Malware Analysis Report

2024-11-13 16:42

Sample ID 240202-m51ryacdd7
Target 8958de5c2bf9701d5a7d93d25444c447
SHA256 f07f4994e0fb57cc2f550e7cc7059b2eb27470c13df7ff76e488626d7e8c5efb
Tags
dridex botnet evasion payload persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f07f4994e0fb57cc2f550e7cc7059b2eb27470c13df7ff76e488626d7e8c5efb

Threat Level: Known bad

The file 8958de5c2bf9701d5a7d93d25444c447 was found to be: Known bad.

Malicious Activity Summary

dridex botnet evasion payload persistence trojan

Dridex

Dridex Shellcode

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-02-02 11:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-02 11:03

Reported

2024-02-02 11:06

Platform

win7-20231215-en

Max time kernel

149s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8958de5c2bf9701d5a7d93d25444c447.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\iOCdW\cttune.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rtxtioiynm = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\bZKo\\PresentationSettings.exe" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\iOCdW\cttune.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (61 identical rows with no description, indicator, process or target, collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2616 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1244 wrote to memory of 2616 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1244 wrote to memory of 2616 N/A N/A C:\Windows\system32\SnippingTool.exe
PID 1244 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe
PID 1244 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe
PID 1244 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe
PID 1244 wrote to memory of 1220 N/A N/A C:\Windows\system32\cttune.exe
PID 1244 wrote to memory of 1220 N/A N/A C:\Windows\system32\cttune.exe
PID 1244 wrote to memory of 1220 N/A N/A C:\Windows\system32\cttune.exe
PID 1244 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\iOCdW\cttune.exe
PID 1244 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\iOCdW\cttune.exe
PID 1244 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\iOCdW\cttune.exe
PID 1244 wrote to memory of 2272 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1244 wrote to memory of 2272 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1244 wrote to memory of 2272 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1244 wrote to memory of 2592 N/A N/A C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe
PID 1244 wrote to memory of 2592 N/A N/A C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe
PID 1244 wrote to memory of 2592 N/A N/A C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe
PID 1244 wrote to memory of 1588 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1244 wrote to memory of 1588 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1244 wrote to memory of 1588 N/A N/A C:\Windows\system32\PresentationSettings.exe
PID 1244 wrote to memory of 912 N/A N/A C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe
PID 1244 wrote to memory of 912 N/A N/A C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe
PID 1244 wrote to memory of 912 N/A N/A C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8958de5c2bf9701d5a7d93d25444c447.dll,#1

C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe

C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe

C:\Windows\system32\SnippingTool.exe

C:\Windows\system32\SnippingTool.exe

C:\Windows\system32\cttune.exe

C:\Windows\system32\cttune.exe

C:\Users\Admin\AppData\Local\iOCdW\cttune.exe

C:\Users\Admin\AppData\Local\iOCdW\cttune.exe

C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe

C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe

C:\Users\Admin\AppData\Local\ItBpr\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

C:\Windows\system32\PresentationSettings.exe

Network

N/A

Files

memory/2236-0-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/2236-1-0x0000000000190000-0x0000000000197000-memory.dmp

memory/1244-4-0x0000000077786000-0x0000000077787000-memory.dmp

memory/1244-5-0x0000000002510000-0x0000000002511000-memory.dmp

memory/1244-9-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-13-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-17-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-18-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-25-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-30-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-32-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-35-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-34-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-37-0x00000000024F0000-0x00000000024F7000-memory.dmp

memory/1244-33-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-31-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-43-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-44-0x0000000077891000-0x0000000077892000-memory.dmp

memory/1244-45-0x00000000779F0000-0x00000000779F2000-memory.dmp

memory/1244-29-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-28-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-27-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-26-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-54-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-24-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-23-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-22-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-58-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-21-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-20-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-19-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-16-0x0000000140000000-0x00000001401AE000-memory.dmp

C:\Users\Admin\AppData\Local\SRXzyi\slc.dll

MD5 f0616031e2d92405428e1523381bf0a8
SHA1 78584949e898fc5764c7ff30577db3e0925cf2f9
SHA256 430538534d2d679924f7096c60573acc2d907f71f11aa740a0e7568461702658
SHA512 871fa01e5e40b8673da1ca9982593a71435c1731de0b4d2b2b5d01607756408bdd755f1c342e82f2249804cf8a20f48a47354c5dd2db05fea53befebdf48c88a

memory/2648-72-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/2648-76-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/2648-75-0x0000000000120000-0x0000000000127000-memory.dmp

\Users\Admin\AppData\Local\SRXzyi\slc.dll

MD5 dd4f039e9de5256b3bb7344c8519d54e
SHA1 0cf0200c334520ac68c5abb38b24d5059a73da53
SHA256 896028cbba224bd203b1fb408ffe540ac271871c5aff224c48dfbc68e07840ef
SHA512 078f8d1c31351897a198b7fe7765bc5eca6440f1e0b8d8821467790ed63e697baa7bffea585e7d2e41d8d70d4dbb91fb6bb796a21aec87b2824432fb20fe7bac

C:\Users\Admin\AppData\Local\SRXzyi\SnippingTool.exe

MD5 7633f554eeafde7f144b41c2fcaf5f63
SHA1 44497c3d6fada0066598a6170b90c53e28ddf96c
SHA256 890884c7fe7d037e6debd21d1877e9c9c5e7790cdba007ddb219ae6a55667f78
SHA512 7b61b6736c2c4f49d80f53c839914ad845f86a7d921fee1557e49aa7b4e9713e3483417d6c717eca155229bb6a90fc2253e1543cf05192aaf08262dc761fa203

memory/1244-63-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-15-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-14-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-12-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-11-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-10-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/2236-8-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/1244-7-0x0000000140000000-0x00000001401AE000-memory.dmp

\Users\Admin\AppData\Local\iOCdW\OLEACC.dll

MD5 04cfa1254ef862a22e4ad5df281a34a1
SHA1 9a3d8a99870dae4b1c1d6e231ee8aed521e8251c
SHA256 7e2d328a063c4ffb99e0537e6ebb5a1c4576c79155729230888c99359c1c75ff
SHA512 444db194f6548d57fd2a4f26768bad78026b9a707bd2cc94a3f1ad83524ef510ae63e6f679ae481e66492c5b73f8ebd7a8f76df52e7a97c596ca179206f471ed

C:\Users\Admin\AppData\Local\iOCdW\OLEACC.dll

MD5 cea085ff91e448542f035bc304707252
SHA1 d883a79665760cebe251b5165f966c0a8d64117c
SHA256 c132717af6bd7a3d737ab75a54bf4159bf13a84f8e5b0f473dfeb6ae22055794
SHA512 76e5134473dd55d46a47c1b2023c76e25dd85f3620f831d4a3d95311a13d89ad2cf487c90d7d5523aff80cba475e9305fbd574be1c4f53e8075924e903e96a16

memory/1808-91-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/1808-89-0x0000000000320000-0x0000000000327000-memory.dmp

C:\Users\Admin\AppData\Local\iOCdW\cttune.exe

MD5 7116848fd23e6195fcbbccdf83ce9af4
SHA1 35fb16a0b68f8a84d5dfac8c110ef5972f1bee93
SHA256 39937665f72725bdb3b82389a5dbd906c63f4c14208312d7f7a59d6067e1cfa6
SHA512 e38bf57eee5836b8598dd88dc3d266f497d911419a8426f73df6dcaa503611a965aabbd746181cb19bc38eebdb48db778a17f781a8f9e706cbd7a6ebec38f894

C:\Users\Admin\AppData\Roaming\Macromedia\Ocvfj3TAV1\cttune.exe

MD5 995393aebc86e588c5f1287e76fe171e
SHA1 5e097f11268e8d27644ea1edbd3a7d5a05dd32ce
SHA256 46862b904d9ae4131ddd4e70a9e00555987de22951a0616d0e919b9b5c4e0bf4
SHA512 f10b321bab62d98cd9154ab094c9e59a5979aeb21093165df8ec884fba975527136ff9ab65ef295bb22a29f9c76c7280ce64ae5316b020dff7c1c57b4960b230

C:\Users\Admin\AppData\Local\LHMKz\PresentationSettings.exe

MD5 a6f8d318f6041334889481b472000081
SHA1 b8cf08ec17b30c8811f2514246fcdff62731dd58
SHA256 208b94fd66a6ce266c3195f87029a41a0622fff47f2a5112552cb087adbb1258
SHA512 60f70fa8a19e6ea6f08f4907dd7fede3665ad3f2e013d49f6649442ea5871a967b9a53ec4d3328a06cb83b69be1b7af1bb14bf122b568bd1f8432ee1d0bfee69

\Users\Admin\AppData\Local\LHMKz\slc.dll

MD5 baedcfb72b0fa00d8d9256a644f9a893
SHA1 b4d411c4a936cd9715740937d6a80f15d117873b
SHA256 fc9a484cd0811ffd600ed437e354e37e3b858d2e66a269bd98caf8871c0b09a4
SHA512 2e56c0c0927c2f3854bc3e7a6c3a94780281746b2e4b1de7311f071e34ff3e2cb768aa2738bc58f0fc24649425f233f5e218c52180d32130094005384051d558

memory/2592-109-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/2592-106-0x0000000000100000-0x0000000000107000-memory.dmp

C:\Users\Admin\AppData\Local\LHMKz\slc.dll

MD5 75846ccddb80ea6219f2f3761ef6c4b0
SHA1 57b6cba57d4124f133d1bdb1414268915df2fc30
SHA256 1066234f2d72cd39694c61eb23912df0f4ec44de76eaa0f29101d92e63aa692f
SHA512 709dd35f6165f1662f46034ad3319cafd4a750ec0f5f8335cd37668087921c0c22cabf70e01038fb835e151785832a460f57308953d495b8a07900daf1094a5c

\Users\Admin\AppData\Local\ItBpr\WINMM.dll

MD5 929597a589a62794bd5a22b0dea738a2
SHA1 8314f48d5c029fcc6820b271f51333a07e685bd3
SHA256 6d540b0dbe29c0c131b7e2ac6f991d932a5636358202fc29e80f756a9a772fee
SHA512 44fb628a72f16cc9bf7360e1b10e4e90b2273449d7fdba0c060c1b091490711ab0772a37ffa2b43918e6e327b0cf93ca996d83632e6e56b6c10545f0542c19ab

C:\Users\Admin\AppData\Local\ItBpr\WINMM.dll

MD5 9109253d7a17c74b4c8d495fe395ee35
SHA1 7b978e24e770a9e409c62905e8c8f79ab9626ae8
SHA256 35d341826652c18776cc1f42901d3bc599cdb4adf36e30b2938a5d44931daff2
SHA512 a067136ee4ab2c0f651ecf29f7b41026f3c97f4eb89547363486d0b9165994e15977680f79ed29bb613e960194bd204505e2ad84e9fedab93bf16629aa117048

memory/1244-141-0x0000000077786000-0x0000000077787000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Tiizeasb.lnk

MD5 a7e4921c4025c4750be2ca5347bb18eb
SHA1 0a2f442c62738af7047b8d7d9f157bab2b5e5726
SHA256 ddf9ec42d1765e2654c85241a43bf151800169ee4440c2a056e4a27a58fe8dc2
SHA512 e2142415956d0efbbd222191f80172db947418f873b6625a8d464accdecd5f47b76ca60f57d0e770b0c6848670c2af450bf32e8fc58af4e313a6e4c8dd85f53e

C:\Users\Admin\AppData\Roaming\Macromedia\Ocvfj3TAV1\OLEACC.dll

MD5 a86fcd14ec7889a26e9b6d14bb7f9db5
SHA1 a7df96408ab58a155abb3605729795a2fa633de1
SHA256 49054dbec85fe42cdb55c7d6163d98b3f5ff7aabcbd09984b19828e4214a1d00
SHA512 9517a1fe6da5f6c68a00495543e2b6ba158d248581e6c42e578a0ad35df14a98cf89e0e3960ae956fa1998f50922dee0a1e45ec6ab662fd1b45fb2e3edd231b9

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\bZKo\slc.dll

MD5 a9cd7939aea0cf330d5cf8739ed6cca5
SHA1 d31903d5544a99d1e9f6ee439dbeb005e613f7c4
SHA256 0b959521bf34b5ac5e8b6cdf73233f191c5d6dbbc46d391705b6c23386592bd4
SHA512 9bc5fc84ca585a45d77991e8daddca5b1440a15b873d5585e1b6c68845f413ec78074d0262dc0def0db15626cf6e8e993893681639bca2dd69ce966663d66983

C:\Users\Admin\AppData\Roaming\Adobe\hpd\WINMM.dll

MD5 609c45031adcc93aa84a3f9e8acd434e
SHA1 50ad1b535bbf913c5e8302e2ec6de49f3902b7b8
SHA256 d8df96b78b1481b47bfa397d29d5b3383e563f77411761adf30185e80f47e691
SHA512 d67439ec84342dd90eb40ca1ae184ee6efd2b95cf778089f8e11039017647f706d1c7076a37976df769caf828698ec0d5eca84011d80067fbc30b0d12d57c964

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-02 11:03

Reported

2024-02-02 11:06

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8958de5c2bf9701d5a7d93d25444c447.dll,#1

Signatures

Dridex

botnet dridex

Dridex Shellcode

botnet payload

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Hwtkseldaftjsj = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\INTERN~1\\QUICKL~1\\4GUS\\SYSRES~1.EXE" N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\8Vpo4\Netplwiz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bDWwEIYm\SysResetErr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Uv0DTXN\Netplwiz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A (60 identical rows with no description, indicator, process or target, collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3496 wrote to memory of 3760 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 3496 wrote to memory of 3760 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 3496 wrote to memory of 736 N/A N/A C:\Users\Admin\AppData\Local\8Vpo4\Netplwiz.exe
PID 3496 wrote to memory of 736 N/A N/A C:\Users\Admin\AppData\Local\8Vpo4\Netplwiz.exe
PID 3496 wrote to memory of 548 N/A N/A C:\Windows\system32\SysResetErr.exe
PID 3496 wrote to memory of 548 N/A N/A C:\Windows\system32\SysResetErr.exe
PID 3496 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\bDWwEIYm\SysResetErr.exe
PID 3496 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\bDWwEIYm\SysResetErr.exe
PID 3496 wrote to memory of 1600 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 3496 wrote to memory of 1600 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 3496 wrote to memory of 2208 N/A N/A C:\Users\Admin\AppData\Local\Uv0DTXN\Netplwiz.exe
PID 3496 wrote to memory of 2208 N/A N/A C:\Users\Admin\AppData\Local\Uv0DTXN\Netplwiz.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\8958de5c2bf9701d5a7d93d25444c447.dll,#1

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Users\Admin\AppData\Local\8Vpo4\Netplwiz.exe

C:\Users\Admin\AppData\Local\8Vpo4\Netplwiz.exe

C:\Windows\system32\SysResetErr.exe

C:\Windows\system32\SysResetErr.exe

C:\Users\Admin\AppData\Local\Uv0DTXN\Netplwiz.exe

C:\Users\Admin\AppData\Local\Uv0DTXN\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Users\Admin\AppData\Local\bDWwEIYm\SysResetErr.exe

C:\Users\Admin\AppData\Local\bDWwEIYm\SysResetErr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 224.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 138.91.171.81:80 N/A tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

memory/2508-0-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/2508-2-0x0000011ABE280000-0x0000011ABE287000-memory.dmp

memory/3496-6-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-9-0x00007FFBCA79A000-0x00007FFBCA79B000-memory.dmp

memory/3496-8-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-10-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-11-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-12-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-13-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-15-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-14-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-16-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/2508-7-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-18-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-19-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-20-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-17-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-21-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-4-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

memory/3496-24-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-27-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-29-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-30-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-28-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-26-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-25-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-23-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-22-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-34-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-33-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-35-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-36-0x0000000001220000-0x0000000001227000-memory.dmp

memory/3496-32-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-31-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-43-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-53-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-55-0x0000000140000000-0x00000001401AE000-memory.dmp

memory/3496-44-0x00007FFBCC620000-0x00007FFBCC630000-memory.dmp

C:\Users\Admin\AppData\Local\8Vpo4\Netplwiz.exe

MD5 520a7b7065dcb406d7eca847b81fd4ec
SHA1 d1b3b046a456630f65d482ff856c71dfd2f335c8
SHA256 8323b44b6e69f02356a5ab0d03a4fc87b953edcbd85c2b6281bf92bc0a3b224d
SHA512 7aea2810f38d1640d4aa87efbbe20783fe7b8e7f588864a3a384a37c91108d906abd89b235672608c98c46ed76db2b0039462098a1064ebe4108ec37b6087914

memory/736-64-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/736-70-0x0000000140000000-0x00000001401AF000-memory.dmp

memory/736-66-0x00000169CCD10000-0x00000169CCD17000-memory.dmp

C:\Users\Admin\AppData\Local\8Vpo4\Netplwiz.exe

MD5 557f87abe6078231780f728adfa930b1
SHA1 9c55be79aba51648568540bea4b351bbc8b5f9ca
SHA256 982351cf4f7064f361b46b063de1cec3d16518a11b89aa737132ee19c4d61e3e
SHA512 c1c3e0ba3b771937edb1d7543c8cab63dd1b62d3366c90ea85f84d3e27fc85fba4dcde4996a45217563aa197a65544b63f7744d694f56ca9fb55243ff144cb78

C:\Users\Admin\AppData\Local\8Vpo4\NETPLWIZ.dll

MD5 62c3d0c77bf5179d3c31758823d7b052
SHA1 f68f389c94604f5928aa88ec4df7b6ac03669935
SHA256 00539bd73b878507a79f4fc0baa1ba7a5a33ec3e3c2243d08028499beece873e
SHA512 e045af7316c3023edd32cc41951fffd9e6c272a0d93c571a0fb55f11cab596559688dab945d66433dc3f33da37d66cc386d79eba768a6beda098d8b498b2e0fb

C:\Users\Admin\AppData\Local\8Vpo4\NETPLWIZ.dll

MD5 aed00e8471456737c620d2f80839b93c
SHA1 d27b1d890abd587bd4866832775a555951fb4542
SHA256 119ab458476a0fe6e6a518c06b963d75c95502ee11d38e12fa8fe1db65a18d5b
SHA512 a7a59e118acd8f7e906551dd399137d77f3959408ac3a419e404943e6be0ec9965eafc363373c45503dd80f7233b8b59d793b0c83d5b3431f45e6076d5e87ad1

C:\Users\Admin\AppData\Local\bDWwEIYm\DUI70.dll

MD5 9d817a5feabe94dd9780283cca3330ba
SHA1 3d33590d509c6beabf469d98bd4c37cbfd08da46
SHA256 b796fe31ecfaa2e0f577d62ada7cd8bf011d4f1e539effbb6bbb697c98f9ae1b
SHA512 31af88a03e9fd72efd49030e3752a2114e3ccc3915e4733b7521918ae9c219a6eb34c763ea460b2ecbf77309f516afd839a7bae117acb903886be4ae84e9ef4d

memory/3020-81-0x0000000140000000-0x00000001401F4000-memory.dmp

memory/3020-87-0x0000000140000000-0x00000001401F4000-memory.dmp

C:\Users\Admin\AppData\Local\bDWwEIYm\SysResetErr.exe

MD5 090c6f458d61b7ddbdcfa54e761b8b57
SHA1 c5a93e9d6eca4c3842156cc0262933b334113864
SHA256 a324e3ba7309164f215645a6db3e74ed35c7034cc07a011ebed2fa60fda4d9cd
SHA512 c9ef79397f3a843dcf2bcb5f761d90a4bdadb08e2ca85a35d8668cb13c308b275ed6aa2c8b9194a1f29964e0754ad05e89589025a0b670656386a8d448a1f542

memory/3020-83-0x00000270F0030000-0x00000270F0037000-memory.dmp

C:\Users\Admin\AppData\Local\Uv0DTXN\NETPLWIZ.dll

MD5 dfe8901172a1c4ab473b2eab3ef45500
SHA1 e5e36692328506298b896e012d8de46d679d2012
SHA256 6371c0fc50a80b872247c81be13cc05d1e9f33de9e8024e06623e1f85641dada
SHA512 2464298d9447d6319b0f24b033b6d6b2d31e6d21d48f2b68efe5748eb1cef53b41b6494b01132b702eea478416a5b44737ae79bca06946b7dd2141838cd52ae3

memory/2208-98-0x0000015E51550000-0x0000015E51557000-memory.dmp

memory/2208-104-0x0000000140000000-0x00000001401AF000-memory.dmp

C:\Users\Admin\AppData\Local\Uv0DTXN\NETPLWIZ.dll

MD5 1ed82a44ce8ec81aa18e4fb8b1680715
SHA1 e0270267e49c5b76f08bb86acfcad6e5442f816a
SHA256 6c815c7f2506069748b73e97a5a5a4a3342df97aa97aaba335656bb5e93aa5cf
SHA512 21cf0388ecd3cb897721aac35eada417e9a4ccccd3be2d70704e1c07c46ef45ccbffb6a5663d24e1ef774e7da6878d01abd0689dd9c62c9b115d1aba9706ff49

C:\Users\Admin\AppData\Local\bDWwEIYm\DUI70.dll

MD5 a85872effffd98b9f9011dde07335f0b
SHA1 b085261a5ebbb713db282f3ca6a1db28215e2c5d
SHA256 b54205a209de778cb852be731224f0aae7d0ab2b8f4093bdc094076f50324dd9
SHA512 23c40403e732ad98cf850814597a9774d7bcb0f504cc49fb835e841898d7b87157b509c773a24bf76d816a3138c9f3f7b9b9f69ce643efe09c7f092fa06083a2

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mkzwiunlad.lnk

MD5 80aa05f1524fa83cb51dfc3dbce96d1e
SHA1 52c135b44a2a4222ef2d100b70a115f89456aeb3
SHA256 583283f161c2a184815edfda3b825d682d6e37629fe1e71c32f4f7493d0e00e4
SHA512 3d71175a2e628662c97181faca41550d952b04a94e535f62e947330dede413a6b1831d72c4dcdebf5b64b99997bbf9ce5c110e9a7bbdc67ab5e25488747b03f9

C:\Users\Admin\AppData\Roaming\Microsoft\Proof\KOn\NETPLWIZ.dll

MD5 f81a683aec0a74626f8945043acd965d
SHA1 104400609b2024a9e9dee795bd1d3cb0b78db4ea
SHA256 c7c456481ed06c4578b462dee6e2277a8b6e09edc4fe7e17499c15ee2a042d92
SHA512 916cef5a0bf730a56df2e168a3aafc8171f4fadf0b75a66b2f0391d3296a99aa8458554d3db64abf3ba1cc7dca587b79329a6888c41091e27a340c0ae22b5efd

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\4GUS\DUI70.dll

MD5 427ef53bb09581f767c697c3147f7e2c
SHA1 43ad8b1f2213b166e508376e4f96fe8d155c4766
SHA256 46482d08805a889da37c3fe7e8c07f564613555a95a67b2294b7620cb4a17d08
SHA512 3313d5c7954c470255d0764f5b02e35a29c30e8cc7394b49cd098967faf18c4054239fdeae8aa7ad203ee87d278d37f05164e37d5b7ec89d1257010bbec0bcb1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\tDNPr89K6bi\NETPLWIZ.dll

MD5 27d34f39b88d5f2895983de165c72f5a
SHA1 0f5e1b131b69c0c90c6a6ee77483c4d9c8538362
SHA256 32fb0c879820b5acc5361a2ae6d436bb9fd1f39b3691ddcf858dc0518924d62d
SHA512 d48eafeba2200955bf3d6e705adb39d738c1a62a6cf3ec34531179cd5429bdd8278b9c76de5cdf88d9837b7b70ae14714f960acfba66b41e7dc839728a1edd84