ramnit | 89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd

Analysis

max time kernel
106s
max time network
142s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe
Size

111KB
MD5

325f3c45070a354fa6353d97f7b3cd80
SHA1

e204794630b2a3aec9dc9b9e970a2ea3779d6fc4
SHA256

89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd
SHA512

96df4c15a822d1d7afd5a793dc3421695925cc02332471c39aefe3d870fcc75dc861d8c71f65fc690b71577fe51239af33d8abc16f73c3bf488e88d4b406d1ae
SSDEEP

3072:HROzoTq0+RO7IwnYi1g8Q4+BEWpSvSZad9g:xkdNwB454+mWpSvyU9

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 4 IoCs

pid	Process
1884	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe
1004	DesktopLayer.exe
2024	DesktopLayerSrv.exe
1720	DesktopLayer.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00140000000054ab-57.dat	upx
behavioral1/files/0x00140000000054ab-55.dat	upx
behavioral1/files/0x000a0000000122e9-58.dat	upx
behavioral1/files/0x00140000000054ab-64.dat	upx
behavioral1/files/0x000a0000000122e9-62.dat	upx
behavioral1/memory/864-61-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1884-65-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x00090000000122ea-66.dat	upx
behavioral1/memory/1004-69-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/files/0x000a0000000122e9-68.dat	upx
behavioral1/files/0x00090000000122ea-70.dat	upx
behavioral1/files/0x00090000000122ea-72.dat	upx
behavioral1/files/0x000a0000000122e9-73.dat	upx
behavioral1/files/0x000a0000000122e9-76.dat	upx
behavioral1/memory/2024-75-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000a0000000122e9-78.dat	upx
behavioral1/memory/1720-79-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
864	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe
864	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe
1004	DesktopLayer.exe
2024	DesktopLayerSrv.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE8CA.tmp	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE763.tmp	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxE7F0.tmp	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371622318"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{20A3FA91-439C-11ED-9AD4-7A3897842414} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{20CBA6D1-439C-11ED-9AD4-7A3897842414} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1884	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe
1884	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe
1884	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe
1884	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe
1004	DesktopLayer.exe
1004	DesktopLayer.exe
1004	DesktopLayer.exe
1004	DesktopLayer.exe
1720	DesktopLayer.exe
1720	DesktopLayer.exe
1720	DesktopLayer.exe
1720	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1740	iexplore.exe
2044	iexplore.exe
1052	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2044	iexplore.exe
2044	iexplore.exe
1740	iexplore.exe
1740	iexplore.exe
1052	iexplore.exe
1052	iexplore.exe
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
1180	IEXPLORE.EXE
1180	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 1884	864	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe	28
PID 864 wrote to memory of 1884	864	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe	28
PID 864 wrote to memory of 1884	864	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe	28
PID 864 wrote to memory of 1884	864	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe	28
PID 864 wrote to memory of 1004	864	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe	29
PID 864 wrote to memory of 1004	864	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe	29
PID 864 wrote to memory of 1004	864	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe	29
PID 864 wrote to memory of 1004	864	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe	29
PID 1884 wrote to memory of 1740	1884	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe	30
PID 1884 wrote to memory of 1740	1884	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe	30
PID 1884 wrote to memory of 1740	1884	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe	30
PID 1884 wrote to memory of 1740	1884	89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe	30
PID 1004 wrote to memory of 2024	1004	DesktopLayer.exe	31
PID 1004 wrote to memory of 2024	1004	DesktopLayer.exe	31
PID 1004 wrote to memory of 2024	1004	DesktopLayer.exe	31
PID 1004 wrote to memory of 2024	1004	DesktopLayer.exe	31
PID 1004 wrote to memory of 2044	1004	DesktopLayer.exe	32
PID 1004 wrote to memory of 2044	1004	DesktopLayer.exe	32
PID 1004 wrote to memory of 2044	1004	DesktopLayer.exe	32
PID 1004 wrote to memory of 2044	1004	DesktopLayer.exe	32
PID 2024 wrote to memory of 1720	2024	DesktopLayerSrv.exe	33
PID 2024 wrote to memory of 1720	2024	DesktopLayerSrv.exe	33
PID 2024 wrote to memory of 1720	2024	DesktopLayerSrv.exe	33
PID 2024 wrote to memory of 1720	2024	DesktopLayerSrv.exe	33
PID 1720 wrote to memory of 1052	1720	DesktopLayer.exe	34
PID 1720 wrote to memory of 1052	1720	DesktopLayer.exe	34
PID 1720 wrote to memory of 1052	1720	DesktopLayer.exe	34
PID 1720 wrote to memory of 1052	1720	DesktopLayer.exe	34
PID 2044 wrote to memory of 1368	2044	iexplore.exe	36
PID 2044 wrote to memory of 1368	2044	iexplore.exe	36
PID 2044 wrote to memory of 1368	2044	iexplore.exe	36
PID 2044 wrote to memory of 1368	2044	iexplore.exe	36
PID 1740 wrote to memory of 1932	1740	iexplore.exe	37
PID 1740 wrote to memory of 1932	1740	iexplore.exe	37
PID 1740 wrote to memory of 1932	1740	iexplore.exe	37
PID 1740 wrote to memory of 1932	1740	iexplore.exe	37
PID 1052 wrote to memory of 1180	1052	iexplore.exe	38
PID 1052 wrote to memory of 1180	1052	iexplore.exe	38
PID 1052 wrote to memory of 1180	1052	iexplore.exe	38
PID 1052 wrote to memory of 1180	1052	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe
"C:\Users\Admin\AppData\Local\Temp\89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe
  C:\Users\Admin\AppData\Local\Temp\89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1932
- C:\Program Files (x86)\Microsoft\DesktopLayer.exe
  "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1720
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1052
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1052 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1180
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
111KB

MD5
325f3c45070a354fa6353d97f7b3cd80

SHA1
e204794630b2a3aec9dc9b9e970a2ea3779d6fc4

SHA256
89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd

SHA512
96df4c15a822d1d7afd5a793dc3421695925cc02332471c39aefe3d870fcc75dc861d8c71f65fc690b71577fe51239af33d8abc16f73c3bf488e88d4b406d1ae

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
111KB

MD5
325f3c45070a354fa6353d97f7b3cd80

SHA1
e204794630b2a3aec9dc9b9e970a2ea3779d6fc4

SHA256
89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd

SHA512
96df4c15a822d1d7afd5a793dc3421695925cc02332471c39aefe3d870fcc75dc861d8c71f65fc690b71577fe51239af33d8abc16f73c3bf488e88d4b406d1ae

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
42bacbdf56184c2fa5fe6770857e2c2d

SHA1
521a63ee9ce2f615eda692c382b16fc1b1d57cac

SHA256
d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

SHA512
0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
42bacbdf56184c2fa5fe6770857e2c2d

SHA1
521a63ee9ce2f615eda692c382b16fc1b1d57cac

SHA256
d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

SHA512
0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
55KB

MD5
42bacbdf56184c2fa5fe6770857e2c2d

SHA1
521a63ee9ce2f615eda692c382b16fc1b1d57cac

SHA256
d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

SHA512
0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
55KB

MD5
42bacbdf56184c2fa5fe6770857e2c2d

SHA1
521a63ee9ce2f615eda692c382b16fc1b1d57cac

SHA256
d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

SHA512
0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{20A002F1-439C-11ED-9AD4-7A3897842414}.dat

Filesize
3KB

MD5
e4b2f0433e60d4562ce7f7eb678c1b9f

SHA1
b263d266e5fdb055a759f6a6bbc3d71d290ae5f0

SHA256
a7c28103602fc6ee38206d03ccb3ae765049c0a69e7f475e25349e936121edf3

SHA512
141da7017c4316b2d154e731bc4e933f70ecc60b36f99a832e81f156c3919bc0e8b280dc271454faa5bcc8c32e68a2a1c9c19de457e11f7d3e5b040fd73e4e07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{20A002F1-439C-11ED-9AD4-7A3897842414}.dat

Filesize
5KB

MD5
9feafabdbaa6963fe10c85c6b3dc0d64

SHA1
64d70c4ab2e8634a40e29f1beec127f24a1675e5

SHA256
613dc16dbae53842cd4f33104a508286b958b37d58e1c1f03496aba746d6fc1b

SHA512
2eaf55093e8ebd0bf22a67a0e6de354ebb92694dcb31a8cbc60c018c9887743ae19180358d41fd7ffb80dfc8c5341b9b568fc5d5f536f1a0a54b591114c23414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{20A3FA91-439C-11ED-9AD4-7A3897842414}.dat

Filesize
3KB

MD5
c931bfbdbb25cb9cd0544fbf42a7bbce

SHA1
4538f9a951aaedd02e79f5088d952ab4d7965996

SHA256
f56059c2497342f0e6b1ba8ba3150d211544ac40b9c4d13b6cf13f103dc759f8

SHA512
c5e2898fbb1de0d4ed92da3224541ca91381254a04f587d497db0fb541d38a4a423ce90490fdaa0dad4d2d18f14608286a0496b5337cb50475262ccc0f30ac60

Download Submit
C:\Users\Admin\AppData\Local\Temp\89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe

Filesize
55KB

MD5
42bacbdf56184c2fa5fe6770857e2c2d

SHA1
521a63ee9ce2f615eda692c382b16fc1b1d57cac

SHA256
d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

SHA512
0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe

Filesize
55KB

MD5
42bacbdf56184c2fa5fe6770857e2c2d

SHA1
521a63ee9ce2f615eda692c382b16fc1b1d57cac

SHA256
d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

SHA512
0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\16NUCBFB.txt

Filesize
603B

MD5
db6bda49009eb86d429f99bcd01391eb

SHA1
71cc73a2525d14acf4feb56e4033457b853facd1

SHA256
9e2fa2e298342c502da3dad16c6f06cb3b035ef4b68db14cd06f1f94d1164e90

SHA512
b96e31929f75b56cb8f8aeca447c328b794627ebcdab6374ae569dae1805382db47a9e94b389952d0365e640f8d6a0d04c2a7c1a975e9ae87d03331de51ee152

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
111KB

MD5
325f3c45070a354fa6353d97f7b3cd80

SHA1
e204794630b2a3aec9dc9b9e970a2ea3779d6fc4

SHA256
89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efd

SHA512
96df4c15a822d1d7afd5a793dc3421695925cc02332471c39aefe3d870fcc75dc861d8c71f65fc690b71577fe51239af33d8abc16f73c3bf488e88d4b406d1ae

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
42bacbdf56184c2fa5fe6770857e2c2d

SHA1
521a63ee9ce2f615eda692c382b16fc1b1d57cac

SHA256
d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

SHA512
0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

Filesize
55KB

MD5
42bacbdf56184c2fa5fe6770857e2c2d

SHA1
521a63ee9ce2f615eda692c382b16fc1b1d57cac

SHA256
d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

SHA512
0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

Download Submit
\Users\Admin\AppData\Local\Temp\89334f117663ce148c0094a998b8227f53e95227d72f2ed58538860ea9db8efdSrv.exe

Filesize
55KB

MD5
42bacbdf56184c2fa5fe6770857e2c2d

SHA1
521a63ee9ce2f615eda692c382b16fc1b1d57cac

SHA256
d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

SHA512
0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

Download Submit
memory/864-61-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/864-54-0x0000000076321000-0x0000000076323000-memory.dmp

Filesize
8KB

Download
memory/1004-69-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1720-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1884-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2024-75-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download