ramnit | 91c6f1bd3bd34d4d9dcaca6adc9f9c16f312d085fbcebdb5bc8c311999696cef

Analysis

max time kernel
130s
max time network
123s
platform
windows7_x64
resource
win7v20210408
submitted
09-05-2021 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91c6f1bd3bd34d4d9dcaca6adc9f9c16f312d085fbcebdb5bc8c311999696cef.dll
Size

492KB
MD5

934a5dbad6e7d8e2a8ad559b8f7705fa
SHA1

38d000947b376792d473e91fb1b141af2712207a
SHA256

91c6f1bd3bd34d4d9dcaca6adc9f9c16f312d085fbcebdb5bc8c311999696cef
SHA512

5ab245beb5548856e8ab84bc682d2fd8b62f405e3aad5f7a981a67de496c46b67b9f95f1a2f6edfc6e21aa13b83d5ff4c26a52c362f62a9bba8f1b1d04a106c3

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 6 IoCs

Processes:

rundll32Srv.exerundll32SrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exerundll32SrvSrvSrv.exeDesktopLayerSrvSrv.exe

pid process

2040 rundll32Srv.exe
1344 rundll32SrvSrv.exe
1780 DesktopLayer.exe
1692 DesktopLayerSrv.exe
792 rundll32SrvSrvSrv.exe
1496 DesktopLayerSrvSrv.exe

pid	process
2040	rundll32Srv.exe
1344	rundll32SrvSrv.exe
1780	DesktopLayer.exe
1692	DesktopLayerSrv.exe
792	rundll32SrvSrvSrv.exe
1496	DesktopLayerSrvSrv.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
\Windows\SysWOW64\rundll32SrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
\Windows\SysWOW64\rundll32SrvSrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	upx
behavioral1/memory/2040-104-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1344-108-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/792-112-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32Srv.exeDesktopLayer.exerundll32SrvSrv.exeDesktopLayerSrv.exe

pid process

1960 rundll32.exe
2040 rundll32Srv.exe
2040 rundll32Srv.exe
1780 DesktopLayer.exe
1344 rundll32SrvSrv.exe
1692 DesktopLayerSrv.exe

pid	process
1960	rundll32.exe
2040	rundll32Srv.exe
2040	rundll32Srv.exe
1780	DesktopLayer.exe
1344	rundll32SrvSrv.exe
1692	DesktopLayerSrv.exe

Drops file in System32 directory 3 IoCs

Processes:

rundll32.exerundll32Srv.exerundll32SrvSrv.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32SrvSrv.exe	rundll32Srv.exe
File created	C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe	rundll32SrvSrv.exe

Drops file in Program Files directory 13 IoCs

Processes:

DesktopLayerSrvSrv.exerundll32Srv.exeDesktopLayer.exerundll32SrvSrv.exeDesktopLayerSrv.exerundll32SrvSrvSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px8B5E.tmp	DesktopLayerSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px893C.tmp	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8B01.tmp	rundll32SrvSrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8A93.tmp	rundll32SrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8AE1.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32SrvSrvSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7A11A181-B10A-11EB-AC20-62C8A5B8B9AA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7A0C90A1-B10A-11EB-AC20-62C8A5B8B9AA} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327359409"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

DesktopLayer.exerundll32SrvSrv.exeDesktopLayerSrv.exerundll32SrvSrvSrv.exeDesktopLayerSrvSrv.exe

pid	process
1780	DesktopLayer.exe
1780	DesktopLayer.exe
1780	DesktopLayer.exe
1780	DesktopLayer.exe
1344	rundll32SrvSrv.exe
1344	rundll32SrvSrv.exe
1692	DesktopLayerSrv.exe
792	rundll32SrvSrvSrv.exe
1692	DesktopLayerSrv.exe
1496	DesktopLayerSrvSrv.exe
1344	rundll32SrvSrv.exe
1344	rundll32SrvSrv.exe
1692	DesktopLayerSrv.exe
1692	DesktopLayerSrv.exe
1496	DesktopLayerSrvSrv.exe
1496	DesktopLayerSrvSrv.exe
1496	DesktopLayerSrvSrv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

108 iexplore.exe
1016 iexplore.exe
1756 iexplore.exe

pid	process
108	iexplore.exe
1016	iexplore.exe
1756	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1756	iexplore.exe
1756	iexplore.exe
1016	iexplore.exe
1016	iexplore.exe
108	iexplore.exe
108	iexplore.exe
1428	IEXPLORE.EXE
1428	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

rundll32.exerundll32.exerundll32Srv.exeDesktopLayer.exerundll32SrvSrv.exeDesktopLayerSrv.exeDesktopLayerSrvSrv.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2004 wrote to memory of 1960	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1960	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1960	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1960	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1960	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1960	2004	rundll32.exe	rundll32.exe
PID 2004 wrote to memory of 1960	2004	rundll32.exe	rundll32.exe
PID 1960 wrote to memory of 2040	1960	rundll32.exe	rundll32Srv.exe
PID 1960 wrote to memory of 2040	1960	rundll32.exe	rundll32Srv.exe
PID 1960 wrote to memory of 2040	1960	rundll32.exe	rundll32Srv.exe
PID 1960 wrote to memory of 2040	1960	rundll32.exe	rundll32Srv.exe
PID 2040 wrote to memory of 1344	2040	rundll32Srv.exe	rundll32SrvSrv.exe
PID 2040 wrote to memory of 1344	2040	rundll32Srv.exe	rundll32SrvSrv.exe
PID 2040 wrote to memory of 1344	2040	rundll32Srv.exe	rundll32SrvSrv.exe
PID 2040 wrote to memory of 1344	2040	rundll32Srv.exe	rundll32SrvSrv.exe
PID 2040 wrote to memory of 1780	2040	rundll32Srv.exe	DesktopLayer.exe
PID 2040 wrote to memory of 1780	2040	rundll32Srv.exe	DesktopLayer.exe
PID 2040 wrote to memory of 1780	2040	rundll32Srv.exe	DesktopLayer.exe
PID 2040 wrote to memory of 1780	2040	rundll32Srv.exe	DesktopLayer.exe
PID 1780 wrote to memory of 1692	1780	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1780 wrote to memory of 1692	1780	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1780 wrote to memory of 1692	1780	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1780 wrote to memory of 1692	1780	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1780 wrote to memory of 1756	1780	DesktopLayer.exe	iexplore.exe
PID 1780 wrote to memory of 1756	1780	DesktopLayer.exe	iexplore.exe
PID 1780 wrote to memory of 1756	1780	DesktopLayer.exe	iexplore.exe
PID 1780 wrote to memory of 1756	1780	DesktopLayer.exe	iexplore.exe
PID 1344 wrote to memory of 792	1344	rundll32SrvSrv.exe	rundll32SrvSrvSrv.exe
PID 1344 wrote to memory of 792	1344	rundll32SrvSrv.exe	rundll32SrvSrvSrv.exe
PID 1344 wrote to memory of 792	1344	rundll32SrvSrv.exe	rundll32SrvSrvSrv.exe
PID 1344 wrote to memory of 792	1344	rundll32SrvSrv.exe	rundll32SrvSrvSrv.exe
PID 1692 wrote to memory of 1496	1692	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 1692 wrote to memory of 1496	1692	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 1692 wrote to memory of 1496	1692	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 1692 wrote to memory of 1496	1692	DesktopLayerSrv.exe	DesktopLayerSrvSrv.exe
PID 1344 wrote to memory of 756	1344	rundll32SrvSrv.exe	iexplore.exe
PID 1344 wrote to memory of 756	1344	rundll32SrvSrv.exe	iexplore.exe
PID 1344 wrote to memory of 756	1344	rundll32SrvSrv.exe	iexplore.exe
PID 1344 wrote to memory of 756	1344	rundll32SrvSrv.exe	iexplore.exe
PID 1692 wrote to memory of 108	1692	DesktopLayerSrv.exe	iexplore.exe
PID 1692 wrote to memory of 108	1692	DesktopLayerSrv.exe	iexplore.exe
PID 1692 wrote to memory of 108	1692	DesktopLayerSrv.exe	iexplore.exe
PID 1692 wrote to memory of 108	1692	DesktopLayerSrv.exe	iexplore.exe
PID 1496 wrote to memory of 1016	1496	DesktopLayerSrvSrv.exe	iexplore.exe
PID 1496 wrote to memory of 1016	1496	DesktopLayerSrvSrv.exe	iexplore.exe
PID 1496 wrote to memory of 1016	1496	DesktopLayerSrvSrv.exe	iexplore.exe
PID 1496 wrote to memory of 1016	1496	DesktopLayerSrvSrv.exe	iexplore.exe
PID 1756 wrote to memory of 1584	1756	iexplore.exe	IEXPLORE.EXE
PID 1756 wrote to memory of 1584	1756	iexplore.exe	IEXPLORE.EXE
PID 1756 wrote to memory of 1584	1756	iexplore.exe	IEXPLORE.EXE
PID 1756 wrote to memory of 1584	1756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 1336	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 1336	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 1336	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 1336	756	iexplore.exe	IEXPLORE.EXE
PID 1016 wrote to memory of 1428	1016	iexplore.exe	IEXPLORE.EXE
PID 1016 wrote to memory of 1428	1016	iexplore.exe	IEXPLORE.EXE
PID 1016 wrote to memory of 1428	1016	iexplore.exe	IEXPLORE.EXE
PID 1016 wrote to memory of 1428	1016	iexplore.exe	IEXPLORE.EXE
PID 108 wrote to memory of 1784	108	iexplore.exe	IEXPLORE.EXE
PID 108 wrote to memory of 1784	108	iexplore.exe	IEXPLORE.EXE
PID 108 wrote to memory of 1784	108	iexplore.exe	IEXPLORE.EXE
PID 108 wrote to memory of 1784	108	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\91c6f1bd3bd34d4d9dcaca6adc9f9c16f312d085fbcebdb5bc8c311999696cef.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\91c6f1bd3bd34d4d9dcaca6adc9f9c16f312d085fbcebdb5bc8c311999696cef.dll,#1
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\rundll32Srv.exe
C:\Windows\SysWOW64\rundll32Srv.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\rundll32SrvSrv.exe
C:\Windows\SysWOW64\rundll32SrvSrv.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:792

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:275457 /prefetch:2
6⤵
PID:1336

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1780

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692

C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1496

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1016 CREDAT:275457 /prefetch:2
8⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1428

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:108

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:108 CREDAT:275457 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1756 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7A115361-B10A-11EB-AC20-62C8A5B8B9AA}.dat
MD5
a3c814d766b919004f5a652c54f49e50

SHA1
34438ef1565a8abbeac91ca0cede20520f9fc182

SHA256
ae4086c8ed414a742d27bc77ebb9862f45b7732a7773eb513ba0817f147d0bb2

SHA512
9e74dec26ded1872d14f24fafc257135fec78fa9cc1b42ee591641cf3a148248f9087bd698f4996642180a2fc23129ca4330d11c792a2867c98c24fe7fab81bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7A115361-B10A-11EB-AC20-62C8A5B8B9AA}.dat
MD5
006dc75591782690e7e5c77315564e96

SHA1
28a6cf91bb0b1521614f2210cc421ec0b9de4f38

SHA256
4dfc6943528f0463b0fc8576085c6a47792c46473d0502c60d3565f9295569ec

SHA512
4fbb55ffc85dff831e7cdd4f6b16c35d613d6ae8011c554f80b66b90f7dfee7169ddb83722652b1c95404b8ffecca32c248c569c968d13e2b6cc687ee04d54b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7A11A181-B10A-11EB-AC20-62C8A5B8B9AA}.dat
MD5
c4d7691835d55fd8115c2014068f72c8

SHA1
e7a8effe337c959c0b6d4e8846bda1033930fe25

SHA256
b59ddde776086cfcf026cd4485fef43e1fd8523c8746213a9638fd56a4dc4a0c

SHA512
e491c09c5cc3ab3ad12166b9f2d01c335b6d889d65f0a6165d31230dc28774715ee3c20c33897cebad05721b089fa328f00e0c707e4f6a33daae3f0a87b90338

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EPA1DRZX.txt
MD5
56d89d7a47060e99f43325e88e31233e

SHA1
f82100363345ce30cd5b173f96364a972647d55e

SHA256
4b0f3fe0a3aea4dc9facd41ac0d863113294edc0d42a81353ac25551534a883b

SHA512
5f85af82358c18073caa4777e1dc7c2b68ba1442340db5b31b2b6ff6e6934c0438ce8f2733b0709719acd2fade81fa11e81649b4fb86864f6687b10066ed893f

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Windows\SysWOW64\rundll32Srv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
\Windows\SysWOW64\rundll32SrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
\Windows\SysWOW64\rundll32SrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/108-124-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/108-98-0x0000000000000000-mapping.dmp

Download
memory/756-96-0x0000000000000000-mapping.dmp

Download
memory/792-83-0x0000000000000000-mapping.dmp

Download
memory/792-112-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1016-101-0x0000000000000000-mapping.dmp

Download
memory/1336-115-0x0000000000000000-mapping.dmp

Download
memory/1344-107-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1344-108-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1344-67-0x0000000000000000-mapping.dmp

Download
memory/1344-86-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1428-117-0x0000000000000000-mapping.dmp

Download
memory/1496-89-0x0000000000000000-mapping.dmp

Download
memory/1584-116-0x0000000000000000-mapping.dmp

Download
memory/1584-120-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/1692-76-0x0000000000000000-mapping.dmp

Download
memory/1692-109-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1756-81-0x0000000000000000-mapping.dmp

Download
memory/1756-97-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download
memory/1780-105-0x00000000002B0000-0x00000000002ED000-memory.dmp

Filesize
244KB

Download
memory/1780-80-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1780-72-0x0000000000000000-mapping.dmp

Download
memory/1784-118-0x0000000000000000-mapping.dmp

Download
memory/1960-60-0x0000000000000000-mapping.dmp

Download
memory/1960-61-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/2040-63-0x0000000000000000-mapping.dmp

Download
memory/2040-104-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2040-103-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download