ramnit | e41da39d4a22d023c5c2015aad073dbb9e9539b28557b594d3e8582a8d24573c

Analysis

max time kernel
120s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

699cac35303796fc8880c82df4d8f4e0_JaffaCakes118.html
Size

521KB
MD5

699cac35303796fc8880c82df4d8f4e0
SHA1

aac7a43f2dbb98374eddca9acbd1500b9250f5fb
SHA256

e41da39d4a22d023c5c2015aad073dbb9e9539b28557b594d3e8582a8d24573c
SHA512

fa16e6a6ca4f0fe90413b5cb96dac2cfdf01f2042aece91ec03c223d74cfb1fc104282c252aab056b5d5906ec8f7ac0dde3b2600b9caf162af8ce6b416760014
SSDEEP

6144:SQ5sMYod+X3oI+YGVsjVdgsMYod+X3oI+YGVsjVFsMYod+X3oI+YGVsjVP:tF5d+X3zjVdO5d+X3zjVx5d+X3zjVP

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2796 svchost.exe
580 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

1960 IEXPLORE.EXE
1588 IEXPLORE.EXE

pid	process
1960	IEXPLORE.EXE
1588	IEXPLORE.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2796-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2796-11-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/580-23-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxA064.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px99EF.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b13e9c4b51a77c4ea14722d99ea387ec00000000020000000000106600000001000020000000953a33a5a959b4ec636a286da49441e3312c95ec57f34a8e69eee3dddde230e6000000000e800000000200002000000029efdf83a610625dccc534a82c4c4432f1a1c86023f9fbe8cfb851219c38332890000000dd1f19465e3965dc39b4827d70c3c7eab05da07831589b6604bb6f0ba3d96308de6332356451cdde193c3f8d5091e1bab93281b306128f1bc07c7fd883957e298650134bd5d42f28156bb63d7f64e59c050058f10ed3e7e02b247cd757cc70d6d8575b08868266c2dfaf69f20ab1486701739488d7c9041834ef7e6e48491768e6637dde586fef67ee02d645a5ea21be40000000fdd2daaf0f7360a2e44d89e07ac11b3f3feb4f0c61258ffb55228f4848bb1b8cc69ddc6d9a452fb309ad477d9ee1d0f7253a917d3e3821d51bc637cd83b91921	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b13e9c4b51a77c4ea14722d99ea387ec0000000002000000000010660000000100002000000086cb612cc7d3d6e8e8278df8fbc96676e77a596cb1b463704b3288bc0c13c32d000000000e80000000020000200000002dad0f8a1705077fd72bcc98d5e417cdd0941f367511f8f44960e122d30e0c2b200000002885219fd241f26065e0a93e39b90ae472adabd90fdfa0e7df15d6bf71380606400000001bddb307b30cde7cd87cf89038544e73760f601f9eedbc44c6ca14d76b0d66df7bab8404e6579db17d3188077bc1f9a14de5ecb562b56d0643e1aa8f17677330	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f07dbad6c2acda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FEE13531-18B5-11EF-B2DC-EA263619F6CB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422597410"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2796 svchost.exe
580 svchost.exe

Suspicious behavior: MapViewOfSection 47 IoCs

Processes:

svchost.exesvchost.exe

pid	process
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
2796	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe
580	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2796 svchost.exe
Token: SeDebugPrivilege 580 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2892 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2796	svchost.exe
Token: SeDebugPrivilege	580	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2892	iexplore.exe
2892	iexplore.exe
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE
1588	IEXPLORE.EXE
1588	IEXPLORE.EXE
1188	IEXPLORE.EXE
1188	IEXPLORE.EXE
1188	IEXPLORE.EXE
1188	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exe

description	pid	process	target process
PID 2892 wrote to memory of 1960	2892	iexplore.exe	IEXPLORE.EXE
PID 2892 wrote to memory of 1960	2892	iexplore.exe	IEXPLORE.EXE
PID 2892 wrote to memory of 1960	2892	iexplore.exe	IEXPLORE.EXE
PID 2892 wrote to memory of 1960	2892	iexplore.exe	IEXPLORE.EXE
PID 1960 wrote to memory of 2796	1960	IEXPLORE.EXE	svchost.exe
PID 1960 wrote to memory of 2796	1960	IEXPLORE.EXE	svchost.exe
PID 1960 wrote to memory of 2796	1960	IEXPLORE.EXE	svchost.exe
PID 1960 wrote to memory of 2796	1960	IEXPLORE.EXE	svchost.exe
PID 2796 wrote to memory of 372	2796	svchost.exe	wininit.exe
PID 2796 wrote to memory of 372	2796	svchost.exe	wininit.exe
PID 2796 wrote to memory of 372	2796	svchost.exe	wininit.exe
PID 2796 wrote to memory of 372	2796	svchost.exe	wininit.exe
PID 2796 wrote to memory of 372	2796	svchost.exe	wininit.exe
PID 2796 wrote to memory of 372	2796	svchost.exe	wininit.exe
PID 2796 wrote to memory of 372	2796	svchost.exe	wininit.exe
PID 2796 wrote to memory of 388	2796	svchost.exe	csrss.exe
PID 2796 wrote to memory of 388	2796	svchost.exe	csrss.exe
PID 2796 wrote to memory of 388	2796	svchost.exe	csrss.exe
PID 2796 wrote to memory of 388	2796	svchost.exe	csrss.exe
PID 2796 wrote to memory of 388	2796	svchost.exe	csrss.exe
PID 2796 wrote to memory of 388	2796	svchost.exe	csrss.exe
PID 2796 wrote to memory of 388	2796	svchost.exe	csrss.exe
PID 2796 wrote to memory of 424	2796	svchost.exe	winlogon.exe
PID 2796 wrote to memory of 424	2796	svchost.exe	winlogon.exe
PID 2796 wrote to memory of 424	2796	svchost.exe	winlogon.exe
PID 2796 wrote to memory of 424	2796	svchost.exe	winlogon.exe
PID 2796 wrote to memory of 424	2796	svchost.exe	winlogon.exe
PID 2796 wrote to memory of 424	2796	svchost.exe	winlogon.exe
PID 2796 wrote to memory of 424	2796	svchost.exe	winlogon.exe
PID 2796 wrote to memory of 468	2796	svchost.exe	services.exe
PID 2796 wrote to memory of 468	2796	svchost.exe	services.exe
PID 2796 wrote to memory of 468	2796	svchost.exe	services.exe
PID 2796 wrote to memory of 468	2796	svchost.exe	services.exe
PID 2796 wrote to memory of 468	2796	svchost.exe	services.exe
PID 2796 wrote to memory of 468	2796	svchost.exe	services.exe
PID 2796 wrote to memory of 468	2796	svchost.exe	services.exe
PID 2796 wrote to memory of 484	2796	svchost.exe	lsass.exe
PID 2796 wrote to memory of 484	2796	svchost.exe	lsass.exe
PID 2796 wrote to memory of 484	2796	svchost.exe	lsass.exe
PID 2796 wrote to memory of 484	2796	svchost.exe	lsass.exe
PID 2796 wrote to memory of 484	2796	svchost.exe	lsass.exe
PID 2796 wrote to memory of 484	2796	svchost.exe	lsass.exe
PID 2796 wrote to memory of 484	2796	svchost.exe	lsass.exe
PID 2796 wrote to memory of 492	2796	svchost.exe	lsm.exe
PID 2796 wrote to memory of 492	2796	svchost.exe	lsm.exe
PID 2796 wrote to memory of 492	2796	svchost.exe	lsm.exe
PID 2796 wrote to memory of 492	2796	svchost.exe	lsm.exe
PID 2796 wrote to memory of 492	2796	svchost.exe	lsm.exe
PID 2796 wrote to memory of 492	2796	svchost.exe	lsm.exe
PID 2796 wrote to memory of 492	2796	svchost.exe	lsm.exe
PID 2796 wrote to memory of 604	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 604	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 604	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 604	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 604	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 604	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 604	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 680	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 680	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 680	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 680	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 680	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 680	2796	svchost.exe	svchost.exe
PID 2796 wrote to memory of 680	2796	svchost.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:1824

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
4⤵
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:820

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:344

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1044

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2980

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:3068

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:484

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:492

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\699cac35303796fc8880c82df4d8f4e0_JaffaCakes118.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:275457 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:340994 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:3617798 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1188

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
898fcdf9da57447d7710eb971fcee04f

SHA1
7416b87aa5dfbeb92823fb2dd1f9d19041aebc0a

SHA256
98b44ab366877ff7c01f68ac76746bb78bf41d6f248a9f0e694833132aa0b89f

SHA512
179f056bdf8b4a0261ebf10c9a7837e00e3dcf166a957c1adfd3c19297e2148f1a7dd4d4f0531da3dd0f788e32cedc30b28946aa715a140f55664e8505f1e0f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
662c5b7a74e95f914795bbe4aa258026

SHA1
e241e28cd9f2ff7c3f59e05acde9946a05dba827

SHA256
bcc15233132610e90627f362f516dd8c5de5d92311d95c2883539a56f9ebd762

SHA512
3e330b23e02323d4f86ab555ba26e054a7d3dc05915843aef3c5d02ea3dc8786398e00a2256a69473c76558fa506b539e9e387cc936e52508572728e3f7443e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c8745064545795b04306561ada6e28ba

SHA1
4a7ce22af8a8ab46a272317c71f944efb3a41e5d

SHA256
632a5f8ea33ef28f858601bd522403f3286230394f7c9e6b11699385fa6ce46d

SHA512
df3c5051d672026c8418268255366184c7ecd3a8f684e5e85d7474487c4ad442230ed81e47d4cda5e5f3fcb80ef2161a5b95d80d85638a4ad79fa99da167627a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b153d59579c7e0b37a342691889289a7

SHA1
50d797ded631771a18611f43ccf4834ef760a123

SHA256
540632e3da955e1b921e8e0147b448683e2fea7ac7071402c81d1aadebcdd236

SHA512
a3812d022dba870f1fe9c5df850b501844c7b87301abe224142da67ed9669ae0a6ab4c3361ca00cf614d8059f2bf01b7faa389ec5f9afc260bdcc61c8fce6bdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3d1504f17bb80f57e3f000490560cd3f

SHA1
f509ae981a6485abd4689910433abd66709b91d3

SHA256
d6212c94e18c9a213d5705e6951a34d3ae3bd501f5fdd05ea4f389155080ac8f

SHA512
0db90bbf2a75a9c1f1ff369ad3d183afd2c30947a48719f66469c345aaecace59787651ef4b222956a3d925d72b4332798a7671ac03fe7ca67ba1bce08111571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
22a52faf0c8ca51fdebb7c0755059350

SHA1
0b7c7a5b59ef692d810b2768b3dc71993e3bad2e

SHA256
336f4becce8da06fefb86b00bde5c97141b488ef3ae168f206149f0a067addcf

SHA512
c095cd6ad397352216234d27fbf4648073a40dd77d6a3a2d4fc8e62878b217f4694aad87cd5a5e4465e9e2aab59a6dcbe9efeb4914eb49c588ccc6f8642f6e49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
29b213e198a58961230852b705005509

SHA1
35f2729364720ccbea6f64ddafb74e2546481229

SHA256
71c1522ca5b8d5a5dfa068d1b71f52f312943478c7c6a67c76c5e1bcc0e48721

SHA512
72ba132ef896cb20115ff1acb605cc59797b6639292c36913383e97a04c2d679f4114a31521fc34e56b64aac284f9fdb8ab1ec4c1e3a7e9f99b11f2b28a4e3e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5b699c441d987e969d59c8f186d80b49

SHA1
3ad52b7256377fad26cb0d23d4b5d3428b1bc902

SHA256
96f8f14bfd8d731374644fca7fc2ad6398acfaf42094a346d638673db54aa532

SHA512
6d838025e2ea42ae99093c47c7051081ba3718185d3a5e4c456892d617c8718fcead15dfea59a74156cc4e475b10f9403d7ad67c96771f0bd683a87507ec083e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9ff6f95f6efb9879016c1c41ba9f36b0

SHA1
449bbd2cff04f7f7de7717c528d72adbb93ebda0

SHA256
c8edf424929ff69b489d9c781fc9b97270f3b7f04c68e6874c5b004876cf178a

SHA512
773dab08bca9e7e44e93a5e4dfd00d019c2a0b495bdd8770c376b0feb508b6b62e0a7d447efa0ce11010f3154507d3cb31ade5192f53324a2134a1995cf5ff18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
36f3ada3878377d538df689d717620af

SHA1
e903ae430eb6d9e70c371011cbc74b413653c63c

SHA256
488c4f17eec395c7f14d535d939f8ae88d1c4a61057de3e5323a4aeea4ca818b

SHA512
662f303e614933cd1463ee5f05c211637e517a9ccb043f82dc7d439c085856b31b164f5452231fc3ad5538515ce9423402cad21b2cf114ba138eb52fd08a9b79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2f9744f7f41aab1c26fd5fad703e1479

SHA1
9748b54e9eddf7727839689edfac97524a98d3c4

SHA256
6cf61efd011ffc0db429376edf12161eb3799d506e254b8e1aff456f8d3731a5

SHA512
f6953b457104e0448ad06f69b579009b7bd91b3c574f573c00e15bc6e81863684cab81a56e7601899be7072b0349c4a80024e47b7f11dd8cc5d48a0a96fd6073

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
543b2c06d894d8b1c7b78fa641d9b8e7

SHA1
928bad779b82e8c31925eb38596f596766202a3c

SHA256
ab6c0989a0a4aaad19ecdf961598ecbb50da498c3e38e91089392b27bb840a0e

SHA512
a0c8decabd46c067f6590385a041379e52dd460bf786f85ea2b9734de8030a8f63f957dd371b209fb36f2a784059ccad9ac66012a50cb629a3fc082b31f13335

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7173ef56220f3a36bf50a585349df97c

SHA1
2f305b74b61bc6d13fd54f9b409e5a48f0673d58

SHA256
cda7abaad2d47d39bc4607f63a445d9e57c68b4fb76d4235a6b05503b17912d4

SHA512
a3c8c39a048d563b9de2de2234686e2ecacd6e43e2bc875fe00050d4ae3534c332444916d0d8b9af6f4bb43b0f4e9c9693e9284915897a2d38f3a0f754f532ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a733b34fb7d60a4fb0af492771f50996

SHA1
2be056285ce1905a991b1d80da1e17e629ba5a48

SHA256
9b93b222dc6ab95fd6cf1a2728d265dd225e4a8927368ad7b9a5fc5f2a7d286e

SHA512
98ce1b7d3dff3fdc20462593ca2dc382da3bcb2acc91fc83c34b37eb7723f2bcce164eda071d0d7fe1fd219de14b302f8ff0cf232f681fa0425de341bf867ec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
71bdf1ab038574a0ac37af2a348289a3

SHA1
62c0f579b087bdceb725a7277a44c8fbee016594

SHA256
906cf15a8e8d26003dd31598663a7725819551f41d8506892909e6ded2997503

SHA512
2cb160d2a91fb39a32bca8de6a4e241e4f38272f66e21a612e225349792a1c1f371dfdaab17f96ccc3433805d80a0fd0e127ac60a88476f87581b05ed6546a95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9e59c2ee7cecfb37dd81819fc879219f

SHA1
64b6647c5938d01d50395743fb3991494c36ecd1

SHA256
9cdb08f8644880b9a266d248978cdbf7212e30f26d490541a2606cc03349f347

SHA512
29e8b9ae123aed4090cb92ce916f30fce5ebeff93af70d0505c3197ba8ebb9f4ca4a0bf3eef825635a02554a8dd4499d6d6478a3ca60e3b27508fbd338ed9362

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
108c2d2c6dea338499ecd9475143253d

SHA1
42f06075d646ad5f22e3cbf849da17e499c8db99

SHA256
0feeb646c4ba1dbf3305d0288657f48dc12c3efe1be412e105bd6a1b6777b7b5

SHA512
08482319d1ea29d9fee770e56c0a422616f7d0fa0bf17abd490a893349462e788e79c034dba542b2e0d29771bd849e7f115dde186e0f5972c53de2d464ac1de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\jquery-1.8.1.min[2].js
Filesize
90KB

MD5
e7155ee7c8c9898b6d4f2a9a12a1288e

SHA1
d1b0ac46b41cbde7a4608fb270745929902bac7c

SHA256
fc184f96dd18794e204c41075a00923be7e8e568744231d74f2fdf8921f78d29

SHA512
00f96415745519916c4ef53daafba8fa6eb9de9b75b2a1e3d55f9588ff759b80a90988f0c79450214ba13ec06f4f4cc915fbb2a493f4f1983b9aea63e9e99fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBF5B.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC048.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC06C.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
84KB

MD5
666faefb80b2c2c4028875ce8cd6f3a0

SHA1
1673f5ea1664c67f539a7c31f7fe7cea5a7ae63b

SHA256
da43233d34e8369e6802cea5dbfa9fa46b07b544bd85edd8f256692a5d34fbd4

SHA512
c375ced9c64a0c33e2af498fcdb81c995cc6254e9f6d9f8d7fbd90571abe4ac00d3a1eae51eee4e45c88aa77ed765d86014c043950ff06c0367957ec6786b41b

Download Submit
memory/580-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-7-0x000000007733F000-0x0000000077340000-memory.dmp

Filesize
4KB

Download
memory/2796-8-0x0000000077340000-0x0000000077341000-memory.dmp

Filesize
4KB

Download
memory/2796-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-11-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-10-0x0000000000280000-0x000000000028F000-memory.dmp

Filesize
60KB

Download