ramnit | 3a06432d94df443e7b6ab633023f1b3f956ae65f9d18551ca9a41f8cb280e5b8

Analysis

max time kernel
134s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66b3389d6eeb974f805de6007026e9a5_JaffaCakes118.html
Size

572KB
MD5

66b3389d6eeb974f805de6007026e9a5
SHA1

746c0d6ec1d307f82d936a1448edfe8e5cbed440
SHA256

3a06432d94df443e7b6ab633023f1b3f956ae65f9d18551ca9a41f8cb280e5b8
SHA512

9f91b945c36cca6602e5854c36b4749bc14516645101f0f396a37855901cda705620f153779cfc567c039ee3f00bb5d787835a052223b509ded2a76ee007cfc0
SSDEEP

6144:SeksMYod+X3oI+Y5sMYod+X3oI+YPsMYod+X3oI+YldbsMYod+X3oI+YEsMYod+e:Ry5d+X3L5d+X3Z5d+X3Z5d+X3Y5d+X3+

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 6 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

2724 svchost.exe
2256 DesktopLayer.exe
2532 svchost.exe
2936 svchost.exe
760 svchost.exe
2536 svchost.exe
Loads dropped DLL 6 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2648 IEXPLORE.EXE
2724 svchost.exe
2648 IEXPLORE.EXE
2648 IEXPLORE.EXE
2648 IEXPLORE.EXE
2648 IEXPLORE.EXE

pid	process
2724	svchost.exe
2256	DesktopLayer.exe
2532	svchost.exe
2936	svchost.exe
760	svchost.exe
2536	svchost.exe

pid	process
2648	IEXPLORE.EXE
2724	svchost.exe
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2724-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2256-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2256-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2532-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2532-25-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2936-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/760-35-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px24FE.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2481.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px24EE.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px24DF.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px23B6.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b000000000200000000001066000000010000200000003d6bf84394b646dd076cf7a7b6ec207fe8e68006ca7179358cbd9747f1bf105e000000000e800000000200002000000028943685ce78a1f9951088b02a4591ae6d2be403ed128999cc82c9533adfbc2d90000000694d07cf8c69aef9b52c0f73152dacc466b49f26b271ef0471f17b2190da6916b3cb8a2d8ca23296bcda34978be7daa0fd981de81a4d88c696b0d6cbbe5072d819b4b227655245ea76dc75f0ea9399a2259759d3402da656828e463a5713c0ac096c7f838df3a99d1ac61ae5d26122753a4d2b4f4c87a02fac1186dedcd9273bad91b85c1b95ce90ced295c311059e69400000005c4000d00241700890b58fb4592509df13ef48f0b6df7160929781dbaaf0b0e075d9ab1c32b6b2b8892217306aabb6264a7cf83efcf2ec49e3355acd28a8aff8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422529790"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000c9d1db58d2f17dbf5d181944504670db257ac1c6dd79d7d853c97ee38fb71b36000000000e80000000020000200000006b7b94150ee96a9e64a03242b71ac59ff7a27659f56c06b7201964b575d6f9202000000012e2ce2ab105fe5090d60dd3b03de2326ee75ead9f38a9495a983ed48a249d3340000000eeb140c68d3f8ec4a2c4333bf08334d44907236f772585006ded718400fca5523b78fbc7deaaed6571cb8f09b34d2977e3934d0018a652b2a4302e608da7095f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0089746325acda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8EA5B951-1818-11EF-AB01-4E87F544447C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

DesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2256	DesktopLayer.exe
2256	DesktopLayer.exe
2256	DesktopLayer.exe
2256	DesktopLayer.exe
2532	svchost.exe
2532	svchost.exe
2532	svchost.exe
2532	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
2536	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe
760	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exe

pid process

2056 iexplore.exe
2056 iexplore.exe
2056 iexplore.exe
2056 iexplore.exe
2056 iexplore.exe
2056 iexplore.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2056	iexplore.exe
2056	iexplore.exe
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
2492	IEXPLORE.EXE
2492	IEXPLORE.EXE
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
2056	iexplore.exe
1040	IEXPLORE.EXE
1040	IEXPLORE.EXE
2928	IEXPLORE.EXE
2928	IEXPLORE.EXE
1188	IEXPLORE.EXE
1188	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2056 wrote to memory of 2648	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2648	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2648	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2648	2056	iexplore.exe	IEXPLORE.EXE
PID 2648 wrote to memory of 2724	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2724	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2724	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2724	2648	IEXPLORE.EXE	svchost.exe
PID 2724 wrote to memory of 2256	2724	svchost.exe	DesktopLayer.exe
PID 2724 wrote to memory of 2256	2724	svchost.exe	DesktopLayer.exe
PID 2724 wrote to memory of 2256	2724	svchost.exe	DesktopLayer.exe
PID 2724 wrote to memory of 2256	2724	svchost.exe	DesktopLayer.exe
PID 2256 wrote to memory of 2712	2256	DesktopLayer.exe	iexplore.exe
PID 2256 wrote to memory of 2712	2256	DesktopLayer.exe	iexplore.exe
PID 2256 wrote to memory of 2712	2256	DesktopLayer.exe	iexplore.exe
PID 2256 wrote to memory of 2712	2256	DesktopLayer.exe	iexplore.exe
PID 2056 wrote to memory of 2492	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2492	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2492	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2492	2056	iexplore.exe	IEXPLORE.EXE
PID 2648 wrote to memory of 2532	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2532	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2532	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2532	2648	IEXPLORE.EXE	svchost.exe
PID 2532 wrote to memory of 2964	2532	svchost.exe	iexplore.exe
PID 2532 wrote to memory of 2964	2532	svchost.exe	iexplore.exe
PID 2532 wrote to memory of 2964	2532	svchost.exe	iexplore.exe
PID 2532 wrote to memory of 2964	2532	svchost.exe	iexplore.exe
PID 2056 wrote to memory of 1040	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 1040	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 1040	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 1040	2056	iexplore.exe	IEXPLORE.EXE
PID 2648 wrote to memory of 2936	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2936	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2936	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2936	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 760	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 760	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 760	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 760	2648	IEXPLORE.EXE	svchost.exe
PID 2936 wrote to memory of 2756	2936	svchost.exe	iexplore.exe
PID 2936 wrote to memory of 2756	2936	svchost.exe	iexplore.exe
PID 2936 wrote to memory of 2756	2936	svchost.exe	iexplore.exe
PID 2936 wrote to memory of 2756	2936	svchost.exe	iexplore.exe
PID 2648 wrote to memory of 2536	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2536	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2536	2648	IEXPLORE.EXE	svchost.exe
PID 2648 wrote to memory of 2536	2648	IEXPLORE.EXE	svchost.exe
PID 2536 wrote to memory of 2776	2536	svchost.exe	iexplore.exe
PID 2536 wrote to memory of 2776	2536	svchost.exe	iexplore.exe
PID 2536 wrote to memory of 2776	2536	svchost.exe	iexplore.exe
PID 2536 wrote to memory of 2776	2536	svchost.exe	iexplore.exe
PID 760 wrote to memory of 2816	760	svchost.exe	iexplore.exe
PID 760 wrote to memory of 2816	760	svchost.exe	iexplore.exe
PID 760 wrote to memory of 2816	760	svchost.exe	iexplore.exe
PID 760 wrote to memory of 2816	760	svchost.exe	iexplore.exe
PID 2056 wrote to memory of 1188	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 1188	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 1188	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 1188	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2928	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2928	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2928	2056	iexplore.exe	IEXPLORE.EXE
PID 2056 wrote to memory of 2928	2056	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\66b3389d6eeb974f805de6007026e9a5_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2056

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2724

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2256

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2532

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:760

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2816

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2536

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:472070 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:472076 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:865291 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2056 CREDAT:734215 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2928

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1093c091396c7eab4ece94d90fc787a5

SHA1
09b6d8466def2d82b87cd46622a9e8700fe2af07

SHA256
412c1462c9665314becae82f46d4685693361266c8e90ab20f4d36d08fbfa13b

SHA512
3190d5bf6d53e52bd1930c0b3d3db9f52f3b072425bd2022a38fc48b5486d95073c413fae8eec9c44cbbb6c186aadc086502e0c9421c034703868ac3de255060

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
94069a35b1b4e3f7b36fd5d43579bac3

SHA1
2a518251b7a9cdc945648444e2e2249961aa2031

SHA256
358f48291e4b463aab618ab7c21f4a780df3a63a77c1b20ce06ade844cbf8f4c

SHA512
a6c0a2704a6abc5b73f4c47e6b9c9951136e52e94768e51765616ce77df78e27e61a1b3a889ad438fb7db487310a7cced050de06b3b7c61ffd3334215f53d527

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9d0fdc1e1ceca5a3d810ad1aa62e619c

SHA1
49df4dfa10379658770ddf44042bbd4b39843bbf

SHA256
b7bdb31633d599ddfc5ed00210a4c05cba34832939aa97a9e78f56ec31ccc821

SHA512
5f958eff9131aeb0c0911d139d972783996324e2e351d014d761107e4987a42d5dc5aea4903bde3130163f58eff8c99880feb48948425fde5bf760dbfd39a931

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
088ddaba3e11f77bf4f987a4c1d55d1b

SHA1
00b7c7eca041ea24cbedcce058c784d8b75ee2d7

SHA256
9314eda0ce73d3c76fe65a5ab5c380f3b93f898dcdcaf40fc094ec593a5b5900

SHA512
6579fd5610633607bda999cba0a57a5fcde04e969aedce8df1db2ad7875b0bfccd4c31536970feab0896a2c84758aa0429c5be6f39fa180111c0118dbe9d4c3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0df31a37cb89226e2da2d251fd0e1b25

SHA1
f95dc9c0d96750304e9a630099976404e079772c

SHA256
3278bdae2703e393b1c9a81126ee97c19689288adb7ebf33e3d03f09f6254a59

SHA512
b5718e47d263464a746704454f830ba711a6dbcc4880b27f2428eae3d74eb6bf52abec0285ce2c2b2f41d6adb0caca0d650f856492c973c543d90244be76dc6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
46e01d23ede9abb22d10f9690e575d05

SHA1
dc4794819198acd94453a841fcb80eacc588653e

SHA256
4e2ad73f5d72a5d0839e60d7442f02d69123dff357a26113fec6fa6e65ed16f5

SHA512
55a186dc5882b2454156989ba3fbc7aa5a3e6dcb94cedeb1fdf56c0ee7dbd8cfe29a6168e7045352cdbfe06b240ed9364fa7963f5fde583d9841fadd9b3985ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ac1b8e270b4f5d3fee380b7dd75555dd

SHA1
7fbb4d13241de61ff984edf5ad95a0cf6372bb2b

SHA256
f6c42530d0ed014cc78f8df21a11cf5c31ac565f85441341f5042a8c647931f2

SHA512
425b730c6129f7ebfca05ad22e69b0f49281741353ae73afc7181ad196e035ae1f95f423315e546671ad724e83593040b31173385bb6a22e2789cb562d1c3174

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e2010ae7529bc4462f0a6124f63cca8e

SHA1
f02629143cb6da2584931ad8dc78cbdc622377ef

SHA256
ed05c8131a762b8218fa0c8bc2e2cb0d615d5c8c67f1b08df68176e06df32feb

SHA512
dba12a44f9bfd6f99be3ca4e29f939ce6c879b89f19cbb709b2fadc13580f89b453f93ecc7940918a28b3fd63d79ca6f12086b53eb234ce90e300400905a9371

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9d0efdfb22e6124c93e0596aed861d6d

SHA1
8e1a3ffff38b912d2fb5d66561f2e7094f9fd3b0

SHA256
883920b3163735846f3035e33e07e7056627635f42828f6f30ccb9b5ba4b5d17

SHA512
29c0cf492c35ac9d491eea78828ea5b05f60259f2db5010394e657019ab0ebf75bcf31e60229d781ffbf91c1df25545bff70000a5daffaacb52b54282ca67d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab20AC.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar212C.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/760-35-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2256-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2256-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2256-16-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2532-25-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2532-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-36-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2724-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2724-9-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2936-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download