ramnit | d399e3831cb2e9dcbb2566564eda0c8f03ec5c754b7c95ad409671d62a2fcf46

Analysis

max time kernel
118s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05cb994d8e7c5532cde6002b83a5e0f0_JaffaCakes118.html
Size

523KB
MD5

05cb994d8e7c5532cde6002b83a5e0f0
SHA1

38e6479871d9257ab191b2cdf14f5debe533d5a0
SHA256

d399e3831cb2e9dcbb2566564eda0c8f03ec5c754b7c95ad409671d62a2fcf46
SHA512

d19ed07bd906495bbfa96224586d7b04814903c436e26fc9e4a1739b3684cbdb45deee3b0304d341290aaac52b47e4569ee69f9a7f0c23df0b8ddb03e99e4f7a
SSDEEP

6144:SncsMYod+X3oI+YGVsjV6HsMYod+X3oI+YGVsjVRsMYod+X3oI+YGVsjVP:MK5d+X3zjV6r5d+X3zjVd5d+X3zjVP

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2612 svchost.exe
2904 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1832 IEXPLORE.EXE
2624 IEXPLORE.EXE

pid	process
1832	IEXPLORE.EXE
2624	IEXPLORE.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2612-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2612-11-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2904-23-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxEB0.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px143C.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8EA51801-058B-11EF-B937-729E5AF85804} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000011f7d0e282d100fe6e03fa5e77493ddf3202551a3e83b427052cba22c335eb7e000000000e8000000002000020000000ba0c8626cf893cd9addf742344aa21ca11a084228e634ec813ae56a01092859820000000617668bae7822498a5fcc51f73ee260a5d374394f5ca78340bfd668fde0a0a9e4000000036f8f162cdb41967edaac698a50fd8ccd20d4837480ba0ac216898d9af19c3a91f228cf101449cbb08f7fe90e6543f5c6e38372f5b8df308191ec30d5814e04d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420490110"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80d4b0649899da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000dc39fddd70aff53e024a322bd42d0388405d9520c6ef149052995725a509e819000000000e8000000002000020000000649d79db1097ba70f5b023d6a75ca12af6b509601b5f9bb9c30bf48f1154b7979000000082f5ade0ad629568eff35b3a98c2d5374427ad9e95f060461f7e5f26d4d9b3b0e2514302104bfdb65f8b2ac91b639047688bb6413fd194d0e2a2b814347a3e2e2df88dd0e41a12ed6babd260c419288e2430dbcdf4d29d8db7c4ee441fb197ad66186ba9c63b3ad2f3cc4b208e94eb7c58c62d925d91b16f1f26470cf3e090db818bc3615f328977b363bd555e541e97400000008ed11896fcf16404e28031cc8974b45fa5370fd77bd2e9febcd9fff30db11d736e26f2037a5ab59d5d17e88fc94c8d928baa4323051eba4b3dac2ad35443deab	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2612 svchost.exe
2904 svchost.exe

Suspicious behavior: MapViewOfSection 46 IoCs

Processes:

svchost.exesvchost.exe

pid	process
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe
2904	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2612 svchost.exe
Token: SeDebugPrivilege 2904 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2308 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2612	svchost.exe
Token: SeDebugPrivilege	2904	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2308	iexplore.exe
2308	iexplore.exe
1832	IEXPLORE.EXE
1832	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE
2332	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exe

description	pid	process	target process
PID 2308 wrote to memory of 1832	2308	iexplore.exe	IEXPLORE.EXE
PID 2308 wrote to memory of 1832	2308	iexplore.exe	IEXPLORE.EXE
PID 2308 wrote to memory of 1832	2308	iexplore.exe	IEXPLORE.EXE
PID 2308 wrote to memory of 1832	2308	iexplore.exe	IEXPLORE.EXE
PID 1832 wrote to memory of 2612	1832	IEXPLORE.EXE	svchost.exe
PID 1832 wrote to memory of 2612	1832	IEXPLORE.EXE	svchost.exe
PID 1832 wrote to memory of 2612	1832	IEXPLORE.EXE	svchost.exe
PID 1832 wrote to memory of 2612	1832	IEXPLORE.EXE	svchost.exe
PID 2612 wrote to memory of 388	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 388	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 388	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 388	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 388	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 388	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 388	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 396	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 396	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 396	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 396	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 396	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 396	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 396	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 436	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 436	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 436	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 436	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 436	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 436	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 436	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 480	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 480	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 480	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 480	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 480	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 480	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 480	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 496	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 496	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 496	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 496	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 496	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 496	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 496	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 504	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 504	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 504	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 504	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 504	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 504	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 504	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 600	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 600	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 600	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 600	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 600	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 600	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 600	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:388
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:480
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:600
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:320
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:748
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:828
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1180
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:868
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:276
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:304
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1076
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1112
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:3044
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2160
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:496
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:504

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\05cb994d8e7c5532cde6002b83a5e0f0_JaffaCakes118.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:340994 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2904
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:209930 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9b204c1b4f34ef6d21d3e2a8b504174

SHA1
9b287a1afcb9c3e3842265e3efec0256548d6aa5

SHA256
6ed95b3283bddf7327ef7ee30c5d3def13d6acf5e2a70aab7dbf95810109b8a0

SHA512
aad41fcd79ff94bfe8bbf3b26a30d896bfefc727f0a133570425aad67f6c8d6e392a0bd119004e89a16c2b993e2d2649b97376ce9269e08a2c704962600969f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12fa76e641931655177b9a3269bee406

SHA1
49d93cabd8f3fcbb7e1777d6c32db2bb0e0ed69e

SHA256
ccd5b9451149af6822f3df181323605d647ea7d434411823cf71708cda12c46a

SHA512
6c658b14cde5f04b06c65a395d36d6c1a5aabf26698043e5fe4edaa5e2afe81bd13247e5947bf1bf104d3f621ce61ca12ca41cddfc1277cc9d5389def8fb0c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b633c5f8ac9fc593744d729fdae3fb30

SHA1
650a45a2113acc02a5fdbf767c550c220659bbea

SHA256
4df0771c49dbd3328b5be072b9008ce483894966431122780e730fbb2ebbe29e

SHA512
146f03ac9aa083305774e0835360de9048be04894033230d4dfb0429b6f9d01342b1a797dc93d1a4604cc0946d794a9ddca560e66a3aa17523b1634b99ccc0a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60edb59873388cab00621202fa37da4c

SHA1
33d364432fc9b104fe701c1ea0ca0c32e3ddf071

SHA256
4846b448e2f406c0bea3d9951b8982cb2ad2101f854bfb2d5a3358786620870e

SHA512
b5c6fb87cb9e4e556252fb1253b646d82fd2e953dfd5bdd4a367cc21fa62529a4592e489d8836601fd0d67945f11d3d06a1f25dec6c0f0c015441e939e8e7673

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
679c5267083c41b643d4d7e5bd8bc264

SHA1
0185358ed9c8c2f0d299e9c5540a8a090c06e448

SHA256
c357d0cfca188180905fb8f0c020f90e28dcb253c4b6edff23972c052295e3f9

SHA512
e4c7963699a8d5eaf2a1047eb3c870f3cc31f70d36d7cdcdceb362d365fb1ed546e6a9ac8c2303dfec8e7366aec7872f7a5f62cbc68e7122f18c7e7a57290796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a75c1d2a7741f6c10f48300cfc3011e6

SHA1
e49c4f752055b5a0a8e79e145ccc952ab2b930de

SHA256
ffaef6a6a86c099827f540c3e6b58af16fc5ddd1e15f6ca11f482e354897e5d8

SHA512
49c739506b229db3ff31bca07d172a783e1e2f0db658519e560d40853cd7bd010438a5ad3797b7b4a0d4fddde52a23c9bc34e12e1eb05825b8d93cafe19562ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60a98b6f47543f2985916842d1ea2f48

SHA1
0f82dc3b43d9e5809d8eea7ce2f698dba05c8b3d

SHA256
62a48f1e9b9a0a9be8b0009b7b1d5958796260159ddbc977246f51efe0a31d29

SHA512
8d1f7dc7cbf1200cd9ddea1f10673429eb2db56602353775af1b92e1594e620627dba80cc4862ac04e1bce17ad3abbfe4042f060674757eb307616ec12f08216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c5ab739378118cf29b81e75254645d2f

SHA1
2468162c12a0fbb99bb0714437dcd44029f32a5b

SHA256
2f84dfe0074d336d706953159a5a2e99d6b932285c2d763e1683d339d2282c77

SHA512
25135ec5a9acb30fd027303e6e66f7d66f94a21c2f8dad9d6ccb863c67b2e8f1a9f6b76d2f327e5aba2371d7f26fa6c155232aa5db88515f8a7e1e9a558f96f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65b370394a6d8ca3bccdc3a8ffc5f4fe

SHA1
c8ca391766cc4c6bd980bc017fd9633c722a8378

SHA256
a71199808da28c215597f80f64eccb944c5566755862da107b5a926a7b1f8e95

SHA512
99ae51b60cb2938251d588c78ec638adc1feede946a2a8b373e4b1ec14ee50e001433e47b3620f624315ba07df090e67b4188d8ffd1efe60493a7f6b6b16e852

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc58bf2f8cef9931f6aaeaa6685b13c0

SHA1
4aab2982252c0bd6dcb95bd89457345111694282

SHA256
c281537e6e05d41bdb2dfd1b4daf6c9780c49f3014f1e868f76ca235f447f404

SHA512
73f9716cfa0742376d45db00f77b98ee945d1ccb99cf12dbfef4a6b8caaf8eb69e8005bd8a6b789f0b729f9a6cb40b363dda18fa25fb0586b26c5d9cf83e1266

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9af16dc884ee216aff32fee070b85ffb

SHA1
5f4243394a2e4ca5c50a70e61fa2fd1dbb163794

SHA256
4a381cded6de346646c365a8eed2b8ac9c47527024b85a7f40c0fcf1c0fc693e

SHA512
1dfb66678d73a4a607f6031be822107b6d63808f79f5018320a6a666edacba8b8e3ed00888fddbf050bd53ca2f2d6ca177fa3e39d92f9aa91d071ea74e91bee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37a3ba40c634c6ed99b8abdec8d99f82

SHA1
ced425651e5ab0d542d400add6e8a7801098b75f

SHA256
535daeed3058afafcb7dbdce7f2aee4442eeebf61f64a1a977ab96acc8b7d6c7

SHA512
13fd99116633fe7d1359792c0cf541d8925ccb7ff949bc12f9f00fe513907d33e3607df42689b5934cdc4ffb8b4cefbbaa67d2a2794e9894143f1b0da0b691e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9353bfb39f7732a08614e5c1cfa6a89f

SHA1
c23d1504fa4637c589d0981a500f5afb95078d63

SHA256
db4abc45f75716b94e49f70429e79fd71dfb3f873dd272d8779b0b6e44f7d417

SHA512
49bcd8857080fa96918e2a0a39ee45ed47d854a2cdeb48ed01ecffe318e2c942d42041af4590c0aff472502c7007519621a5d28a957385d134b078e155e08d06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69fd15778ce471b80e403288374b60f1

SHA1
a6d4381b594cc0704b8555076a2cdbea6019110c

SHA256
a03def05913e4d4ee9d98170704ac0220b342f2934203979c7f6b1d03d23060a

SHA512
de7d412e94c1645f5cd756afdee10e80a63472af1657d4fc3840070d3671d6b35d1c89c5a22b046f39d5a812f60098244ca0be845bd63ba5911947711a15c738

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9925f03786dc4e05a1d1bbc384444073

SHA1
ac65321eea76ac8945fbf42a6d5059a2b60708b9

SHA256
4ebf663dce6100f77978661f2dc0ac616524bda653e41a27f50e52a3ffe1dde6

SHA512
5eab5097dc74f6e14653685bb20acc6ee64becf54d22c886d1f9387da801a8edd44feee0a61abc84aebc3ed65884113e10392e390d603e4332bccbe0312acf9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f2f97306fa8ac69edcb65b1b92def12

SHA1
43b95d14c3c89eee232e89ed4eae8e629dc524c1

SHA256
bf54fed5783509b4e6b0cbddda87049328ad580e725da0ef427e610445a397f9

SHA512
ed1daa0dddc70cbd43aaa0cf918f2b1629952c70ce0543f1a1791c8765f2b0275ebccd16da23e3018b978cc9098c4a03d4cc4bd145d0849466c5345a95ac78eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
073700d760feef730dfa099c887429cc

SHA1
2b9222ab286707a2b7708cc03c5944e426ac7f42

SHA256
b967252f83d5f4d76a890a4ae2e3063fe8361f1eccf81a2de4a9a166ed58618a

SHA512
0519c2b15e7ce44b98fefa3aaeebb757a4dd2af6a5639be77dcda82926db3ae32a5ef85bb095f0ca42f6c572c0a5aeee888b676a20594392d7f6d83908b92b4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
665bfac7909e3fd7fd74adde81805534

SHA1
a69848782be9cbb8a91d6697a42a1566190acf9f

SHA256
6cd571fd8afbbecb4cd70a08c7a8eecd1b2310fea8e6d0bcfa7c70e8a3cd5c64

SHA512
258b86f46eeef46deca7e84ce384b9462e8f13edeeda08919c8d6aee159b87a5680257c9c5d09e5b8ae2408ec0edae43208b3be1ce7197c8d7387fd063fe31c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59e108a10acecb82542e7064a5bde28c

SHA1
9c7fa70366e40839c75c2a6bcef51abe2f604b0e

SHA256
1bf56da1030a2ddcefcb311b3c9f98adb956fcbecfe6b65f3e80439075ca7e71

SHA512
ee5b9f43be491d3155156046c5a7b38750ab453ea9d68df8c30b86ff1b282f18501f800c171b70fba6e5b49fb2705ae3d2c1c529bd75abbbb717c1da83bdf045

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecb7b56925c741d26d3046fcef8e5f79

SHA1
fa3fc477271deb0438ba85cb6fa19f5e9aa94198

SHA256
543315276ff5906929fe1c5fb4be14e91a4674fa781c97289a261ef148b3fcb6

SHA512
4959824fc2b3058cfcffdcb904964757713ca559a3d59aa9e9fd569bd968dc4241d57cc52e9013a78c5eb1bbde54a4dd0aa9f98d50417df4eca33c15c13d73bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
669ca568f6ac356b94eaa5ef12c1a7b6

SHA1
3d58ba7770ad7aa4a1665e1f95005e03e3e909c8

SHA256
c839c8193cf5bd63acd88939546fee3c57c76c2dc74a5656442309db4548e825

SHA512
1b3cf15a7fee6ca877952f5fe3a08aa651fc5543a900333008c91ad59d037e75996d541d9f02e7c50ec8b26c41fafc0c0906496a4693474acf0987265f542a69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\jquery-1.8.1.min[1].js

Filesize
90KB

MD5
e7155ee7c8c9898b6d4f2a9a12a1288e

SHA1
d1b0ac46b41cbde7a4608fb270745929902bac7c

SHA256
fc184f96dd18794e204c41075a00923be7e8e568744231d74f2fdf8921f78d29

SHA512
00f96415745519916c4ef53daafba8fa6eb9de9b75b2a1e3d55f9588ff759b80a90988f0c79450214ba13ec06f4f4cc915fbb2a493f4f1983b9aea63e9e99fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2CFC.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2DDE.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
84KB

MD5
666faefb80b2c2c4028875ce8cd6f3a0

SHA1
1673f5ea1664c67f539a7c31f7fe7cea5a7ae63b

SHA256
da43233d34e8369e6802cea5dbfa9fa46b07b544bd85edd8f256692a5d34fbd4

SHA512
c375ced9c64a0c33e2af498fcdb81c995cc6254e9f6d9f8d7fbd90571abe4ac00d3a1eae51eee4e45c88aa77ed765d86014c043950ff06c0367957ec6786b41b

Download Submit
memory/2612-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-10-0x00000000005D0000-0x00000000005DF000-memory.dmp

Filesize
60KB

Download
memory/2612-9-0x00000000775B0000-0x00000000775B1000-memory.dmp

Filesize
4KB

Download
memory/2612-8-0x00000000775AF000-0x00000000775B0000-memory.dmp

Filesize
4KB

Download
memory/2904-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download