Analysis Overview
SHA256
b656eba38e60d3e5cf61d0f7ee76348ec9053509d5c3fe2c3256eee34993cccd
Threat Level: Known bad
The file 8460ca6c008df062af50bb935cad86e0 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-31 12:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-31 12:09
Reported
2024-01-31 12:12
Platform
win7-20231215-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\00G\wisptis.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\00G\wisptis.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\FLASHP~1\\NATIVE~1\\0IDhvPYU\\SYSTEM~1.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\00G\wisptis.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8460ca6c008df062af50bb935cad86e0.dll,#1
C:\Windows\system32\wisptis.exe
C:\Windows\system32\wisptis.exe
C:\Users\Admin\AppData\Local\00G\wisptis.exe
C:\Users\Admin\AppData\Local\00G\wisptis.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe
C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Windows\system32\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe
C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe
Network
Files
memory/2432-0-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/2432-1-0x0000000000110000-0x0000000000117000-memory.dmp
memory/1140-4-0x00000000775C6000-0x00000000775C7000-memory.dmp
memory/1140-5-0x00000000025B0000-0x00000000025B1000-memory.dmp
memory/2432-8-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-12-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-17-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-19-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-23-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-27-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-29-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-32-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-37-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-40-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-43-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-42-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-47-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-51-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-55-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-59-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-62-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-63-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-64-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-65-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-61-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-68-0x0000000002590000-0x0000000002597000-memory.dmp
memory/1140-60-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-58-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-57-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-76-0x00000000776D1000-0x00000000776D2000-memory.dmp
memory/1140-77-0x0000000077830000-0x0000000077832000-memory.dmp
memory/1140-56-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-54-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-53-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-52-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-50-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-49-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-48-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-46-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-45-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-44-0x0000000140000000-0x00000001402A8000-memory.dmp
\Users\Admin\AppData\Local\00G\HID.DLL
| MD5 | 0a306a5bcedc17525347bd2a170d4f37 |
| SHA1 | 647af58acab81025b36285d1f40f8df24f8ece40 |
| SHA256 | 36d9c4371e952086d3872ce5817cb92e06a9bd5e5a2b75575c0da84f9d16ccc8 |
| SHA512 | f259063384c8af2d3c76f42428208356c4fae21867619e2add82f3154825f2557afee5f27d52daf70058f6c8a0c05c1140fe7ff2899700b3f4a25972057f4526 |
C:\Users\Admin\AppData\Local\00G\HID.DLL
| MD5 | 1d1082f9e179e26536acd46f78daf515 |
| SHA1 | 2d794d1781716c7f2a0f0d74ec22233fc3d21454 |
| SHA256 | 2ad22fe2deca594a536fe4a10779123b7d237345aeddb8ccf707548e9320ae2a |
| SHA512 | 2f8f603381de007d1b3afdb33c09065d6e202534e65f49e6f7866c4baf6aa700adee89a9861dee6e207032c0afbe00cbcab4f97718488a568ef2a48eafb78a14 |
C:\Users\Admin\AppData\Local\00G\wisptis.exe
| MD5 | a4a7499a782ed6585f6b8d88ef42f93a |
| SHA1 | ed874b807a1567fdd84c8439a81f1df8498fa457 |
| SHA256 | a7761b3944193dfcbf9a27e4225087ff189ac6e2819fa701ce3dc0e279224b77 |
| SHA512 | c39444fa58e3fac433e5e1aea708a7ea44ff7488e9a2aff921a7734e32b711877ff6df414fecf26dc5abaa0cf83feaafed5c5bc7151dc09f8831454d6094fa66 |
memory/2892-105-0x0000000000390000-0x0000000000397000-memory.dmp
\Users\Admin\AppData\Local\00G\wisptis.exe
| MD5 | d6fe05dda45418b5b681df7792b3d3ca |
| SHA1 | 4af7831b5b645bf823acfa8c2cfe77f7062c9d2a |
| SHA256 | 132de2b1e63cdae8a88e129fb3c6cd25f2dbb51ec7330980241fa501c10ba9be |
| SHA512 | 0ba8f2d0cfb737e2a2b40ec9b9f4bb0ef5c974e161e527001300b021d9d9c6dc1f4e318530066c0d086390c09fb3d5a8b625a8b19b1ab897c93de63fdee81c21 |
memory/1140-41-0x0000000140000000-0x00000001402A8000-memory.dmp
C:\Users\Admin\AppData\Local\00G\wisptis.exe
| MD5 | 4f659d88e39bc08110095506488088d4 |
| SHA1 | 5d2637ad1d2dde6eb374db3299cc3128600eba82 |
| SHA256 | ed2e0b51d4ab8a0de43b7fd2a8bca70fc739ad0bbadfb721493012d5b8ae0080 |
| SHA512 | 73a091ce1ac346148962f0ab6abfe8963b2421ee6e48ae4fada4133427d12d9f0860ef9c71b1fd2403c456fac74fbc433d21b53d579608e52ca17f077de7c266 |
memory/1140-39-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-38-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-36-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-35-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-34-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-33-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-31-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-30-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-28-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-26-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-25-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-24-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-22-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-21-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-20-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-18-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-16-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-15-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-14-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-13-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-11-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-10-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-9-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/1140-7-0x0000000140000000-0x00000001402A8000-memory.dmp
\Users\Admin\AppData\Local\SEIo\SYSDM.CPL
| MD5 | 4afa442a4eacae826d79d85a2a103eda |
| SHA1 | df8ce952520743e13624d1759e3ca99522dabe0a |
| SHA256 | d1d3395d55ca00943b75c913589697c7a1f4fd4cadcbe2664c10c9d1eaa9ea25 |
| SHA512 | c933a6142866a34d9706ca1947af5a598cbf99af1c58d3ef68cdcf79a45df885d547b9cd31e8284e16cc3cb3aaff17b2a5a13a2df343da2f9b92a044273c8d8c |
memory/320-125-0x0000000000100000-0x0000000000107000-memory.dmp
C:\Users\Admin\AppData\Local\SEIo\SYSDM.CPL
| MD5 | 970258414dc9dd3543aee1aba6d6ebbd |
| SHA1 | d4cdef0bd8d5b41485dbdeb61248fb3d80959c22 |
| SHA256 | 5e3dda87c45a978c961a489b5b6932864dbba50afe717676f2d1ed2c1133c00c |
| SHA512 | 29fa03815342f399d7c6b42fb3caac04870d52bbb67f15ac377355c1f9775aff5b70b328f3fa477dcce95ce6492df04ce8565b02b94f0a2a912ec7626c61e488 |
C:\Users\Admin\AppData\Local\SEIo\SystemPropertiesComputerName.exe
| MD5 | bd889683916aa93e84e1a75802918acf |
| SHA1 | 5ee66571359178613a4256a7470c2c3e6dd93cfa |
| SHA256 | 0e22894595891a9ff9706e03b3db31a751541c4a773f82420fce57237d6c47cf |
| SHA512 | 9d76de848b319f44657fb7fbe5a3b927774ae999362ff811a199002ffa77ad9e1638a65a271388e605ab5e5a7cb6ce5aa7fcabc3ed583ade00eaa4c265552026 |
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SystemPropertiesComputerName.exe
| MD5 | 4805483cbda964b5055efb4537c1fd83 |
| SHA1 | 1e022ef80d4c09ccf971a5968464942e5ad61783 |
| SHA256 | 6fb20773446a91f1a767372edd428fdf6df1ee04be6fc81aa90b093bfa0e86a2 |
| SHA512 | ee03ece32fa0f26a2fbb010655ae46bda04087d65dfb853c1eb40912796ef746e1e029aaf0e851d1373883e0166e605ccfe10cec232b4c4fdcd9bd90facc79f3 |
\Users\Admin\AppData\Local\rnik5\SYSDM.CPL
| MD5 | 22d243a413e70a0fbd0bd4fd2d065dbd |
| SHA1 | f1ef6a70f503cfc3415b1b241517727388ffb5f9 |
| SHA256 | 115fa91ef2a73a845900503da4ee5a7b6dd90b0bacfe66d8d34e85c6645a1910 |
| SHA512 | ead88e96f838b128b1d18b9594fe96a857ba9bdfd640855ca3f956e183b72edae2e5e7782dbe35bdec913b469864ecc31d323254716c94ee5275905d8bdffc58 |
memory/2800-143-0x0000000000290000-0x0000000000297000-memory.dmp
C:\Users\Admin\AppData\Local\rnik5\SYSDM.CPL
| MD5 | fd811adff43f700f6c62ed939c72ed15 |
| SHA1 | 8180b5e3bbdd98e7ce32d4bbeff3fb1f415841fa |
| SHA256 | 5bf649678686fe161f8159db7758309f1b9085e3d52304457b205cdee7ec0aba |
| SHA512 | a2cdd64e32f70014e408810248544fba0273d2d769e859e9ae13c29c664d12135b7037debbd0a765448dbf28d3f69d45ec8c15d834447a4ec572e3c919c2ac3e |
C:\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe
| MD5 | 05138d8f952d3fff1362f7c50158bc38 |
| SHA1 | 780bc59fcddf06a7494d09771b8340acffdcc720 |
| SHA256 | 753a43d8aa74341d06582bd6b3784dc5f8c6f46174c2a306cf284de238a9c6bd |
| SHA512 | 27fa8c0af3d01f0816852d04693087f3c25d1307d8857a7ea75b0bb3e0ac927d262f5ac5a335afee150142fa3187354d33ebbcf6c3cd5cc33cb4e6cd00c50255 |
\Users\Admin\AppData\Local\rnik5\SystemPropertiesProtection.exe
| MD5 | 2759d5e8fb493711b86225cd139aaeaf |
| SHA1 | 6fd55f11b6b2520e240c99e7ba4c5b7ef855b36f |
| SHA256 | cab43db2ab832822925b527ebd49e7e82111c677255d5df1e453494314725a23 |
| SHA512 | 7861868eef60ebc026d1c7cf8025ea0b7b8572211aac78df8bd7baf3740d43ee20a51dcce28589851e629e8da107573b8b73b418e7b52d9326f00756bfaf1adc |
memory/1140-161-0x00000000775C6000-0x00000000775C7000-memory.dmp
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk
| MD5 | bdbc3979dc1de247aa85858567f0f97f |
| SHA1 | b9c578eb9239f1543cd61c87b0a1af0b3c795525 |
| SHA256 | e084fa9c1082bc1aea625a7f5e44d869ccff3e385d18b52fdf4ddcbab897dcf8 |
| SHA512 | 971d5fdf442cdfe5f8bcd4e09285d6af9ba4f5790cc37c88a74bf6a14a0b1cf20a24e30ee065e8ce058ee630b664f4b300e9b0ea2b1a43dda610627733ba3705 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\jenIBBC2Gy\HID.DLL
| MD5 | 7db8b11e35aa3bd8ed0fd87bd63ab6da |
| SHA1 | 3b47ff073d8a33685e6a6a073636c7ff85e899a2 |
| SHA256 | 42e3352a84cf2b3ce9890dd3aafd6419e9e74e4c9d30ffa56c6d066b0a333781 |
| SHA512 | bc10d28de92ba904b5e4cded3e6f889df108a6095ac521f82741bd75c96f31ec682f1ba5e7e6e65ed17199216e447115d0bee11544c412f2e68f09661c5c38e2 |
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache\0IDhvPYU\SYSDM.CPL
| MD5 | 013d892b2972e197f166a8691af49d79 |
| SHA1 | c8174ce30cb793308893bfc099271dfdc95b730d |
| SHA256 | 28b52aee18388bacf4280054cca4d83d51f3fbd686f30394286932572c02909c |
| SHA512 | 97cf0b4db6cd31321c463de8bae9ca69f20c351f1d7224c2fd0d7c36870bb816a758501009b31b61cba99d7500cfac87b7dcf3f05be20668ab115a116343dac3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\uC\SYSDM.CPL
| MD5 | 1b1be9c45a0ba03c80b2a26c57a3c410 |
| SHA1 | cf5695f5b59bfd887c99b59c770b3788f90abcf2 |
| SHA256 | 8b11107701bb271586109bf2d62f076208adb6a21e6ce2846bec1b2223fcb542 |
| SHA512 | a383d51f25456d672e6bbfc1211a3405e292ab12a85e2699573714981ac8f2e56b1cfab1fa0e1b632cb4c634b5bc177be1d2b644a591ce596bcbc37b6b7b7baa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-31 12:09
Reported
2024-01-31 12:12
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Dridex
Dridex Shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hcbfaqn = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\HliaK1KxLc\\DWWIN.EXE" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3344 wrote to memory of 3036 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 3344 wrote to memory of 3036 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 3344 wrote to memory of 3852 | N/A | N/A | C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe |
| PID 3344 wrote to memory of 3852 | N/A | N/A | C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe |
| PID 3344 wrote to memory of 3584 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 3344 wrote to memory of 3584 | N/A | N/A | C:\Windows\system32\DWWIN.EXE |
| PID 3344 wrote to memory of 3728 | N/A | N/A | C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE |
| PID 3344 wrote to memory of 3728 | N/A | N/A | C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE |
| PID 3344 wrote to memory of 2316 | N/A | N/A | C:\Windows\system32\rdpinit.exe |
| PID 3344 wrote to memory of 2316 | N/A | N/A | C:\Windows\system32\rdpinit.exe |
| PID 3344 wrote to memory of 1776 | N/A | N/A | C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe |
| PID 3344 wrote to memory of 1776 | N/A | N/A | C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8460ca6c008df062af50bb935cad86e0.dll,#1
C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe
C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe
C:\Windows\system32\DWWIN.EXE
C:\Windows\system32\DWWIN.EXE
C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE
C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE
C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe
C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
memory/3252-0-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3252-1-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3252-3-0x000001B6FDC50000-0x000001B6FDC57000-memory.dmp
memory/3344-5-0x0000000000B60000-0x0000000000B61000-memory.dmp
memory/3252-9-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-7-0x00007FFACB12A000-0x00007FFACB12B000-memory.dmp
memory/3344-8-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-10-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-12-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-11-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-13-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-14-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-15-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-16-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-17-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-18-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-19-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-20-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-21-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-22-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-23-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-24-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-26-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-25-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-27-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-28-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-29-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-30-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-31-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-32-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-33-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-35-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-34-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-37-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-39-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-38-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-36-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-40-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-43-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-42-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-44-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-46-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-47-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-45-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-41-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-48-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-49-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-50-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-51-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-53-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-54-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-56-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-55-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-52-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-57-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-58-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-59-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-61-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-60-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-62-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-66-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-64-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-65-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-63-0x0000000140000000-0x00000001402A8000-memory.dmp
memory/3344-69-0x0000000000B20000-0x0000000000B27000-memory.dmp
memory/3344-77-0x00007FFACBE60000-0x00007FFACBE70000-memory.dmp
C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe
| MD5 | cb37a40b2ac07e3dd2a8aa26824b9bcb |
| SHA1 | ec98fb90ca897bc7f02e772c38545673da3af525 |
| SHA256 | 8da28b2e62e464ff697b8063ffcce3222a15536de99de2f30b48ff10fea2916d |
| SHA512 | 68567d1e7f891894a646bc9ec1f091e27a15c3b7d063711cea22a3e9c7064b0b5b77ecdbb3f7ce9ff4dc37f9ed297928df527edd4299af3223ad80199e8bfe35 |
C:\Users\Admin\AppData\Local\8WDc\WINSTA.dll
| MD5 | 0db629ff51f6b29a540419f15d0463ef |
| SHA1 | cda2e6c24856293b9e3d282115004cde0ceb39c3 |
| SHA256 | ef139179e68155572a71976b580eac530c5bf3fd1bec18e3f2613b8cda7ce07a |
| SHA512 | 571aeb83df72958d78a58b6d1f27bdb78ec1eb04cd200f837967ab78e6a2482909fcaaf9fda76cc8a0bbd6f6ad3890f32f5f553a3490cfe28e01ba1a80c1f7f0 |
memory/3852-98-0x0000000140000000-0x00000001402AA000-memory.dmp
memory/3852-105-0x0000000140000000-0x00000001402AA000-memory.dmp
memory/3852-101-0x0000020C5A880000-0x0000020C5A887000-memory.dmp
C:\Users\Admin\AppData\Local\8WDc\WINSTA.dll
| MD5 | bebfb94035272a21a3ba28763cd024c9 |
| SHA1 | 3fd59d52c33a6cb392411ddb1af8fbc0537aecb3 |
| SHA256 | ec306971b953fe7f0b53528991f9183f8e2ce0bcadb03ea36609aba501e1937e |
| SHA512 | 689df3977476e9f589971bf648dae72821f8aaacd506a26c0986186295d59ca8edac59e7766bbffe87b425fb71c442ea5393881351ddec74669afc6f9401011b |
C:\Users\Admin\AppData\Local\8WDc\rdpshell.exe
| MD5 | f8f15bf82b501fc5413dca96a5f5ac70 |
| SHA1 | 831cfa1414a14ec005a9fb123fd40cfdb8b6ddad |
| SHA256 | 6688a6d6d130a6f8ecbe07d654cca2921cb24f01320e92a8ce801b27f992250e |
| SHA512 | cfc53925f7bad418cbb44a40ad0eec7119d9f2732b3a25d6b9ec57883d8cc23557647b9c5b3d0297413e22268972436868668b7a609e87128a0a70d304580e74 |
C:\Users\Admin\AppData\Local\hxE\VERSION.dll
| MD5 | 39f00bc67d94f532383ede7117a127ed |
| SHA1 | 001ce32beb24cc7dc6c92187582d92e3cf5c118c |
| SHA256 | 70cbaa79fb603c3522529597473ffa333f1d308d44fbcce11f257348f5032a49 |
| SHA512 | 2eb7d9b3133666a97a1aab61b388e94616f3a5ef8a1bbf9d0ab01598db6eca722dbc08060c9cb1587819be8d17925e28e169ce2525c666f5ebb3adeb1a2c56f3 |
C:\Users\Admin\AppData\Local\hxE\VERSION.dll
| MD5 | 32df6889d05ee3c0c8c926e3e4e3cab1 |
| SHA1 | 46ce2d92a58b499113b4689c608999bff0e4e009 |
| SHA256 | 63b83e1a99e7be60f5090351615b655cf53799cdba8a0252517273c3a32f87ab |
| SHA512 | 709c2ed0d279761ea48b970d8d481410d834b60db698dd23bf0edca8ca9237d3550654c5d6003e545e7900814746db416bf6db740d9c501b3fb651d1764b26f7 |
memory/3728-117-0x0000000140000000-0x00000001402A9000-memory.dmp
memory/3728-119-0x00000257F5FB0000-0x00000257F5FB7000-memory.dmp
C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE
| MD5 | 834be95372b0aebc0393ef7cc6e198f8 |
| SHA1 | 13831b3999fa5473f687e751ce5d729e6c06922c |
| SHA256 | 63311b274be14a353cb0e935954cabbbcc4b4742748d97bd0b85ab50f39dbd86 |
| SHA512 | 9ba9abadb89cf5c419f1290a402a710cb3f13aea7bbe40127313342cd0a94d702f9a1cd662dffaecad19cd0a082f3913c8c78e729f731142421221c572e18a29 |
memory/3728-124-0x0000000140000000-0x00000001402A9000-memory.dmp
C:\Users\Admin\AppData\Local\hxE\DWWIN.EXE
| MD5 | 635b6a05d5f9f72f0e9b7d8a45b704c9 |
| SHA1 | 0c9783c7ff8715668806e6ba4538eeca823ed40f |
| SHA256 | 651066e7bfe7dcfe60feb60def1b1986fd3f6b012f9cff3e74111dde6c29a23f |
| SHA512 | b9a9ceba97a9c393a444cae1c6ce96fd6aea17d37eb33e33152d171dccc25a899f11c512f752378a15a724180eaa86bfaeb4e21e6608463c25e94aba7f29595f |
C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe
| MD5 | 34832c2d300b89e20757c1939c3ebab4 |
| SHA1 | ac0a96a0d5217fefb4cbce1f56870115cd7ab8ba |
| SHA256 | b5e53d261f029f8dd4d00c2ecf2c4d8eda722dd9fdda8e27f8e9704fade583e5 |
| SHA512 | b23673020505189dc5594975f6abbb2ee408d486c261afc3ce8e913e3f484ad65037ff12b8a6b6841391de15e6cafa25efeb088fd03090d3f52ba50653638162 |
C:\Users\Admin\AppData\Local\F1m9fi\WINSTA.dll
| MD5 | 7bcbaf864e9eacc88e4d541d17ef22e7 |
| SHA1 | 1666efa591fb88ba3af27dcef88bd8215debb634 |
| SHA256 | 15a71ebdb7b0d59c91b60d227b04d98168be51b2293168414895db79041c2887 |
| SHA512 | 7d61325d1da78195ebec621e38dd4d2ff69f459a4c6dde0a0757c2767c8a1c389cc51410af01b13a145d5b6c718bc04fd2de3d7b747cb4afeda6efc2d428224f |
memory/1776-137-0x000001DACB140000-0x000001DACB147000-memory.dmp
memory/1776-135-0x0000000140000000-0x00000001402AA000-memory.dmp
memory/1776-143-0x0000000140000000-0x00000001402AA000-memory.dmp
C:\Users\Admin\AppData\Local\F1m9fi\rdpinit.exe
| MD5 | 186826c42b6f0d65daae6f003b79890c |
| SHA1 | f68d4cfbd936c8bd9f80c59df34607ea55446605 |
| SHA256 | 58679986da41f6a5466832365b0d76d2641bf4ad7cf5e40a8eb7e959065294ff |
| SHA512 | 77e18941bbd2132e824a4ddd117c541aae2fa7179b528fa47db4b717e00c8b5ed02d199786a09458d71868f21062af005110061dc384f032f813fc39686cbd35 |
C:\Users\Admin\AppData\Local\F1m9fi\WINSTA.dll
| MD5 | c17db059e439fb3b0da6ecc6c9c030a6 |
| SHA1 | b7dab8c100da81729b423dcf90c31e735b35b518 |
| SHA256 | 5d74000b954645e577a89a8b067416924d01ef96d7c37a80f7ff52dd690d4468 |
| SHA512 | 04fb12a75e73ca421b1e8b2a32738179f8450c520065239a54fe9b679d59f689a66ea5faffdfa9b455dc1f27de16d0363d8f0eb528943ca4f8a02b1b6a1516b7 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gvhynkxuzozqjys.lnk
| MD5 | 585090cd6fa8e9b1d0fa5fbd47a64dd7 |
| SHA1 | 49a0610b7a2508c37b3edf8507fb17a97037e04d |
| SHA256 | f481f461a7d5839cc56f7900cbd01bbe930a551d77576c98d9747aa8b3e2c81b |
| SHA512 | da5662505d6d6bab34abc4ebff998e1f734088f5437e089c8ce3dc9ae2db5a56a0956b1532c9dd7c329d7e44dc7ebcd7ef105456b71a5e8be9620ce602ffc05e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\men\WINSTA.dll
| MD5 | ee77f57fd4540d4bcbfb721f3ee5fc58 |
| SHA1 | 2abd50088ea29c58ce762918ca603f174d36aeab |
| SHA256 | 6687b4e2fa0b43f96bce1944404c469630c1b5edc927656b5d7911fe3f2371ba |
| SHA512 | df1a1c4e6dcf45dd5fa121c649b481a6c328e7f64ef2386fd726ad4cb0b8482869e9e0392170778fff0e7f7a5dfb8606e181f96a871d6d2e8d73e82933c0ad7e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\HliaK1KxLc\VERSION.dll
| MD5 | ff15024e50290f1b8461e6439d97fde8 |
| SHA1 | 83dbeb0f7be1d6be3428dc9ecd6824c95d35d968 |
| SHA256 | aa0fe4b6df92813a8c569a4e6890e0e7656ff6d2aa935f336092db92dc09c73b |
| SHA512 | 71657c013814d27b62a4b5bc80e01a5acd5375024510ff7b3105075159f744126a5d18dcdf44e6e08642a672d1adba479c809ff88e366f500c7ee903cd22946c |
C:\Users\Admin\AppData\Roaming\Mozilla\SQ\WINSTA.dll
| MD5 | 0c7249515aaa01e6931f9cc374452752 |
| SHA1 | c8b7779e3a96d51def81445e2599b52ebf83ee1a |
| SHA256 | 5a96efb4d92ceff6db68dc2eef9abd852baf9753ceaab3b72ed9b171cd520dee |
| SHA512 | 6acfffcca0bf7bd11dde93834f1df75cbd0180d6136d1358e598c1613748f6afd077dbbdcda9c2942833376792b9c7ac1f29327919dbdcc389222f559bb0f775 |