ramnit | 73cdb9cc1f884b8f4fd1b298ac2867c76e9c37ab04f18dc2d1a701e0b3223b62

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71aeba1b3dd38e19694f7eed033976cd_JaffaCakes118.html
Size

134KB
MD5

71aeba1b3dd38e19694f7eed033976cd
SHA1

46efde4b6182fdb2539957ae38670ba847c05f12
SHA256

73cdb9cc1f884b8f4fd1b298ac2867c76e9c37ab04f18dc2d1a701e0b3223b62
SHA512

5a84a77157eebc331d243649b9187d2f947c17cee7f809bed5f07048f29e7a833ae3a920cb7d15f9d4a3ee8f88934d16d678b2e1c06744612a8637d8c80e552c
SSDEEP

1536:Sg1SKT8/yLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy+:Sg+yfkMY+BES09JXAnyrZalI+YQ

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 4 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

pid process

2636 FP_AX_CAB_INSTALLER64.exe
2552 FP_AX_CAB_INSTALLER64.exe
2072 svchost.exe
1268 DesktopLayer.exe
Loads dropped DLL 4 IoCs

Processes:

IEXPLORE.EXEsvchost.exe

pid process

2120 IEXPLORE.EXE
2120 IEXPLORE.EXE
2120 IEXPLORE.EXE
2072 svchost.exe

pid	process
2636	FP_AX_CAB_INSTALLER64.exe
2552	FP_AX_CAB_INSTALLER64.exe
2072	svchost.exe
1268	DesktopLayer.exe

pid	process
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2072	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2072-625-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1268-643-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/1268-645-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\pxB358.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File created	C:\Windows\Downloaded Program Files\SET1084.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\swflash64.inf	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SETB25F.tmp	IEXPLORE.EXE
File created	C:\Windows\Downloaded Program Files\SETB25F.tmp	IEXPLORE.EXE
File opened for modification	C:\Windows\INF\setupapi.app.log	IEXPLORE.EXE
File opened for modification	C:\Windows\Downloaded Program Files\SET1084.tmp	IEXPLORE.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000009b1de14df75da506f259ba02dea298f614747273025f1895799b740a2d4dcd0b000000000e80000000020000200000002a6bd2c3858212f755b16736c2014ad51a4db4d80e3bd068898fb06ba1efff0b200000006017f093586cce0e0ec2c675640976145b410a2bf05634b85760e652e1bde9214000000018b9cc7f90c2199c22ee3b59672eaee7ee66195c71058c72108d78d0a7f2cf85e746c7d14b7c4346c4bfb38a714d66d2c09c69f48e2a26f439fcbad62bab0138	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 703726d18faeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA8D36E1-1A82-11EF-9BF3-52E878ACFAD8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d10000000002000000000010660000000100002000000072ba7aacc853ed5664374c5b406c3f586ce3a07d7609ab3e3e7d6be3a92ca00a000000000e8000000002000020000000fc26cc6477afeeb70e57c02261cfc2a1f0e422647eb7da347a0cd60305f5a9f8900000008536901fffbb1b0fe6c7a97fe2489ece7e09b048657e373babff57bf6a48fa245e0486a5f05778af85eaab02049f028bbc923e3622a565110fc9f89d687081f21badee1287db12fd6ba8aabc0e2b69829a6a5269aed6d3542b1e1d8bef9d7c3ef10fc2fe7db7de3f02ebc8e8e204163b6a9b25833885cd1d5503f5698238fe4a7667b87907dc7a2599cb342e4ba7fe66400000006ec83183961dd05824c2da2dd63b60af18bfd46ee249b63fbef6074b9260e02160430a9ff4ad396847de74d3f01665a49a243b1fc110f2b694675a71f0b9b168	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422795400"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

FP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exeDesktopLayer.exe

pid process

2636 FP_AX_CAB_INSTALLER64.exe
2552 FP_AX_CAB_INSTALLER64.exe
1268 DesktopLayer.exe
1268 DesktopLayer.exe
1268 DesktopLayer.exe
1268 DesktopLayer.exe

pid	process
2636	FP_AX_CAB_INSTALLER64.exe
2552	FP_AX_CAB_INSTALLER64.exe
1268	DesktopLayer.exe
1268	DesktopLayer.exe
1268	DesktopLayer.exe
1268	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

IEXPLORE.EXE

description	pid	process
Token: SeRestorePrivilege	2120	IEXPLORE.EXE
Token: SeRestorePrivilege	2120	IEXPLORE.EXE
Token: SeRestorePrivilege	2120	IEXPLORE.EXE
Token: SeRestorePrivilege	2120	IEXPLORE.EXE
Token: SeRestorePrivilege	2120	IEXPLORE.EXE
Token: SeRestorePrivilege	2120	IEXPLORE.EXE
Token: SeRestorePrivilege	2120	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

iexplore.exe

pid process

2220 iexplore.exe
2220 iexplore.exe
2220 iexplore.exe
2220 iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2220	iexplore.exe
2220	iexplore.exe
2120	IEXPLORE.EXE
2120	IEXPLORE.EXE
2220	iexplore.exe
2220	iexplore.exe
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
1820	IEXPLORE.EXE
2220	iexplore.exe
2220	iexplore.exe
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE
2220	iexplore.exe
2220	iexplore.exe
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE
1592	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

iexplore.exeIEXPLORE.EXEFP_AX_CAB_INSTALLER64.exeFP_AX_CAB_INSTALLER64.exesvchost.exeDesktopLayer.exe

description	pid	process	target process
PID 2220 wrote to memory of 2120	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 2120	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 2120	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 2120	2220	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2636	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2636	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2636	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2636	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2636	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2636	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2636	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2636 wrote to memory of 304	2636	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2636 wrote to memory of 304	2636	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2636 wrote to memory of 304	2636	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2636 wrote to memory of 304	2636	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2220 wrote to memory of 1820	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 1820	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 1820	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 1820	2220	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2552	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2552	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2552	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2552	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2552	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2552	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2120 wrote to memory of 2552	2120	IEXPLORE.EXE	FP_AX_CAB_INSTALLER64.exe
PID 2552 wrote to memory of 2652	2552	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2552 wrote to memory of 2652	2552	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2552 wrote to memory of 2652	2552	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2552 wrote to memory of 2652	2552	FP_AX_CAB_INSTALLER64.exe	iexplore.exe
PID 2220 wrote to memory of 2524	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 2524	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 2524	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 2524	2220	iexplore.exe	IEXPLORE.EXE
PID 2120 wrote to memory of 2072	2120	IEXPLORE.EXE	svchost.exe
PID 2120 wrote to memory of 2072	2120	IEXPLORE.EXE	svchost.exe
PID 2120 wrote to memory of 2072	2120	IEXPLORE.EXE	svchost.exe
PID 2120 wrote to memory of 2072	2120	IEXPLORE.EXE	svchost.exe
PID 2072 wrote to memory of 1268	2072	svchost.exe	DesktopLayer.exe
PID 2072 wrote to memory of 1268	2072	svchost.exe	DesktopLayer.exe
PID 2072 wrote to memory of 1268	2072	svchost.exe	DesktopLayer.exe
PID 2072 wrote to memory of 1268	2072	svchost.exe	DesktopLayer.exe
PID 1268 wrote to memory of 1524	1268	DesktopLayer.exe	iexplore.exe
PID 1268 wrote to memory of 1524	1268	DesktopLayer.exe	iexplore.exe
PID 1268 wrote to memory of 1524	1268	DesktopLayer.exe	iexplore.exe
PID 1268 wrote to memory of 1524	1268	DesktopLayer.exe	iexplore.exe
PID 2220 wrote to memory of 1592	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 1592	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 1592	2220	iexplore.exe	IEXPLORE.EXE
PID 2220 wrote to memory of 1592	2220	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\71aeba1b3dd38e19694f7eed033976cd_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
4⤵
PID:304

C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
C:\Users\Admin\AppData\Local\Temp\ICD2.tmp\FP_AX_CAB_INSTALLER64.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2552

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://get3.adobe.com/flashplayer/update/activex
4⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2072

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:1524

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:275464 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:209945 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2524

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2220 CREDAT:209953 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
98d37662c53c7ca9b79a13354dce0598

SHA1
22fad5df0f523732545a37a27ccb3701fd5d6463

SHA256
c3990dc56b791a0b38faad16801c10f1a00ff739bdd1c9537d37dc01af87d478

SHA512
4c92007d585773f43cc6cd2ca159f0338f4da665fc5209800b68e2b14604f8cf1fd9c2adcd036dae248fe2f1480ad764b7cfac49305876b47f358e7d2379b996

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ac573580fa1971fb6e71b8847ee148df

SHA1
dbbd47eb32f1c346c3696eac47f10875f991d314

SHA256
eca8e996a85e101c6381347be4018790cf94e213d5714312a9f6898990afc0d4

SHA512
8e0c6fd4d42448df00a20d71c3023facf0530a516bc0c159508153df1f0686995d888c0ca3e0b76646b20084e378d1ec086322994da18143ffb36aebe31ba106

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
668228e6e09c05cea3bf2d219965b030

SHA1
2d2f3fe9715dd06e67c19f7715602d79994341b5

SHA256
c7cc8a2d24789a17a5bccd60958586264e394fa8b0fa36029eddfb16d88eb872

SHA512
f74387e767f8da6e1bccd377af111fc3cfe3bb9e012a5424c178cd4808b2abb4bbad072343ff4593cfadfb531a6dca85af32ccc3d46df8ba7cd5c4f2a749f6c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9124dd5ccbb10904f0aea45388e760d2

SHA1
7654281f44ded1ae3c86a4e27ad7c2f44181cd48

SHA256
372ca411f9c35c64261b4cc4e990e9e2de84c04b2f4002daf8fb956df137196d

SHA512
783e76b8578337d65ac094f40491c95e4dbe4a751cdb1e71530e29127563c7086019b051cbaecf39ac3fe2a9d78160cd04b73a9785600af2a583eac456863254

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d397c8f046ac96cfd420d8191b3300ee

SHA1
396cfb4a3da3733b76ee0dc724a6a914dbb39ebc

SHA256
4fc4de8d703cceaa7108ab2f4fced05e00aff7ff076f6fbf41092499c062968c

SHA512
a7cd21e6ccde975756d5e02d66b787cff64754206be864c8b80eff483ce5851928d63b50638874f6d66b0c9d55aa6ad3d5a095ba564bba44025d89e47bf807ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
973e7969295d00c11ccc6188d8d3eeb6

SHA1
238ae522cb3da77574c8e84e6aef406edb8ce675

SHA256
17d047b5601b6492267f67d42772ee9c4514936f646a725694daf7ef1fc7b688

SHA512
2333a5fa2dc9dc90c5faf9c186f1b3ffb519b8bb6bd8b29d1258c3d1609b3f7aaf3a9f0042a851f5594535055fae3ff2719fde73c45090f37627e835b7dca991

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8f0c714f2bce28d0cc2e00fed091a0ec

SHA1
b0518db2b8cc61d822682385dcd70322bf601ca0

SHA256
f37aee633ccf79d3da3157351126d17c2a368363e6b30b039dd1ea0b896db300

SHA512
319b371a501d246311955fad160752f2978f14d5b9508409e333d476ea5884f699eb9b927fbd18f10210f2ceaf97722262cb60fd7acd9781a76ee12ad1657711

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3c96147cef56c8d59b062c08298ecd48

SHA1
31e547bdcfd0fdcb05236b8aef80194f5635fc89

SHA256
e9d7c5f520a862263ab5252be7fe74ebdfdacf4d7becde8b3be9283f9e6ce5cd

SHA512
4225a92dd68f877574103b25ce5654fe52d486d9ab78e2d85281129e27c46b1335a231d541bcc6d8325c9ac515011311f4202f4f009cbab787cc8a62e813290f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b6492b88c63a0440f0d62caa3c86247d

SHA1
1f2d4a65cc20ce6f14d470822e65b41acc4bab46

SHA256
bd76f269b395a7bcea61bb14be6abb4b5e77c75072c83aaad5073755ebc9cdeb

SHA512
09631417f5d714c918246e05968a95fa46ad24846be7c075125df34d49b3cf039fbb96340ac85bf700e5f4284b84a649aa45fdda766703d5968821d00eb9e7d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
25d5410a28375690ad861c37d612df74

SHA1
cf48b4a1c822ebc5b49fcafc51365deea10a5498

SHA256
5e976fb9655ca557ca90584c73fad7411188732d7ece2484a3f37df3f5701852

SHA512
d7364915857d8d3a3c3f45ddba525c336ba4c2b73303bbe738c5d255ae69b5ecddd48c206285ea48056553519a48df9c84d3aafe8ddc6b15bb674a874501bd46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
680cc2c17f7480a2c39922e29851f988

SHA1
a469c689691f71007008ffd192dabaac3881caec

SHA256
8cdf5cd7344843d542d747f5cfe4726bfb4b644bf52c44fe0ede8ab3077afb52

SHA512
bf3e4571e647e9d674c1ad8c2191a8f23837f49e2b95dfc9c7aa2597ad1af2aab1ced22b80dd61c9a6898cb4dfa84dcdd316346e9e719ac3e3194de601328cec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9820d3767da09ed571c6b44132f6d999

SHA1
740ce32ac19b29f9e6df4d4f858031e72d5f001c

SHA256
52ee122f4ac55cf8a5a1751b63039e529644ea7b8f9ea8b04ff27f0e74114fef

SHA512
a01461982d4c814009efef6bd5bd8155e2dd04d09147310d11b9ad1aab7f147f5cdcac7ab280ffb9a62ef9265557d7633e56dd2e6977c784373f63590f85ee62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7b4cf2951208eb8e2792c75879108473

SHA1
502d6fd6c0a16f133c54cb2d93cff494213c7a37

SHA256
002794459153591e7d1915fabb7063d63a1b82bdf67f768371ee13eed1b18f71

SHA512
ce4314deae0887c480f3cfe1049ba6d37b9f3905e1373fe87ada9ace27dc688a12d5dd8a0c82b1289e1150035060168ae233b36abdbe3028dad91cabcecf2b61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
30e0adcc847674c28931ef1614463624

SHA1
dc941cbd163ccafa9cbc937d5a255c44ef083803

SHA256
d044fcc8d34a5e8e100397f608b11d6bef45f4de9f0706ba690c0ac78ec0da83

SHA512
652242a1d2b4bc3607eb8629d37256af06d7ed38e3334d3a33b4041cc9694a1d9423a2b51e709f51ff9e4abfb8245ddf50d28d83ec39cfe1fc682163db844c6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
39f715bb3cf62275138c7faf66e8b6bd

SHA1
4be51d6d2dc386f903ffe09a96924c38ea079456

SHA256
9d61e5621cef63945705b59602a60223d808190b81014d990ffe0cb71c08b4f1

SHA512
de449a188f383d2502ba58552e25e449eabbede8654f4970121c974966cd89c1791a2008111cd23f2a31cd0c606a8e950dec6a2ea1069ca89f36ef72f5ddca11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a7161dab060fcc412f6649b3bb4eb109

SHA1
fb24724ce74e6e3b9cac3b333cc6da308cd50f66

SHA256
fa02e8a6f54b64800993408deb9b1622a0203ed0d866894b30571181af7f552a

SHA512
f21569625d3521cd0a1b91d6efbfb30ac89e9b348740c6830bff80b8256eec2c3113bf6cf8ea84d2f2fdb044cfe979ee983e838c9016a4ea86d151fadbb443a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c73dc0f53e992a967fe6f724901341b7

SHA1
3ca62de642dba93478305cda64dcc932700ce06d

SHA256
60e13c1a4ce9815df5e67a3d610980c3877114a3d053341c2952aa2def588259

SHA512
7af89d4ca296715e6dcc8cb2ec43e1cb7e3a244da3d2e4ea03047f3ce8bf1fce2fbc20fcd79cd31ec15740d8c89d9d42d8c0d6b7b3511de0b9207cd58b3c94d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
865d8893ed19158ebef5fb4092a75e5c

SHA1
b1290a39e168eba39c125e83a8ece351791b3b5d

SHA256
37b677f72d9abb275c5c8a8ad5dc4f576ebaa98dae31501cd354774c4f8e8512

SHA512
ebfe794a0f7ffcaa3f6bb9533090628f04cd31684a6cbb42159967b37698716415c5cf471a9db53b8ed52adcebb5bc3e311bb4ad4a0d69fd84a2e7255be6cfaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bc8bba93bb502f82321b27fb540aaee1

SHA1
e50993f57bfc4f438ab20af4837aa0374e7bfc17

SHA256
23812aad0734a6d9db777a2cd8f84120cb52ae85bdfa9b19193660c041379564

SHA512
fd8e5ab678a81186859bea1292eb38ffad59790681de719b67b61063aa55ca1c348e85862c60e015195e4eddc5211e16b48c0c083055556fcf902a6dbeedf605

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ce7f2b2b6ec25fd2c18348c7a3752007

SHA1
44d76daa6f355937d7a49e6aa5d9f8e0c84f6d8d

SHA256
8665ffed9f7d032a664015a856e04605b1eebc7fc65a9617d62cf73cdd13f5c2

SHA512
ba2036507eae1d839157aeaa108f16a3971177806d3ff64f864228d98c12eb524e0eaacacb088f7b1fb4fedc75cf8a0eb7a615f07dab7cded2a2dacaa48cc04f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
ee2012862d42f8d04a1189e679cf77bb

SHA1
747e5eddbd0331219c8d59f45b9fc4df776a2596

SHA256
3a23dd6f48f8a7bfaf50918a11ad1909d187784de27ba8d6e8780a24791ef972

SHA512
58ae1c290f5186098772c7f427be2520f90c0151749cc30f1b11bacc63b64b58f1e406c0b5e942b554e332837aef219303844a11c9c864f8bab5a120ffe5dccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\swflash[1].cab
Filesize
225KB

MD5
b3e138191eeca0adcc05cb90bb4c76ff

SHA1
2d83b50b5992540e2150dfcaddd10f7c67633d2c

SHA256
eea074db3f86fed73a36d9e6c734af8080a4d2364e817eecd5cb37cb9ec9dc0b

SHA512
82b4c76201697d7d25f2e4f454aa0dd8d548cdfd3ebfa0dd91845536f74f470e57d66a73750c56409510d787ee2483839f799fef5d5a77972cd4435a157a21a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAAD.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ICD1.tmp\swflash64.inf
Filesize
218B

MD5
60c0b6143a14467a24e31e887954763f

SHA1
77644b4640740ac85fbb201dbc14e5dccdad33ed

SHA256
97ac49c33b06efc45061441a392a55f04548ee47dc48aa8a916de8d13dabec58

SHA512
7032669715c068de67d85d5d00f201ee84bb6edac895559b2a248509024d6ce07c0494835c8ee802dbdbe1bc0b1fb7f4a07417ef864c04ebfaa556663dfd7c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB2D.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\ICD1.tmp\FP_AX_CAB_INSTALLER64.exe
Filesize
757KB

MD5
47f240e7f969bc507334f79b42b3b718

SHA1
8ec5c3294b3854a32636529d73a5f070d5bcf627

SHA256
c8c8cff5dc0a3f205e59f0bbfe30b6ade490c10b9ecc7043f264ec67ef9b6a11

SHA512
10999161970b874db326becd51d5917f17fece7021e27b2c2dfbee42cb4e992c4d5dbeac41093a345ad098c884f6937aa941ec76fb0c9587e9470405ecb67161

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1268-645-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1268-643-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1268-642-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2072-625-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download