Windows Analysis Report
drytex.dll

Overview

General Information

Sample Name: drytex.dll
Analysis ID: 610526
MD5: b85405fc1d3a4473826d7ebd31111a50
SHA1: 4b62c6e56be21a0dc8f285a23ca62a055a768956
SHA256: 26af00a279ce082c2bb1db2cb50d2d590623e3f20e6c260d77ca77bf72b51797
Tags: dll, dridex, exe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Uses schtasks.exe or at.exe to add and modify task schedules
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
PE file contains an invalid checksum
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain checking for process token information
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Binary contains a suspicious time stamp
Registers a DLL
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Sigma detected: Autorun Keys Modification
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: drytex.dll Virustotal: Detection: 60%
Source: drytex.dll ReversingLabs: Detection: 76%
Source: drytex.dll Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Y1C20.tmp Avira: detection malicious, Label: HEUR/AGEN.1207422
Source: C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp Avira: detection malicious, Label: HEUR/AGEN.1207422
Source: drytex.dll Joe Sandbox ML: detected
Source: drytex.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.30.dr
Source: Binary string: phoneactivate.pdb source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
Source: Binary string: phoneactivate.pdbGCTL source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.30.dr
Source: Binary string: sgI.pdb source: rundll32.exe, 00000003.00000003.248179831.000002639BD20000.00000004.00000020.00020000.00000000.sdmp, drytex.dll, Y1C20.tmp.5.dr, vmqDDCE.tmp.5.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140049724 FindFirstFileExW, 0_2_0000000140049724
Source: phoneactivate.exe String found in binary or memory: http://schemas.mic

E-Banking Fraud

Source: Yara match File source: 7.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.140000000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.phoneactivate.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.phoneactivate.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.2.phoneactivate.exe.140000000.0.unpack, type: UNPACKEDPE

System Summary

Source: SppExtComObj.Exe.30.dr Static PE information: section name: ?g_Encry
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\system32\xs2t3d
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: String function: 00007FF744386104 appears 52 times
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014005284C NtQuerySystemInformation, 0_2_000000014005284C
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\explorer.exe Section loaded: pcacli.dll
Source: C:\Windows\explorer.exe Section loaded: mpr.dll
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
Source: drytex.dll Static PE information: Number of sections : 57 > 10
Source: Y1C20.tmp.5.dr Static PE information: Number of sections : 58 > 10
Source: vmqDDCE.tmp.5.dr Static PE information: Number of sections : 58 > 10
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe 5D4F713CFC98E7148B67D063193D93BFE29F8329705A03690590633FADE32EE5
Source: drytex.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Y1C20.tmp.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vmqDDCE.tmp.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SppExtComObj.Exe.30.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\drytex.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\drytex.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DwmAttachMilContent
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\phoneactivate.exe C:\Windows\system32\phoneactivate.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\V8Ka.cmd
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\pwcreator.exe C:\Windows\system32\pwcreator.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SppExtComObj.Exe C:\Windows\system32\SppExtComObj.Exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\33sSd.cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "Uttpj" /TR C:\Windows\system32\xs2t3d\SppExtComObj.Exe /SC minute /MO 60 /RL highest
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp
Source: classification engine Classification label: mal100.troj.evad.winDLL@40/10@0/0
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 23_2_00007FF74438730C CoCreateInstance,GetProcessHeap,HeapAlloc,memset,memset,GetProcessHeap,HeapAlloc,memset,memset,GetProcessHeap,HeapAlloc,memset,memset,GetProcessHeap,HeapAlloc,memset,memset, 23_2_00007FF74438730C
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Mutant created: \Sessions\1\BaseNamedObjects\{1d67e0a9-ab25-2d3a-f358-7073a8bb1c60}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Mutant created: \Sessions\1\BaseNamedObjects\{4ae5d0f4-7b10-3c35-b894-84b2027938b4}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 23_2_00007FF744384794 FindResourceExW,GetLastError,LoadResource,LockResource, 23_2_00007FF744384794
Source: Window Recorder Window detected: More than 3 window changes detected
Source: drytex.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: drytex.dll Static file information: File size 1253376 > 1048576
Source: drytex.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.30.dr
Source: Binary string: phoneactivate.pdb source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
Source: Binary string: phoneactivate.pdbGCTL source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.30.dr
Source: Binary string: sgI.pdb source: rundll32.exe, 00000003.00000003.248179831.000002639BD20000.00000004.00000020.00020000.00000000.sdmp, drytex.dll, Y1C20.tmp.5.dr, vmqDDCE.tmp.5.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000020ADDE83055 push rbx; retf 0_2_0000020ADDE8305A
Source: C:\Windows\System32\regsvr32.exe Code function: 2_2_02873055 push rbx; retf 2_2_0287305A
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000002639A343055 push rbx; retf 3_2_000002639A34305A
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000001FFD9983055 push rbx; retf 4_2_000001FFD998305A
Source: C:\Windows\System32\rundll32.exe Code function: 6_2_000001774A0A3055 push rbx; retf 6_2_000001774A0A305A
Source: C:\Windows\System32\rundll32.exe Code function: 7_2_000001AC7B973055 push rbx; retf 7_2_000001AC7B97305A
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 23_2_000001C248203055 push rbx; retf 23_2_000001C24820305A
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 36_2_0000021222523055 push rbx; retf 36_2_000002122252305A
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 44_2_0000025AA5963055 push rbx; retf 44_2_0000025AA596305A
Source: drytex.dll Static PE information: section name: .crt1
Source: drytex.dll Static PE information: section name: qwTG
Source: drytex.dll Static PE information: section name: .lqen
Source: drytex.dll Static PE information: section name: .vqb
Source: drytex.dll Static PE information: section name: .gjd
Source: drytex.dll Static PE information: section name: .wqhqlp
Source: drytex.dll Static PE information: section name: .nulizw
Source: drytex.dll Static PE information: section name: .fgrum
Source: drytex.dll Static PE information: section name: .mjabqc
Source: drytex.dll Static PE information: section name: .ghh
Source: drytex.dll Static PE information: section name: .vrqcr
Source: drytex.dll Static PE information: section name: .siorvl
Source: drytex.dll Static PE information: section name: .sqgym
Source: drytex.dll Static PE information: section name: .kqhrq
Source: drytex.dll Static PE information: section name: .rsntf
Source: drytex.dll Static PE information: section name: .iqt
Source: drytex.dll Static PE information: section name: .kpwiuc
Source: drytex.dll Static PE information: section name: .yuzcn
Source: drytex.dll Static PE information: section name: .jbsbuw
Source: drytex.dll Static PE information: section name: .mdjtj
Source: drytex.dll Static PE information: section name: .mbjeh
Source: drytex.dll Static PE information: section name: .amb
Source: drytex.dll Static PE information: section name: .lac
Source: drytex.dll Static PE information: section name: .zro
Source: drytex.dll Static PE information: section name: .vtq
Source: drytex.dll Static PE information: section name: .kyhoy
Source: drytex.dll Static PE information: section name: .wvi
Source: drytex.dll Static PE information: section name: .alzw
Source: drytex.dll Static PE information: section name: .vdsoxe
Source: drytex.dll Static PE information: section name: .pus
Source: drytex.dll Static PE information: section name: .oqnl
Source: drytex.dll Static PE information: section name: .ohjt
Source: drytex.dll Static PE information: section name: .ofjxx
Source: drytex.dll Static PE information: section name: .ifw
Source: drytex.dll Static PE information: section name: .zktgse
Source: drytex.dll Static PE information: section name: .pmd
Source: drytex.dll Static PE information: section name: .kexxpw
Source: drytex.dll Static PE information: section name: .kiqzd
Source: drytex.dll Static PE information: section name: .uslf
Source: drytex.dll Static PE information: section name: .zkkgx
Source: drytex.dll Static PE information: section name: .phhwk
Source: drytex.dll Static PE information: section name: .klf
Source: drytex.dll Static PE information: section name: .xme
Source: drytex.dll Static PE information: section name: .fnxmzz
Source: drytex.dll Static PE information: section name: .wpkbi
Source: drytex.dll Static PE information: section name: .gzgei
Source: drytex.dll Static PE information: section name: .zep
Source: drytex.dll Static PE information: section name: .viz
Source: drytex.dll Static PE information: section name: .xqen
Source: drytex.dll Static PE information: section name: .ouhvqw
Source: Y1C20.tmp.5.dr Static PE information: section name: .crt1
Source: Y1C20.tmp.5.dr Static PE information: section name: qwTG
Source: Y1C20.tmp.5.dr Static PE information: section name: .lqen
Source: Y1C20.tmp.5.dr Static PE information: section name: .vqb
Source: Y1C20.tmp.5.dr Static PE information: section name: .gjd
Source: Y1C20.tmp.5.dr Static PE information: section name: .wqhqlp
Source: Y1C20.tmp.5.dr Static PE information: section name: .nulizw
Source: Y1C20.tmp.5.dr Static PE information: section name: .fgrum
Source: Y1C20.tmp.5.dr Static PE information: section name: .mjabqc
Source: Y1C20.tmp.5.dr Static PE information: section name: .ghh
Source: Y1C20.tmp.5.dr Static PE information: section name: .vrqcr
Source: Y1C20.tmp.5.dr Static PE information: section name: .siorvl
Source: Y1C20.tmp.5.dr Static PE information: section name: .sqgym
Source: Y1C20.tmp.5.dr Static PE information: section name: .kqhrq
Source: Y1C20.tmp.5.dr Static PE information: section name: .rsntf
Source: Y1C20.tmp.5.dr Static PE information: section name: .iqt
Source: Y1C20.tmp.5.dr Static PE information: section name: .kpwiuc
Source: Y1C20.tmp.5.dr Static PE information: section name: .yuzcn
Source: Y1C20.tmp.5.dr Static PE information: section name: .jbsbuw
Source: Y1C20.tmp.5.dr Static PE information: section name: .mdjtj
Source: Y1C20.tmp.5.dr Static PE information: section name: .mbjeh
Source: Y1C20.tmp.5.dr Static PE information: section name: .amb
Source: Y1C20.tmp.5.dr Static PE information: section name: .lac
Source: Y1C20.tmp.5.dr Static PE information: section name: .zro
Source: Y1C20.tmp.5.dr Static PE information: section name: .vtq
Source: Y1C20.tmp.5.dr Static PE information: section name: .kyhoy
Source: Y1C20.tmp.5.dr Static PE information: section name: .wvi
Source: Y1C20.tmp.5.dr Static PE information: section name: .alzw
Source: Y1C20.tmp.5.dr Static PE information: section name: .vdsoxe
Source: Y1C20.tmp.5.dr Static PE information: section name: .pus
Source: Y1C20.tmp.5.dr Static PE information: section name: .oqnl
Source: Y1C20.tmp.5.dr Static PE information: section name: .ohjt
Source: Y1C20.tmp.5.dr Static PE information: section name: .ofjxx
Source: Y1C20.tmp.5.dr Static PE information: section name: .ifw
Source: Y1C20.tmp.5.dr Static PE information: section name: .zktgse
Source: Y1C20.tmp.5.dr Static PE information: section name: .pmd
Source: Y1C20.tmp.5.dr Static PE information: section name: .kexxpw
Source: Y1C20.tmp.5.dr Static PE information: section name: .kiqzd
Source: Y1C20.tmp.5.dr Static PE information: section name: .uslf
Source: Y1C20.tmp.5.dr Static PE information: section name: .zkkgx
Source: Y1C20.tmp.5.dr Static PE information: section name: .phhwk
Source: Y1C20.tmp.5.dr Static PE information: section name: .klf
Source: Y1C20.tmp.5.dr Static PE information: section name: .xme
Source: Y1C20.tmp.5.dr Static PE information: section name: .fnxmzz
Source: Y1C20.tmp.5.dr Static PE information: section name: .wpkbi
Source: Y1C20.tmp.5.dr Static PE information: section name: .gzgei
Source: Y1C20.tmp.5.dr Static PE information: section name: .zep
Source: Y1C20.tmp.5.dr Static PE information: section name: .viz
Source: Y1C20.tmp.5.dr Static PE information: section name: .xqen
Source: Y1C20.tmp.5.dr Static PE information: section name: .ouhvqw
Source: Y1C20.tmp.5.dr Static PE information: section name: .ivx
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .crt1
Source: vmqDDCE.tmp.5.dr Static PE information: section name: qwTG
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .lqen
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .vqb
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .gjd
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .wqhqlp
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .nulizw
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .fgrum
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .mjabqc
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .ghh
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .vrqcr
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .siorvl
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .sqgym
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .kqhrq
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .rsntf
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .iqt
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .kpwiuc
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .yuzcn
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .jbsbuw
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .mdjtj
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .mbjeh
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .amb
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .lac
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .zro
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .vtq
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .kyhoy
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .wvi
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .alzw
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .vdsoxe
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .pus
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .oqnl
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .ohjt
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .ofjxx
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .ifw
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .zktgse
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .pmd
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .kexxpw
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .kiqzd
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .uslf
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .zkkgx
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .phhwk
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .klf
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .xme
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .fnxmzz
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .wpkbi
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .gzgei
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .zep
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .viz
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .xqen
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .ouhvqw
Source: vmqDDCE.tmp.5.dr Static PE information: section name: .dlt
Source: phoneactivate.exe.19.dr Static PE information: section name: .imrsiv
Source: SppExtComObj.Exe.30.dr Static PE information: section name: ?g_Encry
Source: initial sample Static PE information: section where entry point is pointing to: .crt1
Source: drytex.dll Static PE information: real checksum: 0xb3260629 should be: 0x136300
Source: Y1C20.tmp.5.dr Static PE information: real checksum: 0xb3260629 should be: 0x142b53
Source: vmqDDCE.tmp.5.dr Static PE information: real checksum: 0xb3260629 should be: 0x1816a3
Source: phoneactivate.exe.19.dr Static PE information: 0x9D5EA917 [Sun Aug 31 04:16:23 2053 UTC]
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\drytex.dll
Source: initial sample Static PE information: section name: .text entropy: 7.8179817907
Source: initial sample Static PE information: section name: .text entropy: 7.59477523886
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\System32\xs2t3d\SppExtComObj.Exe
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\system32\xs2t3d\ACTIVEDS.dll (copy)
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\ThotvT\DUI70.dll (copy)
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Y1C20.tmp

Boot Survival

Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "Uttpj" /TR C:\Windows\system32\xs2t3d\SppExtComObj.Exe /SC minute /MO 60 /RL highest
Source: C:\Windows\explorer.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Conqxrew

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: ntdll.dll function: ZwSetEvent new code: 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe Dropped PE file which has not been started: C:\Windows\system32\xs2t3d\ACTIVEDS.dll (copy)
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Y1C20.tmp
Source: C:\Windows\System32\loaddll64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe API coverage: 0.8 %
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_000000014003EB14 GetSystemInfo, 0_2_000000014003EB14
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140049724 FindFirstFileExW, 0_2_0000000140049724
Source: explorer.exe, 00000005.00000000.270853419.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.270853419.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.271193257.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000005.00000000.263094565.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000005.00000000.263115567.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.271193257.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.303077563.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.271193257.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000005.00000000.284568857.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000005.00000000.271171855.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.271193257.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000005.00000000.270853419.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.271193257.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 23_2_00007FF744385364 memmove,GetProcessHeap,HeapFree, 23_2_00007FF744385364
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_0000000140040370 LdrLoadDll, 0_2_0000000140040370
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 23_2_00007FF74438DD68 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 23_2_00007FF74438DD68
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 23_2_00007FF74438E060 SetUnhandledExceptionFilter, 23_2_00007FF74438E060
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 36_2_00007FF74438DD68 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 36_2_00007FF74438DD68
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 36_2_00007FF74438E060 SetUnhandledExceptionFilter, 36_2_00007FF74438E060

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: Y1C20.tmp.5.dr
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC866FEFE0 protect: page execute and read and write
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC866FE000 protect: page execute read
Source: C:\Windows\System32\regsvr32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC85C32A20 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Memory protected: unknown base: 7FFC866FEFE0 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Memory protected: unknown base: 7FFC866FE000 protect: page execute read
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Memory protected: unknown base: 7FFC85C32A20 protect: page execute and read and write
Source: C:\Windows\System32\regsvr32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Atom created: 53565741554156554881ECA8 0x00000000 push ebx 0x00000001 push esi 0x00000002 push edi 0x00000003 inc ecx 0x00000004 push ebp 0x00000005 inc ecx 0x00000006 push esi 0x00000007 push ebp 0x00000008 dec eax 0x00000009 sub esp, 000000A8h
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Atom created: 53565741554156554881ECA8 0x00000000 push ebx 0x00000001 push esi 0x00000002 push edi 0x00000003 inc ecx 0x00000004 push ebp 0x00000005 inc ecx 0x00000006 push esi 0x00000007 push ebp 0x00000008 dec eax 0x00000009 sub esp, 000000A8h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
Source: explorer.exe, 00000005.00000000.263102869.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.249591286.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.283030296.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000005.00000000.302845333.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.263342877.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.299296787.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.263342877.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.299296787.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.250020483.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.263342877.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.299296787.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.250020483.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.298746734.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.283087838.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.249622086.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000005.00000000.263342877.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.299296787.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.250020483.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 23_2_00007FF7443891DC memset,GetSystemTime,SystemTimeToFileTime,GetLastError,memset,SLGetWindowsInformation,memset,LocalFree,GetProcessHeap,HeapFree, 23_2_00007FF7443891DC
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 23_2_00007FF744381E00 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z, 23_2_00007FF744381E00
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe Code function: 36_2_00007FF744381E00 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z, 36_2_00007FF744381E00
No contacted IP infos