ramnit | 9b9ff08b97d954af34f5665531b9e5bb72394115cb7e2fd00a9b9e364ddae47e

Analysis

max time kernel
146s
max time network
128s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
09-05-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a3ffad98aed30f0bd8a015d83d8d684_JaffaCakes118.html
Size

247KB
MD5

2a3ffad98aed30f0bd8a015d83d8d684
SHA1

2a570f4531fecbad04ef27e393cdc4e3c0ca5f52
SHA256

9b9ff08b97d954af34f5665531b9e5bb72394115cb7e2fd00a9b9e364ddae47e
SHA512

41b3d5ec7d57c8ac360b6a3c6569ca839ff58ef60a26521d6de4fc818d9153252d39e6cb3265de84905d3608092517459e548d13ce55fd59e92bbfc87989570a
SSDEEP

3072:SouyfkMY+BES09JXAnyrZalI+YuyfkMY+BES09JXAnyrZalI+YQ:SoLsMYod+X3oI+YLsMYod+X3oI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 5 IoCs

pid	Process
2296	FP_AX_CAB_INSTALLER64.exe
2080	FP_AX_CAB_INSTALLER64.exe
2768	svchost.exe
2740	svchost.exe
2224	DesktopLayer.exe

Loads dropped DLL 5 IoCs

pid	Process
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
2768	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x002b000000004ed7-1394.dat	upx
behavioral1/memory/2740-1405-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2768-1404-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2224-1415-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2740-1417-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6806.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px6825.tmp	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET2A2C.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET2A2C.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETC591.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETC591.tmp	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f059d3c917a2da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c60000000002000000000010660000000100002000000034ba24b6dbe20762bb488ceb334942ea65523b13520e307a0d470675857d4ed2000000000e800000000200002000000086ab2a118f17cdc8adbede581ad08b8f21fcdb9ed96be3a5a63fc18908123708900000006518aa75f75eb4e810b20e46cbd73865038d1608b03c4ef114334106eb1639d0041a93f5c646dcd02f59e16167b56a97b9bbe600c939d540ea64b1ece84df9f8e456e5a1cf065165802feda30a270120a1d4000fe7eaf2b92784834bcde236c1c73fce8eb60e499f9787a07ab1983936d64969027745bd99a2fe692f7fe1187fbe25cc8c5d92e39586ffac1c6c4a8c1840000000bb93379edc99741af6d0993b2df1ff46ad19997e2bdb1b5d305e068bda52033aedf359096c70cf50063fadeabca87ce79651f16ded8d8a1d8ddd5581cfd19f0f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421424420"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c60000000002000000000010660000000100002000000013c31f6308768a39b9fc1ee64fcff8153bda26f76a74b3dd80822e79efcdaf55000000000e80000000020000200000009e6eb9ae9b66477f2e8339b2c179b3b99899205723536ce5386be3fc59bb495c20000000eb56c414257b2d80cd96a19a987e54a72ae38694eb7b5ee9c8ec17c82e9d39444000000015a203c9e886f2229a4322e7276bf7379cd67dc66e87734f81b48ebacd3250d6b8795559faa414dd48ace09e3003d486dc5d26287ed614f53e2ec2adde96f33d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EACBC7A1-0E0A-11EF-A339-D22A4FF6EED8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2296	FP_AX_CAB_INSTALLER64.exe
2080	FP_AX_CAB_INSTALLER64.exe
2224	DesktopLayer.exe
2224	DesktopLayer.exe
2740	svchost.exe
2224	DesktopLayer.exe
2740	svchost.exe
2224	DesktopLayer.exe
2740	svchost.exe
2740	svchost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3000	IEXPLORE.EXE
Token: SeRestorePrivilege	3000	IEXPLORE.EXE
Token: SeRestorePrivilege	3000	IEXPLORE.EXE
Token: SeRestorePrivilege	3000	IEXPLORE.EXE
Token: SeRestorePrivilege	3000	IEXPLORE.EXE
Token: SeRestorePrivilege	3000	IEXPLORE.EXE
Token: SeRestorePrivilege	3000	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2488	iexplore.exe
2488	iexplore.exe
2488	iexplore.exe
2488	iexplore.exe
2488	iexplore.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2488	iexplore.exe
2488	iexplore.exe
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
2488	iexplore.exe
2488	iexplore.exe
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
1580	IEXPLORE.EXE
2488	iexplore.exe
2488	iexplore.exe
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2736	IEXPLORE.EXE
2488	iexplore.exe
2488	iexplore.exe
2488	iexplore.exe
2488	iexplore.exe
908	IEXPLORE.EXE
908	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 3000	2488	iexplore.exe	28
PID 2488 wrote to memory of 3000	2488	iexplore.exe	28
PID 2488 wrote to memory of 3000	2488	iexplore.exe	28
PID 2488 wrote to memory of 3000	2488	iexplore.exe	28
PID 3000 wrote to memory of 2296	3000	IEXPLORE.EXE	30
PID 3000 wrote to memory of 2296	3000	IEXPLORE.EXE	30
PID 3000 wrote to memory of 2296	3000	IEXPLORE.EXE	30
PID 3000 wrote to memory of 2296	3000	IEXPLORE.EXE	30
PID 3000 wrote to memory of 2296	3000	IEXPLORE.EXE	30
PID 3000 wrote to memory of 2296	3000	IEXPLORE.EXE	30
PID 3000 wrote to memory of 2296	3000	IEXPLORE.EXE	30
PID 2296 wrote to memory of 1288	2296	FP_AX_CAB_INSTALLER64.exe	31
PID 2296 wrote to memory of 1288	2296	FP_AX_CAB_INSTALLER64.exe	31
PID 2296 wrote to memory of 1288	2296	FP_AX_CAB_INSTALLER64.exe	31
PID 2296 wrote to memory of 1288	2296	FP_AX_CAB_INSTALLER64.exe	31
PID 2488 wrote to memory of 1580	2488	iexplore.exe	32
PID 2488 wrote to memory of 1580	2488	iexplore.exe	32
PID 2488 wrote to memory of 1580	2488	iexplore.exe	32
PID 2488 wrote to memory of 1580	2488	iexplore.exe	32
PID 3000 wrote to memory of 2080	3000	IEXPLORE.EXE	33
PID 3000 wrote to memory of 2080	3000	IEXPLORE.EXE	33
PID 3000 wrote to memory of 2080	3000	IEXPLORE.EXE	33
PID 3000 wrote to memory of 2080	3000	IEXPLORE.EXE	33
PID 3000 wrote to memory of 2080	3000	IEXPLORE.EXE	33
PID 3000 wrote to memory of 2080	3000	IEXPLORE.EXE	33
PID 3000 wrote to memory of 2080	3000	IEXPLORE.EXE	33
PID 2080 wrote to memory of 2436	2080	FP_AX_CAB_INSTALLER64.exe	34
PID 2080 wrote to memory of 2436	2080	FP_AX_CAB_INSTALLER64.exe	34
PID 2080 wrote to memory of 2436	2080	FP_AX_CAB_INSTALLER64.exe	34
PID 2080 wrote to memory of 2436	2080	FP_AX_CAB_INSTALLER64.exe	34
PID 2488 wrote to memory of 2736	2488	iexplore.exe	35
PID 2488 wrote to memory of 2736	2488	iexplore.exe	35
PID 2488 wrote to memory of 2736	2488	iexplore.exe	35
PID 2488 wrote to memory of 2736	2488	iexplore.exe	35
PID 3000 wrote to memory of 2768	3000	IEXPLORE.EXE	38
PID 3000 wrote to memory of 2768	3000	IEXPLORE.EXE	38
PID 3000 wrote to memory of 2768	3000	IEXPLORE.EXE	38
PID 3000 wrote to memory of 2768	3000	IEXPLORE.EXE	38
PID 3000 wrote to memory of 2740	3000	IEXPLORE.EXE	39
PID 3000 wrote to memory of 2740	3000	IEXPLORE.EXE	39
PID 3000 wrote to memory of 2740	3000	IEXPLORE.EXE	39
PID 3000 wrote to memory of 2740	3000	IEXPLORE.EXE	39
PID 2768 wrote to memory of 2224	2768	svchost.exe	40
PID 2768 wrote to memory of 2224	2768	svchost.exe	40
PID 2768 wrote to memory of 2224	2768	svchost.exe	40
PID 2768 wrote to memory of 2224	2768	svchost.exe	40
PID 2224 wrote to memory of 1028	2224	DesktopLayer.exe	41
PID 2224 wrote to memory of 1028	2224	DesktopLayer.exe	41
PID 2224 wrote to memory of 1028	2224	DesktopLayer.exe	41
PID 2224 wrote to memory of 1028	2224	DesktopLayer.exe	41
PID 2740 wrote to memory of 1276	2740	svchost.exe	42
PID 2740 wrote to memory of 1276	2740	svchost.exe	42
PID 2740 wrote to memory of 1276	2740	svchost.exe	42
PID 2740 wrote to memory of 1276	2740	svchost.exe	42
PID 2488 wrote to memory of 908	2488	iexplore.exe	43
PID 2488 wrote to memory of 908	2488	iexplore.exe	43
PID 2488 wrote to memory of 908	2488	iexplore.exe	43
PID 2488 wrote to memory of 908	2488	iexplore.exe	43

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2a3ffad98aed30f0bd8a015d83d8d684_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:1288
- - C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
      4⤵
      PID:2436
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1028
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1276
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275465 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1580
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:603148 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2736
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:734235 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
64f7eabeeda295045a9ee0670c1f0162

SHA1
001f6a9091c9b0233c18cc61fd06ed3bb063ddd8

SHA256
b59aa9dcfae6a7636c33901f375bb83b06ab47a089bb684400627889bcc16364

SHA512
7ad772c9723fbcf5daae3cc80eaca83f2fb1ccff7ca3a7219935014196a33185b2aa0cc6f6863bc8d85dd9273ca7783a139174988636458cd02ab9da4bd60f8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4fceb2cce6a99a2d77437aaf78951a68

SHA1
bc4566cbd5b54612c51f7362a144398b20f25ac6

SHA256
1f5533331f6473361f213bdd86cf03a50171866a1d4e764ec836ef38e6fb938f

SHA512
9d316e2df3310f70b2b81e3bf2d61ed06b5091822364652a58754c80a076bfbfa49d82a8906e89b84854bcc2eaf5ae4da366f32b50afb518e6a36821f12dc458

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ad0d7af68a2312d77e9dfb1a4306cb9

SHA1
ca340e02b914d1ae6c69bad99280bcf7520cd9e5

SHA256
dd7984f90614985e5a90bc161590a96586ec02a384603a76e919a2b93809b339

SHA512
c7f37f1837607781108d4fab2e898401970ca1e4db2703d9569982cee921e9675e0daf49ec729eb24e807366aa1c3a9159a4932304df83c6b69702fc2f8634f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d63d078fb4a1b832e70221bf701ffb76

SHA1
f96f82d7c0e9fd9bc909bd19e3bc91b4778bc6e0

SHA256
2323b928e3dcc2f5b87c87029702aedc7a300779cd33feaadc6bf50c5e4eed1a

SHA512
bb5840706989265374d22e13d0e353a46cefe6142e2c3cb03325c087f3410f0c1172b3a9aef687af705fabf255700c745e7ad6e72532fb738781602255b3c023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fdc4296166dc01d6c6bb816e6d52e29f

SHA1
806f7c314cd8344e399238632ca4a43d2b2d5747

SHA256
0ad4711ad2e94f1654f3ef54463cbcea00ba4f60d102515d264d47b050928482

SHA512
302cd5b2177a600af41ce4c7a33b7a512d0ad307180da09118bf97cd8ee2089da9a584089c13f57def86a723bcbd38ae0440431c040c0bce4bd6313de39002a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64da2cfb9d5cabcdf0b22378bf819ecb

SHA1
694d127c25267b129d7e826a656f42541d09ad88

SHA256
a3413f02d2eb77ed792288cf06017b6b0b930185f370626de17f14d203d8a34f

SHA512
c62ed23bd96032fd8800df72fb44ca61d14b651d88488638386428e38672f4fd5af0f2bd94eff2398484758b5c2fa2b8582ac4792a548ef6e3e3a688c55c060b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3d60d49b8095aca675d37a608bacf6f

SHA1
f3fa600ad05791dabf7daa686ac461f154bda83f

SHA256
e0a576334e7d7b245e1eea068d7583805e9751df8a73991e33dc4b943ee0574c

SHA512
a5a0fc2799e07234d9fd798128284ee12a7c8f2d86ed919fe26d6fe1906988662c843c6a11f644fb10901c6161ebfb2c8837de8451395f1f66f13e4f05cc1fb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff0d5eb181beb40cbafcf3e5bfcde375

SHA1
d6579393600fe21134a75ed1f46077743e5cd4bb

SHA256
677b4bed82f7ca9a4077890aa3117d86646ff583fa23f2f04cd85f9454f50fa7

SHA512
975ddfefd8c18b2344e9c7d5fbdd13c019c8e0530d57453434f3c919cb3c2280f848116fef8d923b7d8db9129690b289b252c18ae3fb64fdb1cef7b876b586e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8ffdbde8fd9fb271cc3d316b493713f

SHA1
c4d11b22ba9f335e9977e153aa43246ab1f22678

SHA256
1b773ea5fb0a623421a336fb826c2ca7f6ac29e7fa4372afd64ca937ac53e9d6

SHA512
c5d581da1d15e3f640c6b11a6446f3d77cda20428bce233afba4d097dd49e612c91e888010cba382cee4cf98d4d84a96fea9163a6cbc50cef675b0df5e50e147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15747b287b9204cbbf0dc75289eb1c57

SHA1
75658fbe760aa6c8ee248fe40092a5227cea2354

SHA256
04acc07673279cd160c9843210bd6354194adaa479c8deeb425180459030d781

SHA512
90bd8b6db324cd02edb74c934b1ee06ee60f4809aa9defaa64bb8fb63b44a9ec25a4fdded156295ad56b527baf535e4e2d17e8da96e0c07f8c208b098c8617af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
56f9fc890ea19044af1f1f7489a5e76e

SHA1
f65e8b12361a9df4f85b4afa81df4270b8242c42

SHA256
b3628557f8c25c0a44eccd0e378b62b61224881a6f25190640c3f58d6301206d

SHA512
811c7a936bc3966862ccea642c083dcd8aa5b91108c4d9b34d03c741d14791a7e935d2c866e2958a132517a601dd655a04a9a5680d6adf109cafaa9fda12aebf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d161c10c51079a0ec6540d05e07e18f4

SHA1
91f394a3596e0cb2231f09011d2c329382cdb02b

SHA256
3259876e9407f56375d87f23327f5221530d4af28c2193e921b83bf4c47c0e5d

SHA512
c4173ae706ac40a44df0ec57b044cd3c940fa7de99e1b97c3c03403999bd8463c579e5f0b13dedd3041a2384066e4951dc98be80acc80b10b139d99d2fded04a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9e9bb051d5c821901d096aca365150c2

SHA1
a275b8d611e3846e23fd16e5f530bc2e842e5b3c

SHA256
e10db283bcd7936067ef8f61caffaeaa42ef67b6b3cd09f95706bb45c29aca80

SHA512
425bdd4b7685ce977722c4b890b69c15b283d71bfc7aeac898a8e04be9c64b34f31e10b4570f45e9253af74e6b145c3f6b8040aea38569278be9678e7e2d26e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e74e74276a65670385dbfd0546cc0276

SHA1
6620d14989a108538f7547e262d48c06e5d62e85

SHA256
09f4fcd676d56cab90d0098cbf6d4fe6c8d48b587308a2ac90088da3ef6decfa

SHA512
dabbd4b862b1858193bef8d5cb6f120b8c978a47c5628716feb379661ebc9c70e0671ddd0f8d6ac8247e3353b38559abd235f183737a31b7ad5d7b24c45177c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OOWQLMJV\swflash[1].cab

Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2030.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf

Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar211D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar59D4.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe

Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2224-1415-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2224-1412-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2740-1405-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2740-1417-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2740-1413-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2768-1404-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download