Analysis
-
max time kernel
120s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13/03/2024, 23:03
Static task
static1
Behavioral task
behavioral1
Sample
c711a7b74c62cbdcd059ec9421ecdc3e.dll
Resource
win7-20240221-en
General
-
Target
c711a7b74c62cbdcd059ec9421ecdc3e.dll
-
Size
80KB
-
MD5
c711a7b74c62cbdcd059ec9421ecdc3e
-
SHA1
2c5d751748523f47897c4490f014e5e01b37d1bf
-
SHA256
27ea524cc2f12cc4b9e70878667bcb8901e7d1548d0b1341b36b7722c056213b
-
SHA512
8daaaf0b8496ce05fd66dfd1812b1b7fb63fc4c25d7954760bc708f018becad765b274dbfd52557d2ddbdb627199fc8844ed6a2b2496c80cd59dae059406c730
-
SSDEEP
1536:T2lFYHQuwVlTS8uT4Dpd7kJNNV+ZA0J7Pt0s+96Ve5Uhm:TUA2lTS8ukDzAJNL+22F0s+9Ye50
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 2484 rundll32Srv.exe 2544 DesktopLayer.exe -
Loads dropped DLL 4 IoCs
pid Process 1772 rundll32.exe 1772 rundll32.exe 2484 rundll32Srv.exe 2484 rundll32Srv.exe -
resource yara_rule behavioral1/memory/2484-14-0x0000000000400000-0x0000000000413000-memory.dmp upx behavioral1/memory/2484-12-0x0000000000400000-0x0000000000413000-memory.dmp upx behavioral1/memory/2544-29-0x0000000000400000-0x0000000000413000-memory.dmp upx -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe rundll32Srv.exe File opened for modification C:\Program Files (x86)\Microsoft\px50EE.tmp rundll32Srv.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8F56C41-E18D-11EE-8AD9-56D57A935C49} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416532910" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2544 DesktopLayer.exe 2544 DesktopLayer.exe 2544 DesktopLayer.exe 2544 DesktopLayer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2556 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2556 iexplore.exe 2556 iexplore.exe 2612 IEXPLORE.EXE 2612 IEXPLORE.EXE 2612 IEXPLORE.EXE 2612 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2484 rundll32Srv.exe 2544 DesktopLayer.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 2320 wrote to memory of 1772 2320 rundll32.exe 28 PID 2320 wrote to memory of 1772 2320 rundll32.exe 28 PID 2320 wrote to memory of 1772 2320 rundll32.exe 28 PID 2320 wrote to memory of 1772 2320 rundll32.exe 28 PID 2320 wrote to memory of 1772 2320 rundll32.exe 28 PID 2320 wrote to memory of 1772 2320 rundll32.exe 28 PID 2320 wrote to memory of 1772 2320 rundll32.exe 28 PID 1772 wrote to memory of 2484 1772 rundll32.exe 29 PID 1772 wrote to memory of 2484 1772 rundll32.exe 29 PID 1772 wrote to memory of 2484 1772 rundll32.exe 29 PID 1772 wrote to memory of 2484 1772 rundll32.exe 29 PID 2484 wrote to memory of 2544 2484 rundll32Srv.exe 30 PID 2484 wrote to memory of 2544 2484 rundll32Srv.exe 30 PID 2484 wrote to memory of 2544 2484 rundll32Srv.exe 30 PID 2484 wrote to memory of 2544 2484 rundll32Srv.exe 30 PID 2544 wrote to memory of 2556 2544 DesktopLayer.exe 31 PID 2544 wrote to memory of 2556 2544 DesktopLayer.exe 31 PID 2544 wrote to memory of 2556 2544 DesktopLayer.exe 31 PID 2544 wrote to memory of 2556 2544 DesktopLayer.exe 31 PID 2556 wrote to memory of 2612 2556 iexplore.exe 32 PID 2556 wrote to memory of 2612 2556 iexplore.exe 32 PID 2556 wrote to memory of 2612 2556 iexplore.exe 32 PID 2556 wrote to memory of 2612 2556 iexplore.exe 32
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c711a7b74c62cbdcd059ec9421ecdc3e.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c711a7b74c62cbdcd059ec9421ecdc3e.dll,#12⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\rundll32Srv.exeC:\Windows\SysWOW64\rundll32Srv.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2612
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b2ade7cdcb69aafada988322b1da6674
SHA181e1311624711edafd5f08573fd00b66557c35a0
SHA256eeb906e45300960887f9e84364b91752530887be1b3763c90041c802a97b1546
SHA5128afe365e02b47aff387918e43c97e5efffcaf7b147ed700b2d4c87a266ee56b23bbf498e2904bacbbf87630724eafc83e44d72c2236113a12cbc7dc1131f4409
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD58ea77a4320a15ebd0eb2bcb86b166a2c
SHA1d13effbb7abf651d318f219ce673d75de1aee4a2
SHA256d4c1ec658779ade99a1ed121596d39b58428e9a2cee0b797d4bef649513c08ec
SHA512a5cd00dcaa81d1a986f968f6e8318fef04554cc9e9304674e01a1ccb9beec2ba60b8291d9bbef05ef253f6dbf7dd8df44e9a8cfbdb6fbce0dd413d1127b354f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5337aa3b4f8eeefa43c13db0d3d92345e
SHA14415c687bf0a59f48f0b9e9ba2f052e4393649a5
SHA2562eaab6936b830c3c4d37dee472e305233947521dd7f4e0f0e57279d097ffb48b
SHA5123d7bb7459627853c12baab515617c4f4912a74a1fb6af87495e010b802338fa882c5c4679424525c252648e5fc4232b6d5f3ae15867601ca38820565cf5f07a0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD562979155aa01bd9f83295158f6277e26
SHA126209d6d672c5224e33d31f705e7308c6c2d6421
SHA25619eb3fb2eb256aaba82ac51f9d65c7fff47dd0bce110e0b6b51c5bb51f1a6832
SHA51278834ba30d37420b16ea9adb2435f2c412b3569085c23d6cb686722a37112fc8412b748c1a15ef641277078ad2ec5b9e5e99286306af6762557248a29fd79b5a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD52fa85f2f19d6bbf09370fc1e02628aa0
SHA1153e63545338d029b4fb253c8d4dc8fc88680e38
SHA256a6734e0f16905fcd72db8d96b30efe29b5a17094735e9144e98f10137010358b
SHA512820e370eb2791e9b54b636f9f8489a22ab8e3cfece4d9f3cab0fb8e4ebd6d275122efb2a31ed84f4988704e621ee01f7b2221f3935cbca4460c69be9e957440a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD576685556e605a181998bbbfbab9174d4
SHA143a407a348dad38bd3c0afc0b4db11e9a041caaa
SHA25637091cc2b1ad0260d7b5540b4d8cf935f91dc63226e832adaaa0e0ce0fb60af8
SHA51232b9af9b9dce76f4f6f91f6da694102cc7359248e3efe3b9196f860755df2873f1345655050d8d5c1ff1aba2d245addb5e4ca2738e597b0e2765da6caa11fb1e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD56d03165201c5f9168194c772e8eaafd5
SHA1784b7f784305e9e91ff4e2a02375d3c49c9cca93
SHA256c613679f5827c7d4d0713dce25c08c5abe36f52115429c1b6e84f13b073f409e
SHA512c25554db4b70448db1a98b0f9b54f394083d71ede9135d60ce3e69a53726da5c48ee86685b2793a412318bf3f6a0d1c006f704197e00d9277d6f535e46e531f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD50d2d55506653dc34d74171fba0bdc330
SHA1f5a319f4864fef9614ca8df3305c537761527fd4
SHA256a8ca520e5a5505a7ee490cdc565eebc919c43cff2b0d0f1672edccb1f912e5e6
SHA5125c8d4fab4b19ab0e3654aeebfa6f3597f32a162c11459b5fc37c173bc68b766c70723b147c724dd06736f49308c1fb8e384ead31b25107a4e04f941b9ba7853c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5a4858b0ccc928ae0502e90ca04761acc
SHA17980e59ed79d8c6905921d24a182c2d97eeb7520
SHA256c77dadb379fd8c53c4f0ecc420fbda8ae24e144fd907393d7256574d4e16fd92
SHA512fc78d0feeeb0856a1289e9329ff5c610b21b754ec797e6f93b5ba41074e3f6b5680aa24205714272fb966e9b7beb5e3d717f22d0cb4e3e7726e4d3446b2b5061
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD557b9580b5eb6df201c65e49feb02d6f1
SHA1973fdd5b0661a73525538da318d2fa12b1ecf024
SHA2561d7fbebd60272019c110c8bc114cb3b67f566f63b7d19254f83d505870945311
SHA512ab6aef16bdfea5649e2a90c289bd5e01e5ec4fa99e60c5586f15d58b3b954d6510193917e6fecfe073741bcad14e7ae784f262088b2649eff7b34b927cb6519e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5f4997f25027384527a24c880c6009067
SHA124bd550c6b4f6e9689928eab277a6af980dabaa7
SHA2564ac048658be69d3d0a21d67108168cf512b26a62d91bf221ae159cde36bd961e
SHA512ea3c0a56e7285e45147a01a5743ac81f02c77d575b22811bfea8424e90246a362d7351df070f7ec0ef041ca04d0f0510bcaad5a28be90b57c7c17272a76f58d3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5fb561401f5411d83f5be7f688ed4f06b
SHA119e2dd17483e5e2ab51b4b922ea1d46d8f884e62
SHA256b5dc57d023887950b8fafeac9978b62ee3be3f5fa9fe8a3b5abe69e27b496b90
SHA51222baf1bb9f05e23b99c104e1dac8d4d227b10ec116524f0966dcebb36c70e9a2fe361b5a1b0f7f3450b050161ba1f9ae2caa9924a4c8ec71558a4d797fc462cb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD50ff03c6b10d97265f39627b53c532ecf
SHA142f30a0df83d0f786905b5faa399501627f38678
SHA2560c4bfbe68590a84c13190130af51c2553cd37437226a366ecd7a49addc15e057
SHA512c40ace7ef832dcbc6e63b6133530da43929a0da34b2b23dbd6a7d9401f5b321926b4d4edfb6294b26cd21877195c198898d709d4d947524b7aa7d9ce7f02cb89
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD59591d4e3ddaf848fe8af4118ea6a4e3b
SHA1ce67e87d0d504097c851719eae832d13e59dbb60
SHA256e1973dd304d75e424ce393be5fbb78a482cd1d64473c044d71f64964cf8e74fa
SHA512d32292df786776c176bbfe359a6d07997044e408399fd78838bf72985ef9c35531d1d07bc2a8f2b008e477427381a5ee0f2f66a3b547c6b164a93e0e101a5a9c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD53295c14f638d4f522e7c8d6501a06155
SHA1f6e0fa037096343cb36e8c9b6bfddfa21a7a710b
SHA25609426974aa100b48cb7f2d0306009b799ec5411688c689de996c1dedd3036d62
SHA5124f54387c2c6e27bbda0b72f9be7cd5646fd0256fa28e0938d5f55d341f56733eb0ccfc1d8bb9319c0d1f9df7bff3e72f89525dc51542d3d1a333bb8025b506e8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5b078fbfaa4423089b8e48001cd41b449
SHA17238ee01ab2377e8e79263c2864fe2301d823d15
SHA256c173b559323eeacb152eff82a2806f70408478e9e61907d7b5fcab4d7bd17ac0
SHA512a58cda33c78595ab850a4335423e6a7becc25e6be486a2847614c9b032b489b7a101ecb0b7c5da56dd4059940c721363c29150e6b43deb67ef3f94bf7fdd2e29
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD56a469ee1c10bea36df5d786a102430fc
SHA1d2df1330fe553e9c9b4ea9b5e5d3e0ec7d657273
SHA256fd2a71f5452ce0fc8a1cbb65a6c3f12b75432bb0d9c144b789c0ca6bb79253b5
SHA51221c1dc95d0a63cda303822d94665fd79bc135dffb453541ebd7aefee44bc6445b52972b55429d5fc2b037c88c543cc524c7c00b2330672a57de710b30dfdf17c
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
52KB
MD517efb7e40d4cadaf3a4369435a8772ec
SHA1eb9302063ac2ab599ae93aaa1e45b88bbeacbca2
SHA256f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386
SHA512522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450