Malware Analysis Report

2024-11-13 16:42

Sample ID 240201-3kxsjsgfb4
Target 87f4ff988b3efc9a3e0d996f68db1be0
SHA256 a7f598f265286347b55802674110210e08986dad0a49bdd83caf30ee6d6085f0
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a7f598f265286347b55802674110210e08986dad0a49bdd83caf30ee6d6085f0

Threat Level: Known bad

The file 87f4ff988b3efc9a3e0d996f68db1be0 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2024-02-01 23:34

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 23:34

Reported

2024-02-01 23:37

Platform

win7-20231215-en

Max time kernel

150s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f4ff988b3efc9a3e0d996f68db1be0.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pfoxtyecp = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\Windows\\PRINTE~1\\UWEFXB~1\\ddodiag.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2276 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1204 wrote to memory of 2276 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1204 wrote to memory of 2276 N/A N/A C:\Windows\system32\shrpubw.exe
PID 1204 wrote to memory of 832 N/A N/A C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
PID 1204 wrote to memory of 832 N/A N/A C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
PID 1204 wrote to memory of 832 N/A N/A C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe
PID 1204 wrote to memory of 2964 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1204 wrote to memory of 2964 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1204 wrote to memory of 2964 N/A N/A C:\Windows\system32\ddodiag.exe
PID 1204 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe
PID 1204 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe
PID 1204 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe
PID 1204 wrote to memory of 2252 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1204 wrote to memory of 2252 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1204 wrote to memory of 2252 N/A N/A C:\Windows\system32\unregmp2.exe
PID 1204 wrote to memory of 292 N/A N/A C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe
PID 1204 wrote to memory of 292 N/A N/A C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe
PID 1204 wrote to memory of 292 N/A N/A C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f4ff988b3efc9a3e0d996f68db1be0.dll,#1

C:\Windows\system32\shrpubw.exe

C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe

C:\Windows\system32\ddodiag.exe

C:\Users\Admin\AppData\Local\wjfo\ddodiag.exe

C:\Windows\system32\unregmp2.exe

C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe

C:\Users\Admin\AppData\Local\9uWbol3Cc\ACLUI.dll

\Users\Admin\AppData\Local\9uWbol3Cc\ACLUI.dll

\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe

C:\Users\Admin\AppData\Local\9uWbol3Cc\shrpubw.exe

\Users\Admin\AppData\Local\wjfo\ddodiag.exe

\Users\Admin\AppData\Local\wjfo\XmlLite.dll

C:\Users\Admin\AppData\Local\wjfo\XmlLite.dll

C:\Users\Admin\AppData\Local\oVUV0nDe\slc.dll

\Users\Admin\AppData\Local\oVUV0nDe\slc.dll

C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe

\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe

C:\Users\Admin\AppData\Local\oVUV0nDe\unregmp2.exe

\Users\Admin\AppData\Roaming\Mozilla\Extensions\NpA\unregmp2.exe

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Gmfoo.lnk

C:\Users\Admin\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\6EPRn84PObd\ACLUI.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\uWefXBYPLRC\XmlLite.dll

C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\NpA\slc.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 23:34

Reported

2024-02-01 23:37

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f4ff988b3efc9a3e0d996f68db1be0.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gdfgjdhwrlpouj = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\jpAhVM\\sigverif.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\xfp\sigverif.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 4380 N/A N/A C:\Windows\system32\recdisc.exe
PID 3512 wrote to memory of 4380 N/A N/A C:\Windows\system32\recdisc.exe
PID 3512 wrote to memory of 3916 N/A N/A C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe
PID 3512 wrote to memory of 3916 N/A N/A C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe
PID 3512 wrote to memory of 2256 N/A N/A C:\Windows\system32\sigverif.exe
PID 3512 wrote to memory of 2256 N/A N/A C:\Windows\system32\sigverif.exe
PID 3512 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\xfp\sigverif.exe
PID 3512 wrote to memory of 2232 N/A N/A C:\Users\Admin\AppData\Local\xfp\sigverif.exe
PID 3512 wrote to memory of 3228 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3512 wrote to memory of 3228 N/A N/A C:\Windows\system32\RecoveryDrive.exe
PID 3512 wrote to memory of 1756 N/A N/A C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe
PID 3512 wrote to memory of 1756 N/A N/A C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\87f4ff988b3efc9a3e0d996f68db1be0.dll,#1

C:\Windows\system32\recdisc.exe

C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe

C:\Windows\system32\sigverif.exe

C:\Users\Admin\AppData\Local\xfp\sigverif.exe

C:\Windows\system32\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\LktVSnhJ\recdisc.exe

C:\Users\Admin\AppData\Local\LktVSnhJ\ReAgent.dll

C:\Users\Admin\AppData\Local\xfp\sigverif.exe

C:\Users\Admin\AppData\Local\xfp\VERSION.dll

C:\Users\Admin\AppData\Local\GxkBE1a\RecoveryDrive.exe

C:\Users\Admin\AppData\Local\GxkBE1a\UxTheme.dll

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Btpzaqnqvnv.lnk
