ramnit | 9ad084cc670af4ed23cd7370af2b71c8abbad3b63c1250790c279f234a48c3d8

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

746059d4695ca90f26c7be7e58002312_JaffaCakes118.html
Size

681KB
MD5

746059d4695ca90f26c7be7e58002312
SHA1

d28f7795bf5d352cd826c9d6cea12b178ef3daae
SHA256

9ad084cc670af4ed23cd7370af2b71c8abbad3b63c1250790c279f234a48c3d8
SHA512

62e979610861c54cd17d5a2d698c181919bdb9af5f29f55406fe6a48744430d5d3f169c2de69fade2f61c71cff161f50219f94d5578596ebdd63afcdd792abad
SSDEEP

12288:d5d+X3kCdlDG5d+X3kCdlDH5d+X3kCdlDC:h+ECdm+ECdV+ECdk

Score

10^/10

ramnit banker spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 10 IoCs

Processes:

svchost.exesvchost.exesvchostSrv.exesvchostSrv.exeDesktopLayer.exesvchost.exesvchostSrv.exeDesktopLayer.exeDesktopLayerSrv.exeDesktopLayer.exe

pid	process
2596	svchost.exe
2720	svchost.exe
2696	svchostSrv.exe
2460	svchostSrv.exe
2480	DesktopLayer.exe
2596	svchost.exe
2788	svchostSrv.exe
2624	DesktopLayer.exe
2564	DesktopLayerSrv.exe
2580	DesktopLayer.exe

Loads dropped DLL 10 IoCs

Processes:

IEXPLORE.EXEsvchost.exesvchost.exesvchostSrv.exesvchost.exeDesktopLayer.exeDesktopLayerSrv.exe

pid	process
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2720	svchost.exe
2596	svchost.exe
2696	svchostSrv.exe
2172	IEXPLORE.EXE
2596	svchost.exe
2596	svchost.exe
2624	DesktopLayer.exe
2564	DesktopLayerSrv.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\svchost.exe	upx
C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe	upx
behavioral1/memory/2720-14-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2596-13-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2696-26-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2720-23-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2480-44-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2480-45-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2460-32-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2720-38-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2460-35-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2596-617-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2624-636-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2624-641-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/2564-649-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2580-651-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 16 IoCs

Processes:

svchost.exesvchostSrv.exesvchostSrv.exesvchost.exesvchost.exesvchostSrv.exeDesktopLayerSrv.exeDesktopLayer.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\px115F.tmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchostSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px116E.tmp	svchostSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchostSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px11BC.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5448.tmp	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5457.tmp	svchostSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px5486.tmp	DesktopLayerSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchostSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px118E.tmp	svchostSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe	DesktopLayer.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	svchostSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	DesktopLayerSrv.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422860998"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B43229A1-1B1B-11EF-8951-5E4183A8FC47} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

svchostSrv.exesvchost.exesvchost.exeDesktopLayer.exesvchostSrv.exeDesktopLayer.exeDesktopLayer.exe

pid	process
2460	svchostSrv.exe
2460	svchostSrv.exe
2460	svchostSrv.exe
2460	svchostSrv.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2720	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2480	DesktopLayer.exe
2480	DesktopLayer.exe
2480	DesktopLayer.exe
2480	DesktopLayer.exe
2788	svchostSrv.exe
2788	svchostSrv.exe
2788	svchostSrv.exe
2788	svchostSrv.exe
2624	DesktopLayer.exe
2624	DesktopLayer.exe
2624	DesktopLayer.exe
2624	DesktopLayer.exe
2580	DesktopLayer.exe
2580	DesktopLayer.exe
2580	DesktopLayer.exe
2580	DesktopLayer.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

iexplore.exe

pid process

756 iexplore.exe
756 iexplore.exe
756 iexplore.exe
756 iexplore.exe
756 iexplore.exe
756 iexplore.exe
756 iexplore.exe

Suspicious use of SetWindowsHookEx 32 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
756	iexplore.exe
756	iexplore.exe
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2876	IEXPLORE.EXE
2876	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEsvchost.exesvchost.exesvchostSrv.exesvchostSrv.exeDesktopLayer.exesvchost.exe

description	pid	process	target process
PID 756 wrote to memory of 2172	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2172	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2172	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2172	756	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 2596	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 2596	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 2596	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 2596	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 2720	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 2720	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 2720	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 2720	2172	IEXPLORE.EXE	svchost.exe
PID 2720 wrote to memory of 2460	2720	svchost.exe	svchostSrv.exe
PID 2720 wrote to memory of 2460	2720	svchost.exe	svchostSrv.exe
PID 2720 wrote to memory of 2460	2720	svchost.exe	svchostSrv.exe
PID 2720 wrote to memory of 2460	2720	svchost.exe	svchostSrv.exe
PID 2596 wrote to memory of 2696	2596	svchost.exe	svchostSrv.exe
PID 2596 wrote to memory of 2696	2596	svchost.exe	svchostSrv.exe
PID 2596 wrote to memory of 2696	2596	svchost.exe	svchostSrv.exe
PID 2596 wrote to memory of 2696	2596	svchost.exe	svchostSrv.exe
PID 2696 wrote to memory of 2480	2696	svchostSrv.exe	DesktopLayer.exe
PID 2696 wrote to memory of 2480	2696	svchostSrv.exe	DesktopLayer.exe
PID 2696 wrote to memory of 2480	2696	svchostSrv.exe	DesktopLayer.exe
PID 2696 wrote to memory of 2480	2696	svchostSrv.exe	DesktopLayer.exe
PID 2460 wrote to memory of 2616	2460	svchostSrv.exe	iexplore.exe
PID 2460 wrote to memory of 2616	2460	svchostSrv.exe	iexplore.exe
PID 2460 wrote to memory of 2616	2460	svchostSrv.exe	iexplore.exe
PID 2460 wrote to memory of 2616	2460	svchostSrv.exe	iexplore.exe
PID 2720 wrote to memory of 2468	2720	svchost.exe	iexplore.exe
PID 2720 wrote to memory of 2468	2720	svchost.exe	iexplore.exe
PID 2720 wrote to memory of 2468	2720	svchost.exe	iexplore.exe
PID 2720 wrote to memory of 2468	2720	svchost.exe	iexplore.exe
PID 2596 wrote to memory of 2524	2596	svchost.exe	iexplore.exe
PID 2596 wrote to memory of 2524	2596	svchost.exe	iexplore.exe
PID 2596 wrote to memory of 2524	2596	svchost.exe	iexplore.exe
PID 2596 wrote to memory of 2524	2596	svchost.exe	iexplore.exe
PID 2480 wrote to memory of 2988	2480	DesktopLayer.exe	iexplore.exe
PID 2480 wrote to memory of 2988	2480	DesktopLayer.exe	iexplore.exe
PID 2480 wrote to memory of 2988	2480	DesktopLayer.exe	iexplore.exe
PID 2480 wrote to memory of 2988	2480	DesktopLayer.exe	iexplore.exe
PID 756 wrote to memory of 2520	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2520	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2520	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2520	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2876	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2876	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2876	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2876	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2160	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2160	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2160	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2160	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2952	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2952	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2952	756	iexplore.exe	IEXPLORE.EXE
PID 756 wrote to memory of 2952	756	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 2596	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 2596	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 2596	2172	IEXPLORE.EXE	svchost.exe
PID 2172 wrote to memory of 2596	2172	IEXPLORE.EXE	svchost.exe
PID 2596 wrote to memory of 2788	2596	svchost.exe	svchostSrv.exe
PID 2596 wrote to memory of 2788	2596	svchost.exe	svchostSrv.exe
PID 2596 wrote to memory of 2788	2596	svchost.exe	svchostSrv.exe
PID 2596 wrote to memory of 2788	2596	svchost.exe	svchostSrv.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\746059d4695ca90f26c7be7e58002312_JaffaCakes118.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:275457 /prefetch:2
2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe
C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2696

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2480

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
6⤵
PID:2988

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe
C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2460

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2596

C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe
C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2788

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2824

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:2564

C:\Program Files (x86)\Microsoft\DesktopLayer.exe
"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
7⤵
PID:1220

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
5⤵
PID:2108

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:472071 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2876

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:865285 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:1127427 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:734212 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2952

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
701af29891d0a3c7e81836981690832e

SHA1
56207d6f8d403fe8bd5b275f06a1687d98c6c545

SHA256
0b2a0ae4be1c94118f156b33d8c159f6458edf96ec7083c2b867b853223a68c5

SHA512
e258ff52c1cab0d9e0f621d9bf26ea44ac5911d3ceb2bcc80f2f7c1d820b780b1b13870ebaca3a0bbace3e1d8c75582afd02b224a62513d1144465e1b8b96162

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
548024b75282d60e815581143b3a4896

SHA1
a441e9e07bbe8291f4ef2893743f0f1a1b925c77

SHA256
2ac9575034a08c893747b5b6abb604283846a1750ac2e0521d46ff6b853a2560

SHA512
fa5c18df4e655860454baaecea7102047dc2671004fc2d409fcce91955ab6d34a7ec435d13ad41f478b9c0d227b97290f3d41b0078742217fb334e251bf7da73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d92d3e42256bf6b7837b7e5ae01c7522

SHA1
450d7ca1135f98d9dab6d7a7079e4eca357e6fa2

SHA256
a886cf7a577a7945875b2117c05a7f64b8bc16cf133d2d8016c520cf3e86bb5e

SHA512
9bd453bb5169ab522ffb70ca901e2a4d2f7817f1967bec69dd3e0df7c72a5ddf134af58413f502986aabb75f989dd7b95c7915553529b44fdb92a72c37ecf1ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f198aabc259419453c31ad68e786947c

SHA1
7b9655f0a93f84ccff97937465fdbdb58c9f088d

SHA256
a7e1dbb53353ca719358b8484c95cd7d77ebba8b43dcf754f02c96b03e56a228

SHA512
015307ba872f3c357c051ca7ec0d3d5a8effd662c9473b3b8328096867f569f5e7f8830b998ec849a98901196d2746bcaf8d1a34216a91057b56cdfb0900db3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3ce0ebac2b3125ec7e0ab1483237afb0

SHA1
e1f53ee0f172ef645244df27b45ac99358956200

SHA256
b6ea6b66ea51178d180e59f37e5e3c3cd28c88a5e7defb860b450371e258ccc1

SHA512
67d660a6b3f7527f397fd836f9dd9173c4b1b5193d5db6b1a92d90d2edfd4a7e100db3e9ec9f2bbff218fea4e19a6b48cd14173beb0fe854d09908a68efa9cc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
df073144bdf5d7a52be01dc7eafe8b86

SHA1
1f2237d9d4ba67bddc4114536bafda7909838552

SHA256
60f5c82d4cd8eaf5ce995b7c9cde628217b583f8b58719fe39f8e3e116613e79

SHA512
44ce3584d613f81fa0ac15546a7c34cb84ea55f9759ca03b49c09c73f9ac200245c7bf5e3548f235bfb6edc4836d1b14c855777cc18db03b8ca3bfe02ee0a705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
0aa4a14cb4b2c33f899bccf6d3807d5b

SHA1
c554e822b043d9cae16ed26263152f916d4a8365

SHA256
0037bee29a6ebab04367836b34d44b3645ad34c016eac065b45666a3979ea41d

SHA512
ddb1a5adc8730dd83909ea2510498ee036d6d79bc5da0137a64a886358ee3ff1be8a35bd1e569916f91007be07341dd7e1ebabbf4f3f0da2feaff3eeb8a686ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1A0B.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchostSrv.exe
Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
111KB

MD5
f9b6a36532ad339c536257d6d663ac50

SHA1
05bc904af61bd3dc99e431ce418ad3db8fbeaa96

SHA256
e359c2f9f18ff3d99b211670d64d29bf607d8a360b92866ce2e4bd7f3bd22a17

SHA512
8be67449f33a1fb18a1f11d171b0c33bff634f30778d67cea03641d8c0780dbcfcc9d59d68136696a89af0124710195f524d2753c49379d9a5e46418d2ae4f06

Download Submit
memory/2460-32-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2460-35-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2480-44-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2480-43-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2480-45-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2564-649-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2580-651-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2596-617-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2596-13-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2596-628-0x0000000000240000-0x000000000027D000-memory.dmp

Filesize
244KB

Download
memory/2624-636-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2624-641-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2696-26-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2720-23-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2720-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2720-22-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2720-21-0x00000000002D0000-0x00000000002FE000-memory.dmp

Filesize
184KB

Download
memory/2720-36-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2720-38-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2788-632-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download