ramnit | 889023eac38801449ee85942ce684228c37e1299b88e9fd83cddf23070a08d07

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64759bf4eb2e911726bb066b5adb062d_JaffaCakes118.html
Size

520KB
MD5

64759bf4eb2e911726bb066b5adb062d
SHA1

c8a1b643d15edd19c1fb276ab5fd317bdfc9f95f
SHA256

889023eac38801449ee85942ce684228c37e1299b88e9fd83cddf23070a08d07
SHA512

d33d19b9e6acd462093bec889ab40d9a5771e1fbabd0c7925380b43735a865d7dd9d14d517ab7123400d2f91971e7a38cb91b717b22bf61d7de1d165d4dcc3e5
SSDEEP

6144:STcsMYod+X3oI+YGVsjVQJsMYod+X3oI+YGVsjV0sMYod+X3oI+YGVsjVP:YK5d+X3zjVQV5d+X3zjVC5d+X3zjVP

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2560 svchost.exe
1488 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2556 IEXPLORE.EXE
2116 IEXPLORE.EXE

pid	process
2556	IEXPLORE.EXE
2116	IEXPLORE.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2560-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2560-10-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/1488-20-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px19D7.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1EE6.tmp	svchost.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f690961946b844bb2c0e367b6d7f2d00000000020000000000106600000001000020000000f7835746f37d6d8405dd890f3f54f5ffb0aee5b0b04b3b9f73f88b7b614a3ab8000000000e8000000002000020000000e1a3e456fda3be8b4c244e4c563d838faec69aa5cc67fe50aebe5bce31c589e2200000004f3b8d0df291352e893fb156e087e51ea9ee0704e39c4bbe5e6a5dea73a514d840000000b2b688b3bbbeb7d929c0fec8d6421b005c522a90068389adaab25995288a01f0f56773270699a5edd814b3f4ea26045c0beabc94b30b2e53e089c5db88e4d37f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f45bc3b3abda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422480986"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED2FAF71-17A6-11EF-A499-62A279F6AF31} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e1f690961946b844bb2c0e367b6d7f2d00000000020000000000106600000001000020000000e445b19248744cfbdfab90c6bcc17614699ab0d6b97f8b54acbd67bb0738fc59000000000e800000000200002000000048b79c64c051ae6c41647a5378cf3be35bc7c34c6724726d551370e01e6491ff90000000ea730abd59b4d201c93ddcc4319ce1ec7f2eabee00be0b0f4bab1e34204ebc74bcf6e074efd92b9ba3ee03bf5a461de993d744ed9e22551780b107d587c8fbdd7128e51631f63214d6cb15134c74a8ca8285d217aef1b9c3e9b033d16b66f193a5f7b02b8c688d8be8e3c7f8c79545078b24be0e9d8a3156d6961ef5108962e37e84d522779c8dc82782b85bc3d64e9b40000000a56c812493a98619eb7009bcc078cb2e3e02a758877430dc43336461a0dc9662170d733c5509599ad7cbd69a1e719de9377616a11c8907c16cb683c016476592	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2560 svchost.exe
1488 svchost.exe

Suspicious behavior: MapViewOfSection 46 IoCs

Processes:

svchost.exesvchost.exe

pid	process
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
2560	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2560 svchost.exe
Token: SeDebugPrivilege 1488 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2644 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2560	svchost.exe
Token: SeDebugPrivilege	1488	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2644	iexplore.exe
2644	iexplore.exe
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exe

description	pid	process	target process
PID 2644 wrote to memory of 2556	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 2556	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 2556	2644	iexplore.exe	IEXPLORE.EXE
PID 2644 wrote to memory of 2556	2644	iexplore.exe	IEXPLORE.EXE
PID 2556 wrote to memory of 2560	2556	IEXPLORE.EXE	svchost.exe
PID 2556 wrote to memory of 2560	2556	IEXPLORE.EXE	svchost.exe
PID 2556 wrote to memory of 2560	2556	IEXPLORE.EXE	svchost.exe
PID 2556 wrote to memory of 2560	2556	IEXPLORE.EXE	svchost.exe
PID 2560 wrote to memory of 388	2560	svchost.exe	wininit.exe
PID 2560 wrote to memory of 388	2560	svchost.exe	wininit.exe
PID 2560 wrote to memory of 388	2560	svchost.exe	wininit.exe
PID 2560 wrote to memory of 388	2560	svchost.exe	wininit.exe
PID 2560 wrote to memory of 388	2560	svchost.exe	wininit.exe
PID 2560 wrote to memory of 388	2560	svchost.exe	wininit.exe
PID 2560 wrote to memory of 388	2560	svchost.exe	wininit.exe
PID 2560 wrote to memory of 400	2560	svchost.exe	csrss.exe
PID 2560 wrote to memory of 400	2560	svchost.exe	csrss.exe
PID 2560 wrote to memory of 400	2560	svchost.exe	csrss.exe
PID 2560 wrote to memory of 400	2560	svchost.exe	csrss.exe
PID 2560 wrote to memory of 400	2560	svchost.exe	csrss.exe
PID 2560 wrote to memory of 400	2560	svchost.exe	csrss.exe
PID 2560 wrote to memory of 400	2560	svchost.exe	csrss.exe
PID 2560 wrote to memory of 436	2560	svchost.exe	winlogon.exe
PID 2560 wrote to memory of 436	2560	svchost.exe	winlogon.exe
PID 2560 wrote to memory of 436	2560	svchost.exe	winlogon.exe
PID 2560 wrote to memory of 436	2560	svchost.exe	winlogon.exe
PID 2560 wrote to memory of 436	2560	svchost.exe	winlogon.exe
PID 2560 wrote to memory of 436	2560	svchost.exe	winlogon.exe
PID 2560 wrote to memory of 436	2560	svchost.exe	winlogon.exe
PID 2560 wrote to memory of 480	2560	svchost.exe	services.exe
PID 2560 wrote to memory of 480	2560	svchost.exe	services.exe
PID 2560 wrote to memory of 480	2560	svchost.exe	services.exe
PID 2560 wrote to memory of 480	2560	svchost.exe	services.exe
PID 2560 wrote to memory of 480	2560	svchost.exe	services.exe
PID 2560 wrote to memory of 480	2560	svchost.exe	services.exe
PID 2560 wrote to memory of 480	2560	svchost.exe	services.exe
PID 2560 wrote to memory of 496	2560	svchost.exe	lsass.exe
PID 2560 wrote to memory of 496	2560	svchost.exe	lsass.exe
PID 2560 wrote to memory of 496	2560	svchost.exe	lsass.exe
PID 2560 wrote to memory of 496	2560	svchost.exe	lsass.exe
PID 2560 wrote to memory of 496	2560	svchost.exe	lsass.exe
PID 2560 wrote to memory of 496	2560	svchost.exe	lsass.exe
PID 2560 wrote to memory of 496	2560	svchost.exe	lsass.exe
PID 2560 wrote to memory of 504	2560	svchost.exe	lsm.exe
PID 2560 wrote to memory of 504	2560	svchost.exe	lsm.exe
PID 2560 wrote to memory of 504	2560	svchost.exe	lsm.exe
PID 2560 wrote to memory of 504	2560	svchost.exe	lsm.exe
PID 2560 wrote to memory of 504	2560	svchost.exe	lsm.exe
PID 2560 wrote to memory of 504	2560	svchost.exe	lsm.exe
PID 2560 wrote to memory of 504	2560	svchost.exe	lsm.exe
PID 2560 wrote to memory of 612	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 612	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 612	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 612	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 612	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 612	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 612	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 696	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 696	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 696	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 696	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 696	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 696	2560	svchost.exe	svchost.exe
PID 2560 wrote to memory of 696	2560	svchost.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:388

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:840

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:296

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:1124

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2716

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:2744

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:496

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:504

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:400

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\64759bf4eb2e911726bb066b5adb062d_JaffaCakes118.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:275457 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:340994 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2644 CREDAT:209930 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
86f7f83660e03712f0ab8c8164f3a616

SHA1
241a6092b95d649d7c104fbec1b4b262cc1a4e63

SHA256
25245ef7554e9e7c91478d0c967a2258e0af461ab1c2a5fabf049788779c18e3

SHA512
f19f9214ae739c7230347f1f1ec3b8d4462675dbdd18161a031150437e76c45d9e4994be93f7db53541c34cd67c9cc2c2ea5f48ebee8848a04c2379a2172cfc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3a68ba56d7c9423af63db1de6e9690b

SHA1
0c9b558b0a64e3e1e176117039d836fcb3a9ea51

SHA256
1c44de3815cd4bdc39836fab632e7add8fc82f89d1920f130efa9f86fe2f6f28

SHA512
0c93156cc14c0437303fb63210876dbeddb5311371634192116ddff90686ca73155e51b2960f2048123644cb863869521a11b1712d3d46c038e73a2b088a6d7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0093bf8139346d727ff6a2d68e76dca1

SHA1
8ba11c11ba31c4b7c38e31592a957ed8393ba839

SHA256
d02d82d2b1c61f83f8617e99598cbf6febd1d377604502a6850e90fbdeb0276d

SHA512
c882dbea3b98820a87ae54c2ddcc27cd6bcdab0b4d7b31984bf4e2811379164ed21c6400cb47a1ebe41a79b27194983964035eb710f8b77d4b8f1eeb60d7bb97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
71e04dceb6749a2deed83775685a0c70

SHA1
2d0a36bf2615652e611e9fd9ebc731dd4b501811

SHA256
2e74796e048713c9d8e71ea362127139424a1a39c67c9da4f4702e6987d6c10e

SHA512
e10c1f01a053fc1762f8461f24828fea8ac3afa164f6ba70fa7b75bf4a33515ac5702f8591d3053bf9c2981a4d5ee67055b9bbdeffde0ee93f94655b2b9088a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5e4732ca908d0756c84629f1daac124

SHA1
0408fc8e97c316493a3e9b5b61d56cd69fe0dba7

SHA256
3cafca0ee325dec0ed03da57ac4d3a9cf978b7047a03a655d46ddaaef900ab67

SHA512
21b83369a3823327a4086e5c55d39555b930e5e44baab920f2068563b97b135f3264b5c6915f038436b1d919792edc594a7753199d0062c85d307eaded3af2b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b5f9fbb6c61e0fa06d2c7c70899e1e6

SHA1
74c7308acc055ba0af375c0a6d106d8355dca6d0

SHA256
17dd0283e335bbb491856c63240f1b662f9de0897b6ca37bc85dcd51008baa91

SHA512
a800c64f5af1ce5239c6cbc83ec09f7ac0a74b0274aeb449a2533d0ad0bc099fe86088d7763481260cae6001538eafb68469e566490673a6f60095a610912f5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81806508727276381dfdbd22a2512eda

SHA1
135f53c59a6252d09746b396dee433cb68c46654

SHA256
4d24e20c8edac8245df5bc12547a002815d99b6d9d995a38b655c3339ce0db4e

SHA512
ebb5b8af694be7eab19f8ee620be3b21e5a3705c17410c498e577a5539a418c70c66fd7a5b30a679dba4bff81d9685ce0c46c45ac8e429541e4a828d3c639350

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
059a4542be4c121745cab326e44f1361

SHA1
dcc2d44574719bf9102cc7f1e50a8932e5fd6429

SHA256
db309e720be69523835dd4e322e8d1d68e4428021ab1e7559b832e189986d744

SHA512
94fd4aebfb82fcbaea28c23ebd630e920546e4c6f299662302fd25c9a27b653b39dcca225dae3681de69a3eba65c7e9aa037b2359287185a71bec76f17f196d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e64f2c4c8768774c0a866adafb164e0

SHA1
2dc78d40272eb94daf93d0d702de02386a250a86

SHA256
17428b7a82fc5d790bc62f69716c21ccc812d9ecb295c470702b70df9221516c

SHA512
bc40552530d8fa6e79dc77ab1e4e4f4b4544ecbb35d978206682397a46f4bae80cb39cd6554e7f50a3095f4c697a8b3eff54cad774cf9c56ac91bfa984688850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51c3eacea1823f1aca907d911d028e98

SHA1
d2776dc0b21c27ef550f0bfa20f2b6f398de1b36

SHA256
e12997be288e58c88324a2c99c0cefb87f75e81c2c1f2c48f0305b603da5198b

SHA512
cfb7bad46a3b9d22a6fc110884b7015977e01b4191684b01ab4b70b864585d4ebd02bedc6737d3d4a662cf25e92b25502ec38b9424768a7fa163ad25ab89381f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\jquery-1.8.1.min[2].js

Filesize
90KB

MD5
e7155ee7c8c9898b6d4f2a9a12a1288e

SHA1
d1b0ac46b41cbde7a4608fb270745929902bac7c

SHA256
fc184f96dd18794e204c41075a00923be7e8e568744231d74f2fdf8921f78d29

SHA512
00f96415745519916c4ef53daafba8fa6eb9de9b75b2a1e3d55f9588ff759b80a90988f0c79450214ba13ec06f4f4cc915fbb2a493f4f1983b9aea63e9e99fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab37E4.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3924.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
84KB

MD5
666faefb80b2c2c4028875ce8cd6f3a0

SHA1
1673f5ea1664c67f539a7c31f7fe7cea5a7ae63b

SHA256
da43233d34e8369e6802cea5dbfa9fa46b07b544bd85edd8f256692a5d34fbd4

SHA512
c375ced9c64a0c33e2af498fcdb81c995cc6254e9f6d9f8d7fbd90571abe4ac00d3a1eae51eee4e45c88aa77ed765d86014c043950ff06c0367957ec6786b41b

Download Submit
memory/1488-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download