165fb59360683122125271d668cfb28c3ad9502d559e491856005178fb22a254

Resubmissions

29-04-2024 17:56

240429-wjgllsgg29 10

17-04-2024 14:59

240417-sc15wsef8y 10

16-04-2024 14:20

240416-rnxq6sdg3t 10

Analysis

max time kernel
1809s
max time network
1820s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29-04-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Banking-Malware/Dridex/Trojan.Dridex.A.dll
Size

628KB
MD5

97a26d9e3598fea2e1715c6c77b645c2
SHA1

c4bf3a00c9223201aa11178d0f0b53c761a551c4
SHA256

e5df93c0fedca105218296cbfc083bdc535ca99862f10d21a179213203d6794f
SHA512

acfec633714f72bd5c39f16f10e39e88b5c1cf0adab7154891a383912852f92d3415b0b2d874a8f8f3166879e63796a8ed25ee750c6e4be09a4dddd8c849920c
SSDEEP

12288:2oXYZawPO7urFw4HLLDOeLSwg4ULeHOuCqA8:2oXYFIuh5HjhSwiJ8

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

pid process

1408

pid	process
1408

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uxhwu = "\"C:\\Users\\Admin\\AppData\\Roaming\\7fiJt\\rstrui.exe\""

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Windows\system32\Prr74d\rstrui.exe	cmd.exe
File opened for modification	C:\Windows\system32\Prr74d\rstrui.exe	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1948 schtasks.exe

pid	process
1948	schtasks.exe

Modifies registry class 9 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\MSCFile
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\MSCFile\shell\open
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\fd2lH44.cmd"
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\MSCFile\shell
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\MSCFile\shell\open\command
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\MSCFile\shell
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\MSCFile\shell\open\command
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\MSCFile\shell\open
Key deleted	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\MSCFile

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2460	rundll32.exe
2460	rundll32.exe
2460	rundll32.exe
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408
1408

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1408

pid	process
1408

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	1408
Token: SeShutdownPrivilege	1408
Token: SeShutdownPrivilege	1408
Token: SeShutdownPrivilege	1408
Token: SeShutdownPrivilege	1408
Token: SeShutdownPrivilege	1408

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

eventvwr.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1408 wrote to memory of 1884	1408		rstrui.exe
PID 1408 wrote to memory of 1884	1408		rstrui.exe
PID 1408 wrote to memory of 1884	1408		rstrui.exe
PID 1408 wrote to memory of 1236	1408		cmd.exe
PID 1408 wrote to memory of 1236	1408		cmd.exe
PID 1408 wrote to memory of 1236	1408		cmd.exe
PID 1408 wrote to memory of 2548	1408		rstrui.exe
PID 1408 wrote to memory of 2548	1408		rstrui.exe
PID 1408 wrote to memory of 2548	1408		rstrui.exe
PID 1408 wrote to memory of 2772	1408		cmd.exe
PID 1408 wrote to memory of 2772	1408		cmd.exe
PID 1408 wrote to memory of 2772	1408		cmd.exe
PID 1408 wrote to memory of 2932	1408		eventvwr.exe
PID 1408 wrote to memory of 2932	1408		eventvwr.exe
PID 1408 wrote to memory of 2932	1408		eventvwr.exe
PID 2932 wrote to memory of 2008	2932	eventvwr.exe	cmd.exe
PID 2932 wrote to memory of 2008	2932	eventvwr.exe	cmd.exe
PID 2932 wrote to memory of 2008	2932	eventvwr.exe	cmd.exe
PID 2008 wrote to memory of 1948	2008	cmd.exe	schtasks.exe
PID 2008 wrote to memory of 1948	2008	cmd.exe	schtasks.exe
PID 2008 wrote to memory of 1948	2008	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 1540	1408		cmd.exe
PID 1408 wrote to memory of 1540	1408		cmd.exe
PID 1408 wrote to memory of 1540	1408		cmd.exe
PID 1540 wrote to memory of 2400	1540	cmd.exe	schtasks.exe
PID 1540 wrote to memory of 2400	1540	cmd.exe	schtasks.exe
PID 1540 wrote to memory of 2400	1540	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 768	1408		cmd.exe
PID 1408 wrote to memory of 768	1408		cmd.exe
PID 1408 wrote to memory of 768	1408		cmd.exe
PID 768 wrote to memory of 2264	768	cmd.exe	schtasks.exe
PID 768 wrote to memory of 2264	768	cmd.exe	schtasks.exe
PID 768 wrote to memory of 2264	768	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 2124	1408		cmd.exe
PID 1408 wrote to memory of 2124	1408		cmd.exe
PID 1408 wrote to memory of 2124	1408		cmd.exe
PID 2124 wrote to memory of 2544	2124	cmd.exe	schtasks.exe
PID 2124 wrote to memory of 2544	2124	cmd.exe	schtasks.exe
PID 2124 wrote to memory of 2544	2124	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 3064	1408		cmd.exe
PID 1408 wrote to memory of 3064	1408		cmd.exe
PID 1408 wrote to memory of 3064	1408		cmd.exe
PID 3064 wrote to memory of 1048	3064	cmd.exe	schtasks.exe
PID 3064 wrote to memory of 1048	3064	cmd.exe	schtasks.exe
PID 3064 wrote to memory of 1048	3064	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 2644	1408		cmd.exe
PID 1408 wrote to memory of 2644	1408		cmd.exe
PID 1408 wrote to memory of 2644	1408		cmd.exe
PID 2644 wrote to memory of 1828	2644	cmd.exe	schtasks.exe
PID 2644 wrote to memory of 1828	2644	cmd.exe	schtasks.exe
PID 2644 wrote to memory of 1828	2644	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 2944	1408		cmd.exe
PID 1408 wrote to memory of 2944	1408		cmd.exe
PID 1408 wrote to memory of 2944	1408		cmd.exe
PID 2944 wrote to memory of 2976	2944	cmd.exe	schtasks.exe
PID 2944 wrote to memory of 2976	2944	cmd.exe	schtasks.exe
PID 2944 wrote to memory of 2976	2944	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 1624	1408		cmd.exe
PID 1408 wrote to memory of 1624	1408		cmd.exe
PID 1408 wrote to memory of 1624	1408		cmd.exe
PID 1624 wrote to memory of 1356	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 1356	1624	cmd.exe	schtasks.exe
PID 1624 wrote to memory of 1356	1624	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 1608	1408		cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Banking-Malware\Dridex\Trojan.Dridex.A.dll,#1
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:1884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\Z8iH.cmd
1⤵
PID:1236

C:\Windows\system32\rstrui.exe
C:\Windows\system32\rstrui.exe
1⤵
PID:2548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\lhsR.cmd
1⤵
- Drops file in System32 directory
PID:2772

C:\Windows\System32\eventvwr.exe
"C:\Windows\System32\eventvwr.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\fd2lH44.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /Create /F /TN "Trqxvscxs" /TR C:\Windows\system32\Prr74d\rstrui.exe /SC minute /MO 60 /RL highest
3⤵
- Creates scheduled task(s)
PID:1948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2332

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:3052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1584

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:240

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:956

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2776

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:2588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Query /TN "Trqxvscxs"
1⤵
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /Query /TN "Trqxvscxs"
2⤵
PID:1100

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6YH5EE3.tmp
Filesize
628KB

MD5
5d528ead026c16a5fd4b61394d49ee21

SHA1
2e10fd784274bfdab0a5d3248d807929338d58e9

SHA256
6cb62e0f2754105b70132adf10b77198c1beaa6f7cea267ef402e4c725a730c3

SHA512
7c838a7321199571376c9aa1656674356914537c58d43eae413af08604ae809c824bd93618a8bba97f9981f700899ec6c5f43dd350bac1a2fe81b295975455e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z8iH.cmd
Filesize
228B

MD5
dc64d7a03ed2eb7e5496f4f9ed78bf49

SHA1
7a6ecd154a3cf899bedd9e89846b9dcbeb0a7020

SHA256
e32977e1d394940c458ce1546494e4235b58b44d0821b9a97774076f24217b58

SHA512
33ab57d9a3ece9e963c44952950bf30b357cf1963b8fa9c92a8766fbbdab39c1a182680127ebb6e5324040ab474a99ce5eb1a800903874001d58643943f16c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZRr3582.tmp
Filesize
628KB

MD5
13175af1f427f7e94995b17c7a4c38ac

SHA1
68d00e4b3c6d5fddd1b21fa68bfff24f7daf804b

SHA256
f205699b554e0372dd269cde6eaac524670847cf9bda9c765ad91582cd9cb4ae

SHA512
4e09c0c03eedbbc8fd99a0cd70aeaead7f8cc6f9bdbfe5de7d479b0132295685db9f11e83d732bcfcb5016738b41bcefcdee7398ee9d01da395751d624ec4171

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd2lH44.cmd
Filesize
126B

MD5
603910fc1f38e48a651cd9d8112be932

SHA1
76248fae7a6e0d61ee22a23f56133f6c13053c1d

SHA256
27ee7d6062833a28351e8a9ef32cb1eea2954b02c299fd11e53391f7acccf475

SHA512
56dedc06e65c39dbc4f28be4ac19b35d8ff1f046b6b1454d98a2250c8fe595540e7ba2c5604249cbc732dbe2821392bf771c3db543261d4c92ff92bb37d3394b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lhsR.cmd
Filesize
195B

MD5
5c7b92f6b87ecc4a20bdf7cfd29a0cf7

SHA1
2d7707b93a955af070be8818fa748ad1aebd9384

SHA256
3b07346df481abbc6fa93d22cd3f58c6d6744c824b21480c3b59c65667708518

SHA512
0d5c499c7f2c3781a054b4d53ec389a27b36860c0f07a2a0d560c4c9f573dc57068d4876851f7e9ca6d46c4aaed5f8cf05c549744d08bc556f90f9647b95f13f

Download Submit
C:\Users\Admin\AppData\Roaming\7fiJt\rstrui.exe
Filesize
290KB

MD5
3db5a1eace7f3049ecc49fa64461e254

SHA1
7dc64e4f75741b93804cbae365e10dc70592c6a9

SHA256
ba8387d4543b8b11e2202919b9608ee614753fe77f967aad9906702841658b49

SHA512
ea81e3233e382f1cf2938785c9ded7c8fbbf11a6a6f5cf4323e3211ae66dad4a2c597cb589ff11f9eae79516043aba77d4b24bfa6eb0aa045d405aabdea4a025

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Uxhwu.lnk
Filesize
870B

MD5
635353984f38d466aae0017f160e8b98

SHA1
b38a94173bddf093c7371008cc6d8a842bb07a64

SHA256
41f1c62ae84de930bc81279fd72bdafbd2f7626d3acda896243e5ba0d39af85a

SHA512
01d2227b4ad3dc88866500a72d5fb5f68fe18eda56eedcb3fac3ad70243fec5d37857e233b00df0c08678f9d351c361875780d4b405b6f98d56d0fc894f380bd

Download Submit
memory/1408-9-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-33-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-13-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-21-0x0000000002990000-0x0000000002997000-memory.dmp

Filesize
28KB

Download
memory/1408-23-0x0000000077550000-0x0000000077552000-memory.dmp

Filesize
8KB

Download
memory/1408-22-0x00000000773F1000-0x00000000773F2000-memory.dmp

Filesize
4KB

Download
memory/1408-20-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-12-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-11-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-7-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-32-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-8-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-36-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-38-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-3-0x00000000772E6000-0x00000000772E7000-memory.dmp

Filesize
4KB

Download
memory/1408-14-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-10-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/1408-53-0x00000000772E6000-0x00000000772E7000-memory.dmp

Filesize
4KB

Download
memory/1408-4-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2460-6-0x000007FEF7760000-0x000007FEF77FD000-memory.dmp

Filesize
628KB

Download
memory/2460-0-0x000007FEF7760000-0x000007FEF77FD000-memory.dmp

Filesize
628KB

Download
memory/2460-2-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads