ramnit | 9de0a3071db484166d4a3e0ff0bd18759df5834e78af09d5b95b4b057df5daed

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dc815e9a4b9a34b45c2085e6036d54e_JaffaCakes118.html
Size

351KB
MD5

6dc815e9a4b9a34b45c2085e6036d54e
SHA1

0a95636dd5072fde5d14e194692c46eee747b913
SHA256

9de0a3071db484166d4a3e0ff0bd18759df5834e78af09d5b95b4b057df5daed
SHA512

0db654af043c073b67e58f1dafe4ccb48d09ba1162d4c4dfeff4d171ff7156dac6bb17f2888bf564c3ac52a4cf5935a9fdbdb06811d135f747b0e282069b428e
SSDEEP

6144:STtp+Pn1qRZ7P4K97RLNLxsMYod+X3oI+YRGDe1sMYod+X3oI+YRGDev:0v+Pn1qRZ7P4K97RLNL95d+X3vGDG5d2

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

svchost.exesvchost.exesvchost.exeDesktopLayer.exe

pid process

3008 svchost.exe
2420 svchost.exe
1728 svchost.exe
1508 DesktopLayer.exe
Loads dropped DLL 4 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEsvchost.exe

pid process

2172 IEXPLORE.EXE
2600 IEXPLORE.EXE
2600 IEXPLORE.EXE
1728 svchost.exe

pid	process
2172	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
1728	svchost.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/3008-6-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/3008-11-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2420-461-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/1508-462-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/1508-465-0x0000000000400000-0x0000000000436000-memory.dmp	upx
behavioral1/memory/2420-450-0x0000000000400000-0x0000000000436000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

Processes:

svchost.exesvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px5E08.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxB8D4.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5E08.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ddd852aeadda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000a77288dd9a4ab4336efb867bfed572568a4a7b0372c1685cee788103d97b9ccb000000000e800000000200002000000002530c8e3938ca413708495bf32574ddadebe1f045ab78533b693f6ffa4ff371900000008248263067cf6df72152875c1971165b4ce77db06e09dd8a71c54d853b22ae9060433c315aa1521c290bbdfa7b32cc28700f53b18b1d8878dfcd6a6824e4b9fc4cee55a1d1846f77c8c9fa59e073346c5c26786e277fef77ccff07d39d28c0b0c9007f439d22652f44c0ad5f43a2cc3a2b87eeab471ab4b598e6372678becca7d274e13227e28a9a44195094feee3ed54000000039d61dbaff46846bd7dea3b1bd743582c86a2f9a007bd09a737fc9e56277e15c8d51992301b1455d77ad1036528c65153d977aad6baca38b2a50145d9f5215b9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422698470"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4BC46D41-19A1-11EF-8189-4637C9E50E53} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a23000000000200000000001066000000010000200000000f960e363b434beea17325c77d703fd25bba99e4ac9ec90a2cd6c7a3461e3bc3000000000e80000000020000200000001368210cf60262baeb2027be1b4a289fa511f5562dc410de8741fc595af8a3ad200000003f971c04af17143f1f005abe0dc2d4e1a8bb5625db4f382d8c718ba5a3dee61d40000000a2f30d7a011e3795c1aaa8bf39e3f6c92ec83115b620dc7b16a3c686c339ce29bbb8c914433f14b1d66343d11c52cb22e8347eae7c0f186396a1208ce091b992	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

svchost.exeiexplore.exesvchost.exeDesktopLayer.exe

pid process

3008 svchost.exe
1680 iexplore.exe
2420 svchost.exe
2420 svchost.exe
2420 svchost.exe
1508 DesktopLayer.exe
1508 DesktopLayer.exe
1508 DesktopLayer.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

svchost.exesvchost.exeDesktopLayer.exe

pid	process
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
3008	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
2420	svchost.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe
1508	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

svchost.exesvchost.exeDesktopLayer.exe

description pid process

Token: SeDebugPrivilege 3008 svchost.exe
Token: SeDebugPrivilege 2420 svchost.exe
Token: SeDebugPrivilege 1508 DesktopLayer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1680 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	3008	svchost.exe
Token: SeDebugPrivilege	2420	svchost.exe
Token: SeDebugPrivilege	1508	DesktopLayer.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
1680	iexplore.exe
1680	iexplore.exe
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exe

description	pid	process	target process
PID 1680 wrote to memory of 2172	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 2172	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 2172	1680	iexplore.exe	IEXPLORE.EXE
PID 1680 wrote to memory of 2172	1680	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 3008	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 3008	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 3008	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 3008	2172	IEXPLORE.EXE	svchost.exe
PID 3008 wrote to memory of 384	3008	svchost.exe	wininit.exe
PID 3008 wrote to memory of 384	3008	svchost.exe	wininit.exe
PID 3008 wrote to memory of 384	3008	svchost.exe	wininit.exe
PID 3008 wrote to memory of 384	3008	svchost.exe	wininit.exe
PID 3008 wrote to memory of 384	3008	svchost.exe	wininit.exe
PID 3008 wrote to memory of 384	3008	svchost.exe	wininit.exe
PID 3008 wrote to memory of 384	3008	svchost.exe	wininit.exe
PID 3008 wrote to memory of 392	3008	svchost.exe	csrss.exe
PID 3008 wrote to memory of 392	3008	svchost.exe	csrss.exe
PID 3008 wrote to memory of 392	3008	svchost.exe	csrss.exe
PID 3008 wrote to memory of 392	3008	svchost.exe	csrss.exe
PID 3008 wrote to memory of 392	3008	svchost.exe	csrss.exe
PID 3008 wrote to memory of 392	3008	svchost.exe	csrss.exe
PID 3008 wrote to memory of 392	3008	svchost.exe	csrss.exe
PID 3008 wrote to memory of 432	3008	svchost.exe	winlogon.exe
PID 3008 wrote to memory of 432	3008	svchost.exe	winlogon.exe
PID 3008 wrote to memory of 432	3008	svchost.exe	winlogon.exe
PID 3008 wrote to memory of 432	3008	svchost.exe	winlogon.exe
PID 3008 wrote to memory of 432	3008	svchost.exe	winlogon.exe
PID 3008 wrote to memory of 432	3008	svchost.exe	winlogon.exe
PID 3008 wrote to memory of 432	3008	svchost.exe	winlogon.exe
PID 3008 wrote to memory of 476	3008	svchost.exe	services.exe
PID 3008 wrote to memory of 476	3008	svchost.exe	services.exe
PID 3008 wrote to memory of 476	3008	svchost.exe	services.exe
PID 3008 wrote to memory of 476	3008	svchost.exe	services.exe
PID 3008 wrote to memory of 476	3008	svchost.exe	services.exe
PID 3008 wrote to memory of 476	3008	svchost.exe	services.exe
PID 3008 wrote to memory of 476	3008	svchost.exe	services.exe
PID 3008 wrote to memory of 492	3008	svchost.exe	lsass.exe
PID 3008 wrote to memory of 492	3008	svchost.exe	lsass.exe
PID 3008 wrote to memory of 492	3008	svchost.exe	lsass.exe
PID 3008 wrote to memory of 492	3008	svchost.exe	lsass.exe
PID 3008 wrote to memory of 492	3008	svchost.exe	lsass.exe
PID 3008 wrote to memory of 492	3008	svchost.exe	lsass.exe
PID 3008 wrote to memory of 492	3008	svchost.exe	lsass.exe
PID 3008 wrote to memory of 500	3008	svchost.exe	lsm.exe
PID 3008 wrote to memory of 500	3008	svchost.exe	lsm.exe
PID 3008 wrote to memory of 500	3008	svchost.exe	lsm.exe
PID 3008 wrote to memory of 500	3008	svchost.exe	lsm.exe
PID 3008 wrote to memory of 500	3008	svchost.exe	lsm.exe
PID 3008 wrote to memory of 500	3008	svchost.exe	lsm.exe
PID 3008 wrote to memory of 500	3008	svchost.exe	lsm.exe
PID 3008 wrote to memory of 592	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 592	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 592	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 592	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 592	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 592	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 592	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 672	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 672	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 672	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 672	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 672	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 672	3008	svchost.exe	svchost.exe
PID 3008 wrote to memory of 672	3008	svchost.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:476
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:592
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:304
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2980
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:672
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:732
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:808
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1172
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:836
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:964
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:112
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:348
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1072
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1112
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2364
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:2392
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:492
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\6dc815e9a4b9a34b45c2085e6036d54e_JaffaCakes118.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3008
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:340994 /prefetch:2
    3⤵
    - Loads dropped DLL
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:1728
    - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275468 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e9d37c793437febda4bf413ed2dcac76

SHA1
654f368274a9274e0b8f8e2a4651f7c4a4c392dd

SHA256
f577dc57378880515a8e86f7c6cba8ae8010e9d4a45ed5dda574498bad4b1b00

SHA512
f3377f95a5be4811f4f0910e088a233fd2e43467035dc9ca098a2a1bf86ffc88647d61c90a78268a98854b992a923593eb55a883fb4a74a540eef852de0288b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2093d51a48dcc7df86c3a5fe02ce5228

SHA1
2e79341f5526770720c3af5718cf8a21efd0afb8

SHA256
b083c607eb3fcc836f5cd61347503cdac3dd25a53666f41eabcb5ae5f54bdc0d

SHA512
543f1a28f4fca3e1910523c0f3d4846aedb29fd6294d0a7e3af8bceec1587cc26737e32bd7d16f5551888308246e0c83e94db75ff608054980164e8dfa465f21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37e3b099e5d498c4c0195c27059da6b9

SHA1
ffc7f51251525ff4307f7936886ecae7553f6a76

SHA256
e4c72f16f8ffe785417864eddad0a0f8aeb061672f675f6d08b94945a94efcae

SHA512
a747063e86d969d3faf8dabdb048bc02da16f92faf008c2a0679dab8aaac0edf1d896562029a71b6ab28219a270921148828235a14244371e148facf7ec79e1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fafcf7bf1a93814830f75f7bce4043b3

SHA1
7f7e853c15ba3d6e8f579db4ae966b78fdcef817

SHA256
b0bb84aa93592a6cc5f3f3ae88ae8d6dedaaec23e734ae3e8d5355fa75a15ddf

SHA512
f1efbe77ccde1e483e42de6b4dd8004ff41119958aa852ded2aecec4bc10aaa33d279f6aa3e9a906e4650aa79f4188318532a5e74dbeb8dd558c9362a0ae9eff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10ef04740807cd45347d6be2465da0b4

SHA1
9968087099da3414e49daf56e3874c1828a2b67e

SHA256
312e7f3d9a2d9e78b5cd09e1f5c74b98c32998466f0ed5008941c292d534c83f

SHA512
e98acf40c27430b254b30945c8bb6d1b22d539aba193a96576cbb84ad5f752876f8cea4842f22554ba00fff852e1bb0e3d1e7b2385b596dfabfb5c6641b7ed76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
059d8077f696c833ffd8e0dce5abb824

SHA1
ae44806bec17123b7cde9b582b8dd39a00b86098

SHA256
c09a78ce918ce04551ba740227aafa0011ea73b0998f647b7d193dba15ea79ee

SHA512
bcf9c781dcebf6a54a637c6056768a333bf24c9b9919533326788b10b64d4aed5d53831c61a291b62bdef73614a30a18c273847689323290ec6118d53a0c4f5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f0b86d8c42cfdd1d570807ef28105dc

SHA1
2b1d03ef8141441e46b13098ce22453fb93024ae

SHA256
e939627db328abba982b528ad9cc943062ba86ef125766a679e8d1f060fe22d6

SHA512
e22b95400c802e3fcc95d9da3a47880c9e26d480b26ee5e22c1a09d532328f08d3ac58052aaddfbdfd2b14ebf057eeeb42557da73977e73f2e5298140c7753fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
216a094b7cd62fa45af5fce1c37a9cb9

SHA1
2f29a3326a25d267f61b996dcbcd177199b71cf5

SHA256
435ac080c1a5bd8671cb87d09ad8cf6fdb286a08e2992285ff7218edd17e7435

SHA512
322aaf7a0db95f41bfb69a91b0c7fcd7da3bcf003c8df9aef1df8886a6edeb0c87748a65f8b23f9f364f3ce90ad534cca703bb66e1e5cc6558701fe50a55d5bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2abe7f76960114b8f631f9cc44b42cc

SHA1
407dd3fed657b731362f63f86a79d6111474908b

SHA256
60bfc1b1478cc04fe89d870cf6c4baf100b5032f62dd761ed1c39554e2ab95fb

SHA512
42db5f68f36f28799bbdb93910bed1f2bba8bb91825a1ed2b0d114639bda4a1bb910a0c1b7966187950d93772083945977b1afdbbc543ad8ad3253aa39ad605f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30f7e815853778ebddb00e5937d00087

SHA1
e0210bf327e05776e436564f160cfd091868f654

SHA256
37657c88d412df42db0d4a7b20c4deb3a8512fcd72b5dc5693555b0adbf85d7d

SHA512
bfce257a7d66e9ee5dcec88ff31485d9843c0de87079f7505e20611b7470f028d11aae9d848fd1e84846b0afacf8f7c1112208d0407e2b272dfced4950dab71b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
329102bb057a8a193680999d5b93d538

SHA1
fbc4b57cab424d52df2b52f535a9da3f046a3d5d

SHA256
019baf4245fede01f53190b55be96c08982c23232271a8f93c08f4c1c9bcc7be

SHA512
87f5c1f52335312a767fea8fde8f3d49b4c2718bd634b743fbd999f6eb54fd1b08a5804818c092793ad562e63ea0e7aecd7570befa9de5ec07f8e9edfc81d46c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45842e6d557360b00a24c950e70db3b5

SHA1
461c67f5fd2d79a9b1c23726b042f628516798e9

SHA256
954b270289ca3eddeb3a790836cd7d1247acd481697ecdb968e2006458826233

SHA512
a79d89adecccd4105bbf73a18f4ec0e4f9212bc2f194b752324627f45ec4c3c90b9d4c554f50d6397fd43e1a6cac0c7ea58ef56df66b6d571e3848cd672cf296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
874df968a75cbb22223aaf5119dfe8cd

SHA1
17d3e5f8644ed6e1be497c93ae7e573837054d17

SHA256
d0f9ce13bfdd170066ff32792828e1a8be2f88bfe99e80ade4b9070006bd7adf

SHA512
25ce38d92dd7c915467f6976b9b5189c649e979f965d5d4b62d9e1d61b9a981fa3ac0c69d334a7503d86c94da245918c7956badceb5e72b1311d3a1aebf6b485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2a15a4dc289a815db73dcf668479ba0

SHA1
20b4ef4623d2d04b74acf78db185581636e27bce

SHA256
c1c374122a4f21ce7a468eae4dabaf6e269434cbe8e451b4d546d2f07a5a46ce

SHA512
feed1e47d25199af3102dc9520d6cf8a60f659b44f6aaaefdea6807edcc5f22d14c7d11256bca64c0c705ba082c024adcc9214faaa72b69748ac7765e14e5eba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e703a1669e94748c8da5a7d0df8a426

SHA1
f6d6a9c266ac4e7bb0e271f5563607f084b1d8fb

SHA256
8b7f58a63d913700d00c8ccea85b56a884b93054cca96b3a8fcfb05b063c3ce9

SHA512
997546a18c7f8bf65f73d1fff965d17491bb7bb50e82c97668cbd0bff2891eac3fbf1b2f33dbb21e0f9aa2ca057d7898a758c319bf3ca986ef682342940e0029

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
342ea87929a45a349e7f407267cd86c5

SHA1
8023d71fa3ab83e51d9015e23f791448ac60ce36

SHA256
4dc70db08ea249ed705de07c5d4ed2bb3496255b0e27660fc94bcd74853b701f

SHA512
cdcb03b71c75a8afee7e328bff2acc91543d2e10cf1a8a452282f9b8a135b05c3d647ea1fa50dd97edd100b86cfcde31ab1429a9f1a86a3f14d512566adb9315

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36af0ac606567ff51dad59c6d5af545d

SHA1
2b624d7e32b9942d21d09a8600578487487f56b5

SHA256
a59497736c9d90de52d0f56ab48f45009252125b8414c5c0bfedf564260988b5

SHA512
27e005536d2f6ba2110180e4327ce423a722037111076a364ca2e9a05e8ff1827a0816387a23e7bcc4790b18e03ee70b49bd21dcf270eff83fa65aab40d6a2f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc67cf6981db31a8ff56d509c89c801b

SHA1
b47810e28ebd71af236e22f641e6d8b46e5d26ca

SHA256
6c0f72a80e7395dde54720091624967d99133191f6a8aa17b9f4645cd790212b

SHA512
4f4ca9ed6438605f2aab4ffbac2dd8e0dacd1be1a66b765c1b8b173cf98940d7ed252a8c25fd8ae8ad7c04089c5ef019b70d61fa5fa52d099be3b53ccdd0dc4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
323b8fb031d76765144a086907a57c5d

SHA1
666911b1c4b18e5f396851b349daf2d9d9385ec2

SHA256
5cc9dda7a45268f4020fa3e9790e89647c1636fecd77dca643b882db75573cc8

SHA512
4c48a9f02e0b7bb294035e9e630646b3aeceb71c754ab5cd92606cd106b63469801b44acd4301d060d99cb3f11b89b6fd4788c72bd51c3de9760a0d107b62c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1048.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1099.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
84KB

MD5
03451dfbff127a5643a1ed613796621d

SHA1
b385005e32bae7c53277783681b3b3e1ac908ec7

SHA256
60c6c49b3a025dbf26a1f4540921908a7ea88367ffc3258caab780b74a09d4fb

SHA512
db7d026781943404b59a3d766cd4c63e0fa3b2abd417c0b283c7bcd9909a8dad75501bd5a5ff8d0f8e5aa803931fc19c66dcaf7f1a5450966511bdaa75df8a89

Download Submit
memory/1508-462-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1508-465-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1508-463-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1728-457-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/2420-450-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2420-458-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2420-461-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3008-6-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3008-10-0x0000000000290000-0x000000000029F000-memory.dmp

Filesize
60KB

Download
memory/3008-9-0x0000000077AB0000-0x0000000077AB1000-memory.dmp

Filesize
4KB

Download
memory/3008-8-0x0000000077AAF000-0x0000000077AB0000-memory.dmp

Filesize
4KB

Download
memory/3008-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download