Malware Analysis Report

2025-05-28 17:25

Sample ID 250519-jw6p2svn18
Target 250519-jqjnbsvns7.bin
SHA256 b26b58a0fd0811e31a1f53e914784db5736478e1272929ed075f71bc4b48dae9
Tags
dridex botnet defense_evasion payload persistence privilege_escalation trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

b26b58a0fd0811e31a1f53e914784db5736478e1272929ed075f71bc4b48dae9

Threat Level: Known bad

The file 250519-jqjnbsvns7.bin was found to be: Known bad.

Malicious Activity Summary

dridex botnet defense_evasion payload persistence privilege_escalation trojan

Dridex

Dridex family

Dridex Shellcode

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Unsigned PE

Event Triggered Execution: Accessibility Features

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 08:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 08:02

Reported

2025-05-19 08:04

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\250519-jqjnbsvns7.dll,#1

Signatures

Dridex

botnet dridex

Dridex family

dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1153236273-2212388449-1493869963-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bchxroqbssp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\0FMa\\sethc.exe" N/A N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\2sK2d7F\eudcedit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\bIvrQx0\wbengine.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\NMXMyLa\sethc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\0FMa\sethc.exe N/A

Event Triggered Execution: Accessibility Features

persistence privilege_escalation

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 4976 N/A N/A C:\Windows\system32\wbengine.exe
PID 3448 wrote to memory of 5232 N/A N/A C:\Users\Admin\AppData\Local\bIvrQx0\wbengine.exe
PID 3448 wrote to memory of 3376 N/A N/A C:\Windows\system32\sethc.exe
PID 3448 wrote to memory of 5572 N/A N/A C:\Users\Admin\AppData\Local\NMXMyLa\sethc.exe
PID 3448 wrote to memory of 3572 N/A N/A C:\Windows\system32\cmd.exe
PID 3448 wrote to memory of 3600 N/A N/A C:\Windows\system32\eudcedit.exe
PID 3572 wrote to memory of 5684 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\0FMa\sethc.exe
PID 3448 wrote to memory of 4196 N/A N/A C:\Users\Admin\AppData\Local\2sK2d7F\eudcedit.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\250519-jqjnbsvns7.dll,#1

C:\Windows\system32\wbengine.exe

C:\Windows\system32\wbengine.exe

C:\Users\Admin\AppData\Local\bIvrQx0\wbengine.exe

C:\Users\Admin\AppData\Local\bIvrQx0\wbengine.exe

C:\Windows\system32\sethc.exe

C:\Windows\system32\sethc.exe

C:\Users\Admin\AppData\Local\NMXMyLa\sethc.exe

C:\Users\Admin\AppData\Local\NMXMyLa\sethc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\0FMa\sethc.exe

C:\Windows\system32\eudcedit.exe

C:\Windows\system32\eudcedit.exe

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\0FMa\sethc.exe

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\0FMa\sethc.exe

C:\Users\Admin\AppData\Local\2sK2d7F\eudcedit.exe

C:\Users\Admin\AppData\Local\2sK2d7F\eudcedit.exe

Network

Country Destination Domain Proto
NL 104.110.240.113:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
DE 142.250.185.131:80 c.pki.goog tcp

Files

memory/408-1-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/408-3-0x000001C00E870000-0x000001C00E877000-memory.dmp

memory/3448-8-0x00007FFFDBA6A000-0x00007FFFDBA6B000-memory.dmp

memory/3448-31-0x0000000140000000-0x00000001401EC000-memory.dmp

C:\Users\Admin\AppData\Local\bIvrQx0\SPP.dll

MD5 3ce6ad470958542c7ead480554e85e37
SHA1 8fe338950a1c761d54fc157e5a05fa769ceee3c6
SHA256 48b5e4d5bc0b8b56a7852764a70bd1ae99c71bbea4ea98d19108f04ec71cef94
SHA512 754fa2e0c7b3288db3d58de6f91148870a24d7535da35a005ec3cc20786622af2d06d85b07ed2f4571619f2b36c9a85b8add81bc7a179027c0c9f8c019e40cbd

memory/5232-100-0x000002AAF1FB0000-0x000002AAF1FB7000-memory.dmp

C:\Users\Admin\AppData\Local\bIvrQx0\wbengine.exe

MD5 17270a354a66590953c4aac1cf54e507
SHA1 715babcc8e46b02ac498f4f06df7937904d9798d
SHA256 9954394b43783061f9290706320cc65597c29176d5b8e7a26fa1d6b3536832b4
SHA512 6be0ba6be84d01ab47f5a4ca98a6b940c43bd2d1e1a273d41c3e88aca47da11d932024b007716d1a6ffe6cee396b0e3e6971ab2afc293e72472f2e61c17b2a89

memory/3448-91-0x00007FFFDCC60000-0x00007FFFDCC70000-memory.dmp

memory/3448-90-0x0000000001200000-0x0000000001207000-memory.dmp

memory/3448-64-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-63-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-62-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-61-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-60-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-59-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-57-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-56-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-55-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-54-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-53-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-52-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-51-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-49-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-48-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-47-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-46-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-45-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-43-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-42-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-40-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-41-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-39-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-37-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-36-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-35-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-33-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-32-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-30-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-29-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-28-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-27-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-25-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-24-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-22-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-23-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-21-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-20-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-19-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-18-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-15-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-14-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/408-13-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-12-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-65-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-11-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-10-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-9-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-58-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-50-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-44-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-38-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-34-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-6-0x0000000140000000-0x00000001401EC000-memory.dmp

C:\Users\Admin\AppData\Local\NMXMyLa\sethc.exe

MD5 8ba3a9702a3f1799431cad6a290223a6
SHA1 9c7dc9b6830297c8f759d1f46c8b36664e26c031
SHA256 615b2f2d7e3fce340839a9b54bdc3445eb2333d0fafee477d6113379e90935b8
SHA512 680c216d54f4fd2a14f0398e4461c8340ac15acdca75c36a42083625e1081d5e7d262c4c12296b6f21ba2f593f92816edf1c9a0cf4cbee23588e590713b87746

C:\Users\Admin\AppData\Local\NMXMyLa\OLEACC.dll

MD5 8631459abff53f13778cca5770e96630
SHA1 b6fbb6757f5fd97e2b22dba9a486c071862c17ea
SHA256 248b0ca97df2aec8b7a1d5c3814d10485e30f505fc942ca3ad6799b179b2972a
SHA512 8bbef4a6882959a1104e2aea848a002271e4825d3744cc1fee52ae289c3dd3e57d2373aa02533ba0130f7de7b871293c85a8d40d4a73f7dfdf21194bd200b3e4

memory/5572-112-0x0000027DCF600000-0x0000027DCF607000-memory.dmp

memory/3448-26-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-16-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-17-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3448-4-0x0000000001270000-0x0000000001271000-memory.dmp

memory/3448-7-0x0000000140000000-0x00000001401EC000-memory.dmp

C:\Users\Admin\AppData\Local\2sK2d7F\eudcedit.exe

MD5 a9de6557179d371938fbe52511b551ce
SHA1 def460b4028788ded82dc55c36cb0df28599fd5f
SHA256 83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe
SHA512 5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

C:\Users\Admin\AppData\Local\2sK2d7F\MFC42u.dll

MD5 aad649a2de9f33b64b3bb9c0c09ccf84
SHA1 da60aed75fcf11fcfbfd7fa06852f973621f8ccf
SHA256 dadaf52fef5939fcf08e51945cf57ca1ae2e870ed3d19931fe90b66ca66fe7b0
SHA512 418ed2977c0cba90903b223769254a02d9a0e448c50859fc5a2514b7b7f10e9cebfde6d39070c8b8ab56a2f89d52899e768353a24143157be741a69458882124

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Apruuejagsc.lnk

MD5 bb30a08596008864f8bc9876314ab4d7
SHA1 259d451288771fa7c1de3618ee7daea1e9e046a9
SHA256 1217eb8997e1c51b0cb939307ced56dd242297c0cb89869c29087394b547df90
SHA512 e12f5882558f6d5346eeaaa83f970eee226524bfdde629ac8a11b47c88af551ba8c422e0efabc9f8b7e4eee786518f09ab7b6b7c1265705fc853c64e771bfe13

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-19 08:02

Reported

2025-05-19 08:04

Platform

win11-20250502-en

Max time kernel

150s

Max time network

104s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\250519-jqjnbsvns7.dll,#1

Signatures

Dridex

botnet dridex

Dridex family

dridex

Dridex Shellcode

botnet payload
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330179853-1108322181-418488014-1000\Software\Microsoft\Windows\CurrentVersion\Run\Wfsmcetjkwodll = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AddIns\\W7uGOyZ0\\wusa.exe" N/A N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\system32\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\e2n\rdpclip.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\oYgJNB0\wusa.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W7uGOyZ0\wusa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3264 wrote to memory of 5432 N/A N/A C:\Windows\system32\rdpclip.exe
PID 3264 wrote to memory of 4908 N/A N/A C:\Users\Admin\AppData\Local\e2n\rdpclip.exe
PID 3264 wrote to memory of 4816 N/A N/A C:\Windows\system32\wusa.exe
PID 3264 wrote to memory of 4940 N/A N/A C:\Users\Admin\AppData\Local\oYgJNB0\wusa.exe
PID 3264 wrote to memory of 4976 N/A N/A C:\Windows\system32\cmd.exe
PID 3264 wrote to memory of 5060 N/A N/A C:\Windows\system32\AgentService.exe
PID 4976 wrote to memory of 3068 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W7uGOyZ0\wusa.exe
PID 3264 wrote to memory of 5696 N/A N/A C:\Users\Admin\AppData\Local\UDKuq4\AgentService.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\250519-jqjnbsvns7.dll,#1

C:\Windows\system32\rdpclip.exe

C:\Windows\system32\rdpclip.exe

C:\Users\Admin\AppData\Local\e2n\rdpclip.exe

C:\Users\Admin\AppData\Local\e2n\rdpclip.exe

C:\Windows\system32\wusa.exe

C:\Windows\system32\wusa.exe

C:\Users\Admin\AppData\Local\oYgJNB0\wusa.exe

C:\Users\Admin\AppData\Local\oYgJNB0\wusa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W7uGOyZ0\wusa.exe

C:\Windows\system32\AgentService.exe

C:\Windows\system32\AgentService.exe

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W7uGOyZ0\wusa.exe

C:\Users\Admin\AppData\Roaming\Microsoft\AddIns\W7uGOyZ0\wusa.exe

C:\Users\Admin\AppData\Local\UDKuq4\AgentService.exe

C:\Users\Admin\AppData\Local\UDKuq4\AgentService.exe

Network

Files

memory/1204-1-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/1204-0-0x000001DF5D1A0000-0x000001DF5D1A7000-memory.dmp

memory/3264-4-0x00000000026F0000-0x00000000026F1000-memory.dmp

memory/3264-5-0x00007FFFF4117000-0x00007FFFF4118000-memory.dmp

memory/3264-7-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-11-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-50-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-66-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-88-0x00007FFFF6210000-0x00007FFFF6220000-memory.dmp

memory/4908-100-0x00000289359D0000-0x00000289359D7000-memory.dmp

C:\Users\Admin\AppData\Local\e2n\WTSAPI32.dll

MD5 ce09a1691f4dba677f6a63bce9ade2cf
SHA1 4f0880848a1ed44b54e4e709802df0b15cbcbc52
SHA256 12a4a8700a1c2b5ad34e426619039a3b9becc3c4e497dddbd94359d602a2c372
SHA512 4f73b1fb1a56ba60456aa5c2e54cb0ab4f2da13dad52f8435c03fd9015e8c1d714e1c06dda68d469658972783e6fe13110415dc5703cc418d4cf371740616a33

C:\Users\Admin\AppData\Local\e2n\rdpclip.exe

MD5 7e094c9b2ed143d70220eba69c106a13
SHA1 f11057cb5d5203861307604634bd03cd175fe7df
SHA256 1d259ed430b9af4aadc15d899e8458e158cae516fdd5b4267a0d0995b82e9048
SHA512 d9acab9eae18da3ac1fddde128fbda98633000d9ab94dca3142077e1adaafd3fa3e76c545f8e82380f6c42eb718f6a1d81bc0be26a61ef1fc5f8daf9a1d3ac8b

memory/3264-87-0x00000000026D0000-0x00000000026D7000-memory.dmp

memory/3264-65-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-63-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-59-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-58-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-57-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-56-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-55-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-54-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-53-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-52-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-51-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-49-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-48-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-47-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-46-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-43-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-42-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-41-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-39-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-38-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-37-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-36-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-35-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-34-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-31-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-32-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-29-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-28-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-27-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-19-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-18-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-17-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-16-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/1204-15-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-14-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-61-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-62-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-60-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-13-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-12-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-10-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-45-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-44-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-9-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-8-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-33-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-25-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-26-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-23-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-22-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-20-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/3264-21-0x0000000140000000-0x00000001401EC000-memory.dmp

memory/4940-112-0x000002CA86B00000-0x000002CA86B07000-memory.dmp

C:\Users\Admin\AppData\Local\oYgJNB0\dpx.dll

MD5 b8f9999e0987f62ad3913685eafaa31c
SHA1 e226469e8d1eba1f45366f59d9317d6853b64207
SHA256 c58828aa663f3951be558c536b461f3a825bcbe198c8a723a0b64008ca1e4a70
SHA512 b529dc1f0e9e8ba63327a9059c9fad8e225ccdc1f1e5b5f06c6152a9d1e36fb451b1969c563557447a97970c04d500e5d6630367d3c0021cc92dd15a3c013877

C:\Users\Admin\AppData\Local\oYgJNB0\wusa.exe

MD5 297ce1cb7c6ce8ef6f5655ec78e4c667
SHA1 986422155a1509a0ee0dfe8098623f1158ad69c5
SHA256 50af95b82a9fc4f25b5443b2582bc76ef8fdd64792bb8da9b64ec7312da37452
SHA512 2e436801f2f64e816b0f4b80dbe60d350c1d48956d059e55a25c8d1d66311cbd6b59ed1deeec2524c6dedb7efc97ceca5e061f70be06fa7e4872cfa8079519cb

C:\Users\Admin\AppData\Local\UDKuq4\AgentService.exe

MD5 c7e24de48a363f4eb05ade5aad1185ba
SHA1 fbd5529274020b100804394344fc837a14189d66
SHA256 395564dce668e21d767e2a9a627569b97bc06a63fdedc328101e65d05327316d
SHA512 f549f0f08a0487735339bbdca28332da0b194599ac92ab197854505a9ee29e864ae2e0f22bb53adcba010c22e614511e033b7917a7435747001c9a10bba25d35

C:\Users\Admin\AppData\Local\UDKuq4\VERSION.dll

MD5 47e8aa4ba0891c3bae36a1c76be6d365
SHA1 4212914675b39bc5a84bd272c80680dd187d5809
SHA256 c9567e858e1de5963590a99d7edea029e223127f9abd41b52a74420cdb3ac1cd
SHA512 16243fb1ca99ced987fd665346e18506eaeafa91484e0cfb6e5657b0333ed08c7a368ee33a3533bdb26878d44e66c733db15471d444ecbb098a762a443523e11

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Devrec.lnk

MD5 1d0eddba9564003fc80af03509e7c421
SHA1 f53106cbe078c141600b42e28300c09a245ff2c6
SHA256 bfddfc714681e74604efb2c17c63a75d2a064e37b1b96782634c4b1e8b698d27
SHA512 ba99ce6af1f2c8f1c955d15b6735916c509ba49b1f7bb098d38dbc2ae21716533d4ee68b9269c5b21b1b1a60782d0d99c8d996422c92512a3f888e6de74988eb