ramnit | 7e6aeb90affe505844aa0f4cab9f66f854dfdad1d51952569f47dcd5b9d659ea

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6996b91f9d9ee2a4d5a1e67171602f1c_JaffaCakes118.html
Size

871KB
MD5

6996b91f9d9ee2a4d5a1e67171602f1c
SHA1

b7a7bb68a7531b9923b7e4c453e5ce59ac381140
SHA256

7e6aeb90affe505844aa0f4cab9f66f854dfdad1d51952569f47dcd5b9d659ea
SHA512

7029835b4bfb9383fd54cf1be930500cbadaf1db9e381d13217c8a3a02a046696ff3ed311cd06432463a8851e1798f832f996d6f280632486f880c48a9304aea
SSDEEP

12288:Km5d+X3zjVf5d+X3zjVU5d+X3zjVY5d+X3zjVL5d+X3zjVP:KE+TjJ+TjM+Tj0+Tjp+TjZ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2748 svchost.exe
2528 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1388 IEXPLORE.EXE
2808 IEXPLORE.EXE

pid	process
1388	IEXPLORE.EXE
2808	IEXPLORE.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2748-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2748-12-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2528-19-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2636.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2481.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d02fa94dc1acda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000000ffc6f4bd3f58d95266da90d01c0369701ff4d53494c19224c1ccab7e5e0120000000000e8000000002000020000000b419e6b344881fa9a9bfa4b0ffacfcf44191f58631dc486ff6151a4a060ee4f290000000d3bd8dfc757fb17b343e9898ef3b1eb37db879e9126e9a5126b2977c99d4f02759fb38733271c22b62e38a18e2819f6ef3b22200f4d658ce9394fddd39e17d677bfdafdc3f78f5e2839d34e0836a55230e4c614ce84e1339ea970b67dd9eda684957c5b1b15e362a9d371289736a72fd974f357f73ee93a4311d59523d7d59c2b3f5917d910b5ebb680d07e66ea3b98e40000000b0e3126bacc0876a7e09d869ffd3cbed76d71733e3986bb8a1d616345b6012fe15d41ffc3283f58de0c23b118ac606dedff516ea5c2ff1319f5efc2501630a54	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{78528AB1-18B4-11EF-B44D-5A451966104F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422596754"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000004177807a755183a9e6b1c09dc3399167f24f927efa8349b06f99c6e87ed5a1b5000000000e80000000020000200000007e813e31f989716a77712da9e8a200a930051ee27bf48956c41e708af741052d20000000c076f2208b46ca5ceaa01e0e50919388aaf6b61ea55a5c7b4111b641a0f241374000000099aa772ef4ec826b9a8b2d97c2cc18a74e1b8a4028b1a5c71ee06fcb8125ef35df9f726e4c927df28985d1c73ca5284568c686bd20fca1ab7bdace8dcd1f6651	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2748 svchost.exe
2528 svchost.exe

Suspicious behavior: MapViewOfSection 46 IoCs

Processes:

svchost.exesvchost.exe

pid	process
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2748	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe
2528	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2748 svchost.exe
Token: SeDebugPrivilege 2528 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1712 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2748	svchost.exe
Token: SeDebugPrivilege	2528	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1712	iexplore.exe
1712	iexplore.exe
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exe

description	pid	process	target process
PID 1712 wrote to memory of 1388	1712	iexplore.exe	IEXPLORE.EXE
PID 1712 wrote to memory of 1388	1712	iexplore.exe	IEXPLORE.EXE
PID 1712 wrote to memory of 1388	1712	iexplore.exe	IEXPLORE.EXE
PID 1712 wrote to memory of 1388	1712	iexplore.exe	IEXPLORE.EXE
PID 1388 wrote to memory of 2748	1388	IEXPLORE.EXE	svchost.exe
PID 1388 wrote to memory of 2748	1388	IEXPLORE.EXE	svchost.exe
PID 1388 wrote to memory of 2748	1388	IEXPLORE.EXE	svchost.exe
PID 1388 wrote to memory of 2748	1388	IEXPLORE.EXE	svchost.exe
PID 2748 wrote to memory of 392	2748	svchost.exe	csrss.exe
PID 2748 wrote to memory of 392	2748	svchost.exe	csrss.exe
PID 2748 wrote to memory of 392	2748	svchost.exe	csrss.exe
PID 2748 wrote to memory of 392	2748	svchost.exe	csrss.exe
PID 2748 wrote to memory of 392	2748	svchost.exe	csrss.exe
PID 2748 wrote to memory of 392	2748	svchost.exe	csrss.exe
PID 2748 wrote to memory of 392	2748	svchost.exe	csrss.exe
PID 2748 wrote to memory of 384	2748	svchost.exe	wininit.exe
PID 2748 wrote to memory of 384	2748	svchost.exe	wininit.exe
PID 2748 wrote to memory of 384	2748	svchost.exe	wininit.exe
PID 2748 wrote to memory of 384	2748	svchost.exe	wininit.exe
PID 2748 wrote to memory of 384	2748	svchost.exe	wininit.exe
PID 2748 wrote to memory of 384	2748	svchost.exe	wininit.exe
PID 2748 wrote to memory of 384	2748	svchost.exe	wininit.exe
PID 2748 wrote to memory of 432	2748	svchost.exe	winlogon.exe
PID 2748 wrote to memory of 432	2748	svchost.exe	winlogon.exe
PID 2748 wrote to memory of 432	2748	svchost.exe	winlogon.exe
PID 2748 wrote to memory of 432	2748	svchost.exe	winlogon.exe
PID 2748 wrote to memory of 432	2748	svchost.exe	winlogon.exe
PID 2748 wrote to memory of 432	2748	svchost.exe	winlogon.exe
PID 2748 wrote to memory of 432	2748	svchost.exe	winlogon.exe
PID 2748 wrote to memory of 476	2748	svchost.exe	services.exe
PID 2748 wrote to memory of 476	2748	svchost.exe	services.exe
PID 2748 wrote to memory of 476	2748	svchost.exe	services.exe
PID 2748 wrote to memory of 476	2748	svchost.exe	services.exe
PID 2748 wrote to memory of 476	2748	svchost.exe	services.exe
PID 2748 wrote to memory of 476	2748	svchost.exe	services.exe
PID 2748 wrote to memory of 476	2748	svchost.exe	services.exe
PID 2748 wrote to memory of 492	2748	svchost.exe	lsass.exe
PID 2748 wrote to memory of 492	2748	svchost.exe	lsass.exe
PID 2748 wrote to memory of 492	2748	svchost.exe	lsass.exe
PID 2748 wrote to memory of 492	2748	svchost.exe	lsass.exe
PID 2748 wrote to memory of 492	2748	svchost.exe	lsass.exe
PID 2748 wrote to memory of 492	2748	svchost.exe	lsass.exe
PID 2748 wrote to memory of 492	2748	svchost.exe	lsass.exe
PID 2748 wrote to memory of 500	2748	svchost.exe	lsm.exe
PID 2748 wrote to memory of 500	2748	svchost.exe	lsm.exe
PID 2748 wrote to memory of 500	2748	svchost.exe	lsm.exe
PID 2748 wrote to memory of 500	2748	svchost.exe	lsm.exe
PID 2748 wrote to memory of 500	2748	svchost.exe	lsm.exe
PID 2748 wrote to memory of 500	2748	svchost.exe	lsm.exe
PID 2748 wrote to memory of 500	2748	svchost.exe	lsm.exe
PID 2748 wrote to memory of 596	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 596	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 596	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 596	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 596	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 596	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 596	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 672	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 672	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 672	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 672	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 672	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 672	2748	svchost.exe	svchost.exe
PID 2748 wrote to memory of 672	2748	svchost.exe	svchost.exe

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:596

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:812

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:108

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:1012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1028

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2028

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:852

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:500

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1244

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\6996b91f9d9ee2a4d5a1e67171602f1c_JaffaCakes118.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:275457 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:340994 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1712 CREDAT:209930 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
999968bee80be4b87344b66e7788af8d

SHA1
c9f88cbde6f1b304dcb4e6d5012a44adf2868f02

SHA256
8c25c6be4d6a17449ffe879efa68c6186b00fd3ce8fd7419f0b4488391877b63

SHA512
e9c2cd8a417dfd08f598d896ce313488ab6f6561d01c0444c96aa242250b2a1ffe27e9189452ae092574fc24819317719b5efa58a8b51db83a883907e27bea4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f369b29687d8eb27a48ccd8b0db250dd

SHA1
dc91c00a25b5137654d853fce68b1641c8f91cb6

SHA256
a18263b5c14f2b8485e1d61cddb71aced9651bfe4dbcd841ad347b0189c88122

SHA512
21779cc750567e9ac673eddfc20415c991d7a2b142b510d789f2cc4f3a8fbb2e79390f9f2359f9301aeeb7af60932d102b22d8399e9e3c9480cea35d92364509

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
68ce4ba849d80fe762996d13ed653db7

SHA1
5cd241e3acdbbba042bc32d3f2978a3b5475c4f0

SHA256
9854c0797e65ebb188ca71f62b42da7c2a1bb8567f9e583c2a75754b100c4d6e

SHA512
2b85b18f5b39fa4ca43cbc96c1a370821e78364b7fbc68d6e91c3c4ddced10834d2a7f93c6164c369ea2a1626f2515839c64efe85664ae1daa0c0d09c0a0809d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3eb156359ff016a06478aa96ab4495e7

SHA1
8d4aaf8788730e6f6f944f23a13cd03152897236

SHA256
42b7ab078b6c18997ef03213a9b5946047086d1e7a4ffda822dcdac8ca8f1cda

SHA512
8e1822c505a9080d6a8ba09a2bae07a144bb5a1819826a06f585294e18df3f1ddee20aab8ee55fb195459c4205dd361ed3a934b5a83cf6a86804db60e285c0b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9438ac40d052fafcc3eb45d2535d16b0

SHA1
58e7e92581c5d480be4a5f732650e44cd1e2b9e0

SHA256
33e08af27c676999cbe4fda33f1883216e568f78914169ec71444e018ad19089

SHA512
fd640ea2a1a3a4f7aeb04bacdc75f4203078e91eb9263a46432b0e4b6613f498c6d8ce2eead7b8b3c149f284fd8e4a2b82152447aef3d55f64a8cc984d104cf8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
15dd0dab9d40734dd1612feb46013a11

SHA1
2b3ea1de3cf70588dfe3177f99e3081d6ba61875

SHA256
140c0fd28b6ad2ab8ee4195b3481264daeed4338a79d4826e338f347380d8f7c

SHA512
6d31e851e8141dc04e57e5140b68dc2b7efc1bbb8897e761da55dc819d2d766cd91d27969253b5e4ca3f13592153efe39b13f02ddd8b70f5a1ccb859334c4202

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9eabe199a32d4b33c6eb4171f09696fe

SHA1
928504a5509733e5ece045d5db38adb72b13c334

SHA256
2188e7f775b410156364fcab7afce7d5840a955f860f8331212992d12c85c954

SHA512
d61c25b322a9e85b82bb7eef789cb182a7ced630504bbaa006cc6c517b068a6c9de6f93086031e02fcbbe3899ab8969224401b0b9dcf3669f1d2f325f30ec2a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0963883660fc4a9c6744a818d7979ef5

SHA1
d840c49ae5e732cbf369d1dd4a28733aad664f5d

SHA256
4cc7252d276738e34a717ee9c40cce18b2c4d4ffe258e21cd2b28c6583c1f170

SHA512
437d74d83d72b2fc118a363746543b8c74d2e69b088ebefa58ed4f4cdc588ddd0874186d8a2b1bb9e0aa7dd6f5a249e8943b7fbf2f619593edbe0a2a710a2d4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
434c45c16cab772e0575b276f933b5e0

SHA1
f29b267943616de9c09bea9e44140f2c2e00c3ee

SHA256
a70b6af20e90f5a3b6f25db376e304e93adc5920540cdd1d027072201f5bfb9f

SHA512
bd1376d40da9f7f893ac8ec442edb780ab8df2427e7e098190a947296c78804a4135b532991ed35098cc334f40f6fa6455f3bf7bac2c84a1bb03fbfe6115e1c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3d9a9d3849b8be1fc929e89a832be0e7

SHA1
78843977e5a020d2b1240d7813dd6ffca13c46f6

SHA256
9b51777663996fa9d18019688cf971a66f2e030db65ef95aec88995421c6198e

SHA512
49aa1a3f195437d36f7b5acbe956d81744ef093c6deb5aad38276f62afd08ad84dd4e4569d109b5e6029cef71afef79880768bec5bacc3da9e47ac52150ffa91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
26827be271eba5079bc6805de279694c

SHA1
b8327865a238da8cc999a58afd3dd8399b1b762c

SHA256
25515e75dcb6cf145c020db8ff5cccb746437c5817f55e523bbf625cd8ea708b

SHA512
0ba18a6c6004a647652035d937ad9c1f770f9972ce0d1727b10ee80dbc38be24875b2fbbbda77eb0766f281f132df6e14fe90eeb80ca1c64257d33991b126733

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
87c418313a58d4391dadb6a5b3d83d90

SHA1
1bb1aaca5cf7de1f2a04ebf91e7a76e5236b6d23

SHA256
56d1882fe99e61fc6a3b3eaaaec233c84e3ebfb0d2d7248893a4c3b87f60712d

SHA512
5a1246cf85f1ad73a5b18dc72b9f7000c9b1b01e0fa4d2bc8575c9145328d28178d64d648152bc8c3bf7fb4c54cca41f190afb1ab272873d8b56b2fe1bd487d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
990f95c16f0a87c5ca0fc22cfcb2cc08

SHA1
d7ec29b36337f8a17577f7107575005cfb9e6fdb

SHA256
c4bc1776b3e71286cf70f7d0c69064db7fb3864d597ed2bfe86d4c544f12fe5e

SHA512
f642d1f28ca2323a1bf4d5321a85ed3ec2e1d7f56c5e35314a873b4ff4311c433f48b86388bbdff50f4e5931145c42789cbed1e1b249051552a2673bf6ff8454

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4b75d300a943c7a6c915a02f9bc13601

SHA1
5832b9b8e02050ce74ee37ae012801eaba0fafbd

SHA256
7904c5c289f36a066f8b701f942b77afce70185ee3cd9cc51f4b701e3408a7ea

SHA512
29b96ccdf3dea385394ff195d42de2c9b13778524421f630e95878096a196cdd4352ddf688c0770a24a8af339bf280a071a0c2aa5e8b5223ba49d5b6a7813c17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c616186681f9f6ad45811a7a6748952d

SHA1
7292d161f3445da1f3d966536c9a6f4f1af50817

SHA256
552d09ca2d6d25cc533984c8a288d1e41254cee4a6a9efe235513e8fdbe87f57

SHA512
6cf6e2f0a98bf75d3306a8757648c85aace4b6a9af5b60eb46b71400454a36e6f67c453dfc6e8ca94ea5a21084fe2195705c9dc0e0c7aa76f6a083e98ec215b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
042a87f63cb7aa0ff342219ba8e373c2

SHA1
1a3be1c037a65ee9e9d291c07768cf6da8fa4faa

SHA256
c879a36a14ebb9f58cb93dff6c3cffe5c617ef52ce64d8f7f7247c54970717a1

SHA512
5abf367e05b9e4a21e31f8b67366b69e35ca71aed1210e0160b389a90b47c012cdb59890ac46a7e34c2a7832d8a3832e9a5a0bcd6e0b48ba452d073b72c63e8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fa89c4d2089126a455ffd4c3d5fc7ddc

SHA1
f0da2a5cfffd4dbe03ad772868722edaf0fa489b

SHA256
40e673487c5ab843fd934a1e88d9221b0484432193e37bdb12b47f5a2380dd3e

SHA512
b1a96780d4fd1e3674aac364866de29b40977058b1b919e489c0d3d7b3cc032e86d279689e1e522d92c8cd1222090edd6a4fa5c0ec15935ea1638df821eb70b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7887ba531cca5c72ba37b6f755407257

SHA1
000606a797a49c4c00dc988d397708a02d2554ee

SHA256
fa5657b1eeabddb630adefaccbf33e98640e77150855be9ccd6444696da6f3ea

SHA512
5e7a49bdab7df2d420268dfdccc677928e07d2d55706c9a0d7b252bf653b9205c7dfd446fd75dbb87de05f3d54f82d7f63336ee2bf510f46d1ddb2fa5fd81932

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3D4F.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3DD1.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
84KB

MD5
666faefb80b2c2c4028875ce8cd6f3a0

SHA1
1673f5ea1664c67f539a7c31f7fe7cea5a7ae63b

SHA256
da43233d34e8369e6802cea5dbfa9fa46b07b544bd85edd8f256692a5d34fbd4

SHA512
c375ced9c64a0c33e2af498fcdb81c995cc6254e9f6d9f8d7fbd90571abe4ac00d3a1eae51eee4e45c88aa77ed765d86014c043950ff06c0367957ec6786b41b

Download Submit
memory/2528-19-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-9-0x0000000076EFF000-0x0000000076F00000-memory.dmp

Filesize
4KB

Download
memory/2748-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2748-11-0x00000000002C0000-0x00000000002CF000-memory.dmp

Filesize
60KB

Download
memory/2748-10-0x0000000076F00000-0x0000000076F01000-memory.dmp

Filesize
4KB

Download