Malware Analysis Report

2024-11-13 16:41

Sample ID: 240202-dpaq5segdl
Target: 88668b1d3f06f675f928f23dd79da143
SHA256: b211dfe06a94fe21d84592e03c8f26bc8529eccb6b4ee1bcc7784ffa27f1851a
Tags: dridex botnet evasion payload persistence trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 88668b1d3f06f675f928f23dd79da143 was found to be: Known bad.

Malicious Activity Summary

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Analysis: static1

Detonation Overview

Reported

2024-02-02 03:10

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 03:10

Reported

2024-02-02 03:13

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\88668b1d3f06f675f928f23dd79da143.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Kqgfxymewp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Templates\\FVo\\ddodiag.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\P2kcu\ddodiag.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 3088 N/A N/A C:\Windows\system32\ie4uinit.exe
PID 3492 wrote to memory of 3088 N/A N/A C:\Windows\system32\ie4uinit.exe
PID 3492 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe
PID 3492 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe
PID 3492 wrote to memory of 552 N/A N/A C:\Windows\system32\ddodiag.exe
PID 3492 wrote to memory of 552 N/A N/A C:\Windows\system32\ddodiag.exe
PID 3492 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\P2kcu\ddodiag.exe
PID 3492 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\P2kcu\ddodiag.exe
PID 3492 wrote to memory of 1596 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3492 wrote to memory of 1596 N/A N/A C:\Windows\system32\SystemSettingsAdminFlows.exe
PID 3492 wrote to memory of 1736 N/A N/A C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe
PID 3492 wrote to memory of 1736 N/A N/A C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\88668b1d3f06f675f928f23dd79da143.dll,#1

C:\Windows\system32\ie4uinit.exe

C:\Windows\system32\ie4uinit.exe

C:\Windows\system32\ddodiag.exe

C:\Windows\system32\ddodiag.exe

C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Windows\system32\SystemSettingsAdminFlows.exe

C:\Users\Admin\AppData\Local\P2kcu\ddodiag.exe

C:\Users\Admin\AppData\Local\P2kcu\ddodiag.exe

C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe

C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\UJb\VERSION.dll

MD5 3242e3b0dcf1406d23d0780569e8e194
SHA1 fd5e6d44651f3d8feb65dd5e040274a070964bae
SHA256 7690b1fc7cca46d615f62a8331f3bf87203de00ff28291e2f7ce1c93e12548e5
SHA512 ddd1a22775f76114d622ce4bd7c4dd5584ca9ea9f485454a3807866ed6591e2f905b5d686bcc21ba0cdede7fbf3744e8578d13eed099fd6a3337acadec1026bd

C:\Users\Admin\AppData\Local\UJb\VERSION.dll

MD5 11948bce6f29d1733ac160ec536ba999
SHA1 5f42abf57433f346a0e6039c4fa501361217b610
SHA256 ba8e335dc3acbccdcaad14d6af52ea44eba89caeb156e4eb57279133c443661b
SHA512 7d74ebd3dfa432e7acb634a60882739ef79e6a35b497198fa71879907775a5a3af20b6741efc55f3996c9b0ca4b0d0380e267d09b84776b815a8211b0322ad84

C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe

MD5 0024d8ffe842ce2d48bee896e22bdafc
SHA1 a6fa90b20123663f936d11dc9cab61fb7c846d97
SHA256 8f8a03e2f3ded5cc631c777410fd4ed6f71eae0b8e8261d04a34eefa60d8dde0
SHA512 5f622181eaec84d8bf8c1dd580cc300625ea1395997a6a69a049f1aee4a49c17b5309cf539f01da4a9148e02daedecf10b068b987a2a7f1ed72c4427e70b37a0

C:\Users\Admin\AppData\Local\UJb\VERSION.dll

MD5 4f340d6e45deac9509106cdb8648e08c
SHA1 06bbe24d8c009156649fd11edbbfdb29f06e5bb0
SHA256 e323f1d5f0226ce9546aba89a3314a1758d74bd8fec96a2135d52dde398293c7
SHA512 6ccf298c8d1114ab7b42efabb3cdfe2a72e9574039f69344410228db3f50a4e97fc33cd93a9512a6cb2a2a96fd284766db140688b4986d3bb2716c3c554ae59b

C:\Users\Admin\AppData\Local\UJb\VERSION.dll

MD5 bced4e56dcdeb16d699342d05184950d
SHA1 8f072044e2d95e54ff1f3398134c2388225440c6
SHA256 3d95f8f4743ee80315b02b7e785e75c4845f7960c442ac0bfc8cad74a81c1c4a
SHA512 c1d19da2441c2c89e1da0aa5bb4134291a3f0951e3593eff8a49529fee49298debd4d365572a2c19e56ee5ea823d6b62bf7eaf0dde048631fb0f8e84f2fbb60e

C:\Users\Admin\AppData\Local\UJb\ie4uinit.exe

MD5 a18887f7fffd958457db13671f892dba
SHA1 8da180a05e793bf0e1ab4fad417ab21bc9d6ce80
SHA256 77d81be85d71452b076bc75cbe4e5534b40a6a907cf4e4a0a92d61370550507d
SHA512 03f20ab266226241c2c05da8ace6b6dbc7993596f1788f6418aa5bc6053962f9d2c381af932aaedcd075230eff60e03d6467420b680fef34337cdbf64818291d

C:\Users\Admin\AppData\Local\P2kcu\XmlLite.dll

MD5 c60180e84c90d320b92789cc7721ca6f
SHA1 8b48683d8f97945e8e4d8e632e4c1a5878237e72
SHA256 b2d296c382b2c21074a4fbac5933f8e938171dab95d9d6ea3cd3223468622938
SHA512 a8ff5a3f201bb36530c8db76f39c9712763c2dee82725b8c6c7f5d4a4ac7f8942cd4f0885c45817a1b689fe3405e026f9775f2acdb15ef1df7f1b9d830240911

C:\Users\Admin\AppData\Local\P2kcu\ddodiag.exe

MD5 85feee634a6aee90f0108e26d3d9bc1f
SHA1 a7b1fa32fe7ed67bd51dea438f2f767e3fef0ca2
SHA256 99c63175504781e9278824d487da082da7c014e99f1024227af164986d3a27c6
SHA512 b81a3e1723a5180c5168cd7bb5181c631f4f57c59780bb82a502160b7874777f3eef1ebe1b14f66c97f9f1a4721af13b6fbcdff2045c8563c18b5d12540953ff

C:\Users\Admin\AppData\Local\dq3B\newdev.dll

MD5 e1db49e30bac0e2a5cae3a5a75ea2b9e
SHA1 51f682afc712ff979a14b37435a9eee863ecd622
SHA256 fa00abdac70735ae7c561b6e82495623a742b459cc60550211deb54e8cc09db2
SHA512 2553d7e4a6b6119d944b92da0f0071bb8b62bb28859aa0992d5857a3d0c863e43f2189033fcb0dab877b06d09cd1d6bc074ac1bafda66d33bc26cc321c1300bf

C:\Users\Admin\AppData\Local\dq3B\newdev.dll

MD5 da030710143952160134051ebf21d030
SHA1 943832ee23482f380dbe756ab23bdbd56f0d4314
SHA256 587ea16b623d56eab9f4dd2d6791e328798dd785ba50b0cca46a3b2c3a5e084b
SHA512 5f8d9a1af92246fcb03bbfe7c1b3942092c87a47fe35a71eabd7dd1edbe251f393ab9ed32e08d302222bb3e0b4a60cc21a32c7aea3e2abaf31955fe73fdb9688

C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe

MD5 6338d0099ba676651e567cbf4dcbe5b2
SHA1 eed8e56364dd48af2aaa98c4cf8509f82f138b30
SHA256 9acfd4acd9029d9cae80a3314663013f057d51d73c0dfff35efd2eab0708013a
SHA512 6866ea12aa4d7caff27fe5eac3a1c1ecde2fceff4d219224b3f75a4c193c90bfff7c9d2084ec9016d1633e766754910eccb9d810234cf460c803fd4ab43733b4

C:\Users\Admin\AppData\Local\dq3B\SystemSettingsAdminFlows.exe

MD5 7051c9fa2bea81e0ac43994d89dd35f1
SHA1 e14bc7c3d1dd9b07b217ea4d373dceae9f10bd49
SHA256 372d1dd36ef41648d8bdaf4574903a486c619d6eb7fb88ae8b2a745514789966
SHA512 267015d8ac16bdd935c709d3decbb381a02269e5ebec90a42fe5cb090542cdb2e3b7373ea655a427e4e57f81f4050a6673170fcb1bc339356463529e7632fb3c

C:\Users\Admin\AppData\Local\P2kcu\XmlLite.dll

MD5 045058ca2fcbd2ac5193fcc3f4cee300
SHA1 12e01d71004f56d9b69c2285df3a2d361ec5a742
SHA256 644260e4d16276eeecbec613b1aa99c2b2e1a36879d7434e4983cb5c4faa108f
SHA512 2e3ccdfab1ace3cbd3bfff165d30cfafde8803632c3a66681dcd8bc5775920e91d076f40e3a7f35f0aac19778d551c674c999a80bb53e4236ce97e4822abb64b

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Psfjn.lnk

MD5 1d3aea7b755de0a26b13c77da1c152ee
SHA1 549dd5c34b0bbe8c3b3771d7628eb7dc10d69b07
SHA256 401700369e6c497ead14f7494578d01797bbfaa192413cb79fca83aa90e80b06
SHA512 aead37aa352e6e5ea31d87e3bf1b1be2716a2dbe6c950e49f5ae6b899dd081e2d4b6266f833ef646134bf12dc915ee17127c738762ed357f1f626cbbb88a64f3

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\Y7w9doSN6t\VERSION.dll

MD5 1ed5b0e58fb35276efd2cb6bf1094b3a
SHA1 972665476a92ac4aefaf20d5e851a093bc29bb2d
SHA256 bbdfc4f7f9ba1572b3967ce3fec9a40e47c39b2a7a1d841c8c69ec0683638694
SHA512 c27f2836d6eff1d64319a3d4832418d4703ff62d85a7853eb244f3e21014279ade77a226701da2ff4e9d24bd9cfa110a1ff281fbb797c3f8c45f2573720b0bcf

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\FVo\XmlLite.dll

MD5 26d66919f02dff6eecf798f2db57f169
SHA1 a6f0dab7b982c3b95477c18c684392db97bca05a
SHA256 124ee406256a87370035863f524aef29781e731cf031be05baf6218ae1dc249e
SHA512 53ac54107559ba19305d94488a21d04f368f75c22327d3062710b2777eb00b134073cfba89acc892d7a5fe2e0b0551057d37204aaeaebc7563f3eb8a5f88b553

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\2rgEfa\newdev.dll

MD5 cac5da366ab74789d864bc72f8a7d72d
SHA1 d918041b4474af282d8ceceeb1c6b113fa6ba531
SHA256 ccf16b328fd8c2ce997200129fc7c24d4f5d479cab3bd7d3cf604dd534da7365
SHA512 73889ee172d28f2a1dd867af5efc00c31f5ca502da42b20ba5b4e8462cdb38c5530600bcebe52c21e07f4ad3758e1a14547a4221d4c50c99631fe1ab5dc0a884

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 03:10

Reported

2024-02-02 03:13

Platform

win7-20231129-en

Max time kernel

150s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\88668b1d3f06f675f928f23dd79da143.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\BWL\rstrui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Groztcac = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\xyL5TzoK\\dpnsvr.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\BWL\rstrui.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2704 N/A N/A C:\Windows\system32\rstrui.exe
PID 1204 wrote to memory of 2704 N/A N/A C:\Windows\system32\rstrui.exe
PID 1204 wrote to memory of 2704 N/A N/A C:\Windows\system32\rstrui.exe
PID 1204 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\BWL\rstrui.exe
PID 1204 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\BWL\rstrui.exe
PID 1204 wrote to memory of 2468 N/A N/A C:\Users\Admin\AppData\Local\BWL\rstrui.exe
PID 1204 wrote to memory of 536 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1204 wrote to memory of 536 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1204 wrote to memory of 536 N/A N/A C:\Windows\system32\dpnsvr.exe
PID 1204 wrote to memory of 592 N/A N/A C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe
PID 1204 wrote to memory of 592 N/A N/A C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe
PID 1204 wrote to memory of 592 N/A N/A C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe
PID 1204 wrote to memory of 1684 N/A N/A C:\Windows\system32\mspaint.exe
PID 1204 wrote to memory of 1684 N/A N/A C:\Windows\system32\mspaint.exe
PID 1204 wrote to memory of 1684 N/A N/A C:\Windows\system32\mspaint.exe
PID 1204 wrote to memory of 1112 N/A N/A C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe
PID 1204 wrote to memory of 1112 N/A N/A C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe
PID 1204 wrote to memory of 1112 N/A N/A C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\88668b1d3f06f675f928f23dd79da143.dll,#1

C:\Windows\system32\rstrui.exe

C:\Windows\system32\rstrui.exe

C:\Users\Admin\AppData\Local\BWL\rstrui.exe

C:\Users\Admin\AppData\Local\BWL\rstrui.exe

C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe

C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Windows\system32\dpnsvr.exe

C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe

C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe

C:\Windows\system32\mspaint.exe

C:\Windows\system32\mspaint.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\BWL\SRCORE.dll

MD5 1e09c0c799dd0a321fe979ca408430e2
SHA1 f5708194750554e1e7d5ab7ab1b490ff8a4783c2
SHA256 43880b322735c3da6b9b5af60e7d975f6c50017103c3a4159d94eb53496dd673
SHA512 b4b8e35d2c47cae12d7ea4bdad654ce2743ff0916f2da18fe1f8e129e62c2dda9d98a326db779588a00185ffc56f097e07ffef382f4d6ef5e76c379e0cff2046

\Users\Admin\AppData\Local\BWL\SRCORE.dll

MD5 0cb5abfe22938b30efce6e1021c298b2
SHA1 7a7a83c6e13ac8109162afa071f7db57bf039a5e
SHA256 4081ffb25eef89f3f675792a20c87ab73498fe6c977ba0e70aad087267cf2b15
SHA512 cbaf9e73fcbc943c66754e4ae706428ece9b21e311b9670589cdbce42d7b90d08fc6964fd728eed6cbf7bd3dd049d872269840ca174dd6c11a930373d268d3c0

C:\Users\Admin\AppData\Local\BWL\rstrui.exe

MD5 557efd19c2e8be32e690bf20fb8ac63a
SHA1 37bd206bc904d6b5d6477ad24a008c92a02f83b1
SHA256 011ca24aada7252886b8ffd61d772f7dbd2895f04a0474533755d8559d4046bc
SHA512 abfd7cf689502994c90f08a51ddf8b496d1c041e2a6d701d69137685222b7efcee4e99252bcaf8975d1cbbdbc43e3188f670ec03d3ecaff3b1fd756df3a984c6

\Users\Admin\AppData\Local\BWL\rstrui.exe

MD5 5023586af7318292809ce967a47861b3
SHA1 4a8ec9911cf4bec9323e23f6ad144f57b2f0391c
SHA256 ca03e0c72a2ca327e23c12d8c58d20c165c22e1f62808e9e94d0f35fb289177a
SHA512 3daed622a5de661acef914095ebebf0f78a01315a87684df5e5cce448081bf1bdf39aabfe8f94ed31ca17d46752df337201a5f2cb93b683ac9848d9683e283f4

C:\Users\Admin\AppData\Local\BWL\rstrui.exe

MD5 3db5a1eace7f3049ecc49fa64461e254
SHA1 7dc64e4f75741b93804cbae365e10dc70592c6a9
SHA256 ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49
SHA512 ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

C:\Users\Admin\AppData\Local\FQceQPXTt\WINMM.dll

MD5 7d1977b04f9df052a2125625ad126bfe
SHA1 9ad54cb94586d6704ea5197948acdbc4959a6c3c
SHA256 63f7132615149f5a1f3a0f03897c1d657018b5207f445b7f60b474911cfbd044
SHA512 5987741f50173c1a6abd538fd6167890ec5f44e9da9f52e43891ae1982960390747caa9e29245b2d18ca1a4f5ca22ea30e3fea3d81b0ac615276ae9a4f72a5ae

\Users\Admin\AppData\Local\FQceQPXTt\WINMM.dll

MD5 d79212067f1f707c91212a364ce1c40d
SHA1 55d969321d6d38fe380e7b682651987a7c1c3e1a
SHA256 dc99f15f982b6b032d51deca30e3e98d34772c861a1ab86db1256934871365dc
SHA512 f14cabbe92ab463ccbd7b6d948b5538970f26b6fd05b3a980de72910e0b3c57dc36d8a22aef54f37402105ae250369f12adaf8688d2db30b208af14c522b5ccd

C:\Users\Admin\AppData\Local\FQceQPXTt\dpnsvr.exe

MD5 6806b72978f6bd27aef57899be68b93b
SHA1 713c246d0b0b8dcc298afaed4f62aed82789951c
SHA256 3485ee4159c5f9e4ed9dd06e668d1e04148154ff40327a9ccb591e8c5a79958c
SHA512 43c942358b2e949751149ecc4be5ff6cb0634957ff1128ad5e6051e83379fb5643100cae2f6ef3eaf36aff016063c150e93297aa866e780d0e4d51656a251c7b

\Users\Admin\AppData\Local\VBKrWt\VERSION.dll

MD5 215dc18ac4c009911c7a1c0a9b41b961
SHA1 aa679328d89d9849f60cfc212a382d2f420b4247
SHA256 6b0efa350f85eb71bf47736fd3676a947b00502482b1eae29ffb280adfb6ed5d
SHA512 953c05b5a6d189d8bfbc661c3d5d996793e47b8b11627d16791e45bc58ac4c95ecaf2c85f633becb5f7a66877043b0156a2f7e0acb3622c84dd43851bff4fc6e

C:\Users\Admin\AppData\Local\VBKrWt\VERSION.dll

MD5 fb112038a8d25a8897f1927d919afcd1
SHA1 0901c07d17f313cfff6d3465750b64caf4133188
SHA256 17a0285d35685c69943df42a8a2f7a0379639f348e4daa6f5aa2a37271b97d29
SHA512 9dac478336678468e9c4b62be0edbcedee03971b644f90046e962344bbc577289af0f53532fd6e5d32dd91fe094e4e7e2bd8e640b1c01e8d5759c9ff3453e272

C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe

MD5 d113b2f0567c4a2d8ebe710d58972b93
SHA1 9d37bd4533d36cab5eb5cb415bffa4680496bfe4
SHA256 4c369609cd0ae2823444194adb977a5047a168117a73ddf9c3e06e2b32b21163
SHA512 c36d3475826875eae9cc19f559f158696507bf113dce78ccd052a334c2c9847397be641d5e9e169dea0aa84c557733c8b9f5fddc3504bc94da986163707ecc08

\Users\Admin\AppData\Local\VBKrWt\mspaint.exe

MD5 ebef690903a19e24a03752fe7ad07ea3
SHA1 e63e14084454b64224c1bb866c9b4a7d28de88df
SHA256 5e860d78ac7b2143cfef41f17c7159b9649e4cb9892fc2e56cb8ad74bf74175c
SHA512 e28f0b4aae9dbd2b8f0fe627a67a51e256834afef8fdf29eb8f4a4053e2b0a7ed0c0905dd0c0d521b8e50dffc649b67f84c30c5996b6e5c2279a445c188d32b6

C:\Users\Admin\AppData\Local\VBKrWt\mspaint.exe

MD5 f02cc80df38e9c2bd2a807e747c3aeae
SHA1 8ea4f3ace23eabc113fa060a0f7b94b5b9557205
SHA256 407894e7425a49d084a8fa65bdbde66d20e649fd7f663353dd489768aa4d1eff
SHA512 1561c8e1bf1c2e0e7d749d226862803a7c1f11ecac0318b3953126e71bf90576e11d9af31e436ca6e4c652716d134d21e456408ee8b59912d476b4b14e3182ad

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\zlGTFd2GI\mspaint.exe

MD5 fad5693684aad24c1591e5c7fbd149a4
SHA1 4864ce42320c56c3abafe6823b4f32d7c0af1e08
SHA256 a3cb4a57edf6e392bfc36a1e87638ad28676ad00ad174de9ca8ad46ab4156d9d
SHA512 1050048ce0eac0639353c76bf4153d20f20919c58848b808ba8625b0077e81451544b174257dbd701d1c7499493aea4a3f4f113e487d8ef0f298da33dba68391

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Aqrvnhd.lnk

MD5 ca8b8c433c5982d9e98f97508d64bd88
SHA1 6f179c170cdd083677e9424086f1a455850e0d0b
SHA256 9383a7210fd53d47f475dcd69d9daa7883447e3ee42c0b855406fc3beaec9272
SHA512 a5df6cd9463b2f4000c7aa5b2b63bed02ceb27b8ee9f05d1a79eb6013616e1159cefaff0c4daa4a875fa3297050bbe45186f68f6932d4255b33d5ea63fb4422e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PrivacIE\QPW\SRCORE.dll

MD5 ac56b0b6c26615b97b5ac05daf6a6a61
SHA1 0a21621d0ae5a74613988eb977fcb708b8a6690f
SHA256 b1bb424ce28b4b58b17987d8081acda618d3ac795797531eb94b01a16a014b32
SHA512 2b4635a29a722d9c678dfd4007a5176c2b49a06e86365045a6d21fa56bfc75d6320daf82463471edee97d9d88a779005f8d85770ccf375aca6033fc3b0298de9

C:\Users\Admin\AppData\Roaming\Microsoft\xyL5TzoK\WINMM.dll

MD5 dc00b61505503068e952bda32127ba1e
SHA1 dc60475b6e45582ad1ec4a2d3d8bd05c30cc990f
SHA256 9b1bbeb53dd6ba04494dcb830c5b472a96561520c99e6c1fcb689b1ae4dc55a6
SHA512 563a841d9d8e0be85e585dfb720b53ee10601ea6566b68e16d9349c305abede92651634012c2ccee38a97658be460d9b81c11db476186d5f929fa1725f0d586b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\zlGTFd2GI\VERSION.dll

MD5 7737d321af612b966c7e05739caf731b
SHA1 1e219379bc349180b8e0d218dd36337efb4b4f78
SHA256 282a94dc47bfa2bfdb5e2e42ec1df4bf641f5dd140e73b15a8ea60e9991fd0b1
SHA512 735747520be333646ad7e3aa4e69eb91d353ec6f1aadeba2b870cc443e39176a8d4c43e673f27ce3f0002791804922b6bdd301021e0f1bdf9318081cb8629452