ramnit | 0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34

Analysis

max time kernel
120s
max time network
114s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Size

974KB
MD5

6a385771977bab2c8914089e6c65bf91
SHA1

6ec4bd68e06b13d7065e83b4b1adbc32ec5db0bb
SHA256

0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34
SHA512

63c2e1fb1e95d5ac9262b7ac8339b54bae372c1d2138b0f5fa9bbb5e1603d83377c70f959f65dc6855d0615c3095b9be423dab71683a8082ae043b356046ea16
SSDEEP

24576:mNoYMx2ZB8Xk61KmjBpVGE7EjwSM8AXjYRyfhfel3gQO:K1MKB8UyjsE7DlNMRywmv

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2396	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe
2768	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2996	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
2396	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000016edc-16.dat	upx
behavioral1/memory/2768-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2768-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2768-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2768-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2396-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2768-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\pxF4EA.tmp	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AC968E31-A599-11EF-9A25-6E295C7D81A3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438088397"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\0\ = "&Edit,0,2"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\server	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\server\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\Insertable	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\1\ = "&Open,0,2"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DocObject	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultIcon	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\ddeexec	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultExtension\ = ".pdf, PDF ??(*.pdf) "	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DefaultIcon	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DocObject\ = "0"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\2	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE,1"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DefaultExtension	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec\ = "[open(\"%1\")]"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\ProgID\ = "FoxitReader.Document"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE /dde"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\Insertable\	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\LocalServer32	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\InprocHandler32	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\InprocHandler32\ = "ole32.dll"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE /dde"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\3\ = "Foxit Reader"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec\ = "[print(\"%1\")]"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\ddeexec\ = "[printto(\"%1\",\"%2\",\"%3\",\"%4\")]"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\command	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE /dde"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\ddeexec	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb\0	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\ = "PDF Document"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE,1"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Insertable\	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\MiscStatus\ = "32"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\ = "PDF Document"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Verb\1	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\3	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\CLSID	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0EA19E~1.EXE\" \"%1\""	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\Insertable	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DocObject	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\print\ddeexec	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\shell\printto\command	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxitReader.Document\protocol\StdFileEditing\verb	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\AuxUserType\2\ = "PDF"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\MiscStatus	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14E8BBD8-1D1C-4D56-A4DA-D20B75EB814E}\DocObject\ = "0"	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2768	DesktopLayer.exe
2768	DesktopLayer.exe
2768	DesktopLayer.exe
2768	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2812	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2996	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
2996	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
2812	iexplore.exe
2812	iexplore.exe
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE
2716	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2396	2996	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe	30
PID 2996 wrote to memory of 2396	2996	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe	30
PID 2996 wrote to memory of 2396	2996	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe	30
PID 2996 wrote to memory of 2396	2996	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe	30
PID 2396 wrote to memory of 2768	2396	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe	31
PID 2396 wrote to memory of 2768	2396	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe	31
PID 2396 wrote to memory of 2768	2396	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe	31
PID 2396 wrote to memory of 2768	2396	0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe	31
PID 2768 wrote to memory of 2812	2768	DesktopLayer.exe	32
PID 2768 wrote to memory of 2812	2768	DesktopLayer.exe	32
PID 2768 wrote to memory of 2812	2768	DesktopLayer.exe	32
PID 2768 wrote to memory of 2812	2768	DesktopLayer.exe	32
PID 2812 wrote to memory of 2716	2812	iexplore.exe	33
PID 2812 wrote to memory of 2716	2812	iexplore.exe	33
PID 2812 wrote to memory of 2716	2812	iexplore.exe	33
PID 2812 wrote to memory of 2716	2812	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe
"C:\Users\Admin\AppData\Local\Temp\0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe
  C:\Users\Admin\AppData\Local\Temp\0ea19e8af1d7c3b0dc11b2f4d77b60fd16858449e55bab8fd18ed15074173e34Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef946b2fb254a6d6d292977dc5b4f547

SHA1
461bb01f32d57731c36f7b0df750e8ef0845a643

SHA256
34967ef33363afd664d7f5721979528b6df77ce5caea8a409612b173173dd779

SHA512
a005b0f0743b79ce8886565967a43ae7a22815e5cca96900fc87d995eb3b510f70863d9a884775508b714e148be2c6629c986d33fb4343f7d3137fb594b020b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2990784360e9eae0d58e885fc34b807b

SHA1
4fa32ee95c43f462d8169628209998be34490feb

SHA256
cf68d1148f08f8ece9daf0cc268927bb2dfed9d717daad95e1f7fcb3a34a01fe

SHA512
3cace45a1cf6c36e844a47de182b457b50f6e9bdd569f67e91c32ef740431ded11c2127872761abc7fc16b520e61199cf7c2ab975da41eb6e34b60bf70e1f62b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e309957fe08dd3a7861c67b27b5724f5

SHA1
f7545eb11b9a0f47cb0238347229e6de33239f0a

SHA256
d97c0c80e22238a56d3dd1cca1c62c47b8cb74385116f8c3150ba468dad56c34

SHA512
b527b7b400e88280051cb45006f4d5ac291b05b7f665f51151a26ca3014d6bef9d942484a413a126b9cad2228091f6602193904fa3d37aecbf6cc375489c9952

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
539e62706b2b6584568c3a90fb9298f6

SHA1
d2a6b86cad36d4ffa80a16bee6930ea1045e28a4

SHA256
e874739b175e8ea88b6e13a6399e11e85cf5bd72c204b5ac804e6d2e7612f789

SHA512
dc02f79a588bf3a1dc68dbc0512ba370621cef5ef5796034323e4727648f29f3180ad76090f4e5ad94db7ad1e74072b269d6556118cfaa04a5066f35876bb738

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
881db138b36a40a4715b00ea1818fd78

SHA1
443fd7e11981759398336d689aaf05f1464ba852

SHA256
73e8989480800ccd79d7e090827ec1976b0eecd1739a9fe9b12300a94ccf1b6b

SHA512
872879dac6c5d8f615fe4027114646941b11c1140d4d0b8234b0e045201a7b351dcbc3a1c08aa183e8d29e9d7ae360634a7a62debe76abe6da4bf71aca5283cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2767c9a0e2eb513d2181eadaf1b2ca3f

SHA1
050b72c87676b316a6d169b40aa5d84807678958

SHA256
f2a07a70efa705eba6ee5e5647deabb58832d360df3b764b801852f59a5d5928

SHA512
8210573c947b941e7f7cd98815928ef0d330905fc2d0480a5909be79633045fd897b712b925040cf5f53957b646b9da996ba36d92bad2919f7544f85d270b6ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
001b92e1b130933837bd03cbc556ad87

SHA1
6eaf90686448a3dee514b4ee06be9d62a6877600

SHA256
4188747aa19addab7834e0aeb679943d8e19afd82632ef1f7c36513fabbd04bf

SHA512
bbf74cb34d6f529beba0ca825d63d6b387127cc1dbc9e901f41cfe0e25a65c3974061b8c445d06c3f27b42a5a61615d50ce1b316cc19d8982aef0da3a1f82c16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de09498005880bef11ae2e3e02a9f178

SHA1
eb9699170d4b36f5b90250bafd2ac17f9b4037b5

SHA256
80d64fc9a552c635e66d6526eccdd3522253ac06c509cb908b3d81cb3eb2bf2f

SHA512
d80058156fd24dbc249f02d34e40b34cbdc4888b2bab719ae31bd5ace8cc327e09de4f62c4ce98ddc11d09325ccabeceb88f2a79761f54ab8f0b53355fd0e4fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6747bfccb3a401e9f17121f08f58d76

SHA1
eab934cadf12f03528226a12933048fc561a7ef6

SHA256
f481ce351200b0fd47a65a65330054dd471f42dc6e0f55a43be15b449341364f

SHA512
bb0d71947837015a638313bfd928dcb8a3f6ff77ef6771ef01a686fead089736075b3add9800dfd17e52a8fb587f6b7c614cb4f53c87aea389734ad6405cdfc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96f77f9b960c82016e867dc7cf0c7a9a

SHA1
55ac5969e8fc10294bb039581fee457327fc7a09

SHA256
eafb29e0cfe8d81b93d57338db13e0b4e5a4bf5d8ac3d0d096755b85cee0ab6e

SHA512
78d9222272ce3062f59fc8251afc39c08a476cc10c95b5e7173cf78be1c4b7247539cc85c251090828a9cb60d5e8e7e247837105f80502f7f99dc815a1f4f0fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47b4a37dfbdc7dcc05b5f2907aee7aae

SHA1
2a655a5db08c9ee7bb1d452315f4424fad096d24

SHA256
87fd95026d565b9dcac4f9e924e16396750cada38eee750f933b62d43b0012b4

SHA512
4057b8f311f57866029f1bbe6c82d66ae133d68ce660cc61e5af94b0b29bdc99c2c52ea45be51f7d8ebb1f3c38fa43acb40fe50653bbf065776e6968a862ebcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2402eb3f2471bf6ca7d09c87d9921b6

SHA1
d14c7a0a727d04d96a01a402e5025464e45630b8

SHA256
a3944876586be8dbd51d180f62308945bbc34c03fc305de8184a60dc8f920d7c

SHA512
02434835bdc48c79904323ddcce3f7d33dea2310b537b11a693e648d8b5fd441cacfe31aff36019dd83a82377aaf888a6c87cd356fae2a05107fa81b37f6f4a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
647f5653e43a2142f890571249a60d37

SHA1
e72a35c02e9a8c95b23e600642c4be9817040c40

SHA256
8cfc9895ecbfd4a6f42b4baa2f9b462df374f513d7844114681709a2c37c7fd8

SHA512
1a99c9703ec5c4145025ad7ae314c8871e1c08d3685d9fd14a769d1e8df35ff76acdeac340852e3bc2cd9bf54202558fc9dda865be10299f077310ba75f91e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCC0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD41.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2396-10-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2396-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2768-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2768-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2768-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2768-21-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2768-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2768-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2996-8-0x00000000003A0000-0x00000000003A2000-memory.dmp

Filesize
8KB

Download
memory/2996-14-0x00000000006B0000-0x00000000006DE000-memory.dmp

Filesize
184KB

Download
memory/2996-454-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2996-6-0x0000000000400000-0x00000000006A2000-memory.dmp

Filesize
2.6MB

Download
memory/2996-25-0x00000000035F0000-0x0000000003892000-memory.dmp

Filesize
2.6MB

Download