ramnit | ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-09-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe
Size

292KB
MD5

540ce6edb77a6941dcee1d03536a04df
SHA1

3be74dd166444f5b78b3f21206a40bbdd08cc5c8
SHA256

ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10
SHA512

acb69ca66bc242016d80ccbb6367d641edd90e6264f1a4f358f1d435c8916acc7af5ca12fc5a58db34dee3e58e4d8d54d23d443ee151f41a5319e53e955b14b0
SSDEEP

6144:0GWajvSsANgXb8MtQXrZ0giO7WNNw1DtPE:1z5XbNtYrCOYufE

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 3 IoCs

pid	Process
1536	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe
2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe
2768	DesktopLayer.exe

Loads dropped DLL 4 IoCs

pid	Process
2964	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe
2964	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe
2964	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe
1536	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0018000000015682-9.dat	upx
behavioral1/memory/1536-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x000a00000001225d-7.dat	upx
behavioral1/memory/2888-29-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2888-32-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2768-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2888-37-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px8066.tmp	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{719479B1-6AA6-11EF-926E-C6DA928D33CD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7194A0C1-6AA6-11EF-926E-C6DA928D33CD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7196DB11-6AA6-11EF-926E-C6DA928D33CD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431606725"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2768	DesktopLayer.exe
2768	DesktopLayer.exe
2768	DesktopLayer.exe
2768	DesktopLayer.exe
2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe
2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe
2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe
2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe
2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe
2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe
2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe
2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2700	iexplore.exe
2256	iexplore.exe
2676	iexplore.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2700	iexplore.exe
2700	iexplore.exe
2676	iexplore.exe
2676	iexplore.exe
2256	iexplore.exe
2256	iexplore.exe
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2888	2964	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe	31
PID 2964 wrote to memory of 2888	2964	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe	31
PID 2964 wrote to memory of 2888	2964	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe	31
PID 2964 wrote to memory of 2888	2964	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe	31
PID 2964 wrote to memory of 1536	2964	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe	32
PID 2964 wrote to memory of 1536	2964	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe	32
PID 2964 wrote to memory of 1536	2964	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe	32
PID 2964 wrote to memory of 1536	2964	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe	32
PID 1536 wrote to memory of 2768	1536	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe	33
PID 1536 wrote to memory of 2768	1536	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe	33
PID 1536 wrote to memory of 2768	1536	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe	33
PID 1536 wrote to memory of 2768	1536	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe	33
PID 2768 wrote to memory of 2700	2768	DesktopLayer.exe	34
PID 2768 wrote to memory of 2700	2768	DesktopLayer.exe	34
PID 2768 wrote to memory of 2700	2768	DesktopLayer.exe	34
PID 2768 wrote to memory of 2700	2768	DesktopLayer.exe	34
PID 2888 wrote to memory of 2256	2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe	35
PID 2888 wrote to memory of 2256	2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe	35
PID 2888 wrote to memory of 2256	2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe	35
PID 2888 wrote to memory of 2256	2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe	35
PID 2888 wrote to memory of 2676	2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe	36
PID 2888 wrote to memory of 2676	2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe	36
PID 2888 wrote to memory of 2676	2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe	36
PID 2888 wrote to memory of 2676	2888	ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe	36
PID 2700 wrote to memory of 2972	2700	iexplore.exe	37
PID 2700 wrote to memory of 2972	2700	iexplore.exe	37
PID 2700 wrote to memory of 2972	2700	iexplore.exe	37
PID 2700 wrote to memory of 2972	2700	iexplore.exe	37
PID 2676 wrote to memory of 2980	2676	iexplore.exe	38
PID 2676 wrote to memory of 2980	2676	iexplore.exe	38
PID 2676 wrote to memory of 2980	2676	iexplore.exe	38
PID 2676 wrote to memory of 2980	2676	iexplore.exe	38
PID 2256 wrote to memory of 2008	2256	iexplore.exe	39
PID 2256 wrote to memory of 2008	2256	iexplore.exe	39
PID 2256 wrote to memory of 2008	2256	iexplore.exe	39
PID 2256 wrote to memory of 2008	2256	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe
"C:\Users\Admin\AppData\Local\Temp\ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Local\Temp\ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe
  C:\Users\Admin\AppData\Local\Temp\ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2256
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2256 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2008
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2980
- C:\Users\Admin\AppData\Local\Temp\ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe
  C:\Users\Admin\AppData\Local\Temp\ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2700 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02fba3d79321a3701ca212eb28301688

SHA1
f8342ddfd1c4530329ddab3897e7a0cc3426dafe

SHA256
7c1cfd3f2766fd07c4a0fc433f873e1a1e2b4c3756b6b14b7238686dad24aa7c

SHA512
6c2fcce22b90fa794016a27d414e3ab82161f4ac746bf2815a5290fcba9d67939ce757703b376c91e3870de11d02290f83043d06c853fd5869d8467a48a6f345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf3ea257b2d34a51a11db62c10591713

SHA1
cf0c71f2e0d6bf84e49b6aa9dddcb52cafc21157

SHA256
f47618362c3073bf5e2f6537b2734f6779274d834ee5b2e1ea1010d3fecf1419

SHA512
a729beaa925ab35495d32d599b0da010aedb7b9eed81f5cb64d9dd60081f80bcc5866fddb5b088bce9d93415ea92df93b4bb2ce74ae5680f552d2a2854678153

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03e1c74e0039f3d71cf4441a8f4cde73

SHA1
65604ee78fd4c49b803275d81a3cad4da4f2fef5

SHA256
4d8e2f5e563f77129ad0164907e656f85c5f6b8a224715f8efa97472ed7fe9a1

SHA512
0edb09ffa968c28d4631a5b000e4667eda0c1e468985b24685be5a6a214cf35975c68ac1e8899b00c45de9e385e25d2f0da9ba2491d87772c1bc6eac54dc646e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28bf8bd761c9f6cf935cc2195e1af95e

SHA1
f7b1e005f4f28f6c075c914fa821edc4b37f3a20

SHA256
d8e66970f557de1ac6ad82cb0a7af76ddfdea22a15f75ca7b3d03d12424bf70a

SHA512
8a0e21c4c7ff76668beff4f5faec69cf689def0721e71686a9c2bcd6794625ffec828129329042775438f8674e00afaa9c02778379bacfa68287f060bea52f9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee591288fd1b5579a8d214989b880f2d

SHA1
ffe0b193c67a39accb43fcf1dd466275fcf51cab

SHA256
2457b98a5ff1043621190b50d74541c47555d777116cbff742f23cb6cc30d526

SHA512
80dda467aa810964d15ba9bddef4c84c41270192128c227540ee3ef760d3d1d35aba5e6d8dd0c7a496e7c58dea91757bc0221fc6ca9e7dc548434e916ea68757

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6ba7dfe9f36522ce8f52d7dade519dd

SHA1
ed2e9768d08916728a64a357493708ef672f711e

SHA256
61e2a0356eeb9abd0c98ae0ab4f132fe39f7f92896951e9a70bcc044b7c8460b

SHA512
6f3cd463e5a740fa8f09803476b0cb188fe2d8ade67389f2253e4a649e67f4bdbe07f9c799eac45d9cc7cd80d1f5b51848f2d157d3383f46d8c92b3891d5128a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ae7ccbf0967dc3872329f2f76bab240

SHA1
7a7d93a585246a6a70f546cc1ac36bd01bd217a3

SHA256
21042727d589842590781d8b862903df479195800bcbe9154efe203a2919220e

SHA512
781c303e13a707f2a241e251b94889c46a24a0656a66ad7cb0e62b5f0980b99ca6d1271cd086f67fd13a405084e35a79734a1f2ef4e9b4dbdbe74b70002ae875

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
638cc4c01a89985909d8c0719a5d9b0d

SHA1
ccc190891db06c22486471308cc516c454a6c941

SHA256
9b745c50b954a3e4df75a61426d25427b900e1bb50eac258b83762f10f448462

SHA512
43f1077428e65f823e2c6abd3d107289637caf0e85a5c3c0993d4a92ff0ed4187e8a2fb680a2e9c38da55a517c489c1663f9149ccdf6764e2b7217d5df83b32c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c0b7b6b2049fe33493af0cbd115056a

SHA1
3c5679e48b061b5e19b3acf8d458c1550bed6cb3

SHA256
9088a1deaa1918d2adce6a98536219b803f3ca539cd1d1cf377752b512421e2a

SHA512
db689fe16ff21fb58c5576dc8f68f094b043b6d942dff68b359ba7875d5f50fcc461c72914d88cf5d5ea2d523ebe4886395b7f3162045bc4953fe332cdb014da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1290362f859d7d28baf49a5473e506fe

SHA1
54cf15d225e1175fdd522ec375cf01451f6b24ea

SHA256
25bee19a0aa0029240a5db79688c939f3d2b947cc913449f2f628c7f040f79c0

SHA512
fe80e3ba1ef9d87813ec3db76540d754d9206dbd907bf047ba1d0b06b64d52289e82f02a708b103e48496929ddeccc1b64a154ef359957309e3dc6a09782f198

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d51f6d5b05e41c394a6d2c19bea63c65

SHA1
aec7dc8aa5ecf89f2380aff44479ebc81383a695

SHA256
3dec2e25c6a1c00986686fccebadc0fd706d1c9b51abb137b0475453510d9a29

SHA512
daf56a5ead442a032dc0a28a3ec5cf2b763886b6ce9f03bff96b8ed79c439a2d264d5c53876f52deb3eca13bc0fd23b9cbf1c46726115f9dfe23799f6711901f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fe141b8ed34684f446e6568d6f52566

SHA1
3b6a5cac92869fa039ad5ce25236e1d7f6587267

SHA256
95bc912f0e8250d10539becb47bf72259abd6fb8117246fd6a34e108f9be6215

SHA512
608a6bd08ecc7dfca3314d5bf1a6b187bc0f1196cdfda7bad0b478d2fe1ca117bb38d35b35e03541b7b5d9a6be278a8a1c156d5a7d77ff5e654a9b7f5b837e1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36af27419f5ea5b9c175d99f3f294ec1

SHA1
e79d43b41bac5ca99e14433b13470625f5ec8740

SHA256
aa84bdcd7f3dc81057b257970e6eeeb61abae72311739b3d935d4f4b698acef3

SHA512
71039be00f7cc7b7fa4e62227cf26f32e2d809e82f1cfc32332af1a721e7daa3e151e35de4ce878c6e1d790ae3326b0344c2b1eba5e1b3510d26334c05e569e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b79d7a1adad89ae72d07439e1fd0e90

SHA1
dc2ea3801473e72562d08a46e8481037fdbe3764

SHA256
e0c92a162f95b5d881eb3928021e7c2ea631468b52a8c87ecb5aa09b86ddc99f

SHA512
08c61e266ec5f579b20f72ea41fdee79fccd40d732345558681ef88c3345920a60d2ac055c8c8d13bde5953cf8f44544b506d6cf77de0661c807b5e2eb351204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddabad527acc982b4afe29278b34c765

SHA1
5cffb8ca2148728c0bfd8bdb8c1d188ca3bdda0d

SHA256
338e5fa8aa17e6e5aa52fb40b2d3bd68de1e90330410a7d13c74fb7726489ee0

SHA512
f5fba94ddbc339319825d650f51a99402dcedb0fa27c26b63e7a69bf167dc3c31d249459192dc1ce97eadd780bdbd53b417c2c638c318281a730f97a80a84fdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa80362fccbcc4e7a01f44a41c9d6827

SHA1
1ce244fffe97d8ef090c62a065b01aa06e169301

SHA256
632e362e5f4ab88a3a63c2b1a9852c9e5228c1e02fcef96ed3a4875a96cdcd73

SHA512
9ed3114956fb20f01257cc0acbb3019aed758cf65fbd86aca6ff5e50115ae726d78a028e956b44748d4f19491cc0031e6cb701d4fdffced2a209d87da7c2bcea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34dbd56ab4ffd9e50a831b9aaff41120

SHA1
84fd2acea0dcada850aacdd9ab98852a30cbccd8

SHA256
285353fe264a773db945fc53a2357feca7c8d7ad2fefbb2bbb3f2649e940617f

SHA512
d5cba24e101419fcebf5a09c5b3c02210040c3d89b8e97213414d86ce764ff743e8c2c3e812d41fbadf7ee1329a19366d56f65d2963b9079bf7bc010c18b6691

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97bb5a7b1b24af10fb97ee071641e234

SHA1
d29e9232bac93a874560a5cf3fff1aa4d01d83bc

SHA256
f99cf978d7d12a22a5c6684213ad90b83a7aa5d825fe9eb3bf5a5ad49fa88b8e

SHA512
5f7e9a5c71b57a61138e9adc01b075bfd8da57b170bc53a7f8cb26fc06777f8dc0c3047c76acfbef2f6293627fb7a8e21f04855a938b4332a6934635aebc1271

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b59cfb2c690b86e1a338d72fd3fc181

SHA1
a3e526965b45f1f0cb4f77293ddb99fe32985e17

SHA256
e40d608f710511469f5166312268d3f433e2c0047e30e671ffc7b2c959c4fd30

SHA512
dbb8b0cdeda5ca29d3cfb1d90fd52d80aebea0550fb390435485357bb6244e98db4185a8733b4da7c88b3a8e2675d19fd6a1502e0c55cf42fb0966dee692f84f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
902b52b06ccf3c68abe6c7b593b1f670

SHA1
9a4ee7a90fdbbcda1b7f615a8b79018b88225768

SHA256
7d79e7ea7864956c3c7f7ab6b85de898c00105f6edde58d0e834d4d6442bfaa7

SHA512
3c8797429b2f1ef4ec9d6f311d90e0f0168a07d40d950950e88e9b7205006075da2f068155813a9f46cbe6c3c009ee80257ecd5afbdfd9745b71e93a4d10ecc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{719479B1-6AA6-11EF-926E-C6DA928D33CD}.dat

Filesize
3KB

MD5
6c889683c27027a78a5eefe9046570ca

SHA1
5f848d40d57bbb04bb9d34d575d64a63d19eac61

SHA256
73705a5ad0068f21b8fe56e7ed07097d78d162ea9cb8c6ce621730286a7edd78

SHA512
99e7bf5020d5354189a18265811c52fa2054be4c2dce6ffd649f3dc6b7dadfb94fa19866b0576fd6c64aa2c7962470a7716a8c8506770337787088e56998f553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{719479B1-6AA6-11EF-926E-C6DA928D33CD}.dat

Filesize
5KB

MD5
4531ac28fd0afb4738165c72702d0505

SHA1
fe4579a0b3857967390949c8b936eb85565e0b23

SHA256
fa5f596fbd1e8a9ce65935922072f70932262d41479f3a7770362cc10cb5d319

SHA512
7def34eaad60c92674c1a733013ba782d8a8ffce2d04699d624659c8504d34233f687c91799ef6fb3419de7592b7f204066802b74750aacbce5e68f26e188e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7194A0C1-6AA6-11EF-926E-C6DA928D33CD}.dat

Filesize
5KB

MD5
388def45c2122035be4366e676ad54ea

SHA1
b4b9d0aa53473f48ab6e5d76d7abb2c5171b34d3

SHA256
1875957a2216afbfc8d349bf5053076fbce8b9fc91205ff5aa27ad75ec90b0f9

SHA512
72b9c9ee597b67c909da715baf2afeed8b51b83552a6bb636d0caa2842b00bf5d7fc80bf9f8b056c67c93deb289b4889205aa9cf3f6c68ea317eb99686dbcd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab989A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar990B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10mgr.exe

Filesize
105KB

MD5
dfb5daabb95dcfad1a5faf9ab1437076

SHA1
4a199569a9b52911bee7fb19ab80570cc5ff9ed1

SHA256
54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

SHA512
5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

Download Submit
\Users\Admin\AppData\Local\Temp\ebe100770959aa1565f61177e0c693a256ecbe1d639c1e4552032864efb70c10Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1536-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2768-26-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2768-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2888-31-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2888-29-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2888-30-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2888-32-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2888-37-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2964-467-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2964-12-0x0000000000450000-0x00000000004AB000-memory.dmp

Filesize
364KB

Download
memory/2964-13-0x0000000000450000-0x00000000004AB000-memory.dmp

Filesize
364KB

Download
memory/2964-14-0x00000000003D0000-0x00000000003FE000-memory.dmp

Filesize
184KB

Download
memory/2964-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2964-36-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2964-38-0x0000000000450000-0x00000000004AB000-memory.dmp

Filesize
364KB

Download