ramnit | 01e674c96e195bfce6d2fd3628fddb61115bce0ce4d7b3a7090e00aef181b50e

General

Target

01e674c96e195bfce6d2fd3628fddb61115bce0ce4d7b3a7090e00aef181b50e.dll
Size

2.9MB
MD5

916e2ab3eb51a6c691ba4017d60aaefd
SHA1

a783b4f6ba3ade9a8bbc5b2e8dc102b1b4ca6e60
SHA256

01e674c96e195bfce6d2fd3628fddb61115bce0ce4d7b3a7090e00aef181b50e
SHA512

5674c2a57b44952364b9998c573c2ef7ec1a4605f8b5dce0ec7b466dc9ac5df6f00b76dad64b5da2793cc957a1c8b00597ad3ece4e3b237d668eaf6d090063cb
SSDEEP

49152:+mlr6FEE1gtUoQAir5BBpJ11brhkUFc78IRT10QK+:+mlr6FEE1gtHcpJ5Fc7ft

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 1 IoCs

Processes:

rundll32mgr.exe

pid process

4588 rundll32mgr.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4588-7-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4588-8-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4588-10-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4588-12-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4588-15-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4588-14-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4588-13-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4588-11-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

rundll32.exe

description ioc process

File created C:\Windows\SysWOW64\rundll32mgr.exe rundll32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\rundll32mgr.exe	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000564c4230505b854f9a1b15ebe45a6a00000000000200000000001066000000010000200000000afff2e2b18dffcecb0c5728560365a3d5ce01f3619078c5d434d37ec76ec99a000000000e8000000002000020000000f1aa9c72a6d70d3edf521f46dfd850a05195fd6af5019524cdb6bcb71844f156100000006a35d2dfbc8145d1462eb3cbd4ef56fa4000000028a677ba672a4dd0fb3ee15f7222e3fb70b9fc74d1df9a506b27c66d74307a9eab23d4bd547eba7dddb644e0e9bba2348667a6449bafcb615433cf808efecccb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31074023"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000564c4230505b854f9a1b15ebe45a6a0000000000020000000000106600000001000020000000b04d24ebed671acd28fe8feeb6e54e969d2e994252a46b282178cb90b7d7fd10000000000e80000000020000200000002db5cb1eadbd72727893997b7e205b8c9fa8cf3c82587b7ef72e07674e9f6a981000000009cd2e7f90111ae433bff430e5b7fb3640000000b101a9ef73b67ba14b8cda82a4486af4cddc9c5cf8815526bafe62c9c6ae2a7f0ca32c73bb8707ce3254a558b30c81c047aa4bb5d0caeaa77f9b2793d38e527a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1358266223"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31074023"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 444afb099a21da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31074023"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\User Preferences	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000564c4230505b854f9a1b15ebe45a6a000000000002000000000010660000000100002000000030024657c71ef939e843c4455f6702025c20942e855831b93e7e53abf5a855f1000000000e8000000002000020000000c5c535575902bdae9d3c315332f50c74dfaac4c152a042078831672322533eda50000000a72ab8b36150c2da9f737271c58bd7c3ae98ae56617c199a4dddc5226372c82a180c234a1c6d460b20e9161472f7ce49a19b0e4f7cd3a73bec95b5d3929b52b739903f1214f750a8e29dd37bfb3c9f67400000003077bb8ca7f9d27c99dbb6cf0713d772492e72f0e36034e7febb6e0c6baf6e5c09e06fb00d5fd5a3fe73517d78990c06ebc8e93ccbfa4d1b56e24af02a2eda77	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000564c4230505b854f9a1b15ebe45a6a00000000000200000000001066000000010000200000008e0dae526665167a2553261e7db88547099a20cfd1242dbd1ca76a88c1d51fa4000000000e80000000020000200000004e93effb7b63e43b2b026310df035a80f47414fea32bdc0147ae3fdf15f3ee2250000000ffb56510ac8a4e2c5bf068bc7aec426b47ac693fdd9903e847761f48355f02b60ac7c2bf0adf37117fc65f5ed4ce3e8499a89f7ab846722360e57ba4b68af6bacf89d826c0e532f5170e932a0561f510400000001b5d33d2d8cfcff641a9c1895d3fb8923a82720457cc08a00004e643027982b47583ae8a9f57f7b90030503739175b4a98feb043ab3fe39b9f4f9250c06aaf64	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1368267284"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 444afb099a21da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "408482733"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1358266223"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7C97E057-92DA-11EE-BE1A-F6DDF3AEB2E7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

rundll32mgr.exe

pid	process
4588	rundll32mgr.exe
4588	rundll32mgr.exe
4588	rundll32mgr.exe
4588	rundll32mgr.exe
4588	rundll32mgr.exe
4588	rundll32mgr.exe
4588	rundll32mgr.exe
4588	rundll32mgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

5100 iexplore.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32mgr.exe

description pid process

Token: SeDebugPrivilege 4588 rundll32mgr.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

5100 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

5100 iexplore.exe
5100 iexplore.exe
2004 IEXPLORE.EXE
2004 IEXPLORE.EXE
2004 IEXPLORE.EXE
2004 IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

rundll32mgr.exe

pid process

4588 rundll32mgr.exe

pid	process
5100	iexplore.exe

description	pid	process
Token: SeDebugPrivilege	4588	rundll32mgr.exe

pid	process
5100	iexplore.exe

pid	process
5100	iexplore.exe
5100	iexplore.exe
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE
2004	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exerundll32mgr.exeiexplore.exe

description	pid	process	target process
PID 5108 wrote to memory of 1424	5108	rundll32.exe	rundll32.exe
PID 5108 wrote to memory of 1424	5108	rundll32.exe	rundll32.exe
PID 5108 wrote to memory of 1424	5108	rundll32.exe	rundll32.exe
PID 1424 wrote to memory of 4588	1424	rundll32.exe	rundll32mgr.exe
PID 1424 wrote to memory of 4588	1424	rundll32.exe	rundll32mgr.exe
PID 1424 wrote to memory of 4588	1424	rundll32.exe	rundll32mgr.exe
PID 4588 wrote to memory of 5100	4588	rundll32mgr.exe	iexplore.exe
PID 4588 wrote to memory of 5100	4588	rundll32mgr.exe	iexplore.exe
PID 5100 wrote to memory of 2004	5100	iexplore.exe	IEXPLORE.EXE
PID 5100 wrote to memory of 2004	5100	iexplore.exe	IEXPLORE.EXE
PID 5100 wrote to memory of 2004	5100	iexplore.exe	IEXPLORE.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\01e674c96e195bfce6d2fd3628fddb61115bce0ce4d7b3a7090e00aef181b50e.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\01e674c96e195bfce6d2fd3628fddb61115bce0ce4d7b3a7090e00aef181b50e.dll,#1
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\SysWOW64\rundll32mgr.exe
C:\Windows\SysWOW64\rundll32mgr.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:4588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5100 CREDAT:17410 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8VETP1BS\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\KnoD810.tmp
Filesize
88KB

MD5
002d5646771d31d1e7c57990cc020150

SHA1
a28ec731f9106c252f313cca349a68ef94ee3de9

SHA256
1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f

SHA512
689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
88KB

MD5
fe76e62c9c90a4bea8f2c464dc867719

SHA1
f0935e8b6c22dea5c6e9d4127f5c10363deba541

SHA256
5705c47b229c893f67741480ed5e3bce60597b2bb0dd755fb1f499a23888d7d6

SHA512
7d6d5bfb10df493ffea7132807be417b5a283d34a1cd49042390b2b927691fd53ecf8eee459c727844395f34e4230b2cd85b38b7fb7df0a3638b244d0c3f6394

Download Submit
C:\Windows\SysWOW64\rundll32mgr.exe
Filesize
88KB

MD5
fe76e62c9c90a4bea8f2c464dc867719

SHA1
f0935e8b6c22dea5c6e9d4127f5c10363deba541

SHA256
5705c47b229c893f67741480ed5e3bce60597b2bb0dd755fb1f499a23888d7d6

SHA512
7d6d5bfb10df493ffea7132807be417b5a283d34a1cd49042390b2b927691fd53ecf8eee459c727844395f34e4230b2cd85b38b7fb7df0a3638b244d0c3f6394

Download Submit
memory/1424-1-0x0000000074C90000-0x00000000750AC000-memory.dmp

Filesize
4.1MB

Download
memory/4588-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4588-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4588-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4588-15-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4588-14-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4588-16-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/4588-17-0x0000000077642000-0x0000000077643000-memory.dmp

Filesize
4KB

Download
memory/4588-19-0x0000000077642000-0x0000000077643000-memory.dmp

Filesize
4KB

Download
memory/4588-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4588-11-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4588-9-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4588-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4588-5-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads