ramnit | 4a17a3905084843c2fbea01a5918fd5bf1d1b3a1375c3d1ac5f006eb56cb4a04

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

062ee06be1169bfeb121435f94ae6e68_JaffaCakes118.html
Size

386KB
MD5

062ee06be1169bfeb121435f94ae6e68
SHA1

7e641d18cf7455d6519aeb0ea87c93545f4ba874
SHA256

4a17a3905084843c2fbea01a5918fd5bf1d1b3a1375c3d1ac5f006eb56cb4a04
SHA512

a3bd05029b9abbb5a35bfc02a88e65b1cc3d8bca5ef12091e8165a261b2f924a51f6022d1ae90ba41ee2aacc93b6b6c44fce7fc4aa6af9b47a49735ec5d9f699
SSDEEP

6144:xdsMYod+X3oI+YmZuuShKGsMYod+X3oI+YmZuuShKS:v5d+X3gJU5d+X3gJC

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 3 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

pid process

2452 svchost.exe
3008 svchost.exe
2780 svchost.exe
Loads dropped DLL 3 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2336 IEXPLORE.EXE
2824 IEXPLORE.EXE
2824 IEXPLORE.EXE

pid	process
2336	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2452-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2452-10-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/3008-586-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px5BF5.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5BF5.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB664.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000886e38478d135045bd83af2a3c50b0550000000002000000000010660000000100002000000035eff8ec17eacde76a904f8e91859b596185f3968b2387f835a4de4dce5d86ed000000000e8000000002000020000000d97a2ab79820e79322111a86ec122f01953d585562aada86ec218c4e3ae2f3ea20000000666708bbd0963141bc6f49999e56ccbdc9d32a0e6724578763766e09fc26bdd040000000af1feec8a5ed43a8457144d2ec6de9cd3eaa20112ffa7147e316bcd577721158fa0285ac6d5a72608e178ecddf87ea5c79ac31d06b8ab6b8367cff58bbdbe554	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1F80FEA1-05AC-11EF-8951-5E4183A8FC47} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0209926b999da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000886e38478d135045bd83af2a3c50b05500000000020000000000106600000001000020000000e06e62c95cb68f8708133e04811bae80f663af5ae43da2849f82abbf89bb755b000000000e80000000020000200000003a7c9350f37bb2c6cc8ff0fd91bfb82693514b4f91d89198af3d173aaf32971b90000000d78f72df2889ea192ffcf14d3a309c30ae96c2b3d28ca3ca7f81037091ee0ad6bace82207a14e8d825a102c2c5071e817d37896782ed5053901a12106b8d5756b9bb170d160fdc1f60ab8d5a5c6b68f96a61ff25a3286dcbc2aeb15524ffcf888bae908971ef557524a6040aa57d6fed44b2e7d1a41c177b6b268d3c9dc98e8e28a4189b0ca04d6e8a5120acf3ab9a2140000000ad2570d53ccc282b3ca232db7a04bedfe4200d3787bf58b348167886bb7871ff72ee7e083157e912843e5f12e0bf6f0f00fbd246a7d02ab3405c724a83f9df93	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420504097"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

svchost.exeiexplore.exesvchost.exe

pid process

2452 svchost.exe
756 iexplore.exe
3008 svchost.exe

Suspicious behavior: MapViewOfSection 49 IoCs

Processes:

svchost.exesvchost.exe

pid	process
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
2452	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2452 svchost.exe
Token: SeDebugPrivilege 3008 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

756 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2452	svchost.exe
Token: SeDebugPrivilege	3008	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
756	iexplore.exe
756	iexplore.exe
2336	IEXPLORE.EXE
2336	IEXPLORE.EXE
2336	IEXPLORE.EXE
2336	IEXPLORE.EXE
2988	IEXPLORE.EXE
2988	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exe

description	pid	process	target process
PID 756 wrote to memory of 2336	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2336	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2336	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2336	756	iexplore.exe	IEXPLORE.EXE
PID 2336 wrote to memory of 2452	2336	IEXPLORE.EXE	svchost.exe
PID 2336 wrote to memory of 2452	2336	IEXPLORE.EXE	svchost.exe
PID 2336 wrote to memory of 2452	2336	IEXPLORE.EXE	svchost.exe
PID 2336 wrote to memory of 2452	2336	IEXPLORE.EXE	svchost.exe
PID 2452 wrote to memory of 384	2452	svchost.exe	wininit.exe
PID 2452 wrote to memory of 384	2452	svchost.exe	wininit.exe
PID 2452 wrote to memory of 384	2452	svchost.exe	wininit.exe
PID 2452 wrote to memory of 384	2452	svchost.exe	wininit.exe
PID 2452 wrote to memory of 384	2452	svchost.exe	wininit.exe
PID 2452 wrote to memory of 384	2452	svchost.exe	wininit.exe
PID 2452 wrote to memory of 384	2452	svchost.exe	wininit.exe
PID 2452 wrote to memory of 400	2452	svchost.exe	csrss.exe
PID 2452 wrote to memory of 400	2452	svchost.exe	csrss.exe
PID 2452 wrote to memory of 400	2452	svchost.exe	csrss.exe
PID 2452 wrote to memory of 400	2452	svchost.exe	csrss.exe
PID 2452 wrote to memory of 400	2452	svchost.exe	csrss.exe
PID 2452 wrote to memory of 400	2452	svchost.exe	csrss.exe
PID 2452 wrote to memory of 400	2452	svchost.exe	csrss.exe
PID 2452 wrote to memory of 436	2452	svchost.exe	winlogon.exe
PID 2452 wrote to memory of 436	2452	svchost.exe	winlogon.exe
PID 2452 wrote to memory of 436	2452	svchost.exe	winlogon.exe
PID 2452 wrote to memory of 436	2452	svchost.exe	winlogon.exe
PID 2452 wrote to memory of 436	2452	svchost.exe	winlogon.exe
PID 2452 wrote to memory of 436	2452	svchost.exe	winlogon.exe
PID 2452 wrote to memory of 436	2452	svchost.exe	winlogon.exe
PID 2452 wrote to memory of 480	2452	svchost.exe	services.exe
PID 2452 wrote to memory of 480	2452	svchost.exe	services.exe
PID 2452 wrote to memory of 480	2452	svchost.exe	services.exe
PID 2452 wrote to memory of 480	2452	svchost.exe	services.exe
PID 2452 wrote to memory of 480	2452	svchost.exe	services.exe
PID 2452 wrote to memory of 480	2452	svchost.exe	services.exe
PID 2452 wrote to memory of 480	2452	svchost.exe	services.exe
PID 2452 wrote to memory of 496	2452	svchost.exe	lsass.exe
PID 2452 wrote to memory of 496	2452	svchost.exe	lsass.exe
PID 2452 wrote to memory of 496	2452	svchost.exe	lsass.exe
PID 2452 wrote to memory of 496	2452	svchost.exe	lsass.exe
PID 2452 wrote to memory of 496	2452	svchost.exe	lsass.exe
PID 2452 wrote to memory of 496	2452	svchost.exe	lsass.exe
PID 2452 wrote to memory of 496	2452	svchost.exe	lsass.exe
PID 2452 wrote to memory of 504	2452	svchost.exe	lsm.exe
PID 2452 wrote to memory of 504	2452	svchost.exe	lsm.exe
PID 2452 wrote to memory of 504	2452	svchost.exe	lsm.exe
PID 2452 wrote to memory of 504	2452	svchost.exe	lsm.exe
PID 2452 wrote to memory of 504	2452	svchost.exe	lsm.exe
PID 2452 wrote to memory of 504	2452	svchost.exe	lsm.exe
PID 2452 wrote to memory of 504	2452	svchost.exe	lsm.exe
PID 2452 wrote to memory of 608	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 608	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 608	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 608	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 608	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 608	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 608	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 684	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 684	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 684	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 684	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 684	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 684	2452	svchost.exe	svchost.exe
PID 2452 wrote to memory of 684	2452	svchost.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:828

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
4⤵
PID:2864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:816

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:344

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1036

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2072

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:2024

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:504

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:400

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\062ee06be1169bfeb121435f94ae6e68_JaffaCakes118.html
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:275457 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:340994 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2780

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:209934 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
edc23ed3bcf2150f165bccd97bd3f204

SHA1
c8507355ba64d59fb740e5f9ef355ff155cee86c

SHA256
1cf3f01e26b052c12a17378c0b5643edec2d12566b9c6827a1630eb130beb40c

SHA512
00155db209d4ba2b8ea71596e050af96b442e3a21ea7484f8590baf50dc47f39b0534758dafeb56be3bbc1de5f7b0682bc7e80ec62a87832411d7f49be173319

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
0118ca3d981293136c8bd1c651fed4ca

SHA1
1c3c35e347b4f6aa58f2acb5e0926b9fd961e720

SHA256
8740080ad504faa3b9a455f96f363717cab0a8361598934e8a77562de433279f

SHA512
1c652c2f5995f5b510abec1dc193d4cc947db504d24f588328fa244b52998eab2b5e07ffe5db8532443b754683519706ffa849b97ec5a73a63d0cb95a396deae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
165306dbafde0b8a0066c536185ec385

SHA1
a7d6bde3ea54faa848bddfbfbb639011ad502967

SHA256
a5becd3c35c46d73b266f73b38e76f4e6234971d0d30f7fd890c77c04234cfc2

SHA512
1e26b892ee05d4c6bbdea23b9beb0f4d90eeb852d01eda169ec863fc1bb410c2e738d9aeee27de5a9590ddc1a3b10c63d2c7c375ed4e92aa5fa0f1da35119e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
1b47ce39117ac182164b8cba2026efb0

SHA1
43ea8ab0f1f88d85e810c6c62e4f7c0882aa471d

SHA256
2040a315ffabf6ac4ce45a9b68953a6a6739e8fdfb662e3d9293fa46c518191d

SHA512
5a2fa8fc564febd6ef35df6fa8663d1d5fbb65db5be80bb4dfc4bc73f3005a5b51c2f7de59777ba0dbcded3e8c0f4fa2065d2804e70847a0cbbe04730a9411f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
10c83a79da4e1f20276f542aae813ef5

SHA1
8f2551b98a51c702abc8e5dba012efe91bc07774

SHA256
aec62bbec1a5f091e7744c744a82f428bf6d46907d949c1d67d933e5a3e756bc

SHA512
cac9643c2f410f22722b453b972acc0b7d214535be31c9c73c68e656116e0d6623145b9da2146baaf690cc61a326f62fc7a63c4c1d16a9f39b883d924b1836ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
ae67bdc9439c0c5a323c695656072a0e

SHA1
71939177a4de9b1d1e38437706a8845038db1dfc

SHA256
30551558f7014fa7a2d10272d9de4de65caf2c7a66c51f608ea019ea2780fbed

SHA512
1bfe2089ea8f63b61e9d7760789ad97e08ebf9630b0b38b136e69c14833c532d958f75ef6c6c4f354dad8f541c5c6f34508455112bc50a0b0bc21ec1f0216115

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
5e4b3365c7b9a0e7669a554e0c5e298c

SHA1
5cfbe65c7b4394968bb752f35761253a6978354b

SHA256
cd7190e4b2aad4b1b0ef5dce7b73b3b55f46d6068aa496219544cf2c8087c114

SHA512
bd124c0af6d2fd4d1580dc2c1066ddac71e5079781103c56c9d65329efc2762e242e031e8b9395a0a24139f173f134a2bdbf7369fae31353b0ee5056e6011ac3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
34819ccc7a3cdcc3dc0af9d0c9a3b1a5

SHA1
c7df4bc7b826c3645cf50e0f934e15ed01da175b

SHA256
9d3e0e2ca45ecae7ea45722b2ee1021b052f64fcb0705d75b4e1b97cdb9087db

SHA512
a18eb8f3f0c554e4457b7057b2aeea3f34861c39dc657e8f197bc50ce95c56e783261ea00fddbf1b342a2de288874d6cf489340306820e3659c40cf7e5804e0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
29583457c2d245b2e5cb56a46ecee472

SHA1
c74b4c113915ddf44deb703e2950ccb6fe52cf25

SHA256
8b93630865688470e78569e259cc12cd84530c29b03c7fe22c2baf827e1e8c5c

SHA512
5bddc27e06a728cacbcd70ecd22126de7339c3728bf9f983c96d66b9b131f963ecad4b723eee97849f05f29dd3a4a5cbc62313642d1c37d6560e89ef1102ec02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
8d0ede8dd1b9b3886957004ac619807b

SHA1
20a10ffeda38d2a1c96f1414c6dcf940489c8940

SHA256
e8c79f3ac9b9c8a3df12969f6a50b54302e723d2fb1d08f27f5865202087a84c

SHA512
81c93dd12fab607d14c7304d76bdf5127744b146575f0b7e37b6d69228843cade14d932c67c10a39955effa5454ae6a312599afab05ea7cce752d6b2503d414c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
c87f6ffe8c901122cf23ce14d7e98785

SHA1
256a1abf61cc6186f7717a805e2165108a4eedb3

SHA256
ac898378f6b31848d6d12613ef054b6e76b0658f3207b4d4c2f44175fba4fed0

SHA512
67b9ee03951b1444679e029c6f43c14a3a3fbf7e2ecf9579d90782efb183e2e2b6b9ac328b9881c3824a29aedc1551bc225f6c2afa3dd374378a72c05c1f187b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
9346e6ab442e9881a4dd9f27b48aac7c

SHA1
18a6f6d7ff5d0b31ed660adf79093b9d748fc34b

SHA256
06d1500d2d3fa66182ea1ab6adb5fa79c4e15acd5bfe63291725bc3e79d6b1c2

SHA512
de5867751861336cedff9b05747df1f5e356f05cb48dedf033a7985a0516a0bf423354dba7caeb13394b704158fd73e973295eb18fb1968afa5e4822102f08a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
9cf8ed78cce9bd9b5cfd50be60fbee77

SHA1
701247029c4fdf3b5bca8b32d69e722ebb49cada

SHA256
649b06579ec2c1ec3a44fd069f94e4c23136cb5ef9539a50aeff5256115fe292

SHA512
c023c8c198b6fd56be23e17cfb844db1d4230a23701c2b455fa724b5307124150af4862d3e0e3262e54c386ae6157ec262655d9e55f4d841e464e014e8f7fa65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
d3fe7414dbfabfb59f386e6a00c3a382

SHA1
36a9a3fb0781d6c2b56c82291a236e6b721e2441

SHA256
52160d178f962f1f18fa4d3e297584f903f849b8efc5d9238714aec820ac636c

SHA512
3e8871f2960b047fd7ab0e6205dbc4a95a0609e210b2aa630b9b1959988f27571abc6435f3a49decd30b0e38f54758c62a6c9ab8f541366665bbabbe7a0adb37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
1d0a71e91c3bd402c303d24598b0db3c

SHA1
4c656dffdb43510efdcc04e926c03fda55cdf4e9

SHA256
152c4f8d3a943e1d5f155a90a6a50324be5df86d83e52b3c942654c016d6b5ca

SHA512
599c89865444470d5c863a0c4f967b6a964156768f507d53e5f601572383b52a75c4fa5bbda269a29032ee54a7ca8e4645deb1a596687149507d692bc4c1163d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
6bbe0710d937de3eb166ebe95ff0d4ea

SHA1
e32aab29b6ab6f8bdf7b2cd87a607e76fb7d1af2

SHA256
087712e5b4a68c9620adef4ab0f214c079b3ae9aab55db6ee4fd94740b10e294

SHA512
8c0aa94f03716639857a64cb74a177c34b2c02e486edbaab45de54704ff251ca4faf15c0898db72f36e59365e0832257c4cc694471af74d75c92fb2d92bee75d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
365d51d0dedb360ae662e133193afbd0

SHA1
98222288d6a432e87550c186a08243ddb8cbb09f

SHA256
b5d2472c0e908d637ce9e2e40896ad51d341164de6071a217187b8c8523b430b

SHA512
656ec6778e1c3b576c210c6a71a161d84b8be2e7b34b7f51444396855efe16518d07e0703ed41bb06ed59e36ec598e6abde2450823930c40eb3cc74905bffd84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
2e50d70d0e309509e3762a93af1d58cf

SHA1
098d8e98d19f3e7044eadcb02f9c39e9caedd846

SHA256
f10c7e26c229049efcd43354e67c8cfa5a58a06ce7adae3d0ba39a522a486ffc

SHA512
3f512d327dcd5095a9c5a6406ffab0b94d7c9b2511dee0ae303601109612d2d4c111c03ff443eb07f176ad52ad423525815dac5d94bed515c8a1eafa81694253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
9b79265981a7aebf32604e066a20c01b

SHA1
1ef132d8a5dd456a15625293d1a88c92dc5ce3d0

SHA256
00d0c1bd94dbcf83db892729e7dc29578cd12b8cb9d6297af1e0036ea7f7696c

SHA512
c847be4e0d7218dc7c21fc88188e06d8c40ddd82c14a935ac2787a35903e7d29b3cfc0bc32908791ae765b50deb62f7a4c91d699040c3dd8da6def05f2307214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
f127efdcc26d2234f46284c465fa2ffc

SHA1
5bf50f7d38e5d5d956775d5ad70499dce6e3c0bc

SHA256
a787d240f3afa661402a7735237cd459a5277e89c150ac068a554f78ac162885

SHA512
a052154c25e10d06e71d0eb34469e82fb73f9d3f23d4dfad65ffe4af181db1b0495ab93c1ba7b2ef775a57a9dd62baafbe76c4e17e7896ecd8e15c2b0ee58e18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
a4271dd5858e578a8058e9f9d0155939

SHA1
2e3d7cd2b33e348d6e8f2de22bb7cea0308c43a2

SHA256
e559b6ea972c2c7adb925e5c8ad87e04ffd9982b77e70d8a397c85c32b4acc75

SHA512
d79ba897fbf209bd406ab0e464d72750e0995d239834695266415598585eed4ed9a4e3e83966bfe15c8ec952ca30a848a7c739a19dee52506e753e0a0c7a744e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF5C.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar10A9.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
84KB

MD5
4285c2096de2389c54694f2bb2f75240

SHA1
f8f41a33c556837abef98c0805502e0a24edf3aa

SHA256
7427b5a5d0a2768268607c10860fe56729572685813fb33df8c9f08a02509867

SHA512
a678f099dfebada9db01f759bfc5e3e06646628e7c4fc237db85a0b29f6924a25d18831d72b871e1c32279731bea12e5021017ce6174765289aa2a52311e21aa

Download Submit
memory/2452-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-599-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/2780-594-0x0000000077E70000-0x0000000077E71000-memory.dmp

Filesize
4KB

Download
memory/2780-595-0x0000000077E6F000-0x0000000077E70000-memory.dmp

Filesize
4KB

Download
memory/2780-596-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/2780-597-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/3008-586-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download