ramnit | 76c58e6f8a087d53f673409865b3194020293c115ba9f622b2943348ecc5be40

Analysis

max time kernel
118s
max time network
139s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4ecbf3230ff3fa931893d8da86e7c20.html
Size

689KB
MD5

d4ecbf3230ff3fa931893d8da86e7c20
SHA1

4c6e4ed50c7312480c0a24a395882cbfad1b912e
SHA256

76c58e6f8a087d53f673409865b3194020293c115ba9f622b2943348ecc5be40
SHA512

10a6481aa0a3f942edbdd44bd7e3a7b55efc0dbac6e6142371ddd1616048a5e3d2fa67c368a7c2fbb67c37d053581f8d040af4eb1a7dae3e4934c58cd20a1c35
SSDEEP

12288:S5d+X3R8mU9jFB5d+X3R8mU9jFkQ5d+X3R8mU9jFt5d+X3R8mU9jF3:o+Wt9Bd+Wt9Bkq+Wt9BR+Wt9B3

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 6 IoCs

pid	Process
2028	FP_AX_CAB_INSTALLER64.exe
112	svchost.exe
1576	svchost.exe
1396	DesktopLayer.exe
824	svchost.exe
828	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
112	svchost.exe
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000193af-107.dat	upx
behavioral1/memory/112-112-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/files/0x00060000000195a3-113.dat	upx
behavioral1/memory/112-122-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1396-130-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1576-129-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/824-133-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9C11.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9E33.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9C3F.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px9CEB.tmp	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET99C0.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET99C0.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 307ab095a079da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c23067700000000020000000000106600000001000020000000e82b3ec0d4ff0f8e0827f54267d055717868f5303b9f63b8b23093b4c5de39d7000000000e80000000020000200000008bbe5c5cdfef7be0edae3547be0858a9ba3dce59fd78a68afd68b2e793ab196c20000000e9c1d72f58605631ffa7917856088293621b6dcf1e93f06a125e931c37cae37b4000000050b830ed721e174386c61b83ca2667b517d73363be4bbe9dc6fbe103f31968b956cf9184447181045e7483f4dc7b1a71b5a04bd5a1ff2546ca7f71f303ba0017	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C0B0A7A1-E593-11EE-90F6-569FD5A164C1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416975213"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000c12c25e2ddfb54dbf19c8710c2306770000000002000000000010660000000100002000000015ac883fc98d6bd6374d28ac8aa388198bc76700cde3c5fbf12523baa906e5ce000000000e8000000002000020000000cacace1af577f5c65842ace86bcf0d8d31c0d56516652d2446bc5bfebefb503390000000ef4ba1f45d5b597285219f1e45c555c810db3879d873a3744cc94f3d59796f0feb337317ea8192c76c9a31971d6777320359f776c00fd4fece44ad88c6ef4b332c964e8320aba6159ac9b2cc25ceb417827140b0dc17758982129f38adf964ca9a93b40e2744de4a7251e44cc1fea3de5f99e1df71d488fd59e968ef7979ee8d31abfd24e1460d7288b4267fc62f2a7b4000000009f8d9a65994d45a568700ed9f6f820f64bcbfb5a7b41428e6ce34cdd8482c74800a34e248c1bfd6bf3b06f28b1ac424d966b725b621999e334aec902f61bce3	iexplore.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2028	FP_AX_CAB_INSTALLER64.exe
1576	svchost.exe
1396	DesktopLayer.exe
1576	svchost.exe
1576	svchost.exe
1576	svchost.exe
1396	DesktopLayer.exe
1396	DesktopLayer.exe
1396	DesktopLayer.exe
824	svchost.exe
824	svchost.exe
824	svchost.exe
824	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe
828	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE
Token: SeRestorePrivilege	2988	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2776	iexplore.exe
2776	iexplore.exe
2776	iexplore.exe
2776	iexplore.exe
2776	iexplore.exe
2776	iexplore.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2776	iexplore.exe
2776	iexplore.exe
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2776	iexplore.exe
2776	iexplore.exe
1936	IEXPLORE.EXE
1936	IEXPLORE.EXE
2776	iexplore.exe
2776	iexplore.exe
2776	iexplore.exe
2776	iexplore.exe
2776	iexplore.exe
2776	iexplore.exe
2776	iexplore.exe
2776	iexplore.exe
676	IEXPLORE.EXE
676	IEXPLORE.EXE
3004	IEXPLORE.EXE
3004	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2988	2776	iexplore.exe	28
PID 2776 wrote to memory of 2988	2776	iexplore.exe	28
PID 2776 wrote to memory of 2988	2776	iexplore.exe	28
PID 2776 wrote to memory of 2988	2776	iexplore.exe	28
PID 2988 wrote to memory of 2028	2988	IEXPLORE.EXE	30
PID 2988 wrote to memory of 2028	2988	IEXPLORE.EXE	30
PID 2988 wrote to memory of 2028	2988	IEXPLORE.EXE	30
PID 2988 wrote to memory of 2028	2988	IEXPLORE.EXE	30
PID 2988 wrote to memory of 2028	2988	IEXPLORE.EXE	30
PID 2988 wrote to memory of 2028	2988	IEXPLORE.EXE	30
PID 2988 wrote to memory of 2028	2988	IEXPLORE.EXE	30
PID 2028 wrote to memory of 2316	2028	FP_AX_CAB_INSTALLER64.exe	31
PID 2028 wrote to memory of 2316	2028	FP_AX_CAB_INSTALLER64.exe	31
PID 2028 wrote to memory of 2316	2028	FP_AX_CAB_INSTALLER64.exe	31
PID 2028 wrote to memory of 2316	2028	FP_AX_CAB_INSTALLER64.exe	31
PID 2776 wrote to memory of 1936	2776	iexplore.exe	32
PID 2776 wrote to memory of 1936	2776	iexplore.exe	32
PID 2776 wrote to memory of 1936	2776	iexplore.exe	32
PID 2776 wrote to memory of 1936	2776	iexplore.exe	32
PID 2988 wrote to memory of 112	2988	IEXPLORE.EXE	33
PID 2988 wrote to memory of 112	2988	IEXPLORE.EXE	33
PID 2988 wrote to memory of 112	2988	IEXPLORE.EXE	33
PID 2988 wrote to memory of 112	2988	IEXPLORE.EXE	33
PID 2988 wrote to memory of 1576	2988	IEXPLORE.EXE	34
PID 2988 wrote to memory of 1576	2988	IEXPLORE.EXE	34
PID 2988 wrote to memory of 1576	2988	IEXPLORE.EXE	34
PID 2988 wrote to memory of 1576	2988	IEXPLORE.EXE	34
PID 112 wrote to memory of 1396	112	svchost.exe	35
PID 112 wrote to memory of 1396	112	svchost.exe	35
PID 112 wrote to memory of 1396	112	svchost.exe	35
PID 112 wrote to memory of 1396	112	svchost.exe	35
PID 2988 wrote to memory of 824	2988	IEXPLORE.EXE	36
PID 2988 wrote to memory of 824	2988	IEXPLORE.EXE	36
PID 2988 wrote to memory of 824	2988	IEXPLORE.EXE	36
PID 2988 wrote to memory of 824	2988	IEXPLORE.EXE	36
PID 1576 wrote to memory of 1980	1576	svchost.exe	37
PID 1576 wrote to memory of 1980	1576	svchost.exe	37
PID 1576 wrote to memory of 1980	1576	svchost.exe	37
PID 1576 wrote to memory of 1980	1576	svchost.exe	37
PID 1396 wrote to memory of 2808	1396	DesktopLayer.exe	38
PID 1396 wrote to memory of 2808	1396	DesktopLayer.exe	38
PID 1396 wrote to memory of 2808	1396	DesktopLayer.exe	38
PID 1396 wrote to memory of 2808	1396	DesktopLayer.exe	38
PID 824 wrote to memory of 1804	824	svchost.exe	39
PID 824 wrote to memory of 1804	824	svchost.exe	39
PID 824 wrote to memory of 1804	824	svchost.exe	39
PID 824 wrote to memory of 1804	824	svchost.exe	39
PID 2776 wrote to memory of 3004	2776	iexplore.exe	40
PID 2776 wrote to memory of 3004	2776	iexplore.exe	40
PID 2776 wrote to memory of 3004	2776	iexplore.exe	40
PID 2776 wrote to memory of 3004	2776	iexplore.exe	40
PID 2988 wrote to memory of 828	2988	IEXPLORE.EXE	41
PID 2988 wrote to memory of 828	2988	IEXPLORE.EXE	41
PID 2988 wrote to memory of 828	2988	IEXPLORE.EXE	41
PID 2988 wrote to memory of 828	2988	IEXPLORE.EXE	41
PID 2776 wrote to memory of 676	2776	iexplore.exe	42
PID 2776 wrote to memory of 676	2776	iexplore.exe	42
PID 2776 wrote to memory of 676	2776	iexplore.exe	42
PID 2776 wrote to memory of 676	2776	iexplore.exe	42
PID 2776 wrote to memory of 1616	2776	iexplore.exe	43
PID 2776 wrote to memory of 1616	2776	iexplore.exe	43
PID 2776 wrote to memory of 1616	2776	iexplore.exe	43
PID 2776 wrote to memory of 1616	2776	iexplore.exe	43
PID 828 wrote to memory of 1924	828	svchost.exe	44

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\d4ecbf3230ff3fa931893d8da86e7c20.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2316
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:112
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2808
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1980
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1804
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1924
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:209940 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1936
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:472074 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3004
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:799753 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:676
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:930823 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

Filesize
64KB

MD5
9bca6aef9dacf40150be0d1a6c39263e

SHA1
2778d275d88d474aff8259a7e415c926adce8624

SHA256
8be0e539e95424e252f8ef7d32d643912e9fd3d9414fc0d9823d051798377dc2

SHA512
97effef09b5a97f0097c54c263cd662e3de09931b038d236ea9ac57df0bf04e71085414acbf4fe434a15e6252a0e36204342e6fdd5a675a1ddd3261a1e1946c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2af8a57acd196ed100141e1ab6881980

SHA1
854ea6b3cd18bc19ca2faa7eb531a8ac6aa9b990

SHA256
8385fd5585fbf88905c57d415f1c4c4fee4efdfa2ee867604cde5780de9209ef

SHA512
86069b46dca2fc585b18489404889adc9a09938e93d0f2fef2047d4d75e4b03dd1bd269bab67b003ed30c4245bca571fc9a87a7e418a02ece2415b242318f813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
663ebc04d3ce024a1ca35f1e5e6bf5ac

SHA1
3cc1df86f40af838c7e6306caec58c7c1f247f6d

SHA256
209aebc0f32d98b79e08af357273cb4e3773fdf54a9062031404e5ba314b0dcd

SHA512
838c4fe19aed9e6cd41695d25aa94911d3bdb185f455c7ef83d94c002f882db3e896568d68968c24e37d0d3406bf6b3cfa09761e24606cc404047fbc3e226aae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03d73033be3e631fc5ac35444428ad9c

SHA1
066eecc4343088793b1526193d819d1fd8a94f59

SHA256
52af5170ea7e4a4c30553f3fb930164e77973e4412e0b730554730b34a7f09a4

SHA512
ef79f2ad032ed0b0c414e39183bce52f91d845a5fa8cf1d2bd1b57c0f0686e6c5dd86a180f0eb75ddc0b5317715bb8cf0b62654bfae35c9cc4efc667b6a592cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
050a13b5e59a3251876affc2c18bff77

SHA1
76321508110219ad2ac429832c512cba7764c970

SHA256
f70405f65fda1808ed5963c35e2102720d3d9cb07dd2303b7144ac5eb228d1ef

SHA512
341e96592a24c7f67544f40953d4953517da02fc6e8600fde5ccb0c547e3e02ee28ace91e07f026b24151a58c2b5d07e2e6015c51a2f4455926056f98362378a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb2dde978f646d3e15570ac49d88c245

SHA1
9aec67c1d26a8dccca9ddf27c9a9967a9326d9cd

SHA256
1e93dfe549c16ab5804fe8bc936167addd37b98197f9a5a0d49ce719d12d8cc1

SHA512
0c4877fc084ff8002cbe8e6e47087e01d1272acd9e269258b9a8b59b03f189281cb84218d3d5f48eb3a19d666919f5855f76abd8c8db38562172cd4b25f539f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cdb3f0cf4610a61a68c41ccf48015c02

SHA1
90b3a2f69c0422fe72c132a2e96de0e68c4606f3

SHA256
c3ee039be29c0a5ea1eb0f44bd458b4b1cfc7017c81ad967822b974422c56a76

SHA512
7c169e54be603ffd9c585b9c0b90836357b1f58f5873a7ddb56845b8cdd26d6f967f18a41d44a0ffe82b67b8159735c594af410ba5a46d29c28d97c202ac9bf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
695a52273c3d8544b400b854283aeee5

SHA1
704268267c67e3acb0361b350c66fbd373f61f47

SHA256
533fc25c6edd4910c434ebcf642b50a56daace6fd20caa8d4bd73f1c17dee6c5

SHA512
78338a550f7c71308900f50a801d3b93ec833725ebebd0c587902db01c8208ecd6d99b1e77d72aec301a8f9e182ea5866d05efb944c4ac7965ead210f3a0bb98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
865a57987d0d43dbc42aac219e4e8e7d

SHA1
3960f7175480183056193f46d7ce28e64bec4946

SHA256
2d151fd19d03926d765d69c62dc2b574ab0fa2666bac166a2866584f0bc3177c

SHA512
9005d2cabffd50e2c3466e2ad1d6d904d835ec2e05e090ae13fe3dae9554c3d56092c5a1efea8d4caa25d2c12c3cdc439b1cc86b2fe4588df0a1a266d8800b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8adff426ce173f14b290fb70e2b7f2aa

SHA1
14888327a471cc4a61bcb4d533a4ba6831b0a666

SHA256
da774cd3a3939632c47e9d03c7f778c772ff5396c8470dec04a11c1fb5364148

SHA512
b0243bfb8615d9ddcaf3e1100d5882d601f6933d70dd0a048808615c7871cffc51479841617a731f3ab51e90312f4f5efe34b113a811892bb477259dfe9050d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HQQVSTWU\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8E4D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8F69.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9EA3.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
83KB

MD5
c5c99988728c550282ae76270b649ea1

SHA1
113e8ff0910f393a41d5e63d43ec3653984c63d6

SHA256
d7ec3fcd80b3961e5bab97015c91c843803bb915c13a4a35dfb5e9bdf556c6d3

SHA512
66e45f6fabff097a7997c5d4217408405f17bad11748e835403559b526d2d031490b2b74a5ffcb218fa9621a1c3a3caa197f2e5738ebea00f2cf6161d8d0af0d

Download Submit
memory/112-115-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/112-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/112-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/824-135-0x00000000001C0000-0x00000000001CF000-memory.dmp

Filesize
60KB

Download
memory/824-131-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/824-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/828-139-0x000000007786F000-0x0000000077870000-memory.dmp

Filesize
4KB

Download
memory/828-138-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1396-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1576-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1576-132-0x000000007786F000-0x0000000077870000-memory.dmp

Filesize
4KB

Download
memory/1576-121-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1576-127-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/1576-833-0x000000007786F000-0x0000000077870000-memory.dmp

Filesize
4KB

Download