ramnit | d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db

Analysis

max time kernel
139s
max time network
213s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe
Size

111KB
MD5

df84ba3e887c3458a21c29063f01faa0
SHA1

cd1ced4d3296ffa57ecc911523dee8544bd23f7b
SHA256

d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db
SHA512

522753ea75048341dd36db7434fb98db5284026f7f92d5065373f729c19b28fb50aeaf2eddbfb66120e209eb0914705a9448309b354e7c7b47bef9c0d5d8b107
SSDEEP

3072:TROzoTq0+RO7IwnYePnIfKLyD23htKFHY6S:1kdNwBT/n3hwK6S

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 3 IoCs

Processes:

d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid process

1696 d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
588 DesktopLayer.exe
536 DesktopLayerSrv.exe

pid	process
1696	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
588	DesktopLayer.exe
536	DesktopLayerSrv.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1696-61-0x0000000000400000-0x000000000042E000-memory.dmp	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/516-64-0x0000000000400000-0x000000000043D000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
behavioral1/memory/588-74-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/536-75-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exeDesktopLayer.exe

pid	process
516	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe
516	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe
588	DesktopLayer.exe

Drops file in Program Files directory 9 IoCs

Processes:

DesktopLayer.exeDesktopLayerSrv.exed35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exed35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3600.tmp	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px35FF.tmp	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px36DA.tmp	DesktopLayerSrv.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376430290"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C19D841-6F56-11ED-A843-F2E527DE56F1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8C19FF51-6F56-11ED-A843-F2E527DE56F1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DesktopLayer.exeDesktopLayerSrv.exe

pid	process
588	DesktopLayer.exe
588	DesktopLayer.exe
588	DesktopLayer.exe
588	DesktopLayer.exe
536	DesktopLayerSrv.exe
536	DesktopLayerSrv.exe
536	DesktopLayerSrv.exe
536	DesktopLayerSrv.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

1652 iexplore.exe
1004 iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1652	iexplore.exe
1004	iexplore.exe
1652	iexplore.exe
1004	iexplore.exe
992	IEXPLORE.EXE
624	IEXPLORE.EXE
992	IEXPLORE.EXE
624	IEXPLORE.EXE
992	IEXPLORE.EXE
992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exeDesktopLayer.exeDesktopLayerSrv.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 516 wrote to memory of 1696	516	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
PID 516 wrote to memory of 1696	516	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
PID 516 wrote to memory of 1696	516	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
PID 516 wrote to memory of 1696	516	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
PID 516 wrote to memory of 588	516	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe	DesktopLayer.exe
PID 516 wrote to memory of 588	516	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe	DesktopLayer.exe
PID 516 wrote to memory of 588	516	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe	DesktopLayer.exe
PID 516 wrote to memory of 588	516	d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe	DesktopLayer.exe
PID 588 wrote to memory of 536	588	DesktopLayer.exe	DesktopLayerSrv.exe
PID 588 wrote to memory of 536	588	DesktopLayer.exe	DesktopLayerSrv.exe
PID 588 wrote to memory of 536	588	DesktopLayer.exe	DesktopLayerSrv.exe
PID 588 wrote to memory of 536	588	DesktopLayer.exe	DesktopLayerSrv.exe
PID 588 wrote to memory of 1004	588	DesktopLayer.exe	iexplore.exe
PID 588 wrote to memory of 1004	588	DesktopLayer.exe	iexplore.exe
PID 588 wrote to memory of 1004	588	DesktopLayer.exe	iexplore.exe
PID 588 wrote to memory of 1004	588	DesktopLayer.exe	iexplore.exe
PID 536 wrote to memory of 1652	536	DesktopLayerSrv.exe	iexplore.exe
PID 536 wrote to memory of 1652	536	DesktopLayerSrv.exe	iexplore.exe
PID 536 wrote to memory of 1652	536	DesktopLayerSrv.exe	iexplore.exe
PID 536 wrote to memory of 1652	536	DesktopLayerSrv.exe	iexplore.exe
PID 1004 wrote to memory of 624	1004	iexplore.exe	IEXPLORE.EXE
PID 1004 wrote to memory of 624	1004	iexplore.exe	IEXPLORE.EXE
PID 1004 wrote to memory of 624	1004	iexplore.exe	IEXPLORE.EXE
PID 1004 wrote to memory of 624	1004	iexplore.exe	IEXPLORE.EXE
PID 1652 wrote to memory of 992	1652	iexplore.exe	IEXPLORE.EXE
PID 1652 wrote to memory of 992	1652	iexplore.exe	IEXPLORE.EXE
PID 1652 wrote to memory of 992	1652	iexplore.exe	IEXPLORE.EXE
PID 1652 wrote to memory of 992	1652	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe
"C:\Users\Admin\AppData\Local\Temp\d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:516

C:\Users\Admin\AppData\Local\Temp\d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
C:\Users\Admin\AppData\Local\Temp\d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1696

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:588

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1652 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1004 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
111KB

MD5
df84ba3e887c3458a21c29063f01faa0

SHA1
cd1ced4d3296ffa57ecc911523dee8544bd23f7b

SHA256
d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db

SHA512
522753ea75048341dd36db7434fb98db5284026f7f92d5065373f729c19b28fb50aeaf2eddbfb66120e209eb0914705a9448309b354e7c7b47bef9c0d5d8b107

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
111KB

MD5
df84ba3e887c3458a21c29063f01faa0

SHA1
cd1ced4d3296ffa57ecc911523dee8544bd23f7b

SHA256
d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db

SHA512
522753ea75048341dd36db7434fb98db5284026f7f92d5065373f729c19b28fb50aeaf2eddbfb66120e209eb0914705a9448309b354e7c7b47bef9c0d5d8b107

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
111KB

MD5
df84ba3e887c3458a21c29063f01faa0

SHA1
cd1ced4d3296ffa57ecc911523dee8544bd23f7b

SHA256
d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db

SHA512
522753ea75048341dd36db7434fb98db5284026f7f92d5065373f729c19b28fb50aeaf2eddbfb66120e209eb0914705a9448309b354e7c7b47bef9c0d5d8b107

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8C19D841-6F56-11ED-A843-F2E527DE56F1}.dat
Filesize
3KB

MD5
7e404e63406004032053419b883b891e

SHA1
e195d19667d5f7328c8300952081670a3399c5e8

SHA256
964cbe2b2f5505c480806e2323eb153f54d599dd52cb5d2a4e9200eda7c62a56

SHA512
f22076c8705df3007d03b7072e4f643b9fb15a9e8e1b9b859d1031a5c4386065e264acb523e21408ea1a8b3acc67accc90252715a4d01351c51b85f5abdb2447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8C19FF51-6F56-11ED-A843-F2E527DE56F1}.dat
Filesize
3KB

MD5
6501fda3dd534eccda3cc14ed2f3b99b

SHA1
dd7280759b46dfef1df69eaba42be2b0e5e450e7

SHA256
402b6caf16f39e04ee2fa23ec59900ac9c152d8049ffe96f9db0e6b99ac6128f

SHA512
f816da411fcc88982e206b2edf425879d23f02803075615ba7b8cc71386ba796c9aa00fa018f633e2e267b0a9cd19a74ed30283b18036c55e565f9dbc4aa1d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\72C5I2BZ.txt
Filesize
608B

MD5
26bff1968b1807af84e98f91b887f328

SHA1
0da7439aa4e05bd7cbc77270fed1b97db0a4612f

SHA256
9e5e9480e7a074c9e5cc3c01cfe7cdcbc60b3d22563f1a53eec15f85eba44ae8

SHA512
31c19c4bd96a951c55f472730dcb098f8cb779fb691addd442a46f482ae6b5aa32e9678667ae5c8c43cb66340a37d7b3ac8820d9aaa05e806804757557e335a2

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
111KB

MD5
df84ba3e887c3458a21c29063f01faa0

SHA1
cd1ced4d3296ffa57ecc911523dee8544bd23f7b

SHA256
d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3db

SHA512
522753ea75048341dd36db7434fb98db5284026f7f92d5065373f729c19b28fb50aeaf2eddbfb66120e209eb0914705a9448309b354e7c7b47bef9c0d5d8b107

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\d35fd7563c9934bb3af410bd31c388519af1aedba014b3c1f4a4e7efc581a3dbSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/516-54-0x0000000075A31000-0x0000000075A33000-memory.dmp

Filesize
8KB

Download
memory/516-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/516-68-0x0000000001B60000-0x0000000001B8E000-memory.dmp

Filesize
184KB

Download
memory/536-75-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/536-69-0x0000000000000000-mapping.dmp

Download
memory/588-63-0x0000000000000000-mapping.dmp

Download
memory/588-74-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1696-56-0x0000000000000000-mapping.dmp

Download
memory/1696-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download