ramnit | b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe
Size

2.1MB
MD5

5a36f877c1754ec1b28965da122e45a2
SHA1

bef9a0e53e7dc23cbcd935edefc11e64000661ff
SHA256

b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0
SHA512

a1066c262b3534c4bf0da80b2befa8860812ca4b9df5628f1187b329847d0baa31d714284c934ae46d9ba26af8d508e56876f285b886fb0c3f14726822ddb383
SSDEEP

49152:97CHEZXbb2PHs+KEpU3coSCglR/GQeTRF:0EFv2PTKEpJo/cR/GFD

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

Logo1_.exeb1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exeb1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exeDesktopLayer.exe

pid process

1932 Logo1_.exe
1192 b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe
4000 b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exe
2124 DesktopLayer.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exe	upx
behavioral2/memory/4000-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/4000-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2124-31-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/2124-33-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Logo1_.exe

description	ioc	process
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

Processes:

Logo1_.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-IN\en-IN_female_TTS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sw-KE\View3d\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sw-KE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

Processes:

b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exeLogo1_.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe
File created	C:\Windows\Logo1_.exe	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426540752"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{167C9370-3717-11EF-8383-FA8F9E8C279D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116067"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3947980485"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3942511715"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3942511715"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116067"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116067"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

Logo1_.exeDesktopLayer.exe

pid	process
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
2124	DesktopLayer.exe
2124	DesktopLayer.exe
2124	DesktopLayer.exe
2124	DesktopLayer.exe
2124	DesktopLayer.exe
2124	DesktopLayer.exe
2124	DesktopLayer.exe
2124	DesktopLayer.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe
1932	Logo1_.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2468 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exeiexplore.exeIEXPLORE.EXE

pid process

1192 b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe
2468 iexplore.exe
2468 iexplore.exe
2656 IEXPLORE.EXE
2656 IEXPLORE.EXE
2656 IEXPLORE.EXE
2656 IEXPLORE.EXE

pid	process
2468	iexplore.exe

pid	process
1192	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe
2468	iexplore.exe
2468	iexplore.exe
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exeLogo1_.exenet.execmd.exeb1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exeb1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exeDesktopLayer.exeiexplore.exe

description	pid	process	target process
PID 2040 wrote to memory of 3324	2040	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe	cmd.exe
PID 2040 wrote to memory of 3324	2040	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe	cmd.exe
PID 2040 wrote to memory of 3324	2040	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe	cmd.exe
PID 2040 wrote to memory of 1932	2040	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe	Logo1_.exe
PID 2040 wrote to memory of 1932	2040	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe	Logo1_.exe
PID 2040 wrote to memory of 1932	2040	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe	Logo1_.exe
PID 1932 wrote to memory of 1848	1932	Logo1_.exe	net.exe
PID 1932 wrote to memory of 1848	1932	Logo1_.exe	net.exe
PID 1932 wrote to memory of 1848	1932	Logo1_.exe	net.exe
PID 1848 wrote to memory of 2844	1848	net.exe	net1.exe
PID 1848 wrote to memory of 2844	1848	net.exe	net1.exe
PID 1848 wrote to memory of 2844	1848	net.exe	net1.exe
PID 3324 wrote to memory of 1192	3324	cmd.exe	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe
PID 3324 wrote to memory of 1192	3324	cmd.exe	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe
PID 3324 wrote to memory of 1192	3324	cmd.exe	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe
PID 1192 wrote to memory of 4000	1192	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exe
PID 1192 wrote to memory of 4000	1192	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exe
PID 1192 wrote to memory of 4000	1192	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exe
PID 4000 wrote to memory of 2124	4000	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exe	DesktopLayer.exe
PID 4000 wrote to memory of 2124	4000	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exe	DesktopLayer.exe
PID 4000 wrote to memory of 2124	4000	b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exe	DesktopLayer.exe
PID 2124 wrote to memory of 2468	2124	DesktopLayer.exe	iexplore.exe
PID 2124 wrote to memory of 2468	2124	DesktopLayer.exe	iexplore.exe
PID 2468 wrote to memory of 2656	2468	iexplore.exe	IEXPLORE.EXE
PID 2468 wrote to memory of 2656	2468	iexplore.exe	IEXPLORE.EXE
PID 2468 wrote to memory of 2656	2468	iexplore.exe	IEXPLORE.EXE
PID 1932 wrote to memory of 2468	1932	Logo1_.exe	iexplore.exe
PID 1932 wrote to memory of 2468	1932	Logo1_.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe
"C:\Users\Admin\AppData\Local\Temp\b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4249.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe
"C:\Users\Admin\AppData\Local\Temp\b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exe
C:\Users\Admin\AppData\Local\Temp\b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2468

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:17410 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
3⤵
- Suspicious use of WriteProcessMemory
PID:1848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4⤵
PID:2844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
Filesize
251KB

MD5
954f16a9dd404195caa5e1d87a73d1e8

SHA1
b3ba17d5495fcdb4a067bc52297d9e7fd52dbfff

SHA256
d0bfc5e7982c574562ee3044f4a440131f58a5b58f4c753fa2455761df95d0f3

SHA512
6f31015dc95aebba22ceb5d24efbce09c99960f1c612e28a34022efc13d691faf52523caabf92136a2ca3fcbb5f294e16961f710a3c913e1fefa9e9a5585c685

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
570KB

MD5
fdc23215a5fa087b0cf07b24fef591ad

SHA1
85fff1868e28176bfb6f5dcb0877dd1ee4973cac

SHA256
7aa5e2e8f96b90ecb1b07baacfe42f91c1d3fca3eeaad49a4ef76e00a83ae934

SHA512
0227c26c335ce94a657693eddd6cce810ec15fd958c40ee7cc0034849037e235379053b06c41984ef5d14121566c5dd69f73609df004aa5bea562370a19e4462

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
4002e8b12817dfbab01588c4f44e6ee3

SHA1
cd4af5e44b05b1af7218bc8b2a002f471c480fa6

SHA256
cc39772f0b25c3383b5f2e37ff9b29bdbc27193366d8d6422a8f0b81801d6ab9

SHA512
b42ef3ac0dddb2563e6c4d5d49042d9da7a5f03718cbcc59d2025b842efd0b64fda490571459fdcfb49acc0b80f15edee68a510598fe60b0ae9151c01c615404

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
03c1ce01600fee8dc2bbbef5a86d0b3a

SHA1
89db17ceb897cae8810504ee1746211446bda2b2

SHA256
feea688ebe2b0582f20e5cba62529aaee5aaeec904c6ad0d45ca2bfc932d8c65

SHA512
53de9707a17e7eae1d01b81348a66ff6b7ea22a396265de32399a663d6ae1912e29618bee86f38405a80d5e9ac908277ef5203529f67197ecd848bb7d63f2300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\REQ5K173\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4249.bat
Filesize
722B

MD5
fdc1171ea17af4660399f130836c269b

SHA1
8cb70fc5dfd58473a56ffbcc2b43943f76b408e8

SHA256
f0650d91e10a8713c64bf8b735ef10509a474c97f68f417a6a3f3b022e812793

SHA512
b3d60904c5479bcd175bf7ee7e139336fa85b3824a53f5bb47ed81eb96295ca13074fe91e0c62525148cc29b5f6a28b6240fe713627d184c50d6b624b89b51d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0.exe.exe
Filesize
2.1MB

MD5
fcae2e2d3592ab685e2e2c3bc8d1b511

SHA1
faafbf5088e7bd31fb62533b8a2c97e885e69b76

SHA256
f797d6daac43ab372eb4e496eb04978587a1326a9d691073d68a84bf6554237c

SHA512
e8acc9b2f8dde6fe05334abac61e5cde9b8ec842c248bd8f581c8ad982fc9d31b223b2f63046737fae06656d41aceefd8f54aefd9af19503df4900fcd51023b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1ce307191b9b029301d5c896e6d8efebb8d75b4db6993a0062759b0065d88e0Srv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\Logo1_.exe
Filesize
26KB

MD5
347f4bd1e2074efd30dea13765b2612f

SHA1
f1c1e0a1611a70c92811b4a73eec8b7cb20d4e77

SHA256
7c31ecbc0c63df3632ad08a2f33602c1f00e7309929d8655c5684b1c2adff79d

SHA512
16e7e29bb3e24d030e7eb9cd4aaa077165ecc14f2179630ccbf1a6d51a829d3d0c8ce4f5628cfd402c4d5b16e85c145274ccc1bd9d9ff01b6af686483b02aa3d

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2447855248-390457009-3660902674-1000\_desktop.ini
Filesize
9B

MD5
4b66be111b497cdd28c15afccbbd2620

SHA1
43ffb36014883f201e76464ded7ec69f2973d43b

SHA256
483e991549f8cb58e18e7a79a14cf6065e121f897e73b6f4edff227432a733dc

SHA512
32fddfbca04f67fdb0e865862e6f29b06cd079ddba416d801ceedcba8ed88b8dda77663fc8bd5bdd0224f722cd337c9d58edfc2e97e4fab73fa56f6f6198bb21

Download Submit
memory/1192-40-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1192-38-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1192-23-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1192-41-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1932-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-1105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-5267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-4828-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-1272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-33-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2124-34-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2124-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4000-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4000-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4000-24-0x0000000000550000-0x000000000055F000-memory.dmp

Filesize
60KB

Download