ramnit | 1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe
Size

938KB
MD5

4e4010befd36c75466ee97219d47b261
SHA1

9dc92bcdf210ba38ad6c6a84f3993043f2fc983c
SHA256

1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594
SHA512

7453ef520a0af5e51975d063daf5b65e8d7c8432b36aeca5d5380ad8345741bbf42291b0c5d3a4b17cf9b416b246691bfada5fb3a6840b1a78187c3bff3455cf
SSDEEP

12288:47+G+rcR2BWcjL1JLs4Y6CRdz69HiJENgz5QDA6dVxawwMScxn/32XOG1T:47dRK85ro5RVxRScBf2XO0

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

Logo1_.exe1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exeDesktopLayer.exe

pid process

436 Logo1_.exe
4524 1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe
924 1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exe
4604 DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exe	upx
behavioral2/memory/924-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4604-31-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/924-29-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4604-33-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\legal\jdk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Deleted\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

Logo1_.exe1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe

description	ioc	process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe
File created	C:\Windows\Logo1_.exe	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1399481090"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1410262746"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426537492"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7F033A80-370F-11EF-9D11-424A43B6706F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116060"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116060"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116060"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1399481090"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Logo1_.exeDesktopLayer.exe

pid	process
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
4604	DesktopLayer.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe
436	Logo1_.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3796 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3796 iexplore.exe
3796 iexplore.exe
1412 IEXPLORE.EXE
1412 IEXPLORE.EXE
1412 IEXPLORE.EXE
1412 IEXPLORE.EXE

pid	process
3796	iexplore.exe

pid	process
3796	iexplore.exe
3796	iexplore.exe
1412	IEXPLORE.EXE
1412	IEXPLORE.EXE
1412	IEXPLORE.EXE
1412	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exeLogo1_.exenet.execmd.exe1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 1232 wrote to memory of 1824	1232	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe	cmd.exe
PID 1232 wrote to memory of 1824	1232	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe	cmd.exe
PID 1232 wrote to memory of 1824	1232	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe	cmd.exe
PID 1232 wrote to memory of 436	1232	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe	Logo1_.exe
PID 1232 wrote to memory of 436	1232	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe	Logo1_.exe
PID 1232 wrote to memory of 436	1232	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe	Logo1_.exe
PID 436 wrote to memory of 4328	436	Logo1_.exe	net.exe
PID 436 wrote to memory of 4328	436	Logo1_.exe	net.exe
PID 436 wrote to memory of 4328	436	Logo1_.exe	net.exe
PID 4328 wrote to memory of 2180	4328	net.exe	net1.exe
PID 4328 wrote to memory of 2180	4328	net.exe	net1.exe
PID 4328 wrote to memory of 2180	4328	net.exe	net1.exe
PID 1824 wrote to memory of 4524	1824	cmd.exe	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe
PID 1824 wrote to memory of 4524	1824	cmd.exe	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe
PID 1824 wrote to memory of 4524	1824	cmd.exe	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe
PID 4524 wrote to memory of 924	4524	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exe
PID 4524 wrote to memory of 924	4524	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exe
PID 4524 wrote to memory of 924	4524	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exe
PID 924 wrote to memory of 4604	924	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exe	DesktopLayer.exe
PID 924 wrote to memory of 4604	924	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exe	DesktopLayer.exe
PID 924 wrote to memory of 4604	924	1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exe	DesktopLayer.exe
PID 4604 wrote to memory of 3796	4604	DesktopLayer.exe	iexplore.exe
PID 4604 wrote to memory of 3796	4604	DesktopLayer.exe	iexplore.exe
PID 3796 wrote to memory of 1412	3796	iexplore.exe	IEXPLORE.EXE
PID 3796 wrote to memory of 1412	3796	iexplore.exe	IEXPLORE.EXE
PID 3796 wrote to memory of 1412	3796	iexplore.exe	IEXPLORE.EXE
PID 436 wrote to memory of 3796	436	Logo1_.exe	iexplore.exe
PID 436 wrote to memory of 3796	436	Logo1_.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe
"C:\Users\Admin\AppData\Local\Temp\1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3A69.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe
"C:\Users\Admin\AppData\Local\Temp\1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4524

C:\Users\Admin\AppData\Local\Temp\1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exe
C:\Users\Admin\AppData\Local\Temp\1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3796

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3796 CREDAT:17410 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1412

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2180

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
f5247d45580bc4137b32f751f887f3f4

SHA1
3b8b82943eefd9603d3d57cb1e9f77eb10bbf80b

SHA256
61091ef66c02b73d45c58c86aa58f67e2d1ce65536f0f16c8367b3444363a090

SHA512
5c8177a1359aa4de8695a99a3f916250ab7c6f5c0aa2ad8beb157d4ff58276380514a8b16dab42c04a203333a90d3e90dda9785faae9dff701eb0bd8fffaa439

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
570KB

MD5
58846d11d9ec8771c972b4f129bbdb3d

SHA1
707fe69ae92389e8506732fb6d4175adc9c80d63

SHA256
ca26faff531f35625e01c59a0eb72e5a24861d9c2ae60e5e192ff032b29f13fe

SHA512
1caaf1cb66373c5db0a3a056161228231b7ac2095c3a4c899fdd3907a4f0a7809c2def80136ef1c1d91a34398387f7c3423859123de2f2db93b5991963a1d858

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QQACG5HD\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3A69.bat
Filesize
722B

MD5
fb9267c8b2d8eb73f12606d447081615

SHA1
da0ae23d61ae4221f98efc58ee1a55a90801f90a

SHA256
3c9def8dccc06dcf32ad6896f501ce30b87d2f95670f8adb2287b59c38d449e6

SHA512
537e1c53c3351e59db4f6f735e5b31d53230baca831cd39c516641a40562eb6930aff2d136f8f771b7121f34b1a182643ca9a2353f12e0a9d14ee6454635fe64

Download Submit
C:\Users\Admin\AppData\Local\Temp\1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594.exe.exe
Filesize
912KB

MD5
0e1effe0649461a726e982331b7610fb

SHA1
ed6b696cb612b63023e0be47d3152947f405131a

SHA256
922470b85ceb399574cb39b46ccbc29d9411b0295737dc33ff7696276d945f89

SHA512
945c35a8f7aa11e4868e0e6b604ea85c180f44628e3f86bcfe98837f88dfb1542632acb1beeeb8e6a922b798acc7263cc93a518671706c9f69b8439b432d3b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\1204fcc6df6642257959c441fdfd562907b7135ebfe3dfaa8441e8f372376594Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
d4a56b92f2e1da019853a277e11da2cb

SHA1
be894cfdf5bc6ea23803f7419a2f8084edd0857a

SHA256
f955150f9007ef96564fb2be164758007f615ba64a05ebc3a30f5cffdab6c6f3

SHA512
223edbeca71aaab78410175fa216815fbb79d686cd49e1e76f8feb3d248a5b0e18cd951cf41f55a9fb21773bd887c699bcee5d13dee14a104ace95bde801254d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-200405930-3877336739-3533750831-1000\_desktop.ini
Filesize
9B

MD5
4b66be111b497cdd28c15afccbbd2620

SHA1
43ffb36014883f201e76464ded7ec69f2973d43b

SHA256
483e991549f8cb58e18e7a79a14cf6065e121f897e73b6f4edff227432a733dc

SHA512
32fddfbca04f67fdb0e865862e6f29b06cd079ddba416d801ceedcba8ed88b8dda77663fc8bd5bdd0224f722cd337c9d58edfc2e97e4fab73fa56f6f6198bb21

Download Submit
memory/436-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-5447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-5006-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-1408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-1275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-621-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/436-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/924-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/924-29-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1232-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4524-18-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4524-36-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/4524-30-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/4604-32-0x0000000000480000-0x000000000048F000-memory.dmp

Filesize
60KB

Download
memory/4604-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4604-33-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4604-28-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download