ramnit | 3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc

Analysis

max time kernel
106s
max time network
154s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
Size

111KB
MD5

db7063dd41623179399e9508beb287e8
SHA1

4c7af2ca9eb7ad2c3fadaaa1a988767efb274c27
SHA256

3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc
SHA512

d41a086b1f521c0c57e23dd1bcf6e42b35d1c4e43132ad3f01783b1d5870b2eca22e9362c826dfb2b8f536a0307e01ca67aabf49e09c92ca7b8523616b457089
SSDEEP

1536:4+hzRsibKplyXTq8OGRnsPFG+RODTb7MXL5uXZnzEL9juPctT80YfIng1/Aum6ci:TROzoTq0+RO7IwnYthd80SoP3CCneB

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 3 IoCs

Processes:

3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid process

840 3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
1464 DesktopLayer.exe
1040 DesktopLayerSrv.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe	upx
C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe	upx
\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/840-64-0x0000000000400000-0x000000000042E000-memory.dmp	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
behavioral1/memory/1252-62-0x0000000000400000-0x000000000043D000-memory.dmp	upx
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayer.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	upx
behavioral1/memory/1040-73-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1464-72-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Loads dropped DLL 3 IoCs

Processes:

3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exeDesktopLayer.exe

pid	process
1252	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
1252	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
1464	DesktopLayer.exe

Drops file in Program Files directory 8 IoCs

Processes:

DesktopLayerSrv.exe3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exeDesktopLayer.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px31FA.tmp	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3238.tmp	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3370.tmp	DesktopLayerSrv.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376429496"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B52BBD41-6F54-11ED-9D78-7225AF48583A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B51ACD51-6F54-11ED-9D78-7225AF48583A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exeDesktopLayer.exeDesktopLayerSrv.exe

pid	process
840	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
840	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
840	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
840	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
1464	DesktopLayer.exe
1464	DesktopLayer.exe
1464	DesktopLayer.exe
1464	DesktopLayer.exe
1040	DesktopLayerSrv.exe
1040	DesktopLayerSrv.exe
1040	DesktopLayerSrv.exe
1040	DesktopLayerSrv.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exe

pid process

1744 iexplore.exe
596 iexplore.exe
1056 iexplore.exe

pid	process
1744	iexplore.exe
596	iexplore.exe
1056	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1056	iexplore.exe
1056	iexplore.exe
1744	iexplore.exe
1744	iexplore.exe
596	iexplore.exe
596	iexplore.exe
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE
640	IEXPLORE.EXE
640	IEXPLORE.EXE
1392	IEXPLORE.EXE
1392	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exeDesktopLayer.exeDesktopLayerSrv.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1252 wrote to memory of 840	1252	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
PID 1252 wrote to memory of 840	1252	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
PID 1252 wrote to memory of 840	1252	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
PID 1252 wrote to memory of 840	1252	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
PID 1252 wrote to memory of 1464	1252	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	DesktopLayer.exe
PID 1252 wrote to memory of 1464	1252	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	DesktopLayer.exe
PID 1252 wrote to memory of 1464	1252	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	DesktopLayer.exe
PID 1252 wrote to memory of 1464	1252	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe	DesktopLayer.exe
PID 840 wrote to memory of 1744	840	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe	iexplore.exe
PID 840 wrote to memory of 1744	840	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe	iexplore.exe
PID 840 wrote to memory of 1744	840	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe	iexplore.exe
PID 840 wrote to memory of 1744	840	3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe	iexplore.exe
PID 1464 wrote to memory of 1040	1464	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1464 wrote to memory of 1040	1464	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1464 wrote to memory of 1040	1464	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1464 wrote to memory of 1040	1464	DesktopLayer.exe	DesktopLayerSrv.exe
PID 1464 wrote to memory of 596	1464	DesktopLayer.exe	iexplore.exe
PID 1464 wrote to memory of 596	1464	DesktopLayer.exe	iexplore.exe
PID 1464 wrote to memory of 596	1464	DesktopLayer.exe	iexplore.exe
PID 1464 wrote to memory of 596	1464	DesktopLayer.exe	iexplore.exe
PID 1040 wrote to memory of 1056	1040	DesktopLayerSrv.exe	iexplore.exe
PID 1040 wrote to memory of 1056	1040	DesktopLayerSrv.exe	iexplore.exe
PID 1040 wrote to memory of 1056	1040	DesktopLayerSrv.exe	iexplore.exe
PID 1040 wrote to memory of 1056	1040	DesktopLayerSrv.exe	iexplore.exe
PID 1056 wrote to memory of 1392	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 1392	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 1392	1056	iexplore.exe	IEXPLORE.EXE
PID 1056 wrote to memory of 1392	1056	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 2012	1744	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 2012	1744	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 2012	1744	iexplore.exe	IEXPLORE.EXE
PID 1744 wrote to memory of 2012	1744	iexplore.exe	IEXPLORE.EXE
PID 596 wrote to memory of 640	596	iexplore.exe	IEXPLORE.EXE
PID 596 wrote to memory of 640	596	iexplore.exe	IEXPLORE.EXE
PID 596 wrote to memory of 640	596	iexplore.exe	IEXPLORE.EXE
PID 596 wrote to memory of 640	596	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe
"C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:840

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
4⤵
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1040

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1056 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:596

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:596 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:640

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
111KB

MD5
db7063dd41623179399e9508beb287e8

SHA1
4c7af2ca9eb7ad2c3fadaaa1a988767efb274c27

SHA256
3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc

SHA512
d41a086b1f521c0c57e23dd1bcf6e42b35d1c4e43132ad3f01783b1d5870b2eca22e9362c826dfb2b8f536a0307e01ca67aabf49e09c92ca7b8523616b457089

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
111KB

MD5
db7063dd41623179399e9508beb287e8

SHA1
4c7af2ca9eb7ad2c3fadaaa1a988767efb274c27

SHA256
3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc

SHA512
d41a086b1f521c0c57e23dd1bcf6e42b35d1c4e43132ad3f01783b1d5870b2eca22e9362c826dfb2b8f536a0307e01ca67aabf49e09c92ca7b8523616b457089

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B51ACD51-6F54-11ED-9D78-7225AF48583A}.dat
Filesize
4KB

MD5
53ab99c83536793fcae5b30b0c887bc9

SHA1
545e545bb6810a5e7b18bac1c6f0f251e27b1563

SHA256
c2f4a3d21fb442d178538e87e4e1699f0b94ac18ad31d7e135fd73dff2286060

SHA512
d60f8565b3f454ddf87be835eab0388f8a969c7eea18e287b0b7ee6bf80e4ae357ee8583c745ae86892cab2dc5db02f256ccdd827ee2435cd62fc34fd10cecb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B525C9D1-6F54-11ED-9D78-7225AF48583A}.dat
Filesize
5KB

MD5
af9aa03e7e3f43735c1c2fbd887e0170

SHA1
5af10227cf1939f93fbe718054674dd1a92adf5d

SHA256
e0ef8767d97d9522c8d293b6837fe3b7322fcaeb7e41b0d2e2860ff4f7cc4d51

SHA512
4a9ee1b0c2abc6f3d82804ac846c75cf3dfdbb34de881c603256e92e17c132704375e45e57830e8e97cf29d4c9953e807350a8ebbff86980f24112bfe2125995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B52BBD41-6F54-11ED-9D78-7225AF48583A}.dat
Filesize
5KB

MD5
9f649b90c9dec75137f1e07ec2bc2abd

SHA1
49d942c25f1f1b2a49177c1c0137c15f26be5bed

SHA256
c006a6467c938975958937a1005fa5df0208776a8bd42d26db848a51f61e2ffb

SHA512
85a3219283550ea803a49861c8bc2372d68ac3f51515cc40af2e9662104f6ed2b93053f86467cd6e0f652402a05477c7dfda64f8889dd46cefd533fd40216c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BI3ISNKB.txt
Filesize
607B

MD5
e6ba6eea5f40e7c5973b6dfc3fe23f35

SHA1
ae638a179e97e60444eec8ff0b8c15847e01405f

SHA256
8ff50997931755fc9aa7966cd8f4490f2e8546b40e7f32123498336bb9513d6b

SHA512
a0e39c54dc339dbd71440b9542e7bd638225ef6cdd74bbb6a3df74e81da4b9110f402f6e482987164030e190a8e34947f2e63a53bdab702e570d4c943d801ad0

Download Submit
\Program Files (x86)\Microsoft\DesktopLayer.exe
Filesize
111KB

MD5
db7063dd41623179399e9508beb287e8

SHA1
4c7af2ca9eb7ad2c3fadaaa1a988767efb274c27

SHA256
3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fc

SHA512
d41a086b1f521c0c57e23dd1bcf6e42b35d1c4e43132ad3f01783b1d5870b2eca22e9362c826dfb2b8f536a0307e01ca67aabf49e09c92ca7b8523616b457089

Download Submit
\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\3d2d0b31a0eb5554036bfbe4babf809f51e289c24be9ca06ace4051ffcf6c1fcSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/840-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/840-56-0x0000000000000000-mapping.dmp

Download
memory/1040-67-0x0000000000000000-mapping.dmp

Download
memory/1040-73-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1252-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1252-62-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1464-72-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1464-61-0x0000000000000000-mapping.dmp

Download