Malware Analysis Report

2024-11-13 16:41

Sample ID 240131-nbrgvacfgm
Target 8443322739870ab27a1db14eabc12b55
SHA256 caebc606f9cc00c645b3cc46aa6f0fc68cf20a2b832175b14965f5777b5981ca
Tags
dridex botnet evasion payload persistence trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

caebc606f9cc00c645b3cc46aa6f0fc68cf20a2b832175b14965f5777b5981ca

Threat Level: Known bad

The file 8443322739870ab27a1db14eabc12b55 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-31 11:13

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-31 11:13

Reported

2024-01-31 11:16

Platform

win7-20231215-en

Max time kernel

150s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8443322739870ab27a1db14eabc12b55.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\t7pg\mstsc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\4nxu94\perfmon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\jB5u\\perfmon.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\t7pg\mstsc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\4nxu94\perfmon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2848 N/A N/A C:\Windows\system32\mstsc.exe
PID 1208 wrote to memory of 2848 N/A N/A C:\Windows\system32\mstsc.exe
PID 1208 wrote to memory of 2848 N/A N/A C:\Windows\system32\mstsc.exe
PID 1208 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\t7pg\mstsc.exe
PID 1208 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\t7pg\mstsc.exe
PID 1208 wrote to memory of 2708 N/A N/A C:\Users\Admin\AppData\Local\t7pg\mstsc.exe
PID 1208 wrote to memory of 2608 N/A N/A C:\Windows\system32\perfmon.exe
PID 1208 wrote to memory of 2608 N/A N/A C:\Windows\system32\perfmon.exe
PID 1208 wrote to memory of 2608 N/A N/A C:\Windows\system32\perfmon.exe
PID 1208 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe
PID 1208 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe
PID 1208 wrote to memory of 2652 N/A N/A C:\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe
PID 1208 wrote to memory of 2152 N/A N/A C:\Windows\system32\perfmon.exe
PID 1208 wrote to memory of 2152 N/A N/A C:\Windows\system32\perfmon.exe
PID 1208 wrote to memory of 2152 N/A N/A C:\Windows\system32\perfmon.exe
PID 1208 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\4nxu94\perfmon.exe
PID 1208 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\4nxu94\perfmon.exe
PID 1208 wrote to memory of 2568 N/A N/A C:\Users\Admin\AppData\Local\4nxu94\perfmon.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8443322739870ab27a1db14eabc12b55.dll,#1

C:\Users\Admin\AppData\Local\t7pg\mstsc.exe

C:\Users\Admin\AppData\Local\t7pg\mstsc.exe

C:\Windows\system32\mstsc.exe

C:\Windows\system32\mstsc.exe

C:\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe

C:\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Users\Admin\AppData\Local\4nxu94\perfmon.exe

C:\Users\Admin\AppData\Local\4nxu94\perfmon.exe

C:\Windows\system32\perfmon.exe

C:\Windows\system32\perfmon.exe

Network

N/A

Files

\Users\Admin\AppData\Local\t7pg\WINMM.dll

C:\Users\Admin\AppData\Local\t7pg\WINMM.dll

C:\Users\Admin\AppData\Local\t7pg\mstsc.exe

C:\Users\Admin\AppData\Local\t7pg\mstsc.exe

\Users\Admin\AppData\Local\g9CCAoNP\Secur32.dll

C:\Users\Admin\AppData\Local\g9CCAoNP\Secur32.dll

C:\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe

C:\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe

\Users\Admin\AppData\Local\g9CCAoNP\perfmon.exe

\Users\Admin\AppData\Local\4nxu94\credui.dll

C:\Users\Admin\AppData\Local\4nxu94\credui.dll

C:\Users\Admin\AppData\Local\4nxu94\perfmon.exe

\Users\Admin\AppData\Local\4nxu94\perfmon.exe

\Users\Admin\AppData\Roaming\Microsoft\fain\perfmon.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\em02s0km\WINMM.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\jB5u\Secur32.dll

C:\Users\Admin\AppData\Roaming\Microsoft\fain\credui.dll


Analysis: behavioral2

Detonation Overview

Submitted

2024-01-31 11:13

Reported

2024-01-31 11:16

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8443322739870ab27a1db14eabc12b55.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\ACCESS~2\\MFLRTN~1\\dwm.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\htILz\dwm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3528 wrote to memory of 2612 N/A N/A C:\Windows\system32\GamePanel.exe
PID 3528 wrote to memory of 2612 N/A N/A C:\Windows\system32\GamePanel.exe
PID 3528 wrote to memory of 3620 N/A N/A C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe
PID 3528 wrote to memory of 3620 N/A N/A C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe
PID 3528 wrote to memory of 2576 N/A N/A C:\Windows\system32\dwm.exe
PID 3528 wrote to memory of 2576 N/A N/A C:\Windows\system32\dwm.exe
PID 3528 wrote to memory of 464 N/A N/A C:\Users\Admin\AppData\Local\htILz\dwm.exe
PID 3528 wrote to memory of 464 N/A N/A C:\Users\Admin\AppData\Local\htILz\dwm.exe
PID 3528 wrote to memory of 4900 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3528 wrote to memory of 4900 N/A N/A C:\Windows\system32\Taskmgr.exe
PID 3528 wrote to memory of 1736 N/A N/A C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe
PID 3528 wrote to memory of 1736 N/A N/A C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8443322739870ab27a1db14eabc12b55.dll,#1

C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe

C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Windows\system32\Taskmgr.exe

C:\Users\Admin\AppData\Local\htILz\dwm.exe

C:\Users\Admin\AppData\Local\htILz\dwm.exe

C:\Windows\system32\dwm.exe

C:\Windows\system32\dwm.exe

C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe

C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe

C:\Windows\system32\GamePanel.exe

C:\Windows\system32\GamePanel.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\7VPBQXWmA\dwmapi.dll

C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe

C:\Users\Admin\AppData\Local\7VPBQXWmA\GamePanel.exe

C:\Users\Admin\AppData\Local\htILz\dxgi.dll

C:\Users\Admin\AppData\Local\htILz\dxgi.dll

C:\Users\Admin\AppData\Local\htILz\dxgi.dll

C:\Users\Admin\AppData\Local\htILz\dxgi.dll

C:\Users\Admin\AppData\Local\OSuYS\DUser.dll

C:\Users\Admin\AppData\Local\OSuYS\DUser.dll

C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe

C:\Users\Admin\AppData\Local\OSuYS\Taskmgr.exe

C:\Users\Admin\AppData\Local\htILz\dxgi.dll

C:\Users\Admin\AppData\Local\htILz\dwm.exe

C:\Users\Admin\AppData\Local\htILz\dwm.exe

C:\Users\Admin\AppData\Local\7VPBQXWmA\dwmapi.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\MfLrTNicR\dwm.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\MV\dwmapi.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\MfLrTNicR\dxgi.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\w3cHL\DUser.dll
