ramnit | 02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1

General

Target

02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
Size

146KB
MD5

c227ae3b284462ef0a011b5a7ccd9b28
SHA1

15f41f3c0905927f9b0255afcd817572de56324c
SHA256

02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1
SHA512

7ccf1b2a1fc86df342fade7244ff0d5770afda0083d144b116d70821e45659164a5789cbabac77b19029c6cd6fccd45b11d7f35269ce911ab03f0ca3ab0a5a94

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exeDesktopLayer.exe

pid process

1964 02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
1992 DesktopLayer.exe

pid	process
1964	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
1992	DesktopLayer.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1964-73-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe

pid	process
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
1964	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe

Drops file in Program Files directory 3 IoCs

Processes:

02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px9270.tmp	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327225551"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{03731891-B54F-11EB-B2DE-62BE63CA7978} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exeDesktopLayer.exe

pid	process
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
1992	DesktopLayer.exe
1992	DesktopLayer.exe
1992	DesktopLayer.exe
1992	DesktopLayer.exe

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe

pid	process
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe

description pid process

Token: SeDebugPrivilege 940 02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2040 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2040 iexplore.exe
2040 iexplore.exe
1664 IEXPLORE.EXE
1664 IEXPLORE.EXE
1664 IEXPLORE.EXE
1664 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe

pid	process
2040	iexplore.exe

pid	process
2040	iexplore.exe
2040	iexplore.exe
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE
1664	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe

description	pid	process	target process
PID 940 wrote to memory of 1964	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
PID 940 wrote to memory of 1964	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
PID 940 wrote to memory of 1964	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
PID 940 wrote to memory of 1964	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
PID 940 wrote to memory of 372	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	wininit.exe
PID 940 wrote to memory of 372	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	wininit.exe
PID 940 wrote to memory of 372	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	wininit.exe
PID 940 wrote to memory of 372	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	wininit.exe
PID 940 wrote to memory of 372	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	wininit.exe
PID 940 wrote to memory of 372	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	wininit.exe
PID 940 wrote to memory of 372	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	wininit.exe
PID 940 wrote to memory of 380	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	csrss.exe
PID 940 wrote to memory of 380	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	csrss.exe
PID 940 wrote to memory of 380	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	csrss.exe
PID 940 wrote to memory of 380	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	csrss.exe
PID 940 wrote to memory of 380	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	csrss.exe
PID 940 wrote to memory of 380	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	csrss.exe
PID 940 wrote to memory of 380	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	csrss.exe
PID 940 wrote to memory of 420	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	winlogon.exe
PID 940 wrote to memory of 420	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	winlogon.exe
PID 940 wrote to memory of 420	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	winlogon.exe
PID 940 wrote to memory of 420	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	winlogon.exe
PID 940 wrote to memory of 420	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	winlogon.exe
PID 940 wrote to memory of 420	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	winlogon.exe
PID 940 wrote to memory of 420	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	winlogon.exe
PID 940 wrote to memory of 472	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	services.exe
PID 940 wrote to memory of 472	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	services.exe
PID 940 wrote to memory of 472	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	services.exe
PID 940 wrote to memory of 472	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	services.exe
PID 940 wrote to memory of 472	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	services.exe
PID 940 wrote to memory of 472	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	services.exe
PID 940 wrote to memory of 472	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	services.exe
PID 940 wrote to memory of 480	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsass.exe
PID 940 wrote to memory of 480	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsass.exe
PID 940 wrote to memory of 480	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsass.exe
PID 940 wrote to memory of 480	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsass.exe
PID 940 wrote to memory of 480	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsass.exe
PID 940 wrote to memory of 480	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsass.exe
PID 940 wrote to memory of 480	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsass.exe
PID 940 wrote to memory of 488	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsm.exe
PID 940 wrote to memory of 488	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsm.exe
PID 940 wrote to memory of 488	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsm.exe
PID 940 wrote to memory of 488	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsm.exe
PID 940 wrote to memory of 488	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsm.exe
PID 940 wrote to memory of 488	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsm.exe
PID 940 wrote to memory of 488	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	lsm.exe
PID 940 wrote to memory of 588	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 588	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 588	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 588	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 588	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 588	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 588	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 664	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 664	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 664	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 664	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 664	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 664	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 664	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 748	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 748	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 748	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe
PID 940 wrote to memory of 748	940	02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1136

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1088

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:588

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:380

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe
"C:\Users\Admin\AppData\Local\Temp\02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Local\Temp\02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
C:\Users\Admin\AppData\Local\Temp\02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1964

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2040

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
\Users\Admin\AppData\Local\Temp\02804f405f7455bee05a990645bf456d679c3db8727e123a8ef1a14514c2fdf1Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
memory/940-59-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/1664-77-0x0000000000000000-mapping.dmp

Download
memory/1964-61-0x0000000000000000-mapping.dmp

Download
memory/1964-74-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1964-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1964-72-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/1992-66-0x0000000000000000-mapping.dmp

Download
memory/1992-70-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2040-71-0x0000000000000000-mapping.dmp

Download
memory/2040-79-0x0000000003D60000-0x0000000003D61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads