ramnit | 91c6f1bd3bd34d4d9dcaca6adc9f9c16f312d085fbcebdb5bc8c311999696cef

Analysis

max time kernel
133s
max time network
158s
platform
windows10_x64
resource
win10v20210408
submitted
09-05-2021 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91c6f1bd3bd34d4d9dcaca6adc9f9c16f312d085fbcebdb5bc8c311999696cef.dll
Size

492KB
MD5

934a5dbad6e7d8e2a8ad559b8f7705fa
SHA1

38d000947b376792d473e91fb1b141af2712207a
SHA256

91c6f1bd3bd34d4d9dcaca6adc9f9c16f312d085fbcebdb5bc8c311999696cef
SHA512

5ab245beb5548856e8ab84bc682d2fd8b62f405e3aad5f7a981a67de496c46b67b9f95f1a2f6edfc6e21aa13b83d5ff4c26a52c362f62a9bba8f1b1d04a106c3

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 5 IoCs

Processes:

rundll32Srv.exerundll32SrvSrv.exerundll32SrvSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid process

3048 rundll32Srv.exe
4088 rundll32SrvSrv.exe
3284 rundll32SrvSrvSrv.exe
2780 DesktopLayer.exe
3296 DesktopLayerSrv.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
behavioral2/memory/3048-139-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral2/memory/4088-141-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/3284-143-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

Processes:

rundll32SrvSrv.exerundll32.exerundll32Srv.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe	rundll32SrvSrv.exe
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32SrvSrv.exe	rundll32Srv.exe

Drops file in Program Files directory 10 IoCs

Processes:

rundll32SrvSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exerundll32SrvSrv.exerundll32Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB859.tmp	rundll32SrvSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB963.tmp	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32SrvSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB80B.tmp	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB80B.tmp	rundll32SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32SrvSrvSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885143"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1339052945"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885143"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327359389"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1339208584"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{77EDEEC3-B10A-11EB-B2DB-FA5C9235AE05} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1294833698"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30885143"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885143"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1294833698"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885143"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885143"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1339208584"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1294833698"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{77EDA0A3-B10A-11EB-B2DB-FA5C9235AE05} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885143"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30885143"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1339208584"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

rundll32Srv.exerundll32SrvSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid	process
3048	rundll32Srv.exe
3048	rundll32Srv.exe
3048	rundll32Srv.exe
3048	rundll32Srv.exe
3284	rundll32SrvSrvSrv.exe
3284	rundll32SrvSrvSrv.exe
3284	rundll32SrvSrvSrv.exe
3284	rundll32SrvSrvSrv.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
3296	DesktopLayerSrv.exe
3296	DesktopLayerSrv.exe
3296	DesktopLayerSrv.exe
3296	DesktopLayerSrv.exe
3048	rundll32Srv.exe
3048	rundll32Srv.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
3048	rundll32Srv.exe
3048	rundll32Srv.exe
2780	DesktopLayer.exe
2780	DesktopLayer.exe
3296	DesktopLayerSrv.exe
3284	rundll32SrvSrvSrv.exe
3296	DesktopLayerSrv.exe
3296	DesktopLayerSrv.exe
3296	DesktopLayerSrv.exe
3284	rundll32SrvSrvSrv.exe
3284	rundll32SrvSrvSrv.exe
3284	rundll32SrvSrvSrv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2904 iexplore.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exe

pid process

2788 iexplore.exe
3684 iexplore.exe
184 iexplore.exe
2904 iexplore.exe

pid	process
2904	iexplore.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2788	iexplore.exe
2788	iexplore.exe
184	iexplore.exe
184	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
3684	iexplore.exe
3684	iexplore.exe
3968	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
3968	IEXPLORE.EXE
3760	IEXPLORE.EXE
3760	IEXPLORE.EXE
3188	IEXPLORE.EXE
3188	IEXPLORE.EXE
3188	IEXPLORE.EXE
3188	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

rundll32.exerundll32.exerundll32Srv.exerundll32SrvSrv.exeDesktopLayer.exerundll32SrvSrvSrv.exeDesktopLayerSrv.exeiexplore.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 640 wrote to memory of 1180	640	rundll32.exe	rundll32.exe
PID 640 wrote to memory of 1180	640	rundll32.exe	rundll32.exe
PID 640 wrote to memory of 1180	640	rundll32.exe	rundll32.exe
PID 1180 wrote to memory of 3048	1180	rundll32.exe	rundll32Srv.exe
PID 1180 wrote to memory of 3048	1180	rundll32.exe	rundll32Srv.exe
PID 1180 wrote to memory of 3048	1180	rundll32.exe	rundll32Srv.exe
PID 3048 wrote to memory of 4088	3048	rundll32Srv.exe	rundll32SrvSrv.exe
PID 3048 wrote to memory of 4088	3048	rundll32Srv.exe	rundll32SrvSrv.exe
PID 3048 wrote to memory of 4088	3048	rundll32Srv.exe	rundll32SrvSrv.exe
PID 4088 wrote to memory of 3284	4088	rundll32SrvSrv.exe	rundll32SrvSrvSrv.exe
PID 4088 wrote to memory of 3284	4088	rundll32SrvSrv.exe	rundll32SrvSrvSrv.exe
PID 4088 wrote to memory of 3284	4088	rundll32SrvSrv.exe	rundll32SrvSrvSrv.exe
PID 4088 wrote to memory of 2780	4088	rundll32SrvSrv.exe	DesktopLayer.exe
PID 4088 wrote to memory of 2780	4088	rundll32SrvSrv.exe	DesktopLayer.exe
PID 4088 wrote to memory of 2780	4088	rundll32SrvSrv.exe	DesktopLayer.exe
PID 2780 wrote to memory of 3296	2780	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2780 wrote to memory of 3296	2780	DesktopLayer.exe	DesktopLayerSrv.exe
PID 2780 wrote to memory of 3296	2780	DesktopLayer.exe	DesktopLayerSrv.exe
PID 3048 wrote to memory of 2788	3048	rundll32Srv.exe	iexplore.exe
PID 3048 wrote to memory of 2788	3048	rundll32Srv.exe	iexplore.exe
PID 2780 wrote to memory of 3684	2780	DesktopLayer.exe	iexplore.exe
PID 2780 wrote to memory of 3684	2780	DesktopLayer.exe	iexplore.exe
PID 3284 wrote to memory of 184	3284	rundll32SrvSrvSrv.exe	iexplore.exe
PID 3284 wrote to memory of 184	3284	rundll32SrvSrvSrv.exe	iexplore.exe
PID 3296 wrote to memory of 2904	3296	DesktopLayerSrv.exe	iexplore.exe
PID 3296 wrote to memory of 2904	3296	DesktopLayerSrv.exe	iexplore.exe
PID 3684 wrote to memory of 3968	3684	iexplore.exe	IEXPLORE.EXE
PID 3684 wrote to memory of 3968	3684	iexplore.exe	IEXPLORE.EXE
PID 3684 wrote to memory of 3968	3684	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2756	2788	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2756	2788	iexplore.exe	IEXPLORE.EXE
PID 2788 wrote to memory of 2756	2788	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 3188	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 3188	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 3188	2904	iexplore.exe	IEXPLORE.EXE
PID 184 wrote to memory of 3760	184	iexplore.exe	IEXPLORE.EXE
PID 184 wrote to memory of 3760	184	iexplore.exe	IEXPLORE.EXE
PID 184 wrote to memory of 3760	184	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\91c6f1bd3bd34d4d9dcaca6adc9f9c16f312d085fbcebdb5bc8c311999696cef.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\91c6f1bd3bd34d4d9dcaca6adc9f9c16f312d085fbcebdb5bc8c311999696cef.dll,#1
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\rundll32Srv.exe
C:\Windows\SysWOW64\rundll32Srv.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\rundll32SrvSrv.exe
C:\Windows\SysWOW64\rundll32SrvSrv.exe
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3284

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:184

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:184 CREDAT:82945 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3296

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:82945 /prefetch:2
8⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3684 CREDAT:82945 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3968

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
6b816ee93f1cf36935099a4d593bb05f

SHA1
0c0189324d4658217cfb69ed3131f657ee82ef28

SHA256
0f617ef157edf719de5b1281c6f2afb01903acd66aa0a60e075cfc341adcb6f5

SHA512
cd270c8c41db861a78e1a08c08f2186f95e3f45b0d964edb2d9eb8aa4ecf9f796f07ffc2f03a3d96848cb0142cb0d6838fdd08daa68c53bcd176ca27f4320b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
87717484e8cd12bf910890b05948130b

SHA1
10b0263ffb51f13d365e15e27b9c6f6497e2369f

SHA256
18e62faff4df4d7c89929d19b2ad4336258fd767902807f948da232e29d9ccd5

SHA512
80c448897a3f756f5fe6d17a4e16007d474a088fa40b78854a843a23825d92e35f3966d1c0ad59c6d15290a11b1c238da5112f7683d1f9cfde2b3b1a5b35e449

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
a0a1613d2a686aa064d233c99f1db58e

SHA1
e8f23be8bf707bfb8e56d6d23252efac96f0346a

SHA256
fa6a2f43de1a8a5bdad58ecc7d8159f6fd7af5d33b16d13d8ead55ad200fc8fc

SHA512
d47a23f8bc4231e983a3450e5047f37a513d951d5dccc6d71a97861b25e0a67696982ec3cf1f9943f32dbf340f915fb1418897fba09d36a43b115cf1912a144d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
a0a1613d2a686aa064d233c99f1db58e

SHA1
e8f23be8bf707bfb8e56d6d23252efac96f0346a

SHA256
fa6a2f43de1a8a5bdad58ecc7d8159f6fd7af5d33b16d13d8ead55ad200fc8fc

SHA512
d47a23f8bc4231e983a3450e5047f37a513d951d5dccc6d71a97861b25e0a67696982ec3cf1f9943f32dbf340f915fb1418897fba09d36a43b115cf1912a144d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
a10541eb17692f7b3353553b2671946d

SHA1
19086a881fdab4ba8babe1baa13a6c971b04db4d

SHA256
0f53133a30c2b14de31f3d496a13aec8353b3dc7ab47ee4bcd0d0c1c4fbed5b5

SHA512
cbc2fb7ae6f28ea091bd0c3ac19685b9a521b20280e35ebe79a8991b48ef883cac8711c7d74d4f5d42c62cf936de42b1f8bb659d2b35bcd8dd7945d9a6ab3659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
a10541eb17692f7b3353553b2671946d

SHA1
19086a881fdab4ba8babe1baa13a6c971b04db4d

SHA256
0f53133a30c2b14de31f3d496a13aec8353b3dc7ab47ee4bcd0d0c1c4fbed5b5

SHA512
cbc2fb7ae6f28ea091bd0c3ac19685b9a521b20280e35ebe79a8991b48ef883cac8711c7d74d4f5d42c62cf936de42b1f8bb659d2b35bcd8dd7945d9a6ab3659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
a10541eb17692f7b3353553b2671946d

SHA1
19086a881fdab4ba8babe1baa13a6c971b04db4d

SHA256
0f53133a30c2b14de31f3d496a13aec8353b3dc7ab47ee4bcd0d0c1c4fbed5b5

SHA512
cbc2fb7ae6f28ea091bd0c3ac19685b9a521b20280e35ebe79a8991b48ef883cac8711c7d74d4f5d42c62cf936de42b1f8bb659d2b35bcd8dd7945d9a6ab3659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
73af02cef35db032bdc9315f58b6e59a

SHA1
b19d8ea61a05ea55d78b64e7a4c7263e796363ff

SHA256
fc4bb34604d6a28287485a125854bd94b3db1a35c7c11d94460170024d43f19b

SHA512
d31276d87c910a0804fea74fa095e145b343b199e077f6351fa60ea8a9d53ce5e50e312e48f7b111d059ec556557f78dd129474bcb80a76d9d7c393802210c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{77EDA0A3-B10A-11EB-B2DB-FA5C9235AE05}.dat
MD5
c4ebdee073a4a02b5f90af0e758affd6

SHA1
1a40e61f88125782b74ae59efe90716292ede1eb

SHA256
19d3581c91e8267ba8a8099cbb6d43f3a2fef87ca6a2349f86c75cf309ed686c

SHA512
826b918f44aefd0ba5311cc36eaa6b855012014071692180a7976169a6445df83b902fb7213de4969f49815df05c3164b299a757bac40addfd7349564f689cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{77EDC7B3-B10A-11EB-B2DB-FA5C9235AE05}.dat
MD5
cfbc904bf1da06cd13dfdc6fdb4613b2

SHA1
a2e20ec0e733694845bedca95219cdca98da3582

SHA256
a949253ddca45924bfc6c1e5ccf14885324266578cd026fde6c768652812075c

SHA512
9636f27c238fef32df1d837e9b0481013d4ee5feb2fe5ff04307efa22f4adcdfc230e0c9e6c095596a6c164eec355001cdd7d81a5f8a9b3fb1d59733dd64f478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\G5RT6SE3.cookie
MD5
ff973296ed1b7fd6ee7b346705220810

SHA1
8f1d79732d9f8d264cf742f110e1218999a6c2b6

SHA256
037580322ae8f9137856ad10a9b09cf2c9519f1e9af8b2df65c0f0971c394954

SHA512
7c96b80eb995b545abd34b63bc384a30bc3343193d44e55fc771a7b974d97e9b8b7ec79e31299bb8a1617a289d1027786c6d6dfe0a873b4ecebf083cbf5ebefc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\RWRKC8XT.cookie
MD5
9b302461639fdaa8f4b05d24a9189b6d

SHA1
6041ed15aace5f37a69360eafcb7238b460d10a3

SHA256
9d23a636c6eba075cbb7492cfcd71e1b58bb437bb6bd321b6c85f52c074024db

SHA512
3912047a3bdb9ad1c8f9f18861718ae1daa0e33e1b0c44f04924e770f242b9bf3bad529221e90e425462ea4195bf6ad7f86776fc494c9d29e8fab82b24f06b88

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
395a1a546b4424e3f11cd3ea26066ff9

SHA1
2f18bf153ed75cd9f33f356d1b9b02219c3a1279

SHA256
5dd67a6408d0421a214abba36a7642591cce652f8eac6f71f6d357c154025e6a

SHA512
2a5a398a56f895bffb245b830fd9b3003d887c2a71c6f1e022fd25bcec303cacd691dc744c0121f1d93f1f6e9887da386b3fab096ec0090a607d2d1aa72710a7

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/184-148-0x00007FFAF6500000-0x00007FFAF656B000-memory.dmp

Filesize
428KB

Download
memory/184-136-0x0000000000000000-mapping.dmp

Download
memory/1180-114-0x0000000000000000-mapping.dmp

Download
memory/2756-153-0x0000000000000000-mapping.dmp

Download
memory/2780-125-0x0000000000000000-mapping.dmp

Download
memory/2788-149-0x00007FFAF6500000-0x00007FFAF656B000-memory.dmp

Filesize
428KB

Download
memory/2788-134-0x0000000000000000-mapping.dmp

Download
memory/2904-137-0x0000000000000000-mapping.dmp

Download
memory/2904-151-0x00007FFAF6500000-0x00007FFAF656B000-memory.dmp

Filesize
428KB

Download
memory/3048-139-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3048-115-0x0000000000000000-mapping.dmp

Download
memory/3048-123-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3048-138-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/3188-154-0x0000000000000000-mapping.dmp

Download
memory/3284-143-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3284-119-0x0000000000000000-mapping.dmp

Download
memory/3284-126-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3296-128-0x0000000000000000-mapping.dmp

Download
memory/3296-133-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3684-150-0x00007FFAF6500000-0x00007FFAF656B000-memory.dmp

Filesize
428KB

Download
memory/3684-135-0x0000000000000000-mapping.dmp

Download
memory/3760-155-0x0000000000000000-mapping.dmp

Download
memory/3968-152-0x0000000000000000-mapping.dmp

Download
memory/4088-141-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4088-117-0x0000000000000000-mapping.dmp

Download