Malware Analysis Report

2025-03-14 23:55

Sample ID:  240603-frcdvsdf98
Target:     e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce
SHA256:     e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce
Tags:       persistence
Score:      7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce

Threat Level: Shows suspicious behavior

The file e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce was classified as "Shows suspicious behavior" (score 7/10) on the strength of the persistence and process-manipulation signatures listed below. The report carries only the "persistence" tag and attributes the sample to no malware family.

Malicious Activity Summary

Signatures triggered across the static and behavioral analyses (tag in brackets where the behavioral sections assign one):

  Loads dropped DLL
  Adds Run key to start application          [persistence]
  Drops file in System32 directory
  Unsigned PE
  Suspicious use of WriteProcessMemory
  Modifies registry class
  Suspicious behavior: EnumeratesProcesses
  Uses Task Scheduler COM API                [persistence]
  Creates scheduled task(s)                  [persistence]
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of UnmapMainImage

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported: 2024-06-03 05:05

Signatures

Unsigned PE

  The PE carries no digital signature. (No further indicator details recorded.)

Analysis: behavioral2

Detonation Overview

Submitted:        2024-06-03 05:05
Reported:         2024-06-03 05:08
Platform:         win10v2004-20240508-en
Max time kernel:  149s
Max time network: 125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll,#1

(The sample is a DLL; the sandbox loads it with rundll32.exe and calls the export with ordinal 1.)

Signatures

Adds Run key to start application  [persistence]

  Set value (str)  \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow
                   = "C:\Users\Admin\AppData\Roaming\LRknwnN\BitLockerWizard.exe"

Drops file in System32 directory

  File opened for modification  C:\Windows\system32\5126\SndVol.exe   (process: C:\Windows\System32\cmd.exe)
  File created                  C:\Windows\system32\5126\SndVol.exe   (process: C:\Windows\System32\cmd.exe)

Creates scheduled task(s)  [persistence]

  Process: C:\Windows\system32\schtasks.exe  (no further indicator details recorded)

Modifies registry class

All events are under \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings (the current user's HKCU\Software\Classes\ms-settings):

  Key created      ms-settings
  Key created      ms-settings\shell
  Key created      ms-settings\shell\open
  Key created      ms-settings\shell\open\command
  Set value (str)  ms-settings\shell\open\command\(Default) = "C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\6py.cmd"
  Set value (str)  ms-settings\shell\open\command\DelegateExecute  (empty)
  Key deleted      ms-settings\shell\open\command
  Key deleted      ms-settings\shell\open
  Key deleted      ms-settings\shell
  Key deleted      ms-settings

A per-user ms-settings\shell\open\command is the handler that the auto-elevating fodhelper.exe resolves through HKCU\Software\Classes, and the WriteProcessMemory table below shows fodhelper.exe (PID 4732) spawning cmd.exe (PID 3512), whose command line in the process list is exactly the one written here (6py.cmd), followed by schtasks.exe (PID 4892). Because every key is deleted again, a registry snapshot of a live host will usually show nothing; only registry event logging (for example Sysmon Event ID 12/13) captures the hijack.

Suspicious behavior: EnumeratesProcesses

  Process: C:\Windows\system32\rundll32.exe  (4 events); 60 further events with no process attribution recorded

Suspicious use of AdjustPrivilegeToken

  Token: SeShutdownPrivilege        (7 events, no process attribution recorded)
  Token: SeCreatePagefilePrivilege  (7 events, no process attribution recorded)

Suspicious use of UnmapMainImage

  (no indicator details recorded)

Suspicious use of WriteProcessMemory

Each row below was logged twice by the sandbox; the pairs are collapsed here.

  Source PID  Source process                     Target PID  Target process
  3500        (not attributed)                   3812        C:\Windows\system32\TSTheme.exe
  3500        (not attributed)                   5108        C:\Windows\system32\RmClient.exe
  3500        (not attributed)                   2716        C:\Windows\system32\BitLockerWizard.exe
  3500        (not attributed)                   5104        C:\Windows\System32\cmd.exe
  3500        (not attributed)                   728         C:\Windows\System32\cmd.exe
  728         C:\Windows\System32\cmd.exe        3112        C:\Windows\system32\schtasks.exe
  3500        (not attributed)                   716         C:\Windows\system32\UIMgrBroker.exe
  3500        (not attributed)                   3836        C:\Windows\system32\SndVol.exe
  3500        (not attributed)                   3192        C:\Windows\System32\cmd.exe
  3500        (not attributed)                   4732        C:\Windows\System32\fodhelper.exe
  4732        C:\Windows\System32\fodhelper.exe  3512        C:\Windows\system32\cmd.exe
  3512        C:\Windows\system32\cmd.exe        4892        C:\Windows\system32\schtasks.exe

PID 3500 does not appear in the process list, but the Files section holds memory dumps of it (memory/3500-*) covering 0x0000000140000000-0x0000000140083000, the same range dumped from PID 4796. That is consistent with the same code having been injected into an already-running process, which then launched the programs above.

Uses Task Scheduler COM API  [persistence]

  (no indicator details recorded)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll,#1

C:\Windows\system32\TSTheme.exe

C:\Windows\system32\TSTheme.exe

C:\Windows\system32\RmClient.exe

C:\Windows\system32\RmClient.exe

C:\Windows\system32\BitLockerWizard.exe

C:\Windows\system32\BitLockerWizard.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\aKXLPQl.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"

C:\Windows\system32\UIMgrBroker.exe

C:\Windows\system32\UIMgrBroker.exe

C:\Windows\system32\SndVol.exe

C:\Windows\system32\SndVol.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\mPEGq0.cmd

C:\Windows\System32\fodhelper.exe

"C:\Windows\System32\fodhelper.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\6py.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Fdxhngjjnp" /SC minute /MO 60 /TR "C:\Windows\system32\5126\SndVol.exe" /RL highest

Network

  Country  Destination          Domain                          Proto
  US       8.8.8.8:53           8.8.8.8.in-addr.arpa            udp
  US       8.8.8.8:53           172.210.232.199.in-addr.arpa    udp
  US       8.8.8.8:53           28.118.140.52.in-addr.arpa      udp
  US       8.8.8.8:53           68.159.190.20.in-addr.arpa      udp
  NL       23.62.61.194:443     www.bing.com                    tcp
  US       8.8.8.8:53           26.35.223.20.in-addr.arpa       udp
  US       8.8.8.8:53           194.61.62.23.in-addr.arpa       udp
  US       8.8.8.8:53           58.55.71.13.in-addr.arpa        udp
  US       8.8.8.8:53           103.169.127.40.in-addr.arpa     udp
  US       8.8.8.8:53           56.126.166.20.in-addr.arpa      udp
  US       8.8.8.8:53           203.107.17.2.in-addr.arpa       udp
  US       8.8.8.8:53           23.236.111.52.in-addr.arpa      udp
  US       8.8.8.8:53           tse1.mm.bing.net                udp
  US       204.79.197.200:443   tse1.mm.bing.net                tcp  (2 connections)

Only reverse-DNS lookups via 8.8.8.8 and HTTPS connections to www.bing.com and tse1.mm.bing.net were recorded in the 125 s network window. No other destination was contacted, so this run yields no network indicators attributable to the sample; a longer window or a condition the sandbox did not meet may be needed before it reaches out.

Files

memory/4796-0-0x0000000140000000-0x0000000140083000-memory.dmp

memory/4796-2-0x000002368D9E0000-0x000002368D9E7000-memory.dmp

memory/3500-3-0x0000000000710000-0x0000000000711000-memory.dmp

memory/3500-6-0x00007FFAF74EA000-0x00007FFAF74EB000-memory.dmp

memory/4796-5-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-7-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-23-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-34-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-46-0x00007FFAF8000000-0x00007FFAF8010000-memory.dmp

memory/3500-44-0x0000000140000000-0x0000000140083000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6py.cmd

MD5 d3e52e132cec5afee05e3a822cdee50b
SHA1 38109f39817cc95e6e245929032428e4c51b1a67
SHA256 39522953cea12991cc7f26327bb77dfc53579c1b9acf2ddb4322d5787693d056
SHA512 6732fa9b3250a59770d9e2bf942b77a540a9a6d75bf51e82157eae198422e435afec7ca2f903f1049535fee62ce0e752101c55d68402e0d894c2d8b414c18346

C:\Users\Admin\AppData\Local\Temp\htr5843.tmp

MD5 1d649482fce95f3b8e05e8b1098692ee
SHA1 a8125d02e3965972bebc9a01fb227849cd140e06
SHA256 55b4c4727f2d7118fa951b8502fc517914ca37f8aabce1ff8d51d52adfc76a8c
SHA512 306de546a12e90b4532053e1c432e8dc6b54d5e36db1152bb47f5954d2b626748bbe56fd0dc7044f263aab461e91a29313a8a0c684410bab6e0ed31cdac11418

C:\Users\Admin\AppData\Local\Temp\mPEGq0.cmd

MD5 a19de6e6dd8fa90f757f4d06c37954e9
SHA1 e210e4814d36b044a5fb8be6399fb34112d646ea
SHA256 c0102fa98fbe242501707b3a5fda266a58b2a26990ab61ee23514768cf4c45d5
SHA512 d93d98f64c728f539fa5cbfe2d3f6808c4aeccd279fc88466f13d7ca4d75e920d1591a769e26ae7148f19e71c07c86dcbd9986df68c5b2018f3eaa6b02b6f865

memory/3500-55-0x0000000140000000-0x0000000140083000-memory.dmp

C:\Users\Admin\AppData\Roaming\LRknwnN\BitLockerWizard.exe

MD5 6d30c96f29f64b34bc98e4c81d9b0ee8
SHA1 4a3adc355f02b9c69bdbe391bfb01469dee15cf0
SHA256 7758227642702e645af5e84d1c0e5690e07687c8209072a2c5f79379299edf74
SHA512 25471b0ac7156d9ee9d12181020039bf551ba3efe252b656030c12d93b8db2648a18bdf762740f2a5cd8e43640e4bd4e8742310dea15823fc76b9e1c126876b8

C:\Users\Admin\AppData\Local\Temp\0t65767.tmp

MD5 517fb5c637eb9e0a53926998b85bde8e
SHA1 574e81f3cb2f37aee2087bbe75c33f81779a9128
SHA256 91c9d56d48d6d35d668e74c17a7d2a1d88b96e18ac449d908dfdc75fc8206b1d
SHA512 19962b4db4705504e30a130a4cfb6f7c9b891f76ac9854baa1f1471a3ad739d4477d94016953b4b824842f59a653c34f5f575ba9e080e70d0b7bf1cc1780572e

C:\Users\Admin\AppData\Local\Temp\aKXLPQl.cmd

MD5 9021153768c640924ae5b4b52031ec1d
SHA1 9dd2f3b6a1978eec40bccf4907d5cd5b81bf0ee2
SHA256 4cf58101e9fb8e74e4eda0677817c8533f18f4236950b9b0cf5797aeba3d6fef
SHA512 206ea3608aa812753da152b34f8ff1f90d526b015a166d893d78839b0045db223051a357b64a7654e36d42c7cb246744e46e1e238f652e61c6214c62da3c914f

memory/3500-38-0x00000000006B0000-0x00000000006B7000-memory.dmp

memory/3500-27-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-26-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-25-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-24-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-22-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-21-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-20-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-19-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-18-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-17-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-16-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-15-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-14-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-13-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-12-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-11-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-10-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-9-0x0000000140000000-0x0000000140083000-memory.dmp

memory/3500-8-0x0000000140000000-0x0000000140083000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Pruztwesow.lnk

MD5 7cd24dd1ebdc7a33d895df24f5035b97
SHA1 b40b1a64c064327f4c91a110ee41d961837e5e03
SHA256 fc8acba1e93ba688cac803a9374e3cf50480b154d3df0266662d08449781c448
SHA512 faf49e99a5a9e416b3f12fd264554a546752ed33bcfedc3f6c26abe24fb53ea6884e58d531f202f99cdca186cc338736fbbbc4333e1d341bb9199fa67c13faa7

Analysis: behavioral1

Detonation Overview

Submitted:        2024-06-03 05:05
Reported:         2024-06-03 05:08
Platform:         win7-20240221-en
Max time kernel:  149s
Max time network: 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll,#1

Signatures

Loads dropped DLL

  (no indicator details recorded)

Adds Run key to start application  [persistence]

  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj
                   = "C:\Users\Admin\AppData\Roaming\usve2sZ\StikyNot.exe"

Drops file in System32 directory

  File created                  C:\Windows\system32\2073\BdeUISrv.exe   (process: C:\Windows\System32\cmd.exe)
  File opened for modification  C:\Windows\system32\2073\BdeUISrv.exe   (process: C:\Windows\System32\cmd.exe)

Creates scheduled task(s)  [persistence]

  Process: C:\Windows\system32\schtasks.exe  (no further indicator details recorded)

Modifies registry class

All events are under \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile (the current user's HKCU\Software\Classes\mscfile):

  Key created      MSCFile
  Key created      MSCFile\shell
  Key created      MSCFile\shell\open
  Key created      MSCFile\shell\open\command
  Set value (str)  MSCFile\shell\open\command\(Default) = "C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\G5SUW.cmd"
  Key deleted      MSCFile\shell\open\command
  Key deleted      MSCFile\shell\open
  Key deleted      MSCFile\shell
  Key deleted      MSCFile

This is the Windows 7 counterpart of the ms-settings hijack in behavioral2: the auto-elevating eventvwr.exe opens its .msc console through the mscfile handler, and HKCU\Software\Classes takes precedence over the machine-wide class. The WriteProcessMemory table below shows eventvwr.exe (PID 2688) spawning cmd.exe (PID 2696), whose command line in the process list runs G5SUW.cmd, and that cmd.exe spawning schtasks.exe (PID 2748). As in behavioral2 the keys are deleted afterwards, so registry event logging rather than a registry snapshot is needed to see them.

Suspicious behavior: EnumeratesProcesses

  Process: C:\Windows\system32\rundll32.exe  (2 events); 62 further events with no process attribution recorded

Suspicious use of WriteProcessMemory

Each row below was logged three times by the sandbox; the triples are collapsed here.

  Source PID  Source process                     Target PID  Target process
  1224        (not attributed)                   2716        C:\Windows\system32\LogonUI.exe
  1224        (not attributed)                   2664        C:\Windows\system32\StikyNot.exe
  1224        (not attributed)                   2948        C:\Windows\System32\cmd.exe
  1224        (not attributed)                   2468        C:\Windows\System32\cmd.exe
  2468        C:\Windows\System32\cmd.exe        2952        C:\Windows\system32\schtasks.exe
  1224        (not attributed)                   2484        C:\Windows\system32\sdchange.exe
  1224        (not attributed)                   2120        C:\Windows\system32\BdeUISrv.exe
  1224        (not attributed)                   2596        C:\Windows\System32\cmd.exe
  1224        (not attributed)                   2688        C:\Windows\System32\eventvwr.exe
  2688        C:\Windows\System32\eventvwr.exe   2696        C:\Windows\system32\cmd.exe
  2696        C:\Windows\system32\cmd.exe        2748        C:\Windows\system32\schtasks.exe

As in behavioral2, the source PID (1224 here) is absent from the process list but present in the memory dumps (memory/1224-*), with the same 0x0000000140000000-0x0000000140083000 range dumped from PID 2224.

Uses Task Scheduler COM API  [persistence]

  (no indicator details recorded)
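The two "Modifies registry class" tables and the fodhelper.exe / eventvwr.exe rows of the two WriteProcessMemory tables describe one pattern on both platforms: a shell\open\command is written under the user's HKCU\Software\Classes, an auto-elevating Windows binary is launched, and that binary spawns cmd.exe. The Python below is an added example, not code from the sandbox or from this report, that reads events in the text form the report uses and emits a finding only when both halves are present. The sample events are constructed from the rows above; the class-key-to-binary mapping (HIJACKED_CLASSES) and the function names are this example's own.

```python
"""Correlate per-user class-key hijacks with auto-elevating binaries (added example)."""
import re
from collections import defaultdict

# Class keys whose per-user "open" command is executed by an auto-elevating
# binary. This mapping is an assumption of the example, not a report field.
HIJACKED_CLASSES = {
    r"\ms-settings\shell\open\command": "fodhelper.exe",
    r"\mscfile\shell\open\command": "eventvwr.exe",
}

# 'Set value (str) \REGISTRY\...\command\ = "..."' and 'Key created/deleted \REGISTRY\...'
REG_EVENT = re.compile(
    r'^(?P<op>Set value \(str\)|Key created|Key deleted)\s+'
    r'(?P<key>\\REGISTRY\\\S+?)(?:\s+=\s+"(?P<value>.*)")?\s*$'
)
# 'PID <ppid> wrote to memory of <pid> N/A <parent image or N/A> <child image>'
WPM_EVENT = re.compile(
    r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+)\s+N/A\s+'
    r'(?P<parent>\S+)\s+(?P<child>\S+)$'
)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_uac_bypass(reg_lines, wpm_lines):
    """One finding per hijacked class key whose command was set and whose
    elevating binary then spawned a child; either half alone is not enough."""
    hijacks = {}
    for line in reg_lines:
        m = REG_EVENT.match(line)
        if not m or m["op"] != "Set value (str)":
            continue
        key = m["key"].lower()
        for cls, binary in HIJACKED_CLASSES.items():
            if cls not in key:
                continue
            h = hijacks.setdefault(cls, {"binary": binary, "command": None, "delegate": False})
            if key.endswith("\\delegateexecute"):
                # An empty DelegateExecute makes the shell fall back to the command string.
                h["delegate"] = True
            elif m["value"] is not None:
                h["command"] = m["value"].replace("\\\\", "\\")  # undo sandbox escaping
    spawned = defaultdict(set)  # parent image basename -> child image basenames
    for line in wpm_lines:
        m = WPM_EVENT.match(line)
        if m:
            spawned[_basename(m["parent"])].add(_basename(m["child"]))
    findings = []
    for cls, h in hijacks.items():
        children = spawned.get(h["binary"], set())
        if h["command"] and children:
            findings.append({
                "class_key": cls,
                "elevator": h["binary"],
                "command": h["command"],
                "delegate_execute": h["delegate"],
                "children": sorted(children),
            })
    return findings


# Constructed from the behavioral2 (Win10) and behavioral1 (Win7) rows of this report.
WIN10_REG = [
    r'Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\6py.cmd"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\DelegateExecute',
    r'Key deleted \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings',
]
WIN10_WPM = [
    r'PID 3500 wrote to memory of 4732 N/A N/A C:\Windows\System32\fodhelper.exe',
    r'PID 4732 wrote to memory of 3512 N/A C:\Windows\System32\fodhelper.exe C:\Windows\system32\cmd.exe',
    r'PID 3512 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe',
]
WIN7_REG = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\G5SUW.cmd"',
    r'Key deleted \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\MSCFile',
]
WIN7_WPM = [
    r'PID 1224 wrote to memory of 2688 N/A N/A C:\Windows\System32\eventvwr.exe',
    r'PID 2688 wrote to memory of 2696 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe',
]

if __name__ == "__main__":
    for label, reg, wpm in (("win10", WIN10_REG, WIN10_WPM), ("win7", WIN7_REG, WIN7_WPM)):
        for f in find_uac_bypass(reg, wpm):
            print(f"[{label}] {f['elevator']} -> {f['children']} via {f['class_key']}: {f['command']}")
```

Requiring both the value write and the child spawn is deliberate: a class-key write on its own also comes from legitimate per-user file associations, and an elevating binary spawning cmd.exe on its own is rare but not impossible, whereas the two together within one detonation are the hijack. The same logic applies unchanged to Sysmon registry (Event ID 13) and process-creation (Event ID 1) records once they are rendered into these two line shapes.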

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9f4bcc870e4b10369e86561b3aa28e9949ab8e0e2934ee33c05b974bd22d4ce.dll,#1

C:\Windows\system32\LogonUI.exe

C:\Windows\system32\LogonUI.exe

C:\Windows\system32\StikyNot.exe

C:\Windows\system32\StikyNot.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\RC8.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{2262e400-a0a9-2d5f-1946-aa1a0d59cbbd}"

C:\Windows\system32\sdchange.exe

C:\Windows\system32\sdchange.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\system32\BdeUISrv.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\W6VlA.cmd

C:\Windows\System32\eventvwr.exe

"C:\Windows\System32\eventvwr.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\G5SUW.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Kzcfjezwvyzrv" /SC minute /MO 60 /TR "C:\Windows\system32\2073\BdeUISrv.exe" /RL highest
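The scheduled task and the Run key are the durable part of this sample's footprint on both platforms: a Run value pointing at a copy of a Windows binary in a randomly named AppData\Roaming subdirectory, a Startup-folder .lnk of the same name, and a task created with /RL highest every 60 minutes that runs a file placed in a numeric subdirectory of System32. The Python below is an added example, not code from the report or the sandbox, that parses schtasks command lines and Run-key events in the text form shown above, flags those traits, and lists the schtasks /Delete and reg delete commands a responder would run to undo them. The sample inputs are constructed from the two detonations; SYSTEM_NAMES, the flag wording and the function names are this example's own.

```python
"""Triage scheduled-task and Run-key persistence from sandbox text (added example)."""
import re

TOKEN = re.compile(r'"[^"]*"|\S+')
# Set value (str) \REGISTRY\USER\<SID>\...\CurrentVersion\Run\<name> = "<escaped value>"
RUN_VALUE = re.compile(
    r'^Set value \(str\)\s+\\REGISTRY\\\S*\\CurrentVersion\\Run\\(?P<name>[^\s\\]+)'
    r'\s+=\s+"(?P<value>.*)"$', re.I)
# Locations used in this report: C:\Windows\System32\<digits>\<x>.exe and
# C:\Users\<u>\AppData\Roaming\<random>\<x>.exe
NUMERIC_SYSTEM32 = re.compile(r'^[a-z]:\\windows\\system32\\\d+\\[^\\]+\.exe$', re.I)
ROAMING_SUBDIR = re.compile(r'^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\[^\\]+\\[^\\]+\.exe$', re.I)
# Windows binary names reused by this sample. A real deployment would compare
# against an inventory of %SystemRoot%\System32 instead of a fixed set.
SYSTEM_NAMES = {"bitlockerwizard.exe", "stikynot.exe", "sndvol.exe", "bdeuisrv.exe"}


def _unescape(s):
    # Undo the backslash escaping the sandbox applies to registry strings.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_schtasks(cmdline):
    """Split a schtasks.exe command line into {'/TN': 'name', '/F': True, ...}.
    Returns None for any other program."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens or tokens[0].rsplit("\\", 1)[-1].lower() != "schtasks.exe":
        return None
    args, i = {}, 1
    while i < len(tokens):
        flag = tokens[i].upper()
        if not flag.startswith("/"):
            i += 1
            continue
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            args[flag] = tokens[i + 1]
            i += 2
        else:
            args[flag] = True
            i += 1
    return args


def _path_flags(path):
    flags = []
    if NUMERIC_SYSTEM32.match(path):
        flags.append("target sits in a numeric System32 subdirectory")
    if ROAMING_SUBDIR.match(path):
        flags.append("target sits in an AppData\\Roaming subdirectory")
    if path.rsplit("\\", 1)[-1].lower() in SYSTEM_NAMES:
        flags.append("target reuses the name of a Windows binary from a non-standard directory")
    return flags


def triage(cmdlines, registry_events):
    """Return flagged tasks and Run values plus the commands that undo them."""
    out = {"tasks": [], "deleted_tasks": [], "run_keys": [], "cleanup": []}
    for cmd in cmdlines:
        args = parse_schtasks(cmd)
        if not args:
            continue
        if "/DELETE" in args:
            out["deleted_tasks"].append(args.get("/TN"))
        elif "/CREATE" in args:
            target = args.get("/TR", "")
            flags = _path_flags(target)
            if str(args.get("/RL", "")).lower() == "highest":
                flags.append("/RL highest: runs with the highest privileges the user holds")
            out["tasks"].append({"name": args.get("/TN"), "target": target,
                                 "schedule": f"every {args.get('/MO', '1')} {args.get('/SC')}",
                                 "flags": flags})
            if flags:
                out["cleanup"].append(f'schtasks /Delete /F /TN "{args.get("/TN")}"')
    for ev in registry_events:
        m = RUN_VALUE.match(ev)
        if not m:
            continue
        path = _unescape(m["value"]).strip('"')
        flags = _path_flags(path)
        out["run_keys"].append({"name": m["name"], "target": path, "flags": flags})
        if flags:
            out["cleanup"].append(
                f'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "{m["name"]}" /f')
    return out


# Constructed from the process lists and Run-key events of both detonations.
WIN10_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\6py.cmd',
    r'schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{662183c3-7773-ee8a-f0a9-0ccd273a9b7a}"',
    r'schtasks.exe /Create /F /TN "Fdxhngjjnp" /SC minute /MO 60 /TR "C:\Windows\system32\5126\SndVol.exe" /RL highest',
]
WIN10_REGISTRY = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pruztwesow = "\"C:\\Users\\Admin\\AppData\\Roaming\\LRknwnN\\BitLockerWizard.exe\""',
]
WIN7_CMDLINES = [
    r'schtasks.exe /Create /F /TN "Kzcfjezwvyzrv" /SC minute /MO 60 /TR "C:\Windows\system32\2073\BdeUISrv.exe" /RL highest',
]
WIN7_REGISTRY = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yyeybzteybdsbj = "\"C:\\Users\\Admin\\AppData\\Roaming\\usve2sZ\\StikyNot.exe\""',
]

if __name__ == "__main__":
    for label, cmds, regs in (("win10", WIN10_CMDLINES, WIN10_REGISTRY), ("win7", WIN7_CMDLINES, WIN7_REGISTRY)):
        result = triage(cmds, regs)
        for t in result["tasks"]:
            print(f"[{label}] task {t['name']} {t['schedule']} -> {t['target']}: {'; '.join(t['flags'])}")
        for k in result["run_keys"]:
            print(f"[{label}] Run\\{k['name']} -> {k['target']}: {'; '.join(k['flags'])}")
        print("\n".join(result["cleanup"]))
```

The Startup-folder shortcut (Pruztwesow.lnk, Yyeybzteybdsbj.lnk) carries the same name as the Run value, so the name the script extracts also identifies the .lnk to remove; the dropped copies under AppData\Roaming and System32\<digits> are listed with hashes in the Files sections and should be removed with their directories. Note that the script only sees what the sandbox exported: the task the sample deletes (User_Feed_Synchronization-{...}) is reported as removed, not as suspicious.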

Network

  No network activity was recorded in the 119 s network window.

Files

memory/2224-1-0x0000000140000000-0x0000000140083000-memory.dmp

memory/2224-2-0x0000000000290000-0x0000000000297000-memory.dmp

memory/1224-3-0x0000000077316000-0x0000000077317000-memory.dmp

memory/1224-4-0x0000000002990000-0x0000000002991000-memory.dmp

memory/2224-6-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-7-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-10-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-8-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-16-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-35-0x0000000002970000-0x0000000002977000-memory.dmp

memory/1224-34-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-27-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-26-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-25-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-24-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-36-0x0000000077421000-0x0000000077422000-memory.dmp

memory/1224-23-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-22-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-21-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-20-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-19-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-18-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-17-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-15-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-14-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-13-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-12-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-11-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-9-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-51-0x0000000140000000-0x0000000140083000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\y3B5B.tmp

MD5 decfafbb276f47b9b1ea8ccae6ff43a8
SHA1 091747ddd6b00f06e3a815638b319972406f8154
SHA256 d12de875acfddbf80ee07e71fbf42fb3003ff437cea09d7a3998323290431016
SHA512 ab25f3f95be30e718ebd312c866b47bbec18eff0fc78a9693397afb999269209c863e7f8f1c7ef8500fcc5df0ebc2792051811e33214695c3dd9f31ba8169758

\Users\Admin\AppData\Roaming\usve2sZ\StikyNot.exe

MD5 b22cb67919ebad88b0e8bb9cda446010
SHA1 423a794d26d96d9f812d76d75fa89bffdc07d468
SHA256 2f744feac48ede7d6b6d2727f7ddfa80b26d9e3b0009741b00992b19ad85e128
SHA512 f40aad2a381b766aae0a353fae3ab759d5c536b2d00d135527bba37b601d2f24323f079bd09600355d79404d574ac59201d415ef64c1568877ad0ce0da2dd1d5

C:\Users\Admin\AppData\Local\Temp\G5SUW.cmd

MD5 bb3148182c7237b0f0bbd186ea78fab9
SHA1 2774e9b54d60f4934a750722e875aa2149e45c7c
SHA256 2ac8cef263ca229c029894e027fa1d2d7ba4c51dd5012890483f4be3be31a796
SHA512 03c9caeb65c35bf2dcf086b7a71be744eb6c09f9dd43b27418de62eb8f237b0dfa0204ded934a27d188ddf7cef141d578c254fdde41a1ed9408fcc0433aef283

C:\Users\Admin\AppData\Local\Temp\s5M3BD9.tmp

MD5 1e7a71b520031d49587eaef20b7353d0
SHA1 e86b305cef93ad980beb5ca3f12ea01b62220284
SHA256 e4e37d75838769df23777167adc785709f8c35e874d8b06fb0b47efdc787ec0e
SHA512 1d624249ad72ccf04c163456099b4158a900248cf966cd713d685e0c3fe43ea7da864fdc7f4f3dd3f78840dafac52a53e408d515510b2fbab85c779e3d660f37

C:\Users\Admin\AppData\Local\Temp\W6VlA.cmd

MD5 85f8df5de710b5ce098bf386926ff594
SHA1 a0203e6480c9d66396cd8228804b66e4cbe260ab
SHA256 6ed6bfdbfbd105c21f8ddbf8de2b50f94785e634b55d8be7136f3ffea17d141b
SHA512 aa913d09683e1c5bb7bb53fbab74fc2f483e15bcb81de534b0f116ec6487b53764034e90220fdf12d5cb461eb4d10ef7743055c7350d41e7062c7dad965036db

C:\Users\Admin\AppData\Local\Temp\RC8.cmd

MD5 4be5f38252f91de9bb27a470159930d7
SHA1 014666fc72328efeee6078ac40a074b89b09e0e5
SHA256 afeff5488c66fa5ff7697f7b00229e02bd98aa35c08ca3c55c276344961dfce9
SHA512 96df2ebb722aacbd3cb675ab7a29d34625b2ebc8b3669b93d60e072058fc8f9bc2e9d63fbd64404dec55d8050a0f2a5e7f4ad6cc01884c26e341a0a2917e8af5

memory/1224-50-0x0000000077580000-0x0000000077582000-memory.dmp

memory/1224-49-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-48-0x0000000140000000-0x0000000140083000-memory.dmp

memory/1224-45-0x0000000140000000-0x0000000140083000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Yyeybzteybdsbj.lnk

MD5 3730745838ccd1c5ad3eca8d44273a05
SHA1 91a33fc7aa1329ba37bc0d5c58c76c636df588a7
SHA256 33cace0c94d7db518eb56d3b5dcff61048998affcf3068a87bd1e9912483555d
SHA512 913461c52502872e0553566fac13a70869286aec593abb738589b82c117f6c7e018bc129e4a81a222e6db48d27532875e44c7d572cdd7d615613b7cec8477111

memory/1224-100-0x0000000077316000-0x0000000077317000-memory.dmp