ramnit | 7b4083b9ebeb2aebc6fe2a7ed618c7f8c4a6ac286783163fe27c640aef4f030a

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b4083b9ebeb2aebc6fe2a7ed618c7f8c4a6ac286783163fe27c640aef4f030a.dll
Size

1.8MB
MD5

29099a66b7a3b9eb82c4dddee25bf034
SHA1

ab15d26532c6518b4483f381785de6f95ef32b0e
SHA256

7b4083b9ebeb2aebc6fe2a7ed618c7f8c4a6ac286783163fe27c640aef4f030a
SHA512

c514f2812917739e8003ffdbd67d8f1b1e4d7c59dcb12897c1c90c1c68f2f753e6f6efd3ca9a8876841dc737ab1ad4b3b9518412e3e30b6d36e7aaffed9061b1
SSDEEP

24576:K7bQtVVufETIwjshmxN2CQsQxHhrv5eGg6/LK5DbDrBQwfZac9T/L+7+4O6kt:oiTdQIN2Cc5g1R/VQwMWT/LkpO6kt

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
3032	regsvr32Srv.exe
2088	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	regsvr32.exe
3032	regsvr32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001211a-7.dat	upx
behavioral1/memory/3032-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2088-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2088-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2088-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2088-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px9FE7.tmp	regsvr32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0207EE1-AB5B-11EF-923A-F2DF7204BD4F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "438721443"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.Device\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7D0158E-B2CD-4B20-9CA3-AA0CEA47D740}\VersionIndependentProgID\ = "HebcaP11X.Device"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C884AD01-DC9C-43AF-A513-9DC650FD807A}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E8}\TypeLib\ = "{C884AD01-DC9C-43AF-A513-9DC650FD807A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4A568F-76D2-4B9E-8B53-246936E7DA79}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.CertMgr\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7D0158E-B2CD-4B20-9CA3-AA0CEA47D740}\AppID = "{74CC83D3-8081-47A9-B883-FBFD14FE783F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE745FFD-E912-4411-AD53-91B19211B667}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE745FFD-E912-4411-AD53-91B19211B667}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4A568F-76D2-4B9E-8B53-246936E7DA79}\ = "ICert"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23B7DE74-2CBD-4EC5-B43A-2FFC9A3C28FA}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C665AE5C-B6E3-491F-AAF0-67AD0F71AA3E}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C7D0158E-B2CD-4B20-9CA3-AA0CEA47D740}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.HebcaSignCtrl\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E8}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E8}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9420B871-4A90-42CB-8C38-6D88D9D63077}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23B7DE74-2CBD-4EC5-B43A-2FFC9A3C28FA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE745FFD-E912-4411-AD53-91B19211B667}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97D889EA-25C1-429A-AEEF-ED74BB53A47C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{589A3559-9151-4C8C-A476-59E07DE9A61E}\TypeLib\ = "{C884AD01-DC9C-43AF-A513-9DC650FD807A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C884AD01-DC9C-43AF-A513-9DC650FD807A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F164B94E-094A-42C6-97BF-3F3757A8F7AC}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C884AD01-DC9C-43AF-A513-9DC650FD807A}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97D889EA-25C1-429A-AEEF-ED74BB53A47C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1DE5969A-1308-4479-BEE7-9BACF7B0144B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{119DD4AC-2A08-44FD-845F-F7A191AB8F2D}\ProgID\ = "HebcaP11X.Cert.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F164B94E-094A-42C6-97BF-3F3757A8F7AC}\TypeLib\ = "{C884AD01-DC9C-43AF-A513-9DC650FD807A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1DE5969A-1308-4479-BEE7-9BACF7B0144B}\TypeLib\ = "{C884AD01-DC9C-43AF-A513-9DC650FD807A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.Util\ = "Util Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{589A3559-9151-4C8C-A476-59E07DE9A61E}\VersionIndependentProgID\ = "HebcaP11X.Util"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.CertMgr.1\CLSID\ = "{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E9}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97D889EA-25C1-429A-AEEF-ED74BB53A47C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{23B7DE74-2CBD-4EC5-B43A-2FFC9A3C28FA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.CertMgr.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.Cert.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.Cert\CurVer\ = "HebcaP11X.Cert.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E8}\TypeLib\ = "{C884AD01-DC9C-43AF-A513-9DC650FD807A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E9}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E8}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97D889EA-25C1-429A-AEEF-ED74BB53A47C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97D889EA-25C1-429A-AEEF-ED74BB53A47C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE745FFD-E912-4411-AD53-91B19211B667}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB4A568F-76D2-4B9E-8B53-246936E7DA79}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E9}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.HebcaSignCtrl.1\CLSID\ = "{AE745FFD-E912-4411-AD53-91B19211B667}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97D889EA-25C1-429A-AEEF-ED74BB53A47C}\ = "ICertMgr"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E9}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{23B7DE74-2CBD-4EC5-B43A-2FFC9A3C28FA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9420B871-4A90-42CB-8C38-6D88D9D63077}\TypeLib\ = "{C884AD01-DC9C-43AF-A513-9DC650FD807A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1DE5969A-1308-4479-BEE7-9BACF7B0144B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{589A3559-9151-4C8C-A476-59E07DE9A61E}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.Device	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE745FFD-E912-4411-AD53-91B19211B667}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7b4083b9ebeb2aebc6fe2a7ed618c7f8c4a6ac286783163fe27c640aef4f030a.dll, 204"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE745FFD-E912-4411-AD53-91B19211B667}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.Device\ = "Device Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9420B871-4A90-42CB-8C38-6D88D9D63077}\TypeLib\ = "{C884AD01-DC9C-43AF-A513-9DC650FD807A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.Pkcs7.1\CLSID\ = "{C665AE5C-B6E3-491F-AAF0-67AD0F71AA3E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HebcaP11X.CertMgr\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E9}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{589A3559-9151-4C8C-A476-59E07DE9A61E}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{59B3BFD5-6CC5-4FFA-90E8-C1E5AFCB42E9}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97D889EA-25C1-429A-AEEF-ED74BB53A47C}\TypeLib\ = "{C884AD01-DC9C-43AF-A513-9DC650FD807A}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2088	DesktopLayer.exe
2088	DesktopLayer.exe
2088	DesktopLayer.exe
2088	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1996	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1996	iexplore.exe
1996	iexplore.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2900 wrote to memory of 3008	2900	regsvr32.exe	28
PID 2900 wrote to memory of 3008	2900	regsvr32.exe	28
PID 2900 wrote to memory of 3008	2900	regsvr32.exe	28
PID 2900 wrote to memory of 3008	2900	regsvr32.exe	28
PID 2900 wrote to memory of 3008	2900	regsvr32.exe	28
PID 2900 wrote to memory of 3008	2900	regsvr32.exe	28
PID 2900 wrote to memory of 3008	2900	regsvr32.exe	28
PID 3008 wrote to memory of 3032	3008	regsvr32.exe	29
PID 3008 wrote to memory of 3032	3008	regsvr32.exe	29
PID 3008 wrote to memory of 3032	3008	regsvr32.exe	29
PID 3008 wrote to memory of 3032	3008	regsvr32.exe	29
PID 3032 wrote to memory of 2088	3032	regsvr32Srv.exe	30
PID 3032 wrote to memory of 2088	3032	regsvr32Srv.exe	30
PID 3032 wrote to memory of 2088	3032	regsvr32Srv.exe	30
PID 3032 wrote to memory of 2088	3032	regsvr32Srv.exe	30
PID 2088 wrote to memory of 1996	2088	DesktopLayer.exe	31
PID 2088 wrote to memory of 1996	2088	DesktopLayer.exe	31
PID 2088 wrote to memory of 1996	2088	DesktopLayer.exe	31
PID 2088 wrote to memory of 1996	2088	DesktopLayer.exe	31
PID 1996 wrote to memory of 2192	1996	iexplore.exe	32
PID 1996 wrote to memory of 2192	1996	iexplore.exe	32
PID 1996 wrote to memory of 2192	1996	iexplore.exe	32
PID 1996 wrote to memory of 2192	1996	iexplore.exe	32

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7b4083b9ebeb2aebc6fe2a7ed618c7f8c4a6ac286783163fe27c640aef4f030a.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2900
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\7b4083b9ebeb2aebc6fe2a7ed618c7f8c4a6ac286783163fe27c640aef4f030a.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b49011b42e036b02627bcdf52aed578

SHA1
69a4e8357ad126f1f01e7efebbd1aa3e2fdb0727

SHA256
9c804c77a76b36f1c963d4c6b37df18c8f78b8e64a7a14df300620a9a6b981df

SHA512
d015d2d991d414ce2cab492c6b496e609af5b1d541f8e083c75502b1afb439144733c58babd6e281aaa671b2cf2f2365e4d8d884f18eca97bc16b86fbeeb3432

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2db6a666153e8d111f3871ad2db2cfc

SHA1
509799757ad673faa11dc7d81a24d7decfd1e626

SHA256
a18def787b1066e29f08db13b690e7651b087b57f21381c4582562c35d1fc01a

SHA512
7a8b316bdfb7b7702f34ac57ac0f31aecde333df489eddd9f966259d0f1a1485293fad4eb8b5e3a3dd2a0310439d9bf0019858cedc1c11068c5fe0b90b0ba870

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b38c2de85e427b117716982087fbb15

SHA1
24d65ecd5d197186e528fce2d50859f7c928c758

SHA256
7d466d1800c52914edf52c9da242aff5a14b415b0f5cc97e3e8073a4a2c60fd9

SHA512
55e907f7c6875b6e1c889179900e834793bf0a9c95fb8ca9b6881b1e772b76883a025a2e7b04045dc39df89732d96ac53a28971fa554cc29bc0430aeae52a3da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
424ad224936975811f0b3a8dccfb2ee6

SHA1
485feb26cf7fcb59088074485229f78284ec1807

SHA256
07196e8697d1941f51065b8381e528b4d487a79bc7b258db221815d55a1dc7f9

SHA512
ac8fb9d90d8e9b7befc2aee7546872201ff2b8bf56d203a15b77eec69b421c9f0dfd50c80c0f7a62f438910718d3ae9a340f883f560d942e036cc3aaa61d1028

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b416453e8ce11eb02db346c265d7a7ee

SHA1
7327a9c15fbbe78953edd407500e7b40f7818cef

SHA256
de216c5f490ed853b13d8fc2b4ae86ea1f8d83969b334b2461dff8715225420a

SHA512
f1be8def31dae1a3fe6084f197ef98e276ea86419c10c34a845ca298782f43fac0ca6a0759c194bc260e1661c8414c58215c95ce64015e012831e1440a8a116a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc99e1517f989be3c07b3e8666d0dd8f

SHA1
2f47c32eba359a5bf4ab40c72cf3bf3cfced94fa

SHA256
3e444ba698b6f21a3fbd33cdb970459ad734b9cb81081cb8d0e485fe5cc64ade

SHA512
071a6b5cbb2746f2342de398acc013c93fc41b00127d5f1b7feeebd66f14b95691beb3b3650f04925cd75cb3afbb200804809f39d6d7809c67f49d88ca83cf01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d481fc804cfe74c15dda3a39407d6f4c

SHA1
323f93e6a287c0e75811c65b2dc5f44637a7f845

SHA256
627d3f049099f85bbf9125862ba9d1ae94d327db4531e949b092cd442a77f3cf

SHA512
be57742b47412ea48b4da08a150c64752adc47e3241b680acf7ddd224602aed5859e16bd0abea29d4f19f43f6ee8c3ef5b394932a3cbe78f895adc39974fe9f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ae63c924f2176279afb8caa298c3ef3

SHA1
1b999ae4d45274c7d26be57e1262ff429fb34d59

SHA256
10807baa10f70341068dbe969ecde4485c3f674e099935962e6c2cbf12f79846

SHA512
32f470154d5919eccde01b1c334cb2a30b1eac4327fc8380bfae86cb0302694062612c8f3f810a93f0f3433c5c30a2d17857c77063f52c2e24b1a1b71ec7ee08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b413953bad0ab15d0c0ac27ef6a52ab9

SHA1
5281c70059e589688d287179a88bb13bf36002d3

SHA256
914225edfcddd03416ae311b2617dcb19eee19380bb3137d3819bec671b70196

SHA512
5bf226a7ed01ed1d6bc3638e41531f145e5594f21fa8d07221fb2da53a160d2c20cac6af857c8699f35191abbaca74b4bc11b3c9b54eef41c9164c07e7adcbb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92ab346ecc7e20bc5c086f9c91fe0ea9

SHA1
ef68318700867559eb8b093844afc4b66e66701f

SHA256
538289e6a16a82250a64c2cce4ea6f784ff66dfd612889fe90f3bdfbf411f7df

SHA512
01e013b2d281e4e4547d3afdc38a6dc3f5af1855c859e04d36879935f88dc804a34f935b9ef08ffa1df366a74d9fd281aba57d0ff72a590036ae3666dc2c8eb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08358c32c5c60860533700aeed82aa4e

SHA1
a3cb65f39a62b36599216d3f1bb37e1655a9db57

SHA256
42deb9676c1207c649f044784045cffa062af46d375e421db9e23072859c6ccb

SHA512
79f85ed662b66d92f3ad1ee2dcda767a0646588f7bd69b6503c4bed98f0196184cd4fdb1970f3d857a426210386a415ef98c7b42ccd8a2fd4dcc6e6c45d06b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40fe19d3e0f912a68867efe5eb270b2c

SHA1
188c8d7490b0a6ff19a269d32d3a863506ce6b74

SHA256
9789ead2a33beaa86551fe21891051d2c70c3ea69c1fadb0eaec1be02d181027

SHA512
98a3bc06223e0770db0824faed23d1f0438af9fa6d91d5e5d9458aa771ecc733aeba09aad576985805a3f3ca4b69cad7c77fd61a08265ba4b868c136984277d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be670ee5f68264d7a56aebc6415b1976

SHA1
8f88503e2a702d04fbe15a89eb1c40d9e33f28a6

SHA256
58c3ff5aa406a9b9f178c57f726ade51d5148e3252c8b5f883d9ef8dc06cab61

SHA512
3b27e0393d4a95faec401934ab951d0dd112f54002965be8916871270a1f0f9844758b5b6020695ace3951a222048996cf97d01f11746be28ac021dd0896ac54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93ceded8463e41700c764ae91bc35da9

SHA1
05669526f6581639d7e5c5c8d8251e10252fa528

SHA256
27a3505d598de8f45f5b36425fc131a31dff1a1e2ef0eb6b1739475d159a7c49

SHA512
41fb88e7b3f1a8725f569e5617ba51034ed8c31ffcb8b0f658679920939063e5971072e63fe22947f9575b88298ae91346c02d4221edccfc140a068f35f640f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8d6dc08492d3ac67bd27f9e0784ab93

SHA1
10128990101ca67884ea54316fbde6d8cc75be23

SHA256
261e33647ea9e28c039e1188c22388c1f54266acfaa95d9c404d40dd8dfea83e

SHA512
888594f72eb3a464fbfbc82737416d4ea48574df17a9bee20afc3ed8078621855f10cffdb2108426ee5e417875639efa5d58d35d73adda8225394b815250c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC063.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC0F5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\regsvr32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2088-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2088-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2088-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2088-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2088-21-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3008-5-0x0000000000280000-0x00000000002AE000-memory.dmp

Filesize
184KB

Download
memory/3008-4-0x0000000010000000-0x00000000101D8000-memory.dmp

Filesize
1.8MB

Download
memory/3032-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3032-9-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/3032-13-0x00000000001D0000-0x00000000001FE000-memory.dmp

Filesize
184KB

Download