ramnit | e396953b02da23d8a77d2427f5a9a4992fa8872cd5f19ca6a6dfda36be6e71c7

Analysis

max time kernel
117s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ebf168aa12f9a81d5edfb5c0f023455_JaffaCakes118.html
Size

673KB
MD5

6ebf168aa12f9a81d5edfb5c0f023455
SHA1

bb4b4e5fda85fd1350501c11aaa91cbac8f866d7
SHA256

e396953b02da23d8a77d2427f5a9a4992fa8872cd5f19ca6a6dfda36be6e71c7
SHA512

5724b943c48d7d29b486b59a7497ddc33c8f9d0bf0459a9c0e65fa25b5cd34ede4ef388a60a1d18e9e91e51b8a743dc3704a3b7749eadaac57ee022dc9e78cb4
SSDEEP

12288:25d+X3p5d+X3P5d+X3I5d+X395d+X3f5d+X3+:0+F+f+C+h+P+e

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 9 IoCs

Processes:

svchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exeDesktopLayer.exesvchost.exeDesktopLayer.exesvchost.exe

pid	process
2712	svchost.exe
2944	DesktopLayer.exe
2548	svchost.exe
2504	svchost.exe
2096	svchost.exe
2896	DesktopLayer.exe
1192	svchost.exe
1064	DesktopLayer.exe
1876	svchost.exe

Loads dropped DLL 7 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2112 IEXPLORE.EXE
2712 svchost.exe
2112 IEXPLORE.EXE
2112 IEXPLORE.EXE
2112 IEXPLORE.EXE
2112 IEXPLORE.EXE
2112 IEXPLORE.EXE

pid	process
2112	IEXPLORE.EXE
2712	svchost.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2712-12-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2944-17-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2548-20-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2548-24-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2548-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2096-32-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px22CC.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px22EC.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px20F8.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px204D.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2108.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px2156.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 45 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000d50e37ea4b234549e2ac1f26dccc8445fa2a7069eaabbaf78e1910705c46c817000000000e800000000200002000000026a6c7616097bda3e80386dd15a8cbc6fa0f20d542de110c8aae21a41c9b7c50200000006f3e783c36678fd48076b422c7c95a26925db8f734762568bda7f3d27fb125da40000000b00a65bef63fb66f98c90358df840aa0dcbf0738e8b7090a1521dc410056c27558c391490f491214c50561f1171e45bc0c92fd5236e989693a6b17eff628cc22	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000004b25caca2a8a5dc23c2eebafc91d8bdffc518cba56942cb8f50690e3b6aa402c000000000e8000000002000020000000457488d23758fff1579fef7a77908e42cb7f440b88a17f97b5a8a0a30a93528590000000ee9e0329545ccabfd1c4fa9d49fe6d0572a404ebc84e45a3b5b6984286a806355baeab8ff48c06de24e6236927a59dcf5f6a86a6e40005cbe92155d965a1d9fb7f9599dfed9b00b587a62242c46d2675b07d661fb5f93360c3ea9059b1938a54451a3f1bb476619b67615f0d1d9701f9ea37551359a5545f1a7dc3275191ecffd3fc970f08686ca770e45531e2b9fc1140000000a6f57892d594970bcfa6ccdfa154504c8e29f3da85d5b60fd1831c7274af2d0187a43b5533dc096b96216ccbfacbcefbafafcb1302396e4f16e8ec9911d9987d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a2e35be2adda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{86DEFD81-19D5-11EF-BE4D-CE57F181EBEB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422720902"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

DesktopLayer.exesvchost.exesvchost.exeDesktopLayer.exeDesktopLayer.exesvchost.exe

pid	process
2944	DesktopLayer.exe
2944	DesktopLayer.exe
2944	DesktopLayer.exe
2944	DesktopLayer.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2548	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2504	svchost.exe
2896	DesktopLayer.exe
2896	DesktopLayer.exe
2896	DesktopLayer.exe
2896	DesktopLayer.exe
1064	DesktopLayer.exe
1064	DesktopLayer.exe
1876	svchost.exe
1064	DesktopLayer.exe
1876	svchost.exe
1064	DesktopLayer.exe
1876	svchost.exe
1876	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exe

pid process

2120 iexplore.exe
2120 iexplore.exe
2120 iexplore.exe
2120 iexplore.exe
2120 iexplore.exe
2120 iexplore.exe
2120 iexplore.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2120	iexplore.exe
2120	iexplore.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2120	iexplore.exe
2120	iexplore.exe
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2120	iexplore.exe
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2804	IEXPLORE.EXE
2804	IEXPLORE.EXE
536	IEXPLORE.EXE
536	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exeDesktopLayer.exesvchost.exesvchost.exesvchost.exeDesktopLayer.exesvchost.exe

description	pid	process	target process
PID 2120 wrote to memory of 2112	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2112	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2112	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2112	2120	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 2712	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2712	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2712	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2712	2112	IEXPLORE.EXE	svchost.exe
PID 2712 wrote to memory of 2944	2712	svchost.exe	DesktopLayer.exe
PID 2712 wrote to memory of 2944	2712	svchost.exe	DesktopLayer.exe
PID 2712 wrote to memory of 2944	2712	svchost.exe	DesktopLayer.exe
PID 2712 wrote to memory of 2944	2712	svchost.exe	DesktopLayer.exe
PID 2944 wrote to memory of 2940	2944	DesktopLayer.exe	iexplore.exe
PID 2944 wrote to memory of 2940	2944	DesktopLayer.exe	iexplore.exe
PID 2944 wrote to memory of 2940	2944	DesktopLayer.exe	iexplore.exe
PID 2944 wrote to memory of 2940	2944	DesktopLayer.exe	iexplore.exe
PID 2120 wrote to memory of 2748	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2748	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2748	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2748	2120	iexplore.exe	IEXPLORE.EXE
PID 2112 wrote to memory of 2548	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2548	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2548	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2548	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2504	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2504	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2504	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2504	2112	IEXPLORE.EXE	svchost.exe
PID 2548 wrote to memory of 2524	2548	svchost.exe	iexplore.exe
PID 2548 wrote to memory of 2524	2548	svchost.exe	iexplore.exe
PID 2548 wrote to memory of 2524	2548	svchost.exe	iexplore.exe
PID 2548 wrote to memory of 2524	2548	svchost.exe	iexplore.exe
PID 2504 wrote to memory of 2208	2504	svchost.exe	iexplore.exe
PID 2504 wrote to memory of 2208	2504	svchost.exe	iexplore.exe
PID 2504 wrote to memory of 2208	2504	svchost.exe	iexplore.exe
PID 2504 wrote to memory of 2208	2504	svchost.exe	iexplore.exe
PID 2112 wrote to memory of 2096	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2096	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2096	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 2096	2112	IEXPLORE.EXE	svchost.exe
PID 2120 wrote to memory of 2804	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2804	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2804	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2804	2120	iexplore.exe	IEXPLORE.EXE
PID 2096 wrote to memory of 2896	2096	svchost.exe	DesktopLayer.exe
PID 2096 wrote to memory of 2896	2096	svchost.exe	DesktopLayer.exe
PID 2096 wrote to memory of 2896	2096	svchost.exe	DesktopLayer.exe
PID 2096 wrote to memory of 2896	2096	svchost.exe	DesktopLayer.exe
PID 2120 wrote to memory of 2892	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2892	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2892	2120	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2892	2120	iexplore.exe	IEXPLORE.EXE
PID 2896 wrote to memory of 2576	2896	DesktopLayer.exe	iexplore.exe
PID 2896 wrote to memory of 2576	2896	DesktopLayer.exe	iexplore.exe
PID 2896 wrote to memory of 2576	2896	DesktopLayer.exe	iexplore.exe
PID 2896 wrote to memory of 2576	2896	DesktopLayer.exe	iexplore.exe
PID 2112 wrote to memory of 1192	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 1192	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 1192	2112	IEXPLORE.EXE	svchost.exe
PID 2112 wrote to memory of 1192	2112	IEXPLORE.EXE	svchost.exe
PID 1192 wrote to memory of 1064	1192	svchost.exe	DesktopLayer.exe
PID 1192 wrote to memory of 1064	1192	svchost.exe	DesktopLayer.exe
PID 1192 wrote to memory of 1064	1192	svchost.exe	DesktopLayer.exe
PID 1192 wrote to memory of 1064	1192	svchost.exe	DesktopLayer.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\6ebf168aa12f9a81d5edfb5c0f023455_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2940
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2524
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2208
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2576
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1064
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1940
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1876
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:1828
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:209931 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2748
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:5846020 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2804
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:5518339 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2892
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2120 CREDAT:668681 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
22b181c2d0b3c3760f65a1ef735662d9

SHA1
2935b9abcb1b8f941081ed0ef5222202ab833663

SHA256
706afc9a6a1e2d131d1df377b90052e91db085dfd3c071b3c4bcbf40115190f1

SHA512
f9b4f66ad1a57ea8e7b61608e7cc83bc6b576f832f38145837203e1acf40e2ac74ce2ef65955a4e68c2c6a85427d54b8d1fd6a117a08923975fa024888841eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93e6306bfce1d7cb8c229e76268a0704

SHA1
c5c71407a1ad0b827657c80f038ee04a2c081220

SHA256
789c8971688564e560011b3ba634b52e6366c5a5ad0f4778074e1118fca0baf0

SHA512
4a01ef55a8e03777c138522e514b22657bc8dfae998d91c8316b212d7eb09758eeba10ee82cf8c2d99a1b3f49601724f4fd100bd984a40f75694507225248005

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f975190d82c48a0bb209a6ba9bf2d44

SHA1
9e967b055a2f34de1cde8ca967c585bac75892ee

SHA256
c6313356a69bb02f3f1920743260527a50f0845bb7480b4b0c0b450ae71a51e6

SHA512
7661f343cdf3dcb4565bf38eeab386e2efbd7fc229403b0c31322cb1b49c0d57e3ce5e3899a3f155df62e451ffea2db3992838f9d1fe4ff654beff959a8460bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4d2377427395529b63b5e1f6a7e85b5e

SHA1
c62d9e6a053300ed6dd48659039cf9223298766e

SHA256
3bfeafe8bd38b862fa56c127e424c52bc7ecae81c46fe1650536570f2e36f18d

SHA512
596e49ab66f4dc6232fc53d8ee91faf2afc9b514acab884037c2175818407d4d2ba00c249d97aa179fa8d4c9719d86a747c5905ff01998528f07b4a27f1a1813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01e734f4bfd9e593642bca3aff9ef32d

SHA1
22aaab6af5cb1c5de8332b4eb3f70377bfc3605c

SHA256
6b1f8ad31698797799ee7b00bb848d952a1da2a1b24b6cbf2e702fc51c917d71

SHA512
0c052ad9e6d711c73e7c060f75b45cc9d430e7fc97da57a498c19972ea837658ff020aa16aae0b133bbfb1b2801826887f0e2357cd46b6832db5ae8daa59a2fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1dc2ba46b16b27baf648a8082826db1

SHA1
96471fe8ec49f3bd3aa6cb821d88bdf830dbd58e

SHA256
0241a4f0e299c26519b8b98e09fecf80e96c5e4cfc8ebaf4e493752c6903943d

SHA512
148dceff1b5151556dded1d96e8b996230b7ffeda5a18e912383a35de8c74adda7491faaec947245c1fdc6475b4b8098ed320940625dfde1d032db88df3226bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a83cb0a41446a3c53f33f098d5022127

SHA1
9af61583a427cae64563e16b2ba7c719257c47ae

SHA256
e07b30e7692a73b3756078544218d43afb29ce220b79f470317d74cb3f45aeb0

SHA512
8a9d8b04f77abd16d0dac1b2e6b13362bfdb3bd23750120baf06169824ed9f4e25c791e6e2076883ef5f1c2de56d24065a51b9f611c82d8c6f112e1dadbe1bc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c143f8d8fc55c1ff9ee1d648d3f9007b

SHA1
b1efe74a3d8481feaba4f8ee4d097151e5a426d2

SHA256
75cd6ae10a1befab73b6e2d641d30d2521dac66b11dfd1b0711de0b3bdf5dd2f

SHA512
4effd76c8e6695299af3be11cf0e696068112c32cc4938eede52db543cc09b7848577c4eafd6b360341ea8a1610dc56b884c4d7aa75d759c0982c2c183e74faf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f980b07e49c1353726b3890f39395bfd

SHA1
8202b3d24e05398bc67a86cdaa935732514abf6a

SHA256
7a0f76fe2edf874efff46023ee0b8159743d2d67b98397e61111711dc0564cb4

SHA512
522c9fb0b670df1124be6d7769f5249c46f409c6ce1a42f0c6734aff1a604eab9fdaf649f58d29a48523d5879e967a002ee9b04fce4be1c40b16c7b47800590c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e171881d7ace64dc011e56f77cae7f4

SHA1
53ce6f8aa336492a0b8b6081b13b10421c268bec

SHA256
d9ce25a6e49b8a43e5fb2facb2c9b0a2be4d5ff7c1b661e659ecd0ae22961957

SHA512
212cef177b356859d535edfa098d9e7fc751f4ef9d7fecc3cf62c2f74e99b311905fb2a6e0ab011c239e5b592814f655b153ec7d1d9f8421e60a0fc318157831

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1a7ff559d48c9bec76853d6b472d8979

SHA1
0e6e5e02f4bed5de3aca367bcd1687c9ab85f4da

SHA256
f0b52dfe199fbd22c708506cd365defd97bad566047f10ba8c36765817b3be96

SHA512
da49ec485ec9e6bfa48ef1bf6918edd09a7eeffcfb4f1e290131dc8016f4b570cfbd14f3ac2f8a8d942247017b58fdf63d94db0c6a34dc6be0e6da42b29adf6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c73c62a5647fa3694cb53b79040de058

SHA1
c9af281840768c9c35e552d460bf6415d90c4a6d

SHA256
6e2ca841c5d29d907ce72b9dcb29d3ce3253c66e82d24794efddb9753bda0edc

SHA512
81dc53e3f14d4b13f722621d579f990161b5d8fd696a8073dc15d60747f5bf254df182bfba2fb2adc2bd77936420e54128b61d0d4dc73b822d3800b59a75aebb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97204eb762da198922d27c623eeb721b

SHA1
56f68e4161a12e523f43125ec5c788986ff25302

SHA256
3c386c60abb8a1bed9badf4bd8bdbd599280d2ad73b6de432d271bd78164ed30

SHA512
addb0dbc1179e2a1b765fa17d7b82734be8203d36d53fd6f0423a7797ec1b83ba4034ff9b8d76d33602fb9b68fe21618db7f64d55c0af0f1ad965200a035ebfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7619d8893483d8ecbc32290d3fd69015

SHA1
fc9bd78dfcfa7012af5e2397ed4fe94adb30738f

SHA256
be5235c2a588c5dbcf354a5318d638e8a37be5c84f1dfbb74e3a0e4e11975264

SHA512
f3860ea63c692faef6ef96d49a33f07d9e881c15eab12d5f094e129ba994ee7cb43b108da216a9b1705eb4ca8111473cf34fe84f1a35ea8d361830bf605bbe5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3da487ebf444a33d90d5d4a3deea14c1

SHA1
7e90b1f1edf79c4d4a444ce452e13be003ad5a7c

SHA256
444818735f4eee01d4a59c83339919fa7be0a6e8d717ccb0e24672bf88a19b74

SHA512
9b18394d928dfcfe3d9cdd40c0a745ae0a7d8b767ff8ba833a64cf2e4cfd383dadc3cc07deb3aaa47a24d92e20e9b5c66f43ace0eeb8af52d562ef5c877bc6a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
60e3b85cdd2baae0bf1e0fae0ce015dc

SHA1
d62dd3c3c5c1f068e4040e76ad2d23e36d090a90

SHA256
0b9c2ccb1b4d70805f3e89d3fa4065f2f575f6a4f1bd5fec2956966b93613fd9

SHA512
518f16f1fe724ff0e1d572261cfd4eaad049c6093abcf5624c7572db8842aebf7a7cf5485edc5a345c26cce83b7803b3af35bcf61f4f116f3f4eed9128354c70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10868bfa0d6017a194808f00773ceae9

SHA1
59d53ddfa8108a23a6c1d3f48f277a6f4a27d0e3

SHA256
72e18e4d38641aeed339503de194387e5130a16a0e7a056260a161f09db704cb

SHA512
0e944ba25d5b5d01962d5779877331934f9b47fccd9164f73e7315d1f43896f7fd059b2111760a47412f3f5c2a12f1bb415b14b9d6fca0d5c8b5a0050b6b84ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ec20cb23c20ff951b3e841fbacc9233

SHA1
ddf534f181f88979138f831402267d8c88e9a058

SHA256
07c15f2bef113d2f968c2119c9ad6ce06f99d6e40e58e318a13e369cdbc06ce8

SHA512
69fc8a3d084a23ec21b53cbfad05aa9113053cfd7c25b33eaca6ee1b878f71076a40adac5a6f8df4c52eb446589f3e7c52592602485ea955be871a2c2c1203ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f22764c857b3200682a288475f2a2b5e

SHA1
6fab853354be7aaa403ff82fcd29174ce5bdfc44

SHA256
4f06cf015df7ead9b62d3ef0f32c3e998bff1955f4b8bb03ba7a34a3ec7a0d7c

SHA512
116adfea40d911c8d81c1e76592a7df6fc0514bf830e8c8fe16a67ea0ad9275955752067655b79e2e5eb72b7d0834d5cfb4bd40fafd47fc45aa8b739b3fb17af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f59e94cce76f89ed75ab7f5129e26a2

SHA1
6baf1ebc4d844971b53855203bc641f60ec38f43

SHA256
703e471c2b4928c0b8f0dad7f6ddce137dbf4382f6def39f6acdb55bfa8b2b8b

SHA512
59fc4e4cc15566c09f5ce88c58741b7c9d4134bd09c0dd1e90bbc7c577b9dd406b55b34887cfbc5f0b1aad809e029c083fe0036ec401499bce94ec9733125761

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c543405a8cde465ecefcf26ed8b88798

SHA1
6ee882a51dea015edeb991f1d3389d9d2ff6b267

SHA256
bcd452ef2cd73f3994763f06948bf98d7972ef398b2a1dae3ab5682b2e7d2e54

SHA512
0033099060fa1381ff12e6f8ccdbc340031380b3c4cf8cd89cef75c0303b8ed882f78ef180b985c08c81a94b4c584e29cf1bffd0f977ceaaed29b2b8ff3ffa73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00a3d9e3dfb54a6b3af93307a824123d

SHA1
103c5514880ff85055f8b99254d129e2b68d0b1d

SHA256
87a242d95107fe303b75ceb2e0cdcc5f36dab36322fac9e50e2e5b2b2bfbf35d

SHA512
7bc19c8862ec06c766ccb22975e36829ad56af3c963467bab0d4c6e1cce4e887ae912db7511afd6c5033f5e3ddf6caadab97f9aa580149f2efd72832735d04c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a71292cfa3b06ddb142009d37431f00f

SHA1
34148d4cb485baa6d51df9ab41e366f6045957f9

SHA256
49c7c0dae89e763a24958f0b05df037f1cd640a2e0cc0b4b7df97202e779b0b1

SHA512
bc8bf5988c1fd23db3cb96b91898231a3a68bef0200657d65c84435eeb04e098f6e660864cd6b9c2f94eec8dfe9f05b61a3daf419a5f5578b29145896b6de26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3796.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3807.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1064-49-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2096-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2548-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2548-20-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2548-23-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2548-24-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2712-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2944-15-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2944-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download