ramnit | f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f

Analysis

max time kernel
85s
max time network
135s
platform
windows10_x64
resource
win10v20210408
submitted
13-05-2021 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
Size

2.2MB
MD5

8983ddb0325666653eeed4c2f891256c
SHA1

a7b35ffec9e420318076fa9b29a63beeb41b5eb1
SHA256

f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f
SHA512

bd0441226e0dd6c6837a7721ff1607a0b459c680eaedadf80688a71139525ec608b08f54f49494fb6acfe64b7bedaf6811fefaec8bc1412011186f7cd8442ef8

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 4 IoCs

Processes:

f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exef7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid	process
960	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe
3268	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
3108	DesktopLayer.exe
3852	DesktopLayerSrv.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
behavioral2/memory/960-136-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/3268-138-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 8 IoCs

Processes:

f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exef7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxAF8F.tmp	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB05A.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxAF7F.tmp	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327118946"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8088ED7-B456-11EB-B2DB-46FA6997EE5A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D7FCA2F3-B456-11EB-B2DB-46FA6997EE5A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "327119115"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327119003"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D7F57C1C-B456-11EB-B2DB-46FA6997EE5A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid	process
3268	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
3268	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
3268	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
3268	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
3268	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
3268	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
3268	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
3268	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
3108	DesktopLayer.exe
3108	DesktopLayer.exe
3108	DesktopLayer.exe
3108	DesktopLayer.exe
3108	DesktopLayer.exe
3108	DesktopLayer.exe
3108	DesktopLayer.exe
3108	DesktopLayer.exe
3852	DesktopLayerSrv.exe
3852	DesktopLayerSrv.exe
3852	DesktopLayerSrv.exe
3852	DesktopLayerSrv.exe
3852	DesktopLayerSrv.exe
3852	DesktopLayerSrv.exe
3852	DesktopLayerSrv.exe
3852	DesktopLayerSrv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2676 iexplore.exe

pid	process
2676	iexplore.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exeiexplore.exeiexplore.exeiexplore.exe

pid	process
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
2676	iexplore.exe
2524	iexplore.exe
3864	iexplore.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe

pid	process
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exeiexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
2524	iexplore.exe
2524	iexplore.exe
3864	iexplore.exe
3864	iexplore.exe
2676	iexplore.exe
2676	iexplore.exe
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
1124	IEXPLORE.EXE
1124	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exef7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exef7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exeDesktopLayer.exeDesktopLayerSrv.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 864 wrote to memory of 960	864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe
PID 864 wrote to memory of 960	864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe
PID 864 wrote to memory of 960	864	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe
PID 960 wrote to memory of 3268	960	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
PID 960 wrote to memory of 3268	960	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
PID 960 wrote to memory of 3268	960	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
PID 960 wrote to memory of 3108	960	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe	DesktopLayer.exe
PID 960 wrote to memory of 3108	960	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe	DesktopLayer.exe
PID 960 wrote to memory of 3108	960	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe	DesktopLayer.exe
PID 3268 wrote to memory of 3864	3268	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe	iexplore.exe
PID 3268 wrote to memory of 3864	3268	f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe	iexplore.exe
PID 3108 wrote to memory of 3852	3108	DesktopLayer.exe	DesktopLayerSrv.exe
PID 3108 wrote to memory of 3852	3108	DesktopLayer.exe	DesktopLayerSrv.exe
PID 3108 wrote to memory of 3852	3108	DesktopLayer.exe	DesktopLayerSrv.exe
PID 3108 wrote to memory of 2676	3108	DesktopLayer.exe	iexplore.exe
PID 3108 wrote to memory of 2676	3108	DesktopLayer.exe	iexplore.exe
PID 3852 wrote to memory of 2524	3852	DesktopLayerSrv.exe	iexplore.exe
PID 3852 wrote to memory of 2524	3852	DesktopLayerSrv.exe	iexplore.exe
PID 2524 wrote to memory of 1128	2524	iexplore.exe	IEXPLORE.EXE
PID 2524 wrote to memory of 1128	2524	iexplore.exe	IEXPLORE.EXE
PID 2524 wrote to memory of 1128	2524	iexplore.exe	IEXPLORE.EXE
PID 2676 wrote to memory of 1124	2676	iexplore.exe	IEXPLORE.EXE
PID 2676 wrote to memory of 1124	2676	iexplore.exe	IEXPLORE.EXE
PID 2676 wrote to memory of 1124	2676	iexplore.exe	IEXPLORE.EXE
PID 3864 wrote to memory of 2256	3864	iexplore.exe	IEXPLORE.EXE
PID 3864 wrote to memory of 2256	3864	iexplore.exe	IEXPLORE.EXE
PID 3864 wrote to memory of 2256	3864	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe
"C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808f.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864

C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe
C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3864

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3864 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3108

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2524 CREDAT:82945 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5
94572235866d843f72d75046796c1569

SHA1
4e6514d9de841f21671abe5655e54f6792ace32b

SHA256
7017ea0ae5c525f067a12ca0f84e766ecbc53dfb8f10f5af32a46e0feef9b901

SHA512
2a91a6cf112656d389ee388ade79879424ca740b41eb10ad8aeab73fe65297a0de1fc79141997a5e4afeecb94ba3dca88adc589d3585761a8f06e9faec439e4c

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5
94572235866d843f72d75046796c1569

SHA1
4e6514d9de841f21671abe5655e54f6792ace32b

SHA256
7017ea0ae5c525f067a12ca0f84e766ecbc53dfb8f10f5af32a46e0feef9b901

SHA512
2a91a6cf112656d389ee388ade79879424ca740b41eb10ad8aeab73fe65297a0de1fc79141997a5e4afeecb94ba3dca88adc589d3585761a8f06e9faec439e4c

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D7FCA2F3-B456-11EB-B2DB-46FA6997EE5A}.dat

MD5
84d924a566b7382099f7f20bebc51240

SHA1
1b7f56389aaae411f70aefbdb3481421b3a0bd9d

SHA256
e08a0b5c1a91aceb773a5d132f70bdda89f70446218c7bedbe97364e60f8f351

SHA512
b69ab82b54fbb96870a0066fdb783cd484a9e0b5ba3106618d74ec41f2162de5be4a2c0dbf91ffe534603b8cdf8df34eeb1cfd2fc0813711611fcd587a457022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D8088ED7-B456-11EB-B2DB-46FA6997EE5A}.dat

MD5
38f6e025217a27ad0f5c7156bd814a96

SHA1
0e5ea1a9aa8ce85d8bb590676f942f8958197f43

SHA256
24e401dffbfcb73c41773d7c17c05ed43a613c5f2c348a8176907fa7e1ec7b5d

SHA512
d94350f108a09475e4659c06915276734bcde3e0ed82cc4b1fa44d16967f26a5fe76cc4b88dd36133ecca0380ae20f1de0f1cc94b2bb54acf3e33c08e300e817

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe

MD5
94572235866d843f72d75046796c1569

SHA1
4e6514d9de841f21671abe5655e54f6792ace32b

SHA256
7017ea0ae5c525f067a12ca0f84e766ecbc53dfb8f10f5af32a46e0feef9b901

SHA512
2a91a6cf112656d389ee388ade79879424ca740b41eb10ad8aeab73fe65297a0de1fc79141997a5e4afeecb94ba3dca88adc589d3585761a8f06e9faec439e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrv.exe

MD5
94572235866d843f72d75046796c1569

SHA1
4e6514d9de841f21671abe5655e54f6792ace32b

SHA256
7017ea0ae5c525f067a12ca0f84e766ecbc53dfb8f10f5af32a46e0feef9b901

SHA512
2a91a6cf112656d389ee388ade79879424ca740b41eb10ad8aeab73fe65297a0de1fc79141997a5e4afeecb94ba3dca88adc589d3585761a8f06e9faec439e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7b326008ea924a48820cb19528dfab0fe73f9d3ebc3f5512a6c71e2f5dd808fSrvSrv.exe

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/864-139-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/960-136-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/960-114-0x0000000000000000-mapping.dmp

Download
memory/960-135-0x00000000001F0000-0x00000000001FF000-memory.dmp

Filesize
60KB

Download
memory/1124-145-0x0000000000000000-mapping.dmp

Download
memory/1128-144-0x0000000000000000-mapping.dmp

Download
memory/2256-146-0x0000000000000000-mapping.dmp

Download
memory/2524-131-0x0000000000000000-mapping.dmp

Download
memory/2524-134-0x00007FFDD0240000-0x00007FFDD02AB000-memory.dmp

Filesize
428KB

Download
memory/2676-133-0x00007FFDD0240000-0x00007FFDD02AB000-memory.dmp

Filesize
428KB

Download
memory/2676-128-0x0000000000000000-mapping.dmp

Download
memory/3108-121-0x0000000000000000-mapping.dmp

Download
memory/3268-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3268-120-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3268-116-0x0000000000000000-mapping.dmp

Download
memory/3852-124-0x0000000000000000-mapping.dmp

Download
memory/3864-132-0x00007FFDD0240000-0x00007FFDD02AB000-memory.dmp

Filesize
428KB

Download
memory/3864-123-0x0000000000000000-mapping.dmp

Download