ramnit | bc5e54a0f2466f878e1b0b37683db5f513a00ca5085b09167f317ae22bf138b7

Analysis

max time kernel
84s
max time network
67s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 02:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc5e54a0f2466f878e1b0b37683db5f513a00ca5085b09167f317ae22bf138b7.dll
Size

2.5MB
MD5

1a5213723f7d8e0d40d1902643498fd4
SHA1

afb43438d6999be0ac626792653f835a0f0cde0a
SHA256

bc5e54a0f2466f878e1b0b37683db5f513a00ca5085b09167f317ae22bf138b7
SHA512

34257f3f52e54a1caf9249986ff6042b702d5619b8b0dcdf5e1335a74847de44dc48e06be080f87845f825bc977ae376196ceac93ebaeb388128f4ec74c03c33
SSDEEP

49152:ZWGT8J8nXBXb7D1WkEFNPWRp0JeeI8ENn+4B5UP:XT8J4/158WRry

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Executes dropped EXE 2 IoCs

pid	Process
3036	regsvr32Srv.exe
2808	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	regsvr32.exe
3036	regsvr32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120fe-2.dat	upx
behavioral1/memory/3036-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3036-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/3036-9-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/2808-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2808-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2808-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px4D1.tmp	regsvr32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C70D7821-D9FE-11EF-9DFD-D67B43388B6B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443849243"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PDS.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer.1\CLSID\ = "{2BD745A0-384D-421F-8648-9E73113EF132}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\ProgID\ = "PDS.ProfileDataServer.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ = "IProfileDataServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib\ = "{F007BF0B-2946-40D0-8D12-83D7629C0135}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\VersionIndependentProgID\ = "PDS.ProfileDataServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib\ = "{F007BF0B-2946-40D0-8D12-83D7629C0135}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib\ = "{F007BF0B-2946-40D0-8D12-83D7629C0135}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer\CLSID\ = "{2BD745A0-384D-421F-8648-9E73113EF132}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D5FD848A-FD75-46DA-968B-EED4E5DC6098}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer.1\ = "ProfileDataServer Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\ = "ProfileDataServer Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer\CurVer\ = "PDS.ProfileDataServer.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\ = "PDS 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bc5e54a0f2466f878e1b0b37683db5f513a00ca5085b09167f317ae22bf138b7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ = "_IProfileDataServerEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{D5FD848A-FD75-46DA-968B-EED4E5DC6098}\ = "PDS"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bc5e54a0f2466f878e1b0b37683db5f513a00ca5085b09167f317ae22bf138b7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\AppID = "{D5FD848A-FD75-46DA-968B-EED4E5DC6098}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BD745A0-384D-421F-8648-9E73113EF132}\TypeLib\ = "{F007BF0B-2946-40D0-8D12-83D7629C0135}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\PDS.DLL\AppID = "{D5FD848A-FD75-46DA-968B-EED4E5DC6098}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PDS.ProfileDataServer\ = "ProfileDataServer Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\TypeLib\ = "{F007BF0B-2946-40D0-8D12-83D7629C0135}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F007BF0B-2946-40D0-8D12-83D7629C0135}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B18A93BB-DDEC-4E2A-92EC-BE8E1229A881}\ = "_IProfileDataServerEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\ = "IProfileDataServer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{679C10C0-9E84-499A-96C3-6E8216505013}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2808	DesktopLayer.exe
2808	DesktopLayer.exe
2808	DesktopLayer.exe
2808	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2852	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2852	iexplore.exe
2852	iexplore.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2384	2556	regsvr32.exe	29
PID 2556 wrote to memory of 2384	2556	regsvr32.exe	29
PID 2556 wrote to memory of 2384	2556	regsvr32.exe	29
PID 2556 wrote to memory of 2384	2556	regsvr32.exe	29
PID 2556 wrote to memory of 2384	2556	regsvr32.exe	29
PID 2556 wrote to memory of 2384	2556	regsvr32.exe	29
PID 2556 wrote to memory of 2384	2556	regsvr32.exe	29
PID 2384 wrote to memory of 3036	2384	regsvr32.exe	30
PID 2384 wrote to memory of 3036	2384	regsvr32.exe	30
PID 2384 wrote to memory of 3036	2384	regsvr32.exe	30
PID 2384 wrote to memory of 3036	2384	regsvr32.exe	30
PID 3036 wrote to memory of 2808	3036	regsvr32Srv.exe	31
PID 3036 wrote to memory of 2808	3036	regsvr32Srv.exe	31
PID 3036 wrote to memory of 2808	3036	regsvr32Srv.exe	31
PID 3036 wrote to memory of 2808	3036	regsvr32Srv.exe	31
PID 2808 wrote to memory of 2852	2808	DesktopLayer.exe	32
PID 2808 wrote to memory of 2852	2808	DesktopLayer.exe	32
PID 2808 wrote to memory of 2852	2808	DesktopLayer.exe	32
PID 2808 wrote to memory of 2852	2808	DesktopLayer.exe	32
PID 2852 wrote to memory of 2840	2852	iexplore.exe	33
PID 2852 wrote to memory of 2840	2852	iexplore.exe	33
PID 2852 wrote to memory of 2840	2852	iexplore.exe	33
PID 2852 wrote to memory of 2840	2852	iexplore.exe	33

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bc5e54a0f2466f878e1b0b37683db5f513a00ca5085b09167f317ae22bf138b7.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\bc5e54a0f2466f878e1b0b37683db5f513a00ca5085b09167f317ae22bf138b7.dll
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f367a798e7e08e2e6c7d85f29155374e

SHA1
ffe13a0cf38f4efd57ac2e480448b574533e44e6

SHA256
a49f02ce9a2cd099b072ba04c71f9c4c924cf7fa1f647915349530d91f4eebe0

SHA512
93f1d68e557cb98f69dcbd2efe2fd2887c5b068f3e224a4848ad55d80d7839221408c206451881e4cdfa909b0f9d3afa2bf01b27744d466dd46fc41a9a54ec8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ca2d04da456f599ec73c4a2069567a2

SHA1
ffeefc4ef9225efd32c7991ad877f6c806913b25

SHA256
d8841f01fce07d96a348e39236ce946a254b5ca68034ce640baf93ff53fafd54

SHA512
1b53dc5f18d268dea443e854b0079bcddd87a78c2a197cdf0d4b091e33239bb36f94da6b1a520d779d07890e2d8c1c53f0f3f10177607eef72ee1b126fd1c87f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f565ce23f9d2557ca71a5d1be4b9e00

SHA1
3122c3b248a11b06e0c07cde0488e235b85a497f

SHA256
f85ae11553a1ef1309ab4bd22f9b124d7a15135cfd87157462e86231b9d2c495

SHA512
54aadf821962d9684f1d663e1ce4b3bef545a2bd843b6b0fef33e442ca7046f03e7bae534722524ff3fd1a136a656eb55c39cf258f543bf6504aa0145b04666c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a20ae9b05d90491aa7b0e2422defbb3

SHA1
0efb7493a5233e16a184315a68bc328f7aad7a91

SHA256
38a1cd0b007a7cbab8cd4427cf31922c49620c3872b7f2717065297c5ee01805

SHA512
32798967dd4feaf700abd8721f8a2a9d174c2bc33ed8fea6f12f7adf968c3663488783995abf337f7b00c4d5f8ae3d4a75883756b879d3c4743f06b32c2e8044

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ccdbe64b80489f831ccb92a7c44ee30

SHA1
e9a9875c724e409f1b0870ed27a6bf5b195179e5

SHA256
93e03de913129d5072345a5ce3b95e099a5a92341a74c36b4fc5e22b1ebc5238

SHA512
14c5f10703f83b39aded373d4e2d935adef1951552456a442bb3574c519a6cb3e82103a91773bc2e92cfbcdaddb1bf020ff45cb182362f63c575c12f9621623d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff19ddd15fc044f2660f852550c22697

SHA1
77119f55cae4612eb704a6408a41f37217ed9674

SHA256
7fb96852094f51f8a519bad110ca9ba0c1ffd4ee595730e0ad195039a8c13b3f

SHA512
c740660dfa5f841160706e3f4854decce0e754cd35e202a0f80782745063b806d226c218fe238549e7d85cda49f03d24980907efae54baf77bf7babe779ed03e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
355cee5e9879bf8fc4c982c350822cce

SHA1
687d30020440f77226421c14eb54f84e435c86e8

SHA256
78a7cbc1301bf00b46aaf53c3696c20a98ff062be73e65c425ae9ce79a922242

SHA512
5dea235a13372ce39431eaa9599a70c8d779298d479c15c0fc6fbbdeb952b3891ab2b3b7e6e098ed680c7d71b211045324c894b44f36f86cd8fc75b5610836b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f404562bb84d49351b4dc3c70e6eeea2

SHA1
886a3c70221e6091f6de81be2b95b74a9854233d

SHA256
fa9503dc6a7aa0008d81ffdc9c34263d677b0bec7676c16c6613d3b91490fe4b

SHA512
65efdfee4fb2ab11d5e5a6d0a48584902c63b6fbaea53818e08fc4a157adac365cfbf090ed34ddb1ad495021a32d9cf114d3d9cbeea073f4587c30cc3d8945cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b41172defe68d2e1fd16b48c48c85d2

SHA1
db20bdf148df32ac08f515149301e8f6d054d80e

SHA256
bd0b626be01690684e8d7afd4a1b645ddb959df0fe047fb02c804ea8d126d914

SHA512
d208defa41990c075ebdfc5f7c6a05f551405d243e55127c366f29aec01a0c71803611884cbacb0c31ccb8e9eace9e78ebd731ecf7e149193c5dad32bbf545a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08114029ef6ec64f2d4e1b208f11a73a

SHA1
3696af75414d8f483739deb5d57291fe1964bca3

SHA256
8e534583271d9a5374207a629343a789c8b01de35c2a2590d9add7fd7cc44229

SHA512
03bf758d00e36dd54038cccc360e47471dcdc53ebe06685b96326d348cf7d2191c27b723ae59a34e821f2ab13443666bdd955a43e869c87235ecad311654a975

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bb5b2557dbc9851c5402a6bdf2e45b3

SHA1
03148af00b457e1890e2c7909536a87add214f4c

SHA256
65673eb73a548201d9587dcc8de4d19c748de5bbc51c759268b7ebb371f05689

SHA512
4ca806cdd25197142b9bccb4405cd154b4b574a14103bcbe2b9022dfd1111a2b4db10d5b666713d98850280dfa0a43c7fb887dfde9842e2035d3c8e350a9d38e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ba05fa5e3b87cf79ae796990c603233

SHA1
997dfacd13cb72c4ddb2964675637bb73a2354f1

SHA256
1d9f97085f113676b1dc662998a9c8686380b20966170ee513edb287c2a6dfe2

SHA512
74f501a05f1f1963c25952f0a8e1eac5f78576e7744f1fa9ebd93263d8e905104418a28f8058380d47e881331a0f5833dacfe979f5f25ab54babbd2e97870dbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbfb50550b7e3fdddbcf3ce42f4fb399

SHA1
7b8030bc5a1497582e4d590269de50fb3a0724e9

SHA256
25901d3d5e14d3f258c4f80dea8b3a70da1d4753552192a73c8b7f09f4b8b60d

SHA512
55c9b0ab8748db4ebeb61c175ea85af545f18d216c8a79885bcb6b084a5575eaab184b34497ea9827b9c507fdcbba787149b9163cdb1ad02af0682d9b7082199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c79e8df397c603c843ed91124b2b6cdd

SHA1
697942f62a143ef6ce23d25c231cdd07fb927e62

SHA256
e72dc1167b5bc969b2366a3d9c23aebe0a80735f66ba99de9df7aff65618bf98

SHA512
32f922c66326cd9dc301157e6c86dcc017ff18f930ad6401be2e319f3e0875db8ee6f02782b16535adf87ee3c78eb586089b763a777ce03b1aa783e9035959d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aef2221aa2b3c05d7523d7f68f4cc5c7

SHA1
d6a6281d3c9a043ef9249e540b47d452d37d86dd

SHA256
fb2a501d1ddea92abc7199b8b604ac5fe2fcf2b1b905bfd968bea09636494273

SHA512
b0ebe3666289e9c1a3311c0e401d8a939d820cf05a27b35b0588b1109fe4604be22b891350d030bcc3a4905db68201180aab9db96457710fb0eab4e8f24db4fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
598fc512710f682b6474f1b611103ca5

SHA1
7237658bb752f82808fc7bc4baf1a5cfc407bcff

SHA256
b1f2f09a2b64398fb4a600f62b426fd65e6e9e80e2f25c0fb094973d6d56f873

SHA512
11f0e73e56cedc4daa66d817f8a41961ef0fe494363f23b38f1f427a3d5e7607726f580c728b2368f817053d437ac13ee3073a6b89e2ec1105804f2fd6cc32ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
480117149fd7e8ea77e125a5551d661c

SHA1
7051ad9cf875df0046405c6e3cfef09493776bbd

SHA256
0bdfaa8bc02ceb6bd0bacab5f1f010d948f97b9d84553acc844ff32b75055a99

SHA512
0268baab8a8d7938da5e09497cd0b0de17065b8bf4ad45d58c295e43375ec33fac6b81db461cb906e8bcbe43dafc7cbe29fe443941056f3ce2ebf4815ad59344

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9591a61966ae9431fd6969ddabd32b6e

SHA1
475978aa81b488ef3522c027e7a77e046db274c5

SHA256
5ee8e1a433d5e4b8fbe41516425d34f8de9b5af789c1476e828f6296f895ba1e

SHA512
d041f8f68b3cf9883fc6ac080e84b454d4392037929bb9596bbebf306d132bb0a244de09dabbc25d5c30e663e242c6f8d754deec0156bb20ecb63f8f25fafe82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c12e0ec2ba24f06216aa049387b5cf5

SHA1
1a4af4ec06f85006d303f060ebe094233cfd035b

SHA256
eff85819f7884ba99a92b76339f33a7951800c40b746427aef451213ff2f483e

SHA512
9e97e281f11143caab61938ce6e69d13498ba45f44689c842058839ffb492aa00ceae18845a379241ee1cb6a46ae1c4471351849af06a535cf7d9c2d41895251

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1AE3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B44.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\regsvr32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2384-0-0x0000000074340000-0x00000000745C2000-memory.dmp

Filesize
2.5MB

Download
memory/2384-6-0x0000000000190000-0x00000000001BE000-memory.dmp

Filesize
184KB

Download
memory/2808-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2808-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2808-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2808-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3036-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3036-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3036-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download