ramnit | dc8c7c188bc87860b65edd13c5daa0bcf9cf116ecae28a0ec03208a80a37f532

Analysis

max time kernel
145s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc8c7c188bc87860b65edd13c5daa0bcf9cf116ecae28a0ec03208a80a37f532.html
Size

133KB
MD5

6dd984235774eb016f96a36fee6842f8
SHA1

43b80ce09c33b298c0c10debaec679700add8fe1
SHA256

dc8c7c188bc87860b65edd13c5daa0bcf9cf116ecae28a0ec03208a80a37f532
SHA512

55f51c8d1fe56be9eedab21d28760a2f252f39a0d38503f7f8cab873b8ac58cac81c7fd083cb1bd789ace4bf28382c1df1e859e9438dc5ae3ea1d157124aad6d
SSDEEP

1536:SMD9cXOSkyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOZ:SS4gyfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

pid process

1340 FP_AX_CAB_INSTALLER64.exe
2724 FP_AX_CAB_INSTALLER64.exe
2000 svchost.exe
1552 DesktopLayer.exe
Loads dropped DLL 4 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2248 IEXPLORE.EXE
2248 IEXPLORE.EXE
2248 IEXPLORE.EXE
2000 svchost.exe

pid	process
1340	FP_AX_CAB_INSTALLER64.exe
2724	FP_AX_CAB_INSTALLER64.exe
2000	svchost.exe
1552	DesktopLayer.exe

pid	process
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE
2000	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2000-1323-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1552-1331-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1552-1333-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7D6A.tmp	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File opened for modification	C:\Windows\Downloaded Program Files\SETDD36.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETDD36.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET39D5.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SET39D5.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422711467"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60e1c664ccadda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000ea68f96e182868644680826d92ccca699917f9d587e69a7379120eef29acc3f3000000000e80000000020000200000005afdf18dfcc9c4618f3ac93a5b9921c946625750fe7f52e5e611ca0b3faeef3790000000e559095784e7da38d221d0f5e2ad779bc62b94046a0991662ac92bf8e97b4b8017e02b3e1182ee8502f3c3385575c5ef80a4c9cba7c4cb8909c5f90981f8ecf96592d43f9d024908932837d6928efccb2fa324aa8bcbbe08bceddc741c692dbf25412aa3f892948ca60a665cb15e835aa71e1b568a07ba49acbf02e288c1af1b071539bd361dbdc3ffa936045b31198c4000000071675dc805ebf2bee3ed82ba38e2e166eae1f46b302fc4f6d5798dd3417867e6b57ea90d738a7126a5c7e09824d8d2da7b5c421cb64a5af37811b47a23ca82e6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E8FF631-19BF-11EF-8B04-EAF6CDD7B231} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000aa702bb1bcecc852a35458d2c6a8840de862ee19d70d782876b046bf680b97b8000000000e800000000200002000000038360cd36fd7ff9bcb4481740c81fc8b813e72edad236ad3a79edc477ee4d5832000000078f6f076afc37df8166cf9caefad9539e80cd3296510a69f464f77c9e1f40e8e4000000064b4f893c7ae61ad6da20c969f442d7000045088992b73f446ea3c0c793487b78c0bbb4b8c5b4651cc9945acae15bcf2cc0d58f9b52fe0c23e9d15ed919f6ca6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exeDesktopLayer.exe

pid process

1340 FP_AX_CAB_INSTALLER64.exe
2724 FP_AX_CAB_INSTALLER64.exe
1552 DesktopLayer.exe
1552 DesktopLayer.exe
1552 DesktopLayer.exe
1552 DesktopLayer.exe

pid	process
1340	FP_AX_CAB_INSTALLER64.exe
2724	FP_AX_CAB_INSTALLER64.exe
1552	DesktopLayer.exe
1552	DesktopLayer.exe
1552	DesktopLayer.exe
1552	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

IEXPLORE.EXE

description	pid	process
Token: SeRestorePrivilege	2248	IEXPLORE.EXE
Token: SeRestorePrivilege	2248	IEXPLORE.EXE
Token: SeRestorePrivilege	2248	IEXPLORE.EXE
Token: SeRestorePrivilege	2248	IEXPLORE.EXE
Token: SeRestorePrivilege	2248	IEXPLORE.EXE
Token: SeRestorePrivilege	2248	IEXPLORE.EXE
Token: SeRestorePrivilege	2248	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid process

2364 iexplore.exe
2364 iexplore.exe
2364 iexplore.exe
2364 iexplore.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2364	iexplore.exe
2364	iexplore.exe
2248	IEXPLORE.EXE
2248	IEXPLORE.EXE
2364	iexplore.exe
2364	iexplore.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2364	iexplore.exe
2364	iexplore.exe
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2364	iexplore.exe
2364	iexplore.exe
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE
1508	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

iexplore.exeIEXPLORE.EXEFP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2364 wrote to memory of 2248	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 2248	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 2248	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 2248	2364	iexplore.exe	IEXPLORE.EXE
PID 2248 wrote to memory of 1340	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 1340	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 1340	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 1340	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 1340	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 1340	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 1340	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 1340 wrote to memory of 1636	1340	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1340 wrote to memory of 1636	1340	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1340 wrote to memory of 1636	1340	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 1340 wrote to memory of 1636	1340	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2364 wrote to memory of 2112	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 2112	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 2112	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 2112	2364	iexplore.exe	IEXPLORE.EXE
PID 2248 wrote to memory of 2724	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 2724	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 2724	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 2724	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 2724	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 2724	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2248 wrote to memory of 2724	2248	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2724 wrote to memory of 2648	2724	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2724 wrote to memory of 2648	2724	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2724 wrote to memory of 2648	2724	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2724 wrote to memory of 2648	2724	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2364 wrote to memory of 2500	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 2500	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 2500	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 2500	2364	iexplore.exe	IEXPLORE.EXE
PID 2248 wrote to memory of 2000	2248	IEXPLORE.EXE	svchost.exe
PID 2248 wrote to memory of 2000	2248	IEXPLORE.EXE	svchost.exe
PID 2248 wrote to memory of 2000	2248	IEXPLORE.EXE	svchost.exe
PID 2248 wrote to memory of 2000	2248	IEXPLORE.EXE	svchost.exe
PID 2000 wrote to memory of 1552	2000	svchost.exe	DesktopLayer.exe
PID 2000 wrote to memory of 1552	2000	svchost.exe	DesktopLayer.exe
PID 2000 wrote to memory of 1552	2000	svchost.exe	DesktopLayer.exe
PID 2000 wrote to memory of 1552	2000	svchost.exe	DesktopLayer.exe
PID 1552 wrote to memory of 1480	1552	DesktopLayer.exe	iexplore.exe
PID 1552 wrote to memory of 1480	1552	DesktopLayer.exe	iexplore.exe
PID 1552 wrote to memory of 1480	1552	DesktopLayer.exe	iexplore.exe
PID 1552 wrote to memory of 1480	1552	DesktopLayer.exe	iexplore.exe
PID 2364 wrote to memory of 1508	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 1508	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 1508	2364	iexplore.exe	IEXPLORE.EXE
PID 2364 wrote to memory of 1508	2364	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\dc8c7c188bc87860b65edd13c5daa0bcf9cf116ecae28a0ec03208a80a37f532.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2364

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
4⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
4⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2000

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1480

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:209932 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:668691 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2364 CREDAT:799775 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
408bb6e4313272d9e85b325f72e69bfa

SHA1
d8dc8ac72a70c1dc52ab4a0bd51a2b6af387ce84

SHA256
7aa52ae23473cb4d760360d397db1cc6ef5c52369badd6d5f1799c84723ba9ba

SHA512
c16789f9795b2a96d5a81806c0c604ca4d5d16e1de3b78f9d8f593b643eaa7a3b8531b475b7719dc7963725d139e211fd54b23da14191eccd5b2ff20edba5d9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ffe93065c405bc7dece88f50a9ca3414

SHA1
ac4709619680517b1fc42d117361315c1e6c8794

SHA256
fc1aa41154462164af10471a120f9db5e40f8d2bf6916dad5524d518b4efa1d0

SHA512
792f7db7adc9b79327d4c79f10a32007c78907c6e2f7fcc4fb445a40ae06ebdc71caafad37b21e0b1959bed3d8b017f33598c11cf37a32f4f66d00822d508aa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6a0fb467b1580f4e9982a82cd37ac24f

SHA1
6d88a505645aedb43c341e2a8ffa949c223174d7

SHA256
312633ddcc2e793452455e6e4df65c9fc3296a58b670d534d3f22567cab1848b

SHA512
79a3b9b2927d57a843866e67c901ecd51347ba07014d35110a247beffcc8878eeb472e2d7e478cc0b8df738662bdb4aada335deec722b8e8ef73715f428ab723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6ce04650bf27c81bd51b5a722e9339d4

SHA1
3f269502f45f7978d831dd16ab9d78c3f49bbfeb

SHA256
59cd983ef029e9cd89d74005042067950c12df3955538f6e0f253cddfd51a85f

SHA512
405e4fcb1e829100683b0e6d17824a322f2465bf262354550282813d5c0d1fe0c0f31cba50187724f4fa36374e93a62ef12dead87eccf6012a2bfe5cf55aebd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f45d5228f22529e6d38144592e894893

SHA1
be2ceaa31aec9c2333724d547636a1966db94dc0

SHA256
d5842ee5c4be56fa767537bd2e501333ce63e3441f4eb554cfa6f69bef871093

SHA512
eac27b9a3a90c90c3061a921cec7a1cf731e8dbf12a01cf56d607088a2d7ea4e4606fee8e2ffe13b761c39695650d77103a46cd901ed1cd586bd1c5ac8219f31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cb4c0b06733be38a76da0a8e538888e5

SHA1
771e474db4ca2ae193486f87e7fb73dab7ce018e

SHA256
e8ae77c04e12b848fe17e30d1034f4755a4ea9432b9687979cda43b9b009deee

SHA512
60accc3c7cb49590bddb23c34d84a7367b6dbe381381713e78787c9858a707c858a41b4e3a3f50f0f676eb6990ef0bfb264dd5e02b7cf77117464d4a520fd18e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
18736a54a35c1f48780b25d53b6b833c

SHA1
760907c20eed4fcf66c0bd43bdaff7270631068f

SHA256
218ef6097f0da058de76e22d1546d4d2fd301ab4b72d816ffce8c5ec12d254ef

SHA512
4c5e73611af71856935b7ca2c80168b83893d0b2b4cdc5b68ce998a242a31b1d8ae2a61b29f19f648934c100bde774eeccb8fc3490fcb4867859ecb8fa6da4c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
33e22739d12bb7b3cffcade2079bf30b

SHA1
feccdeb7d73386cc5f5d9a16879733dfc73f262d

SHA256
1cb0c3ce7defa1a82666d00f9d66d4c7b0f34646e549cbcaa10fee4de692c001

SHA512
0fc7caffbe7c6693626ffe6de62b08d0104f442fd559ea5a4e379d487e6d035eed8cc93ab93a3ad42452958921bf22a3801ef1089b21b8e1e4136ba661ac6832

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4959875a8270d00b2b21e98515ad8f10

SHA1
252ef4c6bc324c5c677ae769fa376ae3cf011800

SHA256
a4e3893e71528edbc7e14511c478adac8f0bf4a8d7bd4f5a1c78172d55437377

SHA512
5c0603864acb425eaa982b6468d44edf0aab85317d48e4e99847e6f725abfc3ecaae83b2f3609f04079800b2ddf16b5af743740ff8ceeb478966c3cfb4a88cb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
09b27196a4e104d28ed45ae75e7a55a1

SHA1
9f2e42860c0e7442d51f091cabc731cf486a0bd2

SHA256
44ea82282b15d7c8c22b9d8aa06784340d70a46118bb66ebd77648d1b6ff1f91

SHA512
c7ddacf4cab734764a2797e2beae3b747503dc831cfa492ba20c1b811d04926c160c37045c5dd8969a0f7eb44ea747253549f5a45a89b35edcae6a81af70b4da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
71527ed0f2aa11828db4d22255197726

SHA1
75758072a0ce8c709e3bda7c63b3bfef2fb30948

SHA256
fe7816e6907d544b6ad37b7a071b61c6974bf8c349c7c0ccd6ca651ebce9abd3

SHA512
82c3fd81c53ec9baab3debf8573545ec853d755f27e41f7adc6dcc1b641b45cef7e56766b016641072e8cde0885d139448f339991a7d7300caf46378fb17e740

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e22d5e12f3bbfd16114b876e5c6f4d35

SHA1
66e3abd8a2dd647270e33a2e1ef998556b6f313c

SHA256
0290350e833ac8ece3a6b799d49760f31d61ff8321ad4b8340f907f200a82d32

SHA512
8f1d7d103f5c901a637ebae857d4269a01db0844ae0764989a964afe5f5759c6de9f941385f1715925e677ab4f61e7045f3aeda6f867dc51cb90e9dd1e6a8806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9cb6830da29786d2f94eb9f9e7847b17

SHA1
d6f77186d90a546d20b00796c2b205c2b123ac7a

SHA256
fdc7d0ed466cf4cfc0e23be7d21056815eee699181cb106108a6fa8b61979441

SHA512
6a236be65a14d08d1636549641df83bb5549be3fe062bbc8ea6a0b434606105d64ee1af3afa22bd9781c5dd967d74e7fd5ae397ce1804b7aaaa253ed8358dc55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b19d497f8cc5e74aca42ec3b6aee0d16

SHA1
4aec0bf511d2c5af83733b68fa7865159e65e555

SHA256
436bb2b9a5981e77e75acc00db99d064df094044ab9a924dbdc0ed269d6e41c4

SHA512
e7db2deec3623f73a189af52adf96ec37dd240cb955128c0a6830170f488e9a827261061efcfa816fad0e26e45878b95efab745afee271e1d9a4bc647f40f294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
27b5d7f66ab27d033cc84234438049d9

SHA1
4a35e8c87b0fd99873e74dac217a101359c68cc8

SHA256
c5563a3f78dde89d09d8355b00244011b8fadcf826fdae812538355dca9005ff

SHA512
0d9d1c43e54bcd0c73314f4dd11cc96136652156a08e83fa6c3d41343b18bebbc1c9247bb467f48ef3e8586fbcd76ab252cf242eddb0a32bfb0c8783d3313b08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6976660d7a20ddf0a12723956b6d1c4e

SHA1
968cb3aa3aec0c169194ee7f4a7ffd00d51d4dfb

SHA256
887dabe589d2cf9a79aba1fa955be450f46171ab6a7b5750c1cdb6f7013b361c

SHA512
28e1cc4409319129c35e20bb16dc54e1b52d2920f5e55e3867bc3a29a996b1d66a7377801f0430eb51fe245846787aa837617984344289fbc2e1339f935e8ea7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
641ac24aa862d4d8b9ac0e197c9e8c6b

SHA1
9f8beb54f89c61a0e0a92d32ba7d7a1233a860c0

SHA256
9b354382d0e95f6daf1609c5a9763956a0c9d6ed4922434fe1ffd6b7b8b71785

SHA512
4db8104fd579b807b86c7f97b429f032c3ea38ffec63f17df6a5d41c9eb25de9867c40ba76ab21d88dad459eb21ad7a90ef6637cda6ffaaeed69d00e0ea653c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9da0a892655b6e462d4791e220a71b8e

SHA1
7197d76c772176b45ae399fb2134c5ca88db28bf

SHA256
128c2025db78c6e608038f857b1351ac709a75fd3bbaed1835e675e2973ac33c

SHA512
0c3e77e6a5c7984344e637a8452ca63531a23b2675350cc0800020c1b1fb45862ec7a6116673fd07c8641b305d868ddf4e67358c6fac79768c145f5d1eb6e5b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
986922fd51e22515f77479a463d54f77

SHA1
6a70695d4d1400e671ba45cd66437a370a7ac2c1

SHA256
7dc1c6d5cee97a16cc4188454a3b022a4ae37a2ca88e08111ec6588afae50a05

SHA512
7601505fcc071200949058be34ff7a141a5f49675e72884ed43a745b67f06f203e2c3b53a07be223d7e6d6d463593eb3d4bc6ef489804720d31d2c4e8bf2d888

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bcd3324cb01e692d30aa681bcbfcfd19

SHA1
014c14f1722cc8588cb4d8375a7f2bcaee609b28

SHA256
970f1f15736359f09beceab29fa7421ec6a0e5311fd9c5e507250c12927eb6f3

SHA512
c664078bf1dc650d126b33e3c1104bc802e061adc85c17d0491980f056ed3dd5d7261bc81394e348311d3b282f6b343fa20446a805f7471c980adf62946d1d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\swflash[1].cab
Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3555.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf
Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar35D5.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
memory/1552-1331-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1552-1330-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1552-1333-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2000-1323-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download