ramnit | a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3

Analysis

max time kernel
121s
max time network
137s
platform
windows7_x64
resource
win7v20210410
submitted
09-05-2021 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3.dll
Size

332KB
MD5

015e11b88afcd635d409dd37d63b34ee
SHA1

efdccbe4280d4f8f635bb2bd74c912bab6a0bf38
SHA256

a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3
SHA512

ef7c3c6b9462e33437b83b93bdc3a193b9bdc951f14483c072362491747551aefca4238085bdf4410ebf429c74f6366cee8b081090c0a65a171969f18f524957

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

rundll32Srv.exerundll32SrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid process

1388 rundll32Srv.exe
1952 rundll32SrvSrv.exe
1760 DesktopLayer.exe
1712 DesktopLayerSrv.exe

pid	process
1388	rundll32Srv.exe
1952	rundll32SrvSrv.exe
1760	DesktopLayer.exe
1712	DesktopLayerSrv.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
\Windows\SysWOW64\rundll32SrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32SrvSrv.exe	upx
C:\Windows\SysWOW64\rundll32Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
behavioral1/memory/1388-89-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1952-91-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32Srv.exeDesktopLayer.exe

pid process

2012 rundll32.exe
1388 rundll32Srv.exe
1388 rundll32Srv.exe
1760 DesktopLayer.exe
Drops file in System32 directory 2 IoCs

Processes:

rundll32.exerundll32Srv.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32Srv.exe rundll32.exe
File created C:\Windows\SysWOW64\rundll32SrvSrv.exe rundll32Srv.exe

pid	process
2012	rundll32.exe
1388	rundll32Srv.exe
1388	rundll32Srv.exe
1760	DesktopLayer.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32Srv.exe	rundll32.exe
File created	C:\Windows\SysWOW64\rundll32SrvSrv.exe	rundll32Srv.exe

Drops file in Program Files directory 8 IoCs

Processes:

DesktopLayerSrv.exerundll32Srv.exerundll32SrvSrv.exeDesktopLayer.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px11AD.tmp	rundll32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px11AD.tmp	rundll32SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	rundll32SrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1287.tmp	DesktopLayerSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327310925"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A2969FA1-B099-11EB-B1BA-7AE655052A65} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A296C6B1-B099-11EB-B1BA-7AE655052A65} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A28AB8C1-B099-11EB-B1BA-7AE655052A65} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

rundll32SrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid	process
1952	rundll32SrvSrv.exe
1952	rundll32SrvSrv.exe
1952	rundll32SrvSrv.exe
1952	rundll32SrvSrv.exe
1760	DesktopLayer.exe
1760	DesktopLayer.exe
1760	DesktopLayer.exe
1760	DesktopLayer.exe
1712	DesktopLayerSrv.exe
1712	DesktopLayerSrv.exe
1712	DesktopLayerSrv.exe
1712	DesktopLayerSrv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

1768 iexplore.exe
1088 iexplore.exe
1192 iexplore.exe

pid	process
1768	iexplore.exe
1088	iexplore.exe
1192	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1088	iexplore.exe
1088	iexplore.exe
1768	iexplore.exe
1768	iexplore.exe
1192	iexplore.exe
1192	iexplore.exe
956	IEXPLORE.EXE
956	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
1812	IEXPLORE.EXE
1812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

rundll32.exerundll32.exerundll32Srv.exeDesktopLayer.exerundll32SrvSrv.exeDesktopLayerSrv.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1748 wrote to memory of 2012	1748	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 2012	1748	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 2012	1748	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 2012	1748	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 2012	1748	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 2012	1748	rundll32.exe	rundll32.exe
PID 1748 wrote to memory of 2012	1748	rundll32.exe	rundll32.exe
PID 2012 wrote to memory of 1388	2012	rundll32.exe	rundll32Srv.exe
PID 2012 wrote to memory of 1388	2012	rundll32.exe	rundll32Srv.exe
PID 2012 wrote to memory of 1388	2012	rundll32.exe	rundll32Srv.exe
PID 2012 wrote to memory of 1388	2012	rundll32.exe	rundll32Srv.exe
PID 1388 wrote to memory of 1952	1388	rundll32Srv.exe	rundll32SrvSrv.exe
PID 1388 wrote to memory of 1952	1388	rundll32Srv.exe	rundll32SrvSrv.exe
PID 1388 wrote to memory of 1952	1388	rundll32Srv.exe	rundll32SrvSrv.exe
PID 1388 wrote to memory of 1952	1388	rundll32Srv.exe	rundll32SrvSrv.exe
PID 1388 wrote to memory of 1760	1388	rundll32Srv.exe	DesktopLayer.exe
PID 1388 wrote to memory of 1760	1388	rundll32Srv.exe	DesktopLayer.exe
PID 1388 wrote to memory of 1760	1388	rundll32Srv.exe	DesktopLayer.exe
PID 1388 wrote to memory of 1760	1388	rundll32Srv.exe	DesktopLayer.exe
PID 1760 wrote to memory of 1712	1760	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1760 wrote to memory of 1712	1760	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1760 wrote to memory of 1712	1760	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1760 wrote to memory of 1712	1760	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1952 wrote to memory of 1768	1952	rundll32SrvSrv.exe	iexplore.exe
PID 1952 wrote to memory of 1768	1952	rundll32SrvSrv.exe	iexplore.exe
PID 1952 wrote to memory of 1768	1952	rundll32SrvSrv.exe	iexplore.exe
PID 1952 wrote to memory of 1768	1952	rundll32SrvSrv.exe	iexplore.exe
PID 1760 wrote to memory of 1192	1760	DesktopLayer.exe	iexplore.exe
PID 1760 wrote to memory of 1192	1760	DesktopLayer.exe	iexplore.exe
PID 1760 wrote to memory of 1192	1760	DesktopLayer.exe	iexplore.exe
PID 1760 wrote to memory of 1192	1760	DesktopLayer.exe	iexplore.exe
PID 1712 wrote to memory of 1088	1712	DesktopLayerSrv.exe	iexplore.exe
PID 1712 wrote to memory of 1088	1712	DesktopLayerSrv.exe	iexplore.exe
PID 1712 wrote to memory of 1088	1712	DesktopLayerSrv.exe	iexplore.exe
PID 1712 wrote to memory of 1088	1712	DesktopLayerSrv.exe	iexplore.exe
PID 1088 wrote to memory of 1812	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 1812	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 1812	1088	iexplore.exe	IEXPLORE.EXE
PID 1088 wrote to memory of 1812	1088	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 1872	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 1872	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 1872	1192	iexplore.exe	IEXPLORE.EXE
PID 1192 wrote to memory of 1872	1192	iexplore.exe	IEXPLORE.EXE
PID 1768 wrote to memory of 956	1768	iexplore.exe	IEXPLORE.EXE
PID 1768 wrote to memory of 956	1768	iexplore.exe	IEXPLORE.EXE
PID 1768 wrote to memory of 956	1768	iexplore.exe	IEXPLORE.EXE
PID 1768 wrote to memory of 956	1768	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a5058b9528ef9cd2997cd143a8ed3e18e44b354ee331378c651a53852fdda5d3.dll,#1
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\rundll32Srv.exe
C:\Windows\SysWOW64\rundll32Srv.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\rundll32SrvSrv.exe
C:\Windows\SysWOW64\rundll32SrvSrv.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1768

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1768 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:956

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1088 CREDAT:275457 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1872

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A28AB8C1-B099-11EB-B1BA-7AE655052A65}.dat
MD5
f8fcc28d7066189fe4e9cf3e1e016a90

SHA1
a55efd29562209d54c863471e51438ca29636156

SHA256
845beec873b956b6e6bcf85ec7026bf2ecc5bebd11a37159d10a26053ee7cb13

SHA512
a77164a396864025a1c9aca1b5dadade937ce3eab3ac05c43c9427e253585c2152170262e79001a7a8c08e064e33c9bafafc1ff116386b04d2ae872b23683b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A296C6B1-B099-11EB-B1BA-7AE655052A65}.dat
MD5
29a2fc2b22801c053f1405b6f0d0c619

SHA1
01689c2b5c9f1aa4eedd0c6824e5df2d625d47ee

SHA256
4ced14530d9fb9edb5c1261df20c49af9c6eb558e8dcb9fed7cfc7ccd601c247

SHA512
7d7eab4924f270c46ff45dfbba70fb4d0a39fd5234020538161ff9245a5b7ac886faa4d2db5215e79c72fa2155ee347679729aa382dfdca4149c1947508f3b5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A296C6B1-B099-11EB-B1BA-7AE655052A65}.dat
MD5
49ca55f4c05072e2f07314b1c54ff132

SHA1
e9b6211d9499d8c63b470005995130a818fa1729

SHA256
e7d08e1fe2e9d2af212576c6449e5c9995ad0ffc3cf74c06a8928b597e076f12

SHA512
ad51ec26d3b83786ae9d7443041d5706940b6d413f8fb1ca9d28c8ad81a1c2f8e08643532043daccd56edde05fab35b445fec98edbeb70dea58225891e755da1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2NJM7CTJ.txt
MD5
5ff3809bd2492b9a357d9d7cddb65773

SHA1
034774c6650d0414e859551c159e25a24944fac7

SHA256
45402c48a12d8fe6c8196f39c3a309225b51c09dbb23bab4035e1a8be3e366e9

SHA512
512e4cc20ff2bb0845f11041d49f708f242236ef8a5aa4a9dfc0b52300c12a6190f13fa645c98f9b6887b3874fffa0b576c9fe1168ef4f24a41f6ce44291df16

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Windows\SysWOW64\rundll32Srv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\rundll32SrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Windows\SysWOW64\rundll32Srv.exe
MD5
f018e9eb66dc53d840ee98c5926f1e2e

SHA1
8e736010173688f982e5713fa8b70c978f17ba42

SHA256
8e9e93a7ae39aa3c6e17a11d567cf52e6190b726d76e6f60b57e9db99ee58bb6

SHA512
30b1fb67767eb5b15bd9d45091d9f184811d4934faeed47b672315d8c8d05b9dc031a6a02addb4b71de1c6b286cc62ef61db2f55dfe4df4bd3c584f256ca49a2

Download Submit
\Windows\SysWOW64\rundll32SrvSrv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/956-98-0x0000000000000000-mapping.dmp

Download
memory/1088-87-0x0000000000000000-mapping.dmp

Download
memory/1088-103-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/1192-84-0x0000000000000000-mapping.dmp

Download
memory/1388-63-0x0000000000000000-mapping.dmp

Download
memory/1388-88-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1388-89-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1712-78-0x0000000000000000-mapping.dmp

Download
memory/1760-92-0x0000000000230000-0x000000000025E000-memory.dmp

Filesize
184KB

Download
memory/1760-73-0x0000000000000000-mapping.dmp

Download
memory/1768-79-0x0000000000000000-mapping.dmp

Download
memory/1812-96-0x0000000000000000-mapping.dmp

Download
memory/1872-97-0x0000000000000000-mapping.dmp

Download
memory/1952-91-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1952-67-0x0000000000000000-mapping.dmp

Download
memory/1952-74-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1952-90-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2012-60-0x0000000000000000-mapping.dmp

Download
memory/2012-61-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download