Malware Analysis Report

2024-10-18 22:06

Sample ID 240611-pn76sswhmd
Target 2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58
SHA256 2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58
Tags
bootkit persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58

Threat Level: Likely malicious

The file 2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58 was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Enumerates connected drives

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 12:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 12:29

Reported

2024-06-11 12:32

Platform

win7-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dbedvdx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dbedvdx.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\qokpi\\gpthb.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\qokpi\gpthb.dll C:\Users\Admin\AppData\Local\Temp\dbedvdx.exe N/A
File opened for modification \??\c:\Program Files\qokpi C:\Users\Admin\AppData\Local\Temp\dbedvdx.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (64 identical hits)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 2228 (4 hits) N/A C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 1744 (4 hits) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2228 wrote to memory of 1496 (4 hits) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dbedvdx.exe
PID 1496 wrote to memory of 2272 (7 hits) N/A C:\Users\Admin\AppData\Local\Temp\dbedvdx.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe

"C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\dbedvdx.exe "C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\dbedvdx.exe

C:\Users\Admin\AppData\Local\Temp\\dbedvdx.exe "C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\qokpi\gpthb.dll",Verify C:\Users\Admin\AppData\Local\Temp\dbedvdx.exe

Network

Country Destination Domain Proto Connections
US 110.34.196.36:803 N/A tcp 2
US 110.34.196.34:3204 N/A tcp 4
US 110.34.196.35:805 N/A tcp 4

Files

memory/2040-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2040-2-0x0000000000400000-0x0000000000464000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbedvdx.exe

MD5 d3d5668142e6e2488113b673c8ee03d6
SHA1 ccdd2a280cfebd941f01f59d7cd3ed0b3e1d853d
SHA256 4cbf1b87ab43aedb6cf588a6fa37faf8a049806a9a49d21f8b28c1e76b272f62
SHA512 f965ecdbb91355cd1d5ad59359d1b92fb59235538e6ddaeb55e7500f8a3cf516f5ab2d7e6da4bf293c3ce6a032c0fb8e89fca8fabbb7cc3ac82c5eef8e38ab8d

memory/2228-8-0x0000000000160000-0x00000000001C4000-memory.dmp

memory/2228-7-0x0000000000160000-0x00000000001C4000-memory.dmp

memory/1496-10-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\qokpi\gpthb.dll

MD5 253d5a20751105c9268b7f1c7cfabc43
SHA1 afd505619ff66fff50ecd646e6764609ad949952
SHA256 25dff76088254427621a11c4ae74e9ddad865d6c9f11b0a993bee5ba4f8b5824
SHA512 380eb7862416fa5f2a9b3073cf4ec9a2080476e004fb54dd8f2cdf6b23bb34cffc7b315af30bf60cf2bfbc0230e37c217a402f5900edd62388ba4a08dcb685aa

memory/2272-17-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2272-16-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2272-15-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2272-19-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2272-20-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2272-22-0x0000000010000000-0x0000000010080000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 12:29

Reported

2024-06-11 12:32

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sivtg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sivtg.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\ukivgopsp\\tdcdj.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
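Both behavioral runs show rundll32 opening \??\PHYSICALDRIVE0 for modification, which is the raw first disk and therefore the MBR in sector 0. The check a responder wants after that is not "does the disk still boot" (a bootkit keeps the partition table and the 0x55AA signature intact on purpose) but "does the 446-byte bootstrap area still hash to the known-good value". The following is an added example, not part of this report or of any sandbox tooling: it parses a 512-byte MBR, enumerates the partition table, hashes the bootstrap code and compares it with a baseline. The sample sector and the simulated overwrite are constructed; the baseline hash stands in for one an operator records from a clean host, and `read_physical_drive0` assumes the `\\.\PhysicalDrive0` device name and administrator rights on Windows.

```python
"""Parse a 512-byte MBR and compare its bootstrap code against a known-good hash.

Added example, not part of the sandbox report. The sample MBR is constructed;
the baseline hash stands in for one recorded from a clean host.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446                 # bytes 0..445: bootstrap code a bootkit overwrites
PARTITION_TABLE_OFFSET = 446         # 4 entries x 16 bytes
ENTRY_FORMAT = "<B3sB3sII"           # status, CHS start, type, CHS end, LBA start, sectors
BOOT_SIGNATURE = b"\x55\xaa"         # bytes 510..511


def build_sample_mbr():
    """Constructed clean MBR: NOP-filled bootstrap, one bootable NTFS (0x07) partition."""
    bootstrap = b"\x90" * BOOTSTRAP_SIZE
    ntfs = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    empty = b"\x00" * 16
    return bootstrap + ntfs + empty * 3 + BOOT_SIGNATURE


def parse_mbr(sector):
    """Return signature status, bootstrap SHA-256 and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_SIZE]).hexdigest(),
        "partitions": partitions,
    }


def check_against_baseline(sector, baseline_sha256):
    """Classify sector 0 as 'clean', 'bootstrap_modified' or 'invalid_signature'.

    A bootkit normally leaves the partition table and 0x55AA alone so the host still
    boots, so the bootstrap hash, not the partition layout, is the decisive check.
    """
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid_signature"
    if info["bootstrap_sha256"] != baseline_sha256:
        return "bootstrap_modified"
    return "clean"


def simulate_bootkit_overwrite(sector):
    """Constructed: patch the first bootstrap bytes with a far jump placeholder while
    leaving the partition table and boot signature untouched."""
    patched = bytearray(sector)
    patched[0:5] = b"\xea\x00\x7c\x00\x00"   # jmp far 0000:7C00 (placeholder)
    return bytes(patched)


def read_physical_drive0():
    """Read sector 0 of the first disk on Windows (administrator required).
    Assumption: \\\\.\\PhysicalDrive0 is the same object the report shows rundll32 opening."""
    if not sys.platform.startswith("win"):
        raise OSError("only meaningful on Windows")
    with open(r"\\.\PhysicalDrive0", "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["bootstrap_sha256"]
    print("clean sample:", check_against_baseline(clean, baseline))
    print("after overwrite:", check_against_baseline(simulate_bootkit_overwrite(clean), baseline))
```

On a live host the baseline should come from a golden image or from the same machine before the incident window; comparing against an MBR captured after rundll32 ran tells you nothing. A differing bootstrap hash with an unchanged partition table is exactly the profile this signature is warning about.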

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created \??\c:\Program Files\ukivgopsp\tdcdj.dll C:\Users\Admin\AppData\Local\Temp\sivtg.exe N/A
File opened for modification \??\c:\Program Files\ukivgopsp C:\Users\Admin\AppData\Local\Temp\sivtg.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (64 identical hits)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4444 wrote to memory of 656 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe C:\Windows\SysWOW64\cmd.exe
PID 656 wrote to memory of 5032 (3 hits) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 656 wrote to memory of 628 (3 hits) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sivtg.exe
PID 628 wrote to memory of 1748 (3 hits) N/A C:\Users\Admin\AppData\Local\Temp\sivtg.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe

"C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\sivtg.exe "C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\sivtg.exe

C:\Users\Admin\AppData\Local\Temp\\sivtg.exe "C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\ukivgopsp\tdcdj.dll",Verify C:\Users\Admin\AppData\Local\Temp\sivtg.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
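The process trees of behavioral1 and behavioral2 have the same shape and only the random names differ: the sample spawns `cmd.exe /c ping 127.0.0.1 -n 2&<temp>\<random>.exe "<own path>"` (the ping is a two-second sleep so the original can be deleted once it exits), the dropped EXE writes a DLL under `Program Files\<random>\` and runs it through rundll32 with the export `Verify`, and the rundll32 instance writes the `Run\Dotx` value that repeats that same rundll32 line at logon. The following is an added example, not part of this report or of any sandbox product: detection logic that ties those three events into one finding from process-creation and registry-set records. The event dictionaries are constructed to mirror the behavioral1 tree (PIDs taken from the report); the field names `image`, `command_line`, `pid`, `ppid`, `key`, `value_name` and `value_data` are assumptions, not a particular sensor's schema, and the placeholder parent PID 1 for the first process is not from the report.

```python
"""Detect the ping-delay relaunch -> dropped EXE -> rundll32 "<dll>",Verify chain.

Added example, not part of the sandbox report. Events below are constructed to
mirror the behavioral1 process tree; the field names are assumed.
"""
import re

# cmd.exe /c ping 127.0.0.1 -n <N>&<dropped.exe> "<original.exe>"
PING_RELAUNCH = re.compile(
    r'ping\s+127\.0\.0\.1\s+-n\s+(?P<count>\d+)\s*&\s*(?P<exe>"?[^"&]+?\.exe)"?\s+"(?P<arg>[^"]+)"',
    re.IGNORECASE,
)
# rundll32.exe "<dll>",<export>  (also matches the Run value data once unescaped)
RUNDLL32_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\w+)', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
PROGRAM_FILES = re.compile(r"^[a-z]:\\program files(?: \(x86\))?\\", re.IGNORECASE)


def norm(path):
    """Collapse doubled backslashes, strip quotes and lower-case for comparison."""
    return re.sub(r"\\+", r"\\", path).strip('"').lower()


def parse_ping_relaunch(command_line):
    m = PING_RELAUNCH.search(command_line)
    if m is None:
        return None
    return {"delay": int(m.group("count")), "exe": norm(m.group("exe")), "arg": norm(m.group("arg"))}


def parse_rundll32(command_line):
    m = RUNDLL32_EXPORT.search(command_line.replace('\\"', '"'))
    if m is None:
        return None
    return {"dll": norm(m.group("dll")), "export": m.group("export")}


def find_chains(proc_events, reg_events):
    """One finding per cmd.exe relaunch whose dropped EXE lives in %TEMP% and spawns
    rundll32 on a DLL under Program Files; the Run value is attached when it loads
    the same DLL, so the finding covers execution, defence evasion and persistence."""
    by_pid = {e["pid"]: e for e in proc_events}
    findings = []
    for cmd in proc_events:
        relaunch = parse_ping_relaunch(cmd["command_line"])
        if relaunch is None or not TEMP_DIR.search(relaunch["exe"]):
            continue
        dropped = [e for e in proc_events
                   if e["ppid"] == cmd["pid"] and norm(e["image"]) == relaunch["exe"]]
        for d in dropped:
            for child in proc_events:
                if child["ppid"] != d["pid"]:
                    continue
                r = parse_rundll32(child["command_line"])
                if r is None or not PROGRAM_FILES.match(r["dll"]):
                    continue
                run_value = next((v for v in reg_events
                                  if v["key"].lower().endswith("\\currentversion\\run")
                                  and (parse_rundll32(v["value_data"]) or {}).get("dll") == r["dll"]),
                                 None)
                parent = by_pid.get(cmd["ppid"])
                findings.append({
                    "origin": norm(parent["image"]) if parent else None,
                    "relaunch_delay": relaunch["delay"],
                    "dropped_exe": relaunch["exe"],
                    "original_path_arg": relaunch["arg"],
                    "dll": r["dll"],
                    "export": r["export"],
                    "run_value": run_value["value_name"] if run_value else None,
                })
    return findings


# Constructed events mirroring behavioral1 (PIDs from the report; ppid 1 is a placeholder).
ORIG = r"C:\Users\Admin\AppData\Local\Temp\2e365264e5bbfa228a37d9593e9a00d2024d89c295f6e2cf8feb5d772d9cab58.exe"
PROC_EVENTS = [
    {"pid": 2040, "ppid": 1, "image": ORIG, "command_line": '"' + ORIG + '"'},
    {"pid": 2228, "ppid": 2040, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "command_line": r'cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\dbedvdx.exe "' + ORIG + '"'},
    {"pid": 1744, "ppid": 2228, "image": r"C:\Windows\SysWOW64\PING.EXE", "command_line": "ping 127.0.0.1 -n 2"},
    {"pid": 1496, "ppid": 2228, "image": r"C:\Users\Admin\AppData\Local\Temp\dbedvdx.exe",
     "command_line": r'C:\Users\Admin\AppData\Local\Temp\\dbedvdx.exe "' + ORIG + '"'},
    {"pid": 2272, "ppid": 1496, "image": r"\??\c:\windows\SysWOW64\rundll32.exe",
     "command_line": r'c:\windows\system32\rundll32.exe "c:\Program Files\qokpi\gpthb.dll",Verify '
                     r'C:\Users\Admin\AppData\Local\Temp\dbedvdx.exe'},
]
REG_EVENTS = [
    {"pid": 2272, "value_name": "Dotx",
     "key": r"\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_data": r'c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\qokpi\\gpthb.dll\",Verify'},
]

if __name__ == "__main__":
    for finding in find_chains(PROC_EVENTS, REG_EVENTS):
        print(finding)
```

Matching on the chain rather than on any single event keeps the rule quiet on installers that legitimately call rundll32 on a DLL in Program Files, while still firing on the behavioral2 run, where only the random names (`sivtg.exe`, `ukivgopsp\tdcdj.dll`) change. For hunting at scale, the `run_value` check is the cheapest pivot: a `Run` value whose data is a rundll32 line pointing at a DLL in a one-word Program Files directory with an export named `Verify` is unusual on its own.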

Network

Country Destination Domain Proto
GB 142.250.178.10:443 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 110.34.196.36:803 tcp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 211.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 104.246.116.51.in-addr.arpa udp

Files

memory/4444-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/4444-2-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sivtg.exe

MD5 646061a4be9b22c72f0f31f28c0abd1b
SHA1 ab08208a96d76de465d205a8d800ab123f316860
SHA256 20cd0ba16e567b639f1545ab84f98f68b09e6c548ec08d983153c5fc9ccb851e
SHA512 917816cdaf275398867933e32b61c50466345920df6027a22c844bb0c35e79a08b0eaa31515630c019d38fab14d0931a94b44b48bcb236df505ba47e7adea8ad

memory/628-6-0x0000000000400000-0x0000000000464000-memory.dmp

memory/628-8-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\ukivgopsp\tdcdj.dll

MD5 80eaacb6d088d0ac677c8e6f19507202
SHA1 905297eaf03f89bf73001dff2c891fe9e5cc7063
SHA256 0651f60397d918f63661f1a10592233c534d3a77f399b24f6fc9185ae90b56bb
SHA512 5941c7506363c68ebfc05ff88c8df3df628dba6a84642a59175e4baf21b1bd9971d2ed5914be55bdd7e4d5deded7ad5334c7cd3d27147285bcbb235bb8c8df41

memory/1748-11-0x0000000010000000-0x0000000010080000-memory.dmp

memory/1748-13-0x0000000010000000-0x0000000010080000-memory.dmp

memory/1748-14-0x0000000010000000-0x0000000010080000-memory.dmp