ramnit | c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe

General

Target

c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Size

829KB
MD5

e0a867c1368e0a0f7cee9f9304826945
SHA1

f179c0b49d3d3705d99697702ac5383ba018f30a
SHA256

c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe
SHA512

ebee0a2f4ad1ee3b042befeb6f5351293fe7c376c2686c7ba0e2de9f5411532f20d0e9886c2254389b5cb51a1dcd75da56d1f61d78bbfe02239ec91fcb5c780e
SSDEEP

24576:Un+GIgqdJeXo7joesIeXE2zp8jvJUKGU99o:7OqdMXcTslE2zpSqKGUv

Score

10^/10

ramnit banker bootkit persistence spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exeDesktopLayer.exe

pid process

4868 c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe
2104 DesktopLayer.exe

pid	process
4868	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe
2104	DesktopLayer.exe

UPX packed file 34 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/4772-137-0x0000000000400000-0x0000000000CAF000-memory.dmp	upx
behavioral2/memory/4868-138-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2104-140-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral2/memory/2104-142-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4772-143-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-145-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-144-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-149-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-147-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-151-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-153-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-155-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-157-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-159-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-163-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-161-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-165-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-167-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-171-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-173-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-169-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-175-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-177-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-183-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-181-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-185-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-179-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-186-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4772-187-0x0000000000400000-0x0000000000CAF000-memory.dmp	upx
behavioral2/memory/4772-188-0x0000000010000000-0x000000001003E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe

description ioc process

File opened for modification \??\PhysicalDrive0 c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe

Drops file in Program Files directory 3 IoCs

Processes:

c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxEE6C.tmp	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "803424728"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998545"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "803424728"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "854831279"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376065127"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998545"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5AE38B4F-6C04-11ED-AECB-4A8324823CC0} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998545"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DesktopLayer.exe

pid	process
2104	DesktopLayer.exe
2104	DesktopLayer.exe
2104	DesktopLayer.exe
2104	DesktopLayer.exe
2104	DesktopLayer.exe
2104	DesktopLayer.exe
2104	DesktopLayer.exe
2104	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe

description	pid	process
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: 33	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
Token: SeIncBasePriorityPrivilege	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1372 iexplore.exe

pid	process
1372	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exeiexplore.exeIEXPLORE.EXE

pid	process
4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
1372	iexplore.exe
1372	iexplore.exe
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE
4280	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exec8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 4772 wrote to memory of 4868	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe
PID 4772 wrote to memory of 4868	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe
PID 4772 wrote to memory of 4868	4772	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe
PID 4868 wrote to memory of 2104	4868	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe	DesktopLayer.exe
PID 4868 wrote to memory of 2104	4868	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe	DesktopLayer.exe
PID 4868 wrote to memory of 2104	4868	c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe	DesktopLayer.exe
PID 2104 wrote to memory of 1372	2104	DesktopLayer.exe	iexplore.exe
PID 2104 wrote to memory of 1372	2104	DesktopLayer.exe	iexplore.exe
PID 1372 wrote to memory of 4280	1372	iexplore.exe	IEXPLORE.EXE
PID 1372 wrote to memory of 4280	1372	iexplore.exe	IEXPLORE.EXE
PID 1372 wrote to memory of 4280	1372	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe
"C:\Users\Admin\AppData\Local\Temp\c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbe.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe
C:\Users\Admin\AppData\Local\Temp\c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4868

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1372 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
870b615bd1f6e73bcd807d31b8678934

SHA1
6623daf15f495a66f0738c3c03bdbfd4bc7342d0

SHA256
186f4707b61526047271661adc8ffa8357d7a6ac36776d2c3bd1afad6a511fac

SHA512
774482b01beea35b1556a531dff40bbde7869225d9dbbde126b825b3bbc342e8529bcbb8f8c367251994ee6b28c41d33b2344bb6d03e82eae04bdee056b23c34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
b6dc883f471156cebff64c162fcf5147

SHA1
6bdd0710f8b91112eb24f99053c74acf66085c82

SHA256
f87c4fff8ba9fdb28ead785482ce69a09fa12a1b9a4786b700d97fa58b4fd922

SHA512
5a19fa0093d266c2d0feccd5457964a820e18c1fe1d99d20b049b72b7639470ca5ecc5bb21287f30406f1383996deba397d74ced5e4d086b6bbc6184b7dae811

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8b846efff2b4e197a98be1a4dc35117725ee905c0f5b7e22c87183ce67f6dbeSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2104-135-0x0000000000000000-mapping.dmp

Download
memory/2104-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2104-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4772-155-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-167-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-143-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-145-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-144-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-149-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-147-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-151-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-153-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-137-0x0000000000400000-0x0000000000CAF000-memory.dmp

Filesize
8.7MB

Download
memory/4772-157-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-159-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-163-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-161-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-165-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-188-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-171-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-173-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-169-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-175-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-177-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-183-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-181-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-185-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-179-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-186-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4772-187-0x0000000000400000-0x0000000000CAF000-memory.dmp

Filesize
8.7MB

Download
memory/4868-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4868-139-0x0000000000470000-0x000000000047F000-memory.dmp

Filesize
60KB

Download
memory/4868-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads