ramnit | c49c52a26a42a7b70e0c1b4e0679e5c9c0778a3ebecd3d9c98c9b69bfc08e939

Analysis

max time kernel
118s
max time network
129s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

723f46d7354ada6c17f2dccd6b4fd3cd_JaffaCakes118.html
Size

519KB
MD5

723f46d7354ada6c17f2dccd6b4fd3cd
SHA1

e4dadc29528e43e552321b8d1d9e7669dbdfe232
SHA256

c49c52a26a42a7b70e0c1b4e0679e5c9c0778a3ebecd3d9c98c9b69bfc08e939
SHA512

a5a09104d170807f42e210e62466928c355d406cf255e571ce7f5788f7a75c8871fa383f5bed4680afb7d376e728c7afd21f9bfe1d0f295498d203c22af5b008
SSDEEP

6144:Sn7sMYod+X3oI+YGVsjVqksMYod+X3oI+YGVsjVdsMYod+X3oI+YGVsjVP:MP5d+X3zjVqy5d+X3zjVp5d+X3zjVP

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2612 svchost.exe
2812 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2604 IEXPLORE.EXE
2648 IEXPLORE.EXE

pid	process
2604	IEXPLORE.EXE
2648	IEXPLORE.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2612-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2612-10-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2812-20-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1ED6.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px1AC1.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c25ccfb4aeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000b32de4aa9de4358ef44bbe716e88f1490efcf37da8f585418ba8bea3b28e5ef3000000000e8000000002000020000000f03a1f812b0326e29bc8db71753cfaef83c02620639817014aa06695305204be9000000036bf70a80532e8f92266ac1645c276797241f1b78a6bfa008864dd6ec1f330c0ec8bacef6b71c3f3398d804442d1e0fc581c6997bca5499f2356bf6e3a25cab9b74488b9f147f67707d4820bd269199b7009c5bdd33c7c5ec5d45b10173c5a2b866c53d0d54ad84d6e34915ac4595b5d08445a74fd3de636a5cb7eb56ae330da11f877b27d34887c3183a68b12d6213e400000009ccc72acf927cb1cb01973810cd12f21924d0ef38a48082b478a5f6154cb4d074a07f7087d1e4da3f0dc190a670563c28b5f265d09b0a49e6722c3f54232ef4c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000005b8974fe7514b2eabf71f2ce161ea7be474db1df6ff051b6cbbe57ece064c0e5000000000e8000000002000020000000fc3b3480f268b1d67d015d21d3474d19b39d4bf60f6945d697fdce88c7a702b420000000957c26bb97ac245d1c8143b478f850e34caef13149c881044cd69beb7598507740000000eba6be315dcaae4fb8411c1bf4ce31bb39a0c8b7941232529f122ee1ebe7a38b65c2f20eabfcd98bfa0bc00ffccf4361739348f00fb5720a2879e2ecc4147ec5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422811289"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F935DCA1-1AA7-11EF-BD6B-4E7248FDA7F2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2612 svchost.exe
2812 svchost.exe

Suspicious behavior: MapViewOfSection 46 IoCs

Processes:

svchost.exesvchost.exe

pid	process
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2612	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe
2812	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2612 svchost.exe
Token: SeDebugPrivilege 2812 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2052 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2612	svchost.exe
Token: SeDebugPrivilege	2812	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2052	iexplore.exe
2052	iexplore.exe
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exe

description	pid	process	target process
PID 2052 wrote to memory of 2604	2052	iexplore.exe	IEXPLORE.EXE
PID 2052 wrote to memory of 2604	2052	iexplore.exe	IEXPLORE.EXE
PID 2052 wrote to memory of 2604	2052	iexplore.exe	IEXPLORE.EXE
PID 2052 wrote to memory of 2604	2052	iexplore.exe	IEXPLORE.EXE
PID 2604 wrote to memory of 2612	2604	IEXPLORE.EXE	svchost.exe
PID 2604 wrote to memory of 2612	2604	IEXPLORE.EXE	svchost.exe
PID 2604 wrote to memory of 2612	2604	IEXPLORE.EXE	svchost.exe
PID 2604 wrote to memory of 2612	2604	IEXPLORE.EXE	svchost.exe
PID 2612 wrote to memory of 384	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 384	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 384	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 384	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 384	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 384	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 384	2612	svchost.exe	wininit.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 392	2612	svchost.exe	csrss.exe
PID 2612 wrote to memory of 432	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 432	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 432	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 432	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 432	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 432	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 432	2612	svchost.exe	winlogon.exe
PID 2612 wrote to memory of 476	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 476	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 476	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 476	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 476	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 476	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 476	2612	svchost.exe	services.exe
PID 2612 wrote to memory of 492	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 492	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 492	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 492	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 492	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 492	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 492	2612	svchost.exe	lsass.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 500	2612	svchost.exe	lsm.exe
PID 2612 wrote to memory of 604	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 604	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 604	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 604	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 604	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 604	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 604	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe
PID 2612 wrote to memory of 680	2612	svchost.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:2228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:816

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:276

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:1020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1064

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:2984

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:288

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:500

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:392

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\723f46d7354ada6c17f2dccd6b4fd3cd_JaffaCakes118.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2052

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275457 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:340994 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2648

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275464 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e39c5397316deb6cb56aef17292ce00e

SHA1
6c476e12f3320fd4a1648b08b380dfcc05bcacdb

SHA256
e575dfbe2d837c74f5e9017708eb5483083e368fa2dacbe8937f3ec6e7498874

SHA512
d029422358fba0ec73c6ab9a2a082edb0af561345e1638a9bb10529b1e4c42e170a11ddf03176c44790d19be40e88683f496404c314b87ae92c73643906cda4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
83b8ba8dc9ee077e994a5885f2c2d8ff

SHA1
9cde4f50c7a8d7ca2802f26cbcea4c1f63bc0e35

SHA256
e6a30685f2d4383d8b0d046796fce5ea430dfad44cf5945a238e17fc892dd474

SHA512
b1af6f3761865d7cd90c0805765d7fefa7149f12ce24e0dbbafb09c38c0dcad0452c7a3a3946862a21941665e7d8f1b68fa33d2a5794f4fc8bcd520b11612eeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cae8f04add9b6416064034102de78be9

SHA1
8bca08a8f26f8f4bec646a199248d9207b6ffc54

SHA256
56d78a4673c88cc7407239890cb735d28d45c17122fce80a044f3ed5992126f1

SHA512
2f4c232e23f7a35bbd135c06c299c9e6357610a7c8b1344842224fcaaa3571c85be466c60eff61a3945e3f120e80a1b12f4860d045e114c5936e1aaf6bf56cea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
89322297feeb833b00e8fb14115a66b6

SHA1
c6ce93d78370fffc2fa46e020614a6c879fc7d08

SHA256
a6a7cdd91ed8af14c70167de95ceff7f78fc0e6097cc44189550dd8845d8e42f

SHA512
1ca79604196cfeae8031f032f1d9461e91ab886b2ca4f16a49bf6bbcde37ce84f9acec5d709d00ac5114672d00876fe01db42cd64be3299ddb4cb774b387e83f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f15968419b30f2f0e7b676c13656c90e

SHA1
95510935b705ef04f889c7f9ebfbb0413ccf3dfa

SHA256
92c60f78d28728bfcb7e26f097a768780376799222497a8138e67b539acfdbfa

SHA512
d7afca0e1891ea8b89b69962d80bd6dcce9db3e016e3c0b3929577a204dec8d1f5e063ca7a9ff4252b7e2ae49ad15065e4754cb2488eeb295d45b22453d02172

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
93be1bb3512f6d6530f44c6781be8639

SHA1
b12afbcd525c9d9192673421c21c7194bb13be4c

SHA256
280c488d58d5db3277788be97014852a11ad2c956a312dca01e74736650c1ce3

SHA512
d9f55b2625781c1be19cc4ff4a971847c67419e9c588a1eb5f6f7dfa1097d2bc20e99e110cf84cfcfc172c01b2db66253386d9251fdd6629f96aa59e3f84de6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a2a42c7e924d5bd056a52b027630bc9c

SHA1
f3190716226e84a6014eacf6c84d062c9cb949b3

SHA256
fee9cfcf483e50f6b22bc2bf52a36cb2a84fd9e54c84579f01de8849a2a38d29

SHA512
223fd5eff4c1013838b1df9f4c5d6aff36301489d2a4f9d8a43d205de86580244a19601c9245e0a7aff348773408be350ad7eac4b4ccde8f6c68e332da8e2288

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8e1c536c9cfbbf20fdc07d341759985b

SHA1
2313106f33aa68c4d75c89735d189d68f63dc219

SHA256
bc1d86b5c6728c36c6588545b2b2c94388755182e4744b3f5b6d8c3dceecb603

SHA512
9b0af771266bbc314b4c353a51a99ab2177d97e2a940faf5f6f4e07b4cb4c7d04835fd41eb982ddc70f99c76d9703d2f452c18d661747e85e616f2df34cf0282

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c781307b572c9042184847372d462f20

SHA1
fa58e808d4cd17f78403021edf0f40835b723e3f

SHA256
971733f8d05bb1699e3020b0d682f444d2c09f645aeea7d096532b5b7466b88b

SHA512
4e213139ff4aa1f5cc2802ae8be90170c96aaf6ca32635122555da9bc383b4e02c1c2303b056288da3215c0dba1763290ea87ede52e3542e8166a8ffadc972bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ef029004c7e84e8a7720cb3f1f8fd74f

SHA1
74808aa68296467d881082186d3c13ec7114d84e

SHA256
19f81fb52b056b39d90993c339f4c569bb8d45c2b006f3133e3b6c800f29af96

SHA512
a16321391c6a298b54052242fc8fc190254e79f8a3b3599fe9efd8942d7586c64d5e8ec2b9c7591dcca67709a449de30dd18892ae16c7b665ef8600e581c27ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f54afe8e98cd267cdcfa123f31dae0a5

SHA1
473d2e3c2ef0cf772fbad501ec83cf456bd0861d

SHA256
b8128b9668255c460aa9e6a1608e9ab54d39cfc8b5e69e00ecbf8a1d23932fe7

SHA512
7b7eead6900750d6d82f9edd6f45ea5909df2fb8a11797e68bd82d1c1cac576cb6ee8497be058ab0cc89827d0cda4b5f1842164d52b62e9dd6f884d8e4d30e2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1802552267727e35fecd5b8663f60503

SHA1
ab0537dcc46ce73f479a680b4e086e484cd5b38b

SHA256
c98b0cca1deabacf368f9a0699b24298bcf0057661aa53fd8dcc2e91821b0d38

SHA512
4f8456dcd08a3f20f46b837db0cff64986b245082fdf5637bdcacdb2cd38439671854ed0f23f28594dad7f53696a775d7f0b6bf5d20f93a0407dbf9dca89910d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1fe3a438d23a52f3a023c34816a71e1e

SHA1
5b3d856556593c617994c951203d718c766a24e6

SHA256
a4700e649feb73bb1fb2d79946775fa4b3c55071491f65834f5d7dce9342f25d

SHA512
49a3018363714faeedaf2155aef8d502a8ab657a560c788e28360c4f53c61458ee73cc3a5914221e71583c24a7688473d9881284e3f599939e1ee19bba6aade1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
57bb52e4316ec44bd59c4b9d6c9709de

SHA1
0755cb9b0e5555e1c4403383c88139d36ff8b8ec

SHA256
be1a2a1778a8d01747b7ced9811594c1f457518717f26d43cda9bdc1343f7a07

SHA512
c99a79d981b564d78683f7f885dec96f329f35a6ee18a3510d1743e2ed1cd596e18a05ed5ae4d650065e1cdce27beac29a09244735f38f3156a4c9922c5b6c77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
273647f3c7fed5526877b40846e99347

SHA1
760a5f0bc03452f85d802948dd777998f819ca77

SHA256
4d16f6752ab4cfc891daeebd3d48bb1cf6814b47140e38072c00e11d9f3bc79c

SHA512
7888ea8090b7d26b688cda880e1d92e9761c958fb76c09682bf2c47423112339de479aa96b2081e1a0579764849d9d651c3f09ed7c56e95ae79b4ad830afb520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\528EVS6A\jquery-1.8.1.min[1].js
Filesize
90KB

MD5
e7155ee7c8c9898b6d4f2a9a12a1288e

SHA1
d1b0ac46b41cbde7a4608fb270745929902bac7c

SHA256
fc184f96dd18794e204c41075a00923be7e8e568744231d74f2fdf8921f78d29

SHA512
00f96415745519916c4ef53daafba8fa6eb9de9b75b2a1e3d55f9588ff759b80a90988f0c79450214ba13ec06f4f4cc915fbb2a493f4f1983b9aea63e9e99fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3812.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3884.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
84KB

MD5
666faefb80b2c2c4028875ce8cd6f3a0

SHA1
1673f5ea1664c67f539a7c31f7fe7cea5a7ae63b

SHA256
da43233d34e8369e6802cea5dbfa9fa46b07b544bd85edd8f256692a5d34fbd4

SHA512
c375ced9c64a0c33e2af498fcdb81c995cc6254e9f6d9f8d7fbd90571abe4ac00d3a1eae51eee4e45c88aa77ed765d86014c043950ff06c0367957ec6786b41b

Download Submit
memory/2612-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download