Malware Analysis Report

2024-11-13 16:41

Sample ID 240131-e99awabgc7
Target 837792f925aca842eba981ebc7aff9a1
SHA256 3806ec3c6ae591fb47c6b48f5dbfaf45d7500d6efb12c07311ecdc5e9c9d514d
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3806ec3c6ae591fb47c6b48f5dbfaf45d7500d6efb12c07311ecdc5e9c9d514d

Threat Level: Known bad

The file 837792f925aca842eba981ebc7aff9a1 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-31 04:39

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 04:39

Reported

2024-01-31 04:42

Platform

win7-20231215-en

Max time kernel

150s

Max time network

117s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bsfvntd = "C:\\Users\\Admin\\AppData\\Roaming\\Identities\\{4C0CEA03-C988-4067-9D42-5D4466084111}\\rgxk6\\rstrui.exe" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | N/A | N/A (61 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1192 wrote to memory of 2672 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe
PID 1192 wrote to memory of 2672 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe
PID 1192 wrote to memory of 2672 | N/A | N/A | C:\Windows\system32\rdrleakdiag.exe
PID 1192 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe
PID 1192 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe
PID 1192 wrote to memory of 2016 | N/A | N/A | C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe
PID 1192 wrote to memory of 3068 | N/A | N/A | C:\Windows\system32\rstrui.exe
PID 1192 wrote to memory of 3068 | N/A | N/A | C:\Windows\system32\rstrui.exe
PID 1192 wrote to memory of 3068 | N/A | N/A | C:\Windows\system32\rstrui.exe
PID 1192 wrote to memory of 3064 | N/A | N/A | C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
PID 1192 wrote to memory of 3064 | N/A | N/A | C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
PID 1192 wrote to memory of 3064 | N/A | N/A | C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe
PID 1192 wrote to memory of 1324 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe
PID 1192 wrote to memory of 1324 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe
PID 1192 wrote to memory of 1324 | N/A | N/A | C:\Windows\system32\RDVGHelper.exe
PID 1192 wrote to memory of 1964 | N/A | N/A | C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe
PID 1192 wrote to memory of 1964 | N/A | N/A | C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe
PID 1192 wrote to memory of 1964 | N/A | N/A | C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll

C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe

C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe

C:\Windows\system32\rdrleakdiag.exe

C:\Windows\system32\rdrleakdiag.exe

C:\Windows\system32\rstrui.exe

C:\Windows\system32\rstrui.exe

C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe

C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe

C:\Windows\system32\RDVGHelper.exe

C:\Windows\system32\RDVGHelper.exe

C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe

C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe

Network

N/A

Files

memory/2356-0-0x0000000140000000-0x0000000140232000-memory.dmp

memory/2356-1-0x0000000000120000-0x0000000000127000-memory.dmp

memory/1192-4-0x0000000077816000-0x0000000077817000-memory.dmp

memory/1192-5-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/1192-10-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-16-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-25-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-29-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-33-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-36-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-40-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-46-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-48-0x0000000002600000-0x0000000002607000-memory.dmp

memory/1192-47-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-55-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-45-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-44-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-56-0x0000000077921000-0x0000000077922000-memory.dmp

memory/1192-57-0x0000000077A80000-0x0000000077A82000-memory.dmp

memory/1192-43-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-42-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-41-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-39-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-66-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-38-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-37-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-35-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-72-0x0000000140000000-0x0000000140232000-memory.dmp

C:\Users\Admin\AppData\Local\yPjURgvo6\rdrleakdiag.exe

MD5 5e058566af53848541fa23fba4bb5b81
SHA1 769ce3bfc45e4d56ed01dbeeeca7be22f9b9eed6
SHA256 ae83b050fa722da7e4b19fc3d534f0126b1ec055643bb1f267b85b55160f4409
SHA512 352029cf0af7583a4c525cfd1da7467446bac410a885b2768d8052f39577ccce85b21d5bd946be6bf8341e7308c8e4f645e4d79232b93aaf6a92d6cd55f598d0

\Users\Admin\AppData\Local\yPjURgvo6\wer.dll

MD5 55b0050601f5e48c71ef3ccc9000d7e4
SHA1 7d468eb2a47ef93550512e4aee6886fa85bd8132
SHA256 263c52c98c6e717607226bfb14339a21fd59c516b93d0a26c8add64c99302c4d
SHA512 bb95138798343abefa6d6deb0403b7e6079f705a91b443828ab6857c31c631afb6d0d32a231e923960f6d19055bd84947fd104eed5e91239e47b2c48427a3243

memory/2016-86-0x0000000000110000-0x0000000000117000-memory.dmp

C:\Users\Admin\AppData\Local\yPjURgvo6\wer.dll

MD5 2686c9396a088eea4b32aa99962b1e1b
SHA1 638c3b7ed5684850f4addb2135de6b1a0a463b89
SHA256 cf2ae1d19d6aba263670301bba650a3388293a946e9a58bc147383d5cdfdac44
SHA512 5125607cfa4672218964ba9662b3d11c929aafca92b3187e058eeaf06ff619aefa414132ebd8e6f496f808f855fdb05853df1129bfd93ee59ebf7a898beb00a1

memory/1192-34-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-32-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-31-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-30-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-28-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-27-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-26-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-24-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-23-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-22-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-21-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-20-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-19-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-18-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-17-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-15-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-14-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-13-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-12-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-11-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-9-0x0000000140000000-0x0000000140232000-memory.dmp

memory/2356-8-0x0000000140000000-0x0000000140232000-memory.dmp

memory/1192-7-0x0000000140000000-0x0000000140232000-memory.dmp

\Users\Admin\AppData\Local\8a8gkC\SPP.dll

MD5 9e561f93c460125756daa7c9deb8c9e7
SHA1 d5d011008ce9da528b916743de29fb773cbc146f
SHA256 d278861ba638523ef5e56cf3737d16fc930ce920f439ca8ca81143667629433f
SHA512 6e8324203c5a816e4131b3f1421ea8e1626ac510c7ce772eeda01e7122b4fa7d555cbe8658c10e63b1cb65660e9f8cb6541c9b91e4bd7480de70c1b71a2dd68f

memory/3064-102-0x0000000000180000-0x0000000000187000-memory.dmp

C:\Users\Admin\AppData\Local\8a8gkC\SPP.dll

MD5 42d899924a17323b75cda36df53d4dfc
SHA1 a06a41885a9a5b5307a4e3ea4ee78e0832bf5582
SHA256 4d49673083ef17dcc4fdaa0b640e46fa88146e66a83b4b3446a4f36be32e93ab
SHA512 e51c7252131618a84932dda59a69e62cc2b81fb749a94003cc847976bcb4a29175635e311e48fae6d2d9babae3fb7763fafc17ea2bedf85213bb235407342715

C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe

MD5 1c1c92ef23e19b28f74e05ca617c83d2
SHA1 ff03ffef96bb5bf7b84a9cc4bceea19e7b3dcca3
SHA256 2f34c4041e2e2a9573fbf8b5295475a79361421bc0bcf1454d73df975fd6dc35
SHA512 1bfc5f3c6698ebaa55ccf1a0db7f3c07bcef39f9296f8e57c0b6893195593c605a597a46b1d325674650394265ebd5aa20ce30bc49205d866d090cd18ecf9fbe

\Users\Admin\AppData\Local\8a8gkC\rstrui.exe

MD5 a16075a2e705d64dd3d545f6d0551a59
SHA1 ee4783e097bd1a2514655641deddcd175d444504
SHA256 1eac6f17f0e2390869e3ab3497b8263b58b8f3ad1ec473fd1a6b9d18a860b0ef
SHA512 b1a8a75bc280bd38446aa2605c0a0272d05bb0e7c22523b36cefae00cca98bc22ba01366217900c0b8f8b4dcb9bceb09f71064707a3eac892b02d0b1556e807d

C:\Users\Admin\AppData\Local\8a8gkC\rstrui.exe

MD5 88eb800b34f2965fb1df4cb085f2da45
SHA1 c067887129f61141843ac71e3737bd013b3956d6
SHA256 5dc34600ea837e257e8ea75ade466b6258fa2c408768edee83fa588ed4770f5e
SHA512 cc889953b6d9a038891a95679585dd4be1ff9d293a6a540eb77281eb3c07165d45c6ff30893fd5020a955862785c2c2c812f2c2b6f3290540807e0952606d572

\Users\Admin\AppData\Local\dfCDb\dwmapi.dll

MD5 488228ac5bdc124ad457ae32bf412f5b
SHA1 36feb33fb14cb1a47369d289050275b3ef2ed234
SHA256 bfcfc9953d1026bd1d7930601e98786039318f6050596b3e225a114c9daf79a3
SHA512 a404903074de56bc40b25ef296f15e3b49726632c4cda1f6db9b07abfaf88f40c03e22e81a2a7696b71b467cf7773f3372d2a9b8217a47c24efe89df06ca6db5

memory/1964-125-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\dfCDb\dwmapi.dll

MD5 006181c98ffbc7ed2d934bf50261d91b
SHA1 e7d2acbca480a9fb47e077dc61a9fc00a4d70331
SHA256 36aca031bdc1e1788a9cd83f3ea5ec4701e030ce362e036fe2f62c259d4944ca
SHA512 ffe8dfab5a449fc926bb503c6c44bc7abb73567cc6903f032d872d7a7967bb01fd021173473b99b2fa41dd138fe0895a9ff06f7a72476f1967c4178f9fb8e36d

C:\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe

MD5 8c88510b28fe119238eef0a004ec439a
SHA1 2f32df5e48de99babd13c83be9e5a56c13917268
SHA256 eee46a51c223a0d3b82662e1260d196a55160d6895166f541e9348554c8198db
SHA512 4fb3e4b23e6c4ce61e26014f4c2f66dbee345ab7db9959bd4b75eb717bea59b85940c775a3e4aeb8a571437fbd0fdfc551927597977a9b25446bd2eeb5b0cd50

\Users\Admin\AppData\Local\dfCDb\RDVGHelper.exe

MD5 53fda4af81e7c4895357a50e848b7cfe
SHA1 01fb2d0210f1c47aaf684e31a9fb78f89bba9c0f
SHA256 62ab8c2c5b5bd84fd07e96b6a3b87a4ea56946107ed9b7f8076580ae1fefd038
SHA512 dbbda90a57d27160c5a3a5e4e94cfc43b1663fcbfe424fdec851e52356f61492bdcf677c46be8aa4e8ccc8be7c389b6aa7bbbce8447e1fae32f03e5e409f4051

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\s6Y\RDVGHelper.exe

MD5 5b5434ab98c4f17f0b2dfdb09bbc91aa
SHA1 a117d43262a7bb84c96de5fc2bc91b2b41f3052e
SHA256 7bead478f9498447c09499abf4efaa8f66db1a51ab92c5a9d2bed7640b045e06
SHA512 9c6af6232df433ca023d8c82355fbb3689d6c0970ec53073ee3a7d85dd6bf31ed5e7f4a2403a94b3676ea0bb10d94b40df36221170fdd8af6147ddf420c9fb91

memory/1192-144-0x0000000077816000-0x0000000077817000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Cuhrqknkppepky.lnk

MD5 ef3f2daa69b28e0b0899db4634cde7b6
SHA1 f36d2d417a463e60dbfab41c7e79717fbe185b06
SHA256 7a00961f23a759984f1a9fee4392381ab5ae54fe055dd568e3348026113069ca
SHA512 4ef8eedbea537f0b41b04eaf45c106be915a5398ddd93dcc5c05703e91cc492ea47065a7ecc5878200470e4b2b7166b47a82f10ed954d2a4d5b59ad1cbda95fc

C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\AssetCache\H07\wer.dll

MD5 8f1a0a7921b468e13a5dca68f85853d3
SHA1 ca217f92ea3e19997da953b1cedc110b708e8b6e
SHA256 39cc768724dd38096e1d32dc01d138df6dfecbb017c2f24089a478191a6f1232
SHA512 803a031d984200e06683f76bbf374365561d085685b2f527ea13e12640a48ba17b9e2eb6e0aa5690ab3cf929bab8e264a9c2ac48ae2da006871fa2332b5b344e

C:\Users\Admin\AppData\Roaming\Identities\{4C0CEA03-C988-4067-9D42-5D4466084111}\rgxk6\SPP.dll

MD5 31b8815efeae55cd850c1016d46c2b03
SHA1 bc81712cab24ac15cabc5a185deb1e93dbcc2cf3
SHA256 7daa06831fc98560f8945f156c49652be554b9caf1861693560d255ad87e9503
SHA512 97148967cfc57d686affc5511a8764f30fe7ba904f665322fe79a7e60564696f12562ff5acd7ec7d80eec6e3a5b60a31e9af6eed5b1871df9397a17bfb642ac7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\s6Y\dwmapi.dll

MD5 1f26c5135ed449ef1af1a05b8a9999e4
SHA1 4de81a0cb9ff22195aecfd700eb45383398c4dcc
SHA256 e5aec39fa5f0ec235db7c635ffe40aabf0655232fbbf9f3717969bba7b364fbd
SHA512 02f7f0aa9d77a9877eb4950b99973310c25ed158736115520fe80f5876cb2c0a8ec9184a03ce18fe534555b82d47486385d19f9dfe0f63561ea4e466e69c9ad2

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 04:39

Reported

2024-01-31 04:42

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

148s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ADMINI~1\\H9db\\MUSNOT~1.EXE" | N/A | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A
N/A | N/A | N/A | N/A (60 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3480 wrote to memory of 656 | N/A | N/A | C:\Windows\system32\quickassist.exe
PID 3480 wrote to memory of 656 | N/A | N/A | C:\Windows\system32\quickassist.exe
PID 3480 wrote to memory of 4832 | N/A | N/A | C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe
PID 3480 wrote to memory of 4832 | N/A | N/A | C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe
PID 3480 wrote to memory of 4224 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe
PID 3480 wrote to memory of 4224 | N/A | N/A | C:\Windows\system32\MusNotificationUx.exe
PID 3480 wrote to memory of 4408 | N/A | N/A | C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe
PID 3480 wrote to memory of 4408 | N/A | N/A | C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe
PID 3480 wrote to memory of 2316 | N/A | N/A | C:\Windows\system32\isoburn.exe
PID 3480 wrote to memory of 2316 | N/A | N/A | C:\Windows\system32\isoburn.exe
PID 3480 wrote to memory of 1008 | N/A | N/A | C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe
PID 3480 wrote to memory of 1008 | N/A | N/A | C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\837792f925aca842eba981ebc7aff9a1.dll

C:\Windows\system32\quickassist.exe

C:\Windows\system32\quickassist.exe

C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe

C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Windows\system32\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe

C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe

C:\Windows\system32\isoburn.exe

C:\Windows\system32\isoburn.exe

C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe

C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 20.231.121.79:80 |  | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp

Files

memory/3904-0-0x0000000000810000-0x0000000000817000-memory.dmp

memory/3904-1-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-4-0x0000000001350000-0x0000000001351000-memory.dmp

memory/3480-6-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3904-7-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-9-0x00007FFE914BA000-0x00007FFE914BB000-memory.dmp

memory/3480-8-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-10-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-11-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-12-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-13-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-14-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-15-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-16-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-18-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-19-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-20-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-17-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-22-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-23-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-24-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-25-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-26-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-21-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-27-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-28-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-29-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-30-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-33-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-32-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-31-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-34-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-35-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-36-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-37-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-38-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-39-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-40-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-41-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-42-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-43-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-44-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-45-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-46-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-48-0x0000000001310000-0x0000000001317000-memory.dmp

memory/3480-47-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-55-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-58-0x00007FFE93140000-0x00007FFE93150000-memory.dmp

memory/3480-65-0x0000000140000000-0x0000000140232000-memory.dmp

memory/3480-67-0x0000000140000000-0x0000000140232000-memory.dmp

C:\Users\Admin\AppData\Local\4cnzpoY\quickassist.exe

MD5 d1216f9b9a64fd943539cc2b0ddfa439
SHA1 6fad9aeb7780bdfd88a9a5a73b35b3e843605e6c
SHA256 c1e8fda00da574e8759ba262d76b6edc1d5f4a80620730ef0be7527e0d803db2
SHA512 c5fd7d81d1d478056fcbed0ba887ce551832f0104e7c31753c3c8760b4d63f38324f74e996684042acc8f9682fce8a8c85172741a868257e87d5e0f988c4e567

C:\Users\Admin\AppData\Local\4cnzpoY\UxTheme.dll

MD5 ed5bf30ce05e3cff7854bf9ffaca08f5
SHA1 f5daaa1b33a039c224500c083bf8146eba59e97d
SHA256 d42eb85ce48c35c3da642ea90ca87df59c7986ce45c09c475303af8d9ed0a11f
SHA512 ff75b84b15328b5f5eb693c3fb0e75d673096701584aeb024f7302d2c02c675a97259911d92c5f0b3a0d2b0a16a14fb2c65261928402e41b0ebbe8502716f05c

memory/4832-77-0x00000253A2F40000-0x00000253A2F47000-memory.dmp

memory/4832-76-0x0000000140000000-0x0000000140233000-memory.dmp

memory/4832-82-0x0000000140000000-0x0000000140233000-memory.dmp

C:\Users\Admin\AppData\Local\3J8wl4c\MusNotificationUx.exe

MD5 869a214114a81712199f3de5d69d9aad
SHA1 be973e4188eff0d53fdf0e9360106e8ad946d89f
SHA256 405c2df9a36d7cfb5c8382c96f04792eb88c11a6cfa36b1d2ec3e0bec8d17361
SHA512 befcdeb8de6e68b9ee0bacd4cbc80f7393a0213d4039b239c98585e0cd5db1755c75559a62372374cbfb7132b6a7973ea9e6a31952e0e0ba007079c56e6d9012

C:\Users\Admin\AppData\Local\3J8wl4c\XmlLite.dll

MD5 dd3443ca746d2de4ad3fb6c39214650b
SHA1 b09b644b86a0ab18eaaaf942fdcb8b3f159baac5
SHA256 98cfdffaf902883364b3a625be4506ff6256507583b02fba5fc03071b775f517
SHA512 6830ea76c35d5ccacc7de010244be71c8c76cea870ddb15990b036d9fb1b980d5ab719e331e2512faeacdde30868b4e44f88c47b4c6ecadc3a38f98b4c618c4e

memory/4408-93-0x00000280567B0000-0x00000280567B7000-memory.dmp

C:\Users\Admin\AppData\Local\3ZobJ\isoburn.exe

MD5 68078583d028a4873399ae7f25f64bad
SHA1 a3c928fe57856a10aed7fee17670627fe663e6fe
SHA256 9478c095afe212bce91d2de1a3c3647109f2d54e46b9bf70843e839324458567
SHA512 25503a47c53fe83eeb56726b5a5eec5cb01bc783e866306f92242a7a8cbafa20a3209217e0f4561febfec78d2f64f1725727a6b2d3ee6da512618984d0bb0bc1

C:\Users\Admin\AppData\Local\3ZobJ\UxTheme.dll

MD5 eb00165aadcb47d6bee4a5d9dc587744
SHA1 3691011d5cb6bddc6f9a7f4d2e274b30fcb829ad
SHA256 86f8d6993e9a48698cd8cc161b443172a2ed10aef2608b0f1ccdf53f2c18f544
SHA512 c3699499943108e72e10f021b289c2d20d411c88f7ddfad4d01a2d85f8cc507c2cc914d1e28a761174cb0b34c57bbf958f2e1438c2c55d1d20732cdcf19194bc

memory/1008-111-0x0000026180B40000-0x0000026180B47000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk

MD5 f1f71ccfe60d089abd759eb656643c89
SHA1 fb2aeecbf68609fa06fd80c529b72003d7a4a798
SHA256 74005608bb7afc7bbdd14824ea760fd2282855943f740147c3b1263a8332fb9e
SHA512 ee55544874138a3ff3a5b594d2ab3f639b730b87eab4ffa61412ffea2ef5f0a61576b09173eb5fdd4f29f488e45c17cfcbee4a4cc719bd485685dda77c188d4f