ramnit | 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
Size

10.3MB
MD5

e3abe904593a215b4dae43cdfd2b0d7e
SHA1

a24443eb26a99aed2cabb5285789dea8e51eb235
SHA256

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee
SHA512

0640b99cb3996685415fa5673ca087e32d598a8e66f0f87d84497e739730681e1a52811a8a72b7f98718ee55fbb72b2dd6c1b41dce5fb726f8ddd67d60dda617
SSDEEP

196608:46F/8qYqsBmiFm4CTqfG+vTiwnDmNQkJM8uDIYnKO37w7:TF/8qD4F3e+biSDcQwM8uDuN

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exearia2c.exe

pid process

2688 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
3064 aria2c.exe

Loads dropped DLL 4 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

pid	process
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	upx
behavioral1/memory/2688-12-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2688-35-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422694632"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5C435A41-1998-11EF-8745-52ADCDCA366E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5C433331-1998-11EF-8745-52ADCDCA366E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

pid	process
2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

description pid process

Token: SeDebugPrivilege 2688 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

description	pid	process
Token: SeDebugPrivilege	2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exeiexplore.exe4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

pid	process
2508	iexplore.exe
2628	iexplore.exe
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

pid	process
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2508	iexplore.exe
2508	iexplore.exe
2628	iexplore.exe
2628	iexplore.exe
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE
2392	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2240 wrote to memory of 2688	2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
PID 2240 wrote to memory of 2688	2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
PID 2240 wrote to memory of 2688	2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
PID 2240 wrote to memory of 2688	2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
PID 2688 wrote to memory of 2508	2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2688 wrote to memory of 2508	2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2688 wrote to memory of 2508	2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2688 wrote to memory of 2508	2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2688 wrote to memory of 2628	2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2688 wrote to memory of 2628	2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2688 wrote to memory of 2628	2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2688 wrote to memory of 2628	2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2508 wrote to memory of 2660	2508	iexplore.exe	IEXPLORE.EXE
PID 2508 wrote to memory of 2660	2508	iexplore.exe	IEXPLORE.EXE
PID 2508 wrote to memory of 2660	2508	iexplore.exe	IEXPLORE.EXE
PID 2508 wrote to memory of 2660	2508	iexplore.exe	IEXPLORE.EXE
PID 2628 wrote to memory of 2392	2628	iexplore.exe	IEXPLORE.EXE
PID 2628 wrote to memory of 2392	2628	iexplore.exe	IEXPLORE.EXE
PID 2628 wrote to memory of 2392	2628	iexplore.exe	IEXPLORE.EXE
PID 2628 wrote to memory of 2392	2628	iexplore.exe	IEXPLORE.EXE
PID 2240 wrote to memory of 3064	2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	aria2c.exe
PID 2240 wrote to memory of 3064	2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	aria2c.exe
PID 2240 wrote to memory of 3064	2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	aria2c.exe
PID 2240 wrote to memory of 3064	2240	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	aria2c.exe

C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
"C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2660

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe
"C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe" --conf-path=C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf #--save-session=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --input-file=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Roaming/datatemp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Roaming/datatemp/dht6.dat --bt-external-ip= --stop-with-process=2240
2⤵
- Executes dropped EXE
PID:3064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
27859e95f1b636f9c99604d5a9ed2c29

SHA1
a668969470c7e549bfb0dcab585a109844f76ab9

SHA256
2c91a13d7f80b0afee87e334d1ac0f28ddb1a4231a3f99959a561c65124d15e4

SHA512
6d14131999ed22257fc17f8d4922e1849ecc3abb1bf50843ca3803503cd13c3c5ee2f82c145b806f9a7be10081d75463adbbdb04b59b1c7504ef50124607661e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a806caa2c60d2935aec612860b55e0a6

SHA1
8e83ec59cf495197fca3aa02566158cd597b1772

SHA256
170d743d234c3ecf3717288a1589f0edef72ebbe1ab4820266a7dcb0506d2bec

SHA512
68d14c113e14c287180969644f1f0842021aebbbe8f8d6f6e0891dd25ad1edc8a8914aedf78169bbfc6bdad469df8f67f911de8d409081fa1cef3e75fdf8b5da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
15b9990c92e86729d673b53695e35a7e

SHA1
40a5d95b436e2788f1bca711fd3bb31fa58f8c2c

SHA256
a491cec7e72c82dc571ab1bc819dc6768db0f0108ca4c28c8c83716e0b15719f

SHA512
168808e390bd9b0701898dcb752b36e26744d2385bef7c9c00557095902f620cdbcbe0cf2c211a78c55a903f98e7608c00db519834b086b140face58ad2450f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1a6e1c6ef78465c344652c5c3542aa30

SHA1
89bbcfc2342409c72bdc0f4d64398f0870524870

SHA256
af29aa808a554e2f94d37148003abcb40763d7c6d0f1121dbbfb647f5bf62e46

SHA512
f9e314260266dc27373a68f2f8613c34aeaa08a6b9b7b8e7f818135f1003e0665d3b956ee9e7bbabfbe821079156cdc77342e78a488ce9df426dd05298c4abbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4521a7f7bbd45800915aae9990adaec8

SHA1
316b2b98ddc974f5017ab6103a5eb27651ae58ba

SHA256
cb33667dd04f6dd7c56c031d9b7b4c533bb0441ddd0b4cbeb97be5131c8b3c45

SHA512
a363d2af0a1d150a7f4604004ee7ec10b081d1ea177c5b25a128099d165a497dfe339e510369a1e1c82a7094f0fcc918d7dfecec7c00c03a8dc0319984d3a3bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
58ff6533a36cf05543e8fcf0d402c40b

SHA1
ab448bfcdab91253fc0b8f08be9d2f18fce2ad3a

SHA256
9645d96e63890cb80cd66d4e76372dd98eeaca628ea6d91f75006c08af434fc9

SHA512
46e88136c41a90c9f963d50b272c6e49fbba5205d26e7ed7b8d5fe64a0460ba4728076f20669a475ca9e66731a4f713d7f16b7394d4a5ceb0035021b3c917bae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ab5fe98c8dd7a222d47ce112cb8172e7

SHA1
faec3a480928c2b2fe57dc6c374bd8247c14ad1e

SHA256
255ce2dcae8637bea1fe75c0d7b2685a35c48b97c1c1110070cf46732816ba91

SHA512
46761d80559bdcbce360182199c274ea09122d3ea4f379a32f444428e7fa721a226f79152c71ea0f2de59b90f31110224453257a1c15a000810b6e4a70c09be7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6462fda45242f09d29e856009226379d

SHA1
5683995970917906fff61c91e715005f7c80f2ae

SHA256
8454e0188cc53e995b3f74050eb26f8cd2c004a2865dadf080ba279c4762bc10

SHA512
89ff32aa626f7a6c7a784061c3ea8fae666a318dc650e9fec88061646bcf482f3506bcd36a9a09edd383587a7ae0b7076f57004e9c6238b263a38c0428f3918a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
42ed69d1e2220d53ecbb369f3010f4ef

SHA1
2a366c7c662f7b177e647a09d694d7441a1877d2

SHA256
c660855a1a70986464b9b9dfa530ea28c4f79177e1b666612a2709f8b042cd61

SHA512
8a785ef5300978b8551783dc79900aa5a89ea760aa70d13ddcbc9d19809e9023040c55e7c42e442fe50d2cd40cb26e2546bbd9b231d185c058cbafa74b8e82b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9af351d4e90ce81e6bafc5c8bc360958

SHA1
6125010283eee77afa0157d7c56d7d1d83f5d364

SHA256
bab1ef2f67c3f01b6b709ee06e9b9008e6866a2f254ea3e632388d29ba6ca964

SHA512
2b1a042efaec53fdabc4979b172b77b6e82681e8a9ea9fc235e2135b1dc03cfeccdffad1d71221d2a5d9f1ba570369cfb0a4c0c1dd39c58cb3949ca5fe98698d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c007e595a93c5a5e5682b2b5eb7561b7

SHA1
9b3d1bda2ef60ed4bca426095effd94d00a8602b

SHA256
55d09d0e704b986e40e4a1106f1e52eace4d63ed0f0c1c573851a460f9b2adf9

SHA512
705e27dea2bc49ecf4ec952bda7fb9cc8f084f736b850ba0d1c4d70745488246393c523288b02784f6a0d02929522dfb43b380abb79fc2afb9c39d01b2d3d347

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
fedaef14130ea6fe68c795b9e801cd2b

SHA1
ae043aba06810094cfcc32956306e8506b7e41dc

SHA256
f1e5f307b28ab0c804686115372feacfddddac8244cbc7935efb1c2d767197f9

SHA512
a60cf840f0a2e19d756b3a9629427f94eadfafb1ef5dea31bb526acceacd45ffcaac22f4e43d5fd9bb6f920284a56ad3b42e220465a3e8558201d1dcf38b2734

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
94cf7ad0bf3e8b77cd5ba0a0dae6060a

SHA1
a9efc82a26468266f7f88886a2cfe11e3e42eeac

SHA256
20dfce898fb63f3606c5cc72ad8f84d06f3f29b46ccd0f70ae510508fe68735a

SHA512
8e95817b1561889d1747d6f2a3841cf25a7cb61d0dd56fc78141ea5d1260c2f8bdb0e13033f04be2b38a79c916851aa2da324fbe8a84ba47c1fa41b9a74f481b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e0ad91b08f99f56837072f8aa9a47890

SHA1
89e0a99ba9e53ffa70442378e4f28333a822ad7c

SHA256
580beb235de976d42c9e81e25703da32998d5677d6e78b01e08b9f4a60a9aa87

SHA512
c6f139ada943fdfe116ae4c19a2f9e44dd9879f60c808cbab1585a0c987305576946eca5f2aa40279801ad4b1dc1c3ea51f6e54b327b71ce1e651671edcf0704

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f27fa8fad6b76f8676aa906aa18bbf0f

SHA1
e76cc3288b8049b3081362e09aa5f536bdb74ce0

SHA256
108212dd24270c30c671c8a4eeafdc19e049ec4f526216b10b7a77e21d56efc1

SHA512
10296bf0b1cf7684185eab75909f5b1d5001ca224d2cded7a0af46ab320e3331151d436fa26b54036d9fbb0225ded729c0ee22b76edd430eeda9c7c392dde0f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b03bf5800df225aad94e424642a2deaf

SHA1
469de607a634d74d0e40ef618728ab08eccb9a3e

SHA256
56ae959770475375b7cc8853db347e612e91df28f281abfd5ba5e3f7886518b2

SHA512
b20f2884a32ab53fc81e6738aa08aa3989d0b735b5bc24d99acd632fba26b7b96a7361a02d6d6721bcd9d686b8e8a79bfff9aff228a8949b85dac457cac39e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5b93a76d54885f202f4be9925bbf4066

SHA1
8ba8ae3c6a4b93c898323ede9992a686aa76f6b4

SHA256
40870aea6da47b24cc2fbe64c159f3b731e58f765845d0cc7a1bd5d5d79e8c02

SHA512
f67c2153456e928f7bc8a5459023a9d127264c8e4da55b4da74b1f1fc0dd0ca37bcff3c5f12c3628bb641f69b79b0f20ef453968e27ccbc40d84f8c2cbdeee00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d3348a95fa193f81c9e4b90b2c13a760

SHA1
bbe7a886f78f2084220256031eaa21fca8e9b4f8

SHA256
22b35748d5dcc743e2c803cb7a378088654d4fadefbae696c81a14b5b2352f5c

SHA512
6fc03297c977aab559ef3d6791b36716407315c6fa366d481e37721c180a6c0a3a0f1392b6f029e0993ef6f1733ceca3d6cda4cee19475dabc61a7dbca5e23d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f61418acdfd9a303b075bf8a5ea3d547

SHA1
f45f4e57fa76507b24234839d0e4dbb265f4bae2

SHA256
70a6e4355ff5811cab3e86a93d3d9f945f3771ba6bb9ad830aef9f0e9bf45e48

SHA512
e84eba8a6c8f4798111a49b4dcf39fe2a51301fb3b29f6d122e51dd5c91729717eee57d6e55a52d70d29e0f8716a57a51b63805e58af8d3dff51ffacb637f077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5C433331-1998-11EF-8745-52ADCDCA366E}.dat
Filesize
5KB

MD5
04c5615525f06c7fb14d669d68c0182b

SHA1
d67adc6a9a27bd40081e66c553d57f976aaa1694

SHA256
49b7d86d0f354c9d0ff0f1cb30d4e79eef6324ac8574c5f20cecd59a743f3a38

SHA512
78ec193e524bcb7150003b4bdbc42380f835006fc08deb26169d3f44cd3b6a66b6ff221e6b625f8ee709390bcbfa199ee3b2cfefdd232135a379eea8a6e1b8bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5C435A41-1998-11EF-8745-52ADCDCA366E}.dat
Filesize
4KB

MD5
69a024bfbae486c76deb0c364b18faf0

SHA1
165fa775d6ab254d7ad57d840e36ca2676dacd35

SHA256
d2d6146737e0f8232cdc48ca3159457b3900bc73772546e9cb2db4059da349e3

SHA512
4aa5710dffb220f9e7c33e90f0093c6c1aca04fef2137d76c9b2af2df2859cfd977b47c1d3a75eabd523dcbe3f2ace76302b6882d39be052c9e00da607e820f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
Filesize
105KB

MD5
dfb5daabb95dcfad1a5faf9ab1437076

SHA1
4a199569a9b52911bee7fb19ab80570cc5ff9ed1

SHA256
54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

SHA512
5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3239.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar332B.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf
Filesize
55KB

MD5
4a1b71ede6ff12456038f6a26e356a42

SHA1
16af6552ebbeb0300d1451715add745e840ff993

SHA256
0ee9c9e686a595f86d25854bca6e92e8bfd51437a28306b4eaebf736156cc7ee

SHA512
bea15214c76083c86f4104e569bb93ba7000e4e555382b6cc97e0c9bdb6b4de72f50b8458d4c3420e073edefe4f40b7eea580000001d089fd5c78e303fbd8501

Download Submit
C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe
Filesize
4.8MB

MD5
a5c047f169471bd325552c255d6c04af

SHA1
e313cff2f3d668ec5d0e90920bd622b0f38aed9d

SHA256
cec8bb942475690363c1558fdf55e3cf59f29607967a822a626d4976a348334a

SHA512
6cf929d36ea0c95815d3218a3b11f0c8f539a6113c368642a70d41379145ba7ace9aed1e5b78836a4cd2ca861d9bcd10fea3e7fc126adb85822ed4cf4f762f0d

Download Submit
\Users\Admin\AppData\Roaming\datatemp\libcurl.dll
Filesize
2.5MB

MD5
298f5812023bab65ee23d13ee9489a6e

SHA1
71e9d7f205e5e7af6907c539c77a3aeea971692f

SHA256
fe100d35b034c15ae3b74379f4eedd321c8e4b84fe666b54ee924ca2a8bdca6e

SHA512
217258fb7728f61199f913fb98c894077c12a124e1596d1c6c7cfc065d4d2a6e1e03ad950c3321e2a8dcd997fb5c9524f98530db4bcb39f9914ecb5ff0e22dbd

Download Submit
memory/2240-11-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2240-519-0x0000000000400000-0x0000000000E92000-memory.dmp

Filesize
10.6MB

Download
memory/2240-510-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2240-10-0x0000000000400000-0x0000000000E92000-memory.dmp

Filesize
10.6MB

Download
memory/2240-14-0x0000000000250000-0x00000000002AB000-memory.dmp

Filesize
364KB

Download
memory/2688-8-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2688-9-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2688-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2688-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2688-35-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3064-520-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/3064-518-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download

pid	process
2688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
3064	aria2c.exe