Analysis
Max time kernel: 2s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 30-06-2022 19:12

Static task: static1

Behavioral task: behavioral1
Sample: 139b5e2737385a0f4f4758b115b276da11abc4ceeddb747974c5c711e48949ab.dll
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 139b5e2737385a0f4f4758b115b276da11abc4ceeddb747974c5c711e48949ab.dll
Resource: win10v2004-20220414-en
General
Target: 139b5e2737385a0f4f4758b115b276da11abc4ceeddb747974c5c711e48949ab.dll
Size: 175KB
MD5: 6da623293e4972585d1395adc5dc4b0d
SHA1: de4e53f8bef0577e0d9b074bb85818e98dce4792
SHA256: 139b5e2737385a0f4f4758b115b276da11abc4ceeddb747974c5c711e48949ab
SHA512: f984134fe6a4a205d454f529deeefd5c80283cd43c283188660cb115988c41ca62e29b4e9a1be1aee63e80675006c95d78a85a1a727415f56e3979514a8ca7b4
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  PID   Process
  1528  rundll32Srv.exe
  1376  DesktopLayer.exe
Processes:
  Resource                                                                      YARA rule
  \Windows\SysWOW64\rundll32Srv.exe                                             upx
  C:\Windows\SysWOW64\rundll32Srv.exe                                           upx
  C:\Program Files (x86)\Microsoft\DesktopLayer.exe                             upx
  C:\Program Files (x86)\Microsoft\DesktopLayer.exe                             upx
  behavioral1/memory/1376-68-0x0000000000400000-0x000000000042E000-memory.dmp   upx
  behavioral1/memory/1528-64-0x0000000000400000-0x000000000042E000-memory.dmp   upx
  \Program Files (x86)\Microsoft\DesktopLayer.exe                               upx
  C:\Windows\SysWOW64\rundll32Srv.exe                                           upx
Loads dropped DLL (2 IoCs)
Processes:
  PID   Process
  912   rundll32.exe
  1528  rundll32Srv.exe
Drops file in System32 directory (1 IoC)
Processes:
  Description   IoC                                   Process
  File created  C:\Windows\SysWOW64\rundll32Srv.exe   rundll32.exe
Drops file in Program Files directory (3 IoCs)
Processes:
  Description                   IoC                                                 Process
  File opened for modification  C:\Program Files (x86)\Microsoft\pxC8BC.tmp         rundll32Srv.exe
  File created                  C:\Program Files (x86)\Microsoft\DesktopLayer.exe   rundll32Srv.exe
  File opened for modification  C:\Program Files (x86)\Microsoft\DesktopLayer.exe   rundll32Srv.exe
Program crash (1 IoC)
Processes:
  PID   Target PID  Process
  1308  912         WerFault.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  PID   Process           Occurrences
  1376  DesktopLayer.exe  4
Suspicious use of WriteProcessMemory (23 IoCs)
Processes:
  PID   Process           Target PID  Target process    Occurrences
  1668  rundll32.exe      912         rundll32.exe      7
  912   rundll32.exe      1528        rundll32Srv.exe   4
  912   rundll32.exe      1308        WerFault.exe      4
  1528  rundll32Srv.exe   1376        DesktopLayer.exe  4
  1376  DesktopLayer.exe  1112        iexplore.exe      4
Processes

[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\139b5e2737385a0f4f4758b115b276da11abc4ceeddb747974c5c711e48949ab.dll,#1
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\139b5e2737385a0f4f4758b115b276da11abc4ceeddb747974c5c711e48949ab.dll,#1
        - Loads dropped DLL
        - Drops file in System32 directory
        - Suspicious use of WriteProcessMemory

[1] C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    [2] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1112 CREDAT:275457 /prefetch:2

[1] C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 228
    - Program crash

[1] C:\Windows\SysWOW64\rundll32Srv.exe
    Command line: C:\Windows\SysWOW64\rundll32Srv.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix
Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  Filesize: 8KB
  MD5: fe2677dd75c9cfa24efed67ffa2d77a1
  SHA1: 728ccbeecb6e64807d31d9bad152d5f814e50295
  SHA256: 06355b7d8b37042826bc12d1b0abf2722b9fce19d70920765f2019ffe487d347
  SHA512: 0b6c4870d3115b5fae2d8ee8a5e1bfb390ad896c5ee74d4fc07a9189582ab8186c6b9950a35622c3de5135048eb3d15fb3f74ca80a787f37bfbe47767de34fdd

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  Filesize: 1KB
  MD5: 3def49b0d3a607cf44bf442d7966131d
  SHA1: 6951aa21b9b18c45d62d4221a01b1a47b4de2fbb
  SHA256: 21a5cbb39b634d744a7bb8f8283875f8ce64118d4775c2412ce2d8b3c7fffaf6
  SHA512: 52535996c8f997ce11e8aa7fa4824ab8488678c97be1285e3e66248bb071a427d1191984aff5ba3a36de6101748a99075fdcc5cb4474afa2920325540dc9dac2

C:\Windows\SysWOW64\rundll32Srv.exe
  Filesize: 25KB
  MD5: 06a2a39a8897763483a40dd0f987044d
  SHA1: 6e6fd5a242796223fcebec0551e30b57813ca7e6
  SHA256: 935c08891ddd7d9a43b5ba06a9cb73984df5cf8a07165cc8b2855d3350ca30dd
  SHA512: a26a2ff2f38db308afd4ad79497f508445cbe6c58555ddf423cddb69b24839e398f445e967903c1f0e7c8fa2d78cb92343092e9bf10092d29c642d9c90966f93

C:\Windows\SysWOW64\rundll32Srv.exe
  Filesize: 24KB
  MD5: 47e8c635c2fae83546163b264eb9c813
  SHA1: f2334ddcfc48f5006cf30612be7cb78b7d083f6a
  SHA256: 78bb6f534b49830e43c347f73c88a6af77e65d801fe64186ada103d06d0bbc00
  SHA512: 00ee7941959b911b0f626da48a162ac9a3cfc1c78e65f00e4b0fcdf1edcf4891caef5be6f5bc72bce6925c1d6b26058fa772706c0b6e0736ab62e37adf26359e

\Program Files (x86)\Microsoft\DesktopLayer.exe
  Filesize: 10KB
  MD5: 4d89720108b173f0075224ed2aa61769
  SHA1: d76b45a6c4d1f806f51a7b1e00c2db33126006d9
  SHA256: 1117682cd5162bf8eade7116f58d6d0a624c5a149bab927f14e60a8c89c95686
  SHA512: 7465907ad9cc657d220dc71e28e539bf04ab4ef28826d7690a4b1d5d1d97914740faa3869a02c914870b1f226ec562315f626d75da356e8b94de9cbd9907585d

\Windows\SysWOW64\rundll32Srv.exe
  Filesize: 27KB
  MD5: 522c49ad1ef9428d011cce88f07ff89a
  SHA1: 97ad4e1ecec13fb497a955c11be7b6a141768eb5
  SHA256: 2d48dbcd3daca4b0397ed160b05de1f9cc031722c340d02042d01b9ed297599f
  SHA512: 15db7a6b63827e1e0b7846b68ac791d96200c95b9640af55202e93c619510476c91ca7d2db9983dfb5df57f6d374c2e599fd337bab2bf4d175b6594690943597

Memory dumps
  Dump                                                              Filesize
  memory/912-55-0x00000000753B1000-0x00000000753B3000-memory.dmp    8KB
  memory/912-54-0x0000000000000000-mapping.dmp
  memory/912-69-0x0000000010000000-0x0000000010030000-memory.dmp    192KB
  memory/912-70-0x0000000000400000-0x000000000042E000-memory.dmp    184KB
  memory/1308-61-0x0000000000000000-mapping.dmp
  memory/1376-68-0x0000000000400000-0x000000000042E000-memory.dmp   184KB
  memory/1376-63-0x0000000000000000-mapping.dmp
  memory/1528-64-0x0000000000400000-0x000000000042E000-memory.dmp   184KB
  memory/1528-57-0x0000000000000000-mapping.dmp