ramnit | 47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
14-07-2022 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5.exe
Size

3.4MB
MD5

c31d89828dd33b14e2c0c97075af2ed9
SHA1

1908bd082d0399dca6a21f3ce1779670a6b93726
SHA256

47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5
SHA512

be054a06528acf4219bec7036c7a26be15db8edc0ae4e41ac618d8f2cd4691db36c88563b1fe0d2bf9c8030cbdbbc8d912ffe305cbb5426dc96739defaf77c4a

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

Processes:

»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exeDesktopLayer.exe»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE

pid	process
4872	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
380	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe
4236	DesktopLayer.exe
3476	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe	upx
C:\Users\Admin\AppData\Local\Temp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/380-142-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4236-146-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5.exe»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE

pid	process
4260	47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5.exe
4260	47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5.exe
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE

Drops file in Program Files directory 3 IoCs

Processes:

»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px2D98.tmp	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "364563523"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0DBE8128-0369-11ED-A58B-76C19ED5575B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3851151027"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30971765"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3851151027"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4059900206"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30971765"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30971765"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

DesktopLayer.exe»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE

pid	process
4236	DesktopLayer.exe
4236	DesktopLayer.exe
4236	DesktopLayer.exe
4236	DesktopLayer.exe
4236	DesktopLayer.exe
4236	DesktopLayer.exe
4236	DesktopLayer.exe
4236	DesktopLayer.exe
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE

description	pid	process
Token: SeDebugPrivilege	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: SeLoadDriverPrivilege	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: SeCreateGlobalPrivilege	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: 33	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: SeSecurityPrivilege	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: SeTakeOwnershipPrivilege	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: SeManageVolumePrivilege	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: SeBackupPrivilege	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: SeCreatePagefilePrivilege	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: SeShutdownPrivilege	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: SeRestorePrivilege	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: 33	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Token: SeIncBasePriorityPrivilege	372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXEiexplore.exe

pid process

372 »Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
4692 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4692 iexplore.exe
4692 iexplore.exe
4616 IEXPLORE.EXE
4616 IEXPLORE.EXE
4616 IEXPLORE.EXE
4616 IEXPLORE.EXE

pid	process
372	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
4692	iexplore.exe

pid	process
4692	iexplore.exe
4692	iexplore.exe
4616	IEXPLORE.EXE
4616	IEXPLORE.EXE
4616	IEXPLORE.EXE
4616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5.exe»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exeDesktopLayer.exe»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXEiexplore.exe

description	pid	process	target process
PID 4260 wrote to memory of 4872	4260	47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5.exe	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
PID 4260 wrote to memory of 4872	4260	47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5.exe	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
PID 4260 wrote to memory of 4872	4260	47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5.exe	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
PID 4872 wrote to memory of 380	4872	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe
PID 4872 wrote to memory of 380	4872	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe
PID 4872 wrote to memory of 380	4872	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe
PID 380 wrote to memory of 4236	380	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe	DesktopLayer.exe
PID 380 wrote to memory of 4236	380	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe	DesktopLayer.exe
PID 380 wrote to memory of 4236	380	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe	DesktopLayer.exe
PID 4872 wrote to memory of 3476	4872	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
PID 4872 wrote to memory of 3476	4872	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
PID 4872 wrote to memory of 3476	4872	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
PID 4236 wrote to memory of 4692	4236	DesktopLayer.exe	iexplore.exe
PID 4236 wrote to memory of 4692	4236	DesktopLayer.exe	iexplore.exe
PID 3476 wrote to memory of 372	3476	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
PID 3476 wrote to memory of 372	3476	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
PID 3476 wrote to memory of 372	3476	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE	»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
PID 4692 wrote to memory of 4616	4692	iexplore.exe	IEXPLORE.EXE
PID 4692 wrote to memory of 4616	4692	iexplore.exe	IEXPLORE.EXE
PID 4692 wrote to memory of 4616	4692	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5.exe
"C:\Users\Admin\AppData\Local\Temp\47b13019ad68c21411b5a18a29f39ef821c71ea1158dc6ed1a11f58e9dd18ad5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4260

C:\Users\Admin\AppData\Local\Temp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
"C:\Users\Admin\AppData\Local\Temp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4872

C:\Users\Admin\AppData\Local\Temp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe
C:\Users\Admin\AppData\Local\Temp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:380

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4236

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4692

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:17410 /prefetch:2
6⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
"C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE" -ORIGIN:"C:\Users\Admin\AppData\Local\Temp\"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3476

C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\extracted\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\extracted\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE "C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\extracted\CET_TRAINER.CETRAINER" "-ORIGIN:C:\Users\Admin\AppData\Local\Temp\"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
4e64144e228300de42014cbc16141081

SHA1
a8f013082dc51a1e6ab624fdec2628b2ac4b9e7b

SHA256
94333b66fadfb3b501b8cf09acad2a37c7ccd4bac4fac50987e26b87da49b334

SHA512
024c8564ecc30be3458308e990afde66c7e945592c7624752740d8202bae451829f0859cb8d1032a09f57613b656324321a7260324000757062fa4d8c414452c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
127871925bec89ca61e178763db64e36

SHA1
f1fb2a4d897343fdf138b8f95a68645a52ad1e85

SHA256
341a83d1acb4ab563f7619c1353a5548008e6333b1904c3de0f83a812a59ac3d

SHA512
d91985f7341a74fb8a0f69bef025da24a539df76fab2a6b5b818eee52ed258513b138b7abfbb35edf3550fc45edf5ed81ed224f0eab5c4c752b67ba5ba11ecb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\CET_Archive.dat
Filesize
3.0MB

MD5
e0a1df7d2422c60a78c60997b7c3aaa1

SHA1
a0c4358cb38825793234ad86604371be9af40c34

SHA256
d15acfc18a772955c25e123505f3a12d4c001490a9ee4789c39ec72c4606bae4

SHA512
c1aa26a85d04866c86b67c6a3583adbca3a29d63d979f45cd8bc4a02ea4e36c7c935f5c72b010e81e3797e0709128723605ed20bceb6bf5bd2ee9dd5296c87e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\extracted\CET_TRAINER.CETRAINER
Filesize
24KB

MD5
6e82654c8612e4666fd16265635ecf46

SHA1
94b80347b1cb0b7b1c5a956e59b91030fe1bd582

SHA256
5ec5389d5e6282365278a298ad8994131b404e224bd61a8a597cc669fb9a65a3

SHA512
5a686ff519357e00834bfea05e86e7b5e710cf127c96d7b7209ecc15075476ed4c3442deaf44fc3889cea577db32f8f66d8e5f9c842097fc72c0a9b6676e99da

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\extracted\defines.lua
Filesize
3KB

MD5
1c08aaed49c4c67bd2bb3a235c720348

SHA1
ed1dad9db0270c072e5609c8a0b676f46ecc7f3e

SHA256
fb36305086e4458907a73ec270523db872d58e8772f2fa58271936f6bb727440

SHA512
47325bf6c272047b6daa6b0555236da14ff8d52a9e3e3a5f7398a1aea175de99ee42ca5c4e34da5601e58fb0e752fba772575a7e839f207c569f64a106a78e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\extracted\lua5.1-32.dll
Filesize
322KB

MD5
03c7c30bdad17e233843f61d46f22542

SHA1
aec92289caa4b1f085e37c9945fdc25882b338bf

SHA256
6720db08ff6ed24f9e6c3f2912fff2512a6904bdf68b946f85ae97a643630d41

SHA512
005e3421adf98dd4eec9a6ea4ed7ef11a3b1372d466d7ab7fa87ebcb37202c5ac223d42c367516ea505dd919afcdde160b9c4d09ad16334238680615e06b2052

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\extracted\lua5.1-32.dll
Filesize
322KB

MD5
03c7c30bdad17e233843f61d46f22542

SHA1
aec92289caa4b1f085e37c9945fdc25882b338bf

SHA256
6720db08ff6ed24f9e6c3f2912fff2512a6904bdf68b946f85ae97a643630d41

SHA512
005e3421adf98dd4eec9a6ea4ed7ef11a3b1372d466d7ab7fa87ebcb37202c5ac223d42c367516ea505dd919afcdde160b9c4d09ad16334238680615e06b2052

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\extracted\win32\dbghelp.dll
Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\extracted\win32\dbghelp.dll
Filesize
1.2MB

MD5
4003e34416ebd25e4c115d49dc15e1a7

SHA1
faf95ec65cde5bd833ce610bb8523363310ec4ad

SHA256
c06430b8cb025be506be50a756488e1bcc3827c4f45158d93e4e3eeb98ce1e4f

SHA512
88f5d417377cd62bde417640a79b6ac493e80f0c8b1f63a99378a2a67695ef8e4a541cedb91acfa296ed608e821fee466983806f0d082ed2e74b0cd93eb4fb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\extracted\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Filesize
6.4MB

MD5
566abf9c4c139fd55957f83001c70dbe

SHA1
9923cdfe31fd9fdbb792557eeeadda0b44877176

SHA256
d62f9bb29214d7230deb16f9e28095da46f4c3588ab980fdbd11542aba8ba693

SHA512
f64dfa3a0c397c34f71353691944a7cee869ecc55aff8ac021af890e3a76361a90fcd076d223b44ccf5307dedd01a3a23eab63abc19d339c5cfb61d8f32e527e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\extracted\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Filesize
6.4MB

MD5
566abf9c4c139fd55957f83001c70dbe

SHA1
9923cdfe31fd9fdbb792557eeeadda0b44877176

SHA256
d62f9bb29214d7230deb16f9e28095da46f4c3588ab980fdbd11542aba8ba693

SHA512
f64dfa3a0c397c34f71353691944a7cee869ecc55aff8ac021af890e3a76361a90fcd076d223b44ccf5307dedd01a3a23eab63abc19d339c5cfb61d8f32e527e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Filesize
188KB

MD5
00bb109abc3e80495c919241198352e6

SHA1
4b50b54af591836571fece5326b59456cd8264ad

SHA256
41f456c9bdbe7df6df63629d4bcee63ebff386d473a3cd9c2ef38bcd8e053171

SHA512
7fa4acfa825232cc72cb3bdbac01c0af2e61641ff62233403ed95511c436418f802aab897ae961e8a15ef460ff8b694e4996c8ab29f4552a3babb3a4995adeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\cetrainers\CET2CCD.tmp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Filesize
188KB

MD5
00bb109abc3e80495c919241198352e6

SHA1
4b50b54af591836571fece5326b59456cd8264ad

SHA256
41f456c9bdbe7df6df63629d4bcee63ebff386d473a3cd9c2ef38bcd8e053171

SHA512
7fa4acfa825232cc72cb3bdbac01c0af2e61641ff62233403ed95511c436418f802aab897ae961e8a15ef460ff8b694e4996c8ab29f4552a3babb3a4995adeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgAB0.tmp\AdvSplash.dll
Filesize
6KB

MD5
a1bba35c752b36f575350cb7ddf238e4

SHA1
9603b691ae71d4fbc7a14dbb837bd97cecac8aab

SHA256
0667863d71a3021ab844069b6dd0485f874bf638af478ab11c6fb8b7d6c834b6

SHA512
eb5d3498dd994bec42a437cf91343665d3c35bfe3f6277a7393af6a0b8348772c3166d9be48955edddf6ef79fa508ec8d4f96d7d5df37ecdc52c90042e0a2967

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgAB0.tmp\NSISdl.dll
Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Filesize
3.3MB

MD5
dbd8722b6329508711d88e40cfac71a2

SHA1
99c71e484c1a52bfa610be4da7062c2887433c5c

SHA256
2213f51b12cca2768bf62df3c3c9db126cd4147bc8a07ea0fd231b7abd72efdb

SHA512
20a4694fdd3f3edcdb833c56224419d103e592f9217ac64b934e6f9c744f1554f01abbd5193cf70ad90d1aebe5a97334606aef150317206e6a505545366864ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷.EXE
Filesize
3.3MB

MD5
dbd8722b6329508711d88e40cfac71a2

SHA1
99c71e484c1a52bfa610be4da7062c2887433c5c

SHA256
2213f51b12cca2768bf62df3c3c9db126cd4147bc8a07ea0fd231b7abd72efdb

SHA512
20a4694fdd3f3edcdb833c56224419d103e592f9217ac64b934e6f9c744f1554f01abbd5193cf70ad90d1aebe5a97334606aef150317206e6a505545366864ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\»Ê¼ÒËþ·À2ÐÞ¸ÄÆ÷Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/372-148-0x0000000000000000-mapping.dmp

Download
memory/380-136-0x0000000000000000-mapping.dmp

Download
memory/380-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3476-143-0x0000000000000000-mapping.dmp

Download
memory/4236-139-0x0000000000000000-mapping.dmp

Download
memory/4236-146-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4872-135-0x0000000000230000-0x000000000058D000-memory.dmp

Filesize
3.4MB

Download
memory/4872-157-0x0000000000230000-0x000000000058D000-memory.dmp

Filesize
3.4MB

Download
memory/4872-132-0x0000000000000000-mapping.dmp

Download