ramnit | db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 16:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460.dll
Size

380KB
MD5

f7e390609bcab34a1cde45f4c8415fa8
SHA1

59774582c775dd7fd2fd2b6c9b18e8432ce326d8
SHA256

db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460
SHA512

504afada85f1d6a7cbb985467ad7b44345954322b50a79a488bdc53d97a1317b69a9477fa651c09263afbb990632bc7ed27a6df64209883ba255017b6ab2780a
SSDEEP

6144:zKwFsGM5y+3kyzuJO1AmAGFxlNWCJBD4DsWR3Uqzujd3rm4eKsaJ:zlRB+3kyzuJO1AqWzujd3i4eKs6

Score

10^/10

ramnit adware banker evasion persistence spyware stealer trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Users\\Admin\\AppData\\Local\\ywjxuarp\\habkiabg.exe"	svchost.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
944	regsvr32mgr.exe
1780	yiyfkcdmslvbtfle.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	svchost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\habkiabg.exe	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\habkiabg.exe	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1968	regsvr32.exe
1968	regsvr32.exe
944	regsvr32mgr.exe
944	regsvr32mgr.exe
944	regsvr32mgr.exe
944	regsvr32mgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\HabKiabg = "C:\\Users\\Admin\\AppData\\Local\\ywjxuarp\\habkiabg.exe"	svchost.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{9421DD08-935F-4701-A9CA-22DF90AC4EA6} = "EPTBL"	regsvr32.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx.1\ = "ToolBarEx Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EPTBL.DLL\AppID = "{CACC252F-95A7-4741-BBE8-FB1F18C2826F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib\ = "{3521DDB8-44AE-446D-921E-73EC4E00C8CF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\ProgID\ = "EPTBL.ToolBarEx.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx\ = "ToolBarEx Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\VersionIndependentProgID\ = "EPTBL.ToolBarEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ = "IToolBarEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx\CLSID\ = "{9421DD08-935F-4701-A9CA-22DF90AC4EA6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\ = "Easy Photo Print"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\TypeLib\ = "{3521DDB8-44AE-446D-921E-73EC4E00C8CF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib\ = "{3521DDB8-44AE-446D-921E-73EC4E00C8CF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CACC252F-95A7-4741-BBE8-FB1F18C2826F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx.1\CLSID\ = "{9421DD08-935F-4701-A9CA-22DF90AC4EA6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\ = "EPTBL 1.0 ƒ^ƒCƒv ƒ‰ƒCƒuƒ‰ƒŠ"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ = "IToolBarEx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CACC252F-95A7-4741-BBE8-FB1F18C2826F}\ = "EPTBL"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EPTBL.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx\CurVer\ = "EPTBL.ToolBarEx.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ProxyStubClsid32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe
1344	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	944	regsvr32mgr.exe
Token: SeDebugPrivilege	944	regsvr32mgr.exe
Token: SeSecurityPrivilege	1988	svchost.exe
Token: SeSecurityPrivilege	1344	svchost.exe
Token: SeDebugPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeSecurityPrivilege	1780	yiyfkcdmslvbtfle.exe
Token: SeLoadDriverPrivilege	1780	yiyfkcdmslvbtfle.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe
Token: SeBackupPrivilege	1344	svchost.exe
Token: SeRestorePrivilege	1344	svchost.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1968	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1968	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1968	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1968	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1968	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1968	1960	regsvr32.exe	28
PID 1960 wrote to memory of 1968	1960	regsvr32.exe	28
PID 1968 wrote to memory of 944	1968	regsvr32.exe	29
PID 1968 wrote to memory of 944	1968	regsvr32.exe	29
PID 1968 wrote to memory of 944	1968	regsvr32.exe	29
PID 1968 wrote to memory of 944	1968	regsvr32.exe	29
PID 944 wrote to memory of 1988	944	regsvr32mgr.exe	30
PID 944 wrote to memory of 1988	944	regsvr32mgr.exe	30
PID 944 wrote to memory of 1988	944	regsvr32mgr.exe	30
PID 944 wrote to memory of 1988	944	regsvr32mgr.exe	30
PID 944 wrote to memory of 1988	944	regsvr32mgr.exe	30
PID 944 wrote to memory of 1988	944	regsvr32mgr.exe	30
PID 944 wrote to memory of 1988	944	regsvr32mgr.exe	30
PID 944 wrote to memory of 1988	944	regsvr32mgr.exe	30
PID 944 wrote to memory of 1988	944	regsvr32mgr.exe	30
PID 944 wrote to memory of 1988	944	regsvr32mgr.exe	30
PID 944 wrote to memory of 1344	944	regsvr32mgr.exe	31
PID 944 wrote to memory of 1344	944	regsvr32mgr.exe	31
PID 944 wrote to memory of 1344	944	regsvr32mgr.exe	31
PID 944 wrote to memory of 1344	944	regsvr32mgr.exe	31
PID 944 wrote to memory of 1344	944	regsvr32mgr.exe	31
PID 944 wrote to memory of 1344	944	regsvr32mgr.exe	31
PID 944 wrote to memory of 1344	944	regsvr32mgr.exe	31
PID 944 wrote to memory of 1344	944	regsvr32mgr.exe	31
PID 944 wrote to memory of 1344	944	regsvr32mgr.exe	31
PID 944 wrote to memory of 1344	944	regsvr32mgr.exe	31
PID 944 wrote to memory of 1780	944	regsvr32mgr.exe	32
PID 944 wrote to memory of 1780	944	regsvr32mgr.exe	32
PID 944 wrote to memory of 1780	944	regsvr32mgr.exe	32
PID 944 wrote to memory of 1780	944	regsvr32mgr.exe	32

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      Modifies WinLogon for persistence
      UAC bypass
      Checks BIOS information in registry
      Drops startup file
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\yiyfkcdmslvbtfle.exe
      "C:\Users\Admin\AppData\Local\Temp\yiyfkcdmslvbtfle.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yiyfkcdmslvbtfle.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiyfkcdmslvbtfle.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
\Users\Admin\AppData\Local\Temp\yiyfkcdmslvbtfle.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
\Users\Admin\AppData\Local\Temp\yiyfkcdmslvbtfle.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
\Users\Admin\AppData\Local\Temp\yiyfkcdmslvbtfle.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
\Users\Admin\AppData\Local\Temp\yiyfkcdmslvbtfle.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
\Windows\SysWOW64\regsvr32mgr.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
memory/944-81-0x0000000000400000-0x0000000000437E80-memory.dmp

Filesize
223KB

Download
memory/1344-77-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/1344-73-0x0000000020010000-0x0000000020023000-memory.dmp

Filesize
76KB

Download
memory/1780-90-0x0000000000400000-0x0000000000437E80-memory.dmp

Filesize
223KB

Download
memory/1780-91-0x0000000000400000-0x0000000000437E80-memory.dmp

Filesize
223KB

Download
memory/1960-54-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download
memory/1968-56-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1988-64-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download
memory/1988-67-0x0000000020010000-0x000000002001C000-memory.dmp

Filesize
48KB

Download