Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 15-05-2021 04:11
- Static task: static1
- Behavioral task: behavioral1
- Sample: 602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll
- Resource: win7v20210410
General
- Target: 602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll
- Size: 593KB
- MD5: 6ade6fd07766bfcee12779da5731f0f9
- SHA1: 2fbbfcaec9d68129bac35ea6c4638497e1a4aa54
- SHA256: 602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d
- SHA512: b55f8ed44befa1d337839b8ed4cd7ea82d57269873eed3d80bd3c96deaf87b5fe5d71e1c34e81b46e36a631e2b452aaced827c9f24bb002cec3228126a202a10
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
  pid  | process
  4000 | rundll32Srv.exe
  700  | DesktopLayer.exe
- Processes:
  resource | yara_rule
  C:\Windows\SysWOW64\rundll32Srv.exe | upx
  C:\Windows\SysWOW64\rundll32Srv.exe | upx
  C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
  C:\Program Files (x86)\Microsoft\DesktopLayer.exe | upx
  behavioral2/memory/4000-123-0x0000000000400000-0x000000000042E000-memory.dmp | upx
- Drops file in System32 directory (1 IoC)
  Processes:
  description  | ioc                                  | process
  File created | C:\Windows\SysWOW64\rundll32Srv.exe | rundll32.exe
- Drops file in Program Files directory (3 IoCs)
  Processes:
  description                  | ioc                                               | process
  File opened for modification | C:\Program Files (x86)\Microsoft\pxA6E4.tmp       | rundll32Srv.exe
  File created                 | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | rundll32Srv.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\DesktopLayer.exe | rundll32Srv.exe
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process      | target process
  868 | 1428       | WerFault.exe | rundll32.exe
- Modifies Internet Explorer settings
  Processes:
  All keys below are relative to \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer
  description       | ioc                                                                    | process
  Set value (str)   | Main\WindowsSearch\Version = "WS not running"                          | iexplore.exe
  Set value (int)   | Recovery\PendingRecovery\AdminActive = "0"                             | iexplore.exe
  Key created       | DomainSuggestion                                                       | iexplore.exe
  Key created       | FlipAhead                                                              | iexplore.exe
  Set value (int)   | HistoryJournalCertificate\NextUpdateDate = "327238372"                 | iexplore.exe
  Set value (int)   | Main\CompatibilityFlags = "0"                                          | iexplore.exe
  Key created       | Recovery\AdminActive                                                   | iexplore.exe
  Set value (str)   | Main\FullScreen = "no"                                                 | iexplore.exe
  Set value (data)  | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (int)   | DomainSuggestion\NextUpdateDate = "327238315"                          | iexplore.exe
  Key created       | HistoryJournalCertificate                                              | iexplore.exe
  Key created       | Main                                                                   | iexplore.exe
  Set value (int)   | Recovery\AdminActive\{C5140896-B56C-11EB-B2DB-DAB543A68B6E} = "0"      | iexplore.exe
  Key created       | Main                                                                   | IEXPLORE.EXE
  Set value (int)   | FlipAhead\NextUpdateDate = "327238484"                                 | iexplore.exe
  Key created       | Main\WindowsSearch                                                     | iexplore.exe
  Key created       | Recovery\PendingRecovery                                               | iexplore.exe
- Suspicious behavior: EnumeratesProcesses (40 IoCs)
  Processes:
  pid  | process
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  700  | DesktopLayer.exe
  700  | DesktopLayer.exe
  700  | DesktopLayer.exe
  700  | DesktopLayer.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  700  | DesktopLayer.exe
  700  | DesktopLayer.exe
  1428 | rundll32.exe
  1428 | rundll32.exe
  700  | DesktopLayer.exe
  700  | DesktopLayer.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
  868  | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description               | pid | process
  Token: SeRestorePrivilege | 868 | WerFault.exe
  Token: SeBackupPrivilege  | 868 | WerFault.exe
  Token: SeDebugPrivilege   | 868 | WerFault.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  pid | process
  776 | iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
  pid | process
  776 | iexplore.exe
  776 | iexplore.exe
  584 | IEXPLORE.EXE
  584 | IEXPLORE.EXE
  584 | IEXPLORE.EXE
  584 | IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
  description                       | pid  | process          | target process
  PID 708 wrote to memory of 1428   | 708  | rundll32.exe     | rundll32.exe
  PID 708 wrote to memory of 1428   | 708  | rundll32.exe     | rundll32.exe
  PID 708 wrote to memory of 1428   | 708  | rundll32.exe     | rundll32.exe
  PID 1428 wrote to memory of 4000  | 1428 | rundll32.exe     | rundll32Srv.exe
  PID 1428 wrote to memory of 4000  | 1428 | rundll32.exe     | rundll32Srv.exe
  PID 1428 wrote to memory of 4000  | 1428 | rundll32.exe     | rundll32Srv.exe
  PID 4000 wrote to memory of 700   | 4000 | rundll32Srv.exe  | DesktopLayer.exe
  PID 4000 wrote to memory of 700   | 4000 | rundll32Srv.exe  | DesktopLayer.exe
  PID 4000 wrote to memory of 700   | 4000 | rundll32Srv.exe  | DesktopLayer.exe
  PID 700 wrote to memory of 776    | 700  | DesktopLayer.exe | iexplore.exe
  PID 700 wrote to memory of 776    | 700  | DesktopLayer.exe | iexplore.exe
  PID 776 wrote to memory of 584    | 776  | iexplore.exe     | IEXPLORE.EXE
  PID 776 wrote to memory of 584    | 776  | iexplore.exe     | IEXPLORE.EXE
  PID 776 wrote to memory of 584    | 776  | iexplore.exe     | IEXPLORE.EXE
Processes
(process tree, indented by depth; each entry shows image path, command line, matched signatures and PID)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 708

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\602b6f21f58e4425253c70404d7939230d058ae7601f461630fc45b4d18f9e5d.dll,#1
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1428

    C:\Windows\SysWOW64\rundll32Srv.exe
      Command line: C:\Windows\SysWOW64\rundll32Srv.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      PID: 4000

      C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 700

        C:\Program Files\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
          - Modifies Internet Explorer settings
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 776

          C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:776 CREDAT:82945 /prefetch:2
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx
            PID: 584

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 680
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 868
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  MD5: 418f4d192a75ef7f17c747644068ed55
  SHA1: 9ca9147e3854ad7eefff4a0262babbe31ab6d172
  SHA256: 9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186
  SHA512: 23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2
- C:\Windows\SysWOW64\rundll32Srv.exe
  MD5: 418f4d192a75ef7f17c747644068ed55
  SHA1: 9ca9147e3854ad7eefff4a0262babbe31ab6d172
  SHA256: 9354d8ca1e141cb10373ef9f86b4e65faabf7bcc27432c04ac84480782b79186
  SHA512: 23ed3dde1a03551430443cc61e8c5c6eacb2c10ff557f9c781a2a332100917ec61805d857ebb83dd16afe91738e1a7eb86a5be32bb4057e956078c61a12f84c2
- memory/584-129-0x0000000000000000-mapping.dmp
- memory/700-118-0x0000000000000000-mapping.dmp
- memory/700-121-0x00000000001F0000-0x00000000001F1000-memory.dmp (Filesize: 4KB)
- memory/776-126-0x0000000000000000-mapping.dmp
- memory/776-127-0x00007FFFABC30000-0x00007FFFABC9B000-memory.dmp (Filesize: 428KB)
- memory/1428-114-0x0000000000000000-mapping.dmp
- memory/1428-128-0x0000000000B40000-0x0000000000B41000-memory.dmp (Filesize: 4KB)
- memory/4000-115-0x0000000000000000-mapping.dmp
- memory/4000-122-0x00000000001E0000-0x00000000001EF000-memory.dmp (Filesize: 60KB)
- memory/4000-123-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)