Malware Analysis Report

2024-12-07 02:02

Sample ID 241111-t212vs1gjm
Target 019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052
SHA256 019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052
Tags
bootkit discovery persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052

Threat Level: Likely malicious

The file 019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052 was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Blocklisted process makes network request

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 16:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 16:33

Reported

2024-11-11 16:36

Platform

win7-20240903-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sjjju.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sjjju.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\bdiqhvxif\\auyvkvt.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\bdiqhvxif C:\Users\Admin\AppData\Local\Temp\sjjju.exe N/A
File created \??\c:\Program Files\bdiqhvxif\auyvkvt.dll C:\Users\Admin\AppData\Local\Temp\sjjju.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sjjju.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe C:\Windows\SysWOW64\cmd.exe
PID 2492 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe C:\Windows\SysWOW64\cmd.exe
PID 1524 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1524 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1524 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1524 wrote to memory of 2356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1524 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sjjju.exe
PID 1524 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sjjju.exe
PID 1524 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sjjju.exe
PID 1524 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\sjjju.exe
PID 1812 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\sjjju.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\sjjju.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\sjjju.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\sjjju.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\sjjju.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\sjjju.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 1812 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\sjjju.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe

"C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\sjjju.exe "C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\sjjju.exe

C:\Users\Admin\AppData\Local\Temp\\sjjju.exe "C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\bdiqhvxif\auyvkvt.dll",Verify C:\Users\Admin\AppData\Local\Temp\sjjju.exe

Network

Country Destination Domain Proto
US 110.34.196.36:803 tcp
US 110.34.196.36:803 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp

Files

memory/2492-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2492-2-0x0000000000400000-0x0000000000464000-memory.dmp

\Users\Admin\AppData\Local\Temp\sjjju.exe

MD5 066c7e66c07f1bb5efbf29322253e1f1
SHA1 aa6dd56128f5e7d0562580adfeaf2ccd5bac11fb
SHA256 26a80e6ff5b97a30122daef070ad9ef459aad2c92558f4ec258107ec0809a54f
SHA512 e2c896fd18545f28d01a10c027442b10ae6a268f185ad9037989c1d177f2b54771bff020e067e7e8bc1e1dcf5743be02311c2b397b7335b9851c3e4a338332f8

memory/1524-6-0x0000000000280000-0x00000000002E4000-memory.dmp

memory/1524-7-0x0000000000280000-0x00000000002E4000-memory.dmp

memory/1812-10-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\bdiqhvxif\auyvkvt.dll

MD5 e1a358d4beb754cee47edf617e9adce1
SHA1 cea417d9a276aab89fcdb5643fe52dc377ab55c1
SHA256 68b69665e400c8e6e683ecfbc2af690ed08e4de0946f69ee09d3cfa236b5d4d3
SHA512 9c27b3595a8f200cb3e373e1a902e2d79a315bcddf08e97fa2a1404a7a30246dd5bc93a94e412b5f0b01e544fb51a2dfff0c451022bed25fabc93325fe96619e

memory/2644-16-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2644-17-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2644-19-0x0000000010000000-0x0000000010080000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 16:33

Reported

2024-11-11 16:36

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hfbkr.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hfbkr.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\zzejw\\bijey.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\zzejw C:\Users\Admin\AppData\Local\Temp\hfbkr.exe N/A
File created \??\c:\Program Files\zzejw\bijey.dll C:\Users\Admin\AppData\Local\Temp\hfbkr.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hfbkr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4568 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe C:\Windows\SysWOW64\cmd.exe
PID 4568 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 512 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 512 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 512 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\hfbkr.exe
PID 512 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\hfbkr.exe
PID 512 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\hfbkr.exe
PID 4664 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\hfbkr.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4664 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\hfbkr.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4664 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\hfbkr.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe

"C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\hfbkr.exe "C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\hfbkr.exe

C:\Users\Admin\AppData\Local\Temp\\hfbkr.exe "C:\Users\Admin\AppData\Local\Temp\019ca5885886ecc2cc62352fe358d7c211390f8522d49f9a369e9bd5e7044052.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\zzejw\bijey.dll",Verify C:\Users\Admin\AppData\Local\Temp\hfbkr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 110.34.196.36:803 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 110.34.196.34:3204 tcp

Files

memory/4568-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/4568-2-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hfbkr.exe

MD5 3758dd67d2edb7ce52f6c9a052e17356
SHA1 7d5729fdbb59309972461685189d8a5057498d5b
SHA256 8d068f5d300d65b73a7d5ad53df1c70e021f769f73fa673dbeabcddd82c959d7
SHA512 622ea63e957c0ba38b2d12f3ab99ff69a7a94a63fb0596a2d9320e93bb1490e8ae75e43cbc287970f2cc5093018cfb994702fe037106beecdaffcca0950c07c5

memory/4664-6-0x0000000000400000-0x0000000000464000-memory.dmp

memory/4664-8-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\zzejw\bijey.dll

MD5 da050e7e69e3fd079a67713e8814bee1
SHA1 96b483006baa2337e14aba10554d7ed08d509262
SHA256 c069a6d83b21169e00d82a2067927a8b44d58e8560f15b759bfdbdc0357dec6f
SHA512 eca04931c27a456d0e0aff13bff02dcb5d2709f0f7cc22d92d1fa1b64b4966c1cd1f5c60baf6bea94dabffb9a4160b1b62370e271e32b4f070437a382be2ca6b

memory/2496-11-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2496-12-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2496-14-0x0000000010000000-0x0000000010080000-memory.dmp