ramnit | c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a

General

Target

c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
Size

256KB
MD5

f9357a88b1a7f26e732e7a8f6cfca22c
SHA1

f07f1628ce975f99b86384326173755253855655
SHA256

c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a
SHA512

2e2ffd27e058e57453a31a9a0bee5a63e5413efbf6a0307fba6338fa778b0ed786e68b2c8de1190ebb266cd4cce8d0afd4dcb86c184b181ec5ac4ee1c52fa0ad

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe:*:enabled:@shell32.dll,-1"	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 212 created 1848 212 WerFault.exe DesktopLayer.exe
Executes dropped EXE 2 IoCs

Processes:

c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exeDesktopLayer.exe

pid process

3544 c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe
1848 DesktopLayer.exe

description	pid	process	target process
PID 212 created 1848	212	WerFault.exe	DesktopLayer.exe

pid	process
3544	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe
1848	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE	upx
behavioral2/memory/3544-124-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px640F.tmp	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

212 1848 WerFault.exe DesktopLayer.exe

pid	pid_target	process	target process
212	1848	WerFault.exe	DesktopLayer.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exeDesktopLayer.exeWerFault.exe

pid	process
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
1848	DesktopLayer.exe
1848	DesktopLayer.exe
1848	DesktopLayer.exe
1848	DesktopLayer.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe
212	WerFault.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe

pid	process
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
Token: SeRestorePrivilege	212	WerFault.exe
Token: SeBackupPrivilege	212	WerFault.exe
Token: SeDebugPrivilege	212	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exec5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe

description	pid	process	target process
PID 744 wrote to memory of 3544	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe
PID 744 wrote to memory of 3544	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe
PID 744 wrote to memory of 3544	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe
PID 744 wrote to memory of 564	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	winlogon.exe
PID 744 wrote to memory of 564	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	winlogon.exe
PID 744 wrote to memory of 564	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	winlogon.exe
PID 744 wrote to memory of 564	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	winlogon.exe
PID 744 wrote to memory of 564	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	winlogon.exe
PID 744 wrote to memory of 564	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	winlogon.exe
PID 3544 wrote to memory of 1848	3544	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe	DesktopLayer.exe
PID 3544 wrote to memory of 1848	3544	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe	DesktopLayer.exe
PID 3544 wrote to memory of 1848	3544	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe	DesktopLayer.exe
PID 744 wrote to memory of 644	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	lsass.exe
PID 744 wrote to memory of 644	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	lsass.exe
PID 744 wrote to memory of 644	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	lsass.exe
PID 744 wrote to memory of 644	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	lsass.exe
PID 744 wrote to memory of 644	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	lsass.exe
PID 744 wrote to memory of 644	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	lsass.exe
PID 744 wrote to memory of 732	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 732	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 732	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 732	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 732	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 732	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 752	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 752	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 752	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 752	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 752	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 752	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 756	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 756	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 756	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 756	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 756	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 756	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	fontdrvhost.exe
PID 744 wrote to memory of 768	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 768	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 768	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 768	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 768	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 768	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 864	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 864	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 864	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 864	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 864	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 864	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 912	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 912	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 912	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 912	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 912	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 912	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 1000	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	dwm.exe
PID 744 wrote to memory of 1000	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	dwm.exe
PID 744 wrote to memory of 1000	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	dwm.exe
PID 744 wrote to memory of 1000	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	dwm.exe
PID 744 wrote to memory of 1000	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	dwm.exe
PID 744 wrote to memory of 1000	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	dwm.exe
PID 744 wrote to memory of 60	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 60	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 60	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe
PID 744 wrote to memory of 60	744	c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:644

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:564

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:1000

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1052

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2680

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3264

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:3636

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3824

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:1948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3724

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3496

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3276

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe
"C:\Users\Admin\AppData\Local\Temp\c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82a.exe"
2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe
C:\Users\Admin\AppData\Local\Temp\c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3544

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 460
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2936

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2688

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:824

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2484

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2352

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2332

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3c0
1⤵
PID:2268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1700

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1996

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1884

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1568

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1516

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1256

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1236

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1132

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:628

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:60

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:768

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:1772

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:2368

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:752

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3584

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d6fa42e88c4545b51854e439f7de1cbaf8877e69522d5438a11bc087fbf82aSrv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
memory/744-126-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1848-117-0x0000000000000000-mapping.dmp

Download
memory/1848-120-0x000000007FEA0000-0x000000007FEAC000-memory.dmp

Filesize
48KB

Download
memory/3544-114-0x0000000000000000-mapping.dmp

Download
memory/3544-119-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/3544-123-0x000000007FEA0000-0x000000007FEAC000-memory.dmp

Filesize
48KB

Download
memory/3544-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads