ramnit | 2c7a1423deec2316a859cdff0c558143dea966df38441bf4a0c89014e7d8e20c

Analysis

max time kernel
120s
max time network
145s
platform
windows10_x64
resource
win10v20210410
submitted
16-05-2021 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c7a1423deec2316a859cdff0c558143dea966df38441bf4a0c89014e7d8e20c.dll
Size

786KB
MD5

d84d13fc6011d84aababaeaf543b739f
SHA1

8668ae8acea0362da8a5fea7fe80da9a643f5ff4
SHA256

2c7a1423deec2316a859cdff0c558143dea966df38441bf4a0c89014e7d8e20c
SHA512

01360c6a6f32cff2302ae72315685e9c902637b72c8deb04c7ff1206d5fe39b22e2571a2f9242dca65612bf0b85fc865e2f46c87ac002ead5503aba35b8fa2a4

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 3 IoCs

Processes:

regsvr32mgr.exeregsvr32Srv.exeDesktopLayer.exe

pid process

1352 regsvr32mgr.exe
1484 regsvr32Srv.exe
1908 DesktopLayer.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\regsvr32Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Windows\SysWOW64\regsvr32Srv.exe	upx
behavioral2/memory/1484-131-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1352-132-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

Processes:

regsvr32.exe

description ioc process

File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe
File created C:\Windows\SysWOW64\regsvr32Srv.exe regsvr32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

Drops file in Program Files directory 3 IoCs

Processes:

regsvr32Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px2764.tmp	regsvr32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327960611"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "604781370"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "604781370"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886543"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "604781370"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "615094186"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886543"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "328009196"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "615094186"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4F4A7708-B682-11EB-A11C-E62B3DD6123B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30886543"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "327977205"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "604781370"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886543"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886543"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30886543"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4F45B28D-B682-11EB-A11C-E62B3DD6123B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 37 IoCs

Processes:

regsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ = "ISimpleShlExt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c7a1423deec2316a859cdff0c558143dea966df38441bf4a0c89014e7d8e20c.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2c7a1423deec2316a859cdff0c558143dea966df38441bf4a0c89014e7d8e20c.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib\ = "{B009308D-E21E-4B9F-A00B-78A1D0C6B719}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib\ = "{B009308D-E21E-4B9F-A00B-78A1D0C6B719}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ = "SimpleShlExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\VersionIndependentProgID\ = "Catalyst Context Menu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ = "ISimpleShlExt"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ProgID\ = "Catalyst Context Menu"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D547EE80-6B42-48C1-9EF5-17A566D62546}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5e2121ee-0300-11d4-8d3b-444553540000}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\TypeLib\ = "{5E2121EE-0300-11D4-8D3B-444553540000}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\ = "SimpleEx 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B009308D-E21E-4B9F-A00B-78A1D0C6B719}\1.0\FLAGS\ = "0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

regsvr32mgr.exeDesktopLayer.exe

pid	process
1352	regsvr32mgr.exe
1352	regsvr32mgr.exe
1352	regsvr32mgr.exe
1352	regsvr32mgr.exe
1908	DesktopLayer.exe
1908	DesktopLayer.exe
1352	regsvr32mgr.exe
1352	regsvr32mgr.exe
1908	DesktopLayer.exe
1908	DesktopLayer.exe
1352	regsvr32mgr.exe
1352	regsvr32mgr.exe
1908	DesktopLayer.exe
1908	DesktopLayer.exe
1908	DesktopLayer.exe
1908	DesktopLayer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2204 iexplore.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

regsvr32mgr.exe

description pid process

Token: SeDebugPrivilege 1352 regsvr32mgr.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

2204 iexplore.exe
2392 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	1352	regsvr32mgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2204	iexplore.exe
2204	iexplore.exe
2392	iexplore.exe
2392	iexplore.exe
932	IEXPLORE.EXE
932	IEXPLORE.EXE
1008	IEXPLORE.EXE
1008	IEXPLORE.EXE
1008	IEXPLORE.EXE
1008	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

regsvr32mgr.exe

pid process

1352 regsvr32mgr.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32Srv.exeregsvr32mgr.exeDesktopLayer.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 3656 wrote to memory of 3672	3656	regsvr32.exe	regsvr32.exe
PID 3656 wrote to memory of 3672	3656	regsvr32.exe	regsvr32.exe
PID 3656 wrote to memory of 3672	3656	regsvr32.exe	regsvr32.exe
PID 3672 wrote to memory of 1352	3672	regsvr32.exe	regsvr32mgr.exe
PID 3672 wrote to memory of 1352	3672	regsvr32.exe	regsvr32mgr.exe
PID 3672 wrote to memory of 1352	3672	regsvr32.exe	regsvr32mgr.exe
PID 3672 wrote to memory of 1484	3672	regsvr32.exe	regsvr32Srv.exe
PID 3672 wrote to memory of 1484	3672	regsvr32.exe	regsvr32Srv.exe
PID 3672 wrote to memory of 1484	3672	regsvr32.exe	regsvr32Srv.exe
PID 1484 wrote to memory of 1908	1484	regsvr32Srv.exe	DesktopLayer.exe
PID 1484 wrote to memory of 1908	1484	regsvr32Srv.exe	DesktopLayer.exe
PID 1484 wrote to memory of 1908	1484	regsvr32Srv.exe	DesktopLayer.exe
PID 1352 wrote to memory of 2204	1352	regsvr32mgr.exe	iexplore.exe
PID 1352 wrote to memory of 2204	1352	regsvr32mgr.exe	iexplore.exe
PID 1908 wrote to memory of 2392	1908	DesktopLayer.exe	iexplore.exe
PID 1908 wrote to memory of 2392	1908	DesktopLayer.exe	iexplore.exe
PID 2392 wrote to memory of 932	2392	iexplore.exe	IEXPLORE.EXE
PID 2392 wrote to memory of 932	2392	iexplore.exe	IEXPLORE.EXE
PID 2392 wrote to memory of 932	2392	iexplore.exe	IEXPLORE.EXE
PID 2204 wrote to memory of 1008	2204	iexplore.exe	IEXPLORE.EXE
PID 2204 wrote to memory of 1008	2204	iexplore.exe	IEXPLORE.EXE
PID 2204 wrote to memory of 1008	2204	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2c7a1423deec2316a859cdff0c558143dea966df38441bf4a0c89014e7d8e20c.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3656

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2c7a1423deec2316a859cdff0c558143dea966df38441bf4a0c89014e7d8e20c.dll
2⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\regsvr32mgr.exe
C:\Windows\SysWOW64\regsvr32mgr.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\SysWOW64\regsvr32Srv.exe
C:\Windows\SysWOW64\regsvr32Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1484

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2392 CREDAT:82945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
f7dcb24540769805e5bb30d193944dce

SHA1
e26c583c562293356794937d9e2e6155d15449ee

SHA256
6b88c6ac55bbd6fea0ebe5a760d1ad2cfce251c59d0151a1400701cb927e36ea

SHA512
cb5ad678b0ef642bf492f32079fe77e8be20c02de267f04b545df346b25f3e4eb98bb568c4c2c483bb88f7d1826863cb515b570d620766e52476c8ee2931ea94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
55205f68311ba681b087489576566937

SHA1
6365b0130e0cab1958461376ea7058b69a89740f

SHA256
e58e5259c4731c23c6ef713508e2df9162a19e82e36ce67056cc860ef5d1bc03

SHA512
06dceeb161f494f43572a5258d4c740382716adbe1374d9c9fac8143087e2ba7bfb808b05d7b922511ce42908b9c7b7a155536033efec7d74e8323ee2af72261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
55205f68311ba681b087489576566937

SHA1
6365b0130e0cab1958461376ea7058b69a89740f

SHA256
e58e5259c4731c23c6ef713508e2df9162a19e82e36ce67056cc860ef5d1bc03

SHA512
06dceeb161f494f43572a5258d4c740382716adbe1374d9c9fac8143087e2ba7bfb808b05d7b922511ce42908b9c7b7a155536033efec7d74e8323ee2af72261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
MD5
b1b5adac10b2dc5d3211741f35dd662c

SHA1
0d28907c2e10ce81212fe661d6f5bfbc5ba2ef84

SHA256
4dae164126eb92fde477ce4be3cf6142892ad00cae34aa15a0ea56772de60d3e

SHA512
7695c33f6b10e0af2894c05abc0de45c6ff0d912133da70ae0efbd125dfb90c480b67cf4e60f69eaa41f10e41dda9782e37896fbd2324d32ba4530431bd28ac1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
08c11f3023230707bda57a5ca1c103f4

SHA1
a9f4fb3760adc706867828de09cac966502ddf68

SHA256
af21f922384cbeab4daa74a7117870b6e0efac62b01b8790b70269248925f1a5

SHA512
2a6f9f409e53640e60ac8d4bc217b2a39dec29b059753d459f35424e6c5cb00da6493191e077560dceb1bd3603be13914ce8dd0be9292e760b40ab644b6f1a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
ecfde1b95003f003f9735091ce46f84f

SHA1
b3a2c106a16d82d23c26c6614e480df4d7d98851

SHA256
152a456009053349025517c1e8a89c23e23365c4ec03447380f4184982da111d

SHA512
32ac8e6fc4dadb7631f3ee28078aae4def944f8dd6742b7a03999ecbf36b286e433072e1da26214866cc841a8eade017bad133dd511c094ec61a89ebcffd5157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
ecfde1b95003f003f9735091ce46f84f

SHA1
b3a2c106a16d82d23c26c6614e480df4d7d98851

SHA256
152a456009053349025517c1e8a89c23e23365c4ec03447380f4184982da111d

SHA512
32ac8e6fc4dadb7631f3ee28078aae4def944f8dd6742b7a03999ecbf36b286e433072e1da26214866cc841a8eade017bad133dd511c094ec61a89ebcffd5157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4F45B28D-B682-11EB-A11C-E62B3DD6123B}.dat
MD5
bdf244c0cc3e2cc27fc198e4c6764364

SHA1
3103806acf3c8491e035c38288d3de188dfad112

SHA256
cd58c918c5235a40b27f0195c384804d488dd866efd7037eee7f9c6107b23130

SHA512
f27720629d8b7c2a287c34c0158004d1e749c7a12e9d0bb4689ae15399a13dfa1544fef5462f9a31fb6d776701c0063dc07daac24d62b54552be1a43c623c765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4F4A7708-B682-11EB-A11C-E62B3DD6123B}.dat
MD5
4fe6b0aebf6f9ca222421a556d856556

SHA1
ee85ca4409f3149fb3a8c3206c99d0c9aaa41534

SHA256
701e17bb4d2d73535b357ec36664f86d3c9525a54303db7206965b34bddcc862

SHA512
7bb52bf4043f75e91f32788557b6de39bdcebb7325651b19fa738734705c9dbe1d21f09797d942d3235ba99d1be642b2f305bd008683e054507c902f2b8465c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\3JTLKOLK.cookie
MD5
0e84dd130da4cff77efbdfb5895329ba

SHA1
3efaf8ef56bc963023cb0fa2fbc4c5c3bd32c51c

SHA256
d7cdd08a92d37d48a514794aa21afdc50bf8ac129849bf3e1dfdc07b67f6cce2

SHA512
6ed7f15edc0bbf2f9341e946e044c441e9a30d0c41e55a4965b96124d888c5bc2bc499bc4307097fae470be19b60d0c6e33fb724729dbe0076c0b001266aae51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\EPDIVR6W.cookie
MD5
10da4f3a65d8944cc7bb0df8358d278b

SHA1
e1fadc1ccb731b91e5e6d6879bda3623f5db3046

SHA256
956e56c7d05ea7a4a75c9df0e70d40baa000dbd8234f6916fcad85e1c0659bf2

SHA512
8f8eb5f773aa29ed9a566aea948131d44fe006dc14a686113317fe6169ebd10b08429f15ab239f31afe436ae28bbcc494264d616ad9452cf1148db9b75ec8d5b

Download Submit
C:\Windows\SysWOW64\regsvr32Srv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\regsvr32Srv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe
MD5
a61ea5f2325332c52bff5bce3d161336

SHA1
3a883b8241f5f2efaa76367240db800d78a0209c

SHA256
e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b

SHA512
fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe
MD5
a61ea5f2325332c52bff5bce3d161336

SHA1
3a883b8241f5f2efaa76367240db800d78a0209c

SHA256
e6f8a54ed663061527ab46b8e8efc2a0f3c99ae77829c0be0e50eb5b1b48415b

SHA512
fae031e0e7dcd719240bfe94a3f78d1aac73060324d5b65e0cbe564ce6d6781aaa5e930f0729293e3b502b7d07f53f3a72fb2048d44d93d36851aab8330479e5

Download Submit
memory/932-136-0x0000000000000000-mapping.dmp

Download
memory/1008-137-0x0000000000000000-mapping.dmp

Download
memory/1352-123-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1352-115-0x0000000000000000-mapping.dmp

Download
memory/1352-120-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1352-132-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1484-116-0x0000000000000000-mapping.dmp

Download
memory/1484-124-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/1484-131-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1908-122-0x0000000000000000-mapping.dmp

Download
memory/1908-128-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2204-134-0x00007FF88D720000-0x00007FF88D78B000-memory.dmp

Filesize
428KB

Download
memory/2204-126-0x0000000000000000-mapping.dmp

Download
memory/2392-135-0x00007FF88D720000-0x00007FF88D78B000-memory.dmp

Filesize
428KB

Download
memory/2392-130-0x0000000000000000-mapping.dmp

Download
memory/3672-114-0x0000000000000000-mapping.dmp

Download