d908dbff71cbee75dc65b3434bfe273deaafadc8c4256d41a64766b3ea15d75808c099017e4897a1352d1480aa78d89711b9b3062140

memory/2608-93-0x0000000140000000-0x00000001401FF000-memory.dmp

memory/2608-92-0x00000273F0D10000-0x00000273F0D17000-memory.dmp

C:\Users\Admin\AppData\Local\WvpJnY8zA\DUI70.dll

MD5 400a4ee39f99640d6d419ee4e59a98cd
SHA1 3d9f0d64a67e95b3edd3f650ab79188c068c1265
SHA256 57cc9b75c19dbb579ebffac6061020e55e50ca6a5042ab60dff144365aeea37a
SHA512 a457156b7e30d428cf7fe0110f5ffa9afa6302087ae7effe92bb72d08d0f5448c035eca68144f0954b20d68c6181744b899390e71d75378b7b0c038c3e5ead9b

C:\Users\Admin\AppData\Local\WvpJnY8zA\SystemSettingsRemoveDevice.exe

MD5 7853f1c933690bb7c53c67151cbddeb0
SHA1 d47a1ad0ccba4c988c8ffc5cbf9636fd4f4fa6e6
SHA256 9500731b2a3442f11dfd08a8adfe027e7f32ef5834c628eed4b78be74168470d
SHA512 831993d610539d44422d769de6561a4622e1b9cb3d73253774b6cecabf57654a74cd88b4ebe20921585ea96d977225b9501f02a0f6a1fc7d2cad6824fd539304

C:\Users\Admin\AppData\Local\m4fl\XmlLite.dll

MD5 ba1cec90191f1a8b20da53334d5bfa20
SHA1 bfb1fb6c9d3b3641fcf5cb4c6961bbbc5f350aec
SHA256 a26eb2a5904e92846aa6d12e863ea5f1885e91d824ec83aeb30b77de38a25e94
SHA512 25e548f04f164a3237a62c02c9b6680282806a7372cca234fe8ed4a751cd0fc20ccea37b824ea87344c7e5f8ad28b22cf94ecf38ba9d6fd2bbf6b77b4c23ca89

memory/3364-114-0x0000014B242D0000-0x0000014B242D7000-memory.dmp

C:\Users\Admin\AppData\Local\m4fl\XmlLite.dll

MD5 9cf34faa56f6605fe3767f11e10c1a06
SHA1 90a85049292d5700fdec001babc5afab6b2d8122
SHA256 2fd0053e925ca9ed1ebff358cb5fdec870fcb1f414578d538f198e7d0693f7e2
SHA512 a36545482bdc1383ed5e5d176cd1319a7eb333b12baadfe78a6687acfdc84c563fdae57b4f4fb981741df44bb3b55268137d003191ddba8784f8d8131dfa9f63

C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe

MD5 1ef83946bcd8823a19ddf7b4cddcd7fc
SHA1 b57863d45d32d4cc7ba6d2dce4a78b48da202fd3
SHA256 a3110dc6b6cd638d0c3c0d3d224db085528118001a9a54f9e8d9698d2dd7fd83
SHA512 f19ac7071961bb940c74efb3641e463a8870ec07e09e110cdab2f7487718b2629d997e838a0b2214136e1a0695319ffc80baeb2346f6f8f2efd8115bcb569593

C:\Users\Admin\AppData\Local\m4fl\XmlLite.dll

MD5 ff3f8a929746a725cf85b1d510a1e1f4
SHA1 3eceab234664a92ae6e98cc5a706e39f1de40bb8
SHA256 6e6a004023f2f84d5def2aab053ae7f4566a01e2a5a7570c0d10d62c672e1f47
SHA512 488581ace358ad8bf428f4fe2dfecf0aa3542ba797a4a1f8b7f0c0b838e486c547c912474547a791c388292b9a9d892055b0b70dfbe9959fcbf59a0e9cfff56b

C:\Users\Admin\AppData\Local\m4fl\XmlLite.dll

MD5 fb7d33ee4a20af72ecc6ea965678535d
SHA1 36db5d468f20aac8d632a7fa9751b23a627423aa
SHA256 d5830d02ee4316c47d52bd1823ddebc2b7cfecb381777eebd738d9ccb8800490
SHA512 cea51d60109dee14d05cc258e7876c08caeb415939dcbbbc2930cf7979678f3d88bde8ce876ddf76c08a5c3f630bc8e60c000e7569189fa21632f78f311409db

C:\Users\Admin\AppData\Local\m4fl\omadmclient.exe

MD5 ddd43e4cd14f00464bcccac07377ef3d
SHA1 23fa6a289c4a0cf8bb86d80a99d86a3f19d4e83a
SHA256 f9d707e837f90b461347b1b47536c2cd9fff57df93857b40db6fafb4d9995d4a
SHA512 6b75f579e52488d4e4f5feb40c43bfab4b23bfdc004ee6cf22eb938519e4d29205ffe968698b0147368fb92855b6c7128dbb12063ec638c0b686e23fbcf069b1

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Iydemppuyghrhln.lnk

MD5 a7169a125d656f9894788e516f65b449
SHA1 5aeffdc0bf69cce74c6780d70c90fe30a026194c
SHA256 4d9e9ab009c8cd607ecdddbece2b262ac261d5a3f3680c05574440152ecb0611
SHA512 b74662d1b3dbb54520a775fb28aee9f235ffca65916614cd05c028afe59c92c21d931e1eb7457c053619af607a46e7071110bcd9f7e9bc537ff464ba6799a397

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\9wDq\VERSION.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\iDoJf\DUI70.dll

MD5 6037a7e861928571deaac5a97714c20f
SHA1 80e54e1d63ee2386ccb09aa5d4e1ab6926c928ee
SHA256 60aec2c5caf467cff223fb899a84104ffd8fcf503e0aad95cf660db5f1148c07
SHA512 0b4701b9d14b4a0cd08f0436bfb6514dc8ad6c74b1d9eff0acc29d2c07beced4f524414ce775bc1c3ed3bb29f6cb26749aaf20bfdf24a6db496099a82b8ca0e4

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\G89CEFtxeqh\XmlLite.dll

MD5 b03fe2b4fc5b44f3a712195fe25d01fa
SHA1 eebba9382e9acfd1aec05a75791d33c0249ee960
SHA256 2395e6cfba5ee8f2383907e8cc1a6db701e0005f11ae22029e24a77cd69b5c8c
SHA512 86129b92d8192646065ff95086adca22fc9d4772fb5982b2db0800f345dcf60f9868966ee8c9f449383e652d1af75aefe6528a9199f6275e725796a0e277a950