ramnit | af43ca62c4a9987d2e34614f5c918ca9aeb2c0a25c61b1b587e1a3d17c19b593

Analysis

max time kernel
66s
max time network
67s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af43ca62c4a9987d2e34614f5c918ca9aeb2c0a25c61b1b587e1a3d17c19b593N.dll
Size

2.5MB
MD5

10668cd532f0e6e95e95e59b1f3461a0
SHA1

6bd12b35926c6aac1343b1573cbbab9b951f14e6
SHA256

af43ca62c4a9987d2e34614f5c918ca9aeb2c0a25c61b1b587e1a3d17c19b593
SHA512

fbdf59d18dd7a9a8b25d07727f258544b894cc8353346848d9486719792e839ec4d1b1820560a69742b3474f74aa5532fbe833c117f445bf04e2181bee9fe4a2
SSDEEP

49152:ZWGT8J8nXBXb7D1WkEFNPWRp0JeeI8ENn+4B5U:XT8J4/158WRr

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
2300	regsvr32Srv.exe
2840	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	regsvr32.exe
2300	regsvr32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2840-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x00090000000156a8-17.dat	upx
behavioral1/memory/2840-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2300-15-0x0000000000240000-0x000000000026E000-memory.dmp	upx
behavioral1/memory/2840-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2300-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px76E5.tmp	regsvr32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{623D23D1-D9EC-11EF-8318-F2DF7204BD4F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443841342"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\VersionIndependentProgID\ = "PDS.ProfileDataServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib\ = "{F007BF0B-2946-40D0-8D12-83D7629C0135}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\af43ca62c4a9987d2e34614f5c918ca9aeb2c0a25c61b1b587e1a3d17c19b593N.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\ = "PDS 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PDS.DLL\AppID = "{D5FD848A-FD75-46DA-968B-EED4E5DC6098}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer\CurVer\ = "PDS.ProfileDataServer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ = "IProfileDataServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D5FD848A-FD75-46DA-968B-EED4E5DC6098}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PDS.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D5FD848A-FD75-46DA-968B-EED4E5DC6098}\ = "PDS"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer.1\ = "ProfileDataServer Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ = "_IProfileDataServerEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\ProgID\ = "PDS.ProfileDataServer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\af43ca62c4a9987d2e34614f5c918ca9aeb2c0a25c61b1b587e1a3d17c19b593N.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\TypeLib\ = "{F007BF0B-2946-40D0-8D12-83D7629C0135}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib\ = "{F007BF0B-2946-40D0-8D12-83D7629C0135}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer\ = "ProfileDataServer Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\AppID = "{D5FD848A-FD75-46DA-968B-EED4E5DC6098}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ = "IProfileDataServer"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib\ = "{F007BF0B-2946-40D0-8D12-83D7629C0135}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer.1\CLSID\ = "{2BD745A0-384D-421F-8648-9E73113EF132}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib\ = "{F007BF0B-2946-40D0-8D12-83D7629C0135}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer\CLSID\ = "{2BD745A0-384D-421F-8648-9E73113EF132}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ = "_IProfileDataServerEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\ = "ProfileDataServer Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer.1	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2840	DesktopLayer.exe
2840	DesktopLayer.exe
2840	DesktopLayer.exe
2840	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3000	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3000	iexplore.exe
3000	iexplore.exe
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2268	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2268	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2268	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2268	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2268	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2268	2316	regsvr32.exe	30
PID 2316 wrote to memory of 2268	2316	regsvr32.exe	30
PID 2268 wrote to memory of 2300	2268	regsvr32.exe	31
PID 2268 wrote to memory of 2300	2268	regsvr32.exe	31
PID 2268 wrote to memory of 2300	2268	regsvr32.exe	31
PID 2268 wrote to memory of 2300	2268	regsvr32.exe	31
PID 2300 wrote to memory of 2840	2300	regsvr32Srv.exe	32
PID 2300 wrote to memory of 2840	2300	regsvr32Srv.exe	32
PID 2300 wrote to memory of 2840	2300	regsvr32Srv.exe	32
PID 2300 wrote to memory of 2840	2300	regsvr32Srv.exe	32
PID 2840 wrote to memory of 3000	2840	DesktopLayer.exe	33
PID 2840 wrote to memory of 3000	2840	DesktopLayer.exe	33
PID 2840 wrote to memory of 3000	2840	DesktopLayer.exe	33
PID 2840 wrote to memory of 3000	2840	DesktopLayer.exe	33
PID 3000 wrote to memory of 2888	3000	iexplore.exe	34
PID 3000 wrote to memory of 2888	3000	iexplore.exe	34
PID 3000 wrote to memory of 2888	3000	iexplore.exe	34
PID 3000 wrote to memory of 2888	3000	iexplore.exe	34

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\af43ca62c4a9987d2e34614f5c918ca9aeb2c0a25c61b1b587e1a3d17c19b593N.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\af43ca62c4a9987d2e34614f5c918ca9aeb2c0a25c61b1b587e1a3d17c19b593N.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3000
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3000 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a02d2db302d39fdedc9312091d53b00

SHA1
9dfc98cfa84211a85c6cf6772a63f62b0be99726

SHA256
24fb7c2d53bd19d7b7ce0feff38bae0a17e2c56f67380c0218ac0af5d41c11bb

SHA512
9ca870572e435e78858a513d1a726a1a475e43c92889e1529b35167fbc82decddf471aa8759770de337f9af4f80d59f49cf8d4a7091f3ef05cb2268e6a23a5f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99671273763c68f10625fb193a9109c7

SHA1
fefdc24fde250d7255f2fa6f71d78819ee5ed163

SHA256
8978ebb2532274e396ac0243fb1141d60cf9309829e134bcf5d2824b8b6e5885

SHA512
4dac009d5e038492603b1fbe0d4fa5b20d53a3c6b26691af6cf47e79b97e3416539cfa668ea13791b6193168206df8d6e0178b8f3aa37d402ff851245950d1d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed3522573e83e0cbde94234a3f473e43

SHA1
32c7b54bd434f3aa41c0675f18974d752106eca3

SHA256
ab7ffdbd19cbfcaafba86804f8f94d8f4e756a12a775eb67dc10c61468c3c5c9

SHA512
4cd371c5ac6b5b4c1847e46aecff37b7cc06188d7a569e49b0b623e8c217f2ee9fd69e6c5f3d00aae83b54dc430485d04ba900820e143b9a382dbaaaf0d0d82f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc2564c50f3205b6a4c5599c810b4f99

SHA1
0b113d722d508415e7edec4cd9c6c53fd4fe38a2

SHA256
3f851091cd890fec0b94e7cba2d8b1766fe7e42c43e827f928ac76c3f13f1824

SHA512
02b52c0aede5b65fccfa35f57ee42e3a46b6f15155a5dc649512ddfe48fa5ed8f9bb5902e345da91ad7f2a7e516cb8455f010f678e56177534d8808d2ff1a1ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e24dfcbf2c380e032217ff35853d3dae

SHA1
1c3f242e909a10bdafa62204d8c9dc30ee92be3b

SHA256
9dd7d551186953e7efd0818f74c28f429ad818b65b53ec9ee1b1859074c255eb

SHA512
bf5109ff6661f237d05adb0e92e8ba24c3b2bcb52b52c9cc22f75218168b4d57b7186e01ba192d2ac37fa10eae729d6b89bb691f41ac49879d2eef39813467ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fafabf30d6c879a1cd92544bc78eaa8

SHA1
abf22ea023f7861d2b4ddc25e1ddef1f0131017f

SHA256
0d6682ec83fe67a5c0d81b3af3fdef19182ef760d0d04280658383633cf35c6b

SHA512
aae91b5cf043c835cacad4b0cd89329802f5acc22eb9996ca916df836e000e4c7ba6ce9d0096e35ecb019551b15abd1723f67286b36f382658bcd5c3bd70b562

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
537f536ec4e26e2cf6d9d1e86d0a9c1e

SHA1
b7323bccb292eff4fceb1b181316c70cd5bf1bd5

SHA256
41e6b4388f8047755d59d1561449b4715f60a3746c9e84c5c8f9705ce1d3c0a5

SHA512
d70b4a04359c658f82868322c885bf199681791c5f30eec6c00e0fc806dc3b434af08aea52bd6701d4b033a6d071e57a45fef486866a69ad7c9c0603be06211f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34e8db4e2e8b64274302a396953d1f12

SHA1
816de7837b7c9ee0b497156d603150342ee9fdf0

SHA256
5d03620f92cecfda991fbe26e3f0a0dc0a430b1bbf30b56de481998a2df20a60

SHA512
913fc563bbc3b9268dd77856be9f6ae78c4c75895bf489e2020b1a725a0ff87002b39d37f804b5c9ccbd538ceef1fc4866e0584da78bf523de880bbe42068c7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25d6981eb9c77300d1a757bdd1a5346a

SHA1
1754990e9e69d0a724ad611cfd69b75d0c7d9565

SHA256
d7652924e7a56f6d8ccde6a5a289758616c9d357b03e94e749eebccc6da53c17

SHA512
bd5d9f022ffc2e6c5aa07979bf52324da73ab9d67d38b69cd8dc795defd1a9da73e49c69d219c1e7c825e183c66e264a0233a692e0c236cca0872908f4195b59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f493a8552ffcda234ad6cc489370c551

SHA1
dd8ea1cc9808daa315c6546f3b6f7eda10db0168

SHA256
1dfb9c0081f21d88491e2c26d6654f7bd8350559f593d54e2b536d13385add2c

SHA512
2b85cd7cc734d1a0f03be52dcf6e9726df679b537d6f48e129237feef945ead628a99e9e500d8c2f7650a3f003a90c9c7935929f83c8a5301a7c93d23e62bb39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d70ca41666c957a491286f33b8d3601

SHA1
6fe6fc9feb05a658fd7a51e9ef6f5638ada81681

SHA256
091ff2b52539c51bb99bd9e1dcbe8a300541ee5fbbfb6a50feef4fc2c1b02b12

SHA512
a43c0e3d6edf12774967d093e56fca37f0f744d89cdb3923b23d2d3e7a69b746a99ca3a0f9e84566265c58f6ffd8c3706a819c78033b24eac2261f19bb5916f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05158b4214d3306bce6db05e1d8c94fc

SHA1
9273985f6ae2c5d5004a4786febdf710e32c9697

SHA256
d479817756acac81db4f9c115f7dc0c290bbd1405eff9abe634328c50d66d3d2

SHA512
9b37d5db18cbbb43925ec9056f3445b53dae59d51c48199370c7a6bf2c2466e7a8b1c9896411be8999877d49a6094c59970f79c62aa46f31c2f8c23ef67c6b52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e32e835d0a8f2e4d7e90822f9ab01a30

SHA1
cae4173a885afa769d15ed279f63aadaece85f95

SHA256
54d11872e0ab8de20b82ab969722813df092d0d939492cbc27121bb15c343845

SHA512
acbe8ed27de980e370d6917aaa60dc4fd0c28e30b26bb3d07132c693e8f983ac7d23caf3fd5a94d81bb70e3ee4b5975daa4538a03bd0433c21b470d46eccbdc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a21733e57dd1af04573434ac1581af5

SHA1
a64bed85d4e722e16782a0f42b285f77be16025f

SHA256
43547721a3ac7d9398367e363ed801a834db01472533ac55086d80ab3622f99f

SHA512
0200b513b062c72e357d04bc6182faa5901ac7e5a9fe791f9a5c42e411d4e73d606e4d49176a0371d3f0d51ab84799ae1799e3efe0051937c171f4c3c9a5488d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
628d59876a5e926616926b772478c342

SHA1
c488b467b44f06df54b3cd2e728148ba80f4ed3b

SHA256
ec405e56566987d6ca9b5932083de9ac36cb1aacfc14ed6eda20c111c56f454a

SHA512
b6743cd64725b9dc4597040a24c6811e32b0e91fe81e47d838767a48798e05492903e2dfbe0877f7921a6e66aaf266b00a40646d3e084c3c0427f78a39cd2e7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df26e26e789a15af88ac978c7c48bb01

SHA1
0178a808d33080201aa50ebaa3306503f5e9c6bd

SHA256
9b1deab498bf3f923d2586b8f5d2af767664c3f5a72698bce4392073cde88d92

SHA512
e736202daa4a6ea3f43b40e95616ec1e8a9fd8d527ab432af0a0093b78cbc36a3d9fd4093a296d904705c33c60823b840f59402efe8303b4f7cd11957fe15ffb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bf1528d174d953a700dede644b5ddce

SHA1
5ce1330a849621614f39f0a052d9bb79dd588b7c

SHA256
9daeca78b91d6df238258396e1e8eb47bf46a9e3c3d465fde5ea77cffa911f0a

SHA512
53b1965f3a40cbca0c74d60c420015d740f54429a6fe273a344ba4bd38975c34746883b98b85ce256d782f212207f201d9c5736386d8ea58f04eefbb89954efa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcaf7fe437d331bbc6fa85f358f05380

SHA1
9fd0450536594c73f4ce001bcaa4e4afebcfed20

SHA256
1cc12c074b4a0d4c7ca9a89435a44ff05d414d6df67f8077d84bca7e08cfbf23

SHA512
3db4a2e99838cf338d3f313b8fc4bbe291d51e4fad296ce1b93ca372fb02bc092cd95a79a0ad361e2cb4144f3b93a4f2c0883a865d8a1766aab32574ee9e9947

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b7b0406a91e64b0b3bdf3cc365f47b1

SHA1
548fecdc84d83d1b5bc5a66186069e8d74659986

SHA256
a300748a21b7476f94ca7f4e5eb948538d56eeee50058ccddf88d12e54b7d7a3

SHA512
e13aa1cfc04919d0ed81106b05767dddb430b87236343e16cec26d35508098b48b2a8627ba0b1719c6e25e3b35cded8c0938cacabf19fb798fa1171c1eeed814

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8BDE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C5E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2268-5-0x0000000000160000-0x000000000018E000-memory.dmp

Filesize
184KB

Download
memory/2268-0-0x0000000074850000-0x0000000074AD2000-memory.dmp

Filesize
2.5MB

Download
memory/2300-450-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2300-15-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2300-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2840-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2840-18-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2840-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2840-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download