ramnit | bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90

General

Target

bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
Size

149KB
MD5

47c116db3f0e5d536352aaecbbc7d6b6
SHA1

9aab8a86b946ba6eaf513206e1c594fda27ae646
SHA256

bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90
SHA512

82d6325993b4bbddf1c1db66d47de0430ad67338303708889fe0914aec6259579501c5b5ca0ad8cd18262d8a722f327ded0ad62a8c4559b8293cfaee3ab03aad

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exeDesktopLayer.exe

pid process

2584 bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe
3044 DesktopLayer.exe

pid	process
2584	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe
3044	DesktopLayer.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/2584-127-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2524-129-0x0000000003190000-0x000000000319B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px88CD.tmp	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2126762558"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30914986"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A9D26368-259D-11EC-AF2E-C21CE4F78BE2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "340193531"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30914986"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30914986"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "340176938"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2122543513"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2122543513"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2126762558"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30914986"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "340225523"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DesktopLayer.exebd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe

pid	process
3044	DesktopLayer.exe
3044	DesktopLayer.exe
3044	DesktopLayer.exe
3044	DesktopLayer.exe
3044	DesktopLayer.exe
3044	DesktopLayer.exe
3044	DesktopLayer.exe
3044	DesktopLayer.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

2128 iexplore.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2128 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2128 iexplore.exe
2128 iexplore.exe
4076 IEXPLORE.EXE
4076 IEXPLORE.EXE
4076 IEXPLORE.EXE
4076 IEXPLORE.EXE

pid	process
2128	iexplore.exe

pid	process
2128	iexplore.exe

pid	process
2128	iexplore.exe
2128	iexplore.exe
4076	IEXPLORE.EXE
4076	IEXPLORE.EXE
4076	IEXPLORE.EXE
4076	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exebd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 2524 wrote to memory of 2584	2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe
PID 2524 wrote to memory of 2584	2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe
PID 2524 wrote to memory of 2584	2524	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe
PID 2584 wrote to memory of 3044	2584	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe	DesktopLayer.exe
PID 2584 wrote to memory of 3044	2584	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe	DesktopLayer.exe
PID 2584 wrote to memory of 3044	2584	bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe	DesktopLayer.exe
PID 3044 wrote to memory of 2128	3044	DesktopLayer.exe	iexplore.exe
PID 3044 wrote to memory of 2128	3044	DesktopLayer.exe	iexplore.exe
PID 2128 wrote to memory of 4076	2128	iexplore.exe	IEXPLORE.EXE
PID 2128 wrote to memory of 4076	2128	iexplore.exe	IEXPLORE.EXE
PID 2128 wrote to memory of 4076	2128	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe
"C:\Users\Admin\AppData\Local\Temp\bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Local\Temp\bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe
C:\Users\Admin\AppData\Local\Temp\bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2584

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:82945 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
46cbd0a3d1e70a49db77aa1a79dea093

SHA1
e7ee6492153fcb7477c0512e14e923532940e066

SHA256
678c0747c7616857ed9abc64fa182ae2ff649167f322a11299b1119947f2f651

SHA512
8e11310cb6ea27c0aed73c29293fc3336e5445391063bc7e5a8b0443784a5a9919786386d950bdfe6f4e9cefb83f44a0ebeb400ddb1ed2ced0e16274f691784b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
1eb65d959ac12eadc1c58a27926bdc3a

SHA1
7ce4b730b91365588f9543a0db21f058c4f3230e

SHA256
ec0c42aab38410866710dec88614ec5e996fdea057a9b1d468d9ebafc8177c3b

SHA512
178d364778343eea198b147fe467d1a572bed377575966375c36e76320957c244ba5656ca314f3c172d5f933dfa352a874d2b458e09f3456a85143eeb97b9f8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\O23WODA1.cookie
MD5
42b4c3ec2bebdef1cf9748ba1035fffd

SHA1
8f4a09daff20009297e352b7236c4d42b5cb9415

SHA256
65f930901b84124ec345a58abfd448c21527b64044ca0b3aa7d30e8846e3fcd1

SHA512
73bfedae37a9368c81b5c4ece3b99aca1a8b1b3f4e1706a1b415a910c3050ae0aae3d6af9abf6ef587666dfbd649dba334a4eab343a50b2585d062ecf7b5f472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\XFP2F2NG.cookie
MD5
dc086b6c9beba3f4fbde857660646548

SHA1
a9c27faea816477201dbecc791fd65f959c7cfe5

SHA256
8edca6ee29d4e82c6bda49fcfd153af9ed2f18917144806c69ee595c8ec0f109

SHA512
dcede60dabd6803b26c780125af1e0150c7023160e27f7f2dec852126a030323d336e76ee7a44a02441c3c5cd54ca66b565dfe92c0ec957805330adce16706de

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd5f19d54c0d5de713d609653e64116e07af8037a322f803850c9cb1e6a03c90Srv.exe
MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2128-124-0x0000000000000000-mapping.dmp

Download
memory/2128-125-0x00007FFFA03D0000-0x00007FFFA043B000-memory.dmp

Filesize
428KB

Download
memory/2524-117-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2524-129-0x0000000003190000-0x000000000319B000-memory.dmp

Filesize
44KB

Download
memory/2584-126-0x00000000001E0000-0x00000000001EF000-memory.dmp

Filesize
60KB

Download
memory/2584-127-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2584-115-0x0000000000000000-mapping.dmp

Download
memory/3044-120-0x0000000000000000-mapping.dmp

Download
memory/3044-123-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4076-128-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads