dcb378e8645acb7a8c2be0f51f9c9c125044659a73390d524accb96772f79a16

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 14:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DZKJ-1.0.0.52.exe
Size

14.8MB
MD5

7d94503119588f1e769d1a871a949969
SHA1

d31a2fcb9fa635b7ca9cda8b6a239815a6645dcd
SHA256

dcb378e8645acb7a8c2be0f51f9c9c125044659a73390d524accb96772f79a16
SHA512

cc1b52450d9623d6766320cc80346fe6e8e00f669b2a3f7fd8ab95e5c610803d66457e886e62dff371421982dd21c259159eb5a0907c94562f018e816e3dd95f
SSDEEP

196608:WgA3UoPtKLBSIkMmf5XPmImn/2gpi08QukGZl9lEL38NlxgjewYk1jrMX+5j6txW:pAkolIBShMwu+2ukmoKlxgjewXmxB35m

Score

9^/10

bootkit evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DZKJ-1.0.0.52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DZClient.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DZKJ-1.0.0.52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DZKJ-1.0.0.52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DZClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DZClient.exe

Executes dropped EXE 1 IoCs

pid	Process
4948	DZClient.exe

Loads dropped DLL 4 IoCs

pid	Process
1876	regsvr32.exe
4028	DZKJ-1.0.0.52.exe
3632	regsvr32.exe
4948	DZClient.exe

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4028-0-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4028-2-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4028-3-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4028-4-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4028-5-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4028-15-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4028-28-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/files/0x0006000000023251-31.dat	themida
behavioral2/files/0x0006000000023251-32.dat	themida
behavioral2/memory/4948-33-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4948-34-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4948-35-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4948-36-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4948-37-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4948-49-0x0000000000400000-0x0000000001906000-memory.dmp	themida
behavioral2/memory/4948-59-0x0000000000400000-0x0000000001906000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DZKJ-1.0.0.52.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DZClient.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DZKJ-1.0.0.52.exe
File opened for modification	\??\PhysicalDrive0	DZClient.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4028	DZKJ-1.0.0.52.exe
4948	DZClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3584	4028	WerFault.exe	84
1616	4948	WerFault.exe	93

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString	DZKJ-1.0.0.52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DZKJ-1.0.0.52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DZKJ-1.0.0.52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	DZClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString	DZClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	DZClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	DZClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	DZKJ-1.0.0.52.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	DZKJ-1.0.0.52.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	DZKJ-1.0.0.52.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	DZClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	DZClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	DZClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	DZKJ-1.0.0.52.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EE23AE3-BE35-4D73-A46D-20B37AE78EF6}\ = "_DSmartPDF"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MFCACTIVEXCONTRO.SmartPDFCtrl.1\ = "SmartPDF Control"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\ProgID\ = "MFCACTIVEXCONTRO.SmartPDFCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D519DF02-6454-416B-9B0C-8B8792ACBC2D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D519DF02-6454-416B-9B0C-8B8792ACBC2D}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4EE23AE3-BE35-4D73-A46D-20B37AE78EF6}\TypeLib\ = "{D519DF02-6454-416B-9B0C-8B8792ACBC2D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DZPdf.dll, 5"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8FD3196F-914B-4BF9-907C-75BB8FB9C069}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DZPdf.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D519DF02-6454-416B-9B0C-8B8792ACBC2D}\1.0\ = "SmartPDFLib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D519DF02-6454-416B-9B0C-8B8792ACBC2D}\1.0\HELPDIR\	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\ = "_DSmartPDFEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8FD3196F-914B-4BF9-907C-75BB8FB9C069}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DZPdf.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MFCACTIVEXCONTRO.SmartPDFCtrl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D519DF02-6454-416B-9B0C-8B8792ACBC2D}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D519DF02-6454-416B-9B0C-8B8792ACBC2D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DZPdf.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4EE23AE3-BE35-4D73-A46D-20B37AE78EF6}\ = "_DSmartPDF"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\MiscStatus\1\ = "131473"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DZPdf.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8FD3196F-914B-4BF9-907C-75BB8FB9C069}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DZPdf.dll, 5"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4EE23AE3-BE35-4D73-A46D-20B37AE78EF6}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\ = "SmartPDF Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EE23AE3-BE35-4D73-A46D-20B37AE78EF6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8FD3196F-914B-4BF9-907C-75BB8FB9C069}\ = "SmartPDF Property Page"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MFCACTIVEXCONTRO.SmartPDFCtrl.1\CLSID\ = "{6F22EEE9-8467-4806-81C1-FE62D6838E22}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8FD3196F-914B-4BF9-907C-75BB8FB9C069}\ = "SmartPDF Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MFCACTIVEXCONTRO.SmartPDFCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\ = "SmartPDF Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\TypeLib\ = "{D519DF02-6454-416B-9B0C-8B8792ACBC2D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D519DF02-6454-416B-9B0C-8B8792ACBC2D}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EE23AE3-BE35-4D73-A46D-20B37AE78EF6}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8FD3196F-914B-4BF9-907C-75BB8FB9C069}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4EE23AE3-BE35-4D73-A46D-20B37AE78EF6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EE23AE3-BE35-4D73-A46D-20B37AE78EF6}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\TypeLib\ = "{D519DF02-6454-416B-9B0C-8B8792ACBC2D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\TypeLib\ = "{D519DF02-6454-416B-9B0C-8B8792ACBC2D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MFCACTIVEXCONTRO.SmartPDFCtrl.1\CLSID\ = "{6F22EEE9-8467-4806-81C1-FE62D6838E22}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D519DF02-6454-416B-9B0C-8B8792ACBC2D}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4EE23AE3-BE35-4D73-A46D-20B37AE78EF6}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4028	DZKJ-1.0.0.52.exe
4028	DZKJ-1.0.0.52.exe
4948	DZClient.exe
4948	DZClient.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4028	DZKJ-1.0.0.52.exe
4028	DZKJ-1.0.0.52.exe
4028	DZKJ-1.0.0.52.exe
4028	DZKJ-1.0.0.52.exe
4028	DZKJ-1.0.0.52.exe
4028	DZKJ-1.0.0.52.exe
4028	DZKJ-1.0.0.52.exe
4028	DZKJ-1.0.0.52.exe
4948	DZClient.exe
4948	DZClient.exe
4948	DZClient.exe
4948	DZClient.exe
4948	DZClient.exe
4948	DZClient.exe
4948	DZClient.exe
4948	DZClient.exe
4948	DZClient.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4028 wrote to memory of 1876	4028	DZKJ-1.0.0.52.exe	87
PID 4028 wrote to memory of 1876	4028	DZKJ-1.0.0.52.exe	87
PID 4028 wrote to memory of 1876	4028	DZKJ-1.0.0.52.exe	87
PID 4948 wrote to memory of 3632	4948	DZClient.exe	95
PID 4948 wrote to memory of 3632	4948	DZClient.exe	95
PID 4948 wrote to memory of 3632	4948	DZClient.exe	95

C:\Users\Admin\AppData\Local\Temp\DZKJ-1.0.0.52.exe
"C:\Users\Admin\AppData\Local\Temp\DZKJ-1.0.0.52.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4028
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Users\Admin\AppData\Local\Temp\DZPdf.dll /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:1876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 2440
  2⤵
  - Program crash
  PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4028 -ip 4028
1⤵
PID:948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1448

C:\Users\Admin\AppData\Roaming\DZKJ\DZClient.exe
"C:\Users\Admin\AppData\Roaming\DZKJ\DZClient.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Users\Admin\AppData\Local\Temp\DZPdf.dll /s
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:3632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 2196
  2⤵
  - Program crash
  PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4948 -ip 4948
1⤵
PID:2164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8LUH2ELP\banner[1].htm

Filesize
649B

MD5
fa8020de7de927a48fa67e61aa2d5f5d

SHA1
fe7ed0d77da0d6a0bcd8248ff2cc1e15cf28000a

SHA256
afdeee006b0f70830975d26551ad0d0a20cb31da8a84ea5ebb241296e60a4322

SHA512
80f07a56ada9fec6c568306d8cabbdc07ce79a90d0a5d8a6003eaa48230ff9acc321d0a3473cd7051620662f6026492bf44347f434383b68b1f787ffc17238ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCSC7YUT\top[1].gif

Filesize
23KB

MD5
ccc1e4426a3a6581d10e7b596ae36981

SHA1
b9ff9ed2f828f60cf363d08dd8fa6a0a57851993

SHA256
5717e37d9b0f6166bd447998d15742d46bd7e0a9676e893d7e42cf958decb78f

SHA512
9e3164df9aad7dfce5bc511c0277f6480ec395af5cbc5d0ef36ac866602a3934fdf61a2072504ca63a1810ffc62f89b0957c328072d02f4365781cb10d13657c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DZPdf.dll

Filesize
9.9MB

MD5
35d66db087de03b967ad8d62fa22dbb9

SHA1
e9cd8518fa44253bb1e3582ef0323228932e3bb6

SHA256
a42a1b5caf838b3d211c5e4c3aef41aa4b60d0a9394264810a0768f60c330e2c

SHA512
3a793be20fe5f6fe8763af18bce1120c4bad63c8e6110120d92e18852d86490d58ee03dd11acc3f2f8eb15911fbbcb93edc6c7d244a4f0dafb45782591f64484

Download Submit
C:\Users\Admin\AppData\Local\Temp\DZPdf.dll

Filesize
4.1MB

MD5
0c84839c5e22ed47d3bb88fed6a90563

SHA1
5dd9025f3088eea1948077215273572af5de8c74

SHA256
3cdaef6926e2071c679c2ca498bfdd98c0c35093fbe93116871dffcb278aa97b

SHA512
1d860467185cf8f0ddcabbe5b032f89b30cd98964664b580480eb6905e014d2b6f4f4dd9b5a8fba933b120080f12999e6a517b5a7f2f0039bec48407bacc1c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DZPdf.dll

Filesize
2.6MB

MD5
335111b7d8439004752c83fcc0689c28

SHA1
403626c1b67752cfdf5565d2cfcb9362f3ad3fd3

SHA256
b958031172ef4424abe0f2dbc5282d6d1061e4dcfe7f28d400b31215d7273caa

SHA512
ff250f981f5d2bc5ec22adeec9f35f5db22a6a2eeed4620827563e02a874e07ff7ac64c111c1fa5169aca4174ca59170af9def960a5ad0482c7bf4579356e456

Download Submit
C:\Users\Admin\AppData\Roaming\DZKJ\DZClient.exe

Filesize
14.6MB

MD5
bf09a8c4d0980c7c53c0a783364db3b6

SHA1
37f7a0601dbb1270aac1a8c2d241e9cf90b57b80

SHA256
5a50581ef9dccb6e34ae6cc8d244905e81ae659348a6a16d4dfe89d0b52cc4be

SHA512
71a11f322480d0572c5ca95045d69b552f03ee8b40acf87e77be1f24a33b554ca3205bac7b013eb2c40b7b1954e8c213a0424f88066e9476467a5598611636a8

Download Submit
C:\Users\Admin\AppData\Roaming\DZKJ\DZClient.exe

Filesize
14.8MB

MD5
7d94503119588f1e769d1a871a949969

SHA1
d31a2fcb9fa635b7ca9cda8b6a239815a6645dcd

SHA256
dcb378e8645acb7a8c2be0f51f9c9c125044659a73390d524accb96772f79a16

SHA512
cc1b52450d9623d6766320cc80346fe6e8e00f669b2a3f7fd8ab95e5c610803d66457e886e62dff371421982dd21c259159eb5a0907c94562f018e816e3dd95f

Download Submit
C:\Users\Admin\AppData\Roaming\DZKJ\pz.ini

Filesize
40B

MD5
73e71555d444cbe8ac5e359a73b77c84

SHA1
71ea9cc86fd760fc5589557a5e8cf3eca085db09

SHA256
22a67f42c9e5546f9d6be103886942bb81dd02bc541e87c52e5ace6aa28ada11

SHA512
6b0bc7f72b2b8a04f95f186f0dd6a876d57135fa8a88a722627d7d7d420045c40c1638ae2b9c314cc255c70e7d5940a3182e023961a769d1f24ea0d71222530c

Download Submit
memory/4028-12-0x0000000077B73000-0x0000000077B74000-memory.dmp

Filesize
4KB

Download
memory/4028-28-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4028-11-0x0000000077B72000-0x0000000077B73000-memory.dmp

Filesize
4KB

Download
memory/4028-0-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4028-13-0x0000000005B90000-0x0000000005BBB000-memory.dmp

Filesize
172KB

Download
memory/4028-14-0x0000000077B8B000-0x0000000077B8C000-memory.dmp

Filesize
4KB

Download
memory/4028-15-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4028-22-0x0000000077B57000-0x0000000077B58000-memory.dmp

Filesize
4KB

Download
memory/4028-9-0x00000000759F0000-0x0000000075AE0000-memory.dmp

Filesize
960KB

Download
memory/4028-10-0x00000000759F0000-0x0000000075AE0000-memory.dmp

Filesize
960KB

Download
memory/4028-29-0x00000000759F0000-0x0000000075AE0000-memory.dmp

Filesize
960KB

Download
memory/4028-30-0x0000000005B90000-0x0000000005BBB000-memory.dmp

Filesize
172KB

Download
memory/4028-8-0x0000000077B75000-0x0000000077B76000-memory.dmp

Filesize
4KB

Download
memory/4028-6-0x0000000005B90000-0x0000000005BBB000-memory.dmp

Filesize
172KB

Download
memory/4028-1-0x0000000077BA4000-0x0000000077BA6000-memory.dmp

Filesize
8KB

Download
memory/4028-2-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4028-3-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4028-4-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4028-5-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4948-38-0x0000000005A50000-0x0000000005A7B000-memory.dmp

Filesize
172KB

Download
memory/4948-40-0x0000000077B75000-0x0000000077B76000-memory.dmp

Filesize
4KB

Download
memory/4948-37-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4948-42-0x00000000759F0000-0x0000000075AE0000-memory.dmp

Filesize
960KB

Download
memory/4948-43-0x00000000759F0000-0x0000000075AE0000-memory.dmp

Filesize
960KB

Download
memory/4948-44-0x0000000077B72000-0x0000000077B73000-memory.dmp

Filesize
4KB

Download
memory/4948-36-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4948-46-0x0000000005A50000-0x0000000005A7B000-memory.dmp

Filesize
172KB

Download
memory/4948-45-0x0000000077B73000-0x0000000077B74000-memory.dmp

Filesize
4KB

Download
memory/4948-48-0x0000000077B8B000-0x0000000077B8C000-memory.dmp

Filesize
4KB

Download
memory/4948-49-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4948-50-0x0000000077B57000-0x0000000077B58000-memory.dmp

Filesize
4KB

Download
memory/4948-35-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4948-34-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4948-33-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4948-59-0x0000000000400000-0x0000000001906000-memory.dmp

Filesize
21.0MB

Download
memory/4948-60-0x00000000759F0000-0x0000000075AE0000-memory.dmp

Filesize
960KB

Download
memory/4948-61-0x0000000005A50000-0x0000000005A7B000-memory.dmp

Filesize
172KB

Download