Analysis
  max time kernel:  92s
  max time network: 146s
  platform:         windows10_x64
  resource:         win10v20210410
  submitted:        13-05-2021 12:05
  Static task:      static1
  Behavioral task:  behavioral1
  Sample:           d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7.exe
  Resource:         win7v20210410
General
  Target: d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7.exe
  Size:   116KB
  MD5:    78fd901508f5ab965aa00b6962d767df
  SHA1:   67c5798691e4f6549eb7e9bbdef375fa2fdcbd14
  SHA256: d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7
  SHA512: 6879bff3b313455c4cff0bcab6181f66528fda97b559c5e5e52b5694e32de2ca4750a0fc752da7203a7f5caef827dd0d37c441a6c2a327f49fea6fd2a0e1fd07
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  3712 | d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe
  588  | DesktopLayer.exe
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe | upx
  C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe | upx
  C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
  C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
  behavioral2/memory/3712-123-0x0000000000400000-0x000000000042E000-memory.dmp | upx
Drops file in Program Files directory (3 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Microsoft\px191B.tmp | d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe
  File created | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Internet Explorer settings (40 IoCs)
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3032112391" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327730643" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DF6C56B3-B46A-11EB-A11C-7280A1B46CD1} = "0" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327747236" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886007" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886007" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886007" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3022425024" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3022425024" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327779228" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead | iexplore.exe
Modifies registry class (1 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7.exe
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
  pid | process
  588 | DesktopLayer.exe   (8 entries, all for this pid/process)
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
  pid | process
  800 | iexplore.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  pid  | process
  800  | iexplore.exe   (2 entries)
  3916 | IEXPLORE.EXE   (4 entries)
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  description | pid | process | target process
  PID 1744 wrote to memory of 3712 | 1744 | d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7.exe | d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe   (3 entries)
  PID 3712 wrote to memory of 588 | 3712 | d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe | DesktopLayer.exe   (3 entries)
  PID 588 wrote to memory of 800 | 588 | DesktopLayer.exe | iexplore.exe   (2 entries)
  PID 800 wrote to memory of 3916 | 800 | iexplore.exe | IEXPLORE.EXE   (3 entries)
Processes
  C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7.exe"
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe
      command line: C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\iexplore.exe
          command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:800 CREDAT:82945 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
  C:\Windows\System32\rundll32.exe
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    MD5:    ff5e1f27193ce51eec318714ef038bef
    SHA1:   b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
    SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
    SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5:    ef07b2dc81b7fdcc01d8a9cce1261822
    SHA1:   535c60f61ed56d43a349e92b86dd5204a1b61859
    SHA256: 4f4d35e9bbae40c756cb82b60a2bbfe0dfe055b06ddf2494a953ce7565ff8eb6
    SHA512: 1a26ee805d55b252567caec75c0b75ec5493aa1865b4fd8a1cf6b18972e2ffd82ba778b4a6a80ed85c9d016d841d26be11d4bc6f4bf8d8b512e7261dc7ad3fe3

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    MD5:    374de454d997d128e02284ae8f6223c8
    SHA1:   a948f23b1a7afddd347defd3b7c966eddf6ae102
    SHA256: 944ed21f6ff1de8f448cd380e170b97d4ef1258dc09bc08205e7f742750bfc7d
    SHA512: 765ad4e1c4efa596eb6b5e857bf5922e0457e2e6bf9ff89b0c63096105968125c5e65715848a140124a2f53e9ddee688ed50b233ce5e8c1de185eb3b62642e69

  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\LI51V1IZ.cookie
    MD5:    0e14c19e33621fc851c1ed4568cd0d5f
    SHA1:   ec53f709ec5526a878b7f331df5222b88ce15ba2
    SHA256: 3aed8c39e63bc523657c7bc3ea1e393eae9896678694a6c9e83c41662eae6e9e
    SHA512: b50c9965494c1f26b25d49cee610d4e3b382939ca2c336ac4f77590049e00b0f793e2f2e9ab0ec55b25c3cec946a3497dd9232766bac6b5e318f68e4032a6d60

  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\V556FYIT.cookie
    MD5:    0ce4b137212b7c7b6c316aea3bbd95a5
    SHA1:   2a34d2ab4e06bcd686d792b974d07f89945f408b
    SHA256: 12544c6d6447c9f340ecb345fc8c853f716043452874056daff1f175e40d6949
    SHA512: d2dfa2f3d3f023cf32a8f442ae94254290d07d1fb8574df3fefa5cbaea0652b7003159170d9a6581a9eb50f51f0128f37909db3d373cabb2cbb5cf6bfb02df17

  C:\Users\Admin\AppData\Local\Temp\d89720ade957d93beb913d9be72dc69d2147f5772ece01b2cd97e5208b98f3e7Srv.exe
    MD5:    ff5e1f27193ce51eec318714ef038bef
    SHA1:   b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
    SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
    SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  memory/588-120-0x00000000001F0000-0x00000000001F1000-memory.dmp
    Filesize: 4KB

  memory/588-117-0x0000000000000000-mapping.dmp

  memory/800-121-0x0000000000000000-mapping.dmp

  memory/800-126-0x00007FF8581E0000-0x00007FF85824B000-memory.dmp
    Filesize: 428KB

  memory/3712-123-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB

  memory/3712-114-0x0000000000000000-mapping.dmp

  memory/3712-122-0x00000000001E0000-0x00000000001EF000-memory.dmp
    Filesize: 60KB

  memory/3916-127-0x0000000000000000-mapping.dmp