gh0strat | 20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75

General

Target

20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
Size

260KB
MD5

27fe3482f2f12435310a3c84544f4f0b
SHA1

dcef2cd3c551bf22b748556d7cdcd439a6cc5274
SHA256

20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75
SHA512

2324d9e10f410c3573d99dcdf3daf0960965e0e09a5134d21ad25e9cf6d0f91919e38cf37513b27baa25c3ade79825096dd88c50dfa5ddb82ff8ed36c32b2c48

Score

10^/10

gh0strat ramnit banker rat spyware stealer trojan upx worm

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1792-67-0x0000000000400000-0x0000000000442000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exeDesktopLayer.exe

pid process

1016 20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe
1200 DesktopLayer.exe

pid	process
1016	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe
1200	DesktopLayer.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1016-63-0x0000000000400000-0x0000000000435000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1200-70-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1200-71-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Loads dropped DLL 2 IoCs

Processes:

20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe

pid	process
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1016	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe

Drops file in Program Files directory 3 IoCs

Processes:

20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px926.tmp	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3149EDB0-EA95-11EC-B0ED-C2F2D41BD72F} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "361833689"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exeDesktopLayer.exe

pid	process
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1200	DesktopLayer.exe
1200	DesktopLayer.exe
1200	DesktopLayer.exe
1200	DesktopLayer.exe

Suspicious behavior: MapViewOfSection 23 IoCs

Processes:

20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe

pid	process
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe

pid process

1792 20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe

description pid process

Token: SeDebugPrivilege 1792 20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2020 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2020 iexplore.exe
2020 iexplore.exe
544 IEXPLORE.EXE
544 IEXPLORE.EXE
544 IEXPLORE.EXE
544 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe

pid	process
2020	iexplore.exe

pid	process
2020	iexplore.exe
2020	iexplore.exe
544	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE
544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe

description	pid	process	target process
PID 1792 wrote to memory of 1016	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe
PID 1792 wrote to memory of 1016	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe
PID 1792 wrote to memory of 1016	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe
PID 1792 wrote to memory of 1016	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe
PID 1792 wrote to memory of 372	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	wininit.exe
PID 1792 wrote to memory of 372	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	wininit.exe
PID 1792 wrote to memory of 372	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	wininit.exe
PID 1792 wrote to memory of 372	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	wininit.exe
PID 1792 wrote to memory of 372	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	wininit.exe
PID 1792 wrote to memory of 372	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	wininit.exe
PID 1792 wrote to memory of 372	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	wininit.exe
PID 1792 wrote to memory of 384	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	csrss.exe
PID 1792 wrote to memory of 384	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	csrss.exe
PID 1792 wrote to memory of 384	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	csrss.exe
PID 1792 wrote to memory of 384	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	csrss.exe
PID 1792 wrote to memory of 384	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	csrss.exe
PID 1792 wrote to memory of 384	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	csrss.exe
PID 1792 wrote to memory of 384	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	csrss.exe
PID 1792 wrote to memory of 420	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	winlogon.exe
PID 1792 wrote to memory of 420	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	winlogon.exe
PID 1792 wrote to memory of 420	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	winlogon.exe
PID 1792 wrote to memory of 420	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	winlogon.exe
PID 1792 wrote to memory of 420	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	winlogon.exe
PID 1792 wrote to memory of 420	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	winlogon.exe
PID 1792 wrote to memory of 420	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	winlogon.exe
PID 1792 wrote to memory of 464	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	services.exe
PID 1792 wrote to memory of 464	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	services.exe
PID 1792 wrote to memory of 464	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	services.exe
PID 1792 wrote to memory of 464	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	services.exe
PID 1792 wrote to memory of 464	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	services.exe
PID 1792 wrote to memory of 464	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	services.exe
PID 1792 wrote to memory of 464	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	services.exe
PID 1792 wrote to memory of 480	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsass.exe
PID 1792 wrote to memory of 480	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsass.exe
PID 1792 wrote to memory of 480	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsass.exe
PID 1792 wrote to memory of 480	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsass.exe
PID 1792 wrote to memory of 480	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsass.exe
PID 1792 wrote to memory of 480	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsass.exe
PID 1792 wrote to memory of 480	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsass.exe
PID 1792 wrote to memory of 488	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsm.exe
PID 1792 wrote to memory of 488	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsm.exe
PID 1792 wrote to memory of 488	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsm.exe
PID 1792 wrote to memory of 488	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsm.exe
PID 1792 wrote to memory of 488	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsm.exe
PID 1792 wrote to memory of 488	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsm.exe
PID 1792 wrote to memory of 488	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	lsm.exe
PID 1792 wrote to memory of 604	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 604	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 604	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 604	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 604	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 604	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 604	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 680	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 680	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 680	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 680	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 680	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 680	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 680	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 764	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 764	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 764	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe
PID 1792 wrote to memory of 764	1792	20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe
"C:\Users\Admin\AppData\Local\Temp\20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe
C:\Users\Admin\AppData\Local\Temp\20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1016

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:544

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:1932

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1652

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
1⤵
PID:1748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
1⤵
PID:1732

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1184

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1080

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
1⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
1⤵
PID:856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
PID:816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:604

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
84KB

MD5
5cdc5ad14f0f7476711d2ab65607fe5b

SHA1
d03fa4a202afc929725f969471a8c1d5943fd12a

SHA256
4e7d57da4995611e1451846e7a08017a4fbca09215a31707d6ac2957b71f5a97

SHA512
b0a0c1367efcd37c827306ca5ebad1cd6fca695d12746df1686a3f9ee1d59698ef82ba98b5e697f311168a63533d7046729eae921ce177213183253ea815a9a2

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
84KB

MD5
5cdc5ad14f0f7476711d2ab65607fe5b

SHA1
d03fa4a202afc929725f969471a8c1d5943fd12a

SHA256
4e7d57da4995611e1451846e7a08017a4fbca09215a31707d6ac2957b71f5a97

SHA512
b0a0c1367efcd37c827306ca5ebad1cd6fca695d12746df1686a3f9ee1d59698ef82ba98b5e697f311168a63533d7046729eae921ce177213183253ea815a9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe

Filesize
84KB

MD5
5cdc5ad14f0f7476711d2ab65607fe5b

SHA1
d03fa4a202afc929725f969471a8c1d5943fd12a

SHA256
4e7d57da4995611e1451846e7a08017a4fbca09215a31707d6ac2957b71f5a97

SHA512
b0a0c1367efcd37c827306ca5ebad1cd6fca695d12746df1686a3f9ee1d59698ef82ba98b5e697f311168a63533d7046729eae921ce177213183253ea815a9a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe

Filesize
84KB

MD5
5cdc5ad14f0f7476711d2ab65607fe5b

SHA1
d03fa4a202afc929725f969471a8c1d5943fd12a

SHA256
4e7d57da4995611e1451846e7a08017a4fbca09215a31707d6ac2957b71f5a97

SHA512
b0a0c1367efcd37c827306ca5ebad1cd6fca695d12746df1686a3f9ee1d59698ef82ba98b5e697f311168a63533d7046729eae921ce177213183253ea815a9a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7AZV37Q6.txt

Filesize
599B

MD5
a27f6a6e5faa25a49223aa5c4325174d

SHA1
a99a8083bbe97c0eed4eec7e04cf61d7f28cbb59

SHA256
223c3c53056437c2b1159eb04d549b225bd3f634d4522e9149f165987e2d19ee

SHA512
ddf839236028c4f0aa07f9d929fd0563566b78f2c624a8ddfa51701ae40a3da028ed09398b7218210465c3f2c95b58256a198c6f0cac252ee092ee33703fe7e6

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
84KB

MD5
5cdc5ad14f0f7476711d2ab65607fe5b

SHA1
d03fa4a202afc929725f969471a8c1d5943fd12a

SHA256
4e7d57da4995611e1451846e7a08017a4fbca09215a31707d6ac2957b71f5a97

SHA512
b0a0c1367efcd37c827306ca5ebad1cd6fca695d12746df1686a3f9ee1d59698ef82ba98b5e697f311168a63533d7046729eae921ce177213183253ea815a9a2

Download Submit
\Users\Admin\AppData\Local\Temp\20105bd3112e1467d5081400343a6c4baa915c12012db77fadddd5a84e7a0b75Srv.exe

Filesize
84KB

MD5
5cdc5ad14f0f7476711d2ab65607fe5b

SHA1
d03fa4a202afc929725f969471a8c1d5943fd12a

SHA256
4e7d57da4995611e1451846e7a08017a4fbca09215a31707d6ac2957b71f5a97

SHA512
b0a0c1367efcd37c827306ca5ebad1cd6fca695d12746df1686a3f9ee1d59698ef82ba98b5e697f311168a63533d7046729eae921ce177213183253ea815a9a2

Download Submit
memory/1016-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1016-56-0x0000000000000000-mapping.dmp

Download
memory/1016-66-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1200-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-69-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/1200-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1200-61-0x0000000000000000-mapping.dmp

Download
memory/1792-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1792-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1792-68-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads