Analysis
- max time kernel: 109s
- max time network: 139s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 15-05-2021 04:11
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll
  - Resource: win7v20210410
General
- Target: 602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll
- Size: 593KB
- MD5: 6ade6fd07766bfcee12779da5731f0f9
- SHA1: 2fbbfcaec9d68129bac35ea6c4638497e1a4aa54
- SHA256: 602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d
- SHA512: b55f8ed44befa1d337839b8ed4cd7ea82d57269873eed3d80bd3c96deaf87b5fe5d71e1c34e81b46e36a631e2b452aaced827c9f24bb002cec3228126a202a10
Malware Config
Signatures
- Executes dropped EXE 2 IoCs
  Processes (pid, process):
  - 2020 rundll32Srv.exe
  - 2036 DesktopLayer.exe
- Yara matches (resource, yara_rule):
  - \Windows\SysWOW64\rundll32Srv.exe upx
  - C:\Windows\SysWOW64\rundll32Srv.exe upx
  - C:\Windows\SysWOW64\rundll32Srv.exe upx
  - \Program Files (x86)\Microsoft\DesktopLayer.exe upx
  - C:\Program Files (x86)\Microsoft\DesktopLayer.exe upx
  - C:\Program Files (x86)\Microsoft\DesktopLayer.exe upx
  - behavioral1/memory/2020-76-0x0000000000400000-0x000000000042E000-memory.dmp upx
- Loads dropped DLL 2 IoCs
  Processes (pid, process):
  - 1924 rundll32.exe
  - 2020 rundll32Srv.exe
- Drops file in System32 directory 1 IoCs
  Processes (description, ioc, process):
  - File created: C:\Windows\SysWOW64\rundll32Srv.exe (rundll32.exe)
- Drops file in Program Files directory 3 IoCs
  Processes (description, ioc, process):
  - File opened for modification: C:\Program Files (x86)\Microsoft\px1D7F.tmp (rundll32Srv.exe)
  - File created: C:\Program Files (x86)\Microsoft\DesktopLayer.exe (rundll32Srv.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft\DesktopLayer.exe (rundll32Srv.exe)
- Program crash 1 IoCs
  Processes (pid, pid_target, process, target process):
  - 1988 1924 WerFault.exe rundll32.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF3636B1-B55B-11EB-AB32-6E76A0352788} = "0" (iexplore.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup (iexplore.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames (iexplore.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327834207" (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (iexplore.exe)
- Suspicious behavior: EnumeratesProcesses 17 IoCs
  Processes (pid, process):
  - 1924 rundll32.exe (9 entries)
  - 2036 DesktopLayer.exe (4 entries)
  - 1988 WerFault.exe (4 entries)
- Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  Processes (pid, process):
  - 1988 WerFault.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes (description, pid, process):
  - Token: SeDebugPrivilege 1988 WerFault.exe
- Suspicious use of FindShellTrayWindow 1 IoCs
  Processes (pid, process):
  - 1996 iexplore.exe
- Suspicious use of SetWindowsHookEx 4 IoCs
  Processes (pid, process):
  - 1996 iexplore.exe (2 entries)
  - 1552 IEXPLORE.EXE (2 entries)
- Suspicious use of WriteProcessMemory 27 IoCs
  Processes (description, pid, process, target process):
  - PID 664 wrote to memory of 1924: rundll32.exe -> rundll32.exe (7 entries)
  - PID 1924 wrote to memory of 2020: rundll32.exe -> rundll32Srv.exe (4 entries)
  - PID 2020 wrote to memory of 2036: rundll32Srv.exe -> DesktopLayer.exe (4 entries)
  - PID 1924 wrote to memory of 1988: rundll32.exe -> WerFault.exe (4 entries)
  - PID 2036 wrote to memory of 1996: DesktopLayer.exe -> iexplore.exe (4 entries)
  - PID 1996 wrote to memory of 1552: iexplore.exe -> IEXPLORE.EXE (4 entries)
Processes
- C:\Windows\system32\rundll32.exe (depth 1, PID:664)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll,#1
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\rundll32.exe (depth 2, PID:1924)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll,#1
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\rundll32Srv.exe (depth 3, PID:2020)
  command line: C:\Windows\SysWOW64\rundll32Srv.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe (depth 4, PID:2036)
  command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
- C:\Program Files\Internet Explorer\iexplore.exe (depth 5, PID:1996)
  command line: "C:\Program Files\Internet Explorer\iexplore.exe"
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 6, PID:1552)
  command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
- C:\Windows\SysWOW64\WerFault.exe (depth 3, PID:1988)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 268
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  MD5: 418f4d192a75ef7f17c747644068ed55
  SHA1: 9ca9147e3854ad7eefff4a0262babbe31ab6d172
  SHA256: 9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186
  SHA512: 23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C8WLG890.txt
  MD5: fbeab2b1fa3ffbc16e675ad68e45b512
  SHA1: b62e6d96cdb187acccc8054d7be33b868acd6825
  SHA256: 7f8b70840fb3e3b23941837e7d5f7c4a762f89d6b81a978c84abdcbba503262c
  SHA512: 4e3d0c1af38d08621c995a98e6570b5c984422006d62094a08a4e63d7a42e56ca37c815e1816634b73e84d2e9b7e9d9781677a4cda169e79ff4d169233be2cc4
- C:\Windows\SysWOW64\rundll32Srv.exe
  MD5: 418f4d192a75ef7f17c747644068ed55
  SHA1: 9ca9147e3854ad7eefff4a0262babbe31ab6d172
  SHA256: 9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186
  SHA512: 23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2
- \Program Files (x86)\Microsoft\DesktopLayer.exe
  MD5: 418f4d192a75ef7f17c747644068ed55
  SHA1: 9ca9147e3854ad7eefff4a0262babbe31ab6d172
  SHA256: 9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186
  SHA512: 23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2
- \Windows\SysWOW64\rundll32Srv.exe
  MD5: 418f4d192a75ef7f17c747644068ed55
  SHA1: 9ca9147e3854ad7eefff4a0262babbe31ab6d172
  SHA256: 9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186
  SHA512: 23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2
- memory/1552-80-0x0000000000000000-mapping.dmp
- memory/1924-77-0x00000000000C0000-0x00000000000EE000-memory.dmp (Filesize 184KB)
- memory/1924-61-0x0000000075EF1000-0x0000000075EF3000-memory.dmp (Filesize 8KB)
- memory/1924-60-0x0000000000000000-mapping.dmp
- memory/1988-73-0x0000000000000000-mapping.dmp
- memory/1988-82-0x00000000004C0000-0x00000000004C1000-memory.dmp (Filesize 4KB)
- memory/1996-81-0x0000000004CB0000-0x0000000004CB1000-memory.dmp (Filesize 4KB)
- memory/1996-74-0x0000000000000000-mapping.dmp
- memory/2020-63-0x0000000000000000-mapping.dmp
- memory/2020-75-0x00000000001C0000-0x00000000001CF000-memory.dmp (Filesize 60KB)
- memory/2020-76-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
- memory/2036-72-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize 4KB)
- memory/2036-68-0x0000000000000000-mapping.dmp