ramnit | 129e38bb43d519938f283bf698da88a07435a732552fe2fca4ffc1e16cd59fae

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

054e1f8460564bc8e28b557e77adb1a7_JaffaCakes118.html
Size

134KB
MD5

054e1f8460564bc8e28b557e77adb1a7
SHA1

13ccfa50dc55084c07221176106dbad8638f85b7
SHA256

129e38bb43d519938f283bf698da88a07435a732552fe2fca4ffc1e16cd59fae
SHA512

f27a0172787ce18a10fbaeb6f7966b91ce73ae86f0d49f45e31ee517c14f8dc9a138f7a1ecfd1d5c1fca255b85183e663649512e93910f04557705c8e346949b
SSDEEP

1536:SQm3ffHXyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy+:SpPfHXyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

pid process

1868 FP_AX_CAB_INSTALLER64.exe
1688 FP_AX_CAB_INSTALLER64.exe
2452 svchost.exe
1304 DesktopLayer.exe
Loads dropped DLL 4 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2780 IEXPLORE.EXE
2780 IEXPLORE.EXE
2780 IEXPLORE.EXE
2452 svchost.exe

pid	process
1868	FP_AX_CAB_INSTALLER64.exe
1688	FP_AX_CAB_INSTALLER64.exe
2452	svchost.exe
1304	DesktopLayer.exe

pid	process
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2452	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2452-617-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1304-633-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1304-637-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB9AE.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File created	C:\Windows\Downloaded Program Files\SET17F4.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETB8D5.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETB8D5.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET17F4.tmp	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000f9af2f1adedad58bbe7348787111a5aa20fc3982480d52c6366b0469d33687f7000000000e8000000002000020000000091b0172c494e721f66b5b07bd15004ca0cc75f8af3ff10657508d7977f01e9a20000000474912a6e8dc347c18bdd3798a01adc9b45d34b564bbeff281b17de0586c306b400000001a97a698e0cf66d710f9a63cca206ae3d9e2bcd63cd6af57dc92ce5ad17ebd4721b72e3231bd12ec6b71e7515000b2396ccc4724a68ecef45f60ec9167fe441f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0a8d22f7199da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000c6d4b6edc575e1ae31c835f5e263ad1d3b49561dd5e8cae230db5d509f4bca8f000000000e800000000200002000000026013afc2ebf467c8aac57e4cccbde6cb5256559acc2b875fdb64fd3299965d8900000009ba93bba96086907fea4e113c9e4ba2e5d8f26da1b54ce547a8dc44a942051b97e0a0b2565dee036ebe6055f1f22eb206e0ac9a347ebe427167a4c7d19cb834aea5ce42d361f5ce786db4bf51a9c0d5bf767e44374e2b95842d8ba4cf98e2c6b2e321227149e09849972b0f1157464024c7ed9277769db0cc4f2949187f8a13c655a90bc4b2e9e059b0d9ca7aac8972d40000000975d8915b7749f7afdd420739002384e292073da1e2b38bc620eca352fc954c5c94506e63ba8dd3b0682f8a4fcc257ffdd03fbc3f58b2ff6cd047ca051ccf8e6	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{589DBE01-0564-11EF-8178-52C7B7C5B073} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420473269"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exeDesktopLayer.exe

pid process

1868 FP_AX_CAB_INSTALLER64.exe
1688 FP_AX_CAB_INSTALLER64.exe
1304 DesktopLayer.exe
1304 DesktopLayer.exe
1304 DesktopLayer.exe
1304 DesktopLayer.exe

pid	process
1868	FP_AX_CAB_INSTALLER64.exe
1688	FP_AX_CAB_INSTALLER64.exe
1304	DesktopLayer.exe
1304	DesktopLayer.exe
1304	DesktopLayer.exe
1304	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

IEXPLORE.EXE

description	pid	process
Token: SeRestorePrivilege	2780	IEXPLORE.EXE
Token: SeRestorePrivilege	2780	IEXPLORE.EXE
Token: SeRestorePrivilege	2780	IEXPLORE.EXE
Token: SeRestorePrivilege	2780	IEXPLORE.EXE
Token: SeRestorePrivilege	2780	IEXPLORE.EXE
Token: SeRestorePrivilege	2780	IEXPLORE.EXE
Token: SeRestorePrivilege	2780	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid process

2784 iexplore.exe
2784 iexplore.exe
2784 iexplore.exe
2784 iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2784	iexplore.exe
2784	iexplore.exe
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2784	iexplore.exe
2784	iexplore.exe
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
1980	IEXPLORE.EXE
2784	iexplore.exe
2784	iexplore.exe
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
2784	iexplore.exe
2784	iexplore.exe
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE
1532	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

iexplore.exeIEXPLORE.EXEFP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2784 wrote to memory of 2780	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 2780	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 2780	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 2780	2784	iexplore.exe	IEXPLORE.EXE
PID 2780 wrote to memory of 1868	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1868	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1868	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1868	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1868	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1868	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1868	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1868 wrote to memory of 1856	1868	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1868 wrote to memory of 1856	1868	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1868 wrote to memory of 1856	1868	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1868 wrote to memory of 1856	1868	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2784 wrote to memory of 1980	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 1980	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 1980	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 1980	2784	iexplore.exe	IEXPLORE.EXE
PID 2780 wrote to memory of 1688	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1688	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1688	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1688	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1688	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1688	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2780 wrote to memory of 1688	2780	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1688 wrote to memory of 2628	1688	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1688 wrote to memory of 2628	1688	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1688 wrote to memory of 2628	1688	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1688 wrote to memory of 2628	1688	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2784 wrote to memory of 2520	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 2520	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 2520	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 2520	2784	iexplore.exe	IEXPLORE.EXE
PID 2780 wrote to memory of 2452	2780	IEXPLORE.EXE	svchost.exe
PID 2780 wrote to memory of 2452	2780	IEXPLORE.EXE	svchost.exe
PID 2780 wrote to memory of 2452	2780	IEXPLORE.EXE	svchost.exe
PID 2780 wrote to memory of 2452	2780	IEXPLORE.EXE	svchost.exe
PID 2452 wrote to memory of 1304	2452	svchost.exe	DesktopLayer.exe
PID 2452 wrote to memory of 1304	2452	svchost.exe	DesktopLayer.exe
PID 2452 wrote to memory of 1304	2452	svchost.exe	DesktopLayer.exe
PID 2452 wrote to memory of 1304	2452	svchost.exe	DesktopLayer.exe
PID 1304 wrote to memory of 2348	1304	DesktopLayer.exe	iexplore.exe
PID 1304 wrote to memory of 2348	1304	DesktopLayer.exe	iexplore.exe
PID 1304 wrote to memory of 2348	1304	DesktopLayer.exe	iexplore.exe
PID 1304 wrote to memory of 2348	1304	DesktopLayer.exe	iexplore.exe
PID 2784 wrote to memory of 1532	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 1532	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 1532	2784	iexplore.exe	IEXPLORE.EXE
PID 2784 wrote to memory of 1532	2784	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\054e1f8460564bc8e28b557e77adb1a7_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2780

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
4⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
4⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2452

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1304

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2348

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275465 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1980

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:275485 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2784 CREDAT:603156 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
b928564ecdb09cb9a42b648b70e7776a

SHA1
2fe7799eaa04603934e8fb78d076c8f3b3e8640f

SHA256
243cfd47c505491e69b9f69363eb79aa5f6ef165f267dcf800b7b331e4550344

SHA512
669ee58448c013943b7d31231b9c854a8e0f1e5ba908d918173f333b6814a6ef495b2e50d3a73ca8eb63ea5de68575fb3c3ceef142851c93880d3fd7730e866b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a2bda3f2a629c7c7d25d35acadf28d72

SHA1
b0f70045094802a4c232f1c89a56958af97a48a9

SHA256
2cc9787cef95647c228ad45639cd4890503b35b3b024683db21081410ad21710

SHA512
bd092765696cdcdd09097604c9dbf46604589d7b3d0c99065ebf63c8410271a74679d58c46b33f2ad500b6647a6ef49fecd7be032fed197778754dba783304c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2e34eec8702e3e16d8dd2d3e466e8167

SHA1
85af721b49fe68b3bacf69fe743f16960b9a04db

SHA256
2798ee14dde3bf58d85d32020f2cda01bd582d280e2f542541c6e58b1da3c2ac

SHA512
0f77fc1f928515057b1ae18cd6654ae9088bba62ea89ba0031d4ba24da14792e47d45a38f5ad8530518c2eace905509bfbb350f5dc35fb5cba8ccb9aa4447cdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5df18f20f1dbe547274081a89c910600

SHA1
8cf872f6fc23d9761c5b9e02d6e49393107de132

SHA256
3931d6bf7d376295b5ee9c172f328bc5b6e95f03fd87e048165554f9475ba1d6

SHA512
c2fc6febcbce5927d0e0573ea6b79a2c360ae30e9893316528cfc8728ce6597706903f456c3bfc8553ab1a79c1ba5946999a2d399f21a2eac3443f5733bc8766

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f4432786d67a8874880ce2a52edcaaae

SHA1
58935266a16e5bde9b97396236128a9629527681

SHA256
efd2cfc60b45f63e1d842fb6493cee09b472eb078224b23d4fdbbaca855ff37d

SHA512
cdfed0a869360fdd28d25808ac6c159d08011f0175cf60fde4278c920436478a082eaa516a2570c4cabbc849f4497a79b7b0f925b191ef2260538fa75bac2960

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
620f70a7134fa36ecff3c0fbe9e81de8

SHA1
ecb8918efef3db65ddab8eef8bd563c420d271d6

SHA256
7bc49606414b8fe041c7dc1ab048a990283b958f29859a4389b5ab0ae6fb0ac8

SHA512
7a31b5bb98781f05761f1d1758288a969fcb9322eb8d3c8edf28c0ea1f64e9f483a1e73c67db62d3b442eb7df39d3fdb28fbaf433580f42b54fa36d6b2dd676b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d6a4baecbc213802318160c0ccbce4e8

SHA1
606ccef153f7d1a3da34de4ac9dbf7aab9a5f7d0

SHA256
10e3e02b59ec7bf0accfa477df3178614e02d29cce492e87deb4a4673f49cc23

SHA512
ec3c28022f772ee987ee2cf85da0146100b6c30963fe4b3975a7c6109d10a97108dfee507161e3bf4ce561e77343002b0206e0c9dd2c9ea6273b64a635515f9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
17994eaac5d19725a3de5344b2cc30a7

SHA1
efb15b0733e3772917a0bdc56722f091d9253f0e

SHA256
eeb240b3e2f3ce8bcfb61cfd0c46cbc8315696740db06f011f2c225e8c732a19

SHA512
b514a50297e930f8a7155c40daad1cf79d5d7c0b6198cb37ab7b09e43629c534234bcff6ea6d73a4a3ce9fe9a6727018444d92c66c176e01e7544fa4c020f928

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b5ff859d3659511991717099e9e7dd18

SHA1
9d55b02cc34a9c919e3ad1820fd7178f9c9507b9

SHA256
de2d78460dd4bd60a6e10f3f7d358d8688d78d2de9d861803dc25851a0faa6bd

SHA512
2638e7c8d776132a7f87b8ecd36333a589561e731f29feeeb4951af756b16e6669694c6b6f70920f9a297ac1dcaa6e5ffc43b4ccaeea302d8398c7d99722d135

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0dd2442cf221751b067ba0950e4f99e0

SHA1
3f78ce6dd6cfeae2b6a2d37faf9c1cc02807094f

SHA256
a57eae4f61464eff98c7fc302be1edbbbcd12557622ea53854390010aa4479ca

SHA512
6c2a336954ad8d27b541dabca7242af16442790f0d7e1cd7e9ca298a202691d911bad3a801c155d55ee9498d6a2d557934f94e458167f0b31064cc473be8efc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f441147336e46eb05acb41b1ece6b1a2

SHA1
1b3ee3879fca49e0cb0ab0019bd19b025cbc517a

SHA256
8d761ed9a2c6e075086f7c1b2e0b169d45e068b2c659e461e879fc019ae4ec74

SHA512
f38a8127a41801733bc5c7c5676d3264846ef524d2020b964f75999e911c48e07a296bd157b6bb300b66d1a007af1ca3c182b42cfbeaf575e863079e6a941ae1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8a89801a191359034a30e44862437a79

SHA1
28b9201a527dd6529a2b37f12c61265b12d738a0

SHA256
178ec6ce945e557e825b326b593635d2bbd0eea2cfed5ab025c3254eafa8b5c5

SHA512
200212b50e66ccd4a9132561e83736a4e7f55697d681c715dbc3f1752200ddce9422766cf8172f250ce05415b8b2df1ab64e286640282c67cfbfa707377d3793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
58e4a4568578296a629a560f36aa6975

SHA1
5eb316bb00caa2d7b57822eb8ca4afbaea647a51

SHA256
4f8ba16426bf157ae8610f14206619c8af042ef6eaaf00e0e9762ac4d9f21966

SHA512
2f2fdf4145841d348cb0f88537365340255433c5ff43f9099e93c5b15e449819c75eb3d2dc2e1a660b409b333efb92415dd6053f5b12d96e0db18fef8b2ddc53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ff9348344c5e796f2aaff2abcff4c7d8

SHA1
4f6af9f3fecebd6f883d5d6b400b5fbf779e1780

SHA256
ffa8bfd9159ec1530ee3aac267e714eaa0677918e86d6749b86a660013746a5e

SHA512
0375da3250bc88dddc409a87e7e1fe9e537497cbc5870ae0dbe15cb14781df9c32930c0a24e23dedfa1149e7cb82ca75369fd79493debb3ab50eb00ad289673b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
585fef0ddb63e5d3ea0268e4f0ccf0e3

SHA1
9bf28c454e4eb5ebd85e98f58f65360557a601ea

SHA256
ac165a1e1dfff33e5fd984152020cc18d8ae734822bf044cc9afa0cb3ced9171

SHA512
7abec8d91d1bbc93693d0f8d4b61df88bd6581d61adeb084346c28fd7063d8905bfe49be01dd550466681373e697c76d07e431905276edac6edfff5d9d450cf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
185ddc216fe54154bb8d3bd6759eb0ec

SHA1
8b044b1d93aa897097e411ef694e3bf760b9a474

SHA256
7380a4aaaa495bef901016450adb67c591d421ab7824e82249479c3c4da82ff1

SHA512
ebfa00a13ba77dd20d4d18b796bc5166cce608122c3037041191423d1afd973b6eb50cc9dca38afbb6bfac37eba06741674966a64dc5e637fdd4b9d06baa850f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
82b6f6a8b1dba18a73da0b5d135917f0

SHA1
ac7879d86114eed9aa47bf14bc28d380c4b36c1c

SHA256
0fb5a4fc5f44ba46c38cd53365715b689708c94628a68383062cb4e85cd34128

SHA512
613bd452b4ff1a372e766a6f3d8bad1c0779b37c3efd0a95d2e56b1423b8814b76c919606c0c1ea1b086142f285aa3db8a6aec9da190d02fcd0458efc8d0902a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6a144e6b9e401e9bb736654b72da81f6

SHA1
b7a936f11f62e09dde2b511377db00f2f04f046d

SHA256
388a0910be3b7ed624d634b253fb9e28d86ea047b9101d781941dbf2c81bd1d1

SHA512
1fa87e780bf971d830a89fe1cc1c998bcbc4beab5c39bd54e7eb4f5cdef364da1d35713bdfca28784928480b75b53af21889bab1c5bf84efdc1f30e6d575eaf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6d82908f9f4e29a5a5a17a5e179d9a1e

SHA1
a9e43bcb8448ba60003a2f5be593cd86af40659a

SHA256
17b4894ae35036502ea652b86ea9adf206e0495e32f544b4205eab11adec12b8

SHA512
3c0da14f2993c5f55d861410da3ce2ee2fc346b65e68de35f8a6ae3844c4250a6dbdad070dbd61557e284d05dcb9f2aa02cbbaa2bec73825d0a661e1bc88c901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
afb78f549b710213168a76440f3d7f91

SHA1
71eccf46439777be27a6c9a9b0774dd6682f8318

SHA256
758dc15672b5f3a367ca6e3f48650aaed9abb951772a632c5aea645403f858da

SHA512
5a5327ff662f3b9f69a985e94286738d3231b4916ce88df9d973abbb696d0e39cc8e0c758ade7d3d8c56802a8a026ca869f33ca4d2b11d804eb11e9631d2cc40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7e3020ae080edca7c68d62b0146eea4e

SHA1
ea2fb87c98051501e9a3133c224364b89131a506

SHA256
419d77df96ff8a316801fe31bfecd851650d9f45190caa2b22b800bc1ed1702b

SHA512
d4b192fdb5f5d8be9cc854b9c872601aa0df5c91175521a545122d2fb1f2460b938dad7a54bb15aa01f6e44ceb3dbec4669f2da0596f655dd133499cd65f1a3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d193510ec7fda491ca1f8e0a76b9b3ee

SHA1
839a427c02199831ff763104209b96e2cc015b6e

SHA256
895a41b9ae9da2bcfab1d6814d65b9fb3be648c0e8ed364f304b19fa9d50909a

SHA512
ad875117ed4bf5d0e4b743aebd3c5cec0f37e4fec1c1745d9944bce929d84b3c4497211c8c5b34048a198c7d5c320b6b29c046ca9c3b83f69770c2fb7fdf6cd5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
0b6455f85967aeb948c3ae86b066c8b6

SHA1
bee6c7e0ac44ac4f47ffe97df8da90869aea457c

SHA256
b7796c892001b651fd5036745c3d0d6fe744ced3182defe7b5e8f61b3ed87b59

SHA512
c3b5f83eba58587eaeacbbefa182159ffae2a8fcef985209c2cbfc30ba0403960d8ca89a26a555cb5bb9d8524739740ebcf50baeb89803de088b47f8cd5f87a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\swflash[1].cab
Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1142.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf
Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar11F0.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1814.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1304-635-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1304-637-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1304-633-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2452-617-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download