Analysis
- max time kernel: 140s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 11-05-2021 14:06
Static task: static1
Behavioral task: behavioral1
Sample: 7b945215c65146faea45ab75d8a842a56d0ecff0ec7ed4b7dde9caf8c6dc3963.dll
Resource: win7v20210410
General
- Target: 7b945215c65146faea45ab75d8a842a56d0ecff0ec7ed4b7dde9caf8c6dc3963.dll
- Size: 276KB
- MD5: d8422419e68cadb2283be20e88119ebe
- SHA1: d408afceb43ae005212de514add4a399bea0ed08
- SHA256: 7b945215c65146faea45ab75d8a842a56d0ecff0ec7ed4b7dde9caf8c6dc3963
- SHA512: 7ba20fd1dbd8c0f183f6c0ff55813538b2bb03d0c1c3bd7103a2f423f77f56f348c38b55a335e8dd45cbcf53695609def44610aed7d5aa7f298983e4b40f6a05
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes: rundll32Srv.exe, DesktopLayer.exe
  pid   process
  4828  rundll32Srv.exe
  4888  DesktopLayer.exe
Processes:
  resource                                                                      yara_rule
  C:\Windows\SysWOW64\rundll32Srv.exe                                           upx
  C:\Windows\SysWOW64\rundll32Srv.exe                                           upx
  C:\Program Files (x86)\Microsoft\DesktopLayer.exe                             upx
  C:\Program Files (x86)\Microsoft\DesktopLayer.exe                             upx
  behavioral2/memory/4828-126-0x0000000000400000-0x000000000042E000-memory.dmp  upx
Drops file in System32 directory 1 IoCs
Processes: rundll32.exe
  description   ioc                                  process
  File created  C:\Windows\SysWOW64\rundll32Srv.exe  rundll32.exe
Drops file in Program Files directory 3 IoCs
Processes: rundll32Srv.exe
  description                   ioc                                                process
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  rundll32Srv.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\px2418.tmp        rundll32Srv.exe
  File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe  rundll32Srv.exe
Program crash 1 IoCs
Processes: WerFault.exe
  pid   pid_target  process       target process
  5012  4472        WerFault.exe  rundll32.exe
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
  description       ioc                                                                                                                                                          process
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DB51D2EB-B29B-11EB-A11C-6E47AA25CD96} = "0"  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\  iexplore.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327531778"  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327580364"  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main  IEXPLORE.EXE
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager  IEXPLORE.EXE
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885544"  IEXPLORE.EXE
  Set value (data)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  iexplore.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  iexplore.exe
  Set value (str)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2950792152"  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885544"  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2950792152"  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885544"  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2959698515"  IEXPLORE.EXE
  Set value (data)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki  iexplore.exe
  Set value (data)  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4  iexplore.exe
  Set value (int)   \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327548372"  iexplore.exe
  Key created       \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead  iexplore.exe
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes: DesktopLayer.exe, WerFault.exe
  pid   process
  4888  DesktopLayer.exe
  4888  DesktopLayer.exe
  4888  DesktopLayer.exe
  4888  DesktopLayer.exe
  4888  DesktopLayer.exe
  4888  DesktopLayer.exe
  4888  DesktopLayer.exe
  4888  DesktopLayer.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
  5012  WerFault.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: WerFault.exe
  description                 pid   process
  Token: SeRestorePrivilege   5012  WerFault.exe
  Token: SeBackupPrivilege    5012  WerFault.exe
  Token: SeDebugPrivilege     5012  WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: iexplore.exe
  pid   process
  4972  iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
  pid   process
  4972  iexplore.exe
  4972  iexplore.exe
  3148  IEXPLORE.EXE
  3148  IEXPLORE.EXE
Suspicious use of WriteProcessMemory 14 IoCs
Processes: rundll32.exe, rundll32.exe, rundll32Srv.exe, DesktopLayer.exe, iexplore.exe
  description                         pid   process           target process
  PID 4460 wrote to memory of 4472    4460  rundll32.exe      rundll32.exe
  PID 4460 wrote to memory of 4472    4460  rundll32.exe      rundll32.exe
  PID 4460 wrote to memory of 4472    4460  rundll32.exe      rundll32.exe
  PID 4472 wrote to memory of 4828    4472  rundll32.exe      rundll32Srv.exe
  PID 4472 wrote to memory of 4828    4472  rundll32.exe      rundll32Srv.exe
  PID 4472 wrote to memory of 4828    4472  rundll32.exe      rundll32Srv.exe
  PID 4828 wrote to memory of 4888    4828  rundll32Srv.exe   DesktopLayer.exe
  PID 4828 wrote to memory of 4888    4828  rundll32Srv.exe   DesktopLayer.exe
  PID 4828 wrote to memory of 4888    4828  rundll32Srv.exe   DesktopLayer.exe
  PID 4888 wrote to memory of 4972    4888  DesktopLayer.exe  iexplore.exe
  PID 4888 wrote to memory of 4972    4888  DesktopLayer.exe  iexplore.exe
  PID 4972 wrote to memory of 3148    4972  iexplore.exe      IEXPLORE.EXE
  PID 4972 wrote to memory of 3148    4972  iexplore.exe      IEXPLORE.EXE
  PID 4972 wrote to memory of 3148    4972  iexplore.exe      IEXPLORE.EXE
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b945215c65146faea45ab75d8a842a56d0ecff0ec7ed4b7dde9caf8c6dc3963.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7b945215c65146faea45ab75d8a842a56d0ecff0ec7ed4b7dde9caf8c6dc3963.dll,#1
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32Srv.exe
      Command line: C:\Windows\SysWOW64\rundll32Srv.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4972 CREDAT:82945 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 644
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: 06165dea77d5d10217992bd74f065006
  SHA1: 964d97611d8050aaf7d8a3a5e641cd20df6afd92
  SHA256: 9b125647f3ede14fa37214fe956f3b906f8bf58510bdc1eecfdf2ca4c827fe8f
  SHA512: e126e1fdd45d2b08c37724b568a1ee9eef95895f2c31f5626186032293eb7f2a62f907fea96f1f0fca4c7de3cd9bac45df28bb69d42b2cd7ea5468e1aefdfee2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  MD5: 32e6c388ae0fe88feb8818568b5f92a4
  SHA1: aead9ac1d31e68b6103dc3e8d474612ad0a4e2c4
  SHA256: d193f6b59600795526e521d46c8ca2b093a65a72dc816c61b26cca94b745414c
  SHA512: f17ddaf99ec570e32f9c019aed313a08c84b5671886102a6b0bd4eba5c1e28b42154829130b02185f5a89b510ddb4aa3afc0f3b34a5ccf1abfe9e612317aeb8d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\0L6RP3TW.cookie
  MD5: 7822652d23368dca22093a1ce1da27ef
  SHA1: 0432886dde0c41b205c80e092a051313a10b3be2
  SHA256: fb5367ee0bf986f39d6a9e6a83061abb180347097c33e07074650789fbf0f1ff
  SHA512: 312e0ebd364ef3c6229fdc22e4fc7dba3b83ad64003bc57eaa05f54e5ffd4574ec3e2ea8d199262bddd70d775ad95c1e579ef3961a495e992ba86c41e04188a2
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\VNXCZ2TZ.cookie
  MD5: 3cf77efff5de71c12aeca57adab4f833
  SHA1: ed8bb0fdf334f479d5263252afe1654cce1d8f70
  SHA256: 3cbd889a144fbc6fbde8441faa9f4adfb68f732cd9b50f68eb29a43f7c5e93b8
  SHA512: f87e620f019b4137067446de9b715260f536a8ceef38804293159171510c51ce761207e641ff23491a2ff1d0bf93afc44ec9b21d6906c225d97b5468f894a100
-
C:\Windows\SysWOW64\rundll32Srv.exe
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
- memory/3148-124-0x0000000000000000-mapping.dmp
- memory/4472-114-0x0000000000000000-mapping.dmp
- memory/4828-115-0x0000000000000000-mapping.dmp
- memory/4828-125-0x00000000001E0000-0x00000000001EF000-memory.dmp (Filesize: 60KB)
- memory/4828-126-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/4888-118-0x0000000000000000-mapping.dmp
- memory/4888-121-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize: 4KB)
- memory/4972-123-0x00007FF9E3D90000-0x00007FF9E3DFB000-memory.dmp (Filesize: 428KB)
- memory/4972-122-0x0000000000000000-mapping.dmp