ramnit | 09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5

General

Target

09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
Size

390KB
MD5

4ac3edd36979050ed63490ca4d64d558
SHA1

965d34311d79c178187c215fbc22ffae3d89f2fd
SHA256

09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5
SHA512

e4fa7ffd6433784ecf5e0e484faa2f2bdc86ff538b39028c619949f9450873c35fe3fa8915755b4cef29ee41206ef3f60aa64da0427a60ce54fc4ee32406f1fb

Score

10^/10

ramnit banker evasion spyware stealer trojan upx worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe:*:enabled:@shell32.dll,-1"	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description	pid	process	target process
PID 3060 created 3940	3060	WerFault.exe	DesktopLayer.exe
PID 3500 created 3744	3500	WerFault.exe	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe

Executes dropped EXE 2 IoCs

Processes:

09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exeDesktopLayer.exe

pid process

1228 09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe
3940 DesktopLayer.exe

pid	process
1228	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe
3940	DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe	upx
C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/1228-121-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px1274.tmp	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3500	3744	WerFault.exe	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3060	3940	WerFault.exe	DesktopLayer.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exeDesktopLayer.exeWerFault.exeWerFault.exe

pid	process
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3940	DesktopLayer.exe
3940	DesktopLayer.exe
3940	DesktopLayer.exe
3940	DesktopLayer.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3060	WerFault.exe
3500	WerFault.exe
3060	WerFault.exe
3500	WerFault.exe
3060	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3060	WerFault.exe
3500	WerFault.exe
3060	WerFault.exe
3500	WerFault.exe
3060	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3060	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe
3500	WerFault.exe

Suspicious behavior: MapViewOfSection 63 IoCs

Processes:

09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe

pid	process
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
Token: SeRestorePrivilege	3060	WerFault.exe
Token: SeBackupPrivilege	3060	WerFault.exe
Token: SeRestorePrivilege	3500	WerFault.exe
Token: SeBackupPrivilege	3500	WerFault.exe
Token: SeDebugPrivilege	3060	WerFault.exe
Token: SeDebugPrivilege	3500	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe

description	pid	process	target process
PID 3744 wrote to memory of 1228	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe
PID 3744 wrote to memory of 1228	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe
PID 3744 wrote to memory of 1228	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe
PID 3744 wrote to memory of 572	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	winlogon.exe
PID 3744 wrote to memory of 572	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	winlogon.exe
PID 3744 wrote to memory of 572	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	winlogon.exe
PID 3744 wrote to memory of 572	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	winlogon.exe
PID 3744 wrote to memory of 572	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	winlogon.exe
PID 3744 wrote to memory of 572	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	winlogon.exe
PID 3744 wrote to memory of 632	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	lsass.exe
PID 3744 wrote to memory of 632	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	lsass.exe
PID 3744 wrote to memory of 632	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	lsass.exe
PID 3744 wrote to memory of 632	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	lsass.exe
PID 3744 wrote to memory of 632	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	lsass.exe
PID 3744 wrote to memory of 632	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	lsass.exe
PID 3744 wrote to memory of 716	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 716	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 716	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 716	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 716	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 716	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 732	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 3744 wrote to memory of 732	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 3744 wrote to memory of 732	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 3744 wrote to memory of 732	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 3744 wrote to memory of 732	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 3744 wrote to memory of 732	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 3744 wrote to memory of 736	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 3744 wrote to memory of 736	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 1228 wrote to memory of 3940	1228	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe	DesktopLayer.exe
PID 3744 wrote to memory of 736	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 1228 wrote to memory of 3940	1228	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe	DesktopLayer.exe
PID 3744 wrote to memory of 736	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 1228 wrote to memory of 3940	1228	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe	DesktopLayer.exe
PID 3744 wrote to memory of 736	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 3744 wrote to memory of 736	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	fontdrvhost.exe
PID 3744 wrote to memory of 796	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 796	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 796	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 796	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 796	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 796	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 856	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 856	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 856	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 856	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 856	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 856	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 896	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 896	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 896	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 896	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 896	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 896	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 980	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	dwm.exe
PID 3744 wrote to memory of 980	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	dwm.exe
PID 3744 wrote to memory of 980	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	dwm.exe
PID 3744 wrote to memory of 980	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	dwm.exe
PID 3744 wrote to memory of 980	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	dwm.exe
PID 3744 wrote to memory of 980	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	dwm.exe
PID 3744 wrote to memory of 1000	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 1000	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 1000	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe
PID 3744 wrote to memory of 1000	3744	09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe	svchost.exe

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390
1⤵
PID:2172

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2372

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2404

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2612

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2672

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2688

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:3024

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2712

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe
"C:\Users\Admin\AppData\Local\Temp\09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5.exe"
2⤵
- Modifies firewall policy service
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Users\Admin\AppData\Local\Temp\09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe
C:\Users\Admin\AppData\Local\Temp\09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1228

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 440
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 608
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3260

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2744

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1948

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:3388

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3464

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2664

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2464

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1604

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2040

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1272

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:948

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1000

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:980

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:796

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:3336

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:736

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:716

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:632

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:572

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:728

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:3936

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRAM FILES (X86)\MICROSOFT\DESKTOPLAYER.EXE
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\09ff356818f8b41d3c538a7648bb2ea5971cd54c8a2959d3c04a42867555fbe5Srv.exe
MD5
e7efb2a2b36ab241b6c9b770abf95000

SHA1
d4c253cbf80dc65a04747aea4afc91de6a4a4c5d

SHA256
4c7bf8d4e1ad5bd27b4b990791d4968be2a1d9cbb092c1af2e19a42c1b93e4c8

SHA512
958e64677c0acc6b2c0ef8e5ff5c39ea12986b8d5d0820710572af7669fdb6fe740e3ee609c1d9dfcdbfaee6a6f8fdeda25f64f7ad4d335627a024d6a1b4fcf3

Download Submit
memory/1228-114-0x0000000000000000-mapping.dmp

Download
memory/1228-120-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/1228-121-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1228-122-0x000000007FEA0000-0x000000007FEAC000-memory.dmp

Filesize
48KB

Download
memory/3940-117-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads