Edit tour

Windows Analysis Report
drytex.dll

Overview

General Information

Sample Name:	drytex.dll
Analysis ID:	610526
MD5:	b85405fc1d3a4473826d7ebd31111a50
SHA1:	4b62c6e56be21a0dc8f285a23ca62a055a768956
SHA256:	26af00a279ce082c2bb1db2cb50d2d590623e3f20e6c260d77ca77bf72b51797
Tags:	dlldridexexe
Infos:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes memory attributes in foreign processes to executable or writable

Machine Learning detection for sample

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Call by Ordinal

Uses schtasks.exe or at.exe to add and modify task schedules

Uses Atom Bombing / ProGate to inject into other processes

PE file contains section with special chars

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Queries the installation date of Windows

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Entry point lies outside standard sections

PE file contains an invalid checksum

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Found evasive API chain checking for process token information

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Binary contains a suspicious time stamp

Registers a DLL

PE file contains more sections than normal

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Sigma detected: Autorun Keys Modification

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7036 cmdline: loaddll64.exe "C:\Users\user\Desktop\drytex.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)

cmd.exe (PID: 7044 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 7064 cmdline: rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 7052 cmdline: regsvr32.exe /s C:\Users\user\Desktop\drytex.dll MD5: D78B75FC68247E8A63ACBA846182740E)

explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

phoneactivate.exe (PID: 6868 cmdline: C:\Windows\system32\phoneactivate.exe MD5: 09D1974A03068D4311F1CE94B765E817)

cmd.exe (PID: 7064 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\V8Ka.cmd MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

phoneactivate.exe (PID: 1988 cmdline: "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe" MD5: 09D1974A03068D4311F1CE94B765E817)

pwcreator.exe (PID: 1428 cmdline: C:\Windows\system32\pwcreator.exe MD5: BF33FA218E0B4F6AEC77616BE0F5DD9D)

SppExtComObj.Exe (PID: 6320 cmdline: C:\Windows\system32\SppExtComObj.Exe MD5: 809E11DECADAEBE2454EFEDD620C4769)

cmd.exe (PID: 6028 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\33sSd.cmd MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

phoneactivate.exe (PID: 1908 cmdline: "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe" MD5: 09D1974A03068D4311F1CE94B765E817)

dllhost.exe (PID: 5520 cmdline: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} MD5: 2528137C6745C4EADD87817A1909677E)

schtasks.exe (PID: 5872 cmdline: "C:\Windows\System32\schtasks.exe" /Create /F /TN "Uttpj" /TR C:\Windows\system32\xs2t3d\SppExtComObj.Exe /SC minute /MO 60 /RL highest MD5: 838D346D1D28F00783B7A6C6BD03A0DA)

conhost.exe (PID: 3176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

phoneactivate.exe (PID: 2384 cmdline: "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe" MD5: 09D1974A03068D4311F1CE94B765E817)

rundll32.exe (PID: 7072 cmdline: rundll32.exe C:\Users\user\Desktop\drytex.dll,DllCanUnloadNow MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 7132 cmdline: rundll32.exe C:\Users\user\Desktop\drytex.dll,DllGetClassObject MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 5168 cmdline: rundll32.exe C:\Users\user\Desktop\drytex.dll,DwmAttachMilContent MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.255992853.0000000140001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0000002C.00000002.442591492.0000000140001000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000017.00000002.454233782.0000000140001000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000007.00000002.263687093.0000000140001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000024.00000002.425949324.0000000140001000.00000020.00000001.01000000.0000000A.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.269681895.0000000140001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000004.00000002.248898952.0000000140001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000002.00000002.337765155.0000000140001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.248725971.0000000140001000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.rundll32.exe.140000000.0.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
4.2.rundll32.exe.140000000.0.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
2.2.regsvr32.exe.140000000.2.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
44.2.phoneactivate.exe.140000000.0.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
6.2.rundll32.exe.140000000.0.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
3.2.rundll32.exe.140000000.0.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll64.exe.140000000.0.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
23.2.phoneactivate.exe.140000000.0.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
36.2.phoneactivate.exe.140000000.0.unpack	JoeSecurity_Dridex_2	Yara detected Dridex unpacked file	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Call by Ordinal

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7044, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1, ProcessId: 7064, ProcessName: rundll32.exe

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton: Data: Details: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\explorer.exe, ProcessId: 3968, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Conqxrew

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\cmd.exe, ProcessId: 7064, TargetFilename: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe

Source: Process started

Author: frack113: Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 7064, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 7112, ProcessName: conhost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: drytex.dll	Virustotal: Detection: 60%			Perma Link
Source: drytex.dll	ReversingLabs: Detection: 76%

Antivirus / Scanner detection for submitted sample

Source: drytex.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\Y1C20.tmp	Avira: detection malicious, Label: HEUR/AGEN.1207422
Source: C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp	Avira: detection malicious, Label: HEUR/AGEN.1207422

Machine Learning detection for sample

Source: drytex.dll

Joe Sandbox ML: detected

Source: drytex.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.30.dr
Source:	Binary string: phoneactivate.pdb source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
Source:	Binary string: phoneactivate.pdbGCTL source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
Source:	Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.30.dr
Source:	Binary string: sgI.pdb source: rundll32.exe, 00000003.00000003.248179831.000002639BD20000.00000004.00000020.00020000.00000000.sdmp, drytex.dll, Y1C20.tmp.5.dr, vmqDDCE.tmp.5.dr

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000140049724 FindFirstFileExW,

Source: phoneactivate.exe

String found in binary or memory: http://schemas.mic

E-Banking Fraud

Yara detected Dridex unpacked file

Source: Yara match	File source: 7.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.regsvr32.exe.140000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.phoneactivate.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.phoneactivate.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.phoneactivate.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.255992853.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.442591492.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.454233782.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.263687093.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.425949324.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.269681895.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.248898952.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.337765155.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.248725971.0000000140001000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

System Summary

PE file contains section with special chars

Source: SppExtComObj.Exe.30.dr

Static PE information: section name: ?g_Encry

Source: C:\Windows\System32\cmd.exe

File created: C:\Windows\system32\xs2t3d

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005284C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140048A4C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140040370
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400343E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140026C74
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004F4D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140049CE8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004357C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003DEEC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140036778
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022004
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140060014
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140024028
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002782C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002E030
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005582B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140034044
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000F848
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003D878
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140020094
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002F8A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400280AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004F0AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400410B4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400150E4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140066100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140025100
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004D914
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140033124
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140032128
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140025930
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140005950
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004E954
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140001158
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003796C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140049980
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140039990
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002F198
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400389A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400099AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400659F0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002EA1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140055A4D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014005A24C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001B250
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140001A78
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140007284
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140061283
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140061A90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400642A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002DAA4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140043AC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140019AC4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400512E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400162E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002BAEC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140006AEC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140063324
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140013B64
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140055364
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140019378
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140060B8C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001A394
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140008B94
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004BBBC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140021BD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400243E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002B3F3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140004C0C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002B429
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140012474
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000AC74
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140038478
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004FC74
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002747C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002A4A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001B4AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004A4B0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140063CB4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002F4B8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140003CC4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000ECD0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140017CD4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140044CD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004ECF8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140042504
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140026534
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002AD38
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140022D50
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140029550
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140012D8C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140051D90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140006D94
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400515A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400285AC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031DCC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400365D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400205D8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140011DE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004D5EC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003A60C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140021E1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140023E1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004E628
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004CE2C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140018638
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140004E38
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140014644
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002EE48
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004A660
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140053670
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014003AE70
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140031670
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014002D694
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140036E98
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000D69C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140050EA8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140053EC0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001BEC8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400466C4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014004EF0C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140017F40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001CF40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140041F3C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140032750
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014000578C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400137A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400557A3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000014001C7CC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001400027DC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000140030FE0
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF744385364
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF74438D570
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF744386920
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF7443891DC
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF744385998
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF74438B9B4
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF7443883BC
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF7443897D4
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF744388058
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF74438A094
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF74438D220
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF74438CE28
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF7443884DC
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF744385EE0
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF7443812F8
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF74438730C
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF744385364
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF74438D570
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF744386920
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF7443891DC
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF744385998
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF74438B9B4
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF7443883BC
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF7443897D4
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF744388058
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF74438A094
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF74438D220
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF74438CE28
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF7443884DC
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF744385EE0
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF7443812F8
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF74438730C

Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe

Code function: String function: 00007FF744386104 appears 52 times

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_000000014005284C NtQuerySystemInformation,

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll
Source: C:\Windows\explorer.exe	Section loaded: pcacli.dll
Source: C:\Windows\explorer.exe	Section loaded: mpr.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll

Source: drytex.dll	Static PE information: Number of sections : 57 > 10
Source: Y1C20.tmp.5.dr	Static PE information: Number of sections : 58 > 10
Source: vmqDDCE.tmp.5.dr	Static PE information: Number of sections : 58 > 10

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe 5D4F713CFC98E7148B67D063193D93BFE29F8329705A03690590633FADE32EE5

Source: drytex.dll	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Y1C20.tmp.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vmqDDCE.tmp.5.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SppExtComObj.Exe.30.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: drytex.dll	Virustotal: Detection: 60%
Source: drytex.dll	ReversingLabs: Detection: 76%

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\drytex.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\drytex.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DwmAttachMilContent
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\phoneactivate.exe C:\Windows\system32\phoneactivate.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\V8Ka.cmd
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\pwcreator.exe C:\Windows\system32\pwcreator.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SppExtComObj.Exe C:\Windows\system32\SppExtComObj.Exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\33sSd.cmd
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "Uttpj" /TR C:\Windows\system32\xs2t3d\SppExtComObj.Exe /SC minute /MO 60 /RL highest
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\drytex.dll
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\drytex.dll,DwmAttachMilContent
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\phoneactivate.exe C:\Windows\system32\phoneactivate.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\V8Ka.cmd
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\pwcreator.exe C:\Windows\system32\pwcreator.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\SppExtComObj.Exe C:\Windows\system32\SppExtComObj.Exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe "C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winDLL@40/10@0/0

Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe

Code function: 23_2_00007FF74438730C CoCreateInstance,GetProcessHeap,HeapAlloc,memset,memset,GetProcessHeap,HeapAlloc,memset,memset,GetProcessHeap,HeapAlloc,memset,memset,GetProcessHeap,HeapAlloc,memset,memset,

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1

Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1d67e0a9-ab25-2d3a-f358-7073a8bb1c60}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Mutant created: \Sessions\1\BaseNamedObjects\{4ae5d0f4-7b10-3c35-b894-84b2027938b4}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01

Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe

Code function: 23_2_00007FF744384794 FindResourceExW,GetLastError,LoadResource,LockResource,

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: drytex.dll

Static PE information: Image base 0x140000000 > 0x60000000

Source: drytex.dll

Static file information: File size 1253376 > 1048576

Source: drytex.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.30.dr
Source:	Binary string: phoneactivate.pdb source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
Source:	Binary string: phoneactivate.pdbGCTL source: cmd.exe, 00000013.00000003.380184797.000001CC86274000.00000004.00000020.00020000.00000000.sdmp, phoneactivate.exe, 00000017.00000000.402663485.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000017.00000002.455042289.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000000.420584441.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 00000024.00000002.427114230.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000000.439008775.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe, 0000002C.00000002.443535019.00007FF744390000.00000002.00000001.01000000.00000009.sdmp, phoneactivate.exe.19.dr
Source:	Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.30.dr
Source:	Binary string: sgI.pdb source: rundll32.exe, 00000003.00000003.248179831.000002639BD20000.00000004.00000020.00020000.00000000.sdmp, drytex.dll, Y1C20.tmp.5.dr, vmqDDCE.tmp.5.dr

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000020ADDE83055 push rbx; retf
Source: C:\Windows\System32\regsvr32.exe	Code function: 2_2_02873055 push rbx; retf
Source: C:\Windows\System32\rundll32.exe	Code function: 3_2_000002639A343055 push rbx; retf
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000001FFD9983055 push rbx; retf
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_000001774A0A3055 push rbx; retf
Source: C:\Windows\System32\rundll32.exe	Code function: 7_2_000001AC7B973055 push rbx; retf
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_000001C248203055 push rbx; retf
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_0000021222523055 push rbx; retf
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 44_2_0000025AA5963055 push rbx; retf

Source: drytex.dll	Static PE information: section name: .crt1
Source: drytex.dll	Static PE information: section name: qwTG
Source: drytex.dll	Static PE information: section name: .lqen
Source: drytex.dll	Static PE information: section name: .vqb
Source: drytex.dll	Static PE information: section name: .gjd
Source: drytex.dll	Static PE information: section name: .wqhqlp
Source: drytex.dll	Static PE information: section name: .nulizw
Source: drytex.dll	Static PE information: section name: .fgrum
Source: drytex.dll	Static PE information: section name: .mjabqc
Source: drytex.dll	Static PE information: section name: .ghh
Source: drytex.dll	Static PE information: section name: .vrqcr
Source: drytex.dll	Static PE information: section name: .siorvl
Source: drytex.dll	Static PE information: section name: .sqgym
Source: drytex.dll	Static PE information: section name: .kqhrq
Source: drytex.dll	Static PE information: section name: .rsntf
Source: drytex.dll	Static PE information: section name: .iqt
Source: drytex.dll	Static PE information: section name: .kpwiuc
Source: drytex.dll	Static PE information: section name: .yuzcn
Source: drytex.dll	Static PE information: section name: .jbsbuw
Source: drytex.dll	Static PE information: section name: .mdjtj
Source: drytex.dll	Static PE information: section name: .mbjeh
Source: drytex.dll	Static PE information: section name: .amb
Source: drytex.dll	Static PE information: section name: .lac
Source: drytex.dll	Static PE information: section name: .zro
Source: drytex.dll	Static PE information: section name: .vtq
Source: drytex.dll	Static PE information: section name: .kyhoy
Source: drytex.dll	Static PE information: section name: .wvi
Source: drytex.dll	Static PE information: section name: .alzw
Source: drytex.dll	Static PE information: section name: .vdsoxe
Source: drytex.dll	Static PE information: section name: .pus
Source: drytex.dll	Static PE information: section name: .oqnl
Source: drytex.dll	Static PE information: section name: .ohjt
Source: drytex.dll	Static PE information: section name: .ofjxx
Source: drytex.dll	Static PE information: section name: .ifw
Source: drytex.dll	Static PE information: section name: .zktgse
Source: drytex.dll	Static PE information: section name: .pmd
Source: drytex.dll	Static PE information: section name: .kexxpw
Source: drytex.dll	Static PE information: section name: .kiqzd
Source: drytex.dll	Static PE information: section name: .uslf
Source: drytex.dll	Static PE information: section name: .zkkgx
Source: drytex.dll	Static PE information: section name: .phhwk
Source: drytex.dll	Static PE information: section name: .klf
Source: drytex.dll	Static PE information: section name: .xme
Source: drytex.dll	Static PE information: section name: .fnxmzz
Source: drytex.dll	Static PE information: section name: .wpkbi
Source: drytex.dll	Static PE information: section name: .gzgei
Source: drytex.dll	Static PE information: section name: .zep
Source: drytex.dll	Static PE information: section name: .viz
Source: drytex.dll	Static PE information: section name: .xqen
Source: drytex.dll	Static PE information: section name: .ouhvqw
Source: Y1C20.tmp.5.dr	Static PE information: section name: .crt1
Source: Y1C20.tmp.5.dr	Static PE information: section name: qwTG
Source: Y1C20.tmp.5.dr	Static PE information: section name: .lqen
Source: Y1C20.tmp.5.dr	Static PE information: section name: .vqb
Source: Y1C20.tmp.5.dr	Static PE information: section name: .gjd
Source: Y1C20.tmp.5.dr	Static PE information: section name: .wqhqlp
Source: Y1C20.tmp.5.dr	Static PE information: section name: .nulizw
Source: Y1C20.tmp.5.dr	Static PE information: section name: .fgrum
Source: Y1C20.tmp.5.dr	Static PE information: section name: .mjabqc
Source: Y1C20.tmp.5.dr	Static PE information: section name: .ghh
Source: Y1C20.tmp.5.dr	Static PE information: section name: .vrqcr
Source: Y1C20.tmp.5.dr	Static PE information: section name: .siorvl
Source: Y1C20.tmp.5.dr	Static PE information: section name: .sqgym
Source: Y1C20.tmp.5.dr	Static PE information: section name: .kqhrq
Source: Y1C20.tmp.5.dr	Static PE information: section name: .rsntf
Source: Y1C20.tmp.5.dr	Static PE information: section name: .iqt
Source: Y1C20.tmp.5.dr	Static PE information: section name: .kpwiuc
Source: Y1C20.tmp.5.dr	Static PE information: section name: .yuzcn
Source: Y1C20.tmp.5.dr	Static PE information: section name: .jbsbuw
Source: Y1C20.tmp.5.dr	Static PE information: section name: .mdjtj
Source: Y1C20.tmp.5.dr	Static PE information: section name: .mbjeh
Source: Y1C20.tmp.5.dr	Static PE information: section name: .amb
Source: Y1C20.tmp.5.dr	Static PE information: section name: .lac
Source: Y1C20.tmp.5.dr	Static PE information: section name: .zro
Source: Y1C20.tmp.5.dr	Static PE information: section name: .vtq
Source: Y1C20.tmp.5.dr	Static PE information: section name: .kyhoy
Source: Y1C20.tmp.5.dr	Static PE information: section name: .wvi
Source: Y1C20.tmp.5.dr	Static PE information: section name: .alzw
Source: Y1C20.tmp.5.dr	Static PE information: section name: .vdsoxe
Source: Y1C20.tmp.5.dr	Static PE information: section name: .pus
Source: Y1C20.tmp.5.dr	Static PE information: section name: .oqnl
Source: Y1C20.tmp.5.dr	Static PE information: section name: .ohjt
Source: Y1C20.tmp.5.dr	Static PE information: section name: .ofjxx
Source: Y1C20.tmp.5.dr	Static PE information: section name: .ifw
Source: Y1C20.tmp.5.dr	Static PE information: section name: .zktgse
Source: Y1C20.tmp.5.dr	Static PE information: section name: .pmd
Source: Y1C20.tmp.5.dr	Static PE information: section name: .kexxpw
Source: Y1C20.tmp.5.dr	Static PE information: section name: .kiqzd
Source: Y1C20.tmp.5.dr	Static PE information: section name: .uslf
Source: Y1C20.tmp.5.dr	Static PE information: section name: .zkkgx
Source: Y1C20.tmp.5.dr	Static PE information: section name: .phhwk
Source: Y1C20.tmp.5.dr	Static PE information: section name: .klf
Source: Y1C20.tmp.5.dr	Static PE information: section name: .xme
Source: Y1C20.tmp.5.dr	Static PE information: section name: .fnxmzz
Source: Y1C20.tmp.5.dr	Static PE information: section name: .wpkbi
Source: Y1C20.tmp.5.dr	Static PE information: section name: .gzgei
Source: Y1C20.tmp.5.dr	Static PE information: section name: .zep
Source: Y1C20.tmp.5.dr	Static PE information: section name: .viz
Source: Y1C20.tmp.5.dr	Static PE information: section name: .xqen
Source: Y1C20.tmp.5.dr	Static PE information: section name: .ouhvqw
Source: Y1C20.tmp.5.dr	Static PE information: section name: .ivx
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .crt1
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: qwTG
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .lqen
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .vqb
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .gjd
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .wqhqlp
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .nulizw
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .fgrum
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .mjabqc
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .ghh
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .vrqcr
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .siorvl
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .sqgym
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .kqhrq
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .rsntf
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .iqt
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .kpwiuc
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .yuzcn
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .jbsbuw
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .mdjtj
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .mbjeh
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .amb
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .lac
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .zro
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .vtq
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .kyhoy
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .wvi
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .alzw
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .vdsoxe
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .pus
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .oqnl
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .ohjt
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .ofjxx
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .ifw
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .zktgse
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .pmd
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .kexxpw
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .kiqzd
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .uslf
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .zkkgx
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .phhwk
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .klf
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .xme
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .fnxmzz
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .wpkbi
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .gzgei
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .zep
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .viz
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .xqen
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .ouhvqw
Source: vmqDDCE.tmp.5.dr	Static PE information: section name: .dlt
Source: phoneactivate.exe.19.dr	Static PE information: section name: .imrsiv
Source: SppExtComObj.Exe.30.dr	Static PE information: section name: ?g_Encry

Source: initial sample

Static PE information: section where entry point is pointing to: .crt1

Source: drytex.dll	Static PE information: real checksum: 0xb3260629 should be: 0x136300
Source: Y1C20.tmp.5.dr	Static PE information: real checksum: 0xb3260629 should be: 0x142b53
Source: vmqDDCE.tmp.5.dr	Static PE information: real checksum: 0xb3260629 should be: 0x1816a3

Source: phoneactivate.exe.19.dr

Static PE information: 0x9D5EA917 [Sun Aug 31 04:16:23 2053 UTC]

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\drytex.dll

Source: initial sample	Static PE information: section name: .text entropy: 7.8179817907
Source: initial sample	Static PE information: section name: .text entropy: 7.8179817907
Source: initial sample	Static PE information: section name: .text entropy: 7.8179817907
Source: initial sample	Static PE information: section name: .text entropy: 7.59477523886

Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\System32\xs2t3d\SppExtComObj.Exe	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\system32\xs2t3d\ACTIVEDS.dll (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Roaming\ThotvT\DUI70.dll (copy)	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\Y1C20.tmp	Jump to dropped file

Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\System32\xs2t3d\SppExtComObj.Exe			Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Windows\system32\xs2t3d\ACTIVEDS.dll (copy)			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /F /TN "Uttpj" /TR C:\Windows\system32\xs2t3d\SppExtComObj.Exe /SC minute /MO 60 /RL highest

Source: C:\Windows\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Conqxrew			Jump to behavior
Source: C:\Windows\explorer.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Conqxrew			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: ntdll.dll function: ZwSetEvent new code: 0xE9 0x9B 0xBB 0xB5 0x5E 0xEF

Source: C:\Windows\explorer.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\cmd.exe	Dropped PE file which has not been started: C:\Windows\system32\xs2t3d\ACTIVEDS.dll (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Y1C20.tmp	Jump to dropped file

Source: C:\Windows\System32\loaddll64.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	API coverage: 0.8 %
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	API coverage: 0.8 %

Source: C:\Windows\System32\loaddll64.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_000000014003EB14 GetSystemInfo,

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000140049724 FindFirstFileExW,

Source: explorer.exe, 00000005.00000000.270853419.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.270853419.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000005.00000000.271193257.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000005.00000000.263094565.0000000000680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000005.00000000.263115567.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.271193257.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.303077563.00000000062C4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.271193257.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}+]e
Source: explorer.exe, 00000005.00000000.284568857.0000000004287000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000005.00000000.271171855.000000000820E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.271193257.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000005.00000000.270853419.00000000080ED000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.271193257.0000000008223000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00l

Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe

Code function: 23_2_00007FF744385364 memmove,GetProcessHeap,HeapFree,

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_0000000140040370 LdrLoadDll,

Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF74438DD68 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF74438E060 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF74438DD68 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF74438E060 SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: Y1C20.tmp.5.dr

Jump to dropped file

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\regsvr32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC866FEFE0 protect: page execute and read and write
Source: C:\Windows\System32\regsvr32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC866FE000 protect: page execute read
Source: C:\Windows\System32\regsvr32.exe	Memory protected: C:\Windows\explorer.exe base: 7FFC85C32A20 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Memory protected: unknown base: 7FFC866FEFE0 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Memory protected: unknown base: 7FFC866FE000 protect: page execute read
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Memory protected: unknown base: 7FFC85C32A20 protect: page execute and read and write

Queues an APC in another process (thread injection)

Source: C:\Windows\System32\regsvr32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Uses Atom Bombing / ProGate to inject into other processes

Source: C:\Windows\System32\regsvr32.exe	Atom created: 53565741554156554881ECA8 0x00000000 push ebx 0x00000001 push esi 0x00000002 push edi 0x00000003 inc ecx 0x00000004 push ebp 0x00000005 inc ecx 0x00000006 push esi 0x00000007 push ebp 0x00000008 dec eax 0x00000009 sub esp, 000000A8h
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Atom created: 53565741554156554881ECA8 0x00000000 push ebx 0x00000001 push esi 0x00000002 push edi 0x00000003 inc ecx 0x00000004 push ebp 0x00000005 inc ecx 0x00000006 push esi 0x00000007 push ebp 0x00000008 dec eax 0x00000009 sub esp, 000000A8h

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1

Source: explorer.exe, 00000005.00000000.263102869.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.249591286.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.283030296.0000000000688000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000005.00000000.302845333.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.263342877.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.299296787.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.263342877.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.299296787.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.250020483.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.263342877.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.299296787.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.250020483.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.298746734.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.283087838.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.249622086.000000000069D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000005.00000000.263342877.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.299296787.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.250020483.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: WProgram Manager

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\loaddll64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe

Code function: 23_2_00007FF7443891DC memset,GetSystemTime,SystemTimeToFileTime,GetLastError,memset,SLGetWindowsInformation,memset,LocalFree,GetProcessHeap,HeapFree,

Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 23_2_00007FF744381E00 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,
Source: C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe	Code function: 36_2_00007FF744381E00 StrToID,?FindDescendent@Element@DirectUI@@QEAAPEAV12@G@Z,?AddListener@Element@DirectUI@@QEAAJPEAUIElementListener@2@@Z,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	312 Process Injection	1 Rootkit	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	21 Masquerading	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	312 Process Injection	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Regsvr32	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Rundll32	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	1 DLL Side-Loading	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
drytex.dll	61%	Virustotal		Browse
drytex.dll	76%	ReversingLabs	Win64.Worm.Cridex
drytex.dll	100%	Avira	HEUR/AGEN.1207422
drytex.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\Y1C20.tmp	100%	Avira	HEUR/AGEN.1207422
C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp	100%	Avira	HEUR/AGEN.1207422
C:\Users\user\AppData\Local\Temp\Y1C20.tmp	100%	Joe Sandbox ML

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.rundll32.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
7.2.rundll32.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
4.2.rundll32.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
2.2.regsvr32.exe.140000000.2.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
44.2.phoneactivate.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
6.2.rundll32.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
0.2.loaddll64.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
23.2.phoneactivate.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File
36.2.phoneactivate.exe.140000000.0.unpack	100%	Avira	HEUR/AGEN.1207430	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://schemas.mic	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.mic	phoneactivate.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	610526
Start date and time: 18/04/202207:33:07	2022-04-18 07:33:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 23s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	drytex.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	45
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@40/10@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 30.7% (good quality ratio 25.6%) Quality average: 67.4% Quality standard deviation: 36.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, dllhost.exe, consent.exe, SppExtComObj.Exe, backgroundTaskHost.exe, UsoClient.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, go.microsoft.com, login.live.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:35:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Conqxrew C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe
07:35:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Conqxrew C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe
07:35:30	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Conqxrew.lnk
07:35:34	API Interceptor	1x Sleep call for process: dllhost.exe modified
07:35:41	Task Scheduler	Run new task: Uttpj path: C:\Windows\system32\xs2t3d\SppExtComObj.Exe

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	204
Entropy (8bit):	4.992450793081024
Encrypted:	false
SSDEEP:	3:8Fo5TAI2eAIQUjV7AIBgIWXp5cViE2J5xAIhmXVLRIvmJAIUsMuoUQ:8u5TYeyiJHRWXp+N23fhmFlNqUQ
MD5:	3EBEA66F3F22B719EEA0C1ED1882A87A
SHA1:	D6AEAA23E30880AAD41C17E674D24CCFCCB6FED8
SHA-256:	C266CA358FA49A556F80C1486C0E054B78080AC380318A619F6CE15A93C84166
SHA-512:	94A81C7C0A4428408BCFED168C605CD4B2D7098C79BE8728E5B337F75D458508424041723623D6364802D9881EA6C23D8D2BD0CD75098247B627D7E1A483893A
Malicious:	false
Preview:	md C:\Windows\system32\xs2t3d..copy C:\Windows\system32\SppExtComObj.Exe C:\Windows\system32\xs2t3d..move C:\Users\user\AppData\Local\Temp\Y1C20.tmp C:\Windows\system32\xs2t3d\ACTIVEDS.dll..del %0 & exit

C:\Users\user\AppData\Local\Temp\V8Ka.cmd

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	237
Entropy (8bit):	4.913522860271459
Encrypted:	false
SSDEEP:	6:8u5PWXp+NaZ5AgHG+AdgmfNWXp+NaZ5AsWXp+N23fHHYIWXp+NaZ5A6ovxUQ:8u5+HDugo0HyAdHqvxUQ
MD5:	20E4260BFC284D0F40AF7DAA705F22D0
SHA1:	0599152423FADB2BB7BEC29BB6DC91052C52DF4F
SHA-256:	1E7288DC642133C2B2D272F19899D27B7079BCD467BE6C07DAA9E5C96B2DC82E
SHA-512:	FFA815C5B2FF13E4D24EF01B421EA70F1A37B99D9D684FA3C07C32289DCE764CA5360443FC77B05DF244EEE398B870B6EF6AF5F7CF561C58288BC657BB0E892C
Malicious:	false
Preview:	md C:\Users\user\AppData\Roaming\ThotvT..copy C:\Windows\system32\phoneactivate.exe C:\Users\user\AppData\Roaming\ThotvT..move C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp C:\Users\user\AppData\Roaming\ThotvT\DUI70.dll..del %0 & exit

C:\Users\user\AppData\Local\Temp\Y1C20.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1257472
Entropy (8bit):	4.869587549920812
Encrypted:	false
SSDEEP:	12288:habbKACcbDWwVedYHi4mrh+IyiPU0D88nTtgO9HvjA3RlkuRCYJRB7laUqdezDk5:saXcfWwgSKrhncQYlez5nGa84djgol
MD5:	C770563E0C71B17EF44FF21185C63AD3
SHA1:	6AA9A5A97217143DA9F7E7F6FAB2CE71E127D6F2
SHA-256:	45EE8F805EBB6C92B215B7C559BB778F5AC5AC7A913EBC028CF70EBE426EB1FD
SHA-512:	CD52CD910CDF19245BE808AF2398D57A361E8D0EE7B57D5B5382CE56C1AB4E0B3D2D74877E50F1389E5069C85D60A3659A21991BF43BBD4049D1234129310127
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@.......................................x..j<.9<.9<.9?.t9I.9..8k.9S.49..9.ou9w.9..8M.9...82.9.7.9..91.I9u.9".:9..9'l590.9".=9/.9...8G.9R..8..9..8P.9S.39v.9?.u9i.9.7.9}.9..8..9".;9i.9..I9S.9Z.e9x.9?.w9..9A.v9,.9Rich<.9....................................................................................................................PE..d.:..\.T.........." .....f.....................@.............................0......).&...`.......................................... ..y...h...d................................(...................................................................................text....w.......................... ..`.rdata.............................. ..`.crt1............................... ..`.rdata..............................@..@.data............ ..................@....pdata..F...........................@..@qwTG................................@....rsrc...............................@..@.reloc...(.......0..........

C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1540096
Entropy (8bit):	5.376397843442921
Encrypted:	false
SSDEEP:	12288:AabbKACcbDWwVedYHi4mrh+IyiPU0D88nTtgO9HvjA3RlkuRCYJRB7laUqdezDkW:7aXcfWwgSKrhncQYlez5nGa84djgol
MD5:	FAB6B6A557FBE1C84AB38A331914817C
SHA1:	21B8E6CA4B6826D05B9E630A884AB8C8E2EE6317
SHA-256:	090BB796EC1FFD9B7C050F86BDAA8A1614985D8BEBE3965DB8F39A569603D24A
SHA-512:	465A04D661CA6B454FA44FAF4143189F86B43D86060308409987B3162C30AE6DC9584AA2833A759DB9B71435FDF8AC583AE9034FF98204BEB6D91452D18D9BA3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@.......................................x..j<.9<.9<.9?.t9I.9..8k.9S.49..9.ou9w.9..8M.9...82.9.7.9..91.I9u.9".:9..9'l590.9".=9/.9...8G.9R..8..9..8P.9S.39v.9?.u9i.9.7.9}.9..8..9".;9i.9..I9S.9Z.e9x.9?.w9..9A.v9,.9Rich<.9....................................................................................................................PE..d.:..\.T.........." .....f.....................@....................................).&...`.......................................... ..dQ..h...d................................(...................................................................................text....w.......................... ..`.rdata.............................. ..`.crt1............................... ..`.rdata..............................@..@.data............ ..................@....pdata..F...........................@..@qwTG................................@....rsrc...............................@..@.reloc...(.......0..........

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	1450
Entropy (8bit):	7.346730158776579
Encrypted:	false
SSDEEP:	24:UX4NtP5Ucj5fMbfPOU/J0nfl75UETR72tnZQcBit1uak1:UX4NtP5UcybfPOU/qfl75n92kc+uak1
MD5:	FA67A4DAB5AD8716BA08564C60E0ED05
SHA1:	34493BE6B3D4D5A6E04B24B90B87D32F686D6D96
SHA-256:	61B4971FB3394F314D0A5401E3B99A806CE15001B98A7112E46FBC92B3DFBC31
SHA-512:	B497314198CBF476B7AD016856F5578212B1E176CD669959251C7829DA3C5FC87526834FA1E5C5E6BC9EEADAF9CC7DEB848BEE836FCCE14547A62007A7E669F5
Malicious:	false
Preview:	........................................user.....................RSA1.................!".F..K.?M}.]..l.......n...-.GE....<..rW..>.C.3.F.h..\9.....[...9_....=m^h........j.qb...o$V....abe;Rh.e.::...j.j}-........................z..O......w...L.aI....?E......,...C.r.y.p.t.o.A.P.I. .P.r.i.v.a.t.e. .K.e.y....f...... .....zZkW.<.6.{.86..O.fZ...%8<.o. ............ ...i......X?.~...G.{.........)..S....XE...d.o..)=_K..n}.....mE.C......\|..=.....n..L...0W..W...v..].U2..sv..S5..T-..}.L.>>....`l.s.5.Lr.?hc.N.Z..x]R..Bc:.._.... Y.&1j..P....kL..A.j..!.u.8.. r7.....7...9....sy...3..k.t.$..i......D..DN...:.Y........y...Kk<kW.}.PW.Q........<.E.....Y*w....b._..$..'...0f.C...f.D.T......F..e..R.r....^..s....`W.H%..Y.....qtK~yJ..A.QA..v$.W7..4...4...$..."....9.Z&...d.i.J.0.3.u.w..1 i.9N.@.4.......j}.or..t_.4.,..`./c.%.La.atU.Z^.@.${.r.].h.GK7.E2....."7.....\| ...d....?w.u..8[.....Ie.....r2A8m`..=..P....?x..5.m.[.Z..i..rF..'....A(X...VC.JC....5..f.&..rRH..J@.b..w..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Conqxrew.lnk

Download File

Process:	C:\Windows\explorer.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Apr 18 13:35:12 2022, mtime=Mon Apr 18 13:35:12 2022, atime=Wed Apr 11 22:34:36 2018, length=107504, window=hide
Category:	dropped
Size (bytes):	901
Entropy (8bit):	5.0652880756211704
Encrypted:	false
SSDEEP:	12:8q43P84grl0KCqo//ZSL44gue7XQhwLDglvRgjAsHAnDSa7sd14P542Gm:8zVgrlH7oBssHLQGQlJ0ABDp7PEm
MD5:	41C3A004B77DE5860657B1653FFC54F7
SHA1:	D53C091CF6582B32EC5BAE408E5EE48059CD9F82
SHA-256:	7C3BC8D56BF8466BF92012966C7720FB569BCD7AA36CF2E679E0B35F96FF6BFC
SHA-512:	AB1710478E568CC467B670F85C53CDCAF144C23D3EAA394705D0E3FBAE93F00B135EA330DE029C65FB3DD3FA345A1AEAEF0D7455274CCF3247EA3D37F2586113
Malicious:	false
Preview:	L..................F.... ......1S..f_.1S..p+...............................:..DG..Yr?.D..U..k0.&...&...........-....)..3...P.1S......t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny..TDt.....Y....................f.(.A.p.p.D.a.t.a...B.V.1......Tft..Roaming.@.......Ny..Tgt.....Y........................R.o.a.m.i.n.g.....T.1......Tgt..ThotvT..>......Tft.Tgt..........................7R..T.h.o.t.v.T.....p.2.....LS. .PHONEA~1.EXE..T......Tgt.Tgt................t..........O..p.h.o.n.e.a.c.t.i.v.a.t.e...e.x.e.......f...............-.......e...........7..e.....C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe..'.....\.....\.....\.....\.....\.T.h.o.t.v.T.\.p.h.o.n.e.a.c.t.i.v.a.t.e...e.x.e.`.......X.......computer..!a..%.H.VZAj................-..!a..%.H.VZAj................-.E.......9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\ThotvT\DUI70.dll (copy)

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1540096
Entropy (8bit):	5.376397843442921
Encrypted:	false
SSDEEP:	12288:AabbKACcbDWwVedYHi4mrh+IyiPU0D88nTtgO9HvjA3RlkuRCYJRB7laUqdezDkW:7aXcfWwgSKrhncQYlez5nGa84djgol
MD5:	FAB6B6A557FBE1C84AB38A331914817C
SHA1:	21B8E6CA4B6826D05B9E630A884AB8C8E2EE6317
SHA-256:	090BB796EC1FFD9B7C050F86BDAA8A1614985D8BEBE3965DB8F39A569603D24A
SHA-512:	465A04D661CA6B454FA44FAF4143189F86B43D86060308409987B3162C30AE6DC9584AA2833A759DB9B71435FDF8AC583AE9034FF98204BEB6D91452D18D9BA3
Malicious:	false
Preview:	MZ......................@.......................................x..j<.9<.9<.9?.t9I.9..8k.9S.49..9.ou9w.9..8M.9...82.9.7.9..91.I9u.9".:9..9'l590.9".=9/.9...8G.9R..8..9..8P.9S.39v.9?.u9i.9.7.9}.9..8..9".;9i.9..I9S.9Z.e9x.9?.w9..9A.v9,.9Rich<.9....................................................................................................................PE..d.:..\.T.........." .....f.....................@....................................).&...`.......................................... ..dQ..h...d................................(...................................................................................text....w.......................... ..`.rdata.............................. ..`.crt1............................... ..`.rdata..............................@..@.data............ ..................@....pdata..F...........................@..@qwTG................................@....rsrc...............................@..@.reloc...(.......0..........

C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	107504
Entropy (8bit):	6.536585324272613
Encrypted:	false
SSDEEP:	1536:UhKYFAVrKO6PcIgpCaYov3ZKCZwaG70Ur/61cVtat/gLaoU0Sj09P0e:dmlPcNphvo0mtV1La8Lse
MD5:	09D1974A03068D4311F1CE94B765E817
SHA1:	7DD683571E4DCCAF181A5271BBCF15B3BC9D0155
SHA-256:	5D4F713CFC98E7148B67D063193D93BFE29F8329705A03690590633FADE32EE5
SHA-512:	07FD0700C8368485BEC91847C4B9721B059FEDB678C603A57FBD5DABCF110C80B0BD1D114384D4334F0412F3F4FD93C839A1B17F3A9F02C25CD59216692A8AC9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........i.......................................O.....................Rich............................PE..d.....^...........".................`..........@....................................;;............... .......................................0.......p.. J...`.......~...%..........`"..T.......................(....................................................text............................... ..`.imrsiv..................................rdata...I.......J..................@..@.data...8....P.......$..............@....pdata.......`.......&..............@..@.rsrc... J...p...L...0..............@..@.reloc...............\|..............@..B................................................................................................................................................................................................................

C:\Windows\System32\xs2t3d\SppExtComObj.Exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	577024
Entropy (8bit):	7.365924302927238
Encrypted:	false
SSDEEP:	12288:KEpKNOQ/1mgFgnHF+2ryqfut4iob3vBzx4PQpIQbwhsi:lpKbbFgl+2Oqfuqiob3JUFs
MD5:	809E11DECADAEBE2454EFEDD620C4769
SHA1:	A121B9FC2010247C65CE8975FE4D88F5E9AC953E
SHA-256:	8906D8D8BCD7C8302A3E56EA2EBD0357748ACC9D3FDA91925609C742384B9CC2
SHA-512:	F78F46437C011C102A9BCEC2A8565EDC75500C9448AC17457FF44D3C8DB1980F772C0D1546F1DEE0F8A6F2C7273A5A915860B768DE9BB24EBEFE2907CE18B0DF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.].a.3.a.3.a.3.h.u.3...6.`.3...7.t.3...2.n.3.a.2...3...=.r.3...0.e.3....`.3...1.`.3.Richa.3.........PE..d...b.............".................0..........@................CS P................3................ .......................................Y..h................J......................T............................S...............z..`............................text............................... ..`?g_Encry.-.......................... ..`.rdata..._.......`..................@..@.data........p.......V..............@....pdata...J.......L...d..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................

C:\Windows\system32\xs2t3d\ACTIVEDS.dll (copy)

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1257472
Entropy (8bit):	4.869587549920812
Encrypted:	false
SSDEEP:	12288:habbKACcbDWwVedYHi4mrh+IyiPU0D88nTtgO9HvjA3RlkuRCYJRB7laUqdezDk5:saXcfWwgSKrhncQYlez5nGa84djgol
MD5:	C770563E0C71B17EF44FF21185C63AD3
SHA1:	6AA9A5A97217143DA9F7E7F6FAB2CE71E127D6F2
SHA-256:	45EE8F805EBB6C92B215B7C559BB778F5AC5AC7A913EBC028CF70EBE426EB1FD
SHA-512:	CD52CD910CDF19245BE808AF2398D57A361E8D0EE7B57D5B5382CE56C1AB4E0B3D2D74877E50F1389E5069C85D60A3659A21991BF43BBD4049D1234129310127
Malicious:	false
Preview:	MZ......................@.......................................x..j<.9<.9<.9?.t9I.9..8k.9S.49..9.ou9w.9..8M.9...82.9.7.9..91.I9u.9".:9..9'l590.9".=9/.9...8G.9R..8..9..8P.9S.39v.9?.u9i.9.7.9}.9..8..9".;9i.9..I9S.9Z.e9x.9?.w9..9A.v9,.9Rich<.9....................................................................................................................PE..d.:..\.T.........." .....f.....................@.............................0......).&...`.......................................... ..y...h...d................................(...................................................................................text....w.......................... ..`.rdata.............................. ..`.crt1............................... ..`.rdata..............................@..@.data............ ..................@....pdata..F...........................@..@qwTG................................@....rsrc...............................@..@.reloc...(.......0..........

Static File Info

General

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	4.887324738140095
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	drytex.dll
File size:	1253376
MD5:	b85405fc1d3a4473826d7ebd31111a50
SHA1:	4b62c6e56be21a0dc8f285a23ca62a055a768956
SHA256:	26af00a279ce082c2bb1db2cb50d2d590623e3f20e6c260d77ca77bf72b51797
SHA512:	1335ee999d69930805f41c2b177538ec21cfd7cf11af973caeb4e53bb9893708b4795b556d28bddd41982b360e4f428b17ec80feeb7beff40a095a3f9981cf0f
SSDEEP:	12288:WabbKACcbDWwVedYHi4mrh+IyiPU0D88nTtgO9HvjA3RlkuRCYJRB7laUqdezDk5:ZaXcfWwgSKrhncQYlez5nGa84djgol
TLSH:	0C45CF0D496F1AC8D6A550F26B3387F6296EF0940420DEBD36B67025ED8DE7D8CC291B
File Content Preview:	MZ......................@.......................................x..j<..9<..9<..9?.t9I..9...8k..9S.49...9.ou9w..9...8M..9...82..9.7.9...91.I9u..9".:9...9'l590..9".=9/..9...8G..9R..8...9...8P..9S.39v..9?.u9i..9.7.9}..9...8...9".;9i..9..I9S..9Z.e9x..9?.w9...

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x14002a5b0
Entrypoint Section:	.crt1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x54B45CFA [Mon Jan 12 23:47:06 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	25c7ac00c91884fd2923a489ae9dfbca

Entrypoint Preview

Instruction
dec eax
mov dword ptr [00037CB9h], ecx
dec eax
mov dword ptr [00037CBAh], edx
dec eax
or dword ptr [00037CFBh], esi
dec eax
mov dword ptr [00037CFCh], edi
dec eax
mov dword ptr [00037CFDh], ebx
dec eax
mov dword ptr [00037CA6h], ebp
dec eax
mov dword ptr [00037CA7h], esp
dec esp
mov dword ptr [00037CA8h], eax
dec esp
mov dword ptr [00037CA9h], ecx
dec esp
mov dword ptr [00037CC2h], esp
dec esp
mov dword ptr [00037CB3h], ebp
dec esp
or dword ptr [00037CA4h], esi
dec esp
mov dword ptr [00037C95h], edi
dec eax
lea esi, dword ptr [FFFFD97Eh]
jmp esi
ud2
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x131010	0x73a	.ouhvqw
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2ba68	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0xfc98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0x28bc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x610	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x90	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2779e	0x28000	False	0.761749267578	data	7.8179817907	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x29000	0xfe0	0x1000	False	0.050537109375	data	0.497374256831	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.crt1	0x2a000	0x6fb	0x1000	False	0.25634765625	data	2.77764805072	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x2b000	0xcc0	0x1000	False	0.44921875	data	4.04304284558	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2c000	0x41e09	0x42000	False	0.577795780066	data	6.66561055311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x6e000	0xb46	0x1000	False	0.0595703125	data	0.53656064431	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
qwTG	0x6f000	0x2e9a2	0x2f000	False	0.818348986037	data	7.87184991211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x9e000	0xfc98	0x10000	False	0.223709106445	data	4.08759024615	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0x28bc	0x3000	False	0.105550130208	data	5.14379878517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.lqen	0xb1000	0x45174	0x46000	False	0.0010498046875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vqb	0xf7000	0x1455	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gjd	0xf9000	0x128f	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wqhqlp	0xfb000	0x1f2a	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nulizw	0xfd000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fgrum	0xfe000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mjabqc	0xff000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ghh	0x101000	0x1e66	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vrqcr	0x103000	0x706	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.siorvl	0x104000	0x1124	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sqgym	0x106000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kqhrq	0x107000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsntf	0x108000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.iqt	0x109000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kpwiuc	0x10b000	0x1278	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.yuzcn	0x10d000	0x5a7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.jbsbuw	0x10e000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mdjtj	0x10f000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.mbjeh	0x110000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.amb	0x111000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.lac	0x112000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zro	0x114000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vtq	0x115000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kyhoy	0x116000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wvi	0x117000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.alzw	0x119000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vdsoxe	0x11a000	0xbde	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pus	0x11b000	0x389	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.oqnl	0x11c000	0x736	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ohjt	0x11d000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ofjxx	0x11e000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ifw	0x120000	0x896	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zktgse	0x121000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pmd	0x122000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kexxpw	0x123000	0x3ba	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.kiqzd	0x124000	0x13e	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.uslf	0x125000	0x1af	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zkkgx	0x126000	0x2da	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.phhwk	0x127000	0x543	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.klf	0x128000	0xb4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xme	0x129000	0x543	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.fnxmzz	0x12a000	0x3fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.wpkbi	0x12b000	0x197d	0x2000	False	0.0037841796875	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.gzgei	0x12d000	0xb4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.zep	0x12e000	0x8fe	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.viz	0x12f000	0x1f7	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xqen	0x130000	0x23b	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.ouhvqw	0x131000	0x74a	0x1000	False	0.2734375	data	3.18901859221	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_STRING	0x9ee40	0x14a	data	English	United States
RT_STRING	0x9ef90	0x310	data	English	United States
RT_STRING	0x9f2a0	0x162	data	English	United States
RT_STRING	0x9f408	0x286	data	English	United States
RT_STRING	0x9f690	0x1cc	AmigaOS bitmap font	English	United States
RT_STRING	0x9f860	0x272	data	English	United States
RT_STRING	0x9fad8	0xee	data	English	United States
RT_STRING	0x9fbc8	0x144	data	English	United States
RT_STRING	0x9fd10	0xda	data	English	United States
RT_STRING	0x9fdf0	0x20e	data	English	United States
RT_STRING	0xa0000	0x326	data	English	United States
RT_STRING	0xa0328	0x33a	data	English	United States
RT_STRING	0xa0668	0x58c	data	English	United States
RT_STRING	0xa0bf8	0x2ca	data	English	United States
RT_STRING	0xa0ec8	0x2ce	data	English	United States
RT_STRING	0xa1198	0x3c6	data	English	United States
RT_STRING	0xa1560	0x41c	data	English	United States
RT_STRING	0xa1980	0x380	data	English	United States
RT_STRING	0xa1d00	0x408	data	English	United States
RT_STRING	0xa2108	0x4cc	data	English	United States
RT_STRING	0xa25d8	0x206	data	English	United States
RT_STRING	0xa27e0	0x50a	data	English	United States
RT_STRING	0xa2cf0	0x168	data	English	United States
RT_STRING	0xa2e58	0x12a	data	English	United States
RT_STRING	0xa2f88	0x36c	data	English	United States
RT_STRING	0xa32f8	0x2a8	data	English	United States
RT_STRING	0xa35a0	0x1de	data	English	United States
RT_STRING	0xa3780	0x3ec	data	English	United States
RT_STRING	0xa3b70	0x354	data	English	United States
RT_STRING	0xa3ec8	0x19c	data	English	United States
RT_STRING	0xa4068	0x27e	data	English	United States
RT_STRING	0xa42e8	0x3d8	data	English	United States
RT_STRING	0xa46c0	0x396	data	English	United States
RT_STRING	0xa4a58	0x336	data	English	United States
RT_STRING	0xa4d90	0x242	data	English	United States
RT_STRING	0xa4fd8	0x1ac	data	English	United States
RT_STRING	0xa5188	0x2f4	data	English	United States
RT_STRING	0xa5480	0x3ec	data	English	United States
RT_STRING	0xa5870	0x570	data	English	United States
RT_STRING	0xa5de0	0x3b2	Hitachi SH big-endian COFF object file, not stripped, 9472 sections, symbol offset=0x4b004200, 83895552 symbols, optional header size 12544	English	United States
RT_STRING	0xa6198	0x3aa	data	English	United States
RT_STRING	0xa6548	0x2c0	data	English	United States
RT_STRING	0xa6808	0x226	data	English	United States
RT_STRING	0xa6a30	0x248	data	English	United States
RT_STRING	0xa6c78	0x8f0	data	English	United States
RT_STRING	0xa7568	0x6aa	data	English	United States
RT_STRING	0xa7c18	0x456	data	English	United States
RT_STRING	0xa8070	0x522	data	English	United States
RT_STRING	0xa8598	0x51c	data	English	United States
RT_STRING	0xa8ab8	0x492	data	English	United States
RT_STRING	0xa8f50	0x432	data	English	United States
RT_STRING	0xa9388	0x6ec	data	English	United States
RT_STRING	0xa9a78	0x214	data	English	United States
RT_STRING	0xa9c90	0x472	AmigaOS bitmap font	English	United States
RT_STRING	0xaa108	0x3a2	data	English	United States
RT_STRING	0xaa4b0	0xb4	data	English	United States
RT_STRING	0xaa568	0x466	data	English	United States
RT_STRING	0xaa9d0	0x4b2	data	English	United States
RT_STRING	0xaae88	0x312	data	English	United States
RT_STRING	0xab1a0	0x106	data	English	United States
RT_STRING	0xab2a8	0x24e	data	English	United States
RT_STRING	0xab4f8	0x2b0	data	English	United States
RT_STRING	0xab7a8	0x392	data	English	United States
RT_STRING	0xabb40	0x34a	data	English	United States
RT_STRING	0xabe90	0x404	data	English	United States
RT_STRING	0xac298	0x3fc	data	English	United States
RT_STRING	0xac698	0x27a	data	English	United States
RT_STRING	0xac918	0xa8	data	English	United States
RT_STRING	0xac9c0	0xda	data	English	United States
RT_STRING	0xacaa0	0x2b2	data	English	United States
RT_STRING	0xacd58	0x274	data	English	United States
RT_STRING	0xacfd0	0x37c	data	English	United States
RT_STRING	0xad350	0x3fe	data	English	United States
RT_STRING	0xad750	0x2c0	data	English	United States
RT_STRING	0xada10	0x284	data	English	United States

Imports

DLL	Import
KERNEL32.dll	GetBinaryTypeW, GetModuleFileNameW, GetExitCodeProcess, GetModuleHandleW, GetCurrentProcess, GetCurrentProcessId, GetUserDefaultUILanguage
USER32.dll	SetProcessDefaultLayout, IsProcessDPIAware, ChildWindowFromPointEx, GetThreadDesktop
GDI32.dll	GetCharWidthW, FlattenPath
ADVAPI32.dll	InitiateSystemShutdownExW

Exports

Name	Ordinal	Address
DllCanUnloadNow	111	0x14000ffd0
DllGetClassObject	115	0x140002d30
DwmAttachMilContent	116	0x1400112ac
DwmDefWindowProc	117	0x14000b39c
DwmDetachMilContent	118	0x140002198
DwmEnableBlurBehindWindow	119	0x1400179cc
DwmEnableComposition	102	0x140026b64
DwmEnableMMCSS	120	0x140011870
DwmExtendFrameIntoClientArea	121	0x14001bdf0
DwmFlush	122	0x14000bf54
DwmGetColorizationColor	123	0x140022534
DwmGetCompositionTimingInfo	129	0x14000afa4
DwmGetGraphicsStreamClient	130	0x14001aef4
DwmGetGraphicsStreamTransformHint	149	0x140004d40
DwmGetTransportAttributes	183	0x140013134
DwmGetUnmetTabRequirements	184	0x14000a0ac
DwmGetWindowAttribute	185	0x14001a968
DwmInvalidateIconicBitmaps	186	0x140023a0c
DwmIsCompositionEnabled	187	0x14000e64c
DwmModifyPreviousDxFrameDuration	188	0x14001caa4
DwmQueryThumbnailSourceSize	189	0x14000ac9c
DwmRegisterThumbnail	191	0x140007828
DwmRenderGesture	192	0x14001dec4
DwmSetDxFrameDuration	193	0x14001e530
DwmSetIconicLivePreviewBitmap	194	0x14000f418
DwmSetIconicThumbnail	195	0x14001433c
DwmSetPresentParameters	196	0x140024ffc
DwmSetWindowAttribute	197	0x1400247c8
DwmShowContact	198	0x14001e4ac
DwmTetherContact	199	0x1400062e0
DwmTetherTextContact	156	0x140004a9c
DwmTransitionOwnedWindow	200	0x140010880
DwmUnregisterThumbnail	201	0x1400236f0
DwmUpdateThumbnailProperties	202	0x14001db58
DwmpAllocateSecurityDescriptor	136	0x14001bbd4
DwmpDxBindSwapChain	125	0x140027080
DwmpDxGetWindowSharedSurface	100	0x14001ace8
DwmpDxUnbindSwapChain	126	0x14000ab48
DwmpDxUpdateWindowRedirectionBltSurface	133	0x140001bec
DwmpDxUpdateWindowSharedSurface	101	0x14001ad00
DwmpDxgiIsThreadDesktopComposited	128	0x140019038
DwmpEnableDDASupport	143	0x140014360
DwmpFreeSecurityDescriptor	137	0x140014694
DwmpGetColorizationParameters	127	0x14001ef3c
DwmpRenderFlick	135	0x140008100
DwmpSetColorizationParameters	131	0x140017c40

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
ZwSetEvent	INLINE	explorer.exe
RtlAllocateMemoryBlockLookaside	INLINE	explorer.exe
RtlAllocateMemoryZone	INLINE	explorer.exe
NtSetEvent	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: ntdll.dll

Function Name	Hook Type	New Data
ZwSetEvent	INLINE	0xE9 0x9B 0xBB 0xB5 0x5E 0xEF
RtlAllocateMemoryBlockLookaside	INLINE	0x48 0x88 0x89 0x9E 0xE0 0x03
RtlAllocateMemoryZone	INLINE	0x8D 0xDA 0xAC 0xC2 0x24 0x49
NtSetEvent	INLINE	0xE9 0x9B 0xBB 0xB5 0x5E 0xEF

Target ID:	0
Start time:	07:34:08
Start date:	18/04/2022
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\drytex.dll"
Imagebase:	0x7ff6fc2f0000
File size:	140288 bytes
MD5 hash:	4E8A40CAD6CCC047914E3A7830A2D8AA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.269681895.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: cmd.exePID: 7044, Parent PID: 7036

General

Target ID:	1
Start time:	07:34:08
Start date:	18/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
Imagebase:	0x7ff62f630000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exePID: 7052, Parent PID: 7036

General

Target ID:	2
Start time:	07:34:09
Start date:	18/04/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\drytex.dll
Imagebase:	0x7ff750960000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000002.00000002.337765155.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 7064, Parent PID: 7044

General

Target ID:	3
Start time:	07:34:09
Start date:	18/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\drytex.dll",#1
Imagebase:	0x7ff703c90000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.248725971.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 7072, Parent PID: 7036

General

Target ID:	4
Start time:	07:34:09
Start date:	18/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\drytex.dll,DllCanUnloadNow
Imagebase:	0x7ff703c90000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.248898952.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: explorer.exePID: 3968, Parent PID: 7052

General

Target ID:	5
Start time:	07:34:11
Start date:	18/04/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6b8cf0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 7132, Parent PID: 7036

General

Target ID:	6
Start time:	07:34:13
Start date:	18/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\drytex.dll,DllGetClassObject
Imagebase:	0x7ff703c90000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000006.00000002.255992853.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 5168, Parent PID: 7036

General

Target ID:	7
Start time:	07:34:16
Start date:	18/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\drytex.dll,DwmAttachMilContent
Imagebase:	0x7ff703c90000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000007.00000002.263687093.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: phoneactivate.exePID: 6868, Parent PID: 3968

General

Target ID:	18
Start time:	07:35:04
Start date:	18/04/2022
Path:	C:\Windows\System32\phoneactivate.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\phoneactivate.exe
Imagebase:	0x7ff76d130000
File size:	107504 bytes
MD5 hash:	09D1974A03068D4311F1CE94B765E817
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: cmd.exePID: 7064, Parent PID: 3968

General

Target ID:	19
Start time:	07:35:10
Start date:	18/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\V8Ka.cmd
Imagebase:	0x7ff62f630000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exePID: 7112, Parent PID: 7064

General

Target ID:	20
Start time:	07:35:11
Start date:	18/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: phoneactivate.exePID: 1988, Parent PID: 3968

General

Target ID:	23
Start time:	07:35:22
Start date:	18/04/2022
Path:	C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Imagebase:	0x7ff744380000
File size:	107504 bytes
MD5 hash:	09D1974A03068D4311F1CE94B765E817
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000017.00000002.454233782.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security

Analysis Process: pwcreator.exePID: 1428, Parent PID: 3968

General

Target ID:	24
Start time:	07:35:23
Start date:	18/04/2022
Path:	C:\Windows\System32\pwcreator.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\pwcreator.exe
Imagebase:	0x7ff6ef240000
File size:	800768 bytes
MD5 hash:	BF33FA218E0B4F6AEC77616BE0F5DD9D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: SppExtComObj.ExePID: 6320, Parent PID: 3968

General

Target ID:	25
Start time:	07:35:24
Start date:	18/04/2022
Path:	C:\Windows\System32\SppExtComObj.Exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SppExtComObj.Exe
Imagebase:	0x7ff6ca820000
File size:	577024 bytes
MD5 hash:	809E11DECADAEBE2454EFEDD620C4769
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Analysis Process: cmd.exePID: 6028, Parent PID: 3968

General

Target ID:	30
Start time:	07:35:29
Start date:	18/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\33sSd.cmd
Imagebase:	0x7ff62f630000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6832, Parent PID: 6028

General

Target ID:	34
Start time:	07:35:29
Start date:	18/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: phoneactivate.exePID: 1908, Parent PID: 3968

General

Target ID:	36
Start time:	07:35:30
Start date:	18/04/2022
Path:	C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Imagebase:	0x7ff744380000
File size:	107504 bytes
MD5 hash:	09D1974A03068D4311F1CE94B765E817
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 00000024.00000002.425949324.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security

Analysis Process: dllhost.exePID: 5520, Parent PID: 756

General

Target ID:	38
Start time:	07:35:33
Start date:	18/04/2022
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}
Imagebase:	0x7ff7f1fd0000
File size:	20888 bytes
MD5 hash:	2528137C6745C4EADD87817A1909677E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: schtasks.exePID: 5872, Parent PID: 3968

General

Target ID:	42
Start time:	07:35:38
Start date:	18/04/2022
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /F /TN "Uttpj" /TR C:\Windows\system32\xs2t3d\SppExtComObj.Exe /SC minute /MO 60 /RL highest
Imagebase:	0x7ff77eda0000
File size:	226816 bytes
MD5 hash:	838D346D1D28F00783B7A6C6BD03A0DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 3176, Parent PID: 5872

General

Target ID:	43
Start time:	07:35:38
Start date:	18/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: phoneactivate.exePID: 2384, Parent PID: 3968

General

Target ID:	44
Start time:	07:35:39
Start date:	18/04/2022
Path:	C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe"
Imagebase:	0x7ff744380000
File size:	107504 bytes
MD5 hash:	09D1974A03068D4311F1CE94B765E817
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_2, Description: Yara detected Dridex unpacked file, Source: 0000002C.00000002.442591492.0000000140001000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security

Disassembly

⊘No disassembly

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report drytex.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\33sSd.cmd

C:\Users\user\AppData\Local\Temp\V8Ka.cmd

C:\Users\user\AppData\Local\Temp\Y1C20.tmp

C:\Users\user\AppData\Local\Temp\vmqDDCE.tmp

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\414045e2d09286d5db2581e0d955d358_d06ed635-68f6-4e9a-955c-4899f5f57b9a

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Conqxrew.lnk

C:\Users\user\AppData\Roaming\ThotvT\DUI70.dll (copy)

C:\Users\user\AppData\Roaming\ThotvT\phoneactivate.exe

C:\Windows\System32\xs2t3d\SppExtComObj.Exe

C:\Windows\system32\xs2t3d\ACTIVEDS.dll (copy)

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
drytex.dll

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre