ramnit | a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33ba

Analysis

max time kernel
93s
max time network
146s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33ba.exe
Size

531KB
MD5

425329e63edda1ae194938f8cccfdb3e
SHA1

e362f7af567bf4ae65f523aa9b868c66f52794a0
SHA256

a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33ba
SHA512

a2211feb10e1b978d83c420da98d2266feef8142dbc2a4150f26eb3a3fd8596de782ec18a2e735890e0305ba1e19888ff56c24236895b8ae7b6d2cf183d212b7

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 4 IoCs

Processes:

a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exea6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid	process
524	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe
440	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
1088	DesktopLayer.exe
1400	DesktopLayerSrv.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
behavioral2/memory/524-134-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/440-138-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

Processes:

DesktopLayerSrv.exea6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exea6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exeDesktopLayer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px1C86.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1B5D.tmp	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1B9C.tmp	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30884225"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884225"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "550091227"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884225"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884225"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "549934881"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884225"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "326981626"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884225"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "326965032"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "549934881"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30884225"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4BF78BCC-AD74-11EB-A11C-425E2D5A16C6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30884225"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "550091227"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4BC5CDD4-AD74-11EB-A11C-425E2D5A16C6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "561185130"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "550559881"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "550559881"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid	process
440	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
440	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
440	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
440	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
440	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
440	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
1088	DesktopLayer.exe
1088	DesktopLayer.exe
440	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
440	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
1088	DesktopLayer.exe
1088	DesktopLayer.exe
1400	DesktopLayerSrv.exe
1400	DesktopLayerSrv.exe
1400	DesktopLayerSrv.exe
1088	DesktopLayer.exe
1088	DesktopLayer.exe
1400	DesktopLayerSrv.exe
1088	DesktopLayer.exe
1088	DesktopLayer.exe
1400	DesktopLayerSrv.exe
1400	DesktopLayerSrv.exe
1400	DesktopLayerSrv.exe
1400	DesktopLayerSrv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

1472 iexplore.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

1752 iexplore.exe
1472 iexplore.exe
1900 iexplore.exe

pid	process
1472	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1752	iexplore.exe
1752	iexplore.exe
1900	iexplore.exe
1900	iexplore.exe
1472	iexplore.exe
1472	iexplore.exe
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
3672	IEXPLORE.EXE
3672	IEXPLORE.EXE
3720	IEXPLORE.EXE
3720	IEXPLORE.EXE
3672	IEXPLORE.EXE
3672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33ba.exea6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exeDesktopLayer.exea6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exeDesktopLayerSrv.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 4044 wrote to memory of 524	4044	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33ba.exe	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe
PID 4044 wrote to memory of 524	4044	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33ba.exe	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe
PID 4044 wrote to memory of 524	4044	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33ba.exe	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe
PID 524 wrote to memory of 440	524	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
PID 524 wrote to memory of 440	524	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
PID 524 wrote to memory of 440	524	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
PID 524 wrote to memory of 1088	524	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe	DesktopLayer.exe
PID 524 wrote to memory of 1088	524	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe	DesktopLayer.exe
PID 524 wrote to memory of 1088	524	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe	DesktopLayer.exe
PID 1088 wrote to memory of 1400	1088	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1088 wrote to memory of 1400	1088	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1088 wrote to memory of 1400	1088	DesktopLayer.exe	DesktopLayerSrv.exe
PID 440 wrote to memory of 1472	440	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe	iexplore.exe
PID 440 wrote to memory of 1472	440	a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe	iexplore.exe
PID 1088 wrote to memory of 1752	1088	DesktopLayer.exe	iexplore.exe
PID 1088 wrote to memory of 1752	1088	DesktopLayer.exe	iexplore.exe
PID 1400 wrote to memory of 1900	1400	DesktopLayerSrv.exe	iexplore.exe
PID 1400 wrote to memory of 1900	1400	DesktopLayerSrv.exe	iexplore.exe
PID 1752 wrote to memory of 1872	1752	iexplore.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 1872	1752	iexplore.exe	IEXPLORE.EXE
PID 1752 wrote to memory of 1872	1752	iexplore.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 3672	1472	iexplore.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 3672	1472	iexplore.exe	IEXPLORE.EXE
PID 1472 wrote to memory of 3672	1472	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 3720	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 3720	1900	iexplore.exe	IEXPLORE.EXE
PID 1900 wrote to memory of 3720	1900	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33ba.exe
"C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33ba.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe
C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:524

C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:440

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1472

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1472 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1400

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1900

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3720

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1752 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
88c5a67dc27492319119b467d926ca50

SHA1
e899b8f8018dd4df35369c2b5ebcb3422b87e562

SHA256
9a1a42ce8fca5e20c8ab5f064ef402f37df321e3fde4df5f3a25fca8df94719e

SHA512
06753fca66e557b0c8ea03410d7c8b8b896b084ca2a57efd003a0b6f56bd2b7bc4bec4e5901045a699f8fa0ca8c9e47cc149a5759e7a6f0e22e52a33bdf4a380

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
88c5a67dc27492319119b467d926ca50

SHA1
e899b8f8018dd4df35369c2b5ebcb3422b87e562

SHA256
9a1a42ce8fca5e20c8ab5f064ef402f37df321e3fde4df5f3a25fca8df94719e

SHA512
06753fca66e557b0c8ea03410d7c8b8b896b084ca2a57efd003a0b6f56bd2b7bc4bec4e5901045a699f8fa0ca8c9e47cc149a5759e7a6f0e22e52a33bdf4a380

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
10987a1d727697d22e9613985bf39eba

SHA1
d92fa559cdea14bdc068eb5388f4a8725d9d290c

SHA256
8c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063

SHA512
31910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
10987a1d727697d22e9613985bf39eba

SHA1
d92fa559cdea14bdc068eb5388f4a8725d9d290c

SHA256
8c026af272e0d8eae1ec8978047926e4bbdb2a7ebe0207a738307150e2ed0063

SHA512
31910362ff1a6afe47a6abe7d77d1056eb1a1531cc027ae33bb34e1b4b788cd7efe2292278b02548e72b1441c86f85a3376ed46edf4c58a247febf4da91dfb87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
a5a576bc9fe910e48ea847cddcb7d9fd

SHA1
c61803cf1f5af8c832d386c50dc2bf845ccd08ea

SHA256
55e462ac9fe672e81daa7fb94a50ff62ba468c239347b0953a24d38a4c380295

SHA512
e9d9ca893732ac94e577d055d4de43c17ca698c33f5085498e05e603aa386d8f207b868fa8f89183c52b4e7b49c3ff3d54f16d0ecb235469afa4a373152be50e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
a5a576bc9fe910e48ea847cddcb7d9fd

SHA1
c61803cf1f5af8c832d386c50dc2bf845ccd08ea

SHA256
55e462ac9fe672e81daa7fb94a50ff62ba468c239347b0953a24d38a4c380295

SHA512
e9d9ca893732ac94e577d055d4de43c17ca698c33f5085498e05e603aa386d8f207b868fa8f89183c52b4e7b49c3ff3d54f16d0ecb235469afa4a373152be50e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
9e4fe53e037ce25c0f5007819b630fb0

SHA1
516aadf0aa9d24d394adfdb588ab60b7ec289b73

SHA256
c8e345fce2bd6389f8f4fbd39548083c86bff202a09fa21bcb6a66566045670b

SHA512
9789e957a108105320fcac6f5a177cccec4df3cd986beb3d6595e717461a6ab44375dbfa03c8b435091b9e2cf46939e9e9d2ac9d9a51f9cf434d8815708da842

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
d9ab7b2cca2aa313e89c46a751bed208

SHA1
15029578ecb5dae3d42def506eddbbf8f5ae4511

SHA256
c6488bfede32ca18c29d36a649206532fd2b6d97692f14a8e24ad78d22b6e70f

SHA512
8592ca86c23dcecacee3766d7299aede7f67309242ecc5e367f4fb8bcefb6c804cf3ae5c50b2fcb6fd21ce749f5356b1443f4b366c8eb175e8ebbfc468c1009f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
d9ab7b2cca2aa313e89c46a751bed208

SHA1
15029578ecb5dae3d42def506eddbbf8f5ae4511

SHA256
c6488bfede32ca18c29d36a649206532fd2b6d97692f14a8e24ad78d22b6e70f

SHA512
8592ca86c23dcecacee3766d7299aede7f67309242ecc5e367f4fb8bcefb6c804cf3ae5c50b2fcb6fd21ce749f5356b1443f4b366c8eb175e8ebbfc468c1009f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
d9ab7b2cca2aa313e89c46a751bed208

SHA1
15029578ecb5dae3d42def506eddbbf8f5ae4511

SHA256
c6488bfede32ca18c29d36a649206532fd2b6d97692f14a8e24ad78d22b6e70f

SHA512
8592ca86c23dcecacee3766d7299aede7f67309242ecc5e367f4fb8bcefb6c804cf3ae5c50b2fcb6fd21ce749f5356b1443f4b366c8eb175e8ebbfc468c1009f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BC5CDD4-AD74-11EB-A11C-425E2D5A16C6}.dat
MD5
9a89e16a3aeb10f308334547c296dc81

SHA1
4edf92c55d8c2b9f0dbbc2a4b8b9582ea09439e2

SHA256
eeffc615714f5d5d42b32bc951482ab2b64b77715c257f09bc3a17f5599778c6

SHA512
5056a5fe4584386d34c92cdb45f41951a10da095e5e4307b1f1a12969f2fe39d43304a6c05d14d31f36069c4f955a62e3c037da2948d0456128794248abad596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BC5CDD4-AD74-11EB-A11C-425E2D5A16C6}.dat
MD5
9a89e16a3aeb10f308334547c296dc81

SHA1
4edf92c55d8c2b9f0dbbc2a4b8b9582ea09439e2

SHA256
eeffc615714f5d5d42b32bc951482ab2b64b77715c257f09bc3a17f5599778c6

SHA512
5056a5fe4584386d34c92cdb45f41951a10da095e5e4307b1f1a12969f2fe39d43304a6c05d14d31f36069c4f955a62e3c037da2948d0456128794248abad596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BF78BCC-AD74-11EB-A11C-425E2D5A16C6}.dat
MD5
de681526fd5ad5ba6398427d555ae3cf

SHA1
f610883f18d2e229e8cdcc8cde3a28dd1539c283

SHA256
e34f1f1630f92f658c4d49fb83886d524af539244866541120925adf0d1d09f8

SHA512
e8ffc654601422c476896fdea19c8c2927b39f86f9432044a5eda9c0fb5d024d5dc7baddf66ea6a0310226c6420b572922bbdc0d339929aca4d3df379838f05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\I0ULNEL8.cookie
MD5
2830ae193526720232f1d663d0a45589

SHA1
44e35adb41fa7cb3039a4019cb8b644825169551

SHA256
4ab331a28d198f7c9cff94f8d56421529a0db57a812e82257fbe4189cd402c8d

SHA512
0992d9e791c15b547a4bcb15bb26cb74a721ee1e03c878ee35bab08df6e72207acbf8da5a3252c310bf210c3d98d74663ecc4f4efd4d2bb7bcb0d07724963275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\P0KV66CR.cookie
MD5
976ea6d2864e7a33a0c4a1394e1aa42b

SHA1
2c09e1338c98ef096b89e3d981c591850e88f727

SHA256
bf403219c62e37e69204e5c75d0cde84849001f56c9d2aadd348a01c46745373

SHA512
08fabd282abf7def9f996cb2d33feaa07a97bc2fa09199a6582f0c4ad3214c6c47ef70194889d4c75757adf0d6d105bcfa1bb54701e1a36f8e74fc116a9decea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe
MD5
88c5a67dc27492319119b467d926ca50

SHA1
e899b8f8018dd4df35369c2b5ebcb3422b87e562

SHA256
9a1a42ce8fca5e20c8ab5f064ef402f37df321e3fde4df5f3a25fca8df94719e

SHA512
06753fca66e557b0c8ea03410d7c8b8b896b084ca2a57efd003a0b6f56bd2b7bc4bec4e5901045a699f8fa0ca8c9e47cc149a5759e7a6f0e22e52a33bdf4a380

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrv.exe
MD5
88c5a67dc27492319119b467d926ca50

SHA1
e899b8f8018dd4df35369c2b5ebcb3422b87e562

SHA256
9a1a42ce8fca5e20c8ab5f064ef402f37df321e3fde4df5f3a25fca8df94719e

SHA512
06753fca66e557b0c8ea03410d7c8b8b896b084ca2a57efd003a0b6f56bd2b7bc4bec4e5901045a699f8fa0ca8c9e47cc149a5759e7a6f0e22e52a33bdf4a380

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a6530c33b2d2e69d985f0dc9bdfc5e7443d96eeb057e958a8da9c81bc2cf33baSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/440-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/440-122-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/440-116-0x0000000000000000-mapping.dmp

Download
memory/524-134-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/524-133-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/524-114-0x0000000000000000-mapping.dmp

Download
memory/1088-119-0x0000000000000000-mapping.dmp

Download
memory/1400-123-0x0000000000000000-mapping.dmp

Download
memory/1472-131-0x00007FF843A40000-0x00007FF843AAB000-memory.dmp

Filesize
428KB

Download
memory/1472-124-0x0000000000000000-mapping.dmp

Download
memory/1752-135-0x00007FF843A40000-0x00007FF843AAB000-memory.dmp

Filesize
428KB

Download
memory/1752-129-0x0000000000000000-mapping.dmp

Download
memory/1872-143-0x0000000000000000-mapping.dmp

Download
memory/1900-136-0x00007FF843A40000-0x00007FF843AAB000-memory.dmp

Filesize
428KB

Download
memory/1900-132-0x0000000000000000-mapping.dmp

Download
memory/3672-144-0x0000000000000000-mapping.dmp

Download
memory/3720-145-0x0000000000000000-mapping.dmp

Download