3c7bd82f6f0bc019c1188e929bd012ec14f8be0671f3e678c0836d01a007994d

Analysis

max time kernel
152s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 04:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c7bd82f6f0bc019c1188e929bd012ec14f8be0671f3e678c0836d01a007994d.dll
Size

967KB
MD5

9634f1a7a6036a22b6ad86a1a671ad58
SHA1

2b8e333675aaa8b8211cbbd56bcf8996d0380b92
SHA256

3c7bd82f6f0bc019c1188e929bd012ec14f8be0671f3e678c0836d01a007994d
SHA512

b73d2053f4ee906be366ae8631833cc9ce5837234768f7796cfb4f3c5eccebb78767191f16165303cddfec4706ed9669c348d7e2bafe1d98d8a1e62c7e8ff61a

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

dxgiadaptercache.exerdpinit.exeeudcedit.exe

pid process

2288 dxgiadaptercache.exe
1476 rdpinit.exe
2340 eudcedit.exe
Loads dropped DLL 4 IoCs

Processes:

dxgiadaptercache.exerdpinit.exeeudcedit.exe

pid process

2288 dxgiadaptercache.exe
2288 dxgiadaptercache.exe
1476 rdpinit.exe
2340 eudcedit.exe

pid	process
2288	dxgiadaptercache.exe
1476	rdpinit.exe
2340	eudcedit.exe

pid	process
2288	dxgiadaptercache.exe
2288	dxgiadaptercache.exe
1476	rdpinit.exe
2340	eudcedit.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Erihzxqqayujs = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-1081944012-3634099177-1681222835-1000\\wLjUnl\\rdpinit.exe"

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exedxgiadaptercache.exerdpinit.exeeudcedit.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dxgiadaptercache.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rdpinit.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	eudcedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
5080	rundll32.exe
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940
2940

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2940

pid	process
2940

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	target process
PID 2940 wrote to memory of 1644	2940	dxgiadaptercache.exe
PID 2940 wrote to memory of 1644	2940	dxgiadaptercache.exe
PID 2940 wrote to memory of 2288	2940	dxgiadaptercache.exe
PID 2940 wrote to memory of 2288	2940	dxgiadaptercache.exe
PID 2940 wrote to memory of 3388	2940	rdpinit.exe
PID 2940 wrote to memory of 3388	2940	rdpinit.exe
PID 2940 wrote to memory of 1476	2940	rdpinit.exe
PID 2940 wrote to memory of 1476	2940	rdpinit.exe
PID 2940 wrote to memory of 4548	2940	eudcedit.exe
PID 2940 wrote to memory of 4548	2940	eudcedit.exe
PID 2940 wrote to memory of 2340	2940	eudcedit.exe
PID 2940 wrote to memory of 2340	2940	eudcedit.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3c7bd82f6f0bc019c1188e929bd012ec14f8be0671f3e678c0836d01a007994d.dll,#1
1⤵
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
PID:5080

C:\Windows\system32\dxgiadaptercache.exe
C:\Windows\system32\dxgiadaptercache.exe
1⤵
PID:1644

C:\Users\Admin\AppData\Local\lqW2\dxgiadaptercache.exe
C:\Users\Admin\AppData\Local\lqW2\dxgiadaptercache.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2288

C:\Windows\system32\rdpinit.exe
C:\Windows\system32\rdpinit.exe
1⤵
PID:3388

C:\Users\Admin\AppData\Local\Tu6ndvaGf\rdpinit.exe
C:\Users\Admin\AppData\Local\Tu6ndvaGf\rdpinit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:1476

C:\Windows\system32\eudcedit.exe
C:\Windows\system32\eudcedit.exe
1⤵
PID:4548

C:\Users\Admin\AppData\Local\edOdH\eudcedit.exe
C:\Users\Admin\AppData\Local\edOdH\eudcedit.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
PID:2340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Tu6ndvaGf\dwmapi.dll
Filesize
969KB

MD5
b8ae87e5a1e1e1b907454a3d461f78cd

SHA1
88d8dbd7e36d36967d6cf658c2dd995aab55bd9a

SHA256
c62df0a30356110511f0fbf548fb0438e85fc358583afac6f28dfcbdfe094e6b

SHA512
73e88c5c186f71807289215d9e44a3411e438a266e3fc20719acf252953306ae5928458d0ead914fa9b9f984fb37dc48a3998cd6ab85539968f0b93dc76edf65

Download Submit
C:\Users\Admin\AppData\Local\Tu6ndvaGf\dwmapi.dll
Filesize
969KB

MD5
b8ae87e5a1e1e1b907454a3d461f78cd

SHA1
88d8dbd7e36d36967d6cf658c2dd995aab55bd9a

SHA256
c62df0a30356110511f0fbf548fb0438e85fc358583afac6f28dfcbdfe094e6b

SHA512
73e88c5c186f71807289215d9e44a3411e438a266e3fc20719acf252953306ae5928458d0ead914fa9b9f984fb37dc48a3998cd6ab85539968f0b93dc76edf65

Download Submit
C:\Users\Admin\AppData\Local\Tu6ndvaGf\rdpinit.exe
Filesize
343KB

MD5
b0ecd76d99c5f5134aeb52460add6f80

SHA1
51462078092c9d6b7fa2b9544ffe0a49eb258106

SHA256
51251863097f7c80ef59606152ec59e7522881c8e3886c194c43f56bcab92e1b

SHA512
16855c7db48b26297c78d37d52ad03f6af0f5a58e333e17ad83b34f5e8b200c5517c6481043af0ecf1b962af2378f38600bd968592f4e1018b5a1b9400adb367

Download Submit
C:\Users\Admin\AppData\Local\edOdH\MFC42u.dll
Filesize
995KB

MD5
d48ff166a96d02718a8733b56c7a97cd

SHA1
b5fc1c096d4fe226600875db58e071e02d866195

SHA256
44c1d3fe2082f04f785c382c568510da2abd5775a6ba1d64e1cf4a9d9c3534e7

SHA512
17b47b497e1915406b6b780d4c2cec579b757a575756360d850b845e6928e87c2d51c5fe74df4a542aa46d2554b30a88c14eff13fbc0c0340cf1ba89621d6336

Download Submit
C:\Users\Admin\AppData\Local\edOdH\MFC42u.dll
Filesize
995KB

MD5
d48ff166a96d02718a8733b56c7a97cd

SHA1
b5fc1c096d4fe226600875db58e071e02d866195

SHA256
44c1d3fe2082f04f785c382c568510da2abd5775a6ba1d64e1cf4a9d9c3534e7

SHA512
17b47b497e1915406b6b780d4c2cec579b757a575756360d850b845e6928e87c2d51c5fe74df4a542aa46d2554b30a88c14eff13fbc0c0340cf1ba89621d6336

Download Submit
C:\Users\Admin\AppData\Local\edOdH\eudcedit.exe
Filesize
365KB

MD5
a9de6557179d371938fbe52511b551ce

SHA1
def460b4028788ded82dc55c36cb0df28599fd5f

SHA256
83c8d1a7582b24b4bbc0d453c813487185c2b05c483bd1759ef647a7e7e92dfe

SHA512
5790cac8dae16a785b48f790e6645b137f211c1587fb64ea88e743b846ff3a886324afcfef4bebc61f869023b9a22ba925c461dfb2e12497b70f501e6b79153c

Download Submit
C:\Users\Admin\AppData\Local\lqW2\dxgi.dll
Filesize
968KB

MD5
e366b0a9625da56102acffd6292d0fb3

SHA1
84cf1d85e03c8151d4867ac9c61a534f1ad9a128

SHA256
f14d371e6bb2c7b5cd2565244a9791b5a2485d1521a9c2ef8a47cdce88632503

SHA512
c4ca0772bf68fb1b89b3472238c9c1fa3cceeb811d6c0fa935c9ee5c339c358f7810bc59b29763a2387895c4b892ed90416abf55367bb94f7eafc92af89c7e13

Download Submit
C:\Users\Admin\AppData\Local\lqW2\dxgi.dll
Filesize
968KB

MD5
e366b0a9625da56102acffd6292d0fb3

SHA1
84cf1d85e03c8151d4867ac9c61a534f1ad9a128

SHA256
f14d371e6bb2c7b5cd2565244a9791b5a2485d1521a9c2ef8a47cdce88632503

SHA512
c4ca0772bf68fb1b89b3472238c9c1fa3cceeb811d6c0fa935c9ee5c339c358f7810bc59b29763a2387895c4b892ed90416abf55367bb94f7eafc92af89c7e13

Download Submit
C:\Users\Admin\AppData\Local\lqW2\dxgi.dll
Filesize
968KB

MD5
e366b0a9625da56102acffd6292d0fb3

SHA1
84cf1d85e03c8151d4867ac9c61a534f1ad9a128

SHA256
f14d371e6bb2c7b5cd2565244a9791b5a2485d1521a9c2ef8a47cdce88632503

SHA512
c4ca0772bf68fb1b89b3472238c9c1fa3cceeb811d6c0fa935c9ee5c339c358f7810bc59b29763a2387895c4b892ed90416abf55367bb94f7eafc92af89c7e13

Download Submit
C:\Users\Admin\AppData\Local\lqW2\dxgiadaptercache.exe
Filesize
230KB

MD5
e62f89130b7253f7780a862ed9aff294

SHA1
b031e64a36e93f95f2061be5b0383069efac2070

SHA256
4bea9f741fe4ca9d6262477849896b9fa6377326d11af044561c31bde2d994b5

SHA512
05649d38a0b5d825bb8442549427b0ff77b139c9dd297b04d6c0fb1415504c95ed750cd79efea2ff514abfc5d1003e6251a3cd871d352dcea06be0cdeb0304f7

Download Submit
memory/1476-172-0x0000021516BB0000-0x0000021516BB7000-memory.dmp

Filesize
28KB

Download
memory/1476-164-0x0000000000000000-mapping.dmp

Download
memory/2288-155-0x0000000000000000-mapping.dmp

Download
memory/2288-160-0x0000000140000000-0x00000001400FA000-memory.dmp

Filesize
1000KB

Download
memory/2340-181-0x00000165A3430000-0x00000165A3437000-memory.dmp

Filesize
28KB

Download
memory/2340-177-0x0000000140000000-0x0000000140100000-memory.dmp

Filesize
1024KB

Download
memory/2340-173-0x0000000000000000-mapping.dmp

Download
memory/2940-143-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/2940-138-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/2940-154-0x00007FFA17D30000-0x00007FFA17D40000-memory.dmp

Filesize
64KB

Download
memory/2940-141-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/2940-140-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/2940-135-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/2940-139-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/2940-142-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/2940-145-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/2940-137-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/2940-136-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download
memory/2940-144-0x00000000015B0000-0x00000000015B7000-memory.dmp

Filesize
28KB

Download
memory/5080-134-0x000002358E610000-0x000002358E617000-memory.dmp

Filesize
28KB

Download
memory/5080-130-0x0000000140000000-0x00000001400F9000-memory.dmp

Filesize
996KB

Download