ramnit | c0552fcbce51f552d05b980a98fe652d64c67fa975db205a1cf406ef78641ad6

Analysis

max time kernel
138s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aabc0dabe030e0cd94059d0e93e8a8a_JaffaCakes118.html
Size

567KB
MD5

6aabc0dabe030e0cd94059d0e93e8a8a
SHA1

426d26b8ad83191e57cfc56c7eccafadcc65d596
SHA256

c0552fcbce51f552d05b980a98fe652d64c67fa975db205a1cf406ef78641ad6
SHA512

fee02cd45759cd364c8f5cd4a12f938f17da6b5f6fef7811ef59ea919f0aa9cd2aec4b7150fa06b042364b8b021dd97e7306bc5631ee44aa8e115fa3539d8827
SSDEEP

6144:SW+sMYod+X3oI+YssMYod+X3oI+YesMYod+X3oI+YqsMYod+X3oI+YssMYod+X3+:L85d+X3g5d+X3G5d+X3S5d+X3U5d+X3+

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 7 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exeDesktopLayer.exe

pid process

2536 svchost.exe
2728 DesktopLayer.exe
2588 svchost.exe
1488 svchost.exe
1712 svchost.exe
2408 svchost.exe
1060 DesktopLayer.exe
Loads dropped DLL 6 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2564 IEXPLORE.EXE
2536 svchost.exe
2564 IEXPLORE.EXE
2564 IEXPLORE.EXE
2564 IEXPLORE.EXE
2564 IEXPLORE.EXE

pid	process
2536	svchost.exe
2728	DesktopLayer.exe
2588	svchost.exe
1488	svchost.exe
1712	svchost.exe
2408	svchost.exe
1060	DesktopLayer.exe

pid	process
2564	IEXPLORE.EXE
2536	svchost.exe
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2536-6-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2536-9-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2588-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2588-23-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2728-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1488-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1488-28-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px822B.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8315.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px200E.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8095.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px8112.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F00853F1-18F0-11EF-8C27-FA5112F1BCBF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422622726"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000445faab5fb0ef8458f0d1e4f38f6424a00000000020000000000106600000001000020000000d25ce70d609df6ec6e79103d23e2199d03cf14f3025aac2b889bfb4790988ae5000000000e8000000002000020000000e4cf9abf5c3b324aaa95edc3ec43a9ebd9867ddb245e82588dcd47ad48f06fb1200000006223b04006af570a4eafe060bbd58cc2cfaff657a089f1f1f265065264af15c540000000c18a2b04a9f5583ff3b2ffbf722443ce0a73f07da36df2fadd594f8d4bead60dbc1b259fac8eba8c8c4c43ce05b091d3494fe24358bd0539ace47ac6cbefd9a0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 700fa904feacda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000445faab5fb0ef8458f0d1e4f38f6424a00000000020000000000106600000001000020000000912ad318729f49c232979b8360e59c38b6a326892f0ce1814e40a36c11cf95b4000000000e80000000020000200000001cfcc8b8dc138d16e516cfc98fd1fb3c1a5d51dd76520f1893364a1ac2d38c9b9000000039426c4a94fb71ed9142e00484687910199219f18894ddb104c4c8ea4b340b5768c64192c410a1ed531deca00bd79b164a59b39bb1601a3e651b4a90218709d5bd929d32fa2017bb98912a5042d23ac88196e181f97bd824b799dca1ea1ad3a6133262a06b0cb5308cd4a41996d66c4e625e2c43226a94e643cea99f37acdfe7a5d49f33fcdb7a6ec7fcdb648259adbd40000000ac1dadb6791dc8b3853c82483e2a11fe219628d4a755b6399878ae1cb4cb77e3c1d211bbc6b6abed2266f484cbcc82005019b3dbe3b387be053fb4efa8101f6b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

DesktopLayer.exesvchost.exesvchost.exesvchost.exeDesktopLayer.exe

pid	process
2728	DesktopLayer.exe
2728	DesktopLayer.exe
2728	DesktopLayer.exe
2728	DesktopLayer.exe
2588	svchost.exe
2588	svchost.exe
2588	svchost.exe
2588	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1488	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1712	svchost.exe
1060	DesktopLayer.exe
1060	DesktopLayer.exe
1060	DesktopLayer.exe
1060	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exe

pid process

2760 iexplore.exe
2760 iexplore.exe
2760 iexplore.exe
2760 iexplore.exe
2760 iexplore.exe
2760 iexplore.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2760	iexplore.exe
2760	iexplore.exe
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2760	iexplore.exe
2760	iexplore.exe
2760	iexplore.exe
2760	iexplore.exe
2760	iexplore.exe
2760	iexplore.exe
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
2940	IEXPLORE.EXE
2940	IEXPLORE.EXE
2760	iexplore.exe
2760	iexplore.exe
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2920	IEXPLORE.EXE
2760	iexplore.exe
2760	iexplore.exe
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process	target process
PID 2760 wrote to memory of 2564	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2564	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2564	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2564	2760	iexplore.exe	IEXPLORE.EXE
PID 2564 wrote to memory of 2536	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 2536	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 2536	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 2536	2564	IEXPLORE.EXE	svchost.exe
PID 2536 wrote to memory of 2728	2536	svchost.exe	DesktopLayer.exe
PID 2536 wrote to memory of 2728	2536	svchost.exe	DesktopLayer.exe
PID 2536 wrote to memory of 2728	2536	svchost.exe	DesktopLayer.exe
PID 2536 wrote to memory of 2728	2536	svchost.exe	DesktopLayer.exe
PID 2564 wrote to memory of 2588	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 2588	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 2588	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 2588	2564	IEXPLORE.EXE	svchost.exe
PID 2728 wrote to memory of 2420	2728	DesktopLayer.exe	iexplore.exe
PID 2728 wrote to memory of 2420	2728	DesktopLayer.exe	iexplore.exe
PID 2728 wrote to memory of 2420	2728	DesktopLayer.exe	iexplore.exe
PID 2728 wrote to memory of 2420	2728	DesktopLayer.exe	iexplore.exe
PID 2588 wrote to memory of 2440	2588	svchost.exe	iexplore.exe
PID 2588 wrote to memory of 2440	2588	svchost.exe	iexplore.exe
PID 2588 wrote to memory of 2440	2588	svchost.exe	iexplore.exe
PID 2588 wrote to memory of 2440	2588	svchost.exe	iexplore.exe
PID 2760 wrote to memory of 2940	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2940	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2940	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2940	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2936	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2936	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2936	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2936	2760	iexplore.exe	IEXPLORE.EXE
PID 2564 wrote to memory of 1488	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 1488	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 1488	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 1488	2564	IEXPLORE.EXE	svchost.exe
PID 1488 wrote to memory of 2400	1488	svchost.exe	iexplore.exe
PID 1488 wrote to memory of 2400	1488	svchost.exe	iexplore.exe
PID 1488 wrote to memory of 2400	1488	svchost.exe	iexplore.exe
PID 1488 wrote to memory of 2400	1488	svchost.exe	iexplore.exe
PID 2564 wrote to memory of 1712	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 1712	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 1712	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 1712	2564	IEXPLORE.EXE	svchost.exe
PID 1712 wrote to memory of 1836	1712	svchost.exe	iexplore.exe
PID 1712 wrote to memory of 1836	1712	svchost.exe	iexplore.exe
PID 1712 wrote to memory of 1836	1712	svchost.exe	iexplore.exe
PID 1712 wrote to memory of 1836	1712	svchost.exe	iexplore.exe
PID 2760 wrote to memory of 2800	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2800	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2800	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2800	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2920	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2920	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2920	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2920	2760	iexplore.exe	IEXPLORE.EXE
PID 2564 wrote to memory of 2408	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 2408	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 2408	2564	IEXPLORE.EXE	svchost.exe
PID 2564 wrote to memory of 2408	2564	IEXPLORE.EXE	svchost.exe
PID 2408 wrote to memory of 1060	2408	svchost.exe	DesktopLayer.exe
PID 2408 wrote to memory of 1060	2408	svchost.exe	DesktopLayer.exe
PID 2408 wrote to memory of 1060	2408	svchost.exe	DesktopLayer.exe
PID 2408 wrote to memory of 1060	2408	svchost.exe	DesktopLayer.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\6aabc0dabe030e0cd94059d0e93e8a8a_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2536

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1488

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2408

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1156

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:406534 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2940

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:668675 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2936

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:668678 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:799750 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1b2fc87f4c01a08b0ab5f71ffac6bbe4

SHA1
006f833d52d8eb9623fe7e3bbeec20e73715c3a4

SHA256
fe905dd357c2708225c827dad52f7e0137cc13eed95c45642a2cb46a2fc845df

SHA512
ac6eb4794160749438c0d42ccaf1daae93e3827097f125ff10551d3e462438ae95aa314b1307f5980c3ca00ce69a1b0155ceac4eabdefd5f61993441ea5659cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
81dd0b87d5497c623d7a65882fc1e164

SHA1
7a4c1ae05e46f7886d6b4ed56bbe4be05a0dd925

SHA256
473995302bdcc1227a8306bcf29eb704b6cacc6b06698cb5e74f844ab8ea0566

SHA512
5ed509aa9248579cc8e5f530aa555806d000ac2b4f486c1f30520bd8462caf853a20133e48e926bcad6e30358dd58636dd81af2298a2fc2f17996d45ba6d1f10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
842364008b2fa07666c2400437d19909

SHA1
0609efdf24b0147ed66f751f60b10bb342d4e50b

SHA256
c533e5ca5f1cb7fdc34ce3cd709ed7eb80e5907f2fce6372e6303756a9c19428

SHA512
79baeffff52a959b0fc05f9ed15025ce5611e2349456ed5261529c5fc2b81f9dd9eeab733b939abb6696d417ce78ceca5dd84c2f6986eb830fa515d5bbd2e9d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
069a8902aab4bd1ea5a3714b4fe7049c

SHA1
5dd7c08b621d3ecbc0f1b251e05020d8d51997f8

SHA256
a25d9fda51db97f17be8f8f45b392f25811a7037156bf062ffab59b01e77d510

SHA512
fa4fe542854038a3ce1b59e32eaeef492af1fda3d304c9cf4f3b07806896b9f5804e6b3bd63876cac64d0b9b5deab700ec2f3b7b716cb8659a9886cf59cafe2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9278d747bd121563cef230bf809f7397

SHA1
29e8792fa27e79a687a3a34c39ac5a4fefcc6e62

SHA256
07d3a130dad3023f66a36edf4dc441efb8380c3a5d9528c3532eac9562fc3a3a

SHA512
53dfa57984ad76305a24e9afdf6029685785973bc0f988dd997329b84d36073a2fec4dc223923487929061db8071da4ff2cdccbeb3f9107238fd0aa0ca0ae684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
50db5a1355c1db77b83e85d7c6697081

SHA1
311d76e3b361d1c3c8a9a54a7fd1f48313bebaee

SHA256
3da70a4708114465743cd5bc37bd28698e3ecb139c403e8d23f33fd6bdaf2768

SHA512
5c0417f066fd0a895c86df8320d9e149e8093ca7a94a78a9aae10418f57bde557cca4c7709f715c1d90a2aed86bf6996624711305e0d2155c8e76987430ce612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
07dd66017bed0f7cfca5cac5c768125c

SHA1
368a4d438878fbaae759f1aa7e32667700a395ac

SHA256
462886b65b32afb575fcbf5618e8067089266f947868ec83131425910f502457

SHA512
fc7329e3b9f8ef6f13b51dccb282a26b2a927c45d9c779fcff98dc6fd8ca0518b76d17bbdf89986448fc94e8c915a49e0db34ac041f89dfff97fec3650aa9ff2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
22dadb5b9a85a290bfb08688bb2d1a2a

SHA1
87f19239a3ee737d7a3fd8687e50a9001081465b

SHA256
afd3774fa78493ef3ebac465f15baa364b27b8497d103c29ea90713b72968174

SHA512
db5912ac7a2fe37bdd1b1f0e93ad64a64837ea5bcc565a9cee8326fe0b3793b0f4abee6364d1571e4577d525c6a95b889c39cf5761f5c4215db8c9b4caed1d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
35952157ce06f822f57bcc458c056428

SHA1
f8055181a1c9b7045387afe978313dd1f023e34f

SHA256
a26c62546f79ebe3dc9b61e4b9b8f2d83f221bb0144f28e71d7a6bdd26654a27

SHA512
0ae6277d6217275f7d34dbc0a7fa510480391ad91a36d74ce1b4f98e7797f7ef178c225b62d9406076d20c61144aba1c13ec0532eb176f08474ec35f75d3bfd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
71298c43bcd13b54b9f8963d62fd1b6e

SHA1
e3c5ee2703c4784d13da36c302e232f79f05f44c

SHA256
034f662dc75fdcd2fc9d9164f19da248fa9909f92743d36fcad3a636f0ff43ee

SHA512
23da7218d1283c6ceb8584d91a8d29e4d02d055c069111e8284b4e66ccb7b7ec1da5948da89b0666c1b7b6e1334b608f144a08f9f698b7bba9ebb5b7aba24ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7B19.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7C79.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1060-516-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1488-28-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1488-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-8-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2536-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2536-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2588-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2588-23-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2588-22-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2728-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2728-19-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download