07f5bfe8bd8448bed535b3e17ba4a771f8e22d79323409223904651b9c4f637c

Analysis

max time kernel
156s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
17-04-2022 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07f5bfe8bd8448bed535b3e17ba4a771f8e22d79323409223904651b9c4f637c.dll
Size

882KB
MD5

f7ebaa469f359428eb4c1ae559ccb5a5
SHA1

60e9a7184c28f812116245bacf27d7105acc8572
SHA256

07f5bfe8bd8448bed535b3e17ba4a771f8e22d79323409223904651b9c4f637c
SHA512

84e919b0760df09406224fd669f448f34517170ae7f76a3013da389fccbb501a88f22b8451f83bb11f0bc22e7fc263b991c18bb9d0b86d88fd3839cd80b4c324

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

DisplaySwitch.exeusocoreworker.exeInfDefaultInstall.exe

pid process

2128 DisplaySwitch.exe
4392 usocoreworker.exe
2340 InfDefaultInstall.exe
Loads dropped DLL 3 IoCs

Processes:

DisplaySwitch.exeusocoreworker.exeInfDefaultInstall.exe

pid process

2128 DisplaySwitch.exe
4392 usocoreworker.exe
2340 InfDefaultInstall.exe

pid	process
2128	DisplaySwitch.exe
4392	usocoreworker.exe
2340	InfDefaultInstall.exe

pid	process
2128	DisplaySwitch.exe
4392	usocoreworker.exe
2340	InfDefaultInstall.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Erihzxqqayujs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\AccountPictures\\3T\\usocoreworker.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DisplaySwitch.exeusocoreworker.exeInfDefaultInstall.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DisplaySwitch.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	usocoreworker.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InfDefaultInstall.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
4388	rundll32.exe
4388	rundll32.exe
4388	rundll32.exe
4388	rundll32.exe
4388	rundll32.exe
4388	rundll32.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3044

pid	process
3044

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 3044 wrote to memory of 2756	3044	DisplaySwitch.exe
PID 3044 wrote to memory of 2756	3044	DisplaySwitch.exe
PID 3044 wrote to memory of 2128	3044	DisplaySwitch.exe
PID 3044 wrote to memory of 2128	3044	DisplaySwitch.exe
PID 3044 wrote to memory of 5024	3044	usocoreworker.exe
PID 3044 wrote to memory of 5024	3044	usocoreworker.exe
PID 3044 wrote to memory of 4392	3044	usocoreworker.exe
PID 3044 wrote to memory of 4392	3044	usocoreworker.exe
PID 3044 wrote to memory of 4420	3044	InfDefaultInstall.exe
PID 3044 wrote to memory of 4420	3044	InfDefaultInstall.exe
PID 3044 wrote to memory of 2340	3044	InfDefaultInstall.exe
PID 3044 wrote to memory of 2340	3044	InfDefaultInstall.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\07f5bfe8bd8448bed535b3e17ba4a771f8e22d79323409223904651b9c4f637c.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:4388

C:\Windows\system32\DisplaySwitch.exe
C:\Windows\system32\DisplaySwitch.exe
1⤵
PID:2756

C:\Users\Admin\AppData\Local\EFtbZX\DisplaySwitch.exe
C:\Users\Admin\AppData\Local\EFtbZX\DisplaySwitch.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2128

C:\Windows\system32\usocoreworker.exe
C:\Windows\system32\usocoreworker.exe
1⤵
PID:5024

C:\Users\Admin\AppData\Local\HU3o5R4\usocoreworker.exe
C:\Users\Admin\AppData\Local\HU3o5R4\usocoreworker.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:4392

C:\Windows\system32\InfDefaultInstall.exe
C:\Windows\system32\InfDefaultInstall.exe
1⤵
PID:4420

C:\Users\Admin\AppData\Local\U7Z8\InfDefaultInstall.exe
C:\Users\Admin\AppData\Local\U7Z8\InfDefaultInstall.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EFtbZX\DUser.dll
Filesize
887KB

MD5
a8ff587e06fde33fdbb8d1b23daae86b

SHA1
ca229161b58d8de5f1e93eeae563b5510c851cb1

SHA256
88310b92110b5a92ebc7995dc155d2b49dbcce3f8b2a77fcc2517175d44a84c8

SHA512
190e1bb0626377cb9b678877e1037474cc1ea0281960d6ed9516ab1f077c8179635cb16a4f11ef446d49efa150c25f02a142d60f8f5dc58090aeda85dd6626c9

Download Submit
C:\Users\Admin\AppData\Local\EFtbZX\DUser.dll
Filesize
887KB

MD5
a8ff587e06fde33fdbb8d1b23daae86b

SHA1
ca229161b58d8de5f1e93eeae563b5510c851cb1

SHA256
88310b92110b5a92ebc7995dc155d2b49dbcce3f8b2a77fcc2517175d44a84c8

SHA512
190e1bb0626377cb9b678877e1037474cc1ea0281960d6ed9516ab1f077c8179635cb16a4f11ef446d49efa150c25f02a142d60f8f5dc58090aeda85dd6626c9

Download Submit
C:\Users\Admin\AppData\Local\EFtbZX\DisplaySwitch.exe
Filesize
1.8MB

MD5
5338d4beddf23db817eb5c37500b5735

SHA1
1b5c56f00b53fca3205ff24770203af46cbc7c54

SHA256
8b581f1d15a6920e4ecfe172d8ef753d0a2bf1a47e686a8d5d8e01147fa4c65e

SHA512
173170b83e0048ee05da18c0c957744204954da58a93c532b669d62edb632c4c73d0744c13eb864ecf357ff12831aa46c4f2445dc33b62a4547385b9e0297b0c

Download Submit
C:\Users\Admin\AppData\Local\HU3o5R4\XmlLite.dll
Filesize
883KB

MD5
6eb6ccedc26b329f5b7924df45abf8e1

SHA1
6f6826f724b0528f81be3bee129e0e96ec72dcf6

SHA256
278c57ed288a71e608b6699fee4dcdeb8c25491313277b6eabf20456e97a8d67

SHA512
8f9bba95b493cdfe23336acc9eda861ceafa94f6b4e6d717e8a1bc63bbc08562264a471beb06f0a28b636f1945d21e27c1c744a164eef80de50cf2faf057a067

Download Submit
C:\Users\Admin\AppData\Local\HU3o5R4\XmlLite.dll
Filesize
883KB

MD5
6eb6ccedc26b329f5b7924df45abf8e1

SHA1
6f6826f724b0528f81be3bee129e0e96ec72dcf6

SHA256
278c57ed288a71e608b6699fee4dcdeb8c25491313277b6eabf20456e97a8d67

SHA512
8f9bba95b493cdfe23336acc9eda861ceafa94f6b4e6d717e8a1bc63bbc08562264a471beb06f0a28b636f1945d21e27c1c744a164eef80de50cf2faf057a067

Download Submit
C:\Users\Admin\AppData\Local\HU3o5R4\usocoreworker.exe
Filesize
1.3MB

MD5
2c5efb321aa64af37dedc6383ce3198e

SHA1
a06d7020dd43a57047a62bfb443091cd9de946ba

SHA256
0fb6688a32340036f3eaab4a09a82dee533bfb2ca266c36f6142083134de6f0e

SHA512
5448ea01b24af7444505bda80064849a2efcc459011d32879e021e836fd573c9b1b9d3b37291d3f53ff536c691ac13a545b12f318a16c8a367421986bbf002ed

Download Submit
C:\Users\Admin\AppData\Local\U7Z8\InfDefaultInstall.exe
Filesize
13KB

MD5
ee18876c1e5de583de7547075975120e

SHA1
f7fcb3d77da74deee25de9296a7c7335916504e3

SHA256
e59127b5fe82714956c7a1f10392a8673086a8e1f609e059935c7da1fa015a5d

SHA512
08bc4d28b8f528582c58175a74871dd33ac97955c3709c991779fc34b5ba4b2ba6ff40476d9f59345b61b0153fd932b0ea539431a67ff5012cb2ac8ab392f73c

Download Submit
C:\Users\Admin\AppData\Local\U7Z8\newdev.dll
Filesize
884KB

MD5
c7ffb811859dad02172bb65b3f9cc2ac

SHA1
adac221aab1d3975d73f9d179530a67da0ea5e05

SHA256
15eca81f50ca21d54b5eefc55db2d41b9ffb7f220ed2c6b4ae747a3a07525ab2

SHA512
496090a74506ef2a6f2561c73dcdf3ee4784270c3be44b71f97794022591528d26007ea5505944fb5bf00ffa58001fb99de01129fd06368654b2321d89d996e2

Download Submit
C:\Users\Admin\AppData\Local\U7Z8\newdev.dll
Filesize
884KB

MD5
c7ffb811859dad02172bb65b3f9cc2ac

SHA1
adac221aab1d3975d73f9d179530a67da0ea5e05

SHA256
15eca81f50ca21d54b5eefc55db2d41b9ffb7f220ed2c6b4ae747a3a07525ab2

SHA512
496090a74506ef2a6f2561c73dcdf3ee4784270c3be44b71f97794022591528d26007ea5505944fb5bf00ffa58001fb99de01129fd06368654b2321d89d996e2

Download Submit
memory/2128-143-0x0000000000000000-mapping.dmp

Download
memory/2340-151-0x0000000000000000-mapping.dmp

Download
memory/3044-136-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3044-137-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3044-141-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3044-140-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3044-139-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3044-138-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3044-132-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3044-142-0x00007FF87B1F0000-0x00007FF87B200000-memory.dmp

Filesize
64KB

Download
memory/3044-131-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3044-135-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3044-134-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3044-133-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/3044-130-0x0000000140000000-0x00000001400E1000-memory.dmp

Filesize
900KB

Download
memory/4392-147-0x0000000000000000-mapping.dmp

Download