ramnit | 1e7e26161715fea8da4ed40f171f89e3083bc30b862c840589874d0c4b5c950e

Analysis

max time kernel
118s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

732988fa0dcbab160478a833b43d16e9_JaffaCakes118.html
Size

522KB
MD5

732988fa0dcbab160478a833b43d16e9
SHA1

8100537bbac9720c382912679eda9c5a69c00bef
SHA256

1e7e26161715fea8da4ed40f171f89e3083bc30b862c840589874d0c4b5c950e
SHA512

a810850c67cfd5755d9499a2946c808873eef2ff1b5fca2b3e6c5a92ac8f12c0e15e3ff701b10678f51cad64f1fdbb5926940e48b9421970651cb62c593ccab4
SSDEEP

6144:SncsMYod+X3oI+YGVsjVp9sMYod+X3oI+YGVsjVtsMYod+X3oI+YGVsjVP:MK5d+X3zjVpJ5d+X3zjV55d+X3zjVP

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2516 svchost.exe
2692 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2704 IEXPLORE.EXE
2584 IEXPLORE.EXE

pid	process
2704	IEXPLORE.EXE
2584	IEXPLORE.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
behavioral1/memory/2516-6-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2516-10-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral1/memory/2692-20-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxCCD.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px722.tmp	svchost.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad75f351c78da345a34395e7b4fe968500000000020000000000106600000001000020000000b57dcf8021cc2a6a3ab1964bca64626e37ea52bd36ed84c036b7ebe96c4939e3000000000e8000000002000020000000a6161a4078bddca8d7b4d5ca9eb3c331a4dff707123c855c7799be678e27d03a20000000141be169fcf52f821793de917a63fc6c5866d0b977acda36bf748139ed76ca26400000009cdaba2d50fe8eb539848b4daba3c61e05e7a6b59dc4213e5e8942342bd396826dc9875841ae209e2c05865c8352fa97cc56e0978c8451130374526ba56fa5a2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c029f7f1e2aeda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422831104"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad75f351c78da345a34395e7b4fe96850000000002000000000010660000000100002000000027677904bae5d2922c31721ae4a3318c71ecf5baf7ca0c103a2be549ce66684c000000000e8000000002000020000000e622a1a74654b2e63f18cabd5ece2f94ad69799c8ef8be5955a8764af47d65f990000000ffacffcc05427dc8c898c9f510050d31cfc7c69f21e85cf8731e212b63572528c75c87c7451aa27ea34d27f3488afa5104dfac3bcd941881446d6308cdc42c0a97160115be48d792e26a45f9ebc8293990be0829ffc7120f6aa6fc68bba5b1b860e659930f23c732bfae82c793d8226808ecb0f78b5d314c48949078864b178ee7dcf3a6d806cbbd71ff3962be59a0654000000098a8e3689e14051bede9d69e4b84d0697f091abd15c0627e1911f0e3b859830dc8ddf429386abe15bb1430e85b73619263a59d0178436026a5f90cd64113684b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1BC49BC1-1AD6-11EF-805C-EAAAC4CFEF2E} = "0"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

2516 svchost.exe
2692 svchost.exe

Suspicious behavior: MapViewOfSection 46 IoCs

Processes:

svchost.exesvchost.exe

pid	process
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2516	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe
2692	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 2516 svchost.exe
Token: SeDebugPrivilege 2692 svchost.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2196 iexplore.exe

description	pid	process
Token: SeDebugPrivilege	2516	svchost.exe
Token: SeDebugPrivilege	2692	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2196	iexplore.exe
2196	iexplore.exe
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
2460	IEXPLORE.EXE
2460	IEXPLORE.EXE
2460	IEXPLORE.EXE
2460	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exe

description	pid	process	target process
PID 2196 wrote to memory of 2704	2196	iexplore.exe	IEXPLORE.EXE
PID 2196 wrote to memory of 2704	2196	iexplore.exe	IEXPLORE.EXE
PID 2196 wrote to memory of 2704	2196	iexplore.exe	IEXPLORE.EXE
PID 2196 wrote to memory of 2704	2196	iexplore.exe	IEXPLORE.EXE
PID 2704 wrote to memory of 2516	2704	IEXPLORE.EXE	svchost.exe
PID 2704 wrote to memory of 2516	2704	IEXPLORE.EXE	svchost.exe
PID 2704 wrote to memory of 2516	2704	IEXPLORE.EXE	svchost.exe
PID 2704 wrote to memory of 2516	2704	IEXPLORE.EXE	svchost.exe
PID 2516 wrote to memory of 384	2516	svchost.exe	wininit.exe
PID 2516 wrote to memory of 384	2516	svchost.exe	wininit.exe
PID 2516 wrote to memory of 384	2516	svchost.exe	wininit.exe
PID 2516 wrote to memory of 384	2516	svchost.exe	wininit.exe
PID 2516 wrote to memory of 384	2516	svchost.exe	wininit.exe
PID 2516 wrote to memory of 384	2516	svchost.exe	wininit.exe
PID 2516 wrote to memory of 384	2516	svchost.exe	wininit.exe
PID 2516 wrote to memory of 396	2516	svchost.exe	csrss.exe
PID 2516 wrote to memory of 396	2516	svchost.exe	csrss.exe
PID 2516 wrote to memory of 396	2516	svchost.exe	csrss.exe
PID 2516 wrote to memory of 396	2516	svchost.exe	csrss.exe
PID 2516 wrote to memory of 396	2516	svchost.exe	csrss.exe
PID 2516 wrote to memory of 396	2516	svchost.exe	csrss.exe
PID 2516 wrote to memory of 396	2516	svchost.exe	csrss.exe
PID 2516 wrote to memory of 432	2516	svchost.exe	winlogon.exe
PID 2516 wrote to memory of 432	2516	svchost.exe	winlogon.exe
PID 2516 wrote to memory of 432	2516	svchost.exe	winlogon.exe
PID 2516 wrote to memory of 432	2516	svchost.exe	winlogon.exe
PID 2516 wrote to memory of 432	2516	svchost.exe	winlogon.exe
PID 2516 wrote to memory of 432	2516	svchost.exe	winlogon.exe
PID 2516 wrote to memory of 432	2516	svchost.exe	winlogon.exe
PID 2516 wrote to memory of 480	2516	svchost.exe	services.exe
PID 2516 wrote to memory of 480	2516	svchost.exe	services.exe
PID 2516 wrote to memory of 480	2516	svchost.exe	services.exe
PID 2516 wrote to memory of 480	2516	svchost.exe	services.exe
PID 2516 wrote to memory of 480	2516	svchost.exe	services.exe
PID 2516 wrote to memory of 480	2516	svchost.exe	services.exe
PID 2516 wrote to memory of 480	2516	svchost.exe	services.exe
PID 2516 wrote to memory of 488	2516	svchost.exe	lsass.exe
PID 2516 wrote to memory of 488	2516	svchost.exe	lsass.exe
PID 2516 wrote to memory of 488	2516	svchost.exe	lsass.exe
PID 2516 wrote to memory of 488	2516	svchost.exe	lsass.exe
PID 2516 wrote to memory of 488	2516	svchost.exe	lsass.exe
PID 2516 wrote to memory of 488	2516	svchost.exe	lsass.exe
PID 2516 wrote to memory of 488	2516	svchost.exe	lsass.exe
PID 2516 wrote to memory of 496	2516	svchost.exe	lsm.exe
PID 2516 wrote to memory of 496	2516	svchost.exe	lsm.exe
PID 2516 wrote to memory of 496	2516	svchost.exe	lsm.exe
PID 2516 wrote to memory of 496	2516	svchost.exe	lsm.exe
PID 2516 wrote to memory of 496	2516	svchost.exe	lsm.exe
PID 2516 wrote to memory of 496	2516	svchost.exe	lsm.exe
PID 2516 wrote to memory of 496	2516	svchost.exe	lsm.exe
PID 2516 wrote to memory of 588	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 588	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 588	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 588	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 588	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 588	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 588	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 668	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 668	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 668	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 668	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 668	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 668	2516	svchost.exe	svchost.exe
PID 2516 wrote to memory of 668	2516	svchost.exe	svchost.exe

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:384

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
2⤵
PID:480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
3⤵
PID:588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
4⤵
PID:328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
3⤵
PID:668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
3⤵
PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
3⤵
PID:812

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
4⤵
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
3⤵
PID:852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
3⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
3⤵
PID:276

C:\Windows\system32\taskhost.exe
"taskhost.exe"
3⤵
PID:1056

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
3⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
3⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
3⤵
PID:1532

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
3⤵
PID:1976

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
2⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
2⤵
PID:496

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:396

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1104

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\732988fa0dcbab160478a833b43d16e9_JaffaCakes118.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:275457 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:340994 /prefetch:2
3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:2765834 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e675095e2e5550d69e35c120be080a61

SHA1
f5844c9a348d8603baf04ef28dff009efa24c78a

SHA256
0107a1b51d444f61809382842c63189d1150878758deee6c429819f2c3c05409

SHA512
e3b4fa21dd5dd74257ddbdb310f6d64abae4e7c1927456c00790a6b753c5f51d28b395019d33a9036b1dff0043ba8a6174d000bf856b4adb5275fa044bc513a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
50dc84a46da39f5974f5553e25cd13c7

SHA1
8de7241ffdf081b23991c9406e563c618928acea

SHA256
280e6c453d9e5c4eb23be79c2754703f1652a30eea04408e350526bc2bfd1ca2

SHA512
865b57192c5f77013119632c83c4fb3b951304b33265f01abcd989b322a1226e9e07ab760bce1a44e960ee6e56ac10095de57c679531d933247dc27470a964e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8195651fe256379f739c097f055f7bd9

SHA1
2163fbfd958304028e06b6aa11c22e9c0ae5b349

SHA256
bffb94085b34edb68945f76d8c36f2a8040bca8739465050af87f71dd7b7d995

SHA512
78ade62793c886c0b39f6d6f08e63a27519febe00d341714c627ffb7c1270d841940ca090b6451d4257573d7bdef0e45471b119b305b42a61e8da707c9f08a30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
14539dbebaa1b7a1dee0d7379a137cf4

SHA1
725b57e103a6fc2bfc3c50d57538734d1ff7b7e2

SHA256
1d293f9006edf2f93d7dc8b70147ace27606f015a9fd52674d39adda5927c821

SHA512
5e3704a564f675b0e71be57ef215c977eea76764710876933b60c583771c85746a1960329613047fc87471bea4f8e9eadcbd14d78fe98e1f328b86d7ba51ef1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
16849bd518ef15d49f4bdbd8f185c4af

SHA1
b22c583c45ac2bd843d14211d70c0fc1c79ac252

SHA256
c5ddf0e6edb3d072aefdd33c6a4c1aeff628e096152b3eb115b2a5d275877390

SHA512
d93423193f25dcc01c4138cdba8af45e7f1745f119f75a2910bab12cc009720e0e8ab8774dcc3b53bf5f8a454b37be9c545804af83f954b461d9250c96d87612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
edfd2b419a000115af1157db1374d529

SHA1
a5729f50542df46d4c3aa7790faffa97bbc40b6f

SHA256
11369fc9baa76c93b2dc054bbc96356a663acacd0e651df335238ed42ab77f13

SHA512
8c9904453640ea2318162d694087a31080a9221708661a3af57e6e030f5e738849c6311b1f9c37682743b82626a18295608154353bf2680b584f7aa83de63c6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
166b8343647a991de13a5fbb20281ee2

SHA1
86bf172895d53ec9dc78a8df6e098b6d25f1fa9e

SHA256
11921b3ec220d5838089ddaae0fa2f8baa3361c957f695a66466ea9ea71413d2

SHA512
c6011c3ebd81ba626a1e359927920d063084327fbe9c15f5bba3e7e1bce1a8a7f4530b954f4842a1e89b9fe7285bcb428ec8ff702516426c98eead43d76b9b28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7348387e9f670bd6f1326852856f1805

SHA1
17256afa573e74c3dcc7be62bd71611bfc5a5ef7

SHA256
048690415bdd7df209d738f75047f8742c360402112942e2073221408c5bafb6

SHA512
cfbebcac2832954bc31145ad9e36f32a00d4a2e848a8aaef53fb06f65e7ee3059485a1deb22fb9461dceeedd1b74eb850ea6f7a79673485f4457e0f95cf66439

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
31eb56583d509e243a53cb158033f37c

SHA1
140e2d3445a952a7478722d39a9e7070beb5ce72

SHA256
b56b2676a940da82628f4d7588cea0910482a1c83262f2a88f732ff2912df89a

SHA512
5c34faee3b1122ac0119a9eb3952623440d2fe28997f7b053929e3cfa24613cf2ea2aa067989bef58062ab806413d4ced3d88f15f23db4ae3c5c57ff77f67640

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0f50fc908f7350edb694d1ac06e8ecba

SHA1
409822f6a20b8141d48a35f2e10f3ab9aba5841a

SHA256
81fccb17e6d142350346faf67443f5223f3380276ac024b7d11d116256b61864

SHA512
57366037a72658f895685b9051c29bc17925077fba44ce9faf637b5b058edab00edae2e71dfe7aab7a150b9edd262b50946ab097861658fb47c062c87e09c1fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
28bfe8b4c1dbafb3692a969b15bf4fad

SHA1
cb57494ef6d89c44c51142b284c186a3f6d0cc9a

SHA256
9e06ad627b52df81de2d1ed0d6c05324e3f9f5e00f3640f97172ce2f921ac727

SHA512
4dc2268ebd9e25d076c9a4080055da85de149f33daccf391741f5708db4ff3455f243886a4278aedb13e96a3d337df98ce4cae317b048c5ee2b2f44a9abe7adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c6926c0ed6f7b627610b530498d0ca0a

SHA1
f25209f96c9d76e5092d7cc1aee084ddc2dba9b9

SHA256
fbfe0914e82dff7c423ff8409ea125f34c61bfa775f17a4b83ed4c10eed5bcdb

SHA512
62aeb9493498a99efbbc50b902db6356a42d2335a72d61ad43b250fce064d995651334ace17de51fcb194d1566025d0dc36ec0a0ce41e6a7d362452f18511857

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
63a67a24ebc3905a7394711b484b3579

SHA1
33a33ad0cfabcbfb81ffd28254a279c806f514e8

SHA256
bc89e3a5a8de9e1bff3bbbf0685d830ba3f8559060ab6a13390a225870518814

SHA512
f8e26de43043fcb0571bc034edb43ffb45fc49a46ad007f59e1788a2be45e872acb041e3d0e0464af7d29d611c9556c4dcbd53c5d91c3ce8f30da376bdbcb8b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c8958b5a32e1efa6b5287ba8bc34b448

SHA1
0ba7fddca026194d4485d5f9e13f18b8909e6c66

SHA256
750639d21fa0877be148f58c10f055306e85254164e04bba181df8359e4b8108

SHA512
2cba01db1b84470472b0c61230ec7c97e079112f1e51ecdaf6f17993366991b48cb2beb78d152a849f52aa85d446eaa316535201f72f767d5488c2732f6c5226

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
96515c18cca43e3a22a807f50b0be117

SHA1
0f91e6d266df713ab91eb6d12f28dab8a85b40c7

SHA256
1bebd837bf919948b710668d4b2feeda24c2a7b51ee0cbaa21f5d029ca9e2280

SHA512
132fead8a7ae02b7614916ba670f4b3a2a5fa999d5ff7db99dba49b030179d91c81237df8371d838325641020de04d16f05d5e6512cce1a6e7f5c02b641c9fad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6ec1f599db7f84fbd0f156b1b2600424

SHA1
9b3bceb07cd24fd09ac3ae57f815e0c89265e106

SHA256
5d161151b3c68a8e19645002c8e6ecf34ffaff70da26847d1a2a2912b6d90263

SHA512
6616442be1a63b4b4ab941eabd8cc75097e67e193b2bca56e73590b42be712cc2afc831a1af2fc7354d3381cb3e773107dc3447d69a5d8d9d204c08501775fe0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cfc0312f5476da7ae628061de6ba7b67

SHA1
e5ad7ad92d03fc547fb99636394f4c63734f0d47

SHA256
d50eefa926a1a19821e487b3085a8a78edf404b18fc4747388415e5a621f2d28

SHA512
3b67bebec926348fe3435b1cd3cd1929bdd4b69065b8048a69bf0ee91548a9f047d31a169b0cf4b8c0b66a57915f58c2e6cd1b80841c32f8359c8817af1ecb4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2c2717bd5450a2b55a2c54482aea7e91

SHA1
e6840948fe88beb22d9e2da7a018c3fdbe066bef

SHA256
8a4a558602f88f4db3d2dd027d750d651ff4df8697f880252c48889f6a773596

SHA512
41e24cb1ffbf78f1408ae61d90cf68368c9bff1f79ea41eb4795c96ccde4f78b4ffe2395e1fdfd13848e5da56efd63c5e1e6581d8383daa2ae057422d3575947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\jquery-1.8.1.min[1].js
Filesize
90KB

MD5
e7155ee7c8c9898b6d4f2a9a12a1288e

SHA1
d1b0ac46b41cbde7a4608fb270745929902bac7c

SHA256
fc184f96dd18794e204c41075a00923be7e8e568744231d74f2fdf8921f78d29

SHA512
00f96415745519916c4ef53daafba8fa6eb9de9b75b2a1e3d55f9588ff759b80a90988f0c79450214ba13ec06f4f4cc915fbb2a493f4f1983b9aea63e9e99fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2608.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar270B.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
84KB

MD5
666faefb80b2c2c4028875ce8cd6f3a0

SHA1
1673f5ea1664c67f539a7c31f7fe7cea5a7ae63b

SHA256
da43233d34e8369e6802cea5dbfa9fa46b07b544bd85edd8f256692a5d34fbd4

SHA512
c375ced9c64a0c33e2af498fcdb81c995cc6254e9f6d9f8d7fbd90571abe4ac00d3a1eae51eee4e45c88aa77ed765d86014c043950ff06c0367957ec6786b41b

Download Submit
memory/2516-10-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2516-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2692-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download