ramnit | 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
Size

10.3MB
MD5

e3abe904593a215b4dae43cdfd2b0d7e
SHA1

a24443eb26a99aed2cabb5285789dea8e51eb235
SHA256

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee
SHA512

0640b99cb3996685415fa5673ca087e32d598a8e66f0f87d84497e739730681e1a52811a8a72b7f98718ee55fbb72b2dd6c1b41dce5fb726f8ddd67d60dda617
SSDEEP

196608:46F/8qYqsBmiFm4CTqfG+vTiwnDmNQkJM8uDIYnKO37w7:TF/8qD4F3e+biSDcQwM8uDuN

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exearia2c.exe

pid process

2124 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
1612 aria2c.exe

Loads dropped DLL 4 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

pid	process
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	upx
behavioral1/memory/2124-12-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2124-14-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/2124-36-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 52 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{477CB561-19BC-11EF-8E44-4635F953E0C8} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422710059"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{477CDC71-19BC-11EF-8E44-4635F953E0C8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

pid	process
2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

description pid process

Token: SeDebugPrivilege 2124 4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

description	pid	process
Token: SeDebugPrivilege	2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

iexplore.exeiexplore.exe4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

pid	process
2848	iexplore.exe
1872	iexplore.exe
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

pid	process
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
2848	iexplore.exe
2848	iexplore.exe
1872	iexplore.exe
1872	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 1688 wrote to memory of 2124	1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
PID 1688 wrote to memory of 2124	1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
PID 1688 wrote to memory of 2124	1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
PID 1688 wrote to memory of 2124	1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
PID 2124 wrote to memory of 1872	2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2124 wrote to memory of 1872	2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2124 wrote to memory of 1872	2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2124 wrote to memory of 1872	2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2124 wrote to memory of 2848	2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2124 wrote to memory of 2848	2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2124 wrote to memory of 2848	2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2124 wrote to memory of 2848	2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe	iexplore.exe
PID 2848 wrote to memory of 2652	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2652	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2652	2848	iexplore.exe	IEXPLORE.EXE
PID 2848 wrote to memory of 2652	2848	iexplore.exe	IEXPLORE.EXE
PID 1872 wrote to memory of 3064	1872	iexplore.exe	IEXPLORE.EXE
PID 1872 wrote to memory of 3064	1872	iexplore.exe	IEXPLORE.EXE
PID 1872 wrote to memory of 3064	1872	iexplore.exe	IEXPLORE.EXE
PID 1872 wrote to memory of 3064	1872	iexplore.exe	IEXPLORE.EXE
PID 1688 wrote to memory of 1612	1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	aria2c.exe
PID 1688 wrote to memory of 1612	1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	aria2c.exe
PID 1688 wrote to memory of 1612	1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	aria2c.exe
PID 1688 wrote to memory of 1612	1688	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe	aria2c.exe

C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe
"C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daee.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1872 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3064

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe
"C:\Users\Admin\AppData\Roaming\datatemp\aria2c.exe" --conf-path=C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf #--save-session=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --input-file=C:\Users\Admin\AppData\Roaming\datatemp\aria2.session --rpc-listen-port=7022 --listen-port=7055 --dht-listen-port=7033 --enable-rpc=true --rpc-allow-origin-all=true --disable-ipv6=false --rpc-secret=123 --enable-dht=true --enable-dht6=true --dht-file-path=C:/Users/Admin/AppData/Roaming/datatemp/dht.dat --dht-file-path6=C:/Users/Admin/AppData/Roaming/datatemp/dht6.dat --bt-external-ip= --stop-with-process=1688
2⤵
- Executes dropped EXE
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b440a869da7766c45a7b038695415a3e

SHA1
fc22d5a35af6d2a39cc3298163ff2a2f459d91f5

SHA256
0b506b0e8c93fcc135b3937423ea1a57b5c23402c7c58d56f3efe6753ee141f5

SHA512
732a31f0f04e8ad53474ef427cf10f7de745b5a681da7e91642e8d2f82cbc88da0201734ca1e87f55617f8e79f2dff42868473ced0517fc67d6832b898d3b258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
dcbecb365b3d6914a78580364954614c

SHA1
ce34a73078d98aff5525c98a3d4e76fc3e98442e

SHA256
85692d8d2286e27a0b20bf601b6e68121231323dd8ebdb0ac472f9977d62385e

SHA512
d6b0ad4ec9093e108a9c13e5ce505350e3fa8dc2a83ff67d0bcb0dcae7f681088a956a43334250ba2832e649de9cf95ed8846b682902f0615d93e309f6198d37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
93857a5c6b626cd975dce2e2ac8740c7

SHA1
c7147140ed2ea93b94833b8923213db707de71bb

SHA256
7b7310caaf04beee28dfff21b5e62c1710e9c0532e451a628b1d44da7acc7493

SHA512
50d6d45734c7d3c3cd46bd4d946b616c0e2cc4d131bde0d8f52da469aa93b488c3a6ddd1843cf1289748eb40debc1f5d88485a33689d37c0ce32e6c08c8bc096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c43d2f3ce9a3717ed50b5da90c2622d5

SHA1
bec5428e7e096bdb3a031a565f2a7ca984dfbc7b

SHA256
7ec1304235c5e57a2aac61f41825608bf46e1d907a52f891ef9cf94c997bac8f

SHA512
6283bfc0098112db6e5347c1dcf4f52132ae77c35007f98279b839ee7351473f25309a9726791882ba1dc3380c1b403de065c040035c05d9dcb07110f06f8e0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8c2ef9c5f12561feee8310ba9bdf00d7

SHA1
833f00af81fac97dbeb840e107352fe7fb745c3a

SHA256
eb381c7528351fdc79d270c50429a03349812de6bcb4859ce505ad8fffdb8d74

SHA512
824612c7c6535cf97a842c9f93f563cfdc53ad26f89ae13454d717d0154e504fb184a5b6cdf6e1ec71957b07b8a0d91609ef775a0b650408607865cbadef3b7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a1a9dab775f75a5d01750949e08ffe2d

SHA1
267eab91180f0c2ca1f10f6166b9c83a7fc4916d

SHA256
d5081ed5d795f0ffd93a47abbe6032a1d666167449cd8ca8beee53e8303acd2a

SHA512
22739cebbdd53b092c33a78aa8ae00db96f6b55ddde7cbf42cc78ffd9a39ddd6f420c16b006544a989947b0ce0f52ada37ae06c5be4777a48e9e5a174219f2b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ce3bf1f70fc2d9dcd4b97e2786a2cbf9

SHA1
3c2b81316efe95496328815af61f5273f4b859bf

SHA256
b93fe4b0b019650885413c936bbc1e8fc19550f1b1827be58d5b6fb490b2b7cb

SHA512
9d2881e668c98f1371b4ef9f2f7089e6491e12bdb8cf971b4b31efb7f3bd763887e15c90fd3f669f813c147b8ceaffb23c3e13a2f563b586173a9c3707905a11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
37789ddd1538f6ae8dfc9a899934f9ba

SHA1
4c631847df1646e8dbf81766c123f679135e8ce7

SHA256
9af8180d49f3ab28151a942a85d65555e846ce28d41b521787c113a3e2e55827

SHA512
e9cf9e0586f9238249d5e739cd7a481f19e85135dad1a596ccc631cdf97d202fc41a1821141c619689e83fb16ba53396c227a7bb3f07a4fcf0383152919a8a3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e53bdefb0857a236e3bb8c262a5c8297

SHA1
fdefa8f4235bcd6e74c3dad4ac4886d2b0ffc961

SHA256
68d7cff449d21101ba0d861722cee21cd64c937f52c78d1d45b8f4a62d609ec5

SHA512
9db84d9fd9751908c8abfd40b1d77632ec21bda36dcc811d8718c03fd1a68b407f698c584708c60bb8df9dbe191b7691a3b1fbd24ea1a88a803293028eb9df1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5e617248c8f04af3c37a01110df45e1b

SHA1
d032c94891b59ff6563791b5d552f1ad97ebf8b3

SHA256
adac60c3aa3b952772cc3d457e70344daca2fd642d4b8be6480cf141819093ce

SHA512
40f5dd0de15e99221dfc56bab21a539b37e03b520c57ae6781aa9aa1c3a33ad586ca655c93028c5c7fa39f84b394013a24c5f5e5c5b840f62ffef7a4ffb3120a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0a55de49d633b2abc8284703ac455f16

SHA1
e5169bdb03b0e5ea4dd19303ba18e7ceae8f733d

SHA256
280b21dfbd3b9ffa673d9b6cad66733cb27d67414c3e8008a983c4e9fedb9a6d

SHA512
8bf97406c3a17a964725f452852c17b6b4ecf7429a26d4c5f1242cf00987efc89a74137e9ecd1471f5d65015acde0652ecff74bcf220912c2b4c1a5ea1e51b76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
485aa770af5fe4428733f3a3c5a9b2c6

SHA1
9bd66dac7f05a8af5c2d493cb7e21b773022bd8d

SHA256
814668a1b408fb82997467761f829acd9a89efc2b8e9b46865f5fd6a67827212

SHA512
3916acc10ad1990cdf4f3a09917f95a646ab9033471b8a901402f3dbca828d0b5c3e10246606d78b41ed8e2cc5d04f31075762d9c6343808ba9aab396728c396

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
5d5f24cf6e66d3754eafb85fe353e504

SHA1
4e9a7b4be944582541e35e197d12ac178dbb6145

SHA256
5f6238e122bdd6fd9e39c0bf5a621af255e3a9d69c0374ba56c22ce55d658e0c

SHA512
44772da80a602c4a06421b98e7d6b6eceb6e13aae364f46692d0269c13f2d7aa0b5261e00280d91c30c6e18aab678624aac3b14a303c5f448b675a66cdbbdfe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7df574ba4eb97dd3df5f99c7ec66ace0

SHA1
3af6f4bd3db02a721e26aebf629017c4d698c456

SHA256
e013b488d3e3b2a5c4b7805b059d19010dd1763912222f72cfc53b555f27b6c4

SHA512
daa4b4e73c53caf05fe63a1d6b76aaa205126db73b376cb794c87ab28eb6e4e8fba6099225bdf4960de3d634e0c9d16065052f9f5f8cf1677a9814989b1e1ea5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8e79213283e1227f9496828b0cfa31f9

SHA1
e4cab3c684f5cb5398312d27aae7b1ff21a8c58a

SHA256
be1585eff5dee652c7a097d8b2f8ea18618f0f5f7e5f6c1c8efd40a94d231407

SHA512
93ea557a4b12370e786625358f45ca40d7ad3f5d081785c6ee2240841fda5b2fd091993a2ad31dbce0cb4a135b741133fb52cccd4f19026f123a3a6f9239b268

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
64937d8b1bca4f8b592bbedd6c3f525d

SHA1
1fab99d05ee066bc6beff13a95f120bda226a11d

SHA256
1f4a9e4d12db59793f5d32911a5c486504558cf37a2caf89177d7bb10a65a3a7

SHA512
bbe9920b0dda726cb4862ea3953d04bd15a938a71c3ae706830b899dd1535bee8c0af644ef05d95859259d05466132ed0049b27166a4d9f2d3d4a328a454978e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f1f062a66b04b4123be6ad0719a0d01b

SHA1
92463cd66fa08589e5b6393792e8a6b10157eb87

SHA256
fcfffdea7f2f64e1398c7774397391bf70bf636e339d7ae444271d79a28381d4

SHA512
416a3742d9f6dad36b3b81b40167b6618575ffdb504a4b3507268ec03cf0bcb4baa21213daf3cd08ae81539b029f9ddaa219c02b22cc73bfd961befc531c6383

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
933accd51c541f92d2a93648565b738e

SHA1
62632ebcf63020273517747e3ad9d6e5faea2b31

SHA256
75948d79e129e70a0c3fc9030776d3419bf5eee6e94927d965eafb0c653aaaf2

SHA512
9b20df3fc62090fef349e71ab884fde34b6bba4ead9ddf0cb8187d3e896fe4b696799530d03d3871239df23eed4285cde18e33769867043f63742141ec765869

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
80bae8812a5d45870059479f65a391ee

SHA1
dd329088e3149e158791b7fcbab3679fdb8efdbc

SHA256
adeb6f4e40972350356b02bb6f8eef32209d360c3b797a061db60c31c1c6adf5

SHA512
35f3da201eb590f296c8b4ff7e55a7b008ac2c5d49d5cf9058fc47ceeb23e55691db55c32dfa468041661e64a51722c1541dd0422511867940007269c0ee44f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{477CB561-19BC-11EF-8E44-4635F953E0C8}.dat
Filesize
5KB

MD5
a4266a4e91882776c5b03504156190b8

SHA1
287691d29c929ef5d34a9e4e92531f2245c9d686

SHA256
7183113452731966a122e90089adb26238967b5d4b17bc30bd5cc3c3c27ee6d3

SHA512
7f90be486bcd907ac6296e12eb0007818d2aead747c8513e8a16b9ae4f85988e3433ca65a1d4966641216ba28fdca409bce31dbec461e396219907ce010ade78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{477CDC71-19BC-11EF-8E44-4635F953E0C8}.dat
Filesize
4KB

MD5
5382eb33804b9c82429b770d44b23f34

SHA1
591d1805e9331d4c2758f465bce04a8596155ca5

SHA256
7da1140cd444631cccda6e3724887139ddf8fcb3bacb6b54dcbc6d1e7241f0ac

SHA512
2f85d5f4f80c311e4b60e24f60267d6d360b1316699fba4df7931d8fbd4016bcc87971e41d8dff794fef16b46410a3d9068481f216ffb803b92c28e14c5163b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
Filesize
105KB

MD5
dfb5daabb95dcfad1a5faf9ab1437076

SHA1
4a199569a9b52911bee7fb19ab80570cc5ff9ed1

SHA256
54282ec29d4993ed6e9972122cfbb70bba4898a21d527bd9e72a166d7ec2fdc0

SHA512
5d31c34403ab5f8db4a6d84f2b5579d4ea18673914b626d78e458a648ac20ddd8e342818e807331036d7bb064f596a02b9737acac42fbead29260343a30717e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4C6E.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4CBF.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\datatemp\aria2.conf
Filesize
55KB

MD5
4a1b71ede6ff12456038f6a26e356a42

SHA1
16af6552ebbeb0300d1451715add745e840ff993

SHA256
0ee9c9e686a595f86d25854bca6e92e8bfd51437a28306b4eaebf736156cc7ee

SHA512
bea15214c76083c86f4104e569bb93ba7000e4e555382b6cc97e0c9bdb6b4de72f50b8458d4c3420e073edefe4f40b7eea580000001d089fd5c78e303fbd8501

Download Submit
\Users\Admin\AppData\Roaming\datatemp\aria2c.exe
Filesize
4.8MB

MD5
a5c047f169471bd325552c255d6c04af

SHA1
e313cff2f3d668ec5d0e90920bd622b0f38aed9d

SHA256
cec8bb942475690363c1558fdf55e3cf59f29607967a822a626d4976a348334a

SHA512
6cf929d36ea0c95815d3218a3b11f0c8f539a6113c368642a70d41379145ba7ace9aed1e5b78836a4cd2ca861d9bcd10fea3e7fc126adb85822ed4cf4f762f0d

Download Submit
\Users\Admin\AppData\Roaming\datatemp\libcurl.dll
Filesize
2.5MB

MD5
298f5812023bab65ee23d13ee9489a6e

SHA1
71e9d7f205e5e7af6907c539c77a3aeea971692f

SHA256
fe100d35b034c15ae3b74379f4eedd321c8e4b84fe666b54ee924ca2a8bdca6e

SHA512
217258fb7728f61199f913fb98c894077c12a124e1596d1c6c7cfc065d4d2a6e1e03ad950c3321e2a8dcd997fb5c9524f98530db4bcb39f9914ecb5ff0e22dbd

Download Submit
memory/1612-476-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/1612-475-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/1612-473-0x0000000000400000-0x00000000008CE000-memory.dmp

Filesize
4.8MB

Download
memory/1688-10-0x0000000000310000-0x000000000036B000-memory.dmp

Filesize
364KB

Download
memory/1688-7-0x0000000000400000-0x0000000000E92000-memory.dmp

Filesize
10.6MB

Download
memory/1688-465-0x0000000000310000-0x000000000036B000-memory.dmp

Filesize
364KB

Download
memory/1688-15-0x0000000000310000-0x000000000036B000-memory.dmp

Filesize
364KB

Download
memory/1688-474-0x0000000000400000-0x0000000000E92000-memory.dmp

Filesize
10.6MB

Download
memory/2124-14-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2124-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2124-11-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2124-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2124-9-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2124-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

pid	process
2124	4b33da871cd87e2d4c489f343b0e5641818b835a0ba238b7392461c0cf27daeemgr.exe
1612	aria2c.exe