Analysis
-
max time kernel
93s -
max time network
142s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
16-05-2021 05:52
Static task
static1
Behavioral task
behavioral1
Sample
b21af993c655321f79fa16a8c05911ede5cc9dfdbfb981d2b754c276a1b65e6e.dll
Resource
win7v20210410
General
-
Target
b21af993c655321f79fa16a8c05911ede5cc9dfdbfb981d2b754c276a1b65e6e.dll
-
Size
151KB
-
MD5
97b81a5c9262ae3bc7067be49914e88a
-
SHA1
2dd7be09a81b0f28cb2677981b4b7be624746f12
-
SHA256
b21af993c655321f79fa16a8c05911ede5cc9dfdbfb981d2b754c276a1b65e6e
-
SHA512
a2bfef84d1300cc94ca78312cd0fe995d1afc900d3cd44559e11aa2e4fa1b46c80d57749b5dc7fe9c88ad55dcdebbe2075a59aa322d5465b29e602ec93ab8eba
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
rundll32Srv.exeDesktopLayer.exepid process 1356 rundll32Srv.exe 1648 DesktopLayer.exe -
Processes:
resource yara_rule C:\Windows\SysWOW64\rundll32Srv.exe upx C:\Windows\SysWOW64\rundll32Srv.exe upx C:\Program Files (x86)\Microsoft\DesktopLayer.exe upx C:\Program Files (x86)\Microsoft\DesktopLayer.exe upx behavioral2/memory/1356-125-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe -
Drops file in Program Files directory 3 IoCs
Processes:
rundll32Srv.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\px19E6.tmp rundll32Srv.exe File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886560" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "934221620" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{62FE053A-B693-11EB-A11C-CEFF684A7CF6} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327984539" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886560" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886560" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "328016531" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "934221620" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "944377639" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327967945" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
DesktopLayer.exepid process 1648 DesktopLayer.exe 1648 DesktopLayer.exe 1648 DesktopLayer.exe 1648 DesktopLayer.exe 1648 DesktopLayer.exe 1648 DesktopLayer.exe 1648 DesktopLayer.exe 1648 DesktopLayer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
iexplore.exepid process 1620 iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1620 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1620 iexplore.exe 1620 iexplore.exe 200 IEXPLORE.EXE 200 IEXPLORE.EXE 200 IEXPLORE.EXE 200 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
rundll32.exerundll32.exerundll32Srv.exeDesktopLayer.exeiexplore.exedescription pid process target process PID 3912 wrote to memory of 4016 3912 rundll32.exe rundll32.exe PID 3912 wrote to memory of 4016 3912 rundll32.exe rundll32.exe PID 3912 wrote to memory of 4016 3912 rundll32.exe rundll32.exe PID 4016 wrote to memory of 1356 4016 rundll32.exe rundll32Srv.exe PID 4016 wrote to memory of 1356 4016 rundll32.exe rundll32Srv.exe PID 4016 wrote to memory of 1356 4016 rundll32.exe rundll32Srv.exe PID 1356 wrote to memory of 1648 1356 rundll32Srv.exe DesktopLayer.exe PID 1356 wrote to memory of 1648 1356 rundll32Srv.exe DesktopLayer.exe PID 1356 wrote to memory of 1648 1356 rundll32Srv.exe DesktopLayer.exe PID 1648 wrote to memory of 1620 1648 DesktopLayer.exe iexplore.exe PID 1648 wrote to memory of 1620 1648 DesktopLayer.exe iexplore.exe PID 1620 wrote to memory of 200 1620 iexplore.exe IEXPLORE.EXE PID 1620 wrote to memory of 200 1620 iexplore.exe IEXPLORE.EXE PID 1620 wrote to memory of 200 1620 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b21af993c655321f79fa16a8c05911ede5cc9dfdbfb981d2b754c276a1b65e6e.dll,#11⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32Srv.exeC:\Windows\SysWOW64\rundll32Srv.exe2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:82945 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b21af993c655321f79fa16a8c05911ede5cc9dfdbfb981d2b754c276a1b65e6e.dll,#11⤵
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
55205f68311ba681b087489576566937
SHA16365b0130e0cab1958461376ea7058b69a89740f
SHA256e58e5259c4731c23c6ef713508e2df9162a19e82e36ce67056cc860ef5d1bc03
SHA51206dceeb161f494f43572a5258d4c740382716adbe1374d9c9fac8143087e2ba7bfb808b05d7b922511ce42908b9c7b7a155536033efec7d74e8323ee2af72261
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
507f90b165651a3bf2853c55c8b66440
SHA11b6532f9e5d38c7fc152d1b90c2d0ddafef563a3
SHA2568ad6d2153cd287b522fba4ee678cc6c7ced62b6dc32c90b36a8568fb9538fb03
SHA512fd99508d1b947e66ddf983b2a8b47e63f570e0e6d5718227fca4f55cf87de5f6528076ce159e8f9d3744298a2a720f648a3491de99ac5b05fe672cfdb19749a6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\B1THZYCN.cookieMD5
bde0aedb2ed5030fd20a54bde45e4238
SHA134556b0e9c3a12a8581f0a4c6190b0a61d7d7a4b
SHA25623ee5b568d0ac470463623ab789ff34b4bfe695aa41748526beb92cbd078cdf1
SHA5127b74e367a4a55a5df2a16eede4e6cc4ac9817a5a3e6f24cdf9254a8e08e7015fbce40f8b849d4e54a8b19e18d9410ef32f26a78acfbaa498de6fb53beb26c1a6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\F335LRQH.cookieMD5
7d1eccdaef3ad76d0b28af878e182dae
SHA1c00483fce0a2bb915700cb9d29ea4c553607833d
SHA2562c9c06ffcacdebc543fbd5a0afa6ad56572156fe29667eb561bd1c2d4347336e
SHA512dbf8a95de6d911608496f98ca13f82b09be813d92a04183a813d7608f7b9d77570fc316d689ad5375e46f460af8acf5f3d98a186ee34268352cc66f302378254
-
C:\Windows\SysWOW64\rundll32Srv.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Windows\SysWOW64\rundll32Srv.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
memory/200-128-0x0000000000000000-mapping.dmp
-
memory/1356-124-0x00000000001E0000-0x00000000001EF000-memory.dmpFilesize
60KB
-
memory/1356-125-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1356-115-0x0000000000000000-mapping.dmp
-
memory/1620-123-0x00007FFB7FD20000-0x00007FFB7FD8B000-memory.dmpFilesize
428KB
-
memory/1620-122-0x0000000000000000-mapping.dmp
-
memory/1648-121-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/1648-118-0x0000000000000000-mapping.dmp
-
memory/4016-114-0x0000000000000000-mapping.dmp