ramnit | b3965f9c52f577c729450631b121f1dc46e769c62f7128ce4f02e5300ca97302

Analysis

max time kernel
168s
max time network
185s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe
Size

24.5MB
MD5

9b126668d3c443dbfc589ec422d0f4e8
SHA1

619beab9224f99d4ebf1d8a74f8595de7ec439c0
SHA256

b3965f9c52f577c729450631b121f1dc46e769c62f7128ce4f02e5300ca97302
SHA512

94b7d0874b69e68b6ff108df497385ec9892689dfab5dcb3a441857f33d9ed181d9b73f983eb1755755d2195e57a49053a58219dfe2f5fc1237a81acfddc3c2e
SSDEEP

393216:DkmiCKFdu9ORaVNQncGiOTxowhmVytML5kGufmgoe7lHkWdyn:9yKjkTOq+3n

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Detects any file with a triage score of 10 7 IoCs

This file has been assigned a triage score of 10, indicating a high likelihood of malicious behavior.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ADEC.tmp\QtCore4.dll	triage_score_10
\Users\Admin\AppData\Local\Temp\ADEC.tmp\QtCore4.dll	triage_score_10
behavioral1/memory/1440-87-0x0000000000400000-0x0000000001C90000-memory.dmp	triage_score_10
behavioral1/memory/1492-131-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10
behavioral1/memory/1492-143-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10
behavioral1/memory/1492-157-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10
behavioral1/memory/1492-635-0x000000006A1C0000-0x000000006A336000-memory.dmp	triage_score_10

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exeUpdateWizard.exe

pid process

2044 202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
1492 UpdateWizard.exe

Loads dropped DLL 12 IoCs

Processes:

202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exeUpdateWizard.exe

pid	process
1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe
1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe
2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe
1492	UpdateWizard.exe
1492	UpdateWizard.exe
1492	UpdateWizard.exe
1492	UpdateWizard.exe
1492	UpdateWizard.exe
1492	UpdateWizard.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	upx
C:\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	upx
\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	upx
C:\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	upx
C:\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	upx
\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	upx
\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	upx
\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	upx
behavioral1/memory/2044-108-0x0000000000400000-0x0000000000465000-memory.dmp	upx
behavioral1/memory/2044-126-0x0000000000400000-0x0000000000465000-memory.dmp	upx

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B04152D1-EC96-11ED-B4C4-F2A4F945A9C1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "390201783"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0412BC1-EC96-11ED-B4C4-F2A4F945A9C1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe

pid	process
2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe

description pid process

Token: SeDebugPrivilege 2044 202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

592 iexplore.exe
584 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe

pid	process
592	iexplore.exe
584	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe
592	iexplore.exe
592	iexplore.exe
584	iexplore.exe
584	iexplore.exe
540	IEXPLORE.EXE
2012	IEXPLORE.EXE
540	IEXPLORE.EXE
2012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1440 wrote to memory of 2044	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
PID 1440 wrote to memory of 2044	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
PID 1440 wrote to memory of 2044	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
PID 1440 wrote to memory of 2044	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
PID 1440 wrote to memory of 2044	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
PID 1440 wrote to memory of 2044	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
PID 1440 wrote to memory of 2044	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
PID 2044 wrote to memory of 584	2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	iexplore.exe
PID 2044 wrote to memory of 584	2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	iexplore.exe
PID 2044 wrote to memory of 584	2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	iexplore.exe
PID 2044 wrote to memory of 584	2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	iexplore.exe
PID 2044 wrote to memory of 592	2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	iexplore.exe
PID 2044 wrote to memory of 592	2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	iexplore.exe
PID 2044 wrote to memory of 592	2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	iexplore.exe
PID 2044 wrote to memory of 592	2044	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe	iexplore.exe
PID 1440 wrote to memory of 1492	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	UpdateWizard.exe
PID 1440 wrote to memory of 1492	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	UpdateWizard.exe
PID 1440 wrote to memory of 1492	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	UpdateWizard.exe
PID 1440 wrote to memory of 1492	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	UpdateWizard.exe
PID 1440 wrote to memory of 1492	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	UpdateWizard.exe
PID 1440 wrote to memory of 1492	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	UpdateWizard.exe
PID 1440 wrote to memory of 1492	1440	202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe	UpdateWizard.exe
PID 584 wrote to memory of 540	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 540	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 540	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 540	584	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2012	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2012	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2012	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2012	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2012	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2012	592	iexplore.exe	IEXPLORE.EXE
PID 592 wrote to memory of 2012	592	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 540	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 540	584	iexplore.exe	IEXPLORE.EXE
PID 584 wrote to memory of 540	584	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe
"C:\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
C:\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:584

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:592

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Users\Admin\AppData\Local\Temp\ADEC.tmp\UpdateWizard.exe
"C:\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnit.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
21081a9b974fe22f95817584125fb41b

SHA1
edd8dc8d7b59658592a4cc6c291c39c812e89c60

SHA256
1f605ef9294b79d1c4e732187b2beabc9d26c27f57cefec82da04e1a1f5ebea2

SHA512
ba080a6987356ba121fe1e78059aada20f1ad081f1736b68a53e52cab59c050c97e93cfd558b298cdd5689c9410bef07bd7bd3a6a7299346ebfea66e510bf8b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B0412BC1-EC96-11ED-B4C4-F2A4F945A9C1}.dat
Filesize
3KB

MD5
968ac0ec71e5dc45b93bf240b68661fd

SHA1
e440b95656045465f470f8a91fc37dbe56eb3022

SHA256
0a7ef5ce6c3cc83519d98c4b7063ff0aabf65ba5a268c9812cbb0039bf19ad48

SHA512
2254a7b43e65a8c36906ec72fb6ffbfcafa397647bc2da9ca8ab0fba8c2c11d75c3cececf7b417999007b488b8261bc80e402e7bd0ee9976c5de95a8fd7e8417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B04152D1-EC96-11ED-B4C4-F2A4F945A9C1}.dat
Filesize
3KB

MD5
72e88ec5290c00dc2f8df1bf697a3dfd

SHA1
3bb598671aecde5976a7fa3a369c7beba3f2bca6

SHA256
71f9d0654d21f7cd1462ee24da23db1a60fa907e26a2859d203d0bab46f6992e

SHA512
531206725ee08c96aa14f77e9b8a3d1f0fbc7577fe6bd11a3148a1a9dd842fdda67218fd8d1c11199a8ea562e1d16ea73b91b179d5dc785c58e4a6eb7632c438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
Filesize
136KB

MD5
4645cb9a7fc2388c4d28e8b2db21d343

SHA1
964518b803a9f92266c011e8a730c09523b811ba

SHA256
3270363a660e42e608df2cfffb69f9129f2738f82e72a17ba0907be7e409cf8c

SHA512
f86ccae6c2db335633bf4023ae9533b8a6bfcfe3788f9ccfca2645df4f830e3a1957dfb759266db007dc8382b76011331dd75169db274bb93159aae03c699bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
Filesize
136KB

MD5
4645cb9a7fc2388c4d28e8b2db21d343

SHA1
964518b803a9f92266c011e8a730c09523b811ba

SHA256
3270363a660e42e608df2cfffb69f9129f2738f82e72a17ba0907be7e409cf8c

SHA512
f86ccae6c2db335633bf4023ae9533b8a6bfcfe3788f9ccfca2645df4f830e3a1957dfb759266db007dc8382b76011331dd75169db274bb93159aae03c699bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
Filesize
136KB

MD5
4645cb9a7fc2388c4d28e8b2db21d343

SHA1
964518b803a9f92266c011e8a730c09523b811ba

SHA256
3270363a660e42e608df2cfffb69f9129f2738f82e72a17ba0907be7e409cf8c

SHA512
f86ccae6c2db335633bf4023ae9533b8a6bfcfe3788f9ccfca2645df4f830e3a1957dfb759266db007dc8382b76011331dd75169db274bb93159aae03c699bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADEC.tmp\QtCore4.dll
Filesize
1.4MB

MD5
8326988db23abf07186e538f16376ae9

SHA1
72c6d89921a9c4ae5054e78147928e6c58294bf6

SHA256
9ec0090edd157562c1478f9ade93bb4c03bb3beb2c8a3c84a981ebcb80b5e451

SHA512
a083d90b40360f9118f45736855a7c0b6586242857c2f1eafc54627edec0bbdb8142493bff9bf74f27dbd361b6656f155b6d145fa7cd88a2aec111387e79be29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADEC.tmp\QtGui4.dll
Filesize
5.2MB

MD5
29be5d4eb2da45c049eb42d7d6da9236

SHA1
3fe635bb4d125b722eac276b78e804b238d29ca3

SHA256
1581ac53aaca8ffd5b3c748dcb5d1ee0d1020ba41196bc3cb371f29b370a9662

SHA512
6da64b8ca3f209a5cf5ef39c35149415ca838bd74092fd4b44c351c309399e62567794d3f8b93775c86759454fa7c85729bb1ef2cc2ed58645e980dc8dc4bc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADEC.tmp\UpdateWizard.exe
Filesize
17.4MB

MD5
19b2bb7cefd1460224f5ca14f6d910d6

SHA1
8aa8e2ff17d36fd4d903caf939a38bdd034237e1

SHA256
86ce1b2b0c1e53631cd2206678a6fcf8ebb2996f02cc7d4bc4ea74b4a3a145eb

SHA512
714d2542db5a45588768ebbb5ed41b0a8f045551ec9eb1fd92cb81386e02b77197bc677620b364f6864bc38ff4811420632e607bd6ae95767ee6f96b87c278e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADEC.tmp\UpdateWizard.exe
Filesize
17.4MB

MD5
19b2bb7cefd1460224f5ca14f6d910d6

SHA1
8aa8e2ff17d36fd4d903caf939a38bdd034237e1

SHA256
86ce1b2b0c1e53631cd2206678a6fcf8ebb2996f02cc7d4bc4ea74b4a3a145eb

SHA512
714d2542db5a45588768ebbb5ed41b0a8f045551ec9eb1fd92cb81386e02b77197bc677620b364f6864bc38ff4811420632e607bd6ae95767ee6f96b87c278e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADEC.tmp\mingwm10.dll
Filesize
15KB

MD5
04d9ee3ee2ab1a2a5ae9bf91b595a80d

SHA1
55eaa1118d15831b868372c1ae15327dc0773208

SHA256
0acf47d1b635c13308ffecca1c39acd2a3c0338a575e3dab97e97ee1f17df277

SHA512
d41ae647e6ba28d0b9334fc27729a12cce76be5190344f070a16a4194e074cd14902037dd84f4dd2df65e7900373b458ff9f4f2a4a38b6c4a9fc154dc93c96e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCAB2.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCC40.tmp
Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SIKZ3AK3.txt
Filesize
604B

MD5
2e7bc99e51832a361a4e3a906ff5c879

SHA1
ee282c97ed498ac52acca497cf4a0ed2b7609ca5

SHA256
7cb903e8cfa2fee56805eb6e12fede29017415f66cbc66f1bbf79321a394f16d

SHA512
74f139974c6df12c3d35a162b7a8cd6566a9e42fdb6b6bc99a488b89a4850623db696e655e610c31acd303cbd806cac34141922a9077229265815e4963489f2a

Download Submit
\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
Filesize
136KB

MD5
4645cb9a7fc2388c4d28e8b2db21d343

SHA1
964518b803a9f92266c011e8a730c09523b811ba

SHA256
3270363a660e42e608df2cfffb69f9129f2738f82e72a17ba0907be7e409cf8c

SHA512
f86ccae6c2db335633bf4023ae9533b8a6bfcfe3788f9ccfca2645df4f830e3a1957dfb759266db007dc8382b76011331dd75169db274bb93159aae03c699bc4

Download Submit
\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
Filesize
136KB

MD5
4645cb9a7fc2388c4d28e8b2db21d343

SHA1
964518b803a9f92266c011e8a730c09523b811ba

SHA256
3270363a660e42e608df2cfffb69f9129f2738f82e72a17ba0907be7e409cf8c

SHA512
f86ccae6c2db335633bf4023ae9533b8a6bfcfe3788f9ccfca2645df4f830e3a1957dfb759266db007dc8382b76011331dd75169db274bb93159aae03c699bc4

Download Submit
\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
Filesize
136KB

MD5
4645cb9a7fc2388c4d28e8b2db21d343

SHA1
964518b803a9f92266c011e8a730c09523b811ba

SHA256
3270363a660e42e608df2cfffb69f9129f2738f82e72a17ba0907be7e409cf8c

SHA512
f86ccae6c2db335633bf4023ae9533b8a6bfcfe3788f9ccfca2645df4f830e3a1957dfb759266db007dc8382b76011331dd75169db274bb93159aae03c699bc4

Download Submit
\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
Filesize
136KB

MD5
4645cb9a7fc2388c4d28e8b2db21d343

SHA1
964518b803a9f92266c011e8a730c09523b811ba

SHA256
3270363a660e42e608df2cfffb69f9129f2738f82e72a17ba0907be7e409cf8c

SHA512
f86ccae6c2db335633bf4023ae9533b8a6bfcfe3788f9ccfca2645df4f830e3a1957dfb759266db007dc8382b76011331dd75169db274bb93159aae03c699bc4

Download Submit
\Users\Admin\AppData\Local\Temp\202304299b126668d3c443dbfc589ec422d0f4e8icedidmirairamnitmgr.exe
Filesize
136KB

MD5
4645cb9a7fc2388c4d28e8b2db21d343

SHA1
964518b803a9f92266c011e8a730c09523b811ba

SHA256
3270363a660e42e608df2cfffb69f9129f2738f82e72a17ba0907be7e409cf8c

SHA512
f86ccae6c2db335633bf4023ae9533b8a6bfcfe3788f9ccfca2645df4f830e3a1957dfb759266db007dc8382b76011331dd75169db274bb93159aae03c699bc4

Download Submit
\Users\Admin\AppData\Local\Temp\ADEC.tmp\QtCore4.dll
Filesize
1.4MB

MD5
8326988db23abf07186e538f16376ae9

SHA1
72c6d89921a9c4ae5054e78147928e6c58294bf6

SHA256
9ec0090edd157562c1478f9ade93bb4c03bb3beb2c8a3c84a981ebcb80b5e451

SHA512
a083d90b40360f9118f45736855a7c0b6586242857c2f1eafc54627edec0bbdb8142493bff9bf74f27dbd361b6656f155b6d145fa7cd88a2aec111387e79be29

Download Submit
\Users\Admin\AppData\Local\Temp\ADEC.tmp\QtGui4.dll
Filesize
5.2MB

MD5
29be5d4eb2da45c049eb42d7d6da9236

SHA1
3fe635bb4d125b722eac276b78e804b238d29ca3

SHA256
1581ac53aaca8ffd5b3c748dcb5d1ee0d1020ba41196bc3cb371f29b370a9662

SHA512
6da64b8ca3f209a5cf5ef39c35149415ca838bd74092fd4b44c351c309399e62567794d3f8b93775c86759454fa7c85729bb1ef2cc2ed58645e980dc8dc4bc01

Download Submit
\Users\Admin\AppData\Local\Temp\ADEC.tmp\UpdateWizard.exe
Filesize
17.4MB

MD5
19b2bb7cefd1460224f5ca14f6d910d6

SHA1
8aa8e2ff17d36fd4d903caf939a38bdd034237e1

SHA256
86ce1b2b0c1e53631cd2206678a6fcf8ebb2996f02cc7d4bc4ea74b4a3a145eb

SHA512
714d2542db5a45588768ebbb5ed41b0a8f045551ec9eb1fd92cb81386e02b77197bc677620b364f6864bc38ff4811420632e607bd6ae95767ee6f96b87c278e7

Download Submit
\Users\Admin\AppData\Local\Temp\ADEC.tmp\UpdateWizard.exe
Filesize
17.4MB

MD5
19b2bb7cefd1460224f5ca14f6d910d6

SHA1
8aa8e2ff17d36fd4d903caf939a38bdd034237e1

SHA256
86ce1b2b0c1e53631cd2206678a6fcf8ebb2996f02cc7d4bc4ea74b4a3a145eb

SHA512
714d2542db5a45588768ebbb5ed41b0a8f045551ec9eb1fd92cb81386e02b77197bc677620b364f6864bc38ff4811420632e607bd6ae95767ee6f96b87c278e7

Download Submit
\Users\Admin\AppData\Local\Temp\ADEC.tmp\UpdateWizard.exe
Filesize
17.4MB

MD5
19b2bb7cefd1460224f5ca14f6d910d6

SHA1
8aa8e2ff17d36fd4d903caf939a38bdd034237e1

SHA256
86ce1b2b0c1e53631cd2206678a6fcf8ebb2996f02cc7d4bc4ea74b4a3a145eb

SHA512
714d2542db5a45588768ebbb5ed41b0a8f045551ec9eb1fd92cb81386e02b77197bc677620b364f6864bc38ff4811420632e607bd6ae95767ee6f96b87c278e7

Download Submit
\Users\Admin\AppData\Local\Temp\ADEC.tmp\UpdateWizard.exe
Filesize
17.4MB

MD5
19b2bb7cefd1460224f5ca14f6d910d6

SHA1
8aa8e2ff17d36fd4d903caf939a38bdd034237e1

SHA256
86ce1b2b0c1e53631cd2206678a6fcf8ebb2996f02cc7d4bc4ea74b4a3a145eb

SHA512
714d2542db5a45588768ebbb5ed41b0a8f045551ec9eb1fd92cb81386e02b77197bc677620b364f6864bc38ff4811420632e607bd6ae95767ee6f96b87c278e7

Download Submit
\Users\Admin\AppData\Local\Temp\ADEC.tmp\mingwm10.dll
Filesize
15KB

MD5
04d9ee3ee2ab1a2a5ae9bf91b595a80d

SHA1
55eaa1118d15831b868372c1ae15327dc0773208

SHA256
0acf47d1b635c13308ffecca1c39acd2a3c0338a575e3dab97e97ee1f17df277

SHA512
d41ae647e6ba28d0b9334fc27729a12cce76be5190344f070a16a4194e074cd14902037dd84f4dd2df65e7900373b458ff9f4f2a4a38b6c4a9fc154dc93c96e5

Download Submit
memory/1440-87-0x0000000000400000-0x0000000001C90000-memory.dmp

Filesize
24.6MB

Download
memory/1440-107-0x0000000000360000-0x00000000003C5000-memory.dmp

Filesize
404KB

Download
memory/1440-88-0x00000000023D0000-0x0000000003C60000-memory.dmp

Filesize
24.6MB

Download
memory/1440-90-0x00000000023D0000-0x0000000003C60000-memory.dmp

Filesize
24.6MB

Download
memory/1440-105-0x00000000023D0000-0x0000000003C60000-memory.dmp

Filesize
24.6MB

Download
memory/1492-130-0x000000006FBC0000-0x000000006FBC8000-memory.dmp

Filesize
32KB

Download
memory/1492-131-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1492-143-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1492-635-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1492-128-0x0000000000400000-0x0000000001561000-memory.dmp

Filesize
17.4MB

Download
memory/1492-150-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/1492-157-0x000000006A1C0000-0x000000006A336000-memory.dmp

Filesize
1.5MB

Download
memory/1492-132-0x0000000067700000-0x0000000067C33000-memory.dmp

Filesize
5.2MB

Download
memory/2044-129-0x0000000000230000-0x000000000023D000-memory.dmp

Filesize
52KB

Download
memory/2044-108-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2044-126-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2044-113-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2044-67-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2044-66-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download