Analysis Overview
SHA256
35a57a2f4ae0a954f51d0b5da7bbebd60fbd047b7d9dc92da62bc442eb26429e
Threat Level: Known bad
The file 868df0fad643001bb45bb8b38cfd7ec2 was found to be: Known bad.
Malicious Activity Summary
Dridex
Dridex Shellcode
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-01 09:36
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-01 09:36
Reported
2024-02-01 09:38
Platform
win7-20231129-en
Max time kernel
150s
Max time network
120s
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IECompatUACache\\Low\\HOK47D\\DisplaySwitch.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\868df0fad643001bb45bb8b38cfd7ec2.dll,#1
C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Windows\system32\WindowsAnytimeUpgradeResults.exe
C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe
C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
Network
Files
C:\Users\Admin\AppData\Local\DnWGgH\WINBRAND.dll
| MD5 | d031fb5ee9e6951cf6fb11c4a6ebc4cd |
| SHA1 | be7f43f92221007444aad5f894f96557d7a6b12f |
| SHA256 | fbf80714def3f7a4c667a096130dc3b67be07467b64c6defae6bf259d3faa6ed |
| SHA512 | 0c9b394b00d37ec535fdcd4571d3cf495ef480b9e8497a0d904aef44033fe0f80d18b19a551dc436cf8b742c84028c5f48dd6b92a3be35aa8db499d4f3557e0d |
\Users\Admin\AppData\Local\DnWGgH\WINBRAND.dll
| MD5 | 75a1ff996cd67c62aa82e7819f163764 |
| SHA1 | a07c0a8f60fb1c622e0a1c37afd0cd2bbaa20744 |
| SHA256 | 00431b028d95739d1d3a870caed364954a3c2e9510e5f970c238ca0c5435fbc0 |
| SHA512 | a0ee062da0ad521d331043b5576ab9c934f41af778c5e5e56df0380f8904a480c11517fcfc16883c7022a32e61229187caa844af50e90350114506b6bbb30492 |
C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
| MD5 | 20e60cf11b90f4eddeaa366bc24c5bb2 |
| SHA1 | 37da21e9a1869a702f9d236ec0050891b5ce4607 |
| SHA256 | 1a62a3ada4bf83fd8ecfab574f6682ef772188e58f48dbedcffd339deb3cf1b6 |
| SHA512 | 977cf46bf206da5ec0e5907e20f9a676579b6d60c1ea78599b261a64eb34d7ce5f85c21e1de730fe878b144b4b69ba951e24a65b302bb950bb1807ae35880156 |
\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
| MD5 | bf51290cf3b61042e2a96f7b7d1eb155 |
| SHA1 | ee6101dbe9e0c85bb93cb33bbdcdadfef1fcf0d7 |
| SHA256 | 96c3e3ecf3e7486401b24d94d4a17bcf0176edf0d4e218feebb8d9f02e3e93b2 |
| SHA512 | 1d963b9e9d5caf39f9521d85f6f698dcb2bcb05987e1047b565d0208070aed898386747d2e97d6d17579fdf01167c94268974e44f073ad869a0693519227cfed |
C:\Users\Admin\AppData\Local\DnWGgH\WindowsAnytimeUpgradeResults.exe
| MD5 | 8cd690b45937427b6b5e21e3061d28d4 |
| SHA1 | c12c6d1bbac7cb6e4cef50b7168c4d8dccaa47d6 |
| SHA256 | 2cb91010998e51e0b3ca08e0a5d1af6c2ad89063d5ac801f6bdca7d899af13f2 |
| SHA512 | e2290f7c1627db80547b9f125e676e8210d4853af854dff7cdf3dd2dec494cdba9ebad0c57e46ce07a21db6dccec13d4ce26ca666171365521d56edbfbca2d64 |
C:\Users\Admin\AppData\Local\3clGYl7X\slc.dll
| MD5 | 8e62a307c83a9543e0de744ffc9d6cbb |
| SHA1 | 8f40e09cc77aa1f315d564d28d7de94726c1ac6b |
| SHA256 | 89e90fe75ec609307e90cf5fe46ee639debaa63eb7c7d87ff020e4cbd4f13cd8 |
| SHA512 | 6be59f59bb7c4987127f00273c253d8bf28ecd1833a726ba8b67112692e922a1c8824005bc278b858b912320f71eef97368dcc2627986184de5206303ffd7ecb |
\Users\Admin\AppData\Local\3clGYl7X\slc.dll
| MD5 | cbf66a15bf1039503d092dab1abe0436 |
| SHA1 | 2135fce96d3457c3f5ccd8a8c751a495a8a0812e |
| SHA256 | 55a462acb269a02eb025be05554f45eb3786fb2d472d1eba48ecbd457f22fa23 |
| SHA512 | c5d720e96146da21f2f9aebab16270cbe6bf91106b1397fbe099f69d195d5308d505d43372cde538a533734934670b2ec4dfa521ce765bace211852e764b889b |
C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
| MD5 | 11d86d4d7425ce220c022e156507c25b |
| SHA1 | 7296aa31ca9beaece281167122f9b82de8fcb1e1 |
| SHA256 | 2d8eb9cf23785f90a89aadefa0eb480131dad0ff1eebf0ea0dc7072394bfda86 |
| SHA512 | 77657cab66ea5c2bf798106937b3827fe8335793e35f85cb2249747cbc5c3a29f33ac798c9c34f0e25695b0110a81b11cdbf52b618c40c8ffb06f678330e8642 |
\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
| MD5 | 045640cfa4317b88c65a3cea3e99f6fd |
| SHA1 | f547e40c04f14c2dc8ca88ddfda28cc4c8c311a3 |
| SHA256 | b7f132285b26f6df1909087002eaef7bceab5cb9ed7f15c71d1e7e7138d1f195 |
| SHA512 | 943bf7a1544f5a353cf34cc59981f85aa43f83ab4a378d7cebd563f873a0224fbf83619bd871ceb21dd0cb71f12972c22fb84186ad8a9c313b8d3d5d3b57fd00 |
C:\Users\Admin\AppData\Local\3clGYl7X\DisplaySwitch.exe
| MD5 | 5ed2103185309b94fc0c2b8692fb3997 |
| SHA1 | e9c026891eafb9b0a54cf761be52204e19b38e1e |
| SHA256 | 7d83d1c9b2092945fd7308eb921a14bfb796b827e937a7035ad674ff5728f81d |
| SHA512 | 74421cf4afd8f84516d8045765b04638831b7a5759da5d500fc6d8927962eb323c5f929fb74ef1ab01e439398b4af84a7c8da77b75679f33d1276e45fd4899ca |
\Users\Admin\AppData\Local\4Jv\appwiz.cpl
| MD5 | ce267730c6482a667bb3f97d425ff622 |
| SHA1 | 710a5896e652ed9d30e443a82213effc5af076cf |
| SHA256 | 5afe4d86a3f60b4055de742ce5181f060ed59f531c66c68e3bbcddf19d2dfe39 |
| SHA512 | 0104d59fce5c525c9af9e71bd23b430850113f5278cf50abec955e180cd93e87784107f5caf5cadf90a2c562c06334620234f769de655541e21d925dba4bc98f |
C:\Users\Admin\AppData\Local\4Jv\appwiz.cpl
| MD5 | 060ac1669a10ea750aa266ca5e8ef86d |
| SHA1 | da5c83b212cadecf28c9c7125038a60ad933f477 |
| SHA256 | 64a292109bfad018e355c5ada730843949d4bb0f6f579506cf0565bf57a33159 |
| SHA512 | 18a2d2a1bf0800a8be8116466052d9d1985dda9db4d98c1a1ec7640485961a1b5ac11a1ecba6df660b60a9d5647898558b80a523d79da1b73cff68fc09036a69 |
C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe
| MD5 | 86bd981f55341273753ac42ea200a81e |
| SHA1 | 14fe410efc9aeb0a905b984ac27719ff0dd10ea7 |
| SHA256 | 40b194be2bad2d3d4d1b69f9aec2853c8b663130810a11607ff72a9e3a06d5b3 |
| SHA512 | 49bb6d4bf7a9356fadde7f6165af6973630827d28b69db10ad477a84d98b08fb82e4daae777166e1ddddb5b5efcdf634e4e9bd34b255dae87462ba32e8bba143 |
C:\Users\Admin\AppData\Local\4Jv\ComputerDefaults.exe
| MD5 | 0551023b51f71ddc980c910e15fa3dd4 |
| SHA1 | cbe88079c8f42d18104c5f3d312211a77548ea89 |
| SHA256 | d86fb375b7ba52974d9f2eb5f09e97736b21ee1ad9b451b03fecff10192e60ae |
| SHA512 | 8ff4725b169ed6691f2411d5a4727e2e9d1c8d6e53a2dcd0378080a846440c174075af8e0db55a1857e461a014b2a38e2734468ba0479feb19132552b9400882 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk
| MD5 | 4848138dc93e8a65814b698ca8322627 |
| SHA1 | ba9b30bc23971429c41aca93746c7d315ec1336e |
| SHA256 | 933b6805327a91455086f0ef4d51782e0aef403bddae3a51b80da245f6684101 |
| SHA512 | 0ee3e0d9bcb14c19068312f1c2d41eda2545b2c04e48b81cc0810fe2585185decc0bb18d0d78538c7f4eb753a95523c9ac6f3ad8a6d196aa6b0efd1e6c8637d7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\JY0lT\WINBRAND.dll
| MD5 | da15cc19cd66cdbc39614d0294bd6c4c |
| SHA1 | bce06039a7e8ea875f9e09a30d12b5baa295dc1a |
| SHA256 | 34002f55b3d769f153aba81be2584823e9fac91c3692fc6bfe64db7bc347e9ed |
| SHA512 | 900313e7fb8a6d2650e1f4f0e07ea4a61b7d784ca7835f2b13a92295bae96422c09333861c69f8f74301fb25c41911ee1120a688309f43c3bffc026db0c53d6e |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low\HOK47D\slc.dll
| MD5 | bb3a50cca8d525bf8a7420b7240669c5 |
| SHA1 | f44e505e03dfc014a62bb97cd5d9cf2d61856c3b |
| SHA256 | a6244fae4fecbc7532efdf4037d839cc624b04ff4768215cc6077c09bb97587c |
| SHA512 | 7a88d00b17a40a246ea2266653e9b948065696fd07cd199712480847f4175007b0b32b0aceca671c2ad706103a6228c1655361ae239f8e52a967e73213933bb5 |
C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\nBfA\appwiz.cpl
| MD5 | 682e1fea84d3fc6e0090791254ecb398 |
| SHA1 | 02364698c4255b98bc75645f9c02d377fb9b967d |
| SHA256 | 30ac1676610e66e167b2b8e41397a20945c974c075869c790989b8e218fc7a76 |
| SHA512 | 3d292073f35070622d24d346fffbb6d8753495369c5a080c40853e5642ba60da65e247bb47c4306313e698eb550a22de72fb6c43f2c25a07f68c68f3b10ba04c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-01 09:36
Reported
2024-02-01 09:38
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
150s
Signatures
Dridex
Dridex Shellcode
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\3lgk\wermgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\3lgk\wermgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mmiwstgfcubwacq = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\0gF4kz\\rdpshell.exe" | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\system32\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\3lgk\wermgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3408 wrote to memory of 3444 | N/A | N/A | C:\Windows\system32\wermgr.exe |
| PID 3408 wrote to memory of 3444 | N/A | N/A | C:\Windows\system32\wermgr.exe |
| PID 3408 wrote to memory of 4692 | N/A | N/A | C:\Users\Admin\AppData\Local\3lgk\wermgr.exe |
| PID 3408 wrote to memory of 4692 | N/A | N/A | C:\Users\Admin\AppData\Local\3lgk\wermgr.exe |
| PID 3408 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 3408 wrote to memory of 2812 | N/A | N/A | C:\Windows\system32\rdpshell.exe |
| PID 3408 wrote to memory of 1616 | N/A | N/A | C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe |
| PID 3408 wrote to memory of 1616 | N/A | N/A | C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe |
| PID 3408 wrote to memory of 2120 | N/A | N/A | C:\Windows\system32\CameraSettingsUIHost.exe |
| PID 3408 wrote to memory of 2120 | N/A | N/A | C:\Windows\system32\CameraSettingsUIHost.exe |
| PID 3408 wrote to memory of 1400 | N/A | N/A | C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe |
| PID 3408 wrote to memory of 1400 | N/A | N/A | C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\868df0fad643001bb45bb8b38cfd7ec2.dll,#1
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\rdpshell.exe
C:\Windows\system32\rdpshell.exe
C:\Windows\system32\CameraSettingsUIHost.exe
C:\Windows\system32\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe
C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe
C:\Users\Admin\AppData\Local\3lgk\wermgr.exe
C:\Users\Admin\AppData\Local\3lgk\wermgr.exe
C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe
C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\3lgk\wer.dll
| MD5 | d80f79e5b1eac19dac428df5da4210d9 |
| SHA1 | 037a777c7482c40a5d29d12640a24e33509bc1f1 |
| SHA256 | 29b44bfc8ad46b3d6c2583e5be8b043a199b1abce5709ca69c941cfe12e953a1 |
| SHA512 | da06bfda132c5c411054cc6ea8bac1737c97030fc882b8d56501fa8379d780c11b52981eb040305a082421805eb0eda50828eaf46b824d90010077ebcf74c8f8 |
C:\Users\Admin\AppData\Local\3lgk\wermgr.exe
| MD5 | d3963f52f8c0abf67f229bfa8ad0d73a |
| SHA1 | c9f90ebbc9b6f4b34f823378bfe4e1108a3be92a |
| SHA256 | b5764e757f94aaabb0fa958c1358eed33d6fd81a593b04c64f82b3273a3f883d |
| SHA512 | 6c2c470cc190f31d76e22440c47ff104430cc4f06d8a2acd990c8e7ae9a09fe8e9fcd2ff2ae5cdf7e3c4c940e8abb5a6f3cf555575f4fe3b231eb83a9fb1769a |
C:\Users\Admin\AppData\Local\3lgk\wer.dll
| MD5 | cc85ca465742d3255e9990b59cb10b69 |
| SHA1 | 7f7b8c2cdea5d9ac2736ee597a1f713519bd062d |
| SHA256 | 8fe06c39c610a82619a9bba3c09f83ed764839676d7aec90f0e2ffd783b983b9 |
| SHA512 | ab0a47c0c424c2bc605d1ee5098ea9a814fe10e94aba6ed4868d423536abf654474f54077086df86eff4c979ecf28c3ea8c0391c7661b0b2c999dfa8495c5b28 |
C:\Users\Admin\AppData\Local\T0A7R1we\WTSAPI32.dll
| MD5 | 5edba5994b49f14fc6bef0b74c71d7ef |
| SHA1 | f37177cd4e721b829df67d7a8fbdb3a04babff92 |
| SHA256 | f8427baaf2480c1d44768c31771b2aa13636470a6fd99092bec0e14a0e3a1c2b |
| SHA512 | cd4089e2b37bc3487a17147c502db752c33e0c88f92d18a625b32e656b697d027c73fe211a0c87d6f0ed02c19698ec6623dd98fd1ba849217576b06fc127565f |
C:\Users\Admin\AppData\Local\T0A7R1we\WTSAPI32.dll
| MD5 | fcdc3243d4476c7ee5aca417c7a87bb5 |
| SHA1 | 545e885c5e33e2f4fd852e233a27c7a1cb12954d |
| SHA256 | b306b19e0d60bba3342cfdc210c54115a9fa73f041e8be989cf5a7ba2f966b35 |
| SHA512 | 83c159d436462d050458df052b1b3da4401904a92498bd0d8d8aec6471e0ff2237780ea69302fc0f3aad403872c247abd319f0eb844426aa0f2420dae68faf34 |
C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe
| MD5 | 5b4a14d793b24d89b0be96b5713c980d |
| SHA1 | 496fa4f9fea7479ebbfd727ea1487b5bd33bef49 |
| SHA256 | 810856a5877f380d353f595be7c653485293de01bf8987d30f13012eee7f6cd1 |
| SHA512 | fbfd6a6ae33f868304a27385bc04cef5500618e27373d8dff3e4c1fc6ff356a8c390de615888762cca8515d9488f4f1cda04f6071beb3356d28a020eed8d8fa2 |
C:\Users\Admin\AppData\Local\T0A7R1we\rdpshell.exe
| MD5 | df327a60a368d75cb46ce0ad48ea4a1e |
| SHA1 | 5bc83e186c1b87f606253431b7d8b0ae90344a76 |
| SHA256 | a250660ca0413cab558b7c1aa7f2a9304eb02ad1ec258d611ab86575e65f3052 |
| SHA512 | 6677670afdf39b632c41b760ddc5453bbbde989dccb8a31dbf315fd083f3eca177d0e4fe49fe93a6798cc7c2e290252648c74f85707bb91f6a6674fc8309bad0 |
C:\Users\Admin\AppData\Local\3lgk\wermgr.exe
| MD5 | f0290d52ed1be017930790f9dfbd4c97 |
| SHA1 | 5c960668c6b1213259736a93b24c118314bec560 |
| SHA256 | 5cbb932752f9e5624f16f2dc0f5d33487984f424f12ac0e5e87ff856505279ac |
| SHA512 | b0022e3e9056287aaa63513ed8e09d43c346ed3d511a3c1781dd8b0557cd260b9d6a3f63f7a3425129684ef8e7125d626ec523d66c3e7ac20633ec30cb86e4c7 |
C:\Users\Admin\AppData\Local\Zrkg\CameraSettingsUIHost.exe
| MD5 | 9e98636523a653c7a648f37be229cf69 |
| SHA1 | bd4da030e7cf4d55b7c644dfacd26b152e6a14c4 |
| SHA256 | 3bf20bc5a208dfa1ea26a042fd0010b1268dcfedc94ed775f11890bc1d95e717 |
| SHA512 | 41966166e2ddfe40e6f4e6da26bc490775caac9997465c6dd94ba6a664d3a797ffc2aa5684c95702e8657e5cea62a46a75aee3e7d5e07a47dcaaa5c4da565e78 |
C:\Users\Admin\AppData\Local\Zrkg\DUI70.dll
| MD5 | 791076ab34e22acbc7976f3b53caf8cc |
| SHA1 | 2d38e0fb1660143bcecc2357cfeee83399f0fe4c |
| SHA256 | b349954ab2e72b34f99db204136f30d86613655cf00fab65e02e02ac7d8ffc1d |
| SHA512 | 7965f5287f4f38aceca7608b17e49a631427e9a5492a551a2d69551fe3e14da5effcf68c526590860d03c6ce5b8e8059dd2cd0a23104f2910828233aadf5a1db |
C:\Users\Admin\AppData\Local\Zrkg\DUI70.dll
| MD5 | 1d8450348de10657d793211c01e1423b |
| SHA1 | ac1d6105eed9703da5d63ab0d4bd0a47cc545e59 |
| SHA256 | f69ca0691f6fbd8ae6d3af1f8883f24975e90e8b0806922f6665687443e52789 |
| SHA512 | e5defa660a73f893690c2b7881f0097d9302bf4d094368c32f6036898dc1e5283a9af4ecf0c4e9898ee4af991eb9c226547604d31464f1dee25564490d0ce676 |
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Ocuuy.lnk
| MD5 | 0c9e8c90bd569b766ee0d8f81bb2185c |
| SHA1 | ad568e549361f8314612597b8cbf6e4d0c03781c |
| SHA256 | 0c845afd25468e6bc6b94d32f54292b02e961efe41089ff65622763aebe2898d |
| SHA512 | d269b4c4337b298e65787d6ce286fdfb0e5035a9c22eda0c8066cc0accddc70416733be05476606abfdfef44f115eaa7185ff4f8a32c84fba938095f59ca5d22 |
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\1wd\wer.dll
| MD5 | 8283232934a41d7452eed2b88e208dbc |
| SHA1 | 23cd6227871c2191037a4953c8c15f647fef21f0 |
| SHA256 | 49a551d977cf770ad59b318394604e5d49f46af59186cb4dd4789a7bab9dbbd0 |
| SHA512 | b6ed9e07754629caa7ed31cd1f98bc1240e56df7b8ff85493969dd2fa44c500f1f8a9d8766cc170becece1defb17eb8714f7e4ffd7024f32fd51ee4db45d7976 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\0gF4kz\WTSAPI32.dll
| MD5 | 1ad6773b5d92bc290ef6a07b451ea749 |
| SHA1 | 37fa77626267b31afb7a67fecd3cda6fcaa189da |
| SHA256 | f29c80a5fa69278eb998839b4d076fceccbee186a380ff650e76e0fa38bded61 |
| SHA512 | 37cb1eb4ea06e37fa677002e275f7cd683f688bb602848974d749e88f101e7a3fcc979fa68621fe95ed5f9375efb0c937bd803e975fabcdba89cf03f5d710ad4 |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\Q20r690eNLh\DUI70.dll
| MD5 | 7d89922aa33d13c03b554e792e8fc7c6 |
| SHA1 | e8631ca5423577ab4a6767fad2f8fce33f80a771 |
| SHA256 | d12b282c79a9005a19f6eb1e613a5fd9fe36a74fb50de808f83037b97528ac55 |
| SHA512 | c9daa9e4ed099ce3893494e0e7b97e78e00e8504556c042f1623360b097628ce204b887f8210b7bc32a3e622ce71e5aecb396877507cec41ccaa50b501dd7a5d |