ramnit | db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460

Analysis

max time kernel
192s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 16:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460.dll
Size

380KB
MD5

f7e390609bcab34a1cde45f4c8415fa8
SHA1

59774582c775dd7fd2fd2b6c9b18e8432ce326d8
SHA256

db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460
SHA512

504afada85f1d6a7cbb985467ad7b44345954322b50a79a488bdc53d97a1317b69a9477fa651c09263afbb990632bc7ed27a6df64209883ba255017b6ab2780a
SSDEEP

6144:zKwFsGM5y+3kyzuJO1AmAGFxlNWCJBD4DsWR3Uqzujd3rm4eKsaJ:zlRB+3kyzuJO1AqWzujd3i4eKs6

Score

10^/10

ramnit adware banker spyware stealer trojan worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 2 IoCs

pid	Process
5036	regsvr32mgr.exe
1020	cupcfbguiukilobo.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	regsvr32mgr.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}	regsvr32.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32mgr.exe	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3748	3768	WerFault.exe	82
1776	4044	WerFault.exe	90

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5EB92546-711E-11ED-919F-7218A89707DE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{9421DD08-935F-4701-A9CA-22DF90AC4EA6} = "EPTBL"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5EB94C56-711E-11ED-919F-7218A89707DE} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ = "IToolBarEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EPTBL.DLL	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\EPTBL.DLL\AppID = "{CACC252F-95A7-4741-BBE8-FB1F18C2826F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx\CurVer\ = "EPTBL.ToolBarEx.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\TypeLib\ = "{3521DDB8-44AE-446D-921E-73EC4E00C8CF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib\ = "{3521DDB8-44AE-446D-921E-73EC4E00C8CF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CACC252F-95A7-4741-BBE8-FB1F18C2826F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx.1\ = "ToolBarEx Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\VersionIndependentProgID\ = "EPTBL.ToolBarEx"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx.1\CLSID\ = "{9421DD08-935F-4701-A9CA-22DF90AC4EA6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx\CLSID\ = "{9421DD08-935F-4701-A9CA-22DF90AC4EA6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\ProgID\ = "EPTBL.ToolBarEx.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\AppID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ = "IToolBarEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib\ = "{3521DDB8-44AE-446D-921E-73EC4E00C8CF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CACC252F-95A7-4741-BBE8-FB1F18C2826F}\ = "EPTBL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EPTBL.ToolBarEx\ = "ToolBarEx Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\ = "EPTBL 1.0 ƒ^ƒCƒv ƒ‰ƒCƒuƒ‰ƒŠ"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DB65A2B7-6133-45AC-B054-11AC9E6C9672}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\ = "Easy Photo Print"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9421DD08-935F-4701-A9CA-22DF90AC4EA6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3521DDB8-44AE-446D-921E-73EC4E00C8CF}\1.0	regsvr32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
644	Process not Found

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5036	regsvr32mgr.exe
Token: SeDebugPrivilege	5036	regsvr32mgr.exe
Token: SeSecurityPrivilege	1020	cupcfbguiukilobo.exe
Token: SeLoadDriverPrivilege	1020	cupcfbguiukilobo.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3456	iexplore.exe
1324	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3456	iexplore.exe
3456	iexplore.exe
1324	iexplore.exe
1324	iexplore.exe
5076	IEXPLORE.EXE
5076	IEXPLORE.EXE
4548	IEXPLORE.EXE
4548	IEXPLORE.EXE
4548	IEXPLORE.EXE
4548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 3112	540	regsvr32.exe	80
PID 540 wrote to memory of 3112	540	regsvr32.exe	80
PID 540 wrote to memory of 3112	540	regsvr32.exe	80
PID 3112 wrote to memory of 5036	3112	regsvr32.exe	81
PID 3112 wrote to memory of 5036	3112	regsvr32.exe	81
PID 3112 wrote to memory of 5036	3112	regsvr32.exe	81
PID 5036 wrote to memory of 3768	5036	regsvr32mgr.exe	82
PID 5036 wrote to memory of 3768	5036	regsvr32mgr.exe	82
PID 5036 wrote to memory of 3768	5036	regsvr32mgr.exe	82
PID 5036 wrote to memory of 3768	5036	regsvr32mgr.exe	82
PID 5036 wrote to memory of 3768	5036	regsvr32mgr.exe	82
PID 5036 wrote to memory of 3768	5036	regsvr32mgr.exe	82
PID 5036 wrote to memory of 3768	5036	regsvr32mgr.exe	82
PID 5036 wrote to memory of 3768	5036	regsvr32mgr.exe	82
PID 5036 wrote to memory of 3768	5036	regsvr32mgr.exe	82
PID 5036 wrote to memory of 1324	5036	regsvr32mgr.exe	88
PID 5036 wrote to memory of 1324	5036	regsvr32mgr.exe	88
PID 5036 wrote to memory of 4044	5036	regsvr32mgr.exe	90
PID 5036 wrote to memory of 4044	5036	regsvr32mgr.exe	90
PID 5036 wrote to memory of 4044	5036	regsvr32mgr.exe	90
PID 5036 wrote to memory of 4044	5036	regsvr32mgr.exe	90
PID 5036 wrote to memory of 4044	5036	regsvr32mgr.exe	90
PID 5036 wrote to memory of 4044	5036	regsvr32mgr.exe	90
PID 5036 wrote to memory of 4044	5036	regsvr32mgr.exe	90
PID 5036 wrote to memory of 4044	5036	regsvr32mgr.exe	90
PID 5036 wrote to memory of 4044	5036	regsvr32mgr.exe	90
PID 5036 wrote to memory of 3456	5036	regsvr32mgr.exe	93
PID 5036 wrote to memory of 3456	5036	regsvr32mgr.exe	93
PID 3456 wrote to memory of 4548	3456	iexplore.exe	95
PID 3456 wrote to memory of 4548	3456	iexplore.exe	95
PID 3456 wrote to memory of 4548	3456	iexplore.exe	95
PID 1324 wrote to memory of 5076	1324	iexplore.exe	96
PID 1324 wrote to memory of 5076	1324	iexplore.exe	96
PID 1324 wrote to memory of 5076	1324	iexplore.exe	96
PID 5036 wrote to memory of 1020	5036	regsvr32mgr.exe	97
PID 5036 wrote to memory of 1020	5036	regsvr32mgr.exe	97
PID 5036 wrote to memory of 1020	5036	regsvr32mgr.exe	97

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\db7bb6bfd6e8decc478d3c8473ddf276a5fa5090e6987e3c5d641a63337a2460.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\SysWOW64\regsvr32mgr.exe
    C:\Windows\SysWOW64\regsvr32mgr.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:3768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 204
        5⤵
        Program crash
        
        PID:3748
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:5076
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:4044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 204
        5⤵
        Program crash
        
        PID:1776
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3456 CREDAT:17410 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\cupcfbguiukilobo.exe
      "C:\Users\Admin\AppData\Local\Temp\cupcfbguiukilobo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3768 -ip 3768
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4044 -ip 4044
1⤵
PID:3240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5EB92546-711E-11ED-919F-7218A89707DE}.dat

Filesize
5KB

MD5
946ddb887de1253e351cbf80ff66e37c

SHA1
cd5196d036f1985c96f273c2684063738bc1f52a

SHA256
cdbb520206f852f40da90f0266bf9bc81e8d44e07193a3b17f0d7bf052b83146

SHA512
0fdc342768ca50f2e7874abe7742c69dbefc206a28208be2171581ea4c1ec1056d6bac86bac9d53b7c00e19585f3493a9656fadaf9bdfc1855c853452d92e262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5EB94C56-711E-11ED-919F-7218A89707DE}.dat

Filesize
5KB

MD5
747e9f1fcd28646930e38aa25239069f

SHA1
1b50cecd4733c772aabb44e8d93c56c744244383

SHA256
67128c9e628f789f2c30db3a4d29b9d85b111eeba0638a4a45b1ca2da05ac82e

SHA512
b9a80f32a948888f55ba993d28c23d5efee9622a6d9f60e9d7fc559b10b1d9d33ab4b43a8ffdd832a71e1b4f6ab0743a68fc6779e09f913de4936b59d51ae44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cupcfbguiukilobo.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
C:\Users\Admin\AppData\Local\Temp\cupcfbguiukilobo.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
C:\Windows\SysWOW64\regsvr32mgr.exe

Filesize
114KB

MD5
4c994b7218b80db2fe103d0f8fb92822

SHA1
587501280df187180825dd1c9b7dd93e235a84e4

SHA256
cd61bb2ee59221d4b96f4120c4eecbb280f0bc8417de703b04f30a16ddad1b7b

SHA512
e977013d3a03634bebadfa7cf9e15dc68bc9856484914aa334815e38d73a642e1ccc67c14bc79159b6b7e5dcebc2d2273a189e2168a7cc9cc4ccf9bfb5003495

Download Submit
memory/1020-146-0x0000000000400000-0x0000000000437E80-memory.dmp

Filesize
223KB

Download
memory/1020-148-0x0000000000400000-0x0000000000437E80-memory.dmp

Filesize
223KB

Download
memory/5036-138-0x0000000000400000-0x0000000000437E80-memory.dmp

Filesize
223KB

Download
memory/5036-147-0x0000000000400000-0x0000000000437E80-memory.dmp

Filesize
223KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads