Analysis
-
max time kernel
92s -
max time network
141s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
13-05-2021 13:19
Static task
static1
Behavioral task
behavioral1
Sample
29233737fd55f65b571c76132b43133c71ce5fede9825a03d2e2928fdb399a3b.dll
Resource
win7v20210408
General
-
Target
29233737fd55f65b571c76132b43133c71ce5fede9825a03d2e2928fdb399a3b.dll
-
Size
536KB
-
MD5
3e096103e9228d6c68d53a66d5744952
-
SHA1
655f73c6d6d61d5e3f7f135b6dc4ddf756a20385
-
SHA256
29233737fd55f65b571c76132b43133c71ce5fede9825a03d2e2928fdb399a3b
-
SHA512
22b35fdb2edd2c8c26adea0a2c53a5ee668f813eda76984f6f61ed4832b11623ea2e27d2dbf11e225dc9d2cb74cefd616aedcc4fe1b96e64232381932d7e9993
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
rundll32Srv.exeDesktopLayer.exepid process 216 rundll32Srv.exe 208 DesktopLayer.exe -
Processes:
resource yara_rule C:\Windows\SysWOW64\rundll32Srv.exe upx C:\Windows\SysWOW64\rundll32Srv.exe upx behavioral2/memory/208-124-0x0000000000400000-0x000000000042E000-memory.dmp upx C:\Program Files (x86)\Microsoft\DesktopLayer.exe upx C:\Program Files (x86)\Microsoft\DesktopLayer.exe upx -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe -
Drops file in Program Files directory 3 IoCs
Processes:
rundll32Srv.exedescription ioc process File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\pxF28.tmp rundll32Srv.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1484 3264 WerFault.exe rundll32.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A8EB459E-B482-11EB-A11C-4624C1D76809} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2112710920" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2106460750" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886031" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327789444" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886031" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327740858" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327757452" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886031" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2106460750" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
DesktopLayer.exeWerFault.exepid process 208 DesktopLayer.exe 208 DesktopLayer.exe 208 DesktopLayer.exe 208 DesktopLayer.exe 208 DesktopLayer.exe 208 DesktopLayer.exe 208 DesktopLayer.exe 208 DesktopLayer.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe 1484 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 1484 WerFault.exe Token: SeBackupPrivilege 1484 WerFault.exe Token: SeDebugPrivilege 1484 WerFault.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 2248 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 2248 iexplore.exe 2248 iexplore.exe 2064 IEXPLORE.EXE 2064 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
rundll32.exerundll32.exerundll32Srv.exeDesktopLayer.exeiexplore.exedescription pid process target process PID 4060 wrote to memory of 3264 4060 rundll32.exe rundll32.exe PID 4060 wrote to memory of 3264 4060 rundll32.exe rundll32.exe PID 4060 wrote to memory of 3264 4060 rundll32.exe rundll32.exe PID 3264 wrote to memory of 216 3264 rundll32.exe rundll32Srv.exe PID 3264 wrote to memory of 216 3264 rundll32.exe rundll32Srv.exe PID 3264 wrote to memory of 216 3264 rundll32.exe rundll32Srv.exe PID 216 wrote to memory of 208 216 rundll32Srv.exe DesktopLayer.exe PID 216 wrote to memory of 208 216 rundll32Srv.exe DesktopLayer.exe PID 216 wrote to memory of 208 216 rundll32Srv.exe DesktopLayer.exe PID 208 wrote to memory of 2248 208 DesktopLayer.exe iexplore.exe PID 208 wrote to memory of 2248 208 DesktopLayer.exe iexplore.exe PID 2248 wrote to memory of 2064 2248 iexplore.exe IEXPLORE.EXE PID 2248 wrote to memory of 2064 2248 iexplore.exe IEXPLORE.EXE PID 2248 wrote to memory of 2064 2248 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\29233737fd55f65b571c76132b43133c71ce5fede9825a03d2e2928fdb399a3b.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\29233737fd55f65b571c76132b43133c71ce5fede9825a03d2e2928fdb399a3b.dll,#12⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\rundll32Srv.exeC:\Windows\SysWOW64\rundll32Srv.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:82945 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2064 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 6723⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
ef07b2dc81b7fdcc01d8a9cce1261822
SHA1535c60f61ed56d43a349e92b86dd5204a1b61859
SHA2564f4d35e9bbae40c756cb82b60a2bbfe0dfe055b06ddf2494a953ce7565ff8eb6
SHA5121a26ee805d55b252567caec75c0b75ec5493aa1865b4fd8a1cf6b18972e2ffd82ba778b4a6a80ed85c9d016d841d26be11d4bc6f4bf8d8b512e7261dc7ad3fe3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
a8029723e6c1f6125b95f208d025f2e0
SHA14a774c9df3131f386e8307d7801b1475fe33f9f6
SHA25665a80c7f2f07954ed67f2d6c3e73b3d996020a36300d729edb8bf5386fc49e24
SHA512128ce31f4dde80f3986ca15ac6b85d7562934c6ebd9a72efec85b84b783be234a69c775264a2ee77c475f313a60df20cfb1d5d439a9835e1738f603e716a4d7b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\C2Y5QFDX.cookieMD5
86defddd001f6b844f6785e86ba2b10e
SHA10772218a967972770375a39c302de55f3394b77b
SHA25647fc7a7965cefa106eb6806a02374e3f5b809450f382ee4fec2765d18aaf0da6
SHA512c6a78f2c9ee4d4bb3a2db21c2fbab40d82ebd174c3f967496dfb562526092a173ba628f30626d2434b5464bd98df686f64166fc4aee7867cadd475f65cf461cc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\IC022UZH.cookieMD5
71c146a6f239dc8ade235abf5dac6a15
SHA141843fbc6dcaff570bb779ee0090e6dd93fb8c0d
SHA2564db31bb57a17880469a339707cfb7afc505612020833a8aa1b809cd4bd5f0b22
SHA5122f751594c774da755521bef7b07f696e547cfcad81bfc6b8547b39982575da90834ab2aede25b91706579abd967c5b713dcce45268984c93d9a5c1c60c5554c5
-
C:\Windows\SysWOW64\rundll32Srv.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Windows\SysWOW64\rundll32Srv.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
memory/208-124-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/208-123-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/208-118-0x0000000000000000-mapping.dmp
-
memory/216-119-0x00000000001E0000-0x00000000001EF000-memory.dmpFilesize
60KB
-
memory/216-115-0x0000000000000000-mapping.dmp
-
memory/2064-128-0x0000000000000000-mapping.dmp
-
memory/2248-127-0x00007FFAE8E30000-0x00007FFAE8E9B000-memory.dmpFilesize
428KB
-
memory/2248-125-0x0000000000000000-mapping.dmp
-
memory/3264-114-0x0000000000000000-mapping.dmp