Analysis
-
max time kernel
92s -
max time network
142s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
16-05-2021 03:52
Static task
static1
Behavioral task
behavioral1
Sample
c55a8c23a5d7c29bb2de05ab999ad3cecaa23f4ad35e0192ced1b74a8328e767.dll
Resource
win7v20210410
General
-
Target
c55a8c23a5d7c29bb2de05ab999ad3cecaa23f4ad35e0192ced1b74a8328e767.dll
-
Size
303KB
-
MD5
d2549fffa3b22d2e481a0947996f7f0b
-
SHA1
bc6d945740b1e0488122f18751e0655635ed7e58
-
SHA256
c55a8c23a5d7c29bb2de05ab999ad3cecaa23f4ad35e0192ced1b74a8328e767
-
SHA512
7cc079904f1615ddd52338a673259ae4564ac817ec0f598ce8aed56049d625851b18024850fd24184fb8291d46242d5c2b30ea07080dd0e5e5eba6f572e73bce
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
rundll32Srv.exeDesktopLayer.exepid process 1732 rundll32Srv.exe 2044 DesktopLayer.exe -
Processes:
resource yara_rule C:\Windows\SysWOW64\rundll32Srv.exe upx C:\Windows\SysWOW64\rundll32Srv.exe upx C:\Program Files (x86)\Microsoft\DesktopLayer.exe upx C:\Program Files (x86)\Microsoft\DesktopLayer.exe upx behavioral2/memory/1732-126-0x0000000000400000-0x000000000042E000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
Processes:
rundll32.exedescription ioc process File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe -
Drops file in Program Files directory 3 IoCs
Processes:
rundll32Srv.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\px2800.tmp rundll32Srv.exe File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe -
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe -
Processes:
iexplore.exeIEXPLORE.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327954414" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886528" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E208AE35-B673-11EB-A11C-CE9B817779E4} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3063284097" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886528" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327971008" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886528" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3063284097" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3071096087" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "328003000" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
DesktopLayer.exerundll32.exepid process 2044 DesktopLayer.exe 2044 DesktopLayer.exe 2044 DesktopLayer.exe 2044 DesktopLayer.exe 2044 DesktopLayer.exe 2044 DesktopLayer.exe 2044 DesktopLayer.exe 2044 DesktopLayer.exe 3204 rundll32.exe 3204 rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
iexplore.exepid process 2168 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
rundll32.exedescription pid process Token: SeIncreaseQuotaPrivilege 3204 rundll32.exe Token: SeSecurityPrivilege 3204 rundll32.exe Token: SeTakeOwnershipPrivilege 3204 rundll32.exe Token: SeLoadDriverPrivilege 3204 rundll32.exe Token: SeSystemProfilePrivilege 3204 rundll32.exe Token: SeSystemtimePrivilege 3204 rundll32.exe Token: SeProfSingleProcessPrivilege 3204 rundll32.exe Token: SeIncBasePriorityPrivilege 3204 rundll32.exe Token: SeCreatePagefilePrivilege 3204 rundll32.exe Token: SeBackupPrivilege 3204 rundll32.exe Token: SeRestorePrivilege 3204 rundll32.exe Token: SeShutdownPrivilege 3204 rundll32.exe Token: SeDebugPrivilege 3204 rundll32.exe Token: SeSystemEnvironmentPrivilege 3204 rundll32.exe Token: SeRemoteShutdownPrivilege 3204 rundll32.exe Token: SeUndockPrivilege 3204 rundll32.exe Token: SeManageVolumePrivilege 3204 rundll32.exe Token: 33 3204 rundll32.exe Token: 34 3204 rundll32.exe Token: 35 3204 rundll32.exe Token: 36 3204 rundll32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 2168 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
iexplore.exeIEXPLORE.EXEpid process 2168 iexplore.exe 2168 iexplore.exe 2572 IEXPLORE.EXE 2572 IEXPLORE.EXE 2572 IEXPLORE.EXE 2572 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
rundll32.exerundll32.exerundll32Srv.exeDesktopLayer.exeiexplore.exedescription pid process target process PID 3724 wrote to memory of 3204 3724 rundll32.exe rundll32.exe PID 3724 wrote to memory of 3204 3724 rundll32.exe rundll32.exe PID 3724 wrote to memory of 3204 3724 rundll32.exe rundll32.exe PID 3204 wrote to memory of 1732 3204 rundll32.exe rundll32Srv.exe PID 3204 wrote to memory of 1732 3204 rundll32.exe rundll32Srv.exe PID 3204 wrote to memory of 1732 3204 rundll32.exe rundll32Srv.exe PID 1732 wrote to memory of 2044 1732 rundll32Srv.exe DesktopLayer.exe PID 1732 wrote to memory of 2044 1732 rundll32Srv.exe DesktopLayer.exe PID 1732 wrote to memory of 2044 1732 rundll32Srv.exe DesktopLayer.exe PID 2044 wrote to memory of 2168 2044 DesktopLayer.exe iexplore.exe PID 2044 wrote to memory of 2168 2044 DesktopLayer.exe iexplore.exe PID 2168 wrote to memory of 2572 2168 iexplore.exe IEXPLORE.EXE PID 2168 wrote to memory of 2572 2168 iexplore.exe IEXPLORE.EXE PID 2168 wrote to memory of 2572 2168 iexplore.exe IEXPLORE.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c55a8c23a5d7c29bb2de05ab999ad3cecaa23f4ad35e0192ced1b74a8328e767.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c55a8c23a5d7c29bb2de05ab999ad3cecaa23f4ad35e0192ced1b74a8328e767.dll,#12⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32Srv.exeC:\Windows\SysWOW64\rundll32Srv.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2168 CREDAT:82945 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
55205f68311ba681b087489576566937
SHA16365b0130e0cab1958461376ea7058b69a89740f
SHA256e58e5259c4731c23c6ef713508e2df9162a19e82e36ce67056cc860ef5d1bc03
SHA51206dceeb161f494f43572a5258d4c740382716adbe1374d9c9fac8143087e2ba7bfb808b05d7b922511ce42908b9c7b7a155536033efec7d74e8323ee2af72261
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776MD5
c29567d1b33de341e048b6743144eb14
SHA1537a29851c7251f95001bfb03645efb442602540
SHA256ba3882419ce6bfe9447b5f0a251b18671e797a5165912d4e02c745425ee023dd
SHA51263d57b5f87cb9e786cc9568e73263838f9c4c61d5888d8b7e8a21ea87484d125761d464ed44c28bb4fcb848491a7629a080809137aaa0e12750b2612879abcb1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\WAY7F3FZ.cookieMD5
c43e6a4d211f1cbdd243cfc419245d0a
SHA16c9b9c1eaade2c65a46295b0833b97c0c5c20678
SHA25644de49a4e50ea408fc74cea8695bec768a57219800545fbdf87daca55d352622
SHA512643641f211f3017ab2beb68b72f94db14739ac8677f6621463645402aa03cdaa2ce631cc8be489a4295dfd67a8c2afe840f582d54e2744cb8331e50324e380cf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\ZD5W76EM.cookieMD5
c3e75e4d42672f40efc22f5e8a3bc70c
SHA100880a3a01844ebbaba12afa0fa9cca14d74a4fc
SHA2561040fe144379291e9175af769576695eb8e2caaed01bef91764861563c40203c
SHA5122f56136e5d91a4e9fa02849553ffc27fc0eebf4e8478701a1db9eeab78655708acda202e5115105a16a2fcef716087ecb85679ea5d35c81acf05077c2ed46ebf
-
C:\Windows\SysWOW64\rundll32Srv.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Windows\SysWOW64\rundll32Srv.exeMD5
ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
memory/1732-125-0x00000000001E0000-0x00000000001EF000-memory.dmpFilesize
60KB
-
memory/1732-115-0x0000000000000000-mapping.dmp
-
memory/1732-126-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/2044-118-0x0000000000000000-mapping.dmp
-
memory/2044-121-0x0000000000540000-0x0000000000541000-memory.dmpFilesize
4KB
-
memory/2168-123-0x00007FFA588F0000-0x00007FFA5895B000-memory.dmpFilesize
428KB
-
memory/2168-122-0x0000000000000000-mapping.dmp
-
memory/2572-124-0x0000000000000000-mapping.dmp
-
memory/3204-114-0x0000000000000000-mapping.dmp