Analysis
-
max time kernel
132s -
max time network
145s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
16-05-2021 05:48
Static task
static1
Behavioral task
behavioral1
Sample
c2c2b5396c067f2f9af045b664c1f7ec3ae1cc13668acd8b04860a39063d3e28.dll
Resource
win7v20210410
General
-
Target
c2c2b5396c067f2f9af045b664c1f7ec3ae1cc13668acd8b04860a39063d3e28.dll
-
Size
303KB
-
MD5
07893c856a2df7acd180f570ee546c15
-
SHA1
212df564993b9890ceca5a2598d5cee0d29ac347
-
SHA256
c2c2b5396c067f2f9af045b664c1f7ec3ae1cc13668acd8b04860a39063d3e28
-
SHA512
209388795aea439d47b018763dd64ab28ab9b38fc14da9c7763332a5b8bcf3ffa67de700f7e62c994bcb716ebf1869321c98743f5e5db0432befdb13aed0ed9b
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
rundll32Srv.exeDesktopLayer.exepid process 3940 rundll32Srv.exe 3568 DesktopLayer.exe -
Processes:
resource yara_rule C:\Windows\SysWOW64\rundll32Srv.exe upx C:\Windows\SysWOW64\rundll32Srv.exe upx C:\Program Files (x86)\Microsoft\DesktopLayer.exe upx C:\Program Files (x86)\Microsoft\DesktopLayer.exe upx behavioral2/memory/3940-126-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe -
Drops file in Program Files directory 3 IoCs
Processes:
rundll32Srv.exedescription ioc process File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\px118A.tmp rundll32Srv.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "574662767" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327984073" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "574662767" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "328016065" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4DB5BC46-B692-11EB-A11C-F29CEA8FB389} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886559" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886559" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327967480" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "581694996" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886559" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
DesktopLayer.exerundll32.exepid process 3568 DesktopLayer.exe 3568 DesktopLayer.exe 3568 DesktopLayer.exe 3568 DesktopLayer.exe 3568 DesktopLayer.exe 3568 DesktopLayer.exe 3568 DesktopLayer.exe 3568 DesktopLayer.exe 500 rundll32.exe 500 rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
iexplore.exepid process 1448 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
rundll32.exedescription pid process Token: SeIncreaseQuotaPrivilege 500 rundll32.exe Token: SeSecurityPrivilege 500 rundll32.exe Token: SeTakeOwnershipPrivilege 500 rundll32.exe Token: SeLoadDriverPrivilege 500 rundll32.exe Token: SeSystemProfilePrivilege 500 rundll32.exe Token: SeSystemtimePrivilege 500 rundll32.exe Token: SeProfSingleProcessPrivilege 500 rundll32.exe Token: SeIncBasePriorityPrivilege 500 rundll32.exe Token: SeCreatePagefilePrivilege 500 rundll32.exe Token: SeBackupPrivilege 500 rundll32.exe Token: SeRestorePrivilege 500 rundll32.exe Token: SeShutdownPrivilege 500 rundll32.exe Token: SeDebugPrivilege 500 rundll32.exe Token: SeSystemEnvironmentPrivilege 500 rundll32.exe Token: SeRemoteShutdownPrivilege 500 rundll32.exe Token: SeUndockPrivilege 500 rundll32.exe Token: SeManageVolumePrivilege 500 rundll32.exe Token: 33 500 rundll32.exe Token: 34 500 rundll32.exe Token: 35 500 rundll32.exe Token: 36 500 rundll32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1448 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 1448 iexplore.exe 1448 iexplore.exe 3696 IEXPLORE.EXE 3696 IEXPLORE.EXE 3696 IEXPLORE.EXE 3696 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
rundll32.exerundll32.exerundll32Srv.exeDesktopLayer.exeiexplore.exedescription pid process target process PID 2680 wrote to memory of 500 2680 rundll32.exe rundll32.exe PID 2680 wrote to memory of 500 2680 rundll32.exe rundll32.exe PID 2680 wrote to memory of 500 2680 rundll32.exe rundll32.exe PID 500 wrote to memory of 3940 500 rundll32.exe rundll32Srv.exe PID 500 wrote to memory of 3940 500 rundll32.exe rundll32Srv.exe PID 500 wrote to memory of 3940 500 rundll32.exe rundll32Srv.exe PID 3940 wrote to memory of 3568 3940 rundll32Srv.exe DesktopLayer.exe PID 3940 wrote to memory of 3568 3940 rundll32Srv.exe DesktopLayer.exe PID 3940 wrote to memory of 3568 3940 rundll32Srv.exe DesktopLayer.exe PID 3568 wrote to memory of 1448 3568 DesktopLayer.exe iexplore.exe PID 3568 wrote to memory of 1448 3568 DesktopLayer.exe iexplore.exe PID 1448 wrote to memory of 3696 1448 iexplore.exe IEXPLORE.EXE PID 1448 wrote to memory of 3696 1448 iexplore.exe IEXPLORE.EXE PID 1448 wrote to memory of 3696 1448 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c2c2b5396c067f2f9af045b664c1f7ec3ae1cc13668acd8b04860a39063d3e28.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c2c2b5396c067f2f9af045b664c1f7ec3ae1cc13668acd8b04860a39063d3e28.dll,#12⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32Srv.exeC:\Windows\SysWOW64\rundll32Srv.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:82945 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
55205f68311ba681b087489576566937
SHA16365b0130e0cab1958461376ea7058b69a89740f
SHA256e58e5259c4731c23c6ef713508e2df9162a19e82e36ce67056cc860ef5d1bc03
SHA51206dceeb161f494f43572a5258d4c740382716adbe1374d9c9fac8143087e2ba7bfb808b05d7b922511ce42908b9c7b7a155536033efec7d74e8323ee2af72261
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
eead734551acac08876abf162ab2d206
SHA1b35e522bd882b48c9856dda82a2d27224c49331e
SHA2564ed9983f3d7496208737f7d0a7ff276bc271c8f0f217dfe2cbe7aa598e83a8df
SHA512f914fbd97484f9295a32d5aab904d05367a05f15850388e7a3c3d3303b611a3dabaf82ef57e4b5e7c70ec78f9cd150de74fe1894a2d2cc5f7af77c361c08afaa
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\700ESFZB.cookieMD5
0af3a23f0405bbf5ca3f7971997af98c
SHA16898999a584dc2e4232df470d86cf571733c0296
SHA256e9f0c7083011cfa962cd219646bd32a2ed87638951a530054ff85d43ef196d67
SHA5124f441cdffddfa07d61f1e5237eac60345796c249db7a6b94b35c0cf56b81cae06ea3c29199a20733b209238bce58b3b5054d2a192e631c41b3019aed7971a9f7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\D48IQRQY.cookieMD5
b7ea5f3352d9559482cbe1aed176e2d3
SHA1d61167866b802a04993ec48559f533c146cb205c
SHA2566ab0454c074fda451085214999bff9e9fc13758f2980124b6efa6bed9678450d
SHA512dd653c6a256237c70dc1b49fc08bf900f1285bf7e787c3d2184f798b7704cb49e8b12eb2e9507f788215e647dd9d1dbcaf131735ce02096c02e62e71dd462451
-
C:\Windows\SysWOW64\rundll32Srv.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Windows\SysWOW64\rundll32Srv.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
memory/500-114-0x0000000000000000-mapping.dmp
-
memory/1448-122-0x0000000000000000-mapping.dmp
-
memory/1448-123-0x00007FFD68B30000-0x00007FFD68B9B000-memory.dmpFilesize
428KB
-
memory/3568-118-0x0000000000000000-mapping.dmp
-
memory/3568-121-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/3696-124-0x0000000000000000-mapping.dmp
-
memory/3940-126-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/3940-125-0x00000000001E0000-0x00000000001EF000-memory.dmpFilesize
60KB
-
memory/3940-115-0x0000000000000000-mapping.dmp