Analysis

max time kernel: 149s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 21/09/2024, 03:17

Static task: static1
Behavioral task: behavioral1
Sample: a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe
Resource: win7-20240903-en

General

Target: a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe
Size: 130KB
MD5: d91004262f9bdcc37809b7a0e327c796
SHA1: ba025f8d658cf3c2feaac5e50f48df382950a955
SHA256: a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71
SHA512: b310531e5f6ca3323d2c4035de0d6515b25838cc28f0d8f86f2a4da1419f7994f2bb3fc5a73f4e2cb5e7af0a6d7b366c7d4969f706206755f0c0bc95057eb906
SSDEEP: 3072:bftffjmNbjRS+oSODRMl67Sxhrnd89ayHyBT9WKe5HL:bVfjmNzoSODi8GxhrdiaygsKQHL
Malware Config
Signatures
Executes dropped EXE (4 IoCs)

pid | Process
5068 | Logo1_.exe
2852 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe
6136 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71Srv.exe
2592 | DesktopLayer.exe

resource | yara_rule
behavioral2/files/0x0008000000023610-22.dat | upx
behavioral2/memory/6136-23-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/memory/6136-25-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/memory/6136-30-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/memory/2592-31-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/memory/2592-34-0x0000000000400000-0x0000000000435000-memory.dmp | upx
behavioral2/memory/2592-35-0x0000000000400000-0x0000000000435000-memory.dmp | upx
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.

description | ioc | Process
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)

description | ioc | Process
File opened for modification | C:\Program Files\Windows Defender\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\VisualElements\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\codecpacks.webp.exe | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\EBWebView\x86\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\kinit.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.AppTk.NativeDirect3d.UAP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmid.exe | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\pages\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)

description | ioc | Process
File created | C:\Windows\rundl132.exe | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe
File created | C:\Windows\Logo1_.exe | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71Srv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DesktopLayer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132628" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0FAFA029-77C8-11EF-A2A4-EE6C637598CE} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132628" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433653636" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3838417752" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3837948638" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3837792354" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132628" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132628" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3838417752" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Runs net.exe
Suspicious behavior: EnumeratesProcesses (26 IoCs)

pid | Process
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
2592 | DesktopLayer.exe
2592 | DesktopLayer.exe
2592 | DesktopLayer.exe
2592 | DesktopLayer.exe
2592 | DesktopLayer.exe
2592 | DesktopLayer.exe
2592 | DesktopLayer.exe
2592 | DesktopLayer.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
5068 | Logo1_.exe
Suspicious use of FindShellTrayWindow (1 IoCs)

pid | Process
1188 | iexplore.exe

Suspicious use of SetWindowsHookEx (8 IoCs)

pid | Process
2852 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe
2852 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe
1188 | iexplore.exe
1188 | iexplore.exe
4968 | IEXPLORE.EXE
4968 | IEXPLORE.EXE
4968 | IEXPLORE.EXE
4968 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (28 IoCs)

description | pid | Process | procid_target
PID 1700 wrote to memory of 4908 | 1700 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe | 89
PID 1700 wrote to memory of 4908 | 1700 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe | 89
PID 1700 wrote to memory of 4908 | 1700 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe | 89
PID 1700 wrote to memory of 5068 | 1700 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe | 90
PID 1700 wrote to memory of 5068 | 1700 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe | 90
PID 1700 wrote to memory of 5068 | 1700 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe | 90
PID 5068 wrote to memory of 4572 | 5068 | Logo1_.exe | 91
PID 5068 wrote to memory of 4572 | 5068 | Logo1_.exe | 91
PID 5068 wrote to memory of 4572 | 5068 | Logo1_.exe | 91
PID 4572 wrote to memory of 1800 | 4572 | net.exe | 94
PID 4572 wrote to memory of 1800 | 4572 | net.exe | 94
PID 4572 wrote to memory of 1800 | 4572 | net.exe | 94
PID 4908 wrote to memory of 2852 | 4908 | cmd.exe | 95
PID 4908 wrote to memory of 2852 | 4908 | cmd.exe | 95
PID 4908 wrote to memory of 2852 | 4908 | cmd.exe | 95
PID 2852 wrote to memory of 6136 | 2852 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe | 96
PID 2852 wrote to memory of 6136 | 2852 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe | 96
PID 2852 wrote to memory of 6136 | 2852 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe | 96
PID 6136 wrote to memory of 2592 | 6136 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71Srv.exe | 97
PID 6136 wrote to memory of 2592 | 6136 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71Srv.exe | 97
PID 6136 wrote to memory of 2592 | 6136 | a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71Srv.exe | 97
PID 2592 wrote to memory of 1188 | 2592 | DesktopLayer.exe | 98
PID 2592 wrote to memory of 1188 | 2592 | DesktopLayer.exe | 98
PID 1188 wrote to memory of 4968 | 1188 | iexplore.exe | 99
PID 1188 wrote to memory of 4968 | 1188 | iexplore.exe | 99
PID 1188 wrote to memory of 4968 | 1188 | iexplore.exe | 99
PID 5068 wrote to memory of 1188 | 5068 | Logo1_.exe | 98
PID 5068 wrote to memory of 1188 | 5068 | Logo1_.exe | 98
Processes

C:\Users\Admin\AppData\Local\Temp\a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1700

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7F2E.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4908

    C:\Users\Admin\AppData\Local\Temp\a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2852

      C:\Users\Admin\AppData\Local\Temp\a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71Srv.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71Srv.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 6136

        C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 2592

          C:\Program Files\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 1188

            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1188 CREDAT:17410 /prefetch:2
              - System Location Discovery: System Language Discovery
              - Modifies Internet Explorer settings
              - Suspicious use of SetWindowsHookEx
              PID: 4968

  C:\Windows\Logo1_.exe
    Command line: C:\Windows\Logo1_.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 5068

    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4572

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        PID: 1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4768,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=948 /prefetch:8
  PID: 5396
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 244KB
MD5: f41b6e3c15470dd1760bcb40f4ea3ba2
SHA1: 16aac99f2990b9dfbbb19919b5e86a0394bc3ce3
SHA256: c645867dda8c6ddb3b485b2336a729401d76de07a5f50190d7af6220dc4efa5f
SHA512: c098e6b22959c164aa0e6aee3e694ef27ec7ce3dc692f749153032395bf0dc5a9672e9aeddfbca6f8ade8fa0a76d9577e1bfb655155e720aee1154d0171c4425

Filesize: 570KB
MD5: 8f2e35de3f2313d4770519001bf0b117
SHA1: 26043864f230c88c10d21c6961b917bb005d8a48
SHA256: 13860f265a11270dbf3c81ac67684fbd2e0e67e0c3a595aaf51c6c019b06e24b
SHA512: 0bfe507f5ed6ae4c11e0522086973f2c279ca2f279fd1d0af4203b60cbe2f7014f1832b572f51d5018136aff57adae96e074382cf9d7c1aded0f50de8ce7f0bb

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 636KB
MD5: 2500f702e2b9632127c14e4eaae5d424
SHA1: 8726fef12958265214eeb58001c995629834b13a
SHA256: 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512: f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: ed05e58945ed7a2c9b1cdfc86642b6ed
SHA1: 57c72c87f05d91b39f235af6688c13c8d9749c67
SHA256: c4e101f22a067b19a4629a48e893f9cd842b9a709a979208c9c5bb06724124ab
SHA512: 853107d0ed6191d3a79e2e31d2b41873ccc67ac8bddaeb4ba902cc27342a5bbb127ed98828fa499e1f898d6304da2a05b93457490873f44b5987df780801ef8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: 8f3f47678ba603b73b29899d5cb96728
SHA1: af0a20a73d62788dd01260ce7416ca587347da67
SHA256: fc939aec6f05b0db0c69776ac46e9a7665fecd02fdad3d528c18290f8a0b5323
SHA512: 685a50974074f2d5ae56efc371cfa1bf6727b8bfee91cb681a85cdd08b9e860ca1b30029d641a3df9763ef60acca127a6fbdb1ea6d03769d42ccd0cba232992b

Filesize: 15KB
MD5: 1a545d0052b581fbb2ab4c52133846bc
SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 722B
MD5: 12126fc81d8c8f0c1a2087eb35cb18a6
SHA1: 9f9f5ed1d7aead14b905fb86effb9242612754a6
SHA256: 3813505b090148aae5fe2ac03184154e4a256fd25386d82f175c6e1d5c3c145e
SHA512: a9f796d49450fa847ca1f625c45a6c19e94a104ea3c9f7ee626f6ea82613120c4729a94c502ba2842465a7f4c3dde3ea2009a2086c1dd20cd86565d8f7a24636

C:\Users\Admin\AppData\Local\Temp\a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71.exe.exe
Filesize: 104KB
MD5: 230e632976d37eec35c7c5aa033583ca
SHA1: 9971e0710f56c0966e0f202579486db138076e56
SHA256: 91c3dfd728e4664bdf03a61a0292c11dc357a7daa5c06c88fb9bd7b26e520930
SHA512: 30d49f6be1a044184e8a4846d54e89564e5991d5b47197e323a20b0aa15474c0bf81d211274da374b45fea0659f745dc3c3552924f790cc6ce9c070d5c96fd2d

C:\Users\Admin\AppData\Local\Temp\a022ffd9d1a8b6b14494d5bade8cf38d1145e97c507174841eeabcb945982a71Srv.exe
Filesize: 83KB
MD5: 6cb54cfe353a4227029cbef9fd4f84b7
SHA1: cb6c810be8d06bbc7ce8d18aadeb499c8f8f585f
SHA256: 3224971b7d8ea8cbb80e3d106a1abf05668e5e369b0e5f4667c1061f881f72cd
SHA512: 5a54961e8ed230534caa8b8d6a91147989cf4c784012c92f10fb39ea98cd891ac2486e9da742da87cdd8a388e93da6cec54a5d28d7de866df6585698f108e133

Filesize: 26KB
MD5: cb56be1839c14f99caa517c332b76737
SHA1: 377c1701bbf2efd5a6804e25905abe84e8003fbe
SHA256: 01b03ad434eb5d7f1f9a1e6318df774e5240e9ab6a57a4915d534625f90ed005
SHA512: 60d259378bcb7391ac0c8116de40bce7006b654cab2d10cdbcc778b9e66863a18ccfbbb67b6fbd1d5680bfbcdcf07d778368fa355fc0bde14ad16fa1438f5a46

Filesize: 9B
MD5: 5412111268dd2c1fb1cf8697bfab9b6c
SHA1: 16d0b289e83c74cb50a004edd7c5750ac706f321
SHA256: f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc
SHA512: 13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf