ramnit | d843fec3a6754635c9384fd9f34d72cc6f47902b4f0be4cd2d71fcbd72d66a73

Analysis

max time kernel
136s
max time network
130s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62222384d8faa279cd661c6da7088556JaffaCakes118.html
Size

672KB
MD5

62222384d8faa279cd661c6da7088556
SHA1

2c5e5c595403a40b0c1220bdc45561d293d6be01
SHA256

d843fec3a6754635c9384fd9f34d72cc6f47902b4f0be4cd2d71fcbd72d66a73
SHA512

51f58cae135a63bcb39980a1873e5082062c8781941ce613104a4e919a2f1762b064a765378f51e26be557801099e8c7992bef2e6426b509fc0ee57c55e5aa1e
SSDEEP

12288:n5d+X3V5d+X3r5d+X3p5d+X3Q5d+X3f5d+X3+:X+Z+j+F+K+P+e

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 7 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid process

2740 svchost.exe
2240 DesktopLayer.exe
2700 svchost.exe
2944 svchost.exe
1800 svchost.exe
2812 svchost.exe
2932 svchost.exe
Loads dropped DLL 7 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

3008 IEXPLORE.EXE
2740 svchost.exe
3008 IEXPLORE.EXE
3008 IEXPLORE.EXE
3008 IEXPLORE.EXE
3008 IEXPLORE.EXE
3008 IEXPLORE.EXE

pid	process
2740	svchost.exe
2240	DesktopLayer.exe
2700	svchost.exe
2944	svchost.exe
1800	svchost.exe
2812	svchost.exe
2932	svchost.exe

pid	process
3008	IEXPLORE.EXE
2740	svchost.exe
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2740-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2740-7-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2240-16-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2700-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2700-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2240-22-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2812-37-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3073.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px30B1.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2FA8.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px3044.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2FE6.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px30C1.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000d6d2a137e175d25af5095ffeb799ceb48b982a5985791bc4658f433bacb2c3be000000000e80000000020000200000005bd5bcf0a33ea7c2de0da5fa08f70c00d9a68eaac44b004acf9bc63da44105e220000000e042332488a6cb19f0f91df7884390769c914e18718187dae88fca26ab95fc8a40000000749974ab517c17df96a0222a2085c74f6220b07e0ba912e0c719710dc6928b2f476e7e85a7a387d2922ee2e3b6b8faa968547e3e66f64a0a96a7e5e31179b870	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422586014"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0ae584aa8acda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{75905F01-189B-11EF-A1BA-6AD47596CE83} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000df3aaf3d521663fe39e8f6c482f6b65e1b9f38b40792dd71fc3fc03e3e66c19b000000000e800000000200002000000045320c139b1160b5ca27911519f12ba8590713577f32892b2c316221b866212890000000ecb00eda64c39b8dc52ff8fcca6cc8d76f4c36609ff1371e2f38d2a3162f48fc477a9372fa9f2ce806e73c3b2e3fd88de909f71fbaa1c5d0504f3a4dd5d2a22c2000c58ceba04ec4ed14ddbf5d4315c16246aba895cbb666ccb5468e347a61e073cc94178299f8b38ec6146aaba09c7e42484e244bafbfd893afa95c403cbd7cc65a88e94acfe10e9614a8adeccfa63640000000a8387dcef5276366c6424e54cd7826b91cdc1326832ca3bd83db7b55c26511c7f5b100a3dd8d44802691cb9e25f718c1fe3f9963b7a7a8ea1508eb3130a13023	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

DesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2240	DesktopLayer.exe
2240	DesktopLayer.exe
2240	DesktopLayer.exe
2240	DesktopLayer.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2700	svchost.exe
2944	svchost.exe
2944	svchost.exe
2944	svchost.exe
2944	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
1800	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe
2932	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exe

pid process

2904 iexplore.exe
2904 iexplore.exe
2904 iexplore.exe
2904 iexplore.exe
2904 iexplore.exe
2904 iexplore.exe
2904 iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2904	iexplore.exe
2904	iexplore.exe
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
2904	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
2904	iexplore.exe
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
3008	IEXPLORE.EXE
3008	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2904 wrote to memory of 3008	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 3008	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 3008	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 3008	2904	iexplore.exe	IEXPLORE.EXE
PID 3008 wrote to memory of 2740	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2740	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2740	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2740	3008	IEXPLORE.EXE	svchost.exe
PID 2740 wrote to memory of 2240	2740	svchost.exe	DesktopLayer.exe
PID 2740 wrote to memory of 2240	2740	svchost.exe	DesktopLayer.exe
PID 2740 wrote to memory of 2240	2740	svchost.exe	DesktopLayer.exe
PID 2740 wrote to memory of 2240	2740	svchost.exe	DesktopLayer.exe
PID 3008 wrote to memory of 2700	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2700	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2700	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2700	3008	IEXPLORE.EXE	svchost.exe
PID 2240 wrote to memory of 2232	2240	DesktopLayer.exe	iexplore.exe
PID 2240 wrote to memory of 2232	2240	DesktopLayer.exe	iexplore.exe
PID 2240 wrote to memory of 2232	2240	DesktopLayer.exe	iexplore.exe
PID 2240 wrote to memory of 2232	2240	DesktopLayer.exe	iexplore.exe
PID 2700 wrote to memory of 2632	2700	svchost.exe	iexplore.exe
PID 2700 wrote to memory of 2632	2700	svchost.exe	iexplore.exe
PID 2700 wrote to memory of 2632	2700	svchost.exe	iexplore.exe
PID 2700 wrote to memory of 2632	2700	svchost.exe	iexplore.exe
PID 2904 wrote to memory of 2588	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2588	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2588	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2588	2904	iexplore.exe	IEXPLORE.EXE
PID 3008 wrote to memory of 2944	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2944	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2944	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2944	3008	IEXPLORE.EXE	svchost.exe
PID 2944 wrote to memory of 2388	2944	svchost.exe	iexplore.exe
PID 2944 wrote to memory of 2388	2944	svchost.exe	iexplore.exe
PID 2944 wrote to memory of 2388	2944	svchost.exe	iexplore.exe
PID 2944 wrote to memory of 2388	2944	svchost.exe	iexplore.exe
PID 3008 wrote to memory of 1800	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 1800	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 1800	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 1800	3008	IEXPLORE.EXE	svchost.exe
PID 2904 wrote to memory of 2556	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2556	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2556	2904	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2556	2904	iexplore.exe	IEXPLORE.EXE
PID 1800 wrote to memory of 2756	1800	svchost.exe	iexplore.exe
PID 1800 wrote to memory of 2756	1800	svchost.exe	iexplore.exe
PID 1800 wrote to memory of 2756	1800	svchost.exe	iexplore.exe
PID 1800 wrote to memory of 2756	1800	svchost.exe	iexplore.exe
PID 3008 wrote to memory of 2812	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2812	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2812	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2812	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2932	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2932	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2932	3008	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 2932	3008	IEXPLORE.EXE	svchost.exe
PID 2812 wrote to memory of 1792	2812	svchost.exe	iexplore.exe
PID 2812 wrote to memory of 1792	2812	svchost.exe	iexplore.exe
PID 2812 wrote to memory of 1792	2812	svchost.exe	iexplore.exe
PID 2812 wrote to memory of 1792	2812	svchost.exe	iexplore.exe
PID 2932 wrote to memory of 1252	2932	svchost.exe	iexplore.exe
PID 2932 wrote to memory of 1252	2932	svchost.exe	iexplore.exe
PID 2932 wrote to memory of 1252	2932	svchost.exe	iexplore.exe
PID 2932 wrote to memory of 1252	2932	svchost.exe	iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\62222384d8faa279cd661c6da7088556JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2740

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2944

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1800

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2812

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2932

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1252

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:209932 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:603141 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2556

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:6501378 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:996366 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
83030198069e8996d50095b372e5ab00

SHA1
20901313606e81c3fb85c6eb876f6e7f273a1075

SHA256
2b0d9535e5a797a685a5d3493e04cdd43ae129bc609beaccccb2afe03ff017d1

SHA512
0171ec477f5c16923bec74c4fb505c4a924e8727ca94958f1c7c3add4b96ec62bd5d935260fe73c2f00b90aa2e741f42b919d083ad6a38ddfc43149843e87a58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
42111e66b8c1624f410ae22f4eea6142

SHA1
eecf2bff1b5b1b3b67b169704a0e324d769c03b7

SHA256
f468b2f8bd768d4ef556accf91b1e313cb21910f3aed074997cfa03fe1116155

SHA512
a99cbaff24e510e5b4ab0fdf567534751d040d2c17dc27208d8633b39231845710d2472cfe15041acbe65d3bbf6d73b9ce0922ad174d50d1b9760f4d9625016b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0fcbb169db939501057059f51a20828f

SHA1
526149a0c2fd8ad79c9bc92f1243110b10b7e60a

SHA256
70d6833b853508ed688040e0c91f6c8a89b2f1717f739d3f44b613ade38aac9d

SHA512
f57182bc7884e290f3ba1d9290f74bfdcd265784005b863885aeab154eb8e32a61d1f9fb90496afa15a545cd38e683d7f8ce216be89f28ab8873929a633d7cfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b8c4c8bddf7aef077e7fbe6a13bbacd3

SHA1
ae7c81ed79e97d026bbb4b6afa19c9a1fd5b4fae

SHA256
231417ed45f89cefbd3b0d6a4069b0ba855e04586b07176496ee7840e92ed906

SHA512
9755ea86970e8278c663332358ecaa36b09a6887331b5829b39c3ecb1d35dfd826188f5345493a35de6b186c0d004a9ab17b8d3c569fcd44a5bc6423a7e48530

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bb8d158f70fea97b93ef8d43d77212f2

SHA1
3f96743eb57693472b57a6a0e4b3da721e6ed3f2

SHA256
b232d1127a3e004d546176fca791db846217178d217bd4e52bb4a0bc74f05a08

SHA512
79f6e5aee265a3de3b3376a629878f349e1ebfd706382b38ba8fc61af1237991a500049a01a690ca60a8acf62b25d6d13d5464648bd875d5600e1090d6656a89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
394bbdd4466d6872cbac16fd8956ebb4

SHA1
d933f44abdaeaf372718041e2c1883c08d07ad6d

SHA256
65daecbc14b03f23c49fe0ee76bc82ee9530c297d5c452511d6b7afc2a126f07

SHA512
a25b397bf34cb775fb19b03673dccfc9d4241117dc1506007182ed07895463dcc70c37b06f811d6386ecab6a865ee08c65932fe1ce0a102e324ef71d19e51013

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
08176eb3778beb9298f962838d19cf5e

SHA1
171b49bf91c2dafa8c3324e626f081d63fd6a83e

SHA256
5c9f37d5d3f408d9dfc52c328786e59a9a61a64e13aa6e6ca619fee641481fdb

SHA512
bacb7ec156fea8394056e9f2e3854866cc114e75e63f59b27862aa139ed95a83f681fc768e9afc5da5387fa8bb9d765fc7f5c3aa8f0e02ddc31788329d8588db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0aec2a33979c2061b8698b1dbed4e64c

SHA1
01e2416b8daf07c2dd4ac2b7e040c7f0b79d82e1

SHA256
d000c7789de123a0034d2f804213d4eeae7988da24b1a5d738e7f99465986d7d

SHA512
056b078675c2211e253ccbc0c2eb48d3eebc18252c625256bd8bd9ae45756c7cd676ed95035b1fa8aaafe2243fe5d9456dcae716ebf0510e8cadb45d95ec0999

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b3a5b115fbfd5ffb2162d6ae75e78986

SHA1
6b4cdeb7b3004c8fd1fc8738eec087036b88826e

SHA256
c75273109ade6e2a20a15629afa1ac3412abc3ceac1194cf4e21884d54651a5e

SHA512
d0846d8fda1d944550d285920a5d300fa05b88dc0d5eab17d35390fdddd813c4c9f6db0d0d5f17f074b92cfff78315330a47f001b1d3af8c1b0f12a38b6c7efe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8801625e8488fe46dd6d2f129d23870b

SHA1
50d899d9d4df5ddd5187f6273863fc9d095fb8b5

SHA256
2161e92caa281d9a3ed5e08692839ed859b7dccbd5a95f81ab0c77d098e0b52a

SHA512
dc248ed406a67109551f18bd9260f8382af1fe04a1b86c4b0dcd115670e8cf2720a8d25f6c9baa59fc5b967d2882d49071a5075c7c1491a28371e8ede4f7b2e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e20e163568cde5df63c7865d8f7234e7

SHA1
26fe368a007a6680c0e84711e83ed225f8484c9e

SHA256
f80d5e2b4543016316edc960d0645737d924252163b475d16c0905deddfac652

SHA512
8b6025c15b9248c77f6826df9156fd06dc11ab61bab59625b056741e3ee31964a328a564c0476fa7d9d283b6c31f8efef01f13c8a9335c76ef0677240d16bd4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f11040430d602a392449d398be964a20

SHA1
e29976e90bc51bae5726bd90cecaa6e7b792f3d3

SHA256
ab13a53aa6532c48874ceeb59ca32fc73374f65c75dbc788930d1e08f895ff42

SHA512
f7a19741a74bd1ec64e545acaeab3f8187f398981a0e7f9c23d2c2b5561bbe7d9a68adafc10607978c45550aff17b8e59e3649b867987bfd6e7ceba1eccc401c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bd1418df5532d16666a410b6d9be4abe

SHA1
6603f54774eb1146af2b283b1656b56f9958e4d5

SHA256
cfb8bf63ba48b203972d88d3e49df9f394d021ee939773d22456c03c6f1f8a1b

SHA512
0274fcab4459d6baeabbddbae58aa49ce80371f7d8bb96609893a5e4aa2b8ea1fe7ee0681ae059acfe71c869846e0d635ed2f378042f094b3b5fd193650c746a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
52cf5c86b23252456911c53aac240927

SHA1
06e5d7150afa9625ea6869dc27b3d0f2dc9424fb

SHA256
5335979dde6a1a6a1c3985653a1afca80f0f30957fc28f8cffb2934826733846

SHA512
9c59291ec5e0acaf2a97eb487a47e05cff23d2370feef3a35f60d4c36c6e7092deb19bc11aa72cf825654264a44f0664ef15ac22a7bc530b766049c8349263aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0b368ecc4e9020229e92cc1bf1baa885

SHA1
f6d5221ecc9e8d275d08134cb32252211f434571

SHA256
40907815cefdb13d3cd907d8b69ccfde6a59c5200b11125e258640c24a4992e4

SHA512
d8855f5a2e0b8ddf064c3021ddfce727f672cb1cb597a34598b348dde23e8325a8e5c80c2609bd22b73e7e0808fe7ead143b625495eadd41a719cda4cb6f1844

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
580d85f6875abe392b3fac37eea469ba

SHA1
d8aa5179400b67c738fced4c0b93fed6ebab509d

SHA256
79710689d21907d0b42d05cf32f2cc739515c13f25dfc20108b4780be482f089

SHA512
a1330d54e06f496ca1c34ec7d21b937b9a284e0ea8a1dd80af5ad35015155882ce8a491659c57e0d8ac989c7c11d849acc6538a6b41851a72c04fcab2aacc327

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7d6ae0ba4ee28ce248646c7c49601f5e

SHA1
c1ac22475a2a535c46fcc8fa23ee73fe899f7a05

SHA256
ef85d3f8e755fb56453a427a4ac56e68fb429b1387b8b9a2e860534a844f7347

SHA512
63d4f06d10aceba5f5af2b9b56ea1040062081abcbf1802cb8c30e84feb8c48ee57577404ccf433d274ef5f9fbb757356696cc6e420559abfef70e54a59ce06f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
33211e8259fdaeebbd17a71c3846bbb0

SHA1
34c048c711d2ecd2ad9a827bd19130c50d010783

SHA256
7ac8ac09ffdd2442477afd8fada0b41c6e1a1a5bb6d95238fc9d508113436987

SHA512
902394f637ac0d4631972e9ce3bf1c1329ec5af5b4453fd09784b924afcc7fd80226726f39e7d4d09c2eeb0c285d1d151314b1a7217ee21640cf48fc1fef1684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ab379b2a3132ceab4ceca373903ee06a

SHA1
a275a9e9b9c485f2ef13f447eb11edbc64e9303f

SHA256
8726d348482c928253bf3929ea67cfb263e7c48a5467a0a8cbd260936f1d9e7d

SHA512
b2d3012d5e12e38844b53444c4a23125eaf82559bb2209f18c47f6a68a54dc80879e72501140a6d5f1e5a939c707e2bac670a6305efec43519ef8dcc70c9a04f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2f392abc305ff6a8fa59f018c652cc2e

SHA1
5df60f009cd175365de1153e1de8db1d57d6e7a9

SHA256
cc345169786d69f304592b55cbefce059e33fed47ba5ebf85d528b232c049c39

SHA512
269a8452d8421b6a6803e7939cef955c8d7cbd4631251b675ab622b1d5083c0af606aea725c325694470f1d6286711a447466d0a0d7f4d7a9c661a482c4b16a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab455D.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar45CD.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/2240-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2240-20-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2240-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2700-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2700-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2700-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2740-12-0x0000000000240000-0x000000000026E000-memory.dmp

Filesize
184KB

Download
memory/2740-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2740-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2812-37-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2932-42-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download