ramnit | d964afb2e08496352fa926912d9c6f6dc1d1a10bd13c4660ded4e81af1b4c030

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23176c9bd015f578adc37755551f98a6_JaffaCakes118.html
Size

569KB
MD5

23176c9bd015f578adc37755551f98a6
SHA1

36c20d5ff1d75a34aa447120413704b3f16f4a94
SHA256

d964afb2e08496352fa926912d9c6f6dc1d1a10bd13c4660ded4e81af1b4c030
SHA512

f4634beaf3bdf219cd78c996c08994f7fa0008d816659a950dc02c25f834272afa9b900222e2ed49edd6c7009ca84bf059e480b36685472e32c3cbec662d8e7d
SSDEEP

6144:ZgsMYod+X3oI+YNsMYod+X3oI+YRsMYod+X3oI+YlsMYod+X3oI+YGsMYod+X3oL:ZO5d+X3b5d+X3n5d+X3z5d+X3C5d+X3c

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 6 IoCs

pid	Process
2640	svchost.exe
2684	DesktopLayer.exe
2584	svchost.exe
2432	svchost.exe
2872	svchost.exe
1868	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2696	IEXPLORE.EXE
2640	svchost.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000016d06-2.dat	upx
behavioral1/memory/2640-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2684-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2684-18-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2584-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px25E8.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px24CF.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px258A.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px25AA.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px25F8.tmp	svchost.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000e37c77583b55fc9e1250f8e0f5667494b094c2da243d9d34304edb72e398cbee000000000e800000000200002000000089560a5481fdf52fed1751fe5c7d5357b852779ba9e949d2fa49147c87a8027c90000000851fa54cd103109180c45f1d5ea2e05332aed8db4bf898f89acc078c97b09c4c5c434e7696ef4a218ce53eb7df8e400a060bacbe083fcab8c432cddb0b39605fe738fd447f41c605c565b5f591e0bb22bc644f4499a59364a09cc1a02d03a2f00fb8ec8550b7da342276f236f8f56aa01e6fdb07845920dbadf66e82954a54dfe641b375fb4c566701b6634b1fa12a6440000000ed6272e376b581ee84e0d71ea83b2ed32ef7ada297b5c8485ab22e63b73e102cb4c499601dc5575db7d00410a271cb3738b0507b5351b963a25ae21dbcf02839	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421302550"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0deecfffba0da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000a2dcf79777d455b65cb7af9ad2547285858b5e012da00686fe3414aec9bfb45b000000000e8000000002000020000000f09d3f39e78614396a1baccc1d079680dc6dad7d2c7aa9eab581f2313b6152a62000000099f26c57951298e34f05f95dae6d5c61c0391a097108ed378ec49f99f640ea98400000003a102cd904c6786c9cc267f9c783a4d0d188310652ccb4bfd88300145bf434a904be87683c531b6fff286e53474cf09f9680120ea3ea848209997387601de0a2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2B2B6521-0CEF-11EF-8F9A-6A55B5C6A64E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2684	DesktopLayer.exe
2684	DesktopLayer.exe
2684	DesktopLayer.exe
2684	DesktopLayer.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2584	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2432	svchost.exe
2872	svchost.exe
2872	svchost.exe
2872	svchost.exe
2872	svchost.exe
1868	svchost.exe
1868	svchost.exe
1868	svchost.exe
1868	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1244	iexplore.exe
1244	iexplore.exe
1244	iexplore.exe
1244	iexplore.exe
1244	iexplore.exe
1244	iexplore.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
1244	iexplore.exe
1244	iexplore.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
1244	iexplore.exe
1244	iexplore.exe
1244	iexplore.exe
1244	iexplore.exe
1244	iexplore.exe
1244	iexplore.exe
1244	iexplore.exe
1244	iexplore.exe
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
1244	iexplore.exe
1244	iexplore.exe
2700	IEXPLORE.EXE
2700	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2696	1244	iexplore.exe	28
PID 1244 wrote to memory of 2696	1244	iexplore.exe	28
PID 1244 wrote to memory of 2696	1244	iexplore.exe	28
PID 1244 wrote to memory of 2696	1244	iexplore.exe	28
PID 2696 wrote to memory of 2640	2696	IEXPLORE.EXE	29
PID 2696 wrote to memory of 2640	2696	IEXPLORE.EXE	29
PID 2696 wrote to memory of 2640	2696	IEXPLORE.EXE	29
PID 2696 wrote to memory of 2640	2696	IEXPLORE.EXE	29
PID 2640 wrote to memory of 2684	2640	svchost.exe	30
PID 2640 wrote to memory of 2684	2640	svchost.exe	30
PID 2640 wrote to memory of 2684	2640	svchost.exe	30
PID 2640 wrote to memory of 2684	2640	svchost.exe	30
PID 2684 wrote to memory of 2772	2684	DesktopLayer.exe	31
PID 2684 wrote to memory of 2772	2684	DesktopLayer.exe	31
PID 2684 wrote to memory of 2772	2684	DesktopLayer.exe	31
PID 2684 wrote to memory of 2772	2684	DesktopLayer.exe	31
PID 1244 wrote to memory of 2700	1244	iexplore.exe	32
PID 1244 wrote to memory of 2700	1244	iexplore.exe	32
PID 1244 wrote to memory of 2700	1244	iexplore.exe	32
PID 1244 wrote to memory of 2700	1244	iexplore.exe	32
PID 2696 wrote to memory of 2584	2696	IEXPLORE.EXE	33
PID 2696 wrote to memory of 2584	2696	IEXPLORE.EXE	33
PID 2696 wrote to memory of 2584	2696	IEXPLORE.EXE	33
PID 2696 wrote to memory of 2584	2696	IEXPLORE.EXE	33
PID 2584 wrote to memory of 2416	2584	svchost.exe	34
PID 2584 wrote to memory of 2416	2584	svchost.exe	34
PID 2584 wrote to memory of 2416	2584	svchost.exe	34
PID 2584 wrote to memory of 2416	2584	svchost.exe	34
PID 2696 wrote to memory of 2432	2696	IEXPLORE.EXE	35
PID 2696 wrote to memory of 2432	2696	IEXPLORE.EXE	35
PID 2696 wrote to memory of 2432	2696	IEXPLORE.EXE	35
PID 2696 wrote to memory of 2432	2696	IEXPLORE.EXE	35
PID 2432 wrote to memory of 2480	2432	svchost.exe	36
PID 2432 wrote to memory of 2480	2432	svchost.exe	36
PID 2432 wrote to memory of 2480	2432	svchost.exe	36
PID 2432 wrote to memory of 2480	2432	svchost.exe	36
PID 2696 wrote to memory of 2872	2696	IEXPLORE.EXE	37
PID 2696 wrote to memory of 2872	2696	IEXPLORE.EXE	37
PID 2696 wrote to memory of 2872	2696	IEXPLORE.EXE	37
PID 2696 wrote to memory of 2872	2696	IEXPLORE.EXE	37
PID 2872 wrote to memory of 1648	2872	svchost.exe	38
PID 2872 wrote to memory of 1648	2872	svchost.exe	38
PID 2872 wrote to memory of 1648	2872	svchost.exe	38
PID 2872 wrote to memory of 1648	2872	svchost.exe	38
PID 2696 wrote to memory of 1868	2696	IEXPLORE.EXE	39
PID 2696 wrote to memory of 1868	2696	IEXPLORE.EXE	39
PID 2696 wrote to memory of 1868	2696	IEXPLORE.EXE	39
PID 2696 wrote to memory of 1868	2696	IEXPLORE.EXE	39
PID 1868 wrote to memory of 2704	1868	svchost.exe	40
PID 1868 wrote to memory of 2704	1868	svchost.exe	40
PID 1868 wrote to memory of 2704	1868	svchost.exe	40
PID 1868 wrote to memory of 2704	1868	svchost.exe	40
PID 1244 wrote to memory of 2744	1244	iexplore.exe	41
PID 1244 wrote to memory of 2744	1244	iexplore.exe	41
PID 1244 wrote to memory of 2744	1244	iexplore.exe	41
PID 1244 wrote to memory of 2744	1244	iexplore.exe	41
PID 1244 wrote to memory of 2748	1244	iexplore.exe	42
PID 1244 wrote to memory of 2748	1244	iexplore.exe	42
PID 1244 wrote to memory of 2748	1244	iexplore.exe	42
PID 1244 wrote to memory of 2748	1244	iexplore.exe	42
PID 1244 wrote to memory of 2008	1244	iexplore.exe	43
PID 1244 wrote to memory of 2008	1244	iexplore.exe	43
PID 1244 wrote to memory of 2008	1244	iexplore.exe	43
PID 1244 wrote to memory of 2008	1244	iexplore.exe	43

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\23176c9bd015f578adc37755551f98a6_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2772
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2416
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2480
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1648
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2704
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:209931 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2700
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:275467 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2744
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:603142 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2748
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1244 CREDAT:799748 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
57ef43baff3103478e8acc7f99c0ab96

SHA1
668f4e2fb1217091a29363c58d1ebad8b10882cb

SHA256
f45fd1ecac45d4e5b98ef416c8cbd1f49f038ce9179de4bd8e797b72a12a1bcb

SHA512
168bd0e03578d543796b6c81f96fa85cc701ab32fac5724d879698b172f352fe8bc44ae4670ea7635ae96d53994b376f81d3030474a4af8d8f152661fc39b870

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37a92ea7fee8f1b84700e4481516cf09

SHA1
8bdef424c476012756eda75fc3f372154f3fcd70

SHA256
4dfb601c8908fe4821d28e94b2d4e616155aafc9bf6e4588f0da2d361e184173

SHA512
cf058862a10ab059543bfb951ce68cbf874589c2d1ffa5ac9d06164d345b0cc389f98886a50983786737979d2c9861e7c4ec75b0a7b34e819a20dcd7060b8bd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bcbdac35d8c028c224ff8bef21e22826

SHA1
4135d14976ce254fd588efad6c1459b4044eedcd

SHA256
dceebd1afd3dfb13ae7a0b886ed8f3d29f5514489b70177c4635da5199c1e59c

SHA512
4a4f6d9cdcc4499229220e02ddb1cb5ae2249917f51c195ada9e0338fe8d980b459e46eed86d801d0fa3ffe55d8634cd523364b4e3c813618155d7a4146832ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
394d48b55022d111cedba3ee72b8339b

SHA1
9dac0590d646a962e2d69cd7ac13440dfe81ce2b

SHA256
af8b9671b1b42f9d2104e5bc32ba9269f6e313b6d2556eb1a40a59d35bb01aa0

SHA512
e41ed946826636228534adea6d5d2e27c5cbea4b38840c2e8a12ab100d85f7b3837929980f924cc4f5c71fea461bf8a7b6b0cdf9d891371782aea7e569557d4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a066e7dcc48923d4e4a38dc4367ad3f9

SHA1
1ea6ddfb2b09e3762473563cbe3afe07dc7d222d

SHA256
0619a8caef92aefbd6c9ee2ff205f3e9d060b2bf6301a3b392b7c05098c46d0f

SHA512
b307190e759e045730917b6a83a0646e814830bdc96ec181144e4a18df190ee83a335446f3018978f04b7762ab8d9cea416da099ba197b706ed6bf10c6663718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aebcbc9e8e2d9384e0c23d91e3f17236

SHA1
c5a8a3ea4de2f22da4f9e249e1728314ce9b661f

SHA256
b890dddb1fc1a15e1705545680e544dff1d898588e20da34779041f8c7b85296

SHA512
abb1b1e867efee7382d240479ed7fd9f5de675c584f66cefde54a4d17ef4fcee0b6e4bfcb415855e529c041a2fc535409fffbcb2390e0853a91ce2c98a6a6f2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ba48d8c5574cd1c811a76f88c965633

SHA1
b8bcc89abe389763fe6ff7af2a38b57897e9e841

SHA256
7a92cb2080f6dd7f34ec8dcee3412261c200aa26249fb987763450c10e021e2d

SHA512
90372ad84155c7d54ee2c9077e658591046444b08c9615b55f83758f55d635dfd186af4dd72eaddb58b2b54cd84a6a7620cf96c787e54e2fe80bcac32c472bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58ad64f881ea6c1a3a97db9c79695eb1

SHA1
cc161a188bfd8f2296525fff85154eaf58e28644

SHA256
f1b93a97f52d1277540fd5dd798c5057d3eecf215a7517b3c28a93964035b3a1

SHA512
f4cb48fccf91f8fe380586016895ae6222d33d97c75154c9bf2b7b4478d8ac3710270015ba714776b6ca4749b22614be5ca54e2eceb2eee6c1258109dc9f5af8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03df50660982ad4302ad9e083d58c6cf

SHA1
a45ffd880cf8d9f5abe4be90044e59fa63c27a74

SHA256
fee480b67b44205a458677ccc625f654480b398a107f6473935c062c16bdb0a5

SHA512
6433289740800b151e5b52f2e1c4266941fc5382eed60171cbf33337bc6e9c077d91a8582b9c98fe2df632aad0908bc23d64e4691b795148d1ca21414c579dd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb934b00d34c73a223dfcd9f8d8fc31c

SHA1
edbcad4ff615f64ff0d27b4b0b6e7f95fa586daf

SHA256
94ea036064de66e6a333be44ab7c90b2ada582d6ddd26597b32c57f7a1482ef5

SHA512
54952056522e4d7b9255643e771681a827946d02d9da1a8ab2b1222dd6281c8b9e7dc438a3bd3103f176dc5f99bf81e75ab4b3bff300404e7b65ce886ff11c37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7916667116711620fd592bbfaf49ba6c

SHA1
4082cc77bc4cfdc5ec81f53a7fc980072825ccbb

SHA256
5d5557f1b681ebe49ddc8a284d9237394f94c30d7751085aff5c1192491e2dd9

SHA512
7103c7943aa1fc340394f7f70cdca8c5d8737e2f7be846f93f223f9c694ad0fa9b6804e2e6b32537d8b60f33cc80555131fe76ee442c07606bc26948aa406f27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67f4406cafdce41e8b3351f30555ddff

SHA1
1434b0f8a4eefe8baa057ce38cab315b3cec9476

SHA256
ff649be2959a37e2292cca4481f67ef8c8e022fdb2d8437c256226c0cb088253

SHA512
7242160c2f25ccab27f6a95de2445d9bcff291893ff477bf7f5904ebb0dd394f7c166dfdd4e724388c51fbc1fab633a6d5884065289ccd639f91dd71aec9b097

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d49a84630b465df1a12a39eed9f4900c

SHA1
853e9d8b0ab1901aa21578dab8197a9f73536133

SHA256
a302d9b03ca4424918dd4786ae34ef255ab5db3cc3492472e122890803f15562

SHA512
ea347013f98ea3e626a57cbb3f35c054e2340c3019e6934db8881409289de51c427ca6a8513b447ad4f7d3943d347d3b0e54959339fa2842e6b646f3ae3d901e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0547763e1f92eeb5a85fd2d9829233ff

SHA1
9ddb1dc9bacc2864223d3736ed0b9d30c87c39f1

SHA256
4bc7a2c124d2dcc16dd09a744476ffbb4673c6d50d9b543be2b9590df44ffa1d

SHA512
4aff6eacd36e872771b78b632bf6fdd8f7957d386021576e64ef85250a23232dbeaa03bf83fb08c410676b04d78d0b2255f8cf7e2af5b9f64ccf3691c5727e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3906fc372a838c1c32a10093c26d4645

SHA1
9cbe8b33889408ce1283d0bd56320b1f89c8cd9a

SHA256
95af0b6592bade5d8e890d4321c3d6b5f333846cddbff5f2187309fce0dbc1d3

SHA512
1a7d5cc2c506d07053243d6636e0de841cd728de1bb3426301bdbb6c3130f784c309591f6c6344dd51a74e40c5c08413add81d69fc241f01c898844ec1b4d684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
436eac78a3d0623192ffe5e3fbf78298

SHA1
f2e154cbf28e5f24981b93baaf7e5659855569fe

SHA256
d59f22e304e476f29d8ea91e931dc8b224483247055221e541d336fccde48e5b

SHA512
ed1ab65420531509df5c49d4a5684c345237e9b9a9741654979e1328e8868cbe48822205db337158233d0dc9487b99dcc07516a2dc9ab494de0d789b18efb995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97df8507f8a22a13b748f380160047b9

SHA1
ed414cacb7da64328050e390041093eb6608646e

SHA256
d47f86d153d861106e8efe3edd63078200a3ccc6df45302abe7451d537ff1ead

SHA512
6f03ae1f90b6c2f9aa2eca941049e0f5c87f6e45a873476220a8497b6d87213c500982950bf7aac96c12cd58fc4048628f4d936d1448ecca8c26823bc7b664d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3B1F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3BF2.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2584-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2584-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2640-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2640-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2684-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2684-16-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2684-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download